[Qemu-devel] Idea: fuse-kvm filesystem

[Qemu-devel] Idea: fuse-kvm filesystem

[Avi Kivity]

Currently when you mount a filesystem, you face two issues:
- you have to be root
- if the media is untrusted, it can exploit your kernel

With kvm and fuse, we can have a virtualized kernel mount the
filesystem, and re-export to the host, which mounts it using a fuse
interface.  This solves both problems, at the expense of speed and
simplicity.  In theory this can be used for mounting untrusted USB
sticks (perhaps only for the less well tested filesystems).

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] Idea: fuse-kvm filesystem

[Richard W.M. Jones]

On Thu, May 10, 2012 at 03:29:54PM +0300, Avi Kivity wrote:
> Currently when you mount a filesystem, you face two issues:
> - you have to be root
> - if the media is untrusted, it can exploit your kernel
> 
> With kvm and fuse, we can have a virtualized kernel mount the
> filesystem, and re-export to the host, which mounts it using a fuse
> interface.  This solves both problems, at the expense of speed and
> simplicity.  In theory this can be used for mounting untrusted USB
> sticks (perhaps only for the less well tested filesystems).

I guess you CC'd me so I could point out guestmount :-?

  http://libguestfs.org/guestmount.1.html

guestmount does the above already, and you can point it directly at
USB sticks, hard drives and the like, although most people use it for
mounting VM filesystems on the host.

On my local machine I'm a member of the "disk" group so I can do all
this as non-root:

  $ guestmount --ro -a /dev/vg_pin/F16x64 -i /tmp/mnt
  $ cat /tmp/mnt/etc/redhat-release 
  Fedora release 16 (Verne)
  $ ls /tmp/mnt
  bin   dev  home  lib64       media  opt   root  sbin     srv  tmp  var
  boot  etc  lib   lost+found  mnt    proc  run   selinux  sys  usr

One problem you'll find is that FUSE is pretty slow.  I recommend if
you're looking for performance that you use the libguestfs API calls
directly instead of POSIX-over-FUSE.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v

Re: [Qemu-devel] Idea: fuse-kvm filesystem

[Alex Bradbury]

On 10 May 2012 13:29, Avi Kivity <avi@redhat.com> wrote:
> Currently when you mount a filesystem, you face two issues:
> - you have to be root
> - if the media is untrusted, it can exploit your kernel
>
> With kvm and fuse, we can have a virtualized kernel mount the
> filesystem, and re-export to the host, which mounts it using a fuse
> interface.  This solves both problems, at the expense of speed and
> simplicity.  In theory this can be used for mounting untrusted USB
> sticks (perhaps only for the less well tested filesystems).

Is this not one of the many features of guestfs? At least, I'm not
sure I understand from your description how it's different.

http://libguestfs.org/guestmount.1.html

Alex

Re: [Qemu-devel] Idea: fuse-kvm filesystem

[Avi Kivity]

On 05/10/2012 03:35 PM, Richard W.M. Jones wrote:
> On Thu, May 10, 2012 at 03:29:54PM +0300, Avi Kivity wrote:
> > Currently when you mount a filesystem, you face two issues:
> > - you have to be root
> > - if the media is untrusted, it can exploit your kernel
> > 
> > With kvm and fuse, we can have a virtualized kernel mount the
> > filesystem, and re-export to the host, which mounts it using a fuse
> > interface.  This solves both problems, at the expense of speed and
> > simplicity.  In theory this can be used for mounting untrusted USB
> > sticks (perhaps only for the less well tested filesystems).
>
> I guess you CC'd me so I could point out guestmount :-?
>
>   http://libguestfs.org/guestmount.1.html

Is there a feature that libguestfs doesn't have?

Anyway I tried it out and it seems to work really well.

> guestmount does the above already, and you can point it directly at
> USB sticks, hard drives and the like, although most people use it for
> mounting VM filesystems on the host.
>
> On my local machine I'm a member of the "disk" group so I can do all
> this as non-root:
>
>   $ guestmount --ro -a /dev/vg_pin/F16x64 -i /tmp/mnt
>   $ cat /tmp/mnt/etc/redhat-release 
>   Fedora release 16 (Verne)
>   $ ls /tmp/mnt
>   bin   dev  home  lib64       media  opt   root  sbin     srv  tmp  var
>   boot  etc  lib   lost+found  mnt    proc  run   selinux  sys  usr
>
> One problem you'll find is that FUSE is pretty slow.  I recommend if
> you're looking for performance that you use the libguestfs API calls
> directly instead of POSIX-over-FUSE.

Yes, 'guestmount' consumes a fair bit of cpu.  But it probably doesn't
matter for USB sticks.

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] Idea: fuse-kvm filesystem

[Avi Kivity]

On 05/10/2012 03:37 PM, Alex Bradbury wrote:
> On 10 May 2012 13:29, Avi Kivity <avi@redhat.com> wrote:
> > Currently when you mount a filesystem, you face two issues:
> > - you have to be root
> > - if the media is untrusted, it can exploit your kernel
> >
> > With kvm and fuse, we can have a virtualized kernel mount the
> > filesystem, and re-export to the host, which mounts it using a fuse
> > interface.  This solves both problems, at the expense of speed and
> > simplicity.  In theory this can be used for mounting untrusted USB
> > sticks (perhaps only for the less well tested filesystems).
>
> Is this not one of the many features of guestfs? At least, I'm not
> sure I understand from your description how it's different.
>
> http://libguestfs.org/guestmount.1.html

It is a subset of guestmount, libguestfs rocks.

-- 
error compiling committee.c: too many arguments to function

Re: [Qemu-devel] Idea: fuse-kvm filesystem

[Jan Kiszka]

On 2012-05-10 09:29, Avi Kivity wrote:
> Currently when you mount a filesystem, you face two issues:
> - you have to be root
> - if the media is untrusted, it can exploit your kernel
> 
> With kvm and fuse, we can have a virtualized kernel mount the
> filesystem, and re-export to the host, which mounts it using a fuse
> interface.  This solves both problems, at the expense of speed and
> simplicity.  In theory this can be used for mounting untrusted USB
> sticks (perhaps only for the less well tested filesystems).
> 

I preferred mountlo [1] for this task, specifically due to the quick
mount time and reasonable performance. Unfortunately, this setup,
specifically uml, required some love back then when I last tried.

Jan

[1] http://sourceforge.net/projects/fuse/files/mountlo

-- 
Siemens AG, Corporate Technology, CT T DE IT 1
Corporate Competence Center Embedded Linux