Re: Guestinfo alike info polling from Guest via guest-agent

[Florian Lohoff via]

Hi,

On Thu, Dec 12, 2024 at 08:24:22AM -0800, Connor Kuehl wrote:
> Hmm, yeah, in this case, I don't see a more privacy-respecting
> alternative to doing this with the current version of qemu-ga.
> 
> If the extent of your use case is limited to host ssh pubkeys, then
> I'd imagine it wouldn't be a hard sell to pitch the idea of adding
> some new RPCs to qemu-ga, like guest-ssh-get-host-publickeys, seeing
> as there's already commands like
> guest-ssh-{get,set,remove}-authorized-keys.
> 
> Then your customer VMs' qemu-ga.conf can specify just
> guest-ssh-get-host-publickeys in the allowlist.
> 
> Maybe upstream would also be amenable to a more minimal interface as
> you've already described of allowing the guest to assign key,value pairs
> and adding a RPC to allow the hypervisor to fetch bits of data that way.
> Though, it would probably require a fair bit more design before the
> implementation arrives.

What we tried now was writing a small addition on the hypervisor
listening on a serial on all VMs - so we simply create VMs with an
additional serial which had a minimalistic API to send key/value
pairs via a serial to the hypervisors service.

For obvious reasons one would rather like a more standardised approach.

Flo
-- 
Florian Lohoff f...@zz.de
  Any sufficiently advanced technology is indistinguishable from magic.


signature.asc
Description: PGP signature

Re: Guestinfo alike info polling from Guest via guest-agent

[Connor Kuehl]

On 12/11/24 11:15 PM, Florian Lohoff wrote:
>> With regards to the specific use-case above, you might be able to accomplish
>> that with one or more of guest-file-open, guest-exec, or maybe
>> something else I didn't see.
>>
>> [1] https://www.qemu.org/docs/master/interop/qemu-ga-ref.html
> 
> I found that - and "exec cat /etc/ssh/ssh_host*.pub" works but for
> me thats a deep intrusion into the guests OS and i would rather not see
> something like that working.

Yeah, that's completely fair. Especially in cases where the owner
of the VM is different from the owner of the hypervisor.

> I like the vmwares possibility of storing variables in the hypervisor 
> with small blobs e.g. like ssh host keys. Which makes it possible to
> retrieve host keys Out of band without security nightmares like
> stricthostkeychecking=no or userknownhostfile=/dev/null and the like.
> 
> I use it to mark the VM to be available for connection and i also copy
> ssh host keys to the customers netbox. From netbox i generate DNS with 
> "sshfp" 
> DNS records, and the start of all ansible first replaces the local 
> ssh known hosts from the ones in netbox - So no hackery needed on
> "first connect" from anywhere. SSH Host keys are common knowledge after
> that because we had a secure out of band channel. 
> 
> I am trying to find a solution for this with qemu and i fail - sort of.
> 
> Thats the last commands in a vmware setup:
> 
> for key in /etc/ssh/ssh_host_*pub; do
> base=$(basename $key | sed -e 's/.pub$/_pub/')
> vmtoolsd --cmd="info-set guestinfo.$base ""$(base64 -w0 <$key)"
> done
> 
> Then you have your ssh keys as e.g. "guestinfo.ssh_host_ed25519_key_pub" in 
> your
> hypervisors variable store for that VM.

Hmm, yeah, in this case, I don't see a more privacy-respecting
alternative to doing this with the current version of qemu-ga.

If the extent of your use case is limited to host ssh pubkeys, then
I'd imagine it wouldn't be a hard sell to pitch the idea of adding
some new RPCs to qemu-ga, like guest-ssh-get-host-publickeys, seeing
as there's already commands like
guest-ssh-{get,set,remove}-authorized-keys.

Then your customer VMs' qemu-ga.conf can specify just
guest-ssh-get-host-publickeys in the allowlist.

Maybe upstream would also be amenable to a more minimal interface as
you've already described of allowing the guest to assign key,value pairs
and adding a RPC to allow the hypervisor to fetch bits of data that way.
Though, it would probably require a fair bit more design before the
implementation arrives.

--
Connor