How to set up identical VM's to access separate folders on a file server VM and be unable to see each other's files
Linux - NetworkingThis forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
How to set up identical VM's to access separate folders on a file server VM and be unable to see each other's files
A script generates identical ubuntu VM's. They all have access to a ubuntu file server VM. We want them to only be able to see their own files on the file server and not each other's. How can this be done given the user is the same in all VM's and given the server names of all VM's are the same? Only the DHCP-derived IP's are different.
In other words, how could permissions per IP be implemented? Or ownership per IP? Or per MAC address?
Could limit the number of identical VM's to 10 if need be. The ideal would be to have all files in one folder instead of 10 separate folders. Create 10 different users to become the owners of the files? Also need to counter hackers getting root access to one VM and this is critical: how would they be stopped from accessing files owned by other VM's by spoofing IP's and MAC addresses?
Could generate each VM with a MAC address that will be used to make the username that logs in to the file server, eg user1234567890ab where 12:34:56:78:90:ab is the MAC address, while the file server would have created user user1234567890ab on detection of the MAC address with arp-scan and crucially, the password would be passed to the VM as a text file in a virtual CD, and be a hash on the MAC. But what if the hacker eavesdrops file content while it is transfered? Seems complicated too, any other options?
access separate folders on a file server VM and be unable to see each other's files
Quote:
The idea would be to have all files in one folder instead of 10 separate folders.
I had read your thread prior to your edit and it would be easier having different usernames but your requirements are still confusing. By what protocol/service are you planning on using to access the files? ssh, nfs, samba etc.
The ideal, not the idea. As in, that would be nice to have all files in one place but probably not supported by any protocol. The protocol/service is open. As long as a hacked VM cannot mess with files other than its own or eavesdrop any data transfers. sshfs seems to be promising.
"We want them to only be able to see their own files on the file server and not each other's."
Generally there are two permissions here. One is the protocol permission and the other is the file based permission. I'd think that something like ACL's could support use but multiple folder seems to be usable and more easy.
Any time a system is hacked it could have means to gain access to others.
Some protocols support multiple access (transactional aware) where some don't.
Could have 10 users named user1, user2, ..., user10 and respective private/public key pairs in each VM that are generated with ssh-keygen in the host, saved in respective CD images keys1.iso, keys2.iso, ..., keys10.iso with mkisofs, passed to each generated VM through a line like this in the vmx:
sata0:1.fileName = "keys1.iso"
and the public key of each VM would be sent to the file server by running the following just once in each VM:
cp the key files id_rsa and id_rsa.pub from the virtual CD to ~/.ssh/
NUM=`read the number of this VM from the virtual CD`
ssh-copy-id user$NUM@10.0.0.1 # 10.0.0.1 is the file server
and the public key of the file server would be passed to all VM's by running the folllowing in the server every time a new MAC address is detected with arp-scan:
# Let everyone know my public key
for i in {2..11}
do
ssh-copy-id user@10.0.0.$i
done
and finally each VM mounts the network folder at boot time with something like:
NUM=`read the number from the virtual CD`
sshfs user$NUM@10.0.0.1:/home/user/Desktop /home/user/Desktop -C
pkill nemo-desktop
nemo-desktop &
and now the desktop is actually the file server desktop. Minus files belonging to other users? Not sure what sshfs is doing with permissions.
NFS allows you to export filesystem trees (folder structures) that are accessible to certain NFS clients. As to the requirement to have everything in the same place, you could create directories under /srv that you then export selectively:
where client1, client2 etc. are the NFS client VMs, either their hostnames or IP addresses. This means that client1 has read/write access to the /srv/client1 share and so on.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.