Start vm from command line

[VDoro]

Hi there.

We have VirtualBox installed in our labs for studnets.
Due to security concerns - we don't want virtual machines to be on our network, especially Kali Linux that we have for cybersecurity course.
So what we have done - by manipulating file security permissions we managed to achive one of our main goals.
- Students wont be able to modify existing vms - so they don't have access to college LAN.
Also we run

Code: Select all

VBoxManage setextradata global GUI/Customizations noSelector,noMenuBar,noStatusBar

and create shortcuts to vms
So for student there is no VirtualBox gui available only shortcuts

Now the second goal is that the student wont be able to create new vms.

Code: Select all

VBoxManage createvm         --name <name>
                                                   [--groups <group>, ...]
                                                   [--ostype <ostype>]
                                                   [--register]
                                                   [--basefolder <path>]
                                                   [--uuid <uuid>]
                                                   [--default]

If student tries to create vm with

Code: Select all

--register

switch it will fail - because VirtualBox.xml is read-only and VBOX_USER_HOME was changed it is now in "C:\VM\"
It is system variable and non Administrators can not change it.

Code: Select all

VBoxManage startvm          <uuid|vmname>...
                            [--type gui|sdl|headless|separate]
                            [-E|--putenv <NAME>[=<VALUE>]]

And here is the question:
Is there any way to

Code: Select all

startvm

without registring it in VirtualBox.xml? Is there any way student can create new vm with his own options and start it.
What would be Your way to launch vm in such an environment. Maybe import appliance via command line?
We just want to be sure that it will be immposible for student to create and launch his own vm. Thank You.

[scottgus1]

Regrettably, your project starts from an untenable position:

VirtualBox.xml is read-only

This is a show-stopper. Virtualbox reads its xml files but also re-writes them at any time at its own discretion. You'll run into untold problems down the line by finagling permissions. Things like this:

VBoxManage setextradata global GUI/Customizations noSelector,noMenuBar,noStatusBar

are undoable by the regular user. Virtualbox is designed to run by a regular non-admin user, and attempts to prevent these things from being user-editable will break Virtualbox.

Additionally, not allowing the GUI restricts them from learning the GUI, which could be a valuable thing to teach them.

Better to stem the problem at its source:

so they don't have access to college LAN.

If your students' PCs are networked to the college LAN, they will get onto it. Students are hackers by nature. If it's there, they'll get into it. Doesn't matter what 'it' is.

A Stack-Exchange-style frame challenge: keep the students off the college LAN by not connecting them to the LAN. Instead, have a separate private network switch & Wi-fi access point handling these classrooms' PCs. Don't connect that switch to the college LAN. Now your students can hack each other all day long, and the air gap prevents them from editing their grades on the department server WarGames fashion. If you must allow them internet, you can also add a decent firewall router between the switch and the college LAN with adequate blocking rules, similar to this on a single Virtualbox host: Virtualbox Networks: In Pictures: "Sandbox" Or your school could spring for a separate internet connection for the computer lab.

*****************
To answer your final questions:
A VM must be registered to start it. You can see the command line necessary by right-clicking the VM in the list and make a desktop shortcut, then inspect the shortcut. Also this will start a VM:

vboxmanage startvm "VM name"

[VDoro]

Thank You so much for Your answer. Now I'm calm.

So right!

Students are hackers by nature

If we will - here is the forum for us to ask.
But suprisingly it works when You launch vm from a shortcut, and it shuts down correctly. Also .vbox file in machine folder is read-only too. But not the Logs folder - it's world writable.

You'll run into untold problems down the line

No doubdt. But it was so hard to make those restrictions working. I was amazed that none of the virtualization solutions are intended for educational environment - nor Hyper-V, nor VMWare, nor VirtualBox.
The choice for us is or no GUI or hundreds of fully pledged Kali LInux vms in our network.

Additionally, not allowing the GUI restricts them from learning the GUI, which could be a valuable thing to teach them

Once more thank You for Your expert answer.

[scottgus1]

hundreds of fully pledged Kali LInux vms in our network.

Not if you don't connect them to the network.