Shulou(Shulou.com)06/02 Report--

This article will take writing files directly from the host to the VM as an example to explain why injection is needed and how to implement it.

Tag: qemu-ga, qemu guest agent, kvm, guest-file-write, inject

Brother slow's original article, welcome to reprint.

Catalogue

Why should ▪ be "injected" into VM?

How to realize "injection" in ▪

▪ Step1. Configure channel for VM

▪ Step2. Deploy qemu-ga

▪ Step3. Injection operation description

▪ Step4. Base64 calculation

▪ Step5. Start injecting

▪ attached 1. All instructions supported by qemu-ga

▪ attached 2. Configure multiple channel

▪ reference documentation

Why "inject" into the VM?

The reason is simple: it cannot be implemented outside VM, so it can only be implemented in VM.

Unlike Docker (container), which simply isolates processes from cgroup, KVM is a fully closed environment.

For KVM-based virtual machines, there are usually the following requirements:

▷ changes passwords online

▷ adds public key online

▷ online collection performance (such as cpu utilization, load, memory usage and other performance indicators)

Various other online features of ▷

The commonness of the above scenarios: it cannot be achieved outside of VM alone. As a result, there are a variety of solutions, but either solution must meet the following two points at the same time:

▷ channel: open a channel between the inside and outside of the VM (host) for data exchange

▷ agent: plant an agent inside the VM to receive external instructions and feedback the results

Planting agent within VM can be vividly called "inject injection"

How to realize "injection"

Step one, open the channel.

There are two types of methods:

▷ to go to the network: it will be more complicated, need to pre-insert a management network card in advance, or use the existing network card + special routing to ensure that the data can go out, which leads to a more complex network topology

▷ walking device: it is much easier to establish a device channel between the VM and the host. For example, add a character device to the KVM virtual machine and map it to a socket file on the host. A channel is formed between the character device and the socket, through which the internal and external data can be exchanged.

"walking the network" is not what this article wants to introduce, and all the next content is "walking the equipment".

Step 2: start agent

Start an agent in the virtual machine, read the character device in real time, and realize the data interaction with the host.

You can define what kind of data to send and receive in channel, or you can use the solution officially implemented by KVM, called Qemu Guest Agent, or qemu-ga for short. It includes two aspects:

Protocol definition for transferring data in ▷ channel: JSON-based format

Agent in ▷ VM: starts a daemon called qemu-ga, which takes the incoming json instruction from the character device, then executes the command according to the instruction, and returns the result to the host through the character device

The advantage of qemu-ga is that its encapsulated instructions are compatible with different operating systems, such as the write file instruction guest-file-write, which can be used for both linux and windows.

With regard to the configuration and use of qemu-ga, the author has written an article entitled "interacting with qemu Virtual Machine based on QMP", which introduces its working principle and basic usage in detail. The address is attached here.

Https://www.toutiao.com/i6646012291059810823/

Since the topic of this article is "injecting to write a file," the next part will focus on how to write a file, but will also post the deployment and enabling methods of qemu-ga again.

Step1. Configure channel for VM

The virtual machine started by libvirt can add a section of configuration to XML.

Note: the above configuration should be put in the paragraph.

Step2. Deploy qemu-ga

1 ️installation qemu-ga

Installing and launching qemu-ga,linux and windows inside VM supports qemu-ga. Many linux publishers provide their own qemu-ga, such as rhel/centos, fedora, ubuntu, and opensuse, which can be downloaded and used directly. For windows systems, you need to download virtio-win, which includes some win drivers and qemu-ga installation packages for virtio, or you can download only qemu-ga installation packages.

# rhel/centosyum install qemu-guest-agent# windows, the latest virtio-win iso https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-virtio/# windows, the latest qemu-ga installation package https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/latest-qemu-ga/

The qemu-ga installation package for windows is shown in the figure

2 ️launch qemu-ga

Take centos7 as an example

# start the qemu-ga daemon systemctl start qemu-guest-agent# to join boot and start systemctl enable qemu-guest-agent

After startup, you should be able to see that the process has started through systemctl status qemu-guest-agent, as shown in the figure

Note: some qemu-ga will reject some instructions because some instructions are disabled in the qemu-ga configuration file. For example, in centos7, the configuration file is / etc/sysconfig/qemu-ga

# modify / etc/sysconfig/qemu-ga, comment out the following, or delete BLACKLIST_RPC=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status# and restart qemu-ga directly to take effect on systemctl restart qemu-guest-agent

3 ️testing qemu-ga

On the host in VM, execute the following command:

# ${DOMAIN} indicates the name of the virtual machine or UUIDvirsh qemu-agent-command ${DOMAIN}'{"execute": "guest-ping"}'

Qemu-ga is available if the following is returned

{"return": {}}

Let's take a look at which instructions are supported by qemu-ga.

Virsh qemu-agent-command ${DOMAIN}-pretty'{"execute": "guest-info"}'

You should see that many commands are supported. Since the following commands are needed in the following experiment, please confirm whether they are supported first.

