Re: [RFC] Design executing commands from within domains

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 2016-08-08 23:19:26, "Daniel P. Berrange" <berrange@xxxxxxxxxx> wrote:
>On Mon, Aug 08, 2016 at 05:00:38PM +0200, Michal Privoznik wrote:
>> Dear list,
>> 
>> while wiring qemu-ga into libvirt I've noticed that it has ability to
>> spawn commands inside guest. I haven't paid much attention to it then as
>> implementing libvirt <-> qemu-ga communication was more important. But
>> lately couple of requests on the list showed up where ability to spawn
>> various commands inside guests would be much appreciated (e.g. when
>> fetching some stats that HV can't know or has no support for yet -
>> free/df/..).
>> 
>
>I never really liked the qemu guest agent ability to run arbitrary commands.
>It is basically re-inventing the shell but with really awful features. eg the
>having to provide all the input  upfront, not having any  way to stream large
>stdout/stderr data back to the host.
>
>Further, from a security POV it is really bad practice to have this feature
>in QEMU guest agent, as it makes it impossible to provide any kind of sane
>security confinment for the GA. IIRC, default Fedora SELinux policy will not
>even permit the exec command to be to used. Most of the QEMU GA commands have
>very tight scope so are easily confined, but 'exec' by its very nature wants
>todo anything. From that POV, a general purpose exec facility is really better
>suited to a separate command.

Users could ban it inside VM by blacklist.
Also, with default SELinux policy, qga could not do anything more.
So it's under control.

>
>Also from an API modelling POV, exposing the guest agent exec in libvirt
>is pretty much giving up on any sense of API design. It'll just discourage
>anyone from ever writing any further special case guest agent commands
>with formal APIs.
>
>IOW, I don't think we should ever expose the qemu guest agent exec command
>via libvirt APIs.

We've had qemuAgentCommand.
So I think it's better for a new public API.

Regards,
- Chen


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]