Re: [Qemu-devel] Live viewing qemu running image

[Eric Blake <eblake@redhat.com>]

On 05/29/2018 07:33 AM, Olga Levy wrote:
> Hi,
> 
> Nice to meet you. I'm a new security engineer and working on a prototype
> using QEMU.
> 
> What I need is to collect running image internal data (like running
> processes, netstat, files modification, etc.) but without running any
> process inside. I mean, doing it from "outside" (I need Qemu support).
> 
> For example,
> 
> How can I live view FS of a running image?

In general, you can't - qemu does not know and does not care what 
operating system the guest code is running, let alone what file systems 
that guest has structured on top of the raw storage that qemu is 
emulating for the guest.  What you are asking for is akin to asking 
Intel to add a new register to their chips that will tell you how many 
open files a bare-metal processor is managing, while telling the chip 
designers that they are not permitted to know whether the user will 
install Windows, Linux, or some other operating system on the machine 
using that chip.

With some effort and knowledge about specific types of guests, it IS 
possible to take snapshots of a guest, and then peek at specific memory 
locations or read the (hopefully consistent) state of the disk at the 
time of the snapshot to learn things about that guest.  And in fact, the 
libguestfs project does a LOT of those hacks, for several mainstream 
operating systems where the effort of writing the hacks is not too much 
of a maintenance burden.  But that's more a question for the libguestfs 
list, as interacting with the guest (or a snapshot of the guest) is 
outside the realm of things that qemu directly targets.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org