feat(core): restrict libvirt socket access and introduce vlctl tool #817

Merged: yaroslavborbat merged 8 commits into main from feat/core/auth-virtqemud on Mar 31, 2025

@yaroslavborbat yaroslavborbat commented Mar 3, 2025

Description

Restrict libvirt socket access and introduce vlctl tool
This PR enhances security in KubeVirt by restricting virtqemud socket access and introducing vlctl, a new tool to retrieve domain information without using virsh.

Changes

1. Added libvirt patch (002-auth-pid-restriction.patch)

  • Introduces the LIBVIRT_UNIX_SOCKET_AUTH_PID environment variable for virtqemud.
  • Restricts socket access to a specific process ID, allowing only the specified process to communicate with virtqemud.

2. Added KubeVirt patch (041-restrict-libvirt-socket-to-qemu.patch)

  • Configures virtqemud to use the LIBVIRT_UNIX_SOCKET_AUTH_PID environment variable, restricting access to the virt-launcher process that started it.
  • Prevents unauthorized processes from connecting to the libvirt socket, reducing security risks.
  • Updates the migration mechanism: since virt-handler directly connects to the virtqemud socket during migration, the libvirt patch does not authorize it. To address this issue, an additional migration-proxy has been introduced in virt-launcher. This proxy receives traffic from virt-handler and forwards it to virtqemud.
  • A new gRPC call, MigrationProxy, has been added to start this migration proxy.

3. Introduced vlctl tool

  • A lightweight alternative to virsh for retrieving domain-related information.
  • Provides structured access to domain data, guest info, users, filesystems, and stats.
  • Reduces dependencies on virsh, improving efficiency and security.

vlctl Command Reference

General Commands

  • vlctl ping – Check connectivity with virt-launcher.
  • vlctl qemu version – Get the QEMU version.

Domain Commands

  • vlctl domain – Get the domain specification.
  • vlctl domain stats – Get domain statistics.

Guest Commands

  • vlctl guest info – Get general guest info.
  • vlctl guest filesystems – Get info about the guest's filesystems.
  • vlctl guest users – Get info about logged-in guest users.
  • vlctl guest ping – Ping guest agent.

Security Commands

  • vlctl sev – Get SEV info.

These commands allow for efficient interaction with virtual machines while improving security and reducing dependency on virsh.

Why do we need it, and what problem does it solve?

These changes strengthen the isolation of QEMU processes, minimize unnecessary socket exposure, and provide a more efficient way to query domain information.

What is the expected result?

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: core
type: feature
summary: Enhance security by restricting access to the virtqemud socket, allowing only the virt-launcher to connect.
section: core
type: feature
summary: Introduce the vlctl tool as a replacement for virsh, compatible with the restricted libvirt socket.
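
The PID restriction from item 1 of the description, as an added Go example that is not code from this PR or from libvirt: a Unix-socket server reads the peer's kernel-reported PID and compares it with `LIBVIRT_UNIX_SOCKET_AUTH_PID`. The use of `SO_PEERCRED`, failing closed on an unset or malformed value, and the names `authorize` and `selfCheck` are assumptions, since the page does not show how the patch performs the check; Linux only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"syscall"
)

const authPIDEnv = "LIBVIRT_UNIX_SOCKET_AUTH_PID" // name from the PR description

var errDenied = errors.New("peer PID not authorized")

// authorize compares the kernel-reported PID of the socket peer (fixed at
// connect(2) or socketpair(2) time) with the configured PID. Unset or
// malformed values fail closed (assumption; the PR text does not say).
func authorize(fd int) error {
	allowed, err := strconv.ParseInt(os.Getenv(authPIDEnv), 10, 32)
	if err != nil || allowed <= 0 {
		return fmt.Errorf("%s unset or invalid: refusing all peers", authPIDEnv)
	}
	cred, err := syscall.GetsockoptUcred(fd, syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	if err != nil {
		return err
	}
	if int64(cred.Pid) != allowed {
		return fmt.Errorf("%w: pid %d", errDenied, cred.Pid)
	}
	return nil
}

// selfCheck sets the variable and checks a socketpair whose peer is this
// process (a constructed stand-in for a real client connection).
func selfCheck(pidValue string) error {
	os.Setenv(authPIDEnv, pidValue)
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return err
	}
	defer func() { syscall.Close(fds[0]); syscall.Close(fds[1]) }()
	return authorize(fds[0])
}

func main() {
	fmt.Println("own pid:  ", selfCheck(strconv.Itoa(os.Getpid())))
	fmt.Println("other pid:", selfCheck(strconv.Itoa(os.Getpid()+1)))
}
```

A PID comparison identifies a process only while that process is alive, so the allowed process should outlive the socket it guards, as virt-launcher does for the virtqemud it starts.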

@yaroslavborbat yaroslavborbat changed the base branch from main to feat/core/disable-unnecessary-libvirt-sockets March 3, 2025 17:53
@yaroslavborbat yaroslavborbat added this to the v0.17.0 milestone Mar 3, 2025
Base automatically changed from feat/core/disable-unnecessary-libvirt-sockets to main March 3, 2025 18:44
@yaroslavborbat yaroslavborbat force-pushed the feat/core/auth-virtqemud branch 5 times, most recently from 370d96f to 4ac41ce Compare March 3, 2025 20:23
@Isteb4k Isteb4k modified the milestones: v0.17.0, v0.18.0 Mar 4, 2025
@yaroslavborbat yaroslavborbat force-pushed the feat/core/auth-virtqemud branch 3 times, most recently from 5185563 to 50a01e5 Compare March 10, 2025 15:05
@yaroslavborbat yaroslavborbat changed the base branch from main to refactor/kubevirt/set-reboot-action-in-virt-launcher March 10, 2025 15:05
@yaroslavborbat yaroslavborbat force-pushed the refactor/kubevirt/set-reboot-action-in-virt-launcher branch from 5262955 to f959af4 Compare March 10, 2025 17:10
@yaroslavborbat yaroslavborbat force-pushed the feat/core/auth-virtqemud branch 3 times, most recently from 99f022f to 27e388d Compare March 11, 2025 08:39
Base automatically changed from refactor/kubevirt/set-reboot-action-in-virt-launcher to main March 11, 2025 16:51
@yaroslavborbat yaroslavborbat force-pushed the feat/core/auth-virtqemud branch 4 times, most recently from dd943c0 to 260de3f Compare March 12, 2025 13:11
@yaroslavborbat yaroslavborbat changed the title from "feat(core): auth virtqemud" to "feat(core): Restrict libvirt socket access and introduce vmx tool" Mar 12, 2025
@yaroslavborbat yaroslavborbat force-pushed the feat/core/auth-virtqemud branch 4 times, most recently from f75a8c7 to 595663c Compare March 13, 2025 00:01
@yaroslavborbat yaroslavborbat marked this pull request as ready for review March 13, 2025 00:01
Comment thread images/virt-launcher/werf.inc.yaml Outdated
@universal-itengineer universal-itengineer force-pushed the feat/core/auth-virtqemud branch 5 times, most recently from acd092c to 243377a Compare March 27, 2025 08:29
Comment thread images/virt-artifact/patches/README.md Outdated
Comment thread images/virt-artifact/patches/README.md Outdated
Comment thread images/virt-launcher/werf.inc.yaml Outdated
yaroslavborbat and others added 8 commits March 27, 2025 23:48
@yaroslavborbat yaroslavborbat force-pushed the feat/core/auth-virtqemud branch from f5565f8 to eb9e3de Compare March 27, 2025 20:48
@Isteb4k Isteb4k modified the milestones: v0.18.0, v0.17.0 Mar 28, 2025
@yaroslavborbat yaroslavborbat merged commit d16d2ab into main Mar 31, 2025
18 checks passed
@yaroslavborbat yaroslavborbat deleted the feat/core/auth-virtqemud branch March 31, 2025 07:22
yachmenevas pushed a commit that referenced this pull request Oct 15, 2025
…#817)

Restrict libvirt socket access and introduce vlctl tool
This PR enhances security in KubeVirt by restricting virtqemud socket access and introducing vlctl, a new tool to retrieve domain information without using virsh.
---------
Signed-off-by: Yaroslav Borbat <yaroslav.borbat@flant.com>
Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
Co-authored-by: Pavel Tishkov <pavel.tishkov@flant.com>
Co-authored-by: Ivan Mikheykin <ivan.mikheykin@flant.com>
Co-authored-by: Nikita Korolev <nikita.korolev@flant.com>