Installing DANOS on Virtual Box
Recent versions of Virtual Box have the networking capabilities to install and run DANOS for demonstrations and learning about the features of DANOS.
The instructions below were done on the 6.1 version of Virtual Box. Generally, the approach is the same as the libvirt and OpenStack installs where the ISO disk is attached and ‘install image’ is run on the attached virtual hard disk and then the ISO is removed. The key difference is to choose the Network Adapter as virtio-net.
In this ‘How-To’ we will create a three VM virtual box environment with a DANOS router, a traffic source and a traffic sink so we can demonstrate routing and basic firewall operations.
Prerequisites
Laptop/Desktop with sufficient memory for 8 - 12 GB of virtual machine memory and 4 to 8 vCPU. A 32GB laptop, Intel Core i7 on Windows 10 was used for this How-To but that is not the minimum.
Virtual Box 6.1 or later
DANOS ISO downloaded locally to where you are running Virtual Box.
You may need to download an Ubuntu ISO as well if you don't already have a Linux image in your Virtual Box setup.
Use Case Environment
The use case will be three virtual machines.
DANOS vRR
DANOS with 4 ports, an Ubuntu VM as a traffic source and an Ubuntu VM as a traffic sink
dp0p0s3 (adapter 1) - will be a dhcp Bridged Adapter so we can SSH into the vRR.
dp0p0s8 (adapter 2) - 192.168.2.2/24 (intnet)
dp0p0s9 (adapter 3) - 192.168.3.2/24 (intnet)
VM source (works better if only one is enabled at a time)
adapter 1 - NAT (to get to internet for apt update / apt install)
adapter 2 - 192.168.2.3/24 gateway 192.168.2.2 (intnet)
VM sink (works better if only one is enabled at a time)
adapter 1 - NAT (to get to internet for apt update / apt install)
adapter 2 - 192.168.3.3/24 gateway 192.168.3.2 (intnet)
Step by step instructions
Create the DANOS Image from the ISO
Create a new image using the Virtual Box Manager → Machine → New
Enter a name (e.g. danosVRR)
Select Linux
Select Debian-64
Click Next
Select 4096 MB of RAM and Click Next
Select ‘Create a virtual hard disk now’ and Click Create
Select ‘Virtual Hard Disk’, not VDI or VMDK (these may work but the DANOS image uses a fixed disk size) and Click Next
Select ‘Use Fixed Size’ and Click Next
Select 8.00 GB and Click Create
The image should now be in your list of instances available to start
You may want to set Adapter 1 Adapter-Type to Advanced → Paravirtualized Network (virtio-net) so that you avoid an error when we activate dhcp in the next section.
Install the DANOS Image
Start the image you just created
Select as the start-up image the DANOS ISO
Click on the file folder icon
Click on +Add and a file browser window should pop up
Navigate to the DANOS ISO and click on “Open”
The ISO should be on the displayed list of options, select and click on “Choose”
Click Start
The virtual machine should now boot from the ISO, present a boot screen and then proceed to boot to a shell as vyatta
We want to activate dhcp on the dp0p0s3 port and turn on ssh so that we can use putty or ssh to configure DANOS with copy/paste. The recommended way is to use the config cli and to choose /config/config.boot as the source of the configuration when doing install image.
config
set interfaces dataplane dp0p0s3 address dhcp
set service ssh
commit
exit
You may get an error as it tries to start the dhcp client but you should ignore this error since we will correct the Adapter Types in the next section. You can check that the config is correct with a show config
Type ‘install image’ and follow the same sequence as the libvirt install
default for image name
default to select /config/config.boot
In the 2005 version, you will be asked to create an administrator account by supplying a username and password.
In the 1908 version the default user is vyatta and you supply a password.
default tty
default No for grub password
default No for reduced grub layout
it will prompt to confirm to install on /sda (this will be the new hard disk image we use instead of the iso)
default for gpt
default for partition and partition size
default for log partition [0]
default for Print final sizes
enter ‘yes’ to Continue the install
you should get a ‘Done’ at the end
Configure Machine Settings
At this point, the ISO is still attached to the machine and needs to be removed
Shut down the machine (I usually pick sending the signal)
Remove the ISO image attached to the optical device
Go into Virtual Box Manager
Select your DANOS instance
Select Settings
Select Storage
Right-click on the DANOS ISO and Select ‘Remove Attachment’
Click ‘Remove’
Select System and set the number of CPUs to 4. If your environment is limited you should be able to get by with just 2 vCPUs. The default Chipset PIIX3 should be fine.
Network: let's enable adapters for our demonstrations. You will need to make sure that all enabled adapters use an Adapter-Type of Paravirtualized Network (virtio-net) or the dataplane will not come up. Select Network
Adapter 1 should be attached as 'Bridged Adapter'
Click Advanced
Select Adapter Type: Paravirtualized Network (virtio-net)
Select Adapter 2, Select Enable and Select Internal Network and take the default name as ‘intnet’
select Advanced and choose Adapter Type: Paravirtualized Network (virtio-net) like adapter 1.
we will attach traffic source and traffic sink to this internal VB network and use static IP addresses
Repeat for Adapter 3 and 4 just like Adapter 2 with the same name for the internal network (you can use a different internal network name but then we have to set that same name for the other VMs and for a local demonstration it is not needed).
We enabled Adapter 4 in case you want to try more advanced routing options but it is not used in this setup.
Start the machine
There should not be a long delay if the Adapters are set correctly and you should see dp0p0s3 starting DHCP. After a minute you should be at the console port with a login prompt.
Log in as vyatta/vyatta (or your chosen password)
show interfaces should show the dp0p0s3 interfaces as u/u
if you need to edit networking you may need to give your login superuser status.
Enter config mode
set system login user vyatta level superuser
commit
exit
log out of the machine and login
you should be able to sudo and edit /etc/network/interfaces as needed
You should be able to login to the vRR using telnet/putty to the IP listed.
Let's configure DANOS for our demonstration
enter config mode
set interfaces dataplane dp0p0s8 address 192.168.2.2/24
set interfaces dataplane dp0p0s9 address 192.168.3.2/24
commit
show interfaces
exit
show interfaces
Create a Traffic Sink
Create an Ubuntu VM (you may need to download an Ubuntu ISO)
1 vCPU, 2 GB memory, 10 GB storage but even less memory is probably okay
Adapter 1 should be NAT
Adapter 2 should be enabled on the Internal Network with the same name as the vRR
There is no need for advanced settings.
The Ubuntu install will automatically remove the iso image during the install so simply hit enter on the reboot after install.
I enable Adapter 1, login and do apt update, apt install lighttpd, apt install curl, apt install net-tools, apt install traceroute and then disable Adapter 1.
This may not be needed if your networking environment doesn't confuse Ubuntu like mine did
You may need to add a corporate proxy to your APT configuration
sudo vi /etc/apt/apt.conf.d/proxy.conf
Acquire::http::Proxy "http://yourproxyaddress:proxyport";
You can use Ubuntu → Settings → Network to set the static IP address on the dp0p0s8 adapter
IPv4 Manual
192.168.3.3 255.255.255.0 192.168.3.2
Make sure curl http://127.0.0.1/ returns some html and you can ping the gateway 192.168.3.2 on the traffic-SINK
Repeat for the Traffic-Source but use 192.168.2.3, 192.168.2.2 as the gateway
Test
You should be able to ping the 192.168.3.3 address from the Traffic Source (192.168.2.3) and vice versa. Curl to the traffic-SINK (192.168.3.3) should work from 192.168.2.3.
show interface counters should reflect the routing through the vRR
You can update the DANOS firewall rules and enable/disable the firewall to test a Port 80 connection policy just like the OpenStack use case.
Create a Firewall policy and attach it to interface dp0p0s8 (the traffic-SOURCE ingress port towards the traffic-SINK)
vyatta@vyatta:~$ config
[edit]
vyatta@vyatta# set security firewall name Test80 description "Allow port 80"
[edit]
vyatta@vyatta# set security firewall name Test80 rule 100 destination address 192.168.3.3
[edit]
vyatta@vyatta# set security firewall name Test80 rule 100 destination port 80
[edit]
vyatta@vyatta# set security firewall name Test80 rule 100 protocol tcp
[edit]
vyatta@vyatta# set security firewall name Test80 rule 100 action accept
[edit]
vyatta@vyatta# set interfaces dataplane dp0p0s8 firewall in Test80
[edit]
vyatta@vyatta# commit
[edit]
Curl should still work but ping will fail because the policy does not allow ICMP through.
Disable port 80
config
set security firewall name Test80 rule 100 action drop
commit
Curl should also be blocked now
Enable Curl on port 80 with:
config
set security firewall name Test80 rule 100 action accept
commit
Now let's enable ICMP so both ping and curl work to traffic-SINK (192.168.3.3) from the traffic-SOURCE (192.168.2.3)
vyatta@vyatta# set security firewall name Test80 rule 110 destination address 192.168.3.3
[edit]
vyatta@vyatta# set security firewall name Test80 rule 110 protocol icmp
[edit]
vyatta@vyatta# set security firewall name Test80 rule 110 action accept
[edit]
vyatta@vyatta# commit
[edit]
Turn on UDP to permit traceroute through so we can see the vRR is doing the routing.
vyatta@vyatta# set security firewall name Test80 rule 120 destination address 192.168.3.3
[edit]
vyatta@vyatta# set security firewall name Test80 rule 120 protocol udp
[edit]
vyatta@vyatta# set security firewall name Test80 rule 120 action accept
[edit]
vyatta@vyatta# commit
[edit]
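The firewall steps above each change what should and should not get through the vRR. The script below is an added example, not part of the original How-To or of DANOS: run from the traffic-SOURCE, it probes the traffic-SINK with curl, ping and traceroute and compares the result with what each stage of the Test80 policy should allow. The script name verify_stage.sh and the stage names (accept80, drop80, icmp, udp) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original How-To). Run on the traffic-SOURCE
# after each commit on the vRR:  sh verify_stage.sh accept80|drop80|icmp|udp
SINK=${SINK:-192.168.3.3}   # traffic-SINK address used in this How-To

# Probes return 0 when the traffic got through the vRR. Timeouts are short so
# a dropped flow is reported quickly instead of hanging.
probe_tcp80() { curl -s -o /dev/null --max-time 3 "http://$SINK/"; }
probe_icmp()  { ping -c 1 -W 2 "$SINK" >/dev/null 2>&1; }
probe_udp() {
  # Default Linux traceroute sends UDP; success means some hop line (not the
  # header on line 1) shows the sink itself answering.
  traceroute -n -q 1 -w 1 -m 3 "$SINK" 2>/dev/null |
    awk -v s="$SINK" 'NR > 1 && $2 == s { ok = 1 } END { exit !ok }'
}

# Expected result per stage, in the order: tcp/80 icmp udp.
# Anything no rule accepts is dropped, which is why ping fails at accept80.
expected() {
  case "$1" in
    accept80) echo "pass drop drop" ;;  # rule 100 accept only
    drop80)   echo "drop drop drop" ;;  # rule 100 switched to drop
    icmp)     echo "pass pass drop" ;;  # rule 110 added
    udp)      echo "pass pass pass" ;;  # rule 120 added
    *)        return 2 ;;
  esac
}

# Turn a probe's exit status into the word used in the expected table.
observe() { if "$1"; then echo pass; else echo drop; fi; }

verify_stage() {
  want=$(expected "$1") || { echo "unknown stage: $1" >&2; return 2; }
  got="$(observe probe_tcp80) $(observe probe_icmp) $(observe probe_udp)"
  echo "stage=$1 want=[$want] got=[$got] (tcp/80 icmp udp)"
  [ "$want" = "$got" ]
}

# Only probe the network when a stage name is given on the command line.
if [ "$#" -gt 0 ]; then verify_stage "$1"; fi
```

A drop where pass is expected usually points to a missing commit or rule. A pass where drop is expected means the ruleset on dp0p0s8 is more permissive than intended.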
You should be able to extend this How-To for more features and different topologies depending on how much memory/cpu you have available.