LibVirt fixes

This commit is contained in:
Chris Long
2020-02-17 15:04:32 -08:00
parent f3c40e84b5
commit 16003bbd68
4 changed files with 124 additions and 191 deletions

@@ -1,55 +0,0 @@
# Detection Lab Libvirt build
## Intro
This page contains the instruction to build DetectionLab for Qemu/LibVirt. This is the provider for you *if*:
* You are familiar with LibVirt, virt-manager and Qemu and prefer this software stack instead of VirtualBox
* You are willing to spend a bit more time thinkering with the build process as it is less hands-off than the official DetectionLab
A [step-by-step guide is available here](https://selorasec.wordpress.com/2019/12/03/ad-in-a-box-for-pocs-and-iocs-on-the-cheap-detectionlab-on-libvirt/#Setting_Up_Vagrant).
## Prequisite
### LibVirt
The `libvirt` and `virt-manager` installation walkthrough and documentation is out of scope of this project. To follow along, you need an already working installation of `libvirt`, `virt-manager`, and `QEMU+kvm`.
### Packer
1. The [Virtio drivers](https://docs.fedoraproject.org/en-US/quick-docs/creating-windows-virtual-machines-using-virtio-drivers/) ISO needs to be location in the `DetectionLab/Packer/` directory.
* This is a direct [link to the latest version of the virtio drivers ISO](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/virtio-win.iso).
* There's also a "stable" version available [here](https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso).
2. Edit the windows_X.json files
* Make sure the following user-defined variables are pointing to the right thing:
* `virtio_win_iso` : The ISO containing thethe lastest VirtIO drivers
* `packer_build_dir` : Where to output the QCOW2 images. It's a temporary directory, the .box files will still be in DetectionLab/Packer
3. Build the images
```
env TMPDIR=/path/to/large/storage/ PACKER_LOG=1 PACKER_LOG_PATH="packer_build.log" packer build --only=qemu windows_2016.json
env TMPDIR=/path/to/large/storage/ PACKER_LOG=1 PACKER_LOG_PATH="packer_build.log" packer build --only=qemu windows_10.json
```
### Vagrant
1. Install the necessary plugins:
* `vagrant plugin install vagrant-reload vagrant-libvirt vagrant-winrm-syncedfolders`
* See the guide for ubuntu as the vagrant packages comes with a ton on unofficial & outdated plugins that will cause problems
2. Add the previously built windows .box files
* `vagrant box add windows_10_libvirt.box --name windows_10_libvirt`
* `vagrant box add windows_2016_libvirt.box --name windows_2016_libvirt`
3. Build: `vagrant up --provider libvirt --no-parallel --provision`
#### Notes:
The libvirt builder is highly experimental. This sections describes the tradeoffs and the differences between the vanilla DetectionLab.
- No pre-built images and integration with the build.sh script for now. This means building the Windows base boxes with Packer (> 1h) and provisioning with Vagrant manually (> 1h). Fortunately, the process is relatively straightforward.
- The boxes will have two network adapters
The vagrant-libvirt provider works by binding to a "management" network adapter IP addresses. The way vagrant finds the VM's IP address is by probing the dnsmasq lease file of libvirt's host. There's probably a better way, but this is the best I could do that just works (tm) so far. Here's what the configuration looks like:
* Management Network: Isolated network, no NAT, no internet access, with DHCP.
* Detectionlab Network: 192.168.38.0/24, with NAT, with internet access, with DHCP.
- The synced folder is using an old, slow and buggy plugin. While this barely works, it's enough to push the provisioning scripts to the Windows instances. Any modifications to the `vm.synced_folder` in the VagrantFile libvirt provider will likely break the provisionning process
- The graphical and input settings assume the use of virt-manager with the SPICE viewer on Windows and the VNC viewer on Linux (logger). The spice agent for copy/pasting and other quality of life improvement, like auto-resolution changes is *NOT* installed on the Windows hosts. *Guacamole* is a better way to access your VMs.
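Review bot: Deleting this README in full removes the only in-tree record of the libvirt prerequisites (virtio ISO location, the `virtio_win_iso` and `packer_build_dir` variables, the plugin list) and of the two-adapter layout with the isolated management network. The Vagrantfile comment in this commit points to the wiki instead, so confirm the wiki page carries these sections before merging, or leave a short stub here that links to it.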

@@ -1,50 +1,6 @@
{
"builders": [
{
"type": "qemu",
"vm_name":"windows_10",
"communicator": "winrm",
"iso_url": "{{user `iso_url`}}",
"iso_checksum_type": "{{user `iso_checksum_type`}}",
"iso_checksum": "{{user `iso_checksum`}}",
"headless": true,
"boot_wait": "6m",
"boot_command": "",
"winrm_username": "vagrant",
"winrm_password": "vagrant",
"winrm_timeout": "4h",
"shutdown_timeout": "2h",
"shutdown_command": "a:/sysprep.bat",
"accelerator": "kvm",
"disk_size": "{{user `disk_size`}}",
"output_directory": "{{ user `packer_build_dir`}}",
"qemuargs": [
[ "-m", "2048"],
[ "-smp", "2"],
[ "-drive", "file={{ user `virtio_win_iso` }},media=cdrom,index=3" ],
[ "-drive", "file={{ user `packer_build_dir`}}/{{ .Name }},if=virtio,cache=writeback,discard=ignore,format=qcow2,index=1" ]
],
"floppy_files": [
"{{user `autounattend_virtio`}}",
"./floppy/WindowsPowershell.lnk",
"./floppy/PinTo10.exe",
"./scripts/fixnetwork.ps1",
"./scripts/rearm-windows.ps1",
"./scripts/disable-screensaver.ps1",
"./scripts/disable-winrm.ps1",
"./scripts/enable-winrm.ps1",
"./scripts/microsoft-updates.bat",
"./scripts/win-updates.ps1",
"./scripts/unattend.xml",
"./scripts/sysprep.bat"
]
},
{
"type": "vmware-iso",
"vm_name": "windows_10",
"communicator": "winrm",
@@ -132,6 +88,57 @@
"2"
]
]
},
{
"type": "qemu",
"vm_name": "windows_10",
"communicator": "winrm",
"iso_url": "{{user `iso_url`}}",
"iso_checksum_type": "{{user `iso_checksum_type`}}",
"iso_checksum": "{{user `iso_checksum`}}",
"headless": false,
"boot_wait": "6m",
"boot_command": "",
"winrm_username": "vagrant",
"winrm_password": "vagrant",
"winrm_timeout": "4h",
"shutdown_timeout": "2h",
"shutdown_command": "a:/sysprep.bat",
"accelerator": "kvm",
"disk_size": "{{user `disk_size`}}",
"output_directory": "{{ user `packer_build_dir`}}",
"qemuargs": [
[
"-m",
"2048"
],
[
"-smp",
"2"
],
[
"-drive",
"file={{ user `virtio_win_iso` }},media=cdrom,index=3"
],
[
"-drive",
"file={{ user `packer_build_dir`}}/{{ .Name }},if=virtio,cache=writeback,discard=ignore,format=qcow2,index=1"
]
],
"floppy_files": [
"{{user `autounattend_virtio`}}",
"./floppy/WindowsPowershell.lnk",
"./floppy/PinTo10.exe",
"./scripts/fixnetwork.ps1",
"./scripts/rearm-windows.ps1",
"./scripts/disable-screensaver.ps1",
"./scripts/disable-winrm.ps1",
"./scripts/enable-winrm.ps1",
"./scripts/microsoft-updates.bat",
"./scripts/win-updates.ps1",
"./scripts/unattend.xml",
"./scripts/sysprep.bat"
]
}
],
"provisioners": [
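Review bot: The re-added qemu builder sets `"headless": false`, while the block removed at the top of the file had `"headless": true`; the rest of the block is a move plus a reformatting of `qemuargs`. If the flip is intentional, say so in the commit message, since a non-headless build needs a display on the build host; otherwise restore `true`.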
@@ -188,6 +195,6 @@
"disk_size": "61440",
"virtio_win_iso": "./virtio-win.iso",
"autounattend_virtio": "./answer_files/10_virtio/Autounattend.xml",
"packer_build_dir": "/media/packer_build_dir/win10"
"packer_build_dir": "./win10"
}
}
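Review bot: `"packer_build_dir": "./win10"` makes both `output_directory` and the `-drive` argument built from `packer_build_dir` and `.Name` relative to whatever directory `packer build` is started from, and it puts the QCOW2 output (sized by `disk_size` 61440) inside the working tree. Note the expected working directory next to the variable or in the docs, and add `win10/` to `.gitignore` so the image is not committed by accident.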

@@ -1,47 +1,5 @@
{
"builders": [
{
"type": "qemu",
"vm_name":"windows_10",
"communicator": "winrm",
"iso_url": "{{user `iso_url`}}",
"iso_checksum_type": "{{user `iso_checksum_type`}}",
"iso_checksum": "{{user `iso_checksum`}}",
"headless": true,
"boot_wait": "6m",
"boot_command": "",
"winrm_username": "vagrant",
"winrm_password": "vagrant",
"winrm_timeout": "4h",
"shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"",
"accelerator": "kvm",
"disk_size": "{{user `disk_size`}}",
"output_directory": "{{ user `packer_build_dir`}}",
"qemuargs": [
[ "-m", "2048"],
[ "-smp", "2"],
[ "-drive", "file={{ user `virtio_win_iso` }},media=cdrom,index=3" ],
[ "-drive", "file={{ user `packer_build_dir`}}/{{ .Name }},if=virtio,cache=writeback,discard=ignore,format=qcow2,index=1" ]
],
"floppy_files": [
"{{user `autounattend_virtio`}}",
"./floppy/WindowsPowershell.lnk",
"./floppy/WindowsPowershell.lnk",
"./floppy/PinTo10.exe",
"./scripts/unattend.xml",
"./scripts/sysprep.bat",
"./scripts/disable-screensaver.ps1",
"./scripts/disable-winrm.ps1",
"./scripts/enable-winrm.ps1",
"./scripts/microsoft-updates.bat",
"./scripts/win-updates.ps1"
]
},
{
"vm_name": "WindowsServer2016",
"type": "vmware-iso",
@@ -124,6 +82,55 @@
"2"
]
]
},
{
"type": "qemu",
"vm_name": "windows_10",
"communicator": "winrm",
"iso_url": "{{user `iso_url`}}",
"iso_checksum_type": "{{user `iso_checksum_type`}}",
"iso_checksum": "{{user `iso_checksum`}}",
"headless": false,
"boot_wait": "6m",
"boot_command": "",
"winrm_username": "vagrant",
"winrm_password": "vagrant",
"winrm_timeout": "4h",
"shutdown_command": "shutdown /s /t 10 /f /d p:4:1 /c \"Packer Shutdown\"",
"accelerator": "kvm",
"disk_size": "{{user `disk_size`}}",
"output_directory": "{{ user `packer_build_dir`}}",
"qemuargs": [
[
"-m",
"2048"
],
[
"-smp",
"2"
],
[
"-drive",
"file={{ user `virtio_win_iso` }},media=cdrom,index=3"
],
[
"-drive",
"file={{ user `packer_build_dir`}}/{{ .Name }},if=virtio,cache=writeback,discard=ignore,format=qcow2,index=1"
]
],
"floppy_files": [
"{{user `autounattend_virtio`}}",
"./floppy/WindowsPowershell.lnk",
"./floppy/WindowsPowershell.lnk",
"./floppy/PinTo10.exe",
"./scripts/unattend.xml",
"./scripts/sysprep.bat",
"./scripts/disable-screensaver.ps1",
"./scripts/disable-winrm.ps1",
"./scripts/enable-winrm.ps1",
"./scripts/microsoft-updates.bat",
"./scripts/win-updates.ps1"
]
}
],
"provisioners": [
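Review bot: In the qemu builder of the Server 2016 template, `"vm_name": "windows_10"` is carried over unchanged while the vmware-iso builder in the same file uses `"WindowsServer2016"`; since the block is being moved anyway, rename it so the image name matches the OS. The same block also lists `"./floppy/WindowsPowershell.lnk"` twice in `floppy_files` and flips `"headless"` from `true` to `false`; drop the duplicate and confirm the headless change is intended.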
@@ -172,6 +179,6 @@
"autounattend": "./answer_files/2016/Autounattend.xml",
"virtio_win_iso": "./virtio-win.iso",
"autounattend_virtio": "./answer_files/2016_virtio/Autounattend.xml",
"packer_build_dir": "/media/packer_build_dir/win2016"
"packer_build_dir": "./win2016"
}
}

58
Vagrant/Vagrantfile vendored

@@ -1,26 +1,13 @@
libvirt_win10_box = "../Boxes/windows_10_libvirt.box"
libvirt_win2016_box = "../Boxes/windows_2016_libvirt.box"
Vagrant.configure("2") do |config|
config.vm.provider "libvirt" do |libvirt|
# This is required for Vagrant to properly configure the network interfaces.
# See libvirt's README section for more information
libvirt.management_network_name = "VagrantMgmt"
libvirt.management_network_address = "192.168.123.0/24"
libvirt.management_network_mode = "none"
libvirt.cpu_mode = "host-passthrough"
# Which storage pool path to use. Default to /var/lib/libvirt/images or ~/.local/share/libvirt/images depending on if you are running a system or user QEMU/KVM session.
#libvirt.storage_pool_path = '/media/storage_nvme/system_session_vm_pool'
libvirt.storage_pool_name = 'default'
end
config.vm.define "logger" do |cfg|
cfg.vm.box = "generic/ubuntu1604"
cfg.vm.box = "bento/ubuntu-18.04"
cfg.vm.hostname = "logger"
cfg.vm.provision :shell, path: "bootstrap.sh"
cfg.vm.network :private_network, ip: "192.168.38.105", gateway: "192.168.38.1", dns: "8.8.8.8"
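Review bot: The provider-wide `config.vm.provider "libvirt"` block with the `management_network_*`, `cpu_mode` and `storage_pool_name` settings is removed here, and the visible hunks re-add those settings only inside the logger's `lv` block. The Windows machines' libvirt blocks in the later hunks do not set them, so they would fall back to the provider defaults and could end up on a different management network than logger; either keep the shared block or repeat the settings in each machine's override.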
@@ -51,7 +38,16 @@ Vagrant.configure("2") do |config|
lv.video_vram = 32768
lv.memory = 4096
lv.cpus = 2
# This is required for Vagrant to properly configure the network interfaces.
# See https://github.com/clong/DetectionLab/wiki/LibVirt-Support for more information
lv.management_network_name = "VagrantMgmt"
lv.management_network_address = "192.168.123.0/24"
lv.management_network_mode = "none"
lv.cpu_mode = "host-passthrough"
# Which storage pool path to use. Default to /var/lib/libvirt/images or ~/.local/share/libvirt/images depending on if you are running a system or user QEMU/KVM session.
#libvirt.storage_pool_path = '/media/storage_nvme/system_session_vm_pool'
lv.storage_pool_name = 'default'
override.vm.box = "generic/ubuntu1604"
override.vm.synced_folder './', '/vagrant', type: 'rsync'
end
end
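Review bot: With the default box now `bento/ubuntu-18.04` and the libvirt override still `override.vm.box = "generic/ubuntu1604"`, logger runs a different Ubuntu release under libvirt than under the other providers, so `bootstrap.sh` has to work on both; pick an 18.04 libvirt box or state the difference in a comment. Also, the commented-out `#libvirt.storage_pool_path` line still uses the old block variable; rename it to `lv.storage_pool_path` so it works when uncommented.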
@@ -114,18 +110,12 @@ Vagrant.configure("2") do |config|
lv.video_type = "qxl"
lv.input :type => "tablet", :bus => "usb"
override.vm.box = libvirt_win2016_box
override.vm.box = "../Boxes/windows_2016_libvirt.box"
lv.video_vram = 32768
lv.memory = 3072
lv.cpus = 2
# This is NOT the right semantic for Vagrant synced folder. It's a dirty hack around :
# This is NOT the right semantic for Vagrant synced folder. It's a workaround:
# https://github.com/Cimpress-MCP/vagrant-winrm-syncedfolders/issues/11
# If dest is /vagrant, it'll upload in C:\vagrant\Vagrant....
# It's like 'cp /my/dir /my/dir2' vs 'cp /my/dir /my/dir2/'
#
# The Winrm synced folder plugin is also excruciatingly slow. Would gladly replace with something else
# that works with linux host and windows guest...
override.vm.synced_folder '.', '/', type: 'winrm'
end
end
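Review bot: Replacing `libvirt_win2016_box` with the literal `"../Boxes/windows_2016_libvirt.box"` repeats the same path in every machine block that uses this box. Keeping one variable at the top of the file, as before, leaves a single place to change when the box is stored elsewhere.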
@@ -185,18 +175,10 @@ Vagrant.configure("2") do |config|
lv.graphics_type = "spice"
lv.video_type = "qxl"
lv.input :type => "tablet", :bus => "usb"
override.vm.box = libvirt_win2016_box
override.vm.box = "../Boxes/windows_2016_libvirt.box"
lv.video_vram = 32768
lv.memory = 2048
lv.cpus = 2
# This is NOT the right semantic for Vagrant synced folder. It's a dirty hack around :
# https://github.com/Cimpress-MCP/vagrant-winrm-syncedfolders/issues/11
# If dest is /vagrant, it'll upload in C:\vagrant\Vagrant....
# It's like 'cp /my/dir /my/dir2' vs 'cp /my/dir /my/dir2/'
#
# The Winrm synced folder plugin is also excruciatingly slow. Would gladly replace with something else
# that works with linux host and windows guest...
override.vm.synced_folder '.', '/', type: 'winrm'
end
end
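Review bot: The comment explaining why the destination is `/` is deleted here (and in the next hunk), but `override.vm.synced_folder '.', '/', type: 'winrm'` stays, and only the earlier Windows block keeps the pointer to vagrant-winrm-syncedfolders issue 11. Keep at least a one-line reference in each block, or factor the synced-folder line into one place, so the unusual destination is not read as a mistake.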
@@ -252,18 +234,10 @@ Vagrant.configure("2") do |config|
lv.graphics_type = "spice"
lv.video_type = "qxl"
lv.input :type => "tablet", :bus => "usb"
override.vm.box = libvirt_win10_box
override.vm.box = "../Boxes/windows_10_libvirt.box"
lv.video_vram = 32768
lv.memory = 2048
lv.cpus = 2
# This is NOT the right semantic for Vagrant synced folder. It's a dirty hack around :
# https://github.com/Cimpress-MCP/vagrant-winrm-syncedfolders/issues/11
# If dest is /vagrant, it'll upload in C:\vagrant\Vagrant....
# It's like 'cp /my/dir /my/dir2' vs 'cp /my/dir /my/dir2/'
#
# The Winrm synced folder plugin is also excruciatingly slow. Would gladly replace with something else
# that works with linux host and windows guest...
override.vm.synced_folder '.', '/', type: 'winrm'
end
end