On Wed, May 22, 2024 at 05:06:57PM +0200, Alexander Ivanov wrote: > Add an interactive mode to the guest-exec command in the QEMU Guest Agent > using the VSOCK communication mechanism. It enables interactive sessions > with the executed command in the guest, allowing real-time input/output. > > Introduce "interactive" mode in the GuestExecCaptureOutputMode enumeration > and add optional "cid" and "port" fields to the guest-exec response. In > such a way user can execute guest-exec command, get CID and port number > from the response and connect to the guest server. After connection user > can communicate with the started process. All the data transmitted to the > server is redirected to stdin. Data from stdout and stderr is redirected > to the client. All data blocks are preceded by 32-bit headers (network > byte order): most significant bit contains a sign of stream (stdout - 0, > stderr - 1), all the other bits contain the payload size.
Every patch to 'guest-exec' takes us torwards re-inventing yet more SSH/telnet functionality, but a poor simulation of it. For exmaple this still lacks any separation of stdout/stderr streams, just interleaving all their data back to the host. There is also zero access control facilities beyond turning off the 'guest-exec' command entirely. IMHO we should really consider "arbitrary command execution" to be something to be handled by a separate process. Let the guest OS admin decide separately from running QEMU GA, whether they want to enable arbitrary host processes to have a trival privileged backdoor into their guest. systemd now supports exposing SSH over VSOCK, and provides an SSH proxy in the host to connect to VMs, while libvirt also has added its own host SSH proxy to allow SSH based on libvirt VM name. For windows guests, there is something called PowerShell Direct which exposes PowerShell over vmbus under HyperV. Possibly that can be enabled in QEMU too if someone understands windows & vmbus enough... ? With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
