Build a Course
Allocating Resources
There are a few rules of thumb for allocating resources. Our enterprise PowerEdge servers can easily service 250+ VMs of varying sizes. Our enterprise security class has over a dozen systems per student with about 20 students in a class; all of those VMs have 2 vCPUs and at least 2 GiB RAM, and the 2-3 Windows systems and the log server typically have 4 GiB RAM. On our little reference-architecture NUCs we will have to make do with a small example set of VMs.
We will build two courses:
- OMJ-100 (Introduction to Offensive Magic)
- DAD-480 (Advanced Defense against the Dark Arts)
Course Config
Each class has a JSON configuration file that holds the parameters the class needs: the networks required for each student, the location of the linked-clone parents, and the datastores and hypervisors that support the class.
Here's a sample one, OMJ-100-01-config.json:
{
"domain": "range.local",
"ad_vsphere_group": "vsphere-users",
"vcenter_server": "vcenter.range.local",
"courses_folder": "SPRING-23",
"course_name": "OMJ-100-01",
"course_networks_folder": "COURSE-NETWORKS",
"student_networks_folder": "STUDENT-NETWORKS",
"group_networks_folder": "GROUP-NETWORKS",
"student_role": "range-student",
"esxi_host": "esxi2.range.local",
"data_store_name": "NFS-STUDENT",
"base_vms":"BASE-VMS",
"student_vms_folder":"STUDENT-VMS",
"course_vms_folder": "COURSE-VMS",
"group_vms_folder" : "GROUP-VMS",
"default_network":"OMJ-100-01-WAN",
"networks":["LAN","DMZ","MGMT","OPT"],
"instructors":["severus.snape"],
"instructor_role" : "range-instructor",
"snapshots": "1"
}
key | description |
---|---|
domain | the Active Directory domain, like range.local |
ad_vsphere_group | the AD group that students and instructors belong to; it is the parent group for vSphere access |
vcenter_server | fqdn for the vcenter server |
courses_folder | where in the vcenter hierarchy should this course be inserted |
course_name | keep it brief enough to identify the section, it will be prepended on a lot of objects |
course_networks_folder | folder for course networks (like the COURSE WAN) |
student_networks_folder | folder containing student networks |
group_networks_folder | for group projects such as a team competition or group work, where identities are keyed by AD group name rather than by student |
student_role | vcenter role for students |
esxi_host | a course is pinned to a specific hypervisor, given as IP or FQDN |
data_store_name | network or local datastore for linked clones |
base_vms | the folder name in the hierarchy to search for parent vms by name |
student_vms_folder | folder containing all student vms |
course_vms_folder | courses have vms themselves like the gateway or in some cases a web server |
group_vms_folder | folder containing group vms |
default_network | when a VM is provisioned, we typically attach its adapter to the course WAN |
networks | an array of per-student networks; some courses have only a LAN, others have 3 or 4 |
instructors | array of instructor names, they have different privileges |
instructor_role | vsphere role for instructors |
snapshots | use with care: if you give students unlimited snapshots they will drain your storage very quickly; 0 or 1 is best |
The Roster
Each class has a roster of student names. These must match the account names in Active Directory exactly, because when deploying VMs we essentially loop through the roster and deploy that module's set of VMs for each name. It is often helpful for an instructor to have a "student account" so that they can validate and troubleshoot the environment as a student would.
OMJ-100-01-roster.txt
hermione.granger
ronald.weasely
#draco.malfoy
Note: you can comment out a student with a leading # to have them skipped. This allows one-off redeployments when a single student has borked their VM.
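As an added example (not part of the course driver or the page's own tooling), the following Python pre-flight check reads the config keys and the roster format shown above before anything is provisioned: it rejects a config that allows more than one snapshot per student, skips commented-out roster lines, refuses duplicates, and lists the per-student networks the deploy loop would create. The first.last logon-name check and the <course>-<student>-<network> naming scheme are assumptions of this example; the page does not specify them.

```python
"""Pre-flight checks for a course config and roster.  Added example, not the
course driver's code.  Sample inputs below are constructed from the page;
the per-student network naming is an assumption made for illustration."""
import json
import re
from typing import Dict, List

# Every key present in the sample OMJ-100-01-config.json is treated as required.
REQUIRED_KEYS = frozenset({
    "domain", "ad_vsphere_group", "vcenter_server", "courses_folder",
    "course_name", "course_networks_folder", "student_networks_folder",
    "group_networks_folder", "student_role", "esxi_host", "data_store_name",
    "base_vms", "student_vms_folder", "course_vms_folder", "group_vms_folder",
    "default_network", "networks", "instructors", "instructor_role", "snapshots",
})

# Assumption: roster entries are AD logon names in first.last form; display
# names, spaces or DOMAIN\ prefixes would never match an AD account.
AD_NAME = re.compile(r"^[A-Za-z0-9]+(?:[._-][A-Za-z0-9]+)*$")


def load_config(text: str) -> Dict:
    """Parse the course JSON and enforce the invariants the deploy loop relies on."""
    cfg = json.loads(text)
    missing = REQUIRED_KEYS - set(cfg)
    if missing:
        raise ValueError(f"config missing keys: {sorted(missing)}")
    course = cfg["course_name"]
    # course_name is prepended to many objects; the course WAN must carry it too.
    if not cfg["default_network"].startswith(course + "-"):
        raise ValueError(f"default_network should start with {course}-")
    nets = cfg["networks"]
    if not nets or len(set(nets)) != len(nets):
        raise ValueError("networks must be a non-empty list of unique names")
    # The sample stores snapshots as a string; more than one per student drains storage.
    snaps = int(cfg["snapshots"])
    if snaps not in (0, 1):
        raise ValueError(f"snapshots={snaps}: allow at most 1 per student")
    cfg["snapshots"] = snaps
    return cfg


def config_error(text: str) -> str:
    """Return the validation error for a config, or '' if it is clean."""
    try:
        load_config(text)
    except (ValueError, KeyError) as exc:
        return str(exc)
    return ""


def load_roster(text: str) -> List[str]:
    """Active students in roster order.  A leading '#' comments a student out
    so the deploy loop skips them (used for one-off redeploys)."""
    students: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not AD_NAME.match(line):
            raise ValueError(f"roster line {lineno}: {line!r} is not an AD logon name")
        if line.lower() in seen:  # AD logon names are case-insensitive
            raise ValueError(f"roster line {lineno}: duplicate student {line}")
        seen.add(line.lower())
        students.append(line)
    return students


def plan_networks(cfg: Dict, students: List[str]) -> List[str]:
    """Port groups the deploy loop would create: one per student per network.
    The <course>-<student>-<network> naming is an assumption of this example."""
    return [f"{cfg['course_name']}-{s}-{net}" for s in students for net in cfg["networks"]]


# Constructed sample inputs, copied from the config and roster shown above.
SAMPLE_CONFIG = """{
"domain": "range.local", "ad_vsphere_group": "vsphere-users",
"vcenter_server": "vcenter.range.local", "courses_folder": "SPRING-23",
"course_name": "OMJ-100-01", "course_networks_folder": "COURSE-NETWORKS",
"student_networks_folder": "STUDENT-NETWORKS", "group_networks_folder": "GROUP-NETWORKS",
"student_role": "range-student", "esxi_host": "esxi2.range.local",
"data_store_name": "NFS-STUDENT", "base_vms": "BASE-VMS",
"student_vms_folder": "STUDENT-VMS", "course_vms_folder": "COURSE-VMS",
"group_vms_folder": "GROUP-VMS", "default_network": "OMJ-100-01-WAN",
"networks": ["LAN", "DMZ", "MGMT", "OPT"], "instructors": ["severus.snape"],
"instructor_role": "range-instructor", "snapshots": "1"
}"""
SAMPLE_ROSTER = "hermione.granger\nronald.weasely\n#draco.malfoy\n"
# The same config with an unsafe snapshot setting, to show the check firing.
BAD_SNAPSHOT_CONFIG = SAMPLE_CONFIG.replace('"snapshots": "1"', '"snapshots": "5"')

if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for name in plan_networks(cfg, load_roster(SAMPLE_ROSTER)):
        print(name)
    print("bad config:", config_error(BAD_SNAPSHOT_CONFIG))
```

Run it before the deploy loop; with the sample roster only the two uncommented students are planned, giving eight per-student networks for the four networks in the config, and the snapshot check refuses the config as soon as the value is raised above 1.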
The Course Powershell Driver
The example driver can be found here. It can run non-interactively, but a simple set of prompts is helpful when deploying throughout the semester; you only need to initialize the course once.
Initialize a Course
Once all of the above is configured, we can initialize the course, which establishes the folder structure and the COURSE-WAN. We can also provision the student private networks. For instance, each student in enterprise security has a LAN, DMZ and management (MGMT) network, and they all share the COURSE-WAN.
The following function initializes the course, based on the configuration within the course .json file.
initializeCourse -configuration_file $configuration_file
The Course Gateway
Each course typically has its own vyOS router that links a COURSE-WAN with the physical network. This level of abstraction lets us keep the same internal IP structure for most courses, including the default gateway address on the COURSE-WAN network. The instructions assume you've already created a vyOS base virtual machine. The course gateway and other production VMs (as opposed to fly-by-night ephemeral student VMs) are best deployed as full clones, independent of a parent VM. Keep in mind that the gateway only masquerades; it does not filter. Whatever eth0 can reach, including the hypervisor and vCenter management addresses on the range network, is reachable from student VMs unless you add firewall rules on the gateway.
Create a full clone of your vyOS base VM and place it in your COURSE-VMS folder. The clone should be configured to run on the same ESXi host as the one named in your .json file. In this case we store the VM on the ESXi host's local datastore.
Virtual Networking
Put Network Adapter 1 on VM Network and Adapter 2 on the COURSE-WAN. These correspond to eth0 and eth1 in vyOS.
The following are the vyOS commands required for a typical course. Set and commit the login password first, before eth0 gets a static address and SSH is reachable. The configuration can start on the console and then shift to SSH once you've set your eth0 IP address. The SSH listen-address must be an address that is actually configured on the router, so it is the eth0 address set here; the delete of listen-address 0.0.0.0 is only needed if your base VM had that value set, otherwise the commit will complain that there is nothing to delete and you can skip that line.
- vyOS console
configure
set system login user vyos authentication plaintext-password THEHARDPASSWORDGOESHERE
commit
save
set interfaces ethernet eth0 address 192.168.1.233/24
delete interfaces ethernet eth0 address dhcp
set service ssh listen-address 192.168.1.233
delete service ssh listen-address 0.0.0.0
set system hostname GW-OMJ-100-01
commit
save
- over SSH
configure
set interfaces ethernet eth0 description RANGE-LOCAL
set interfaces ethernet eth1 description COURSE-WAN
set interfaces ethernet eth1 address 10.0.17.2/24
set nat source rule 10 description 'NAT to RANGE-LOCAL'
set nat source rule 10 outbound-interface eth0
set nat source rule 10 source address 10.0.17.0/24
set nat source rule 10 translation address masquerade
set protocols static route 0.0.0.0/0 next-hop YOURUPSTREAMGATEWAY
set service dns forwarding allow-from 10.0.17.0/24
set service dns forwarding listen-address 10.0.17.2
set service dns forwarding system
set system name-server YOURNAMESERVERIP
commit
save
- optional DHCP (still in configure mode over SSH; the pool leaves 10.0.17.2 through 10.0.17.19 free for the gateway and any statically addressed course VMs)
set service dhcp-server global-parameters 'local-address 10.0.17.2;'
set service dhcp-server shared-network-name DHCPPOOL authoritative
set service dhcp-server shared-network-name DHCPPOOL subnet 10.0.17.0/24 default-router '10.0.17.2'
set service dhcp-server shared-network-name DHCPPOOL subnet 10.0.17.0/24 dns-server '10.0.17.2'
set service dhcp-server shared-network-name DHCPPOOL subnet 10.0.17.0/24 domain-name 'range.local'
set service dhcp-server shared-network-name DHCPPOOL subnet 10.0.17.0/24 lease '86400'
set service dhcp-server shared-network-name DHCPPOOL subnet 10.0.17.0/24 range POOL1 start '10.0.17.20'
set service dhcp-server shared-network-name DHCPPOOL subnet 10.0.17.0/24 range POOL1 stop '10.0.17.200'
commit
save