qemu-sandbox
PoC shell sandboxing using QEMU and virtiofsd. Simply enter qsandbox run to open your current working dir in a temporary QEMU VM.
Installation
Clone the repo and link qsandbox somewhere in your path. The script currently expects the image and ssh folders next to its location on disk.
Setup
You'll need a few things for the script to work:
- An ssh key pair in ssh/qemu_ssh & ssh/qemu_ssh.pub. You can link your default key pair or use the chance to generate one without a passphrase.
- image/image.qcow2, image/vmlinuz-linux, image/initramfs-linux-custom.img. The build.sh script can build these based on arch
These requirements are currently hard coded but should be configurable in the future.
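A pre-flight check for the files listed above, as an added example that is not part of the qemu-sandbox repo; qsandbox_preflight and file_mode are hypothetical helper names. It also checks the private key's mode, because OpenSSH refuses to use a private key that group or others can access.

```shell
#!/bin/sh
# Added example, not from the qemu-sandbox repo.
# qsandbox_preflight and file_mode are hypothetical helpers.

# Print a file's permission bits in octal, following symlinks
# (the README suggests linking an existing key pair).
file_mode() {
    stat -L -c '%a' "$1" 2>/dev/null || stat -L -f '%Lp' "$1"
}

# Usage: qsandbox_preflight BASE_DIR
# BASE_DIR is the directory that holds the qsandbox script.
# Returns 0 when everything is in place, 1 otherwise; problems go to stderr.
qsandbox_preflight() {
    base=$1
    rc=0
    # The paths the README lists as hard-coded requirements.
    for f in ssh/qemu_ssh ssh/qemu_ssh.pub \
             image/image.qcow2 image/vmlinuz-linux \
             image/initramfs-linux-custom.img; do
        if [ ! -f "$base/$f" ]; then
            echo "missing: $base/$f" >&2
            rc=1
        fi
    done
    key=$base/ssh/qemu_ssh
    if [ -f "$key" ]; then
        mode=$(file_mode "$key")
        # Accept only modes with no group/other bits (e.g. 600 or 400).
        case $mode in
            *00) ;;
            *)
                echo "too open ($mode): $key, run: chmod 600 $key" >&2
                rc=1
                ;;
        esac
    fi
    return $rc
}
```

Source the file and call qsandbox_preflight with the directory containing qsandbox before the first qsandbox run.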
Usage
Usage:
qsandbox run [dir] - start sandbox and mount current working dir
qsandbox list - list running sandboxes
qsandbox enter - open ssh connection to a sandbox
qsandbox qemu - start the qemu process for a new sandbox, used by run
qsandbox run
Starts a new VM using systemd-run and qsandbox qemu, mounts the current working dir or the specified directory and opens an ssh session.
qsandbox list
Lists all running sandboxes and their ssh ports.
qsandbox enter
A wrapper around ssh. Takes port as only argument but defaults to 5555.
qsandbox qemu
Starts the actual sandbox.
Accessing the sandbox
By default, QEMU exposes two ports for each sandbox. An ssh port (starting at 5555) and an "app port" that can be used by some app in the VM (starting at 8000). Ports should be configurable in the future.
Tips for custom images
Mount the default share automatically:
echo -e "share.1\t/mnt\tvirtiofs\trw,_netdev\t0\t0" >> /etc/fstab
Disable auth on the QEMU serial console:
mkdir -p /etc/systemd/system/serial-getty@ttyS0.service.d
echo -e "[Service]\nExecStart=\nExecStart=-/usr/bin/agetty --autologin root -s %I 115200,38400,9600 vt102" > /etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf
License
MIT