Message ID | 20221114155038.3654499-2-mikko.rapeli@linaro.org |
---|---|
State | Accepted, archived |
Commit | c6b1e3d50bf2feea80b70a42c6fad868fa9e6042 |
Series | [v2,1/2] qemurunner.py: support setting slirp host IP address |
Hi Mikko,

On 11/14/22 16:50, Mikko Rapeli wrote:
> With default slirp port forwarding config qemu listens on TCP ports > 2222 and 2323 on all IP addresses available on the build host. Most > use cases with runqemu only need it for localhost and it is not > safe to run qemu images with root login without password enabled > and listening on all available, possibly Internet reachable network > interfaces. Limit qemu port forwarding to localhost 127.0.0.1 IP > address. Now qemu machine SSH and telnet ports are only > reachable from the build host machine, not full Internet. > > If qemu machine needs to be reachable from network, then it can > be enabled via local.conf or machine config variable QB_SLIRP_OPT: > > QB_SLIRP_OPT = "-netdev user,id=net0,hostfwd=tcp::2222-:22" > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > --- > scripts/runqemu | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/scripts/runqemu b/scripts/runqemu > index a6ea578564..7bd9465593 100755 > --- a/scripts/runqemu > +++ b/scripts/runqemu > @@ -1071,7 +1071,7 @@ class BaseConfig(object): > logger.info("Network configuration:%s", netconf) > self.kernel_cmdline_script += netconf > # Port mapping > - hostfwd = ",hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23" > + hostfwd = ",hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:2323-:23"

With the additional knowledge we gathered in the last patches, I believe it would be a good thing to say a few words/update the documentation.

See https://lore.kernel.org/yocto-docs/fedb4cc0-44d6-d7d8-bc26-c8de5bee06ca@theobroma-systems.com/T/#t for a patch I believe might make it to master soon? I think we should say what the default value entails (even if this patch isn't taken) and maybe point/refer to the QEMU documentation for the meaning of options in QB_SLIRP_OPT. I believe some/all of options listed https://www.qemu.org/docs/master/system/invocation.html are possible?

What do you think?

Cheers,
Quentin
Hi,

On Thu, Nov 17, 2022 at 02:17:13PM +0100, Quentin Schulz wrote:
> Hi Mikko,
>
> On 11/14/22 16:50, Mikko Rapeli wrote:
> > With default slirp port forwarding config qemu listens on TCP ports > > 2222 and 2323 on all IP addresses available on the build host. Most > > use cases with runqemu only need it for localhost and it is not > > safe to run qemu images with root login without password enabled > > and listening on all available, possibly Internet reachable network > > interfaces. Limit qemu port forwarding to localhost 127.0.0.1 IP > > address. Now qemu machine SSH and telnet ports are only > > reachable from the build host machine, not full Internet. > > > > If qemu machine needs to be reachable from network, then it can > > be enabled via local.conf or machine config variable QB_SLIRP_OPT: > > > > QB_SLIRP_OPT = "-netdev user,id=net0,hostfwd=tcp::2222-:22" > > > > Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org> > > --- > > scripts/runqemu | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/scripts/runqemu b/scripts/runqemu > > index a6ea578564..7bd9465593 100755 > > --- a/scripts/runqemu > > +++ b/scripts/runqemu
> > @@ -1071,7 +1071,7 @@ class BaseConfig(object): > > logger.info("Network configuration:%s", netconf) > > self.kernel_cmdline_script += netconf > > # Port mapping > > - hostfwd = ",hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23" > > + hostfwd = ",hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:2323-:23"
>
> With the additional knowledge we gathered in the last patches, I believe it
> would be a good thing to say a few words/update the documentation.
>
> See https://lore.kernel.org/yocto-docs/fedb4cc0-44d6-d7d8-bc26-c8de5bee06ca@theobroma-systems.com/T/#t
> for a patch I believe might make it to master soon? I think we should say
> what the default value entails (even if this patch isn't taken) and maybe
> point/refer to the QEMU documentation for the meaning of options in
> QB_SLIRP_OPT. I believe some/all of options listed
> https://www.qemu.org/docs/master/system/invocation.html are possible?
>
> What do you think?

Yes, I agree, and saw that change too. I'll try to document this once change gets integrated.

Cheers,

-Mikko

> Cheers,
> Quentin
diff --git a/scripts/runqemu b/scripts/runqemu index a6ea578564..7bd9465593 100755 --- a/scripts/runqemu +++ b/scripts/runqemu @@ -1071,7 +1071,7 @@ class BaseConfig(object): logger.info("Network configuration:%s", netconf) self.kernel_cmdline_script += netconf # Port mapping - hostfwd = ",hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23" + hostfwd = ",hostfwd=tcp:127.0.0.1:2222-:22,hostfwd=tcp:127.0.0.1:2323-:23" qb_slirp_opt_default = "-netdev user,id=net0%s,tftp=%s" % (hostfwd, self.get('DEPLOY_DIR_IMAGE')) qb_slirp_opt = self.get('QB_SLIRP_OPT') or qb_slirp_opt_default # Figure out the port
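Review bot: the `# Port mapping` comment above the changed `hostfwd` line does not say that both forwards are now bound to 127.0.0.1, or that setting `QB_SLIRP_OPT` replaces the whole default rather than extending it. The context line `qb_slirp_opt = self.get('QB_SLIRP_OPT') or qb_slirp_opt_default` shows that an override like the one in the commit message also drops the `tftp=` option and the 2323 forward, so a short comment stating the loopback restriction and the override behaviour would help whoever next edits this. The literal `127.0.0.1` is also repeated twice inside the string; a named variable for the bind address would keep the two forwards from drifting apart.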
With default slirp port forwarding config qemu listens on TCP ports
2222 and 2323 on all IP addresses available on the build host. Most
use cases with runqemu only need it for localhost and it is not
safe to run qemu images with root login without password enabled
and listening on all available, possibly Internet reachable network
interfaces. Limit qemu port forwarding to localhost 127.0.0.1 IP
address. Now qemu machine SSH and telnet ports are only
reachable from the build host machine, not full Internet.

If qemu machine needs to be reachable from network, then it can
be enabled via local.conf or machine config variable QB_SLIRP_OPT:

QB_SLIRP_OPT = "-netdev user,id=net0,hostfwd=tcp::2222-:22"

Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
---
 scripts/runqemu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
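An added example, not part of the patch or of runqemu: a small audit that parses the `hostfwd` rules in a `QB_SLIRP_OPT`-style string and classifies the host bind address of each, run on the old and new defaults from the diff. The function names, the constants and the `tftp=` path are assumptions made for illustration, and only the `tcp`/`udp` rule form shown on this page is handled.

```python
import ipaddress
import re

# QEMU user-net rule: hostfwd=[tcp|udp]:[hostaddr]:hostport-[guestaddr]:guestport
HOSTFWD_RE = re.compile(
    r"hostfwd=(?P<proto>tcp|udp)?:(?P<haddr>[^:,]*):(?P<hport>\d+)"
    r"-(?P<gaddr>[^:,]*):(?P<gport>\d+)"
)

# Constructed inputs: the two defaults from the diff; the tftp path is a placeholder.
OLD_DEFAULT = "-netdev user,id=net0,hostfwd=tcp::2222-:22,hostfwd=tcp::2323-:23,tftp=/deploy/images"
NEW_DEFAULT = ("-netdev user,id=net0,hostfwd=tcp:127.0.0.1:2222-:22,"
               "hostfwd=tcp:127.0.0.1:2323-:23,tftp=/deploy/images")


def classify_bind(haddr):
    """Classify the host side of one hostfwd rule."""
    if haddr == "":
        return "all-interfaces"      # empty hostaddr: listens on every host address
    try:
        ip = ipaddress.ip_address(haddr)
    except ValueError:
        return "unknown"             # not an IP literal, review by hand
    if ip.is_unspecified:
        return "all-interfaces"      # 0.0.0.0
    return "loopback" if ip.is_loopback else "single-interface"


def audit_hostfwd(netdev_opt):
    """Return one finding per hostfwd rule in a '-netdev user,...' option string."""
    return [
        {
            "proto": m.group("proto") or "tcp",   # QEMU defaults to tcp
            "host_addr": m.group("haddr"),
            "host_port": int(m.group("hport")),
            "guest_port": int(m.group("gport")),
            "exposure": classify_bind(m.group("haddr")),
        }
        for m in HOSTFWD_RE.finditer(netdev_opt)
    ]


def network_reachable(netdev_opt):
    """Host ports whose forward is not restricted to loopback."""
    return [f["host_port"] for f in audit_hostfwd(netdev_opt) if f["exposure"] != "loopback"]


if __name__ == "__main__":
    for name, opt in (("old", OLD_DEFAULT), ("new", NEW_DEFAULT)):
        print(name, network_reachable(opt))
```

Running the same check over a `QB_SLIRP_OPT` value set in local.conf or a machine config shows whether an override has reopened the guest's SSH or telnet forward to the network.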