Problem scenario:

A cloud provider (defined as someone who allows multiple end-users
to create and manage their own guest instances without direct access
to the host's operating system) needs to provide console access to
each instance in a secure manner. If a cloud provider were to use
bhyve in its current form, a cloud end-user could SSH into a guest
instance, provided the instance is already installed and running,
but the user could NOT do the following tasks, which can be
performed only at the console:

* OS installation
* Recovering from a virtual “hardware” or OS failure
* Rebooting a halted machine

A cloud end-user needs to be able to perform the above tasks on a
guest instance without compromising the security of the host.  Thus
the end-user needs access to a virtual guest “console” that enables
the above tasks to be performed on a virtual machine – just as, on a
physical machine, the above tasks could be performed via the
physical machine's console.

However, bhyve does not currently provide any means by which users
can access a guest console without first logging into the host's
console and/or performing some other task that is quite likely to
have security issues.

A few possible solutions:

* Use some external program to pipe console I/O via a socket to the
end-user? (but this would be hard to standardize)
* Restricted login? (but this would have concurrency issues as to
which user can access which guest instance)
* Perhaps bhyve could add a console socket port for each guest
instance? (Aryeh Friedman and I favor this idea, unless someone can
suggest something better.  If others think this is a good idea, we
can write this addition to bhyve.)

Does anyone have any other suggestions?

The discussion of how to handle this problem should consider the
following issues:

* The solution must allow access to multiple guest consoles at once
by multiple users
* The solution must not require users of guest instances to have
access to the host console, although these users may have limited
access to the host by other means, such as SSH to a port dedicated
to a specific guest.
* The solution must not expose the host OS to other possible
security issues either (remember, bhyve runs as root)
* The solution must be scriptable.
* A virtual machine should, as much as possible, behave like an
actual physical machine in its interactions with its designated
user, despite the user's lack of access to the host console.
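As an added illustration of the third option above (a console socket per guest instance), here is a small broker written for this thread; it is not code from bhyve or from the poster. It assumes the hypervisor hands the guest's serial console to the host as a tty-like file descriptor (a pty stands in for it in the demo), relays that fd to a Unix domain socket created with mode 0600 and optionally chowned to the guest's owner, and fans output out to every attached user while feeding any user's keystrokes back to the console. The names ConsoleBroker and simulate_session are mine. The socket permissions are what keep one tenant out of another tenant's console; the broker itself needs only the console fd, so it can run as an unprivileged helper rather than inside the root-owned bhyve process.

```python
import os
import selectors
import socket
import stat
import tempfile
import threading
import tty


class ConsoleBroker:
    """Relay a guest console fd (assumed tty-like; a pty here) to attached users."""

    def __init__(self, console_fd, sock_path, owner_uid=None):
        self.console_fd = console_fd
        self.sock_path = sock_path
        self.clients = []
        self.running = True
        self.sel = selectors.DefaultSelector()
        self.listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        old_umask = os.umask(0o177)               # socket is born 0600: no window
        try:                                      # in which another user can connect
            self.listener.bind(sock_path)
        finally:
            os.umask(old_umask)
        if owner_uid is not None and os.geteuid() == 0:
            os.chown(sock_path, owner_uid, -1)    # hand it to the guest's owner
        self.listener.listen(8)
        os.set_blocking(console_fd, False)        # a wedged guest can't stall us
        self.sel.register(self.listener, selectors.EVENT_READ, "listen")
        self.sel.register(console_fd, selectors.EVENT_READ, "console")

    def _drop(self, conn):
        if conn in self.clients:                  # may already be gone this round
            self.sel.unregister(conn)
            self.clients.remove(conn)
            conn.close()

    def _broadcast(self, data):
        for conn in list(self.clients):           # copy: _drop mutates the list
            try:
                conn.sendall(data)
            except OSError:
                self._drop(conn)

    def serve_forever(self):
        while self.running:
            for key, _ in self.sel.select(timeout=0.1):
                if key.data == "listen":          # new user attaches
                    conn, _ = self.listener.accept()
                    conn.setblocking(False)
                    conn.sendall(b"[attached to guest console]\r\n")
                    self.clients.append(conn)
                    self.sel.register(conn, selectors.EVENT_READ, "client")
                    continue
                try:
                    data = (os.read(self.console_fd, 4096) if key.data == "console"
                            else key.fileobj.recv(4096))
                except OSError:                   # pty closed or client reset
                    data = b""
                if key.data == "console":
                    if data:
                        self._broadcast(data)     # output -> every attached user
                    else:
                        self.running = False      # guest console gone: stop
                elif data:
                    os.write(self.console_fd, data)  # keystrokes -> console
                else:
                    self._drop(key.fileobj)       # client hung up
        self.listener.close()
        os.unlink(self.sock_path)


def simulate_session():
    """Constructed demo: a pty plays the guest console; two users attach."""
    master, slave = os.openpty()
    tty.setraw(slave)                             # fake guest: no echo, no CRLF mangling
    sock_path = os.path.join(tempfile.mkdtemp(), "guest1.sock")
    broker = ConsoleBroker(master, sock_path)
    thread = threading.Thread(target=broker.serve_forever, daemon=True)
    thread.start()
    mode = stat.S_IMODE(os.stat(sock_path).st_mode)
    clients = []
    for _ in range(2):
        c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        c.settimeout(5)
        c.connect(sock_path)
        c.recv(64)                                # wait for the attach banner
        clients.append(c)
    os.write(slave, b"login: ")                   # the "guest" prints its prompt
    seen = [c.recv(64) for c in clients]          # every attached user sees it
    clients[0].sendall(b"root\n")                 # one user types at the console
    typed = os.read(slave, 64)                    # ... and the "guest" receives it
    broker.running = False
    thread.join()
    for c in clients:
        c.close()
    os.close(master)
    os.close(slave)
    return {"mode": mode, "seen": seen, "typed": typed}
```

Running simulate_session() shows the three properties the requirements list asks for: the socket is 0600 so only its owner (and root) can attach, two clients attached at once both receive the guest's prompt, and input from either of them reaches the guest. Scripting on top of it is just connecting to the socket (with nc -U or a few lines of Python), and the same broker works for an installer or a halted guest because it sits on the console rather than on an SSH login inside the guest.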
