[libvirt-users] converting save/dump output into physical memory image
by Andrew Tappert
A lot of people in the security community, myself included, are
interested in memory forensics these days. Virtualization is a natural
fit with memory forensics because it allows one to get access to a
guest's memory without having to introduce any extra software into the
guest or otherwise interfere with it. Incident responders are
particularly interested in getting memory dumps from systems they're
investigating.
Virsh has "save" and "dump" commands for storing the state of a guest to
a file on disk, but memory of KVM guests doesn't get saved in the
"standard" input format for memory forensics tools, which is a raw
physical memory image. (This is what you'd get via the classical "dd
/dev/mem" approach or the contemporary equivalent using the crash
driver; and VMware Server and Workstation produce .vmem files, which are
such raw physical memory images, when a guest is paused or snapshotted.)
In order to analyze the memory of Libvirt/KVM guests with my Linux
memory forensics software, Second Look, I've created a tool for
converting Libvirt-QEMU-save files (output of virsh save command) or
QEMU-savevm files (output of virsh dump command) to raw physical memory
images.
I've got a basic working capability, though I'm still tracking down some
problems with a guest allocated 8GB RAM--not all the memory seems to be
present in the save or dump file. And I haven't tested very extensively
yet, version support is limited to what I myself am currently running, etc.
I'd like to know if this is a capability that others are interested in.
Is this something that would be of interest to the Libvirt project if I
were to contribute the code, or to the KVM project, or do you think it
best exists as a separate project?
I've also got a proof-of-concept tool for converting hibernate images to
raw physical memory images. Perhaps a collection of tools for
converting various memory dump formats would be a good project. Anyone
else interested in this kind of stuff? As an author of commercial
memory forensics software I've got a vested interest in availability of
good memory acquisition capabilities. But there are a number of people
working on FOSS Linux memory analysis tools, too...
Andrew
12 years, 5 months
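As an added example (not Andrew Tappert's tool and not libvirt or QEMU code), here is the first step any such converter needs: telling the two containers apart and locating the start of the QEMU stream, before any guest RAM can be extracted. The 92-byte header layout and field order for the Libvirt-QEMU-save file are assumptions based on libvirt's QEMU save header, and the sample file is constructed and contains no guest memory.

```python
import struct

LIBVIRT_MAGIC = b"LibvirtQEMUdSave"  # 16-byte magic opening a "virsh save" file
QEVM_MAGIC = 0x5145564D              # "QEVM", opens a QEMU savevm/migration stream
HEADER_LEN = 16 + 4 * 19             # magic + 19 uint32 fields (assumed layout)


def _is_qevm(blob: bytes, off: int) -> bool:
    """True if a big-endian QEVM magic plus version word sits at `off`."""
    return len(blob) >= off + 8 and struct.unpack_from(">I", blob, off)[0] == QEVM_MAGIC


def classify(blob: bytes) -> dict:
    """Identify the container and locate the QEMU stream inside it."""
    if blob[:16] == LIBVIRT_MAGIC:
        if len(blob) < HEADER_LEN:
            raise ValueError("truncated libvirt save header")
        # Assumed field order: version, xml_len, was_running, compressed.
        # The header is written in host byte order, so probe both.
        for endian in ("<", ">"):
            version, xml_len, was_running, compressed = struct.unpack_from(
                endian + "4I", blob, 16)
            if version <= 0xFFFF:
                break
        else:
            raise ValueError("implausible header version")
        xml_end = HEADER_LEN + xml_len
        if xml_end > len(blob):
            raise ValueError("domain XML runs past end of file")
        xml = blob[HEADER_LEN:xml_end].split(b"\0", 1)[0].decode("utf-8", "replace")
        # Only an uncompressed image exposes the QEMU stream directly.
        return {"kind": "libvirt-qemu-save", "version": version,
                "was_running": bool(was_running), "compressed": compressed,
                "xml": xml, "stream_offset": xml_end,
                "stream_ok": compressed == 0 and _is_qevm(blob, xml_end)}
    if _is_qevm(blob, 0):
        return {"kind": "qemu-savevm", "stream_offset": 0, "stream_ok": True,
                "stream_version": struct.unpack_from(">I", blob, 4)[0]}
    # No recognised magic: possibly already a raw image, or a damaged file.
    return {"kind": "unknown", "stream_ok": False}


def make_sample() -> bytes:
    """Constructed sample: header + domain XML + 8-byte stream prefix only."""
    xml = b"<domain type='kvm'><name>demo</name></domain>\0"
    header = LIBVIRT_MAGIC + struct.pack("<4I", 2, len(xml), 1, 0) + bytes(4 * 15)
    return header + xml + struct.pack(">II", QEVM_MAGIC, 3)
```

A file that classifies as `unknown`, or whose `stream_ok` is false, should be treated as unverified evidence rather than fed to a converter.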
Re: [libvirt-users] ruby-libvirt 0.4.0
by Chris Lalancette
On 07/29/11 - 09:34:17AM, David M. Barlieb wrote:
> Hi, I'm fairly new to using libvirt. I have RHEL6 servers running KVM
> virtual environment. As I understand it, libvirt provides the tools to
> the KVM environment so that I can create domains or virtual guests. So,
> that being said, what does this ruby-libvirt provide me or enhance given
> my current setup.
>
> I'll understand if this is a little rudimentary but I really do not
> know who or where else to ask these types of question. I get quite a bit
> of email from the libvirt-users groups about libvirt and really have no
> idea if I can or should put any of these into my current setup, or if I
> should be asking RedHat this.
>
> I certainly wouldn't mind testing and contributing to these efforts to
> enhance the libvirt tools and KVM hypervisor but think I need a better
> understanding of exactly how libvirt and KVM interact and what the
> enhancements bring to the table.
In the future it is usually best to keep one of the lists on an email; that
way, if I'm away or not responding, someone else can help you. I've added
libvirt-users to this response.
In any case, you have the right idea. Libvirt is a control plane for various
different virtualization solutions. Arguably the most popular virtualization
solution that libvirt can control is KVM, but it can also manage Xen, VMware
ESX, LXC (linux containers), UML, etc.
Libvirt provides both tools (like virsh and libvirtd) and APIs for interacting
with virtual machines. The APIs are things like virDomainShutdown(),
virDomainReboot(), etc. The ruby-libvirt package is a thin wrapper around
these APIs, so that you can use this functionality from ruby programs. That
is, you would be able to do something like:
dom.reboot
dom.shutdown
from your ruby programs. There are also bindings for other languages such
as python, php, and perl.
There is a lot more information at http://libvirt.org, and there is more
information specifically about the ruby bindings at http://libvirt.org/ruby
--
Chris Lalancette
13 years
[libvirt-users] Second VM cannot get dhcp ip in NAT mode
by Magicloud Magiclouds
Hi,
Yesterday I started to use libvirt with kvm under centos6. The first
VM works great.
Today I added another VM and started to initialize it with virt-install.
Well, it seems that the second VM cannot get a DHCP IP. I did not
change the default libvirt network configuration.
What should I do?
--
Dense bamboo cannot keep the flowing water from passing;
high mountains cannot stop the wild clouds from flying.
13 years, 1 month
[libvirt-users] Difficulties with lp port
by Anselmo
Hello,
I'm using libvirt on debian as host and Windows XP Home as guest.
I would like to pass the /dev/parport0 to XP to attach a printer.
I use virt-manager. When I add a parallel port as a "dev" type I got
this conf file:
....
<parallel type='dev'>
  <source path='/dev/parport0'/>
  <target port='0'/>
</parallel>
....
And this command line:
....
-chardev tty,id=charparallel0,path=/dev/parport0
-device isa-parallel,chardev=charparallel0,id=parallel0
....
The first parameter is "tty". Should it not be "parport"?
Anyway I never see any parallel port on the guest with these options.
Even starting kvm from the command line.
While it seems to work immediately using the kvm option:
"-parallel /dev/parport0"
Where have I made a mistake? Or how can I just tell libvirt to use the
"-parallel" option instead?
Thanks for your help
Anselmo Luginbühl
13 years, 1 month
[libvirt-users] win7 instance just disappears
by Alex
Hi,
I have a fedora15 box with a win7 kvm instance that has been running
for some time, but lately it seems to just crash and disappear without
any idea of what happened. It's never happened while I have been using
it, only when the instance is idle.
I usually start the instance using virt-manager, but also start it
just using "virsh start mykvm" then access it using the spicec client.
I can't find any logging information to indicate why this is happening
or how to go about fixing it.
I've tried accessing it using the normal virt-manager client as well
as the spicec client and it doesn't make any difference.
When it crashes, the whole process is gone. Is there something that
could cause it to do this when the system is idle?
I also installed the qxl video drivers
(qxl-win-0.1010-20110308-d9eb3203bd) some time ago, so it could
possibly be related to that.
I thought it might be helpful to have a copy of the qemu XML file:
<domain type='kvm'>
  <name>alex-win7</name>
  <uuid>f7decb31-88cf-d003-8716-66258550b996</uuid>
  <memory>3145728</memory>
  <currentMemory>3145728</currentMemory>
  <vcpu>1</vcpu>
  <os>
    <type arch='x86_64' machine='pc-0.14'>hvm</type>
    <boot dev='hd'/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <cpu match='exact'>
    <model>Opteron_G3</model>
    <vendor>AMD</vendor>
    <feature policy='require' name='skinit'/>
    <feature policy='require' name='vme'/>
    <feature policy='require' name='mmxext'/>
    <feature policy='require' name='fxsr_opt'/>
    <feature policy='require' name='cr8legacy'/>
    <feature policy='require' name='ht'/>
    <feature policy='require' name='3dnowprefetch'/>
    <feature policy='require' name='3dnowext'/>
    <feature policy='require' name='wdt'/>
    <feature policy='require' name='extapic'/>
    <feature policy='require' name='pdpe1gb'/>
    <feature policy='require' name='osvw'/>
    <feature policy='require' name='cmp_legacy'/>
    <feature policy='require' name='3dnow'/>
  </cpu>
  <clock offset='localtime'/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/bin/qemu-kvm</emulator>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/home/libvirt-images/alex-win7.img'/>
      <target dev='hda' bus='ide'/>
      <address type='drive' controller='0' bus='0' unit='0'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw'/>
      <source file='/home/libvirt-images/alex-win7a-2.img'/>
      <target dev='vda' bus='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </disk>
    <controller type='ide' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x1'/>
    </controller>
    <controller type='virtio-serial' index='0'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x07' function='0x0'/>
    </controller>
    <interface type='bridge'>
      <mac address='52:54:00:6c:6c:47'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
    </interface>
    <serial type='pty'>
      <target port='0'/>
    </serial>
    <console type='pty'>
      <target type='serial' port='0'/>
    </console>
    <channel type='spicevmc'>
      <target type='virtio' name='com.redhat.spice.0'/>
      <address type='virtio-serial' controller='0' bus='0' port='1'/>
    </channel>
    <input type='mouse' bus='ps2'/>
    <graphics type='spice' autoport='yes'/>
    <sound model='ich6'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x04' function='0x0'/>
    </sound>
    <video>
      <model type='qxl' vram='9216' heads='1'/>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0'/>
    </video>
    <memballoon model='virtio'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x05' function='0x0'/>
    </memballoon>
  </devices>
</domain>
Thanks,
Alex
13 years, 1 month
[libvirt-users] virsh cannot list broken guest.
by Magicloud Magiclouds
Hi,
I am starting to learn using libvirt with kvm on CentOS 6.
Just used this command to start a guest:
virt-install -ntest -r1024 --vcpus=1 \
    -c/var/lib/libvirt/images/CentOS-6.0-x86_64-netinstall.iso \
    --os-type=linux --os-variant=rhel6 --disk vol=kvmguests/test --vnc -v \
    --virt-type=kvm --check-cpu --prompt --arch=x86_64
Then I found out that I misconfigured vnc. And I do not know how to
gracefully stop qemu. So I killed it.
Then with the command, I got:
ERROR Guest name 'test' is already in use.
What is the name of your virtual machine?
But at this time, there is nothing listed in virsh:
Welcome to virsh, the virtualization interactive terminal.
Type: 'help' for help with commands
'quit' to quit
virsh # list
Id Name State
----------------------------------
virsh # connect qemu:///system
virsh # list
Id Name State
----------------------------------
virsh #
What should I do?
--
Dense bamboo cannot keep the flowing water from passing;
high mountains cannot stop the wild clouds from flying.
13 years, 1 month
[libvirt-users] Snapshot Error
by huachao yao
Hey
When I want to take a snapshot of a domain by using
virDomainSnapshotCreateXML, the error below happens:
libvir: QEMU error : Requested operation is not valid: Disk
'/var/lib/libvirt/images/fedora-qcow.qcow2' does not support snapshotting
The snapshot Configuration is :
<domainsnapshot>
  <description>Snapshot of OS install and updates</description>
  <disks>
    <disk name='/var/lib'>
      <source file='/var/lib-snapshot'/>
    </disk>
    <disk name='vdb' snapshot='no'/>
  </disks>
</domainsnapshot>
And /var/lib/libvirt/images/fedora-qcow.qcow2 is the disk for the domain
(created with qemu-img). And I had tried another disk format
(*.img), but the error still happens. How can I deal with this error?
PS: qemu version is 0.14 & libvirt version is 0.9.4. Pls help. :-(
13 years, 1 month
[libvirt-users] how to convert from xen .cfg files to libvirt xml?
by Mauro
I have a .cfg configuration file for a xen virtual machine.
I need to convert it to XML format to use with libvirt.
So I ran virsh domxml-from-native xen-xm backupsrv.cfg but I get an error:
error: Unknown failure.
How can I investigate the error?
13 years, 1 month
[libvirt-users] virsh edit problems
by Robin Lee Powell
I've got a problem where I can't access my console (well, I can,
but I can't type in a password), which I don't think is a libvirt
issue but any help or commentary is certainly welcome
http://thread.gmane.org/gmane.comp.emulators.kvm.devel/79561 , and
I'm trying to debug it by trying out different console/serial
options in my .xml file, and I can't change them.
What I have now:
<serial type='pty'>
  <target port='0'/>
</serial>
<console type='pty'>
  <target type='serial' port='0'/>
</console>
No matter what I change, whether I use "virsh edit" or edit the
files directly, even with libvirt off, as soon as libvirt notices
(i.e. when I turn it back on) my changes get blown away and it ends
up looking just like the above. Even as simple a thing as changing
the port number, or removing the console, or adding a second
serial... all gone.
Oh, wait, that's not quite true; adding a second serial *does* work.
But nothing else I've tried does.
What I'm actually trying to do is copy the docs
http://libvirt.org/formatdomain.html#elementsConsole more closely
and specify my own source paths; I'm worried that the serial and the
console are somehow ending up in the same place and maybe that's
causing my problem?
What I've been trying to do is something like:
<serial type='pty'>
  <source path='/dev/pts/3'/>
  <target port='0'/>
</serial>
<console type='pty'>
  <source path='/dev/pts/4'/>
  <target port='0'/>
</console>
And it just won't stick. Maybe that's not even my problem, but it's
not showing any errors, and it's annoying me and I'd like to
understand why.
-Robin
13 years, 2 months