From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH 2/2] runqemu: limit slirp host port forwarding to localhost 127.0.0.1
Date: Thu, 17 Nov 2022 16:20:15 +0200
Message-ID: <Y3ZDH6S/Ee6lxNEs@nuoska>
In-Reply-To: <3dd2aa3d-6510-90e4-d8a8-a5ec12e9c16c@theobroma-systems.com>
Hi,
On Thu, Nov 17, 2022 at 02:17:13PM +0100, Quentin Schulz wrote:
> Hi Mikko,
>
> On 11/14/22 16:50, Mikko Rapeli wrote:
> > With default slirp port forwarding config qemu listens on TCP ports
> > 2222 and 2323 on all IP addresses available on the build host. Most
> > use cases with runqemu only need it for localhost and it is not
> > safe to run qemu images with root login without password enabled
> > and listening on all available, possibly Internet reachable network
> > interfaces. Limit qemu port forwarding to localhost 127.0.0.1 IP
> > address. Now qemu machine SSH and telnet ports are only
> > reachable from the build host machine, not full Internet.
> >
> > If qemu machine needs to be reachable from network, then it can
> > be enabled via local.conf or machine config variable QB_SLIRP_OPT:
> >
> > QB_SLIRP_OPT = "-netdev user,id=net0,hostfwd=tcp::2222-:22"
> >
> > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> > ---
> > scripts/runqemu | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/scripts/runqemu b/scripts/runqemu
> > index a6ea578564..7bd9465593 100755
> > --- a/scripts/runqemu
> > +++ b/scripts/runqemu
> > @@ -1071,7 +1071,7 @@ class BaseConfig(object):
> > logger.info("Network configuration:%s", netconf)
> > self.kernel_cmdline_script += netconf
> > # Port mapping
> > - hostfwd = ",hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23"
> > + hostfwd = ",hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:2323-:23"
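Review bot: the new hostfwd string binds only 127.0.0.1, but the opt-out shown in the commit message (`QB_SLIRP_OPT = "-netdev user,id=net0,hostfwd=tcp::2222-:22"`) silently restores the all-interfaces listener this hunk removes, because an empty host address in a QEMU hostfwd rule means every interface. Consider a comment next to `# Port mapping` saying that the empty host address is the exposed form and that an override meant for external access should name an explicit bind address. Since QB_SLIRP_OPT overrides this default (per the commit message), a machine config that already sets it with the old empty-host form keeps the old exposure, which is worth stating in the commit message too.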
>
> With the additional knowledge we gathered in the last patches, I believe it
> would be a good thing to say a few words/update the documentation.
>
> See https://lore.kernel.org/yocto-docs/fedb4cc0-44d6-d7d8-bc26-c8de5bee06ca@theobroma-systems.com/T/#t
> for a patch I believe might make it to master soon? I think we should say
> what the default value entails (even if this patch isn't taken) and maybe
> point/refer to the QEMU documentation for the meaning of options in
> QB_SLIRP_OPT. I believe some/all of options listed
> https://www.qemu.org/docs/master/system/invocation.html are possible?
>
> What do you think?
Yes, I agree, and saw that change too. I'll try to document this once the
change gets integrated.
Cheers,
-Mikko
> Cheers,
> Quentin
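As an added example (not code from this patch or from runqemu), a small Python audit of the hostfwd rules in a QB_SLIRP_OPT-style string: it flags rules whose host side is unbound (the form the quoted hunk replaces) and rewrites them to 127.0.0.1, which is the change the patch makes. The function names and the sample option strings are assumptions; IPv6 literal host addresses are not handled.

```python
import re

# One QEMU slirp hostfwd rule: hostfwd=tcp:[hostaddr]:hostport-[guestaddr]:guestport
# An empty hostaddr (the QEMU default) or 0.0.0.0 binds every host interface.
HOSTFWD_RE = re.compile(r"hostfwd=(tcp|udp):([^:,]*):(\d+)-([^:,]*):(\d+)")
WILDCARD_HOSTS = ("", "0.0.0.0")


def audit_hostfwd(netdev_opt):
    """Return (proto, hostaddr, hostport, guestport, exposed) for each rule.

    exposed is True when the host side listens on all interfaces.
    """
    findings = []
    for m in HOSTFWD_RE.finditer(netdev_opt):
        proto, hostaddr, hostport, _guestaddr, guestport = m.groups()
        exposed = hostaddr in WILDCARD_HOSTS
        findings.append((proto, hostaddr or "<all>", int(hostport),
                         int(guestport), exposed))
    return findings


def exposed_ports(netdev_opt):
    """Only the rules reachable from outside the build host."""
    return [f for f in audit_hostfwd(netdev_opt) if f[4]]


def pin_to_localhost(netdev_opt):
    """Rewrite wildcard host addresses to 127.0.0.1, leaving other rules alone."""
    def fix(m):
        proto, hostaddr, hostport, guestaddr, guestport = m.groups()
        if hostaddr in WILDCARD_HOSTS:
            hostaddr = "127.0.0.1"
        return f"hostfwd={proto}:{hostaddr}:{hostport}-{guestaddr}:{guestport}"
    return HOSTFWD_RE.sub(fix, netdev_opt)


if __name__ == "__main__":
    # Constructed sample: the pre-patch default, as quoted in the hunk.
    default = "-netdev user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23"
    for proto, host, hport, gport, exposed in audit_hostfwd(default):
        state = "EXPOSED on all interfaces" if exposed else "localhost only"
        print(f"{proto} {host}:{hport} -> guest:{gport}  {state}")
    print("pinned:", pin_to_localhost(default))
```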