mawalu
/
qsandbox
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
qsandbox/README.md

66 lines
2.1 KiB
Markdown
Raw Permalink Blame History

# qemu-sandbox
PoC shell sandboxing using QEMU and virtiofsd. Simply enter `qsandbox run` to open your current working dir in a temporary QEMU vm.
## Installation
Clone the repo and link `qsandbox` somewhere in your path. The script currently expects the `image` and `ssh` folder next to its location on disk.
## Setup
You'll need a few things for the script to work:
* A ssh key pair in `ssh/qemu_ssh` & `ssh/qemu_ssh.pub`. You can link your default key pair or use the chance to generate one without a passphrase.
* `image/image.qcow2`, `image/vmlinuz-linux`, `image/initramfs-linux-custom.img`. The `build.sh` script can build these based on arch
These requirements are currently hard coded but should be configurable in the future.
## Usage
```
Usage:
qsandbox run [dir] - start sandbox and mount current working dir
qsandbox list - list running sandboxes
qsandbox enter - open ssh connection to a sandbox
qsandbox qemu - start the qemu process for a new sandbox, used by run
```
### `qsandbox run`
Starts a new vm using `systemd-run` and `qsandbox qemu`, mounts the current working dir or the specified directory and opens an ssh session.
### `qsandbox list`
Lists all running sandboxes and their ssh ports.
### `qsandbox enter`
A wrapper around `ssh`. Takes port as only argument but defaults to `5555`.
### `qsandbox qemu`
Starts the actual sandbox.
## Accessing the sandbox
By default, QEMU exposes two ports for each sandbox. An ssh port (starting at `5555`) and an "app port" that can be used by some app in the vm (starting at `8000`). Ports should be configurable in the future.
## Tips for custom images
Mount the default share automatically:
```
echo -e "share.1\t/mnt\tvirtiofs\trw,_netdev\t0\t0" >> /etc/fstab
```
Disable auth on the QEMU serial console:
```
mkdir -p /etc/systemd/system/serial-getty@ttyS0.service.d
echo -e "[Service]\nExecStart=\nExecStart=-/usr/bin/agetty --autologin root -s %I 115200,38400,9600 vt102" > /etc/systemd/system/serial-getty@ttyS0.service.d/autologin.conf
````
# License
MIT
Reference in New Issue View Git Blame Copy Permalink