From owner-freebsd-virtualization@FreeBSD.ORG Thu Nov 14 09:02:24 2013
Date: Thu, 14 Nov 2013 04:02:17 -0500
Subject: RFD: Remote console access to bhyve guest instances?
From: "Dee Nixon"
To: "FreeBSD virtualization"

Problem scenario:

A cloud provider (defined as someone who allows multiple end-users to create and manage their own guest instances without direct access to the host's operating system) needs to provide console access to each instance in a secure manner.

If a cloud provider were to use bhyve in its current form, a cloud end-user could SSH into a guest instance, provided the instance is already installed and running, but the user could NOT do the following tasks, which can be performed only at the console:

* OS installation
* Recovering from a virtual "hardware" or OS failure
* Rebooting a halted machine

A cloud end-user needs to be able to perform the above tasks on a guest instance without compromising the security of the host. Thus the end-user needs access to a virtual guest "console" that enables the above tasks to be performed on a virtual machine – just as, on a physical machine, the above tasks could be performed via the physical machine's console. However, bhyve does not currently provide any means by which users can access a guest console without first logging into the host's console and/or performing some other task that is quite likely to have security issues.

A few possible solutions:

* Use some external program to pipe console I/O via a socket to the end-user? (but this would be hard to standardize)
* Restricted login? (but this would have concurrency issues as to which user can access which guest instance)
* Perhaps bhyve could add a console socket port for each guest instance? (Aryeh Friedman and I favor this idea, unless someone can suggest something better. If others think this is a good idea, we can write this addition to bhyve.)

Does anyone have any other suggestions?

The discussion of how to handle this problem should consider the following issues:

* The solution must allow access to multiple guest consoles at once by multiple users
* The solution must not require users of guest instances to have access to the host console, although these users may have limited access to the host by other means, such as SSH to a port dedicated to a specific guest.
* The solution must not expose the host OS to other possible security issues either (remember, bhyve runs as root)
* The solution must be scriptable.
* A virtual machine should, as much as possible, behave like an actual physical machine in its interactions with its designated user, despite the user's lack of access to the host console.
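The "console socket per guest" option the post favours, sketched as an added example written for this discussion (it is not bhyve code and not from the thread): a small Python broker creates one Unix-domain socket per guest, hands that socket to the instance owner with chown and mode 0600, and relays bytes between whoever connects to it and the guest's serial console. Assumptions, all constructed: the guest's serial port is stood in for by a socketpair with an echoing thread behind it, the socket directory is a temporary directory rather than something like /var/run, the access policy is nothing more than the socket file's owner and mode, and a console accepts one attached client at a time, like a real serial port.

```python
import os
import socket
import selectors
import tempfile
import threading


def fake_guest(guest_end: socket.socket) -> None:
    """Constructed stand-in for a guest's serial console (assumption: no bhyve here).
    It answers every line it receives so the relay can be exercised offline."""
    stream = guest_end.makefile("rwb", buffering=0)
    for line in stream:
        stream.write(b"guest got: " + line)
    guest_end.close()


class ConsoleBroker:
    """One listening Unix-domain socket per guest, chown'ed to that guest's owner
    and mode 0600: host file permissions decide who may attach, and the end-user
    never needs a shell on the host, let alone its console."""

    def __init__(self, sockdir: str) -> None:
        self.sockdir = sockdir
        self.sel = selectors.DefaultSelector()
        self.paths = {}      # guest name -> socket path
        self.attached = {}   # guest name -> the one client currently on the console
        self._stop = threading.Event()

    def add_guest(self, name, host_end, owner_uid, owner_gid) -> str:
        path = os.path.join(self.sockdir, name + ".sock")
        listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        listener.bind(path)
        os.chown(path, owner_uid, owner_gid)  # hand the endpoint to the instance owner
        os.chmod(path, 0o600)                 # nobody else can connect at all
        listener.listen(4)
        listener.setblocking(False)
        host_end.setblocking(False)
        self.sel.register(listener, selectors.EVENT_READ, ("accept", name, host_end))
        self.sel.register(host_end, selectors.EVENT_READ, ("guest", name, None))
        self.paths[name] = path
        return path

    def _accept(self, listener, name, host_end):
        client, _ = listener.accept()
        if name in self.attached:            # exclusive, like a physical serial port
            client.sendall(b"console busy\r\n")
            client.close()
            return
        client.setblocking(False)
        self.attached[name] = client
        self.sel.register(client, selectors.EVENT_READ, ("client", name, host_end))

    def serve_forever(self) -> None:
        while not self._stop.is_set():
            for key, _ in self.sel.select(timeout=0.1):
                kind, name, host_end = key.data
                if kind == "accept":
                    self._accept(key.fileobj, name, host_end)
                    continue
                data = key.fileobj.recv(4096)
                if kind == "client":
                    if data:
                        host_end.sendall(data)      # keystrokes toward the guest
                    else:                           # user detached: free the console
                        self.sel.unregister(key.fileobj)
                        key.fileobj.close()
                        self.attached.pop(name, None)
                elif data:                          # bytes from the guest's serial port
                    client = self.attached.get(name)
                    if client is not None:
                        client.sendall(data)
                else:                               # guest went away
                    self.sel.unregister(key.fileobj)

    def stop(self) -> None:
        self._stop.set()


def attach(path: str, line: bytes = b"", timeout: float = 5.0) -> bytes:
    """Client side, as an end-user's script would do it: connect, optionally send
    one line, and return the first line the console answers with."""
    client = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    client.settimeout(timeout)
    client.connect(path)
    if line:
        client.sendall(line)
    reply = b""
    while not reply.endswith(b"\n"):
        chunk = client.recv(4096)
        if not chunk:
            break
        reply += chunk
    client.close()
    return reply


def run_demo() -> dict:
    """Two guests, two owners' sockets, exclusive access; returns what each step saw."""
    sockdir = tempfile.mkdtemp(prefix="bhyve-console-")  # assumption: stands in for /var/run
    broker = ConsoleBroker(sockdir)
    uid, gid = os.getuid(), os.getgid()  # real deployment: each instance owner's own uid/gid
    for name in ("vm-alice", "vm-bob"):
        guest_end, host_end = socket.socketpair()
        threading.Thread(target=fake_guest, args=(guest_end,), daemon=True).start()
        broker.add_guest(name, host_end, uid, gid)
    worker = threading.Thread(target=broker.serve_forever, daemon=True)
    worker.start()
    results = {"mode": oct(os.stat(broker.paths["vm-alice"]).st_mode & 0o777)}
    results["alice_reply"] = attach(broker.paths["vm-alice"], b"hello from alice\n")
    holder = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    holder.connect(broker.paths["vm-bob"])            # bob is on his console...
    results["busy"] = attach(broker.paths["vm-bob"])  # ...so a second attach is refused
    holder.close()
    broker.stop()
    worker.join()
    return results


if __name__ == "__main__":
    print(run_demo())
```

Measured against the list at the end of the post: many guests can be served at once because each has its own socket; an end-user only ever touches a file the host already owns for them, so neither the host console nor a host login is involved; the broker forwards raw bytes and exposes no command interface, which matters because the bhyve process itself runs as root; and anything that can open a Unix socket (a script, `nc -U`, an SSH forward) can drive it. What the example does not cover is the part the thread is really asking about: how bhyve itself would expose the guest's serial port to such a broker.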