Thanks for the outstanding reply. The project in question requires users to have their own UML. Great suggestion regarding COWs! The biggest issue for us was creating and maintaining the UMLs. From your reply, it sounds like this won't be a major issue for us. The biggest problem will be network load, though. It could be minimized by creating a separate nessusd host that the UMLs could connect to, but that might hurt us when it comes to logging. Either way, great suggestion, and it will be something to look into.
I'll read up on the uml-bridging how-to as well.
Again, thanks for the great information!
roland <email@example.com> wrote:
Hi sergeant :)
>Is it feasible to use UML for this scenario, assuming the host machine is powerful enough.
running 50 UMLs at the same time on a single FAT host should _basically_ be possible, but
not recommended. it absolutely depends on WHAT the users need to do INSIDE a UML. it's
really a matter of the load these 50 concurrent users will produce. so at least you need to
estimate what "average" and "maximum" load a user will generate, and test how the system
behaves in such situations. letting 50 users run hping, nmap and nessus on the same machine
at the same time should generate a huge amount of load, IMHO - and especially so inside
a UML, because we have the "syscall overhead". why not split things up? AFAIK, hping, nmap
and nessus are basically usable on a "per user" basis from within a single OS. if you need to
give the users root privileges, you could easily wrap those commands with "sudo" or make them
suid - so, do you really need separate OSs for every single user? why not just give them an
account and let them run a defined set of applications, configured for them individually?
as a rule of thumb: what you can "multi-instantiate" on a single box, you won't need to run
isolated inside separate ones. i think you even should be able to run nessus on a per-user
basis on a single box.
at least there are configuration options for nessus, which give me that impression. from the
nessusd [-v] [-h] [-c config-file] [-a address ] [-p
port-number] [-D] [-d]
-c , --config-file=
Use the alternate configuration file instead of
-p , --port=
Tell the server to listen on connection on the port
rather than listening on port
sure - here you need to do lots of configuration and testing, too. (i'm not sure - but you probably
run into problems with the TCP/IP stack on a single system when doing aggressive portscanning from
within 50 user accounts)
please see this just as an idea and a suggestion - i don't know the very details of your scenario
and perhaps there IS a real need for UML or similar, though.
>Is there any easy way to create UMLs for new users?
sure there is. you just need a read-only root filesystem and can use the copy-on-write feature.
so you can clone UMLs somewhat "on the fly".
>Can the creation of a UML be automated?
sure. shouldn't be too hard, either. one recommended example to configure a UML from the "outside"
is on the UML website. see: http://user-mode-linux.sourceforge.net/config.html
>Would the maintenance of that many UMLs be too much to handle?
that depends on WHAT you need to maintain. if they just all need to be identical (and only differ
in hostname/IP) that should be quite easy.
>Users will have access to their UML, and from there they should be able to run applications
>like nmap, hping, nessus against an internal target network. Can UML handle applications such
>as nmap or will there be problems?
i think this should work. watch out for the uml-bridging howto for UML network configuration.
if you set up the UML's network in bridged mode, you shouldn't run into problems with the host's
TCP/IP stack, because the host's stack isn't related to the UML's at all and all it does is
forward ethernet packets.
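The per-user cloning and bridged networking roland describes (a shared read-only root_fs, one COW file per user, one tap device per user attached to a host bridge) as an added shell example; it is not code from the thread or from the UML project. The paths, the bridge name `br0`, the memory size and the `tap_<user>` naming are assumptions made for this example; `tunctl` and `brctl` come from uml-utilities and bridge-utils and need root, while `uml_cmdline` and `cow_is_safe` run unprivileged.

```shell
#!/bin/sh
# Added example (not from the thread): provision one UML per user from a
# shared read-only root_fs, using a per-user COW file and a per-user tap
# device attached to a host bridge ("bridged mode").
# ROOT_FS, COW_DIR, BRIDGE, UML_MEM and the tap naming are assumptions.

ROOT_FS=/srv/uml/root_fs      # shared backing image; must stay read-only
COW_DIR=/srv/uml/cow          # one <user>.cow file per user
BRIDGE=br0                    # host bridge the tap devices are attached to
UML_MEM=128M

# cow_is_safe FILE: return 0 only if FILE exists and carries no write bit
# for owner, group or other. A COW file silently breaks once the backing
# image it was created against changes, so refuse to build on a writable one.
cow_is_safe() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$(ls -l "$f" | cut -c2-10)" in   # the rwx triplets of ls -l
        *w*) return 1 ;;
    esac
    return 0
}

# uml_cmdline USER: print the kernel command line that boots USER's instance.
#   umid=<name>                names the instance for uml_mconsole etc.
#   ubd0=<cow>,<backing>       private COW layer over the shared image
#   eth0=tuntap,<tap>          attach to a tap device created by uml_tap_setup
uml_cmdline() {
    user="$1"
    printf 'linux umid=%s ubd0=%s/%s.cow,%s eth0=tuntap,tap_%s mem=%s con=pts\n' \
        "$user" "$COW_DIR" "$user" "$ROOT_FS" "$user" "$UML_MEM"
}

# uml_tap_setup USER: create USER's tap device (owned by that user so the
# UML can open it unprivileged) and attach it to the bridge. The tap gets
# no host IP address: the host only forwards frames, the guest configures
# its own address inside the UML. Needs root.
uml_tap_setup() {
    user="$1"
    tunctl -t "tap_$user" -u "$user" &&
    ip link set "tap_$user" up promisc on &&
    brctl addif "$BRIDGE" "tap_$user"
}

# provision USER: refuse unless the backing image is read-only, then create
# the COW directory and tap device and print the launch command. The COW
# file itself is created by the UML kernel on first boot when it is missing.
provision() {
    user="$1"
    cow_is_safe "$ROOT_FS" || { echo "refusing: $ROOT_FS is writable" >&2; return 1; }
    mkdir -p "$COW_DIR" && uml_tap_setup "$user" && uml_cmdline "$user"
}

# Usage (as root, after `chmod 444 /srv/uml/root_fs`):
#   . ./uml_provision.sh
#   for u in alice bob; do provision "$u"; done
```

Keeping the backing image unwritable is the one check worth automating: every user's COW file is only a delta against it, so a single accidental write to root_fs corrupts all 50 instances at once, which is exactly the maintenance failure the "identical images that differ only in hostname/IP" approach is meant to avoid.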