Install Virtual Machines

The SEE allows you to have your application(s) executing on one or more virtual machines protected within the FIPS 140-2 Level 3 boundary. 

The following describes how to create and configure a virtual machine to deploy your application within the virtual machine. Note that your application cannot be executed within the SFP directly and must be executed within a virtual machine.

Create Disk Image

The Secure Foundation Platform (SFP) accepts the following image file types: qcow2 and raw. We recommend the qcow2 type, since it allows the disk image file to grow as needed and allows for snapshots, which enables your image files to be digitally signed. The performance hit of qcow2 compared to a fixed-size image file such as raw is very minor.

The raw image format does not allow for snapshots, and therefore raw disk image files cannot be digitally signed.

You create the image file(s) outside of the SFP so that the virtual machine can be tested, configured, and updated outside the SFP. For example, you can use a virtualization application that produces one of the following disk image formats:

  • VDI: Oracle’s VM VirtualBox hard disk image format.
  • VHDX: Microsoft’s Hyper-V virtual hard disk-X disk image format.
  • VMDK: VMware’s version 3 and 4 compatible disk image formats.

To convert the image to the qcow2 format, use the qemu-img binary available on the SFP. For example, to convert a VMDK disk image to qcow2, issue the following command:

qemu-img convert -f vmdk -O qcow2 <filename>.vmdk <filename>.qcow2

We recommend that you test your disk image file outside of the SEE to ensure that all the necessary software is installed within the image file, before deploying it on the SFP.

If your virtual machine is a Microsoft Windows-based OS, you may need to install additional hardware drivers and/or perform additional libvirt configuration for network access to your virtual machine. For information on how to install additional device drivers to a Windows guest virtual machine running on the SEE, refer to https://www.linux-kvm.org/page/WindowsGuestDrivers.

Store VM Image

The following covers storing your original virtual machine (VM) image file(s). 

The SEE includes an internal 256G SSD and two encrypted external SSDs. Once your VM image is installed within the SFP, a snapshot of the image is taken and any changes to a working VM are stored on the snapshot image. Generally, it is recommended to store the virtual disk images on the internal SSD unless you expect your VM image file to grow beyond 200G; in that case, see Store VM Snapshot on External Disk.

The following instructions cover how to store your VM image file on the internal SSD. Note that myvm refers to the name of your virtual machine.

  1. Access the SFP via SSH.
  2. Create the directory path /cos/vmImages/org/myvm using the command:
    mkdir -p /cos/vmImages/org/myvm
  3. Create the file /cos/vmImages/org/myvm/myvm.link using the command:
    vi /cos/vmImages/org/myvm/myvm.link
  4. Insert the following file content:
    org = /cos/vmImages/org/myvm 
    base = /cos/vmImages/base/myvm 
    work = /cos/vmImages/work/myvm
  5. Save the myvm.link file.

  6. Copy your virtual machine image file to /cos/vmImages/org/myvm/myvm.qcow2. You can use your SSH keys to copy the disk image file onto the SFP.

The org directive specifies the path where the original VM image file(s) will be stored. The image file(s) will not grow since the configuration described below will automatically create two snapshots.

The base directive specifies the path where the first snapshot will be stored. This snapshot allows the OEM to make configuration changes to the VM which will be propagated to the VM when it is deployed. This snapshot image file will not grow, since when the machine is in the deployed operational state (3), changes to the virtual machine are stored only in the second (work) snapshot.

Store VM Snapshot on External Disk

If you expect that your virtual machine image disk will grow beyond 200G, it is recommended that you place the second snapshot image file on one of the encrypted external disks.

To store the second snapshot on one of the external disks, change the contents of the /cos/vmImages/org/myvm/myvm.link file to the following, where diska in the work directive specifies the first encrypted external disk:

org = /cos/vmImages/org/myvm
base = /cos/vmImages/base/myvm
work = /cos/diska/vmImages/work/myvm
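
The layout from Store VM Image and the external-disk variant above can be checked before the VM is configured. The script below is an added example, not vendor code: it reads the three directives from myvm.link, confirms that the image file is named after the VM, and checks the qcow2 magic bytes. The optional root argument and the disk[a-z] pattern are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Pre-flight check for one VM's .link file and image.
# Assumption: the optional second argument replaces /cos as the directory that is
# inspected, so the check can be rehearsed on a build host before copying to the SFP.

# link_get <file> <directive>: print the trimmed value of org, base or work.
link_get() {
    awk -F= -v k="$2" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit }
    ' "$1"
}

# is_qcow2 <file>: true if the file starts with the qcow2 magic bytes "QFI" 0xfb.
is_qcow2() {
    [ "$(od -An -tx1 -N4 "$1" | tr -d '[:space:]')" = "514649fb" ]
}

# check_vm <vm-name> [root]: print each problem found; return non-zero if any.
check_vm() {
    vm=$1; root=${2:-/cos}; rc=0
    link="$root/vmImages/org/$vm/$vm.link"
    img="$root/vmImages/org/$vm/$vm.qcow2"
    [ -f "$link" ] || { echo "missing $link"; return 1; }
    for key in org base work; do
        val=$(link_get "$link" "$key")
        case "$key:$val" in
            "org:/cos/vmImages/org/$vm") ;;
            "base:/cos/vmImages/base/$vm") ;;
            "work:/cos/vmImages/work/$vm") ;;
            # The page names diska; other disk letters are an assumption.
            work:/cos/disk[a-z]/vmImages/work/"$vm") ;;
            *) echo "$link: unexpected $key value '$val'"; rc=1 ;;
        esac
    done
    if [ ! -f "$img" ]; then
        echo "missing $img (image name must match the VM name)"; rc=1
    elif ! is_qcow2 "$img"; then
        echo "$img: no qcow2 magic; convert with qemu-img first"; rc=1
    fi
    return $rc
}
```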

Configure VM

The following covers how to create and configure your VMs using the VM Administration wizard. You can also configure your VM using the WebConf web management interface; for more information, see the guide How to Load Applications into SEE.

  1. Start the VM Administration wizard by running the following command from the SFP command line:
    vmadmin
  2. Select Create New VM and specify the following:
    • VM Name: VM name that must match the name given to the primary disk image file as described in the previous section.
    • VM Memory: The allocated virtual memory in kilobytes.
      (warning) The SEE comes with a maximum of 64 gigabytes of memory. Also, since the file system of the Linux operating system (PrimeLFS) is read-only and the execution of PrimeLFS is done in RAM, this will reduce the amount of memory that can be allocated to a VM. The maximum amount of RAM allocated to all of your VMs should not exceed 50 gigabytes. 
    • VM VCPUs: The number of allocated virtual CPUs to the VM. The current hardware configuration of the SEE has 8 CPUs. The virtualization engine will ignore any value higher than the number of physical CPUs.
    • Snapshot: yes indicates that the SFP application will create the necessary snapshots at the appropriate operational states. no will instruct the SFP application not to create any snapshots.
    • Network: yes indicates that the VM will be configured with at least one network port with the corresponding MAC address (see below).
      (warning) It is recommended to deploy a VM with at least one virtual network interface. However, if the VM is performing internal calculations and the SEE is only operating in the OEM operational state, then forgoing a network interface may be an option.
      (warning) It is possible to add more than one virtual network interface to your VM. This is achieved by editing the libvirt configuration file directly.
    • VM Image Format: Either qcow2 (recommended) or raw.
    • VM VNC Port: Allows the console or desktop of your VM to be accessed over the VNC protocol. If your SEE comes with a Web UI configuration interface, then the VNC server will be listening on an internal address and any external VNC client will need to forward a port via SSH to this internal address. Alternatively, if the Web UI configuration interface is disabled on your SEE, then the VNC server is only listening on localhost; again, using an external client will require you to forward a port via SSH. Must be an integer between 58000 and 59000.
    • VM VNC Password: Password which a VNC client will request when attempting to connect to your VM via the VNC protocol. If no password is given, then no password is required by the VNC client.
    • VM MAC Address: An automatically generated network MAC address. By default, the virtual network interface is configured to use an OpenVSwitch bridge. Therefore, this MAC address will be exposed outside of the SEE.
  3. Press OK to create your VM.
  4. Exit the VM Administration wizard and execute the following script to ensure that the configuration takes effect and is available across re-boots of the SFP:
    writeConfig.sh

Advanced Configuration

The following describes how to configure advanced virtualization parameters in the libvirt virtualization configuration file. All virtualization parameters are stored in an XML file labeled with the name of your virtual machine that can be edited either using the VM Administration wizard or via the SFP command line.

Advanced Configuration using VM Admin wizard

  1. Select the VM Administration wizard option Edit XML Definition.
  2. Edit the parameters using the VM Admin internal XML editor.
  3. Press OK to save the changes.
  4. Execute the following script to ensure that the configuration takes effect and is available across re-boots of the SFP:
    writeConfig.sh
  5. Restart your VM to make the additional bridged network interface available.

Advanced Configuration using SFP CLI

  1. Issue the following command via the command line on the SFP:
    virsh edit myvm

  2. Edit the parameters in the XML editor and save the changes.
  3. Execute the following script to ensure that the configuration takes effect and is available across re-boots of the SFP:
    writeConfig.sh
  4. Restart your VM to make the additional bridged network interface available.

Example

The following example shows how the XML can be edited to insert an additional virtual network interface.

Note: You may need to configure the second virtual network interface within the VM itself, for example by setting an IP address. You should be able to use the first network interface to gain access to your VM to complete this additional configuration.