
Re: [Qemu-devel] QEMU - Security Research Questions #2


From: Paolo Bonzini
Subject: Re: [Qemu-devel] QEMU - Security Research Questions #2
Date: Thu, 6 Oct 2016 09:19:01 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0


On 06/10/2016 05:44, Joey Connelly wrote:
> Hey QEMU dev group,
> 
> I'm a graduate student at Boise State University working on my thesis
> involving Virtualization/Cloud Computing Security and I wanted to ask
> another IN-DEPTH question I've been trying to solve. If you have some time
> it would be greatly appreciated:
> 
> 
> *[Question:]*
> 
> Can I migrate a VM to a nested VM using only the ports on my host and
> knowing (from a super-user host administrator perspective) any/all network
> information as required??
> 
> 
> 
> *[Scenario:]*
> 
> I'm a sys admin with root privileges. 1 QEMU process is running, guest_VM0,
> with -monitoring and -enable-kvm options (its virtual environment supports
> Intel-VTx).
> 
> I then create a new guest_VM1 with the same virtual environment & support,
> have -enable-kvm option and -hostfwd option enabled from host port 4444 to
> guest port 5555.
> 
> Within guest_VM1 I create another QEMU process, guest_VM_COPY, with again
> same virtual environment & Intel-VTx support, have -enable-kvm and this
> time it’s just sitting with -incoming tcp<options,...,listen-port5555>
> waiting for migration.
> 
> I then execute from guest_VM0 Monitor Console -migrate to port 4444, which
> through hostfwd should send to my nested vm paused with -incoming
> initialized.
> 
> *[So… re-wording my question with this scenario now presented:]*
> 
> After migration, with full super-user control, is there ANY virtual
> network (socket, bridge, user, etc.) or combination of things I could set up
> so that my nested guest_VM_COPY can still access the network through the
> same host external network that it originally accessed?? Basically no
> interruptions for the original guest_VM0 during or after migration?

In theory it would work if you set up networking to bridge to the host
network.  I'm not sure anyone has ever tried it...

-hostfwd doesn't work in this configuration (which uses -netdev tap or
-netdev bridge; hostfwd is only an option for user-mode emulation i.e.
-netdev user).  However you don't need it, because you can just migrate
to the IP address of guest_VM1, port 5555.

Paolo


