EVE NG On Google Cloud PDF
Introduction
Building an EVE lab can require more resources than your workstation has.
You can make use of the free tier of Google Cloud to avoid:
- your workstation hardware limitation/upgrade.
- rack rental and its high costs.
When you run EVE in the cloud, all your EVE labs and topology images are hosted on a VM in the cloud.
Why Google Cloud?
It offers a $300 credit when you create a Google Cloud account, which is enough to get a server with up to
52 GB RAM and 8 vCPUs for free.
There is no automatic charge after the free trial ends.
It also supports nested virtualization, which is a must if you want to run QEMU VMs (.qcow2 images) inside
the EVE VM hosted on the cloud.
What about Amazon AWS, …?
The free tier of the other cloud service providers is very limited.
Amazon cloud does not natively support nested virtualization, and their solution comes with high costs.
However, Oracle cloud and Microsoft Azure do support nested virtualization natively.
EVE-NG on Google Cloud
Note: it will ask you for credit card details; however, you will not pay anything at any stage.
After creating your Google Cloud account, you will get the $300 credit and land on the Google
Cloud Platform dashboard.
At any time later, you can access Google Cloud Platform through https://console.cloud.google.com/
Step 2: Create and configure a VM instance
Think of the VM instance as your workstation, which requires an operating system and hardware.
2.1 Name
You can create several VM instances, so you need to give each one a name to distinguish between them.
2.2 Region
Google's datacenters hosting its cloud services are located in several places around the world.
You can choose in which location you want to host your VM instance.
However, pricing is different from one region to another.
Regarding cost, Region = us-east1 (South Carolina) and Zone = us-east1-b are good choices.
Options for the disk which the machine will boot from:
1- an existing disk (must be unattached to be able to attach it to another VM).
2- a snapshot of a previously created disk (to avoid detaching it).
3- a public image (such as Linux Ubuntu and Windows, ...).
4- a custom image.
As we have not created a VM instance before, we cannot rely on the snapshot or existing-disk options now.
Public images are the ones offered to you by the Google Cloud Platform service:
Public images are good, but nested virtualization (needed to run QEMU nodes on the EVE server) is not enabled on them.
So we will customize a public image to enable nested virtualization, using Google Cloud Shell:
where qemu-enabled-image is the output image that we will configure our VM instance to boot from.
The source image we have licensed is Ubuntu 16.04 LTS, which is a cheap and well-suited OS for the EVE server.
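The Cloud Shell command itself only appears in the guide as a screenshot. The script below is an added example (not from the original guide) of that step: it builds the custom image from the Ubuntu 16.04 public image family with the nested-virtualization licence attached, and adds the in-guest check you can run on the finished VM to confirm the CPU actually exposes the vmx/svm flag before you try a QEMU appliance. It assumes Google's documented names for the licence URL and the ubuntu-os-cloud/ubuntu-1604-lts image family; setting GCLOUD=echo dry-runs the command instead of calling gcloud.

```shell
#!/bin/sh
# Added example, not from the original guide: build the boot image with the
# nested-virtualization licence attached, and check that the feature reached
# the guest. Assumptions: the "enable-vmx" licence URL and the ubuntu-os-cloud /
# ubuntu-1604-lts public image family; GCLOUD=echo prints instead of running.
set -eu

GCLOUD=${GCLOUD:-gcloud}
VMX_LICENSE="https://www.googleapis.com/compute/v1/projects/vm-options/global/licenses/enable-vmx"

# valid_gce_name NAME -> true if NAME satisfies GCE resource naming
# (lowercase letter first, then lowercase letters, digits or hyphens, <= 63 chars)
valid_gce_name() {
    printf '%s' "$1" | grep -Eq '^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$'
}

# create_nested_virt_image OUTPUT_NAME [SOURCE_FAMILY] [SOURCE_PROJECT]
# Creates OUTPUT_NAME from a public image and attaches the enable-vmx licence,
# which is what lets KVM run inside the VM booted from it.
create_nested_virt_image() {
    name=$1
    family=${2:-ubuntu-1604-lts}
    project=${3:-ubuntu-os-cloud}
    if ! valid_gce_name "$name"; then
        echo "invalid image name: $name" >&2
        return 1
    fi
    "$GCLOUD" compute images create "$name" \
        --source-image-project="$project" \
        --source-image-family="$family" \
        --licenses="$VMX_LICENSE"
}

# has_virt_flag [CPUINFO] -> true when the guest CPU exposes vmx (Intel) or
# svm (AMD), i.e. KVM-backed QEMU nodes will run inside EVE. Run it on the VM
# after the first boot; the optional path argument exists for testing.
has_virt_flag() {
    grep -qwE 'vmx|svm' "${1:-/proc/cpuinfo}"
}

case "${1:-}" in
    --create) create_nested_virt_image "${2:-qemu-enabled-image}" ;;
    --check)
        if has_virt_flag; then
            echo "nested virtualization available"
        else
            echo "no vmx/svm flag: image licence missing or unsupported machine type" >&2
            exit 1
        fi ;;
esac
```

Run `sh image.sh --create` in Cloud Shell to create the image, then `sh image.sh --check` on the VM booted from it; if the check fails, QEMU nodes will still start but without KVM acceleration.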
Now you can configure your machine to boot from the customized image you have just created:
By default, all incoming traffic from outside a network to the VM instance is blocked.
We will access EVE and "transmission" via HTTP, so we will allow HTTP traffic.
After creating the VM, you will be redirected to the "VM instances" work area:
To connect to the VM, you need to know its public IP address (External IP):
There are two authentication methods: password or public key.
We will use password authentication for the root user as it is simpler (but less secure) and sufficient for
this demonstration.
This command opens the SSH service configuration on the VM instance so that you can modify the following settings:
PermitRootLogin yes
PasswordAuthentication yes
Note: to start editing the file in vim, press "i".
Note: to save the file with changes, press "ESC" followed by ":wq".
5- For the changes to take effect, restart the SSH service:
service sshd restart
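The same edit can be scripted instead of done by hand in vim. The helper below is an added example, not part of the original guide; it assumes the file is /etc/ssh/sshd_config (the default location) and encodes the rule that trips people up when editing it: sshd honours the first uncommented occurrence of a directive and treats anything below a Match line as conditional, so a value simply appended to the end of the file may never take effect. get_sshd_option reports the value sshd will actually use, and set_sshd_option rewrites the first global occurrence or inserts the directive above the first Match block.

```shell
#!/bin/sh
# Added example, not from the original guide: read and set sshd_config
# directives without hand-editing. sshd uses the FIRST active occurrence of a
# directive, and lines after "Match" apply only conditionally, so an appended
# line can be silently ignored. Assumes the stock /etc/ssh/sshd_config layout.
set -eu

# get_sshd_option FILE DIRECTIVE -> prints the effective global value ("" if unset)
get_sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match"      { exit }            # below here is conditional
        tolower($1) == tolower(key) { print $2; exit }  # first active line wins
    ' "$1"
}

# set_sshd_option FILE DIRECTIVE VALUE -> rewrite the first global occurrence,
# insert before the first Match block, or append when neither exists
set_sshd_option() {
    file=$1; key=$2; val=$3
    awk -v key="$key" -v val="$val" '
        !done && tolower($1) == tolower(key) { print key, val; done = 1; next }
        !done && tolower($1) == "match"      { print key, val; done = 1 }
        { print }
        END { if (!done) print key, val }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# demo_sample: exercise both helpers on a constructed config fragment
# (not a real host's file) and print the effective values afterwards
demo_sample() {
    f=$(mktemp)
    printf '%s\n' '#PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
        'Match User backup' '    PasswordAuthentication yes' > "$f"
    set_sshd_option "$f" PermitRootLogin yes
    set_sshd_option "$f" PasswordAuthentication yes
    echo "PermitRootLogin=$(get_sshd_option "$f" PermitRootLogin)"
    echo "PasswordAuthentication=$(get_sshd_option "$f" PasswordAuthentication)"
    rm -f "$f"
}

# usage on the VM (guide's settings):
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin yes
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication yes
#   service sshd restart
case "${1:-}" in --demo) demo_sample ;; esac
```

The same two calls with `no` put the defaults back once the lab is done, and get_sshd_option is a quick way to confirm which value is live before restarting the service.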
Connect to a VM instance via PuTTY
Now, you can connect to the VM via PuTTY using the root user credentials:
1- obtain the public IP address of the VM instance.
2- paste the IP address into the Host Name field within PuTTY:
Note: we will need to use WinSCP at a later stage. We will use the same method (password authentication) and
credentials (username: root and password: network secured).
Step 4: Set up EVE-NG on the VM instance
For EVE to function, the first Ethernet interface of the VM instance must be named eth0.
To verify the name of the NIC, issue the command ifconfig
4.2 Install EVE:
apt update
Note: every time you log in to the VM instance hosting EVE you will be presented with the EVE-NG Setup
utility; press Control-C:
If you need to get appliances for your EVE labs through torrent, you can download and install "transmission",
as it does not conflict with the HTTP service running on the VM instance.
After installing "transmission", you will need to create the locations (and set their permissions) for
"transmission" downloads:
mkdir /home/kareem/Downloads
mkdir /home/kareem/Downloads/transmission
mkdir /home/kareem/Downloads/transmission/incompletetorrents
chgrp -R debian-transmission /home/kareem/Downloads/transmission
chmod -R 775 /home/kareem/Downloads/transmission
service transmission-daemon start
service transmission-daemon stop
5.3 Configure "transmission" settings
- To edit the transmission service settings, use the following command (stop the daemon first, as above: transmission-daemon rewrites settings.json when it shuts down and would discard your edits):
vim /etc/transmission-daemon/settings.json
By default, all incoming traffic from outside your network is blocked unless you allow it.
So you need a firewall rule to allow inbound connections on port 9091, the port we configured transmission to
listen on:
You can create a single rule that controls whatever ports you need:
5.5 Verify "transmission"
I will use a magnet link to download an IOU (to demonstrate later how to generate its license) and a QEMU
appliance to test KVM (nested virtualization).
Step 6: Prepare images to work in EVE-NG
Step 6a: Prepare QEMU images to work in EVE
After downloading the images you want, you need to import them into the EVE directory so that EVE can access them.
QEMU images should be in the /opt/unetlab/addons/qemu/ directory:
If the file is compressed, you can decompress it directly into the destination directory:
tar xzvf /home/kareem/Downloads/transmission/winserver-S2016-R2-x64.tar.gz \
    --directory /opt/unetlab/addons/qemu/
After refreshing:
The last step is to fix the permissions:
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
Use this port number when connecting to the node from your workstation:
After downloading the images you want, you need to import them into the EVE directory so that EVE can access them.
IOS/IOU images should be in the /opt/unetlab/addons/iol/bin/ directory:
To copy the image from the "transmission" directory to the EVE directory, first obtain the location of the source:
cp /home/kareem/Downloads/transmission/i86bi_LinuxL3-AdvEnterpriseK9-M2_157_3_May_2018.bin \
    /opt/unetlab/addons/iol/bin/
6b.1 Create an IOU keygen file in the EVE directory for IOU images:
vim /opt/unetlab/addons/iol/bin/ioukeygen.py
This command also opens the file for editing (press "i").
6b.2 Copy the following script and paste it into the file (using the right click):
#! /usr/bin/python
print "\n*********************************************************************"
print "Cisco IOU License Generator - Kal 2011, python port of 2006 C version"
import os
import socket
import hashlib
import struct
# get the host id and host name to calculate the hostkey
hostid=os.popen("hostid").read().strip()
hostname = socket.gethostname()
ioukey=int(hostid,16)
for x in hostname:
    ioukey = ioukey + ord(x)
print "hostid=" + hostid +", hostname="+ hostname + ", ioukey=" + hex(ioukey)[2:]
# create the license using md5sum
iouPad1='\x4B\x58\x21\x81\x56\x7B\x0D\xF3\x21\x43\x9B\x7E\xAC\x1D\xE6\x8A'
iouPad2='\x80' + 39*'\0'
md5input=iouPad1 + iouPad2 + struct.pack('!L', ioukey) + iouPad1
iouLicense=hashlib.md5(md5input).hexdigest()[:16]
# add license info to $HOME/.iourc
print "\n*********************************************************************"
print "Create the license file $HOME/.iourc with this command:"
print " echo -e '[license]\\n" + hostname + " = " + iouLicense + ";'" + " | tee $HOME/.iourc "
print "\nThe command adds the following text to $HOME/.iourc:"
print "[license]\n" + hostname + " = " + iouLicense + ";"
# disable phone home feature
print "\n*********************************************************************"
print "Disable the phone home feature with this command:"
print " grep -q -F '127.0.0.1 xml.cisco.com' /etc/hosts || echo '127.0.0.1 xml.cisco.com' | sudo tee -a /etc/hosts"
print "\nThe command adds the following text to /etc/hosts:"
print "127.0.0.1 xml.cisco.com"
print "\n*********************************************************************"
6b.3 Save the file and exit the editor (by pressing "ESC" then ":wq").
6b.4 Fix permissions for the newly created script file:
chmod +x /opt/unetlab/addons/iol/bin/ioukeygen.py
6b.5 Run the license generator script that you have just written:
/opt/unetlab/addons/iol/bin/ioukeygen.py
6b.6 Copy the generated license:
[license]
eve-ng = 97264f2e52a3fbe6;
6b.7 Create the iourc licence file for EVE and paste the copied license into it:
vim /opt/unetlab/addons/iol/bin/iourc
6b.8 Save the file and exit the editor (by pressing "ESC" then ":wq").
6b.9 Fix permissions with:
/opt/unetlab/wrappers/unl_wrapper -a fixpermissions
Go back to the EVE GUI and start the IOU node; it should start now.
When you hover the mouse over the node, the port assigned to it appears in the bottom-left corner of the EVE
interface:
Note: your connection will be refused until you finish step 6c.
Step 6c: allow connections from the Internet to EVE devices:
By default, all incoming traffic from outside your network is blocked, so you need to open every port forwarded to
every device in your EVE lab.
In our example we need to allow inbound connections to ports 32769 and 32770:
You can use the rule we created in step 5 to allow ports 32769 and 32770:
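The firewall rule in step 5 and its extension here are shown in the guide only as console screenshots. The script below is an added example (not from the original guide) of the same single-rule approach driven from gcloud: it validates the port list, creates the rule once for the transmission port and the node ports, and later updates that same rule when EVE assigns new ports. It assumes the default VPC network, and it takes the source range as a parameter so the rule can be limited to the public IP you connect from rather than 0.0.0.0/0; GCLOUD=echo dry-runs the commands.

```shell
#!/bin/sh
# Added example, not from the original guide: manage the single VPC firewall
# rule used for transmission (9091) and the telnet/VNC ports EVE assigns to
# nodes (32769, 32770 here). Assumes the "default" network; GCLOUD=echo prints
# the command instead of running it.
set -eu

GCLOUD=${GCLOUD:-gcloud}

# port_spec PORT|LO-HI ... -> "tcp:9091,tcp:32769-32770"; rejects anything
# outside 1-65535 or that is not a number / ascending range
port_spec() {
    spec=""
    for p in "$@"; do
        lo=${p%-*}; hi=${p#*-}
        case "$lo$hi" in *[!0-9]*|"") echo "bad port: $p" >&2; return 1 ;; esac
        if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
            echo "bad port: $p" >&2; return 1
        fi
        spec="${spec:+$spec,}tcp:$p"
    done
    printf '%s\n' "$spec"
}

# eve_firewall_rule create|update RULE_NAME SOURCE_CIDR PORT...
# "update" replaces the whole port list, so always pass every port still needed.
eve_firewall_rule() {
    action=$1; rule=$2; src=$3; shift 3
    ports=$(port_spec "$@") || return 1
    case "$action" in
        create) "$GCLOUD" compute firewall-rules create "$rule" \
                    --network=default --direction=INGRESS --action=ALLOW \
                    --rules="$ports" --source-ranges="$src" ;;
        update) "$GCLOUD" compute firewall-rules update "$rule" \
                    --rules="$ports" --source-ranges="$src" ;;
        *) echo "usage: eve_firewall_rule create|update NAME SOURCE_CIDR PORT..." >&2
           return 1 ;;
    esac
}

# usage with constructed values (203.0.113.5 stands in for your own public IP):
#   sh fw.sh create eve-lab 203.0.113.5/32 9091 32769-32770   # step 5 + step 6c
#   sh fw.sh update eve-lab 203.0.113.5/32 9091 32769-32771   # a third node appears
case "${1:-}" in create|update) eve_firewall_rule "$@" ;; esac
```

Because the rule is keyed by name, re-running with update after adding nodes keeps one rule to audit instead of a growing list; narrowing --source-ranges to your own address is what keeps the node consoles from being reachable by every host on the Internet.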
Background
1- When you create a node in EVE, you assign its interfaces private IP addresses.
For any interface of this node to reach the Internet, it needs:
- a gateway to reach the Internet, and
- its IP translated to a public IP, because its private IP is not routable on the Internet ==> (PAT or port forwarding).
The only real IP we have is the external IP assigned to the VM instance hosting EVE.
2- During installation, EVE creates 10 bridge interfaces (pnet0 to pnet9) on the host machine:
The role of a bridge interface is to connect a guest (a node inside EVE) interface to a host network interface (eth0 for pnet0).
Steps
1- Let's assume you have assigned the IP 192.168.13.17/24 to the Windows server node in our topology, so you
need a gateway with an IP in this subnet to reach the Internet (let's say 192.168.13.1):
You can configure any pnet interface (leave pnet0 for management access only, as in step 6).
To make this configuration persistent to survive between reboots:
vim /etc/network/interfaces
2- As the communication between the guest and host interfaces happens at the kernel level, you need to enable IP
forwarding in the kernel (note that this setting does not survive a reboot):
echo 1 > /proc/sys/net/ipv4/ip_forward
3- Translate the IP addresses in this subnet to the (dynamic) IP address of the VM instance's pnet0 interface:
iptables -t nat -A POSTROUTING -o pnet0 -s 192.168.13.0/24 -j MASQUERADE
4- RDP to the Windows server node, open any web browser and test any web server on the Internet:
It works!
Note:
cloudX is equivalent to pnetX, i.e., if you have configured pnet2 for another subnet, connect the nodes in that subnet to
cloud2 if they need direct access to the Internet.
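Steps 1 to 3 above are applied interactively and two of them (the ip_forward echo and the iptables rule) are lost at the next reboot. The script below is an added example, not from the original guide, that renders the persistent form of the same configuration for any pnetX bridge: it checks that the chosen gateway address really lies inside the node subnet, derives the netmask, and emits an /etc/network/interfaces stanza whose up/down hooks enable forwarding and add or remove the MASQUERADE rule with the bridge. It assumes Ubuntu 16.04 ifupdown with bridge-utils (EVE's default), that pnet0 is the bridge carrying eth0, and that the rendered stanza replaces EVE's stock "iface pnetX inet manual" stanza for that bridge.

```shell
#!/bin/sh
# Added example, not from the original guide: render the persistent form of the
# pnetX gateway + NAT setup. Assumptions: Ubuntu 16.04 ifupdown + bridge-utils,
# pnet0 is the bridge holding eth0, and the output replaces EVE's stock
# "iface pnetX inet manual" stanza in /etc/network/interfaces.
set -eu

# ip4_to_int 192.168.13.17 -> 3232238865
ip4_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# cidr_to_netmask 24 -> 255.255.255.0
cidr_to_netmask() {
    m=$(( (4294967295 << (32 - $1)) & 4294967295 ))
    echo "$(( (m >> 24) & 255 )).$(( (m >> 16) & 255 )).$(( (m >> 8) & 255 )).$(( m & 255 ))"
}

# in_subnet IP NET/BITS -> succeeds when IP lies inside the subnet
in_subnet() {
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "${2%/*}") & mask )) ]
}

# render_pnet_nat BRIDGE GATEWAY_IP NET/BITS [UPLINK]
# Prints the interfaces stanza; refuses a gateway outside the node subnet,
# which is the mistake that leaves nodes with no route to the Internet.
render_pnet_nat() {
    br=$1; gw=$2; net=$3; uplink=${4:-pnet0}
    if ! in_subnet "$gw" "$net"; then
        echo "gateway $gw is not inside $net" >&2
        return 1
    fi
    cat <<EOF
auto $br
iface $br inet static
    address $gw
    netmask $(cidr_to_netmask "${net#*/}")
    bridge_ports none
    bridge_stp off
    # forwarding and the MASQUERADE rule follow the bridge up/down,
    # so they survive reboots (the echo to /proc in the guide does not)
    up sysctl -w net.ipv4.ip_forward=1
    up iptables -t nat -A POSTROUTING -o $uplink -s $net -j MASQUERADE
    down iptables -t nat -D POSTROUTING -o $uplink -s $net -j MASQUERADE
EOF
}

# usage: sh pnet-nat.sh --render pnet1 192.168.13.1 192.168.13.0/24 >> /etc/network/interfaces
case "${1:-}" in
    --render) render_pnet_nat "${2:-pnet1}" "${3:-192.168.13.1}" "${4:-192.168.13.0/24}" ;;
esac
```

After pasting the stanza in place of the pnet1 block, `ifdown pnet1 && ifup pnet1` applies it; the down hook removes the NAT rule again, so repeated ifup/ifdown cycles do not pile up duplicate POSTROUTING entries.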