▪ guest-exec: execute commands (asynchronous operations)

▪ guest-exec-status: view the results of executing a command

▪ guest-file-open: open the file and get the handle

▪ guest-file-write: write file (pass base64)

▪ guest-file-close: closing files

Step3. Injection operation description

Lab objective: write the public key contents of RSA to / root/.ssh/authorized_keys

This involves the following three steps:

1. Create a / root/.ssh directory with permissions of 700

two。 Create a / root/.ssh/authorized_keys file with permissions of 600

3. Encode the RSA public key text with Base64 (guest-file-write does not support plaintext, only base64), and write the encoded content to / root/.ssh/authorized_keys

Step4. Base64 calculation

Let's assume that the RSA public key content is

Ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVKog04pbbLaarjbpvK7CRaIuUwWxehJIH8tqtX/oV4GYN5WGYPFa1tzsd4Vyoblm4LePX79WeI4kFHgSbH5P6H9i8l3KCTFHHeJT/g0P55/c60yDb3o6lqpWu9IKE3I4lsTp05Y/W0Ks7W27Jndr162ni0Ybthgd9CQyoiburoh45ECiPGwWUOBVJ4IEpSpOZdDUJLS/vVuSQgvEH0fq/G1DP3SOyR+DNasJ00mwonfaUKHZXmWAlH8marNwPmWapyTSQwCFKKh2HwlJEWETV4fYuFwm3iennb8cX1y4aX9AJWnA2cc35rpulivMijeXs/ssT5iFljXXGYzmkX6nR root@localhost.localdomain

Encode Base64

Echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVKog04pbbLaarjbpvK7CRaIuUwWxehJIH8tqtX/oV4GYN5WGYPFa1tzsd4Vyoblm4LePX79WeI4kFHgSbH5P6H9i8l3KCTFHHeJT/g0P55/c60yDb3o6lqpWu9IKE3I4lsTp05Y/W0Ks7W27Jndr162ni0Ybthgd9CQyoiburoh45ECiPGwWUOBVJ4IEpSpOZdDUJLS/vVuSQgvEH0fq/G1DP3SOyR+DNasJ00mwonfaUKHZXmWAlH8marNwPmWapyTSQwCFKKh2HwlJEWETV4fYuFwm3iennb8cX1y4aX9AJWnA2cc35rpulivMijeXs/ssT5iFljXXGYzmkX6nR root@localhost.localdomain' | base64-w 0

In this way, you get the base64 encoded content.

C3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEVktvZzA0cGJiTGFhcmpicHZLN0NSYUl1VXdXeGVoSklIOHRxdFgvb1Y0R1lONVdHWVBGYTF0enNkNFZ5b2JsbTRMZVBYNzlXZUk0a0ZIZ1NiSDVQNkg5aThsM0tDVEZISGVKVC9nMFA1NS9jNjB5RGIzbzZscXBXdTlJS0UzSTRsc1RwMDVZL1cwS3M3VzI3Sm5kcjE2Mm5pMFlidGhnZDlDUXlvaWJ1cm9oMzVFQ2lQR3dXVU9CVko0SUVwU3BPWmREVUpMUy92VnVTUWd2RUgwZnEvRzFEUDNTT3lSK0ROYXNKMDBtd29uZmFVS0haWG1XQWxIOG1hck53UG1XYXB5VFNRd0NGS0toMUh4bEpFV0VUVjRmWXVGd20zaWVubmI4Y1gxeTRhWDlBSlduQTJjYzM1cnB1bGl2TWlqZVhzL3NzVDVpRmxqWFhHWXpta1g2blIgcm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4KStep5. Start injecting

1 ️administrator creates a / root/.ssh directory with permissions of 700

# mkdir / root/.sshvirsh qemu-agent-command ${DOMAIN}'{"execute": "guest-exec", "arguments": {"path": "mkdir", "arg": ["- p", "/ root/.ssh"], "capture-output": true}'# suppose {"return": {"pid": 911}} is returned in the previous step Next, check the results (usually negligible) virsh qemu-agent-command ${DOMAIN}'{"execute": "guest-exec-status", "arguments": {"pid": 911}}'# chmod 700 / root/.ssh, this line can not be executed, because the above directory is 700 after the creation of the directory, but in case the permissions are incorrect and cannot be used. Virsh qemu-agent-command ${DOMAIN}'{"execute": "guest-exec", "arguments": {"path": "chmod", "arg": ["700"," / root/.ssh "]," capture-output ": true}'# suppose {" return ": {" pid ": 912}} is returned in the previous step. Next, check the results (usually ignored) virsh qemu-agent-command ${DOMAIN}'{"execute": "guest-exec-status", "arguments": {"pid": 912}}'

