Running OSX Server in a true Sandbox

Discussion in 'Mac OS X Server, Xserve, and Networking' started by jgbr, Feb 8, 2010.

  1. macrumors 6502

    Joined:
    Sep 14, 2007
    #1
    I want to run OSX Server virtualised but completely independent of the host system and in a true box.

    I am using a Mac Pro, so I can give it a dedicated CPU/RAM and Ethernet. Any other recommendations: Ext HD?

    I can not/do not want data leakage between the two systems. If I simply want to discard and lose the logs of it forever, I just delete the image as such.
     
  2. macrumors member

    mcprobie

    Joined:
    Nov 16, 2009
    Location:
    Paradise Corrupt
  3. thread starter macrumors 6502

    Joined:
    Sep 14, 2007
    #3
    Yes, I am using VMware, but I want to sandbox it further than that.

    Dedicated Ethernet, obv allows IP, EXT HD is the only other idea? alongside CPU/RAM
     
  4. macrumors member

    mcprobie

    Joined:
    Nov 16, 2009
    Location:
    Paradise Corrupt
    #4
    But how have you set up VMware? Are you using NAT or Host IP only networking ... That way it is already separate from your LAN.

    You can put the virtual disk image on an external disk, no problem, but that doesn't "sandbox" it more because it is already a separate file ...

    Sorry if I'm not understanding your question.
     
  5. thread starter macrumors 6502

    Joined:
    Sep 14, 2007
    #5
    I just want to ensure that the two machines are separate in hardware and software.

    Essentially: Anyone looking in or tracing back to OSX Server will see OSX Server, not a Mac Pro/SL
     
  6. macrumors member

    mcprobie

    Joined:
    Nov 16, 2009
    Location:
    Paradise Corrupt
    #6
    I think basically it will show that it is only the OSX server ... One will not see the Mac Pro ... But, then again, if you have the MAC address of the virtual NIC, you could look up the vendor, it will probably show it is a NIC from VMware ... Maybe if you change the MAC address to something general this might help.

    You could also set up an IPsec tunnel to your server, or a constant VPN tunnel.

    But it is all useless if you put the OSX server on the same network as the Mac Pro though (same subnet).... Except for the VPN tunnel.
     
  7. thread starter macrumors 6502

    Joined:
    Sep 14, 2007
    #7
    It's all hidden behind a router anyway; so most traces just get the router address not the IP address.

    Do you think giving it a dedicated HD and IP address is wise too?

    Should someone see past the router, it would still look like a separate machine as the IP address would be different to the main Mac Pro SL address
     
  8. macrumors member

    mcprobie

    Joined:
    Nov 16, 2009
    Location:
    Paradise Corrupt
    #8
    No, giving it a separate HDD would not make any difference ... A different and/or fixed IP address is of course wise ... Definitely a different one than the address of your Mac Pro (different subnet altogether would be ideal ... But maybe that is not feasible?)

    If the virtual machine is in the same subnet as your Mac Pro, potential hackers would scan the network and see both machines as separate ... But still would see both machines.
     
  9. thread starter macrumors 6502

    Joined:
    Sep 14, 2007
    #9
    so how would I put the Server on a dedicated subnet? I'm using AirPort Extremes
     
  10. macrumors P6

    DoFoT9

    Joined:
    Jun 11, 2007
    Location:
    Singapore
    #10
    that could be done thru VMware itself (software), or by using another router to create a new subnet hardware-wise.
     
  11. thread starter macrumors 6502

    Joined:
    Sep 14, 2007
    #11
    a guide on how to do both would be ideal

    software is easier than going and buying another router
     
  12. macrumors member

    mcprobie

    Joined:
    Nov 16, 2009
    Location:
    Paradise Corrupt
    #12
    The way I would do it ... (this depends if you are going to use the Mac Pro for anything else of course) ... is change the IP address of the Mac Pro so it is on its own subnet ... For example 10.10.10.1 ... Then only the virtual machine will be on the "production" network, this way the Mac Pro is hidden and/but only accessible locally ...

    Another option is have 2 NICs in the Mac Pro and dedicate one for a separate subnet, but you will then have to have a second router or make the Mac Pro act as a router ... A bit more challenging to set up :D

    {edit} .... Like DoFoT9 mentioned ... I'm second ;) ... There are software based router systems to be found ... Mostly Linux based, they also have a firewall most of the time, but you could leave that open and just route stuff ... Or use NAT.
     
  13. macrumors P6

    DoFoT9

    Joined:
    Jun 11, 2007
    Location:
    Singapore
    #13
    I am not truly familiar with VMware, sorry, but maybe somebody else can help. I use Parallels to emulate my OSs (more stable in my experience), but it cannot run OSX server :(

    for software based, it's all in the settings of the VM - I've confused myself now though, if you choose "shared networking" it creates a new subnet for the VM but it's an extension of your actual computer. traceroutes would show the computer in the middle in this case.

    I'll sleep on it!
     
  14. thread starter macrumors 6502

    Joined:
    Sep 14, 2007
    #14
    guide to doing that in vmware fusion would be great
     
  15. thread starter macrumors 6502

    Joined:
    Sep 14, 2007
    #15
    sounds like the best course of action is to just use the other NIC in the Mac Pro and wing it. I am not too fussed about it seeing the other machines on the network, just for it to think it's a separate machine.
     
  16. macrumors member

    mcprobie

    Joined:
    Nov 16, 2009
    Location:
    Paradise Corrupt
    #16
    I will see what I can deliver ... But it might take a while seeing I'm still at work :D
     
  17. macrumors P6

    DoFoT9

    Joined:
    Jun 11, 2007
    Location:
    Singapore
    #17
    using "bridged" mode using the other NIC would indeed make it appear as a separate machine. very easy to test for as I'm sure you know.

    I'll fire up VMware tomorrow and see what I can do :) bed calls now.
     
  18. thread starter macrumors 6502

    Joined:
    Sep 14, 2007
    #18
    Thank you.

    The main objective is to make it look like a separate machine, although most traffic traced would just come up as our public address not the internal one.

    I might give it a dedicated IP address far out from the other machines...to fool a looker even more.
     
  19. thread starter macrumors 6502

    Joined:
    Sep 14, 2007
    #19
    it's the tip of the iceberg as I'm assigning a dedicated mouse and keyboard via USB controller in VMware for it. lol
     
  20. macrumors P6

    DoFoT9

    Joined:
    Jun 11, 2007
    Location:
    Singapore
    #20
    you really do want it in true sandbox mode!!

    I just realised that Parallels can run server versions of OSX - would you consider running Parallels? I find it to be a much nicer and more stable experience.

    ok seriously, bed time! lol
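
Added example, not written by anyone in this thread: a small Python audit of the two things posts #6 and #8 say give a guest away on the LAN, namely a VMware vendor prefix in the virtual NIC's MAC address and a subnet shared with the host. The function names and the addresses in the comments and tests are constructed for illustration; the OUI list is the set of prefixes registered to VMware.

```python
import ipaddress

# OUI prefixes registered to VMware, Inc. (the vendor lookup from post #6).
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}


def normalize_mac(mac):
    """Return a MAC as lowercase colon-separated octets, or raise ValueError."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_findings(mac):
    """List what the guest's MAC reveals to anyone on the same segment."""
    norm = normalize_mac(mac)
    findings = []
    if norm[:8] in VMWARE_OUIS:
        findings.append("vendor prefix is registered to VMware")
    # Bit 0x02 of the first octet marks a locally administered address,
    # i.e. one that was set by hand rather than assigned from a vendor OUI.
    if int(norm[:2], 16) & 0x02:
        findings.append("locally administered address (manually overridden)")
    return findings


def same_subnet(host_if, guest_if):
    """True when the host and guest interfaces (CIDR strings) share a subnet."""
    host_net = ipaddress.ip_interface(host_if).network
    guest_net = ipaddress.ip_interface(guest_if).network
    return host_net.overlaps(guest_net)


def audit(host_if, guest_if, guest_mac):
    """Combine the MAC and subnet checks into one list of findings."""
    findings = mac_findings(guest_mac)
    if same_subnet(host_if, guest_if):
        findings.append("guest shares a subnet with the host")
    return findings


if __name__ == "__main__":
    # Constructed sample: bridged guest with a default VMware MAC on the host's LAN.
    for line in audit("192.168.1.10/24", "192.168.1.50/24", "00:0C:29:AA:BB:CC"):
        print("finding:", line)
```

An empty list means neither giveaway applies; a hand-set MAC is still reported because the locally administered bit itself shows the address is not a factory-assigned one.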
     
