Building a fault-tolerant firewall system with virtual machines: Creating virtual machine with qemu


For security reasons, do not run qemu as root. There are, however, situations where the virtual machine creation process is forced to use root privileges. This should be controlled and treated as a deliberate decision by the admin and the security policy.
When qemu needs root privileges to create tap devices, it runs the bridge helper program, which defaults to the binary /usr/libexec/qemu-bridge-helper; this binary can run as root because it is setuid root.

The snapshot above shows that only users in the kvm group can use the helper program. Furthermore, the helper program only works if the administrator has allowed access to the corresponding bridge devices in the /etc/qemu/bridge.conf configuration file.
That is not enough. In terms of SELinux, the qemu-bridge-helper binary has the type virt_bridgehelper_exec_t. It runs in the virt_bridgehelper_t domain and can open /dev/net/tun only if the following rule is included in the security policy:

allow virt_bridgehelper_t tun_tap_device_t:chr_file rw_chr_file_perms;

The command below creates the virtual machine fw-1:

qemu -enable-kvm                                                    \
     -m 4G                                                          \
     -smp 2                                                         \
     -cpu host                                                      \
     -machine q35,vmport=off                                        \
     -netdev tap,id=n1,br=br0,ifname=net01,script=no,downscript=no  \
     -device virtio-net,netdev=n1,mac=12:34:56:78:9a:01             \
     -netdev tap,id=n2,br=br1,ifname=net11,script=no,downscript=no  \
     -device virtio-net,netdev=n2,mac=12:34:56:78:9a:11             \
     -netdev tap,id=n3,br=br2,ifname=net21,script=no,downscript=no  \
     -device virtio-net,netdev=n3,mac=12:34:56:78:9a:21             \
     -drive file=disk-omarine-fw.raw,format=raw                     \
     -name fw-1                                                     \
     -device intel-hda -device hda-duplex                           \
     -display none                                                  \
     -vga qxl                                                       \
     -spice port=3001,disable-ticketing=on                          \
     -device virtio-serial                                          \
     -chardev spicevmc,id=vdagent,debug=0,name=vdagent              \
     -device virtserialport,chardev=vdagent,name=com.redhat.spice.0 \
     -device qemu-xhci,multifunction=on                             \
     -chardev spicevmc,name=usbredir,id=usbredirchardev1            \
     -device usb-redir,chardev=usbredirchardev1,port=1              \
     -chardev spicevmc,name=usbredir,id=usbredirchardev2            \
     -device usb-redir,chardev=usbredirchardev2,port=2              \
     -chardev spicevmc,name=usbredir,id=usbredirchardev3            \
     -device usb-redir,chardev=usbredirchardev3,port=3

Explanation of options:
    • -enable-kvm: Use KVM full virtualization support
    • -m 4G: Set the RAM size to 4G
    • -smp 2: SMP system with 2 CPUs
    • -cpu host: Use the same CPU model as the host machine
    • -machine q35,vmport=off: The emulated machine type is q35, the newest machine type in QEMU. vmport=off disables the VMware I/O port; this is necessary for the mouse to work properly with spice
    • -netdev tap,id=n1,br=br0,ifname=net01,script=no,downscript=no: Configure the tap network backend with id n1 on bridge br0. The bridge helper is not used because we have already created the tap interface net01. Once the tap interface has been created, normal users can access /dev/net/tun without root privileges.
    • -device virtio-net,netdev=n1,mac=12:34:56:78:9a:01: Define a NIC of type virtio-net for the guest (virtual machine), connected to the host's tap interface that backs the tap network backend with id n1. The MAC address is needed so that the DHCP server can automatically assign an IP address to the virtual machine. The next two NICs are configured in the same way
    • -drive file=disk-omarine-fw.raw,format=raw: The virtual machine uses the disk image disk-omarine-fw.raw in raw format
    • -name fw-1: The name of the guest is fw-1. This name is shown in the virtual machine window caption; it is not the machine name on the network.
    • -device intel-hda -device hda-duplex: Configure an Intel HD Audio sound device
    • -display none: Do not display the virtual machine on the host machine. The user will connect to the remote virtual machine from the client and display it there later
    • -vga qxl: Use the qxl graphics card. The virtual machine needs the qxl video driver and an X configuration that uses it. This is the best graphics card when using the spice protocol
    • -spice port=3001,disable-ticketing=on: Communicate with the client via port 3001. To simplify the example, the client is not authenticated.
    • -device virtio-serial -chardev spicevmc,id=vdagent,debug=0,name=vdagent -device virtserialport,chardev=vdagent,name=com.redhat.spice.0: The spicevmc character device backend is used by the virtio serial port for the spice agent's communication on the virtual machine. The default port is /dev/virtio-ports/com.redhat.spice.0; this port can be set when running the spice agent. Usually the mouse's motion and response on a virtual machine are not smooth. With the spice agent the mouse works in client mode, and its motion and response are completely smooth; there is no need to capture the mouse when hovering over the virtual machine window on the client. It also supports copy and paste between the virtual machine and the client, and drag and drop to transfer files.
    • -device qemu-xhci,multifunction=on -chardev spicevmc,name=usbredir,id=usbredirchardev1 -device usb-redir,chardev=usbredirchardev1,port=1…: Define three redirected USB ports with USB 3.0 support, thanks to the spicevmc character device backend
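The two least-privilege preconditions this page relies on (the setuid bridge helper being restricted to group kvm and to bridges listed in /etc/qemu/bridge.conf, and the tap interfaces net01/net11/net21 being pre-created for an unprivileged account so qemu itself never needs root) can be verified with a small script. The one below is an added example, not code from the original post or from the qemu project. It assumes a Linux host with iproute2 and GNU coreutils (stat -c), that the tun driver exposes the device owner under /sys/class/net/<dev>/owner, and an unprivileged account named qemu-user; the bridge.conf check handles the allow/deny lines and the special name "all" that the helper understands.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies the preconditions for
# running the fw-1 qemu command as a normal user, and prints the commands that
# pre-create a missing tap interface. "qemu-user" is an assumed account name.

VM_USER="${VM_USER:-qemu-user}"

# helper_mode_ok MODE GROUP
# MODE is the octal mode printed by `stat -c %a`, GROUP the owning group name.
# Succeeds only when the setuid bit is set, no "other" bits are set, and the
# group is kvm, i.e. only kvm members can run the root-privileged helper
# (for example mode 4750, owner root, group kvm).
helper_mode_ok() {
    mode=$1; group=$2
    case "$mode" in
        4??0) [ "$group" = kvm ] ;;
        *)    return 1 ;;
    esac
}

# bridge_allowed BRIDGE [CONF]
# Succeeds when CONF (default /etc/qemu/bridge.conf) has an "allow BRIDGE" or
# "allow all" line and no "deny BRIDGE"/"deny all" line. Comments and blank
# lines are ignored; "include" files are not followed.
bridge_allowed() {
    bridge=$1; conf=${2:-/etc/qemu/bridge.conf}
    [ -r "$conf" ] || return 1
    if grep -Eq "^[[:space:]]*deny[[:space:]]+($bridge|all)[[:space:]]*$" "$conf"; then
        return 1
    fi
    grep -Eq "^[[:space:]]*allow[[:space:]]+($bridge|all)[[:space:]]*$" "$conf"
}

# tap_plan IFNAME BRIDGE
# Print the iproute2 commands that create a persistent tap interface owned by
# VM_USER and attach it to BRIDGE. Nothing is executed here; an administrator
# can review the output and pipe it into `sudo sh` to apply it.
tap_plan() {
    ifname=$1; bridge=$2
    printf 'ip tuntap add dev %s mode tap user %s\n' "$ifname" "$VM_USER"
    printf 'ip link set dev %s master %s\n' "$ifname" "$bridge"
    printf 'ip link set dev %s up\n' "$ifname"
}

# tap_owner IFNAME
# Print the uid that owns an existing tap device (exported by the tun driver
# in sysfs), or -1 if the interface is not a tun/tap device.
tap_owner() {
    cat "/sys/class/net/$1/owner" 2>/dev/null || echo -1
}

# check_all
# Run every check for the three-NIC layout used by fw-1 (net01/br0, net11/br1,
# net21/br2) and report what is missing or misconfigured.
check_all() {
    helper=/usr/libexec/qemu-bridge-helper
    if [ -e "$helper" ]; then
        helper_mode_ok "$(stat -c %a "$helper")" "$(stat -c %G "$helper")" \
            || echo "WARN: $helper is not restricted to root:kvm with setuid"
    fi
    for pair in net01:br0 net11:br1 net21:br2; do
        ifname=${pair%%:*}; bridge=${pair#*:}
        bridge_allowed "$bridge" \
            || echo "NOTE: $bridge not allowed in /etc/qemu/bridge.conf (only matters if the helper is used)"
        if [ -d "/sys/class/net/$ifname" ]; then
            [ "$(tap_owner "$ifname")" = "$(id -u "$VM_USER")" ] \
                || echo "WARN: $ifname is not owned by $VM_USER"
        else
            echo "# $ifname is missing; create it with:"
            tap_plan "$ifname" "$bridge"
        fi
    done
}

# Run the checks only when invoked as `sh thisscript.sh check`, so the
# functions can also be sourced from another script.
if [ "${1:-}" = check ]; then
    check_all
fi
```

Because the tap interfaces are created once by root and owned by the unprivileged account, qemu opens /dev/net/tun and attaches to the existing device without the bridge helper ever running; the helper checks only matter for the fallback case where script=no is dropped and the helper is used.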

The command above can be considered successful if it prints nothing after it is run.
