= Install & config VM controller
include::./_macros.adoc[]
The role of the VM Controller is to manage the VM on behalf of the student. {tc} uses digitally signed VM Controller configuration files and executables to ensure the integrity of the code and passed parameters.
NOTE: All commands must be executed as root on the installation machine.
== Configuring Nginx
The VM controller is delivered through Nginx to the running VMs.
An example of the `/etc/nginx/conf.d/vmc.ticrypt.conf` configuration file is:

[source,nginx]
----
server {
    listen 80;
    server_name vmc.ticrypt;
    root /var/www/ticrypt-vmc;

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header Content-Security-Policy "script-src 'unsafe-inline' 'unsafe-eval' 'self' https://code.getmdl.io; frame-ancestors 'self' http://127.0.0.1:*";
}
----

The connection is served only to the VMs, and the VM Stub checks the digital signature on every file, so the integrity of the files does not depend on the transport. There is no need to use an SSL/TLS connection.
We changed the Nginx configuration, so we need to tell Nginx to apply the changes:

[source,bash]
----
systemctl reload nginx
----

== Installing the software
Since different operating systems are supported for the VMs, code for each specific operating system needs to be installed.
- Windows: link:{ctrl-url}{win-ver}/tiCryptVMWin64{win-ver}.tar.gz[]
- Linux: link:{ctrl-url}{lin-ver}/tiCryptVM-el7_cs2-{lin-ver}.tar.gz[]
Now we create the directory `/var/www/ticrypt-vmc` and unpack the files:

[source,bash,subs="attributes+"]
----
mkdir -p /var/www/ticrypt-vmc/
# Download both archives into the current directory
wget {ctrl-url}{win-ver}/tiCryptVMWin64{win-ver}.tar.gz
wget {ctrl-url}{lin-ver}/tiCryptVM-el7_cs2-{lin-ver}.tar.gz
# Unpack them into the directory served by Nginx
tar -C /var/www/ticrypt-vmc/ -xaf tiCryptVM-el7_cs2-{lin-ver}.tar.gz
tar -C /var/www/ticrypt-vmc/ -xaf tiCryptVMWin64{win-ver}.tar.gz
# Remove the downloaded archives
rm tiCryptVM-el7_cs2-{lin-ver}.tar.gz tiCryptVMWin64{win-ver}.tar.gz
----

Tell SELinux about the files so that Nginx can serve them:

[source,bash]
----
restorecon -R /var/www/ticrypt-vmc/
----

== Configuration files `config.toml` and `config.toml.sig`
An example configuration file `config.toml` is:

[source,toml]
----
# The host
host = "ticrypt.example.com"

# The address range for the VMs
network = "172.24.0.0/16"

# Sets the cost of the key derivation function used when deriving the shared
# keys for the secure communication channel with clients.
pbkdf2Iterations = 100000
----

CAUTION: The `host` parameter must be identical to the hostname in the TLS/SSL certificate.

CAUTION: The `network` parameter must cover the range used by the realm configuration.

To get the configuration file `config.toml` signed, contact Tera Insights. You will receive the corresponding file `config.toml.sig`.

WARNING: The VM Stub will refuse to work without signed configuration files.

Once you get your configuration file and the signature, copy them into the directory `/var/www/ticrypt-vmc`.