
= Install & config VM controller

include::./_macros.adoc[]

The role of the VM Controller is to manage the VM on behalf of the student. {tc} uses digitally signed VM Controller configuration files and executables to ensure the integrity of the code and passed parameters.

NOTE: All the commands must be executed as root on the installation machine.

== Configuring Nginx

The VM controller is delivered through Nginx to the running VMs.

An example of the /etc/nginx/conf.d/vmc.ticrypt.conf configuration file is:

[source,nginx]
----
server {
    listen 80;

    server_name vmc.ticrypt;
    root /var/www/ticrypt-vmc;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://code.getmdl.io; frame-ancestors 'self' http://127.0.0.1:*";
}
----

Nginx serves these files only to the VMs, and the VM Stub checks the digital signature on all the files, so the integrity of the files does not depend on the transport. There is no need to use an SSL/TLS connection.

After changing the Nginx configuration, reload Nginx so that it applies the changes:

[source,bash]
----
systemctl reload nginx
----

== Installing the software

Since different operating systems are supported for the VMs, code for each specific operating system needs to be installed.

* Windows: link:{ctrl-url}{win-ver}/tiCryptVMWin64{win-ver}.tar.gz[]
* Linux: link:{ctrl-url}{lin-ver}/tiCryptVM-el7_cs2-{lin-ver}.tar.gz[]

Now we create the directory /var/www/ticrypt-vmc and unpack the files:

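[source,bash,subs="attributes+"]
----
# Create the directory Nginx serves the VM Controller files from
mkdir -p /var/www/ticrypt-vmc/

# Download the archives (file names as in the download links above)
wget {ctrl-url}{win-ver}/tiCryptVMWin64{win-ver}.tar.gz
wget {ctrl-url}{lin-ver}/tiCryptVM-el7_cs2-{lin-ver}.tar.gz

# Unpack both archives into the web root, then remove the downloaded archives
tar -C /var/www/ticrypt-vmc/ -xaf tiCryptVM-el7_cs2-{lin-ver}.tar.gz
tar -C /var/www/ticrypt-vmc/ -xaf tiCryptVMWin64{win-ver}.tar.gz
rm tiCryptVM-el7_cs2-{lin-ver}.tar.gz tiCryptVMWin64{win-ver}.tar.gz
----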

Tell SELinux about the files so Nginx can serve them:

[source,bash]
----
restorecon -R /var/www/ticrypt-vmc/
----

== Configuration files config.toml and config.toml.sig

An example configuration file config.toml is:

[source,toml]
----
# The host
host = "ticrypt.example.com"

# The address range for the VMs
network = "172.24.0.0/16"

# Sets the cost of the key derivation function used when deriving the shared
# keys for the secure communication channel with clients.
pbkdf2Iterations = 100000
----

CAUTION: The host parameter must be identical to the hostname in the TLS/SSL certificate.

CAUTION: The network parameter must cover the range used by the realm configuration.

To get the configuration file config.toml signed, contact Tera Insights. You will receive the corresponding file config.toml.sig.

WARNING: The VM Stub will refuse to work without signed configuration files.

Once you get your configuration file and the signature, copy them into the directory /var/www/ticrypt-vmc.