If a user runs libvirtd inside a docker container, is there any way to discover the user's VMs?

BrianTheLion

2/5/23, 6:14 PM

Potentially naive question that I'm hoping some cgroups experts can answer quickly:

Assuming the following docker workflow was run by Linux user joe, how can the system root user determine that a VM is indeed running?

IMAGE_NAME="ubuntu:20.10"
DOCKER_ARGS="--rm -i --privileged"

cat <<"EOF" | docker run ${DOCKER_ARGS} ${IMAGE_NAME}
set -ex
apt-get update
apt-get install -y libvirt0 virt-manager

libvirtd --daemon
virtlogd --daemon

virsh net-list --name | fgrep default || virsh net-start default

virt-install \
  --name MyFedora \
  --memory 1024 \
  --disk path=/tmp/myFedora.img,size=10 \
  --network network=default \
  --os-variant fedora28 \
  --cdrom /opt/joe/Fedora-Server-dvd-x86_64-34-1.2.iso \
  --noautoconsole \
  --debug

virsh list --all

sleep infinity

EOF

Given that the libvirtd socket that joe is running against only exists inside the docker container, how does root find joe's VM?

330

0 + 0

virtualization

libvirt

containers

docker

djdomi

2/5/23, 7:55 PM

i am unsure, but it should be possible to deny sub virtualisation, as in the beginning they used lxc and there is it possible to deny that

A.B

2/6/23, 8:05 PM

root will see the qemu-system-x86 process running. (Btw, the ability to run docker allows to become root on the host, unless SELinux or AppArmor prevents some of it. so joe <=> root means joe is expected to do responsible things).

BrianTheLion

2/8/23, 4:30 PM

@A.B How can the pid of the `qemu-system-x86` process be used to track down and apply policy to the VM?

A.B

2/8/23, 4:33 PM

You should explain in the question what's the problem you are intending to solve. Else this can become an XY problem: https://xyproblem.info .

BrianTheLion

2/8/23, 4:50 PM

@A.B My comment was rhetorical in nature. The point being that -- unless `qemu-system-x86` is special; and it may be, idk -- having pid doesn't generally tell us very much about what might hiding behind the pid unless there is a viable mechanism for reverse-lookup into the application space.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: If a user runs libvirtd inside a docker container, is there any way to discover the user's VMs?

TH: หากผู้ใช้เรียกใช้ libvirtd ภายในคอนเทนเนอร์นักเทียบท่า มีวิธีใดบ้างที่จะค้นพบ VM ของผู้ใช้

RO: Dacă un utilizator rulează libvirtd într-un container docker, există vreo modalitate de a descoperi VM-urile utilizatorului?

RU: Если пользователь запускает libvirtd внутри док-контейнера, есть ли способ обнаружить виртуальные машины пользователя?

VI: Nếu người dùng chạy libvirtd bên trong bộ chứa docker, có cách nào để khám phá máy ảo của người dùng không?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.