These are some notes on using [http://www.ubuntu.com/products/whatisubuntu/serveredition/jeos JeOS] -- which stands for "Just Enough Operating System" -- and virtualization software to create a (hopefully) secure Sage server. I'm using [http://www.virtualbox.org/ VirtualBox] and a Ubuntu host.

This is intended for a server that you build and administer yourself; it's not the same as the VMWare image we distribute, which is intended "for the masses". I'm assuming you have experience with Linux administration and using virtualization software.

Preliminaries

Setup

I installed JeOS under VirtualBox. This was no trouble. I recommend separating the root partition and the /home partition, so that if some idiot fills up the disk (accidentally or otherwise), the VM will still run. The OS, including the packages we're going to install, along with Sage takes up about 2.1 gigabytes; I'd allocate about 4 gigs for the root partition and maybe another 4 for /home. I used "sageadm" for the user I created during installation; we'll create more users later. Once the VM was running, I installed some new packages. Some of these aren't totally essential; use your own judgement.

Now, on the host, we'll set up port forwarding so the server is accessible from the outside world. I suppose we could do bridging and so on, but I don't really know how to set it up, and besides we only want two open ports going to the Sage server.

On the host, pick a port to forward to port 22 on the Sage server so we can ssh into the server. I'm using 2222. Do:

VBoxManage setextradata "$VMNAME" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/ssh/HostPort" 2222

VBoxManage setextradata "$VMNAME" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/ssh/GuestPort" 22

VBoxManage setextradata "$VMNAME" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/ssh/Protocol" TCP

Naturally you should replace $VMNAME with the name you gave your virtual machine, and if you want to use something else than 2222, replace that too. You can also change the "ssh" between "Config" and "Protocol" if you like; it's just a bit of text that identifies the service. Now choose a port where people will access the server, say 8000, and do a similar thing:

VBoxManage setextradata "$VMNAME" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/sage/HostPort" 8000

VBoxManage setextradata "$VMNAME" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/sage/GuestPort" 8000

VBoxManage setextradata "$VMNAME" "VBoxInternal/Devices/pcnet/0/LUN#0/Config/sage/Protocol" TCP

Now inside the VM, we'll create some unprivileged users. First, though, I created a sageusers group and added my main user (sageadm) to it:

sudo addgroup sageusers
sudo adduser sageadm sageusers

Create an unprivileged user that defaults to the sageusers group:

sudo adduser --ingroup sageusers nb1

I also created nb2, nb3, nb4, and nb5. I don't know how many you really need. Next, generate a passwordless ssh key as the sageadm user and copy it to all the unprivileged users; it's convenient to use "ssh-copy-id nb1@localhost" for this.

Running the server

Download Sage to the VM and install it; I unpacked the tarball into /opt. Create a directory for the notebook files -- this must be outside sageadm's dot-sage directory; I used ~/nbfiles. Change the permissions so it's group-writable by the sageusers group. Now run the server with directory='/home/sageadm/nbfiles', an appropriate server_pool, and so on. I've attached the actual script I use to start the notebook: attachment:start_notebook.sage.

Security notes

to come

Other things I find convenient

to come