Starting QEMU as a different user

I am currently trying to intercept/block specific requests from a guest in QEMU.
According to this question, the easiest approach seems to be to run QEMU as a different user, so that I can distinguish host and guest traffic in iptables.

However, starting QEMU as another user always fails:

❯ sudo -u qemu-user qemu-system-x86_64 -enable-kvm ...
Authorization required, but no authorization protocol specified

gtk initialization failed

Any idea how to fix this, or what other method I could use to block guest traffic (e.g. to specific ports)?

Answer 1

It is trying to connect to your local X11 server but has no access to it; you can change that with the following xhost command:

❯ xhost +
access control disabled, clients can connect from any host
❯ export DISPLAY=:0

sudo -E -u root qemu-system-x86_64 -enable-kvm -serial mon:stdio -m 8g -smp 4 -hda ~/Downloads/debian-12-generic-amd64.qcow2 -nic user,model=virtio-net-pci

worked for me. The GTK initialization failed error is also a clue: it is trying to connect to the X server but cannot, because you need to allow the user and specify the location via the environment variable DISPLAY=:0 (the default).

Be sure to read the man page for the xhost command and what happens with xhost + when you do not specify a user name (it allows any user name). Usually this is fine, but I just want to make sure you understand that.

OPTIONS
       Xhost accepts the following command line options described below.  For security, the options that af‐
       fect  access control may only be run from the "controlling host".  For workstations, this is the same
       machine as the server.  For X terminals, it is the login host.

       -help   Prints a usage message.

       [+]name The given name (the plus sign is optional) is added to the list allowed to connect to  the  X
               server.  The name can be a host name or a complete name (See NAMES for more details).

       -name   The given name is removed from the list of allowed to connect to the server.  The name can be
               a host name or a complete name (See NAMES for more details).  Existing  connections  are  not
               broken, but new connection attempts will be denied.  Note that the current machine is allowed
               to be removed; however, further connections (including attempts to add it back) will  not  be
               permitted.   Resetting the server (thereby breaking all connections) is the only way to allow
               local connections again.

       +       Access is granted to everyone, even if they aren't on  the  list  (i.e.,  access  control  is
               turned off).

       -       Access is restricted to only those on the list (i.e., access control is turned on).

       nothing If no command line arguments are given, a message indicating whether or not access control is
               currently enabled is printed, followed by the list of those allowed to connect.  This is  the
               only option that may be used from machines other than the controlling host.

Edit:

To block guest traffic to specific ports: use user-mode networking, e.g. -nic user,model=virtio-net-pci will give you an isolated guest network, and you can control port forwarding via the QEMU monitor (with -serial mon:stdio enabled you can switch between serial mode and QEMU monitor mode with control-a c); see also hostfwd_add.

More information: https://wiki.qemu.org/Documentation/Networking#User_Networking_(SLIRP)

https://github.com/paigeadelethompson/docker-solaris#networking
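As an added example that is not part of the question or the answer above: a POSIX shell script that ties the two ideas together, blocking outbound traffic from the QEMU user to chosen ports with the iptables owner match (the approach the question mentions), granting only that user X access instead of turning access control off with xhost +, and building the QEMU command line with a hostfwd entry. The account name qemu-user, the port numbers, the 2222->22 forward and the image path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes the
# hypothetical account "qemu-user" exists and that the guest uses QEMU's
# user-mode (SLIRP) networking: every guest packet then leaves the host as
# traffic generated by the QEMU process, so iptables' owner match in the
# OUTPUT chain sees it. With tap/bridge networking guest packets traverse
# FORWARD instead and --uid-owner would not match them.

# Print the iptables commands that reject outbound TCP from USER to the
# given destination ports and log whatever else that user sends.
# usage: guest_block_rules USER PORT [PORT...]
guest_block_rules() {
    user=$1; shift
    for port in "$@"; do
        echo "iptables -A OUTPUT -p tcp --dport $port -m owner --uid-owner $user -j REJECT --reject-with tcp-reset"
    done
    echo "iptables -A OUTPUT -m owner --uid-owner $user -j LOG --log-prefix \"qemu-guest: \""
}

# Allow one local user to reach the X server (server-interpreted
# "localuser" entry) rather than disabling access control for everyone.
xhost_allow_user() {
    echo "xhost +SI:localuser:$1"
}

# QEMU command line: run as the unprivileged user with user-mode
# networking; hostfwd exposes guest port 22 on host loopback port 2222.
qemu_cmdline() {
    user=$1; image=$2
    echo "sudo -E -u $user qemu-system-x86_64 -enable-kvm -m 2g -serial mon:stdio -hda $image -nic user,model=virtio-net-pci,hostfwd=tcp:127.0.0.1:2222-:22"
}

# Dry run by default (prints the rules); "apply" executes each step.
if [ "${1:-}" = "apply" ]; then
    xhost_allow_user qemu-user | sh
    guest_block_rules qemu-user 25 465 587 | sh
    qemu_cmdline qemu-user "$HOME/Downloads/debian-12-generic-amd64.qcow2" | sh
else
    guest_block_rules qemu-user 25 465 587
fi
```

Run the script without arguments first to review the generated iptables rules; the LOG rule makes blocked guest connection attempts visible in the kernel log.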
