libvirt: execute command on host initiated by guest
Hi,
Is it possible, using libvirt, to trigger some command on the host, from the guest?
Both machines run Linux, both are trusted.
But anyway, I don't mean the guest executing whichever command it wants, but only a predefined one.
Is it possible to do with, for example, the QEMU Guest Agent?
I really would like all the configuration to sit within libvirt (e.g. in an XML file or something like that).
What I plan to do is to mount a guest directory on the host using sshfs.
That would also require the possibility to run a host command when the machine is accidentally or forcibly shut down (to umount).
Alternatively, if you know a better way to achieve that, I would like to hear it.
Still, I would like to know how to execute a command on the host from the guest.
There are some more use cases for me.
Thanks in advance!
--
Best regards,
Andrzej Telszewski
Were it proven possible today, it would be more difficult tomorrow. This is exactly the kind of thing developers and admins strive to PREVENT. Such a feature would subvert the security advantage in running processes or servers in virtual containers in the first place. All control must come from the host to the container, NEVER the other way.
That said, there may be other ways to accomplish your real purpose. Providing a "share" space on another container that can be mounted both from the host AND from any other containers would allow for storage communication between an arbitrary number of nodes. Would something like that have value in your case?
Quote:
Originally Posted by wpeckham
Were it proven possible today, it would be more difficult tomorrow. This is exactly the kind of thing developers and admins strive to PREVENT. Such a feature would subvert the security advantage in running processes or servers in virtual containers in the first place. All control must come from the host to the container, NEVER the other way.
I don't know if I was explicit enough.
I didn't mean for the container to send whichever commands it wants and the host executing them.
I was thinking more about something like events.
The guest sends some event and the host can act accordingly upon it.
I don't see it as a security problem.
You could achieve the same (or more dangerous) behavior using SSH or a serial port / unix socket.
What is more, the container is private and trusted.
Quote:
Originally Posted by wpeckham
That said, there may be other ways to accomplish your real purpose. Providing a "share" space on another container that can be mounted both from the host AND from any other containers would allow for storage communication between an arbitrary number of nodes. Would something like that have value in your case?
What I would like to achieve is to mount the guest's rootfs on the host.
The guest is running under libvirt/QEMU, under a regular user (session mode).
I'm more curious whether there already is a solution implementing my requirements.
I could boil something up myself, but that wasn't my intent.
It is not critical; if it were, I would do something that you suggested.
No, there is no solution, and if anything, it's usually the host monitoring the guest via an agent, and acting upon received data, not the other way around.
My initial need was to mount the guest's rootfs onto the host.
I can live without that; it would sometimes make things easier to set up, but not by a huge amount.
Another use case could be the guest signalling the host about a finished task.
E.g. if a VM is used for building packages, it could signal when it's done.
The aim is to receive a signal, instead of polling the guest.
I know most of this could be done by other means; I was just wondering if it could be done within libvirt itself.
With any full virtualization it is easy to mount the guest from the host. What you ask is that the GUEST trigger the host to mount the guest, and that is not something that you could normally trigger from the guest. In fact, the separation pretty much precludes such activity, for the reasons I gave earlier.
Have you considered bypassing libvirt and full virtualization entirely and using kernel-based virtualization? Using LXC or OpenVZ the root of the guest is either ALWAYS available from the host, or available whenever the guest is mounted or running. This makes triggering a mount totally unnecessary.
Quote:
Originally Posted by wpeckham
What you ask is that the GUEST trigger the host to mount the guest, and that is not something that you could normally trigger from the guest. In fact, the separation pretty much precludes such activity, for the reasons I gave earlier.
I won't agree.
The communication between host and guest is happening all the time in many different parts of the system.
They all have to be thoughtfully designed.
And as I mentioned before, I'm not asking for the host directly executing whatever commands the guest sends.
What I'm thinking of is defining some sort of signal/event. Then the host could execute e.g. a script, or simply ignore the event request.
Quote:
Originally Posted by wpeckham
Have you considered bypassing libvirt and full virtualization entirely and using kernel-based virtualization? Using LXC or OpenVZ the root of the guest is either ALWAYS available from the host, or available whenever the guest is mounted or running. This makes triggering a mount totally unnecessary.
Nope, LXC is on my wish list ;-)
I don't know if it's possible with the technologies you mentioned, but what I really like about libvirt/QEMU is that I can run them under a regular user account.
No root account involved.
The common practice is to use the virtio-serial (or a regular serial port) in the guest, exposed as a file on the host. If the guest wants to send a message to the host, it will send it to its serial port, and the host needs to monitor the file for changes and act upon them. This is the mechanism most guest agents use to communicate with the host. It is safe, since the host initiates the virtual port polling and will only execute commands received from it if it is specifically programmed to.
Anything else will have to either go through a shared storage volume or over a network. You can, btw, use an isolated IP network that exists only between the host and a guest.
Quote:
The common practice is to use the virtio-serial (or a regular serial port) in the guest, exposed as a file on the host. If the guest wants to send a message to the host, it will send it to its serial port, and the host needs to monitor the file for changes and act upon them. This is the mechanism most guest agents use to communicate with the host. It is safe, since the host initiates the virtual port polling and will only execute commands received from it if it is specifically programmed to.
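As an added example (not code from the thread), here is the host-side half of that design: libvirt exposes a virtio-serial channel as a unix socket, the host connects and reads one event line at a time, and only names on a fixed allow-list map to host commands; the socket EOF also covers the original poster's unmount-on-shutdown case without the guest's cooperation. The channel name, socket path, mount point and commands are assumptions.

```python
# Host-side listener for a guest->host event channel over virtio-serial.
# Assumed libvirt domain XML (channel name and socket path are assumptions):
#   <channel type='unix'>
#     <source mode='bind' path='/tmp/guest-events.sock'/>
#     <target type='virtio' name='org.example.events'/>
#   </channel>
# Guest side: /dev/virtio-ports/org.example.events, one event name per line.
import socket
import subprocess

# Allow-list: event -> host argv. Unlisted events are ignored; the guest never supplies commands.
HANDLERS = {
    "build-done": ["logger", "-t", "guest-events", "guest build finished"],
    "guest-gone": ["fusermount", "-u", "/mnt/guest-dir"],  # undo the sshfs mount
}
MAX_LINE = 256  # a guest that never sends a newline must not grow our buffer

def parse_event(line: bytes):
    """Return the event name if the line is a valid allow-listed event, else None."""
    if len(line) > MAX_LINE:
        return None
    name = line.decode("ascii", "replace").strip()
    # Only a bare token is accepted: no arguments or metacharacters from the guest.
    if not name or not all(c.isalnum() or c == "-" for c in name):
        return None
    return name if name in HANDLERS else None

def dispatch(line: bytes, run=subprocess.run) -> bool:
    """Run the host command mapped to one event line; True if something ran."""
    name = parse_event(line)
    if name is None:
        return False
    run(HANDLERS[name], check=False)  # argv list, no shell: guest text never reaches a command
    return True

def serve(path: str = "/tmp/guest-events.sock") -> None:
    """QEMU binds the socket (mode='bind'); the host connects and reads lines."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(path)
        buf = b""
        while chunk := s.recv(4096):
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                dispatch(line)
            if len(buf) > MAX_LINE:
                buf = b""  # discard an over-long partial line
    # EOF: QEMU exited (clean or forced shutdown), so the host unmounts on its own.
    dispatch(b"guest-gone")
```

Run `serve()` on the host after the domain is started; the guest then only needs `echo build-done > /dev/virtio-ports/org.example.events`.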
That's exactly what I was thinking of.
I just hoped that maybe libvirt already had an internal implementation.
virtio-vsock would also be a good candidate.
But I think it is just showing up as of this writing.