[Qemu-devel] Live viewing qemu running image

[Qemu-devel] Live viewing qemu running image

[Olga Levy]

Hi,

Nice to meet you. I'm a new security engineer and working on a prototype
using QEMU.

What I need is to collect running image internal data (like running
processes, netstat, files modification, etc.) but without running any
process inside. I mean, doing it from "outside" (I need Qemu support).

For example,

How can I live view FS of a running image?

Efrat

Re: [Qemu-devel] Live viewing qemu running image

[Eric Blake]

On 05/29/2018 07:33 AM, Olga Levy wrote:
> Hi,
> 
> Nice to meet you. I'm a new security engineer and working on a prototype
> using QEMU.
> 
> What I need is to collect running image internal data (like running
> processes, netstat, files modification, etc.) but without running any
> process inside. I mean, doing it from "outside" (I need Qemu support).
> 
> For example,
> 
> How can I live view FS of a running image?

In general, you can't - qemu does not know and does not care what 
operating system the guest code is running, let alone what file systems 
that guest has structured on top of the raw storage that qemu is 
emulating for the guest.  What you are asking for is akin to asking 
Intel to add a new register to their chips that will tell you how many 
open files a bare-metal processor is managing, while telling the chip 
designers that they are not permitted to know whether the user will 
install Windows, Linux, or some other operating system on the machine 
using that chip.

With some effort and knowledge about specific types of guests, it IS 
possible to take snapshots of a guest, and then peek at specific memory 
locations or read the (hopefully consistent) state of the disk at the 
time of the snapshot to learn things about that guest.  And in fact, the 
libguestfs project does a LOT of those hacks, for several mainstream 
operating systems where the effort of writing the hacks is not too much 
of a maintenance burden.  But that's more a question for the libguestfs 
list, as interacting with the guest (or a snapshot of the guest) is 
outside the realm of things that qemu directly targets.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3266
Virtualization:  qemu.org | libvirt.org

Re: [Qemu-devel] Live viewing qemu running image

[Stefan Hajnoczi]

[-- Attachment #1: Type: text/plain, Size: 886 bytes --]

On Tue, May 29, 2018 at 03:33:40PM +0300, Olga Levy wrote:
> Hi,
> 
> Nice to meet you. I'm a new security engineer and working on a prototype
> using QEMU.
> 
> What I need is to collect running image internal data (like running
> processes, netstat, files modification, etc.) but without running any
> process inside. I mean, doing it from "outside" (I need Qemu support).
> 
> For example,
> 
> How can I live view FS of a running image?

You might be interested in http://libvmi.com/ and
https://github.com/KVM-VMI.

In general these mechanisms are problematic because they go against the
philosophy that the guest is a black box.  They are invasive, difficult
to maintain, and reduce performance.

But if they are useful to enough people, then eventually they will
mature and be integrated into QEMU/KVM after enough effort is invested
into them.

Stefan

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]