echothrust/howtos

A list of OpenBSD (mostly) material

View on GitHub

phpVirtualBox Interface Setup

Description

This web application is a PHP front for Oracle VirtualBox running headless. It connects to vboxwebsrv, a SOAP server distributed with VirtualBox, and provides a web interface that mimics VirtualBox.

Known security risks

phpVirtualBox uses system account ‘vbox’ to communicate SOAP in PLAINTEXT with vboxwebsrv on 127.0.0.1:18083. That is why we run them on the same box.

Server access

Supporting services

VirtualBox

This is the VM Host application (not a real service), but it is the base application package for vboxwebsrv. Some extra configuration on VirtualBox is needed:

** In case console is unavailable for a specific guest VM, use commands (as user ‘vbox’):

VBoxManage list vms to get the name, and VBoxManage modifyvm "VM name" --vrde on to enable VRDP on the specific guest

vboxwebsrv

VirtualBox’s SOAP web service

vbox-autostart

This “service” runs once on-boot to start any virtual machines that are set to autostart.

VMs gracefull auto-shutdown

Acpi signal is sent by stock init script (and waits 30 seconds for guests to shutdown). Configuration file /etc/default/virtualbox.

SHUTDOWN_USERS=”vbox” SHUTDOWN=acpibutton

On-demand poweron & acpi-shutdown for local VMs

Added the following file into the web root. $ cat /var/www/vboxweb/control.php

<?php
/*
 /etc/sudoers: www-data  ALL= (vbox) NOPASSWD : /usr/bin/VBoxManage
 sudo -u vbox -H command_to_run
 VBoxManage showvminfo "devdb"|grep "^State: *.*"
 VBoxManage controlvm "devdb" acpipowerbutton
 VBoxManage startvm "devdb" --type headless
*/

if (!isset($_REQUEST['host']) || !isset($_REQUEST['action']) ) {
  echo "Bad 'host'{vm_guest_name} and 'action'{on,off} in _REQUEST (POST/GET)";
}
else {
  $host = escapeshellcmd($_REQUEST['host']);
  $check = exec ('sudo -u vbox -H VBoxManage showvminfo "'.$host.'" |grep "^State: *.*"');
  switch($_REQUEST['action']) {
    case "on":
      if(preg_match('/^State: *powered off.*/',$check)) {
        if ( isset($_REQUEST['snapshot']) ) {
          $snapshot=escapeshellcmd($_REQUEST['snapshot']);
          exec ('sudo -u vbox -H VBoxManage snapshot "'.$host.'" restore "'.$snapshot.'"');
        }
        exec ('sudo -u vbox -H VBoxManage startvm "'.$host.'" --type headless');
      }
      else echo "Could not complete: host not in powered off state.";
      break;
    case "off":
      if(preg_match('/^State: *running.*/',$check))
        exec ('sudo -u vbox -H VBoxManage controlvm "'.$host.'" acpipowerbutton');
      else echo "Could not complete: host not in running state.";
      break;
    default:
      echo "action can be {on,off}";
      break;
  }
}