2 ️create / root/.ssh/authorized_keys file with permission of 600

# touch / root/.ssh/authorized_keysvirsh qemu-agent-command ${DOMAIN}'{"execute": "guest-exec", "arguments": {"path": "touch", "arg": ["/ root/.ssh/authorized_keys"], "capture-output": true}}'# suppose {"return": {"pid": 913}} is returned in the previous step Next, check the result (usually negligible) virsh qemu-agent-command ${DOMAIN}'{"execute": "guest-exec-status", "arguments": {"pid": 913}}'# chmod 600 / root/.ssh/authorized_keys, this line can not be executed, because the above file is 600 after the creation of the file, but in case the permissions are incorrect and cannot be used. It is safer to brush virsh qemu-agent-command ${DOMAIN}'{"execute": "guest-exec", "arguments": {"path": "chmod", "arg": ["600", "/ root/.ssh/authorized_keys"], "capture-output": true}'# suppose {"return": {"pid": 914}} is returned in the previous step. Next, check the results (usually ignored) virsh qemu-agent-command ${DOMAIN}'{"execute": "guest-exec-status", "arguments": {"pid": 914}}'

3 ️encoding writes Base64 encoding to / root/.ssh/authorized_keys

# Open the file (read / write) and get the handle virsh qemu-agent-command ${DOMAIN}'{"execute": "guest-file-open", "arguments": {"path": "/ root/.ssh/authorized_keys", "mode": "w +"}'# write to the file, assuming that {"return": 1000} is returned in the previous step 1000 is the handle virsh qemu-agent-command ${DOMAIN}'{"execute": "guest-file-write", "arguments": {"handle": 1000, "buf-b64": "c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEVktvZzA0cGJiTGFhcmpicHZLN0NSYUl1VXdXeGVoSklIOHRxdFgvb1Y0R1lONVdHWVBGYTF0enNkNFZ5b2JsbTRMZVBYNzlXZUk0a0ZIZ1NiSDVQNkg5aThsM0tDVEZISGVKVC9nMFA1NS9jNjB5RGIzbzZscXBXdTlJS0UzSTRsc1RwMDVZL1cwS3M3VzI3Sm5kcjE2Mm5pMFlidGhnZDlDUXlvaWJ1cm9oMzVFQ2lQR3dXVU9CVko0SUVwU3BPWmREVUpMUy92VnVTUWd2RUgwZnEvRzFEUDNTT3lSK0ROYXNKMDBtd29uZmFVS0haWG1XQWxIOG1hck53UG1XYXB5VFNRd0NGS0toMUh4bEpFV0VUVjRmWXVGd20zaWVubmI4Y1gxeTRhWDlBSlduQTJjYzM1cnB1bGl2TWlqZVhzL3NzVDVpRmxqWFhHWXpta1g2blIgcm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4K"}'# close the file virsh qemu-agent-command ${DOMAIN}'{"execute": "guest-file-close", "arguments": {"handle": 1000}}'

View effect: check / root/.ssh/authorized_keys in VM at this time, and you should see the new line.

Attached 1. All instructions supported by qemu-ga

Different qemu-ga versions and different operating systems will support different instructions. Here are all the current parameters seen on the official website.

▪ guest-exec

▪ guest-exec-status

▪ guest-file-close

▪ guest-file-flush

▪ guest-file-open

▪ guest-file-read

▪ guest-file-seek

▪ guest-file-write

▪ guest-fsfreeze-freeze

▪ guest-fsfreeze-freeze-list

▪ guest-fsfreeze-status

▪ guest-fsfreeze-thaw

▪ guest-fstrim

▪ guest-get-fsinfo

▪ guest-get-host-name

▪ guest-get-memory-block-info

▪ guest-get-memory-blocks

▪ guest-get-osinfo

▪ guest-get-time

▪ guest-get-timezone

▪ guest-get-users

▪ guest-get-vcpus

▪ guest-info

▪ guest-network-get-interfaces

▪ guest-ping

▪ guest-set-memory-blocks

▪ guest-set-time

▪ guest-set-user-password

▪ guest-set-vcpus

▪ guest-shutdown

▪ guest-suspend-disk

▪ guest-suspend-hybrid

▪ guest-suspend-ram

▪ guest-sync

▪ guest-sync-delimited

For specific usage, please refer to the official website documentation.

Https://qemu.weilnetz.de/doc/qemu-ga-ref.html attached 2. Configure multiple channel

1 ️channels can configure multiple channel in XML, so that multiple device channels can be created

2 ️VM to start two qemu-ga daemons, you can make a copy of the original service file and modify it

Cd / usr/lib/systemd/systemcp qemu-guest-agent.service qemu-guest-agent-1.service

Then modify the qemu-guest-agent-1.service

3 ️startup service

Systemctl start qemu-guest-agent-1 reference document # qemu-ga introduction and use: QEMU Guest Agent# qemu-ga complete parameters: https://qemu.weilnetz.de/doc/qemu-ga-ref.html# another related article by the author, "interacting with qemu virtual machines based on QMP": https://www.toutiao.com/i6646012291059810823/

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.