GuestAgent实现从外部注入写文件到KVM虚拟机内部(2)

注意：有的qemu-ga会拒绝部分指令，这是因为qemu-ga的配置文件里将某些指令给禁用了，比如在centos7里，配置文件为/etc/sysconfig/qemu-ga

# 修改/etc/sysconfig/qemu-ga，将以下内容注释掉，或直接删掉 BLACKLIST_RPC=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status # 重启qemu-ga才能生效 systemctl restart qemu-guest-agent

3️⃣ 测试qemu-ga

在VM的宿主机上，执行以下命令：

# ${DOMAIN}表示虚拟机名字或UUID virsh qemu-agent-command ${DOMAIN} '{"execute":"guest-ping"}'

如果返回以下内容则表示qemu-ga可用

{"return":{}}

接下来查看下qemu-ga支持哪些指令

virsh qemu-agent-command ${DOMAIN} --pretty '{"execute":"guest-info"}'

应该会看到支持很多命令，由于接下来做的实验需要用到如下命令，因此请先确认是否均支持

▪ guest-exec：执行命令（异步操作）
▪ guest-exec-status：查看执行命令的结果
▪ guest-file-open：打开文件，获得句柄
▪ guest-file-write：写文件（传递base64）
▪ guest-file-close：关闭文件

Step3. 注入操作说明

实验目标：将RSA的公钥内容写入到/root/.ssh/authorized_keys

这涉及到如下3个步骤：

1. 创建/root/.ssh目录且权限为700
2. 创建/root/.ssh/authorized_keys文件且权限为600
3. 将RSA公钥文本进行Base64编码（guest-file-write不支持明文，仅支持base64），并将编码后的内容写入/root/.ssh/authorized_keys

Step4. Base64计算

这里先假设RSA公钥内容为

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVKog04pbbLaarjbpvK7CRaIuUwWxehJIH8tqtX/oV4GYN5WGYPFa1tzsd4Vyoblm4LePX79WeI4kFHgSbH5P6H9i8l3KCTFHHeJT/g0P55/c60yDb3o6lqpWu9IKE3I4lsTp05Y/W0Ks7W27Jndr162ni0Ybthgd9CQyoiburoh35ECiPGwWUOBVJ4IEpSpOZdDUJLS/vVuSQgvEH0fq/G1DP3SOyR+DNasJ00mwonfaUKHZXmWAlH8marNwPmWapyTSQwCFKKh1HwlJEWETV4fYuFwm3iennb8cX1y4aX9AJWnA2cc35rpulivMijeXs/ssT5iFljXXGYzmkX6nR root@localhost.localdomain

进行Base64编码

echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVKog04pbbLaarjbpvK7CRaIuUwWxehJIH8tqtX/oV4GYN5WGYPFa1tzsd4Vyoblm4LePX79WeI4kFHgSbH5P6H9i8l3KCTFHHeJT/g0P55/c60yDb3o6lqpWu9IKE3I4lsTp05Y/W0Ks7W27Jndr162ni0Ybthgd9CQyoiburoh35ECiPGwWUOBVJ4IEpSpOZdDUJLS/vVuSQgvEH0fq/G1DP3SOyR+DNasJ00mwonfaUKHZXmWAlH8marNwPmWapyTSQwCFKKh1HwlJEWETV4fYuFwm3iennb8cX1y4aX9AJWnA2cc35rpulivMijeXs/ssT5iFljXXGYzmkX6nR root@localhost.localdomain' | base64 -w 0

这样就获得了base64编码内容

c3NoLXJzYSBBQUFBQjNOemFDMXljMkVBQUFBREFRQUJBQUFCQVFEVktvZzA0cGJiTGFhcmpicHZLN0NSYUl1VXdXeGVoSklIOHRxdFgvb1Y0R1lONVdHWVBGYTF0enNkNFZ5b2JsbTRMZVBYNzlXZUk0a0ZIZ1NiSDVQNkg5aThsM0tDVEZISGVKVC9nMFA1NS9jNjB5RGIzbzZscXBXdTlJS0UzSTRsc1RwMDVZL1cwS3M3VzI3Sm5kcjE2Mm5pMFlidGhnZDlDUXlvaWJ1cm9oMzVFQ2lQR3dXVU9CVko0SUVwU3BPWmREVUpMUy92VnVTUWd2RUgwZnEvRzFEUDNTT3lSK0ROYXNKMDBtd29uZmFVS0haWG1XQWxIOG1hck53UG1XYXB5VFNRd0NGS0toMUh3bEpFV0VUVjRmWXVGd20zaWVubmI4Y1gxeTRhWDlBSlduQTJjYzM1cnB1bGl2TWlqZVhzL3NzVDVpRmxqWFhHWXpta1g2blIgcm9vdEBsb2NhbGhvc3QubG9jYWxkb21haW4K Step5. 开始注入

1️⃣ 创建/root/.ssh目录且权限为700

# mkdir /root/.ssh virsh qemu-agent-command ${DOMAIN} '{"execute":"guest-exec","arguments":{"path":"mkdir","arg":["-p","/root/.ssh"],"capture-output":true}}' # 假设上一步返回{"return":{"pid":911}}，接下来查看结果（通常可忽略） virsh qemu-agent-command ${DOMAIN} '{"execute":"guest-exec-status","arguments":{"pid":911}}' # chmod 700 /root/.ssh，此行其实可不执行，因为上面创建目录后就是700，但为了防止权限不正确导致无法使用，这里还是再刷一次700比较稳妥 virsh qemu-agent-command ${DOMAIN} '{"execute":"guest-exec","arguments":{"path":"chmod","arg":["700","/root/.ssh"],"capture-output":true}}' # 假设上一步返回{"return":{"pid":912}}，接下来查看结果（通常可忽略） virsh qemu-agent-command ${DOMAIN} '{"execute":"guest-exec-status","arguments":{"pid":912}}'

2️⃣ 创建/root/.ssh/authorized_keys文件且权限为600

# touch /root/.ssh/authorized_keys virsh qemu-agent-command ${DOMAIN} '{"execute":"guest-exec","arguments":{"path":"touch","arg":["/root/.ssh/authorized_keys"],"capture-output":true}}' # 假设上一步返回{"return":{"pid":913}}，接下来查看结果（通常可忽略） virsh qemu-agent-command ${DOMAIN} '{"execute":"guest-exec-status","arguments":{"pid":913}}' # chmod 600 /root/.ssh/authorized_keys，此行其实可不执行，因为上面创建文件后就是600，但为了防止权限不正确导致无法使用，这里还是再刷一次600比较稳妥 virsh qemu-agent-command ${DOMAIN} '{"execute":"guest-exec","arguments":{"path":"chmod","arg":["600","/root/.ssh/authorized_keys"],"capture-output":true}}' # 假设上一步返回{"return":{"pid":914}}，接下来查看结果（通常可忽略） virsh qemu-agent-command ${DOMAIN} '{"execute":"guest-exec-status","arguments":{"pid":914}}'