kvm virtualization – Redirecting USB device to a virtual machine with virt-manager does not work

I have a Fedora workstation running an Ubuntu 16.04 virtual machine (KVM
hypervisor). I’d like to redirect a USB device to the VM, but when selecting
“Virtual Machine | Redirect USB device” from virt-manager, I get the
following error:

spice-client-error-quark: Could not redirect <USB device name> at 1-4:
Error setting USB device node ACL: 'Not authorized' (0)

The error window has a “Details” section which just reads “USB redirection
error”.

Here is what I’ve tried so far, without success:

  1. As suggested here, I created a /etc/udev/rules.d/50-spice.rules file with
    the following contents, then created a `spice` group and added my user to
    this group

    SUBSYSTEM=="usb", GROUP="spice", MODE="0660"
    SUBSYSTEM=="usb_device", GROUP="spice", MODE="0660"
    
  2. Downgraded spice-gtk from the latest version of Fedora 33 (0.39-1) to
    0.38-3.

  3. Disabled SELinux

  4. sudo chmod 4755 /usr/libexec/spice-gtk-x86_64/spice-client-glib-usb-acl-helper

  5. Upgraded to Fedora 34, which comes with spice-gtk 0.39-2
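
In spice-gtk the redirect goes through spice-client-glib-usb-acl-helper, which asks polkit for authorization before it adds an ACL entry for the user to the device node; "Not authorized" is that helper declining. The node's owner, group and mode, which the udev rule in step 1 sets, are a separate question from the polkit decision. The added Python below (not from the question and not part of spice-gtk) does the part that can be verified without privileges: it maps the "1-4" in the error message to /dev/bus/usb/BBB/DDD via the busnum and devnum files the kernel exposes in sysfs, and evaluates the plain mode bits for a given user and group set. It runs against a constructed fake sysfs and device tree; pointing `usb_device_node` at the real /sys/bus/usb/devices and /dev/bus/usb checks the live node.

```python
"""Resolve the '1-4' from the error to its device node and check who can open it (added example)."""
import os
import stat
import tempfile
from pathlib import Path


def usb_device_node(port_id, sysfs_devices="/sys/bus/usb/devices", dev_root="/dev/bus/usb"):
    """Map a sysfs port id such as '1-4' (bus 1, port 4) to its /dev/bus/usb/BBB/DDD node.
    The kernel exposes busnum and devnum as files in the device's sysfs directory."""
    dev_dir = Path(sysfs_devices) / port_id
    busnum = int((dev_dir / "busnum").read_text())
    devnum = int((dev_dir / "devnum").read_text())
    return Path(dev_root) / f"{busnum:03d}" / f"{devnum:03d}"


def can_open_rw(node, uid, gids):
    """Classic owner/group/other check for read+write on the node. ACL entries (what the
    spice helper would add) and capabilities are not consulted; root is treated as allowed."""
    if uid == 0:
        return True
    st = os.stat(node)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        bits = (mode >> 6) & 0o7
    elif st.st_gid in gids:
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    return bits & 0o6 == 0o6


def build_fake_tree(root):
    """Constructed stand-in for /sys/bus/usb/devices/1-4 and /dev/bus/usb/001/004, with the
    0660 mode the udev rule from step 1 is meant to produce. Not a real host."""
    sysfs = Path(root) / "sys"
    dev_root = Path(root) / "dev"
    (sysfs / "1-4").mkdir(parents=True)
    (sysfs / "1-4" / "busnum").write_text("1\n")
    (sysfs / "1-4" / "devnum").write_text("4\n")
    node = dev_root / "001" / "004"
    node.parent.mkdir(parents=True)
    node.touch()
    node.chmod(0o660)
    return sysfs, dev_root


def demo():
    """Resolve the constructed '1-4' and report access for a group member and an outsider."""
    with tempfile.TemporaryDirectory() as tmp:
        sysfs, dev_root = build_fake_tree(tmp)
        node = usb_device_node("1-4", sysfs, dev_root)
        st = os.stat(node)
        return {
            "node": node.relative_to(dev_root).as_posix(),
            "mode": oct(stat.S_IMODE(st.st_mode)),
            # a non-owner who is in the node's group (what adding the user to `spice` achieves)
            "group_member_rw": can_open_rw(node, st.st_uid + 1, [st.st_gid]),
            # a non-owner outside the group: 0660 gives no access at all
            "outsider_rw": can_open_rw(node, st.st_uid + 1, [st.st_gid + 1]),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live system the same call with the default arguments returns the real node; the mode bits it reports say whether the udev rule was applied, and a 0660 node owned by root:spice with the user in spice is what step 1 aims for, independently of the polkit answer the helper reports.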

malware – Rootkit hiding using virtualization technology

I remember seeing a conference talk where they discussed using virtualization to create malware that works by virtualizing the victim’s entire operating system, staying outside it and thus becoming undetectable by any software within it. They also showed how malware outside the VM could hijack syscalls and many other things as if it were God. Unfortunately I don’t remember where I saw this interesting lecture, and I am asking you for more information.

virtualization – How to set machine state: poweron with community.vmware.vmware_guest_powerstate task?

I’m pretty new to Ansible, so I might have configured things wrong. (I have a Docker container running the Ansible service in it, and I have an Ansible repository that includes the Ansible files; this is a Git repository.)

My goal was to automatically revert each lab in vCenter Server to a specific snapshot. But first I’m trying to: power off the lab’s machines when they’re turned on, and power on the lab’s machines when they’re turned off.

So, I (with the help of the ansible-roles-explained-with-examples guide):

  • Created a role named vcenter with the ansible-galaxy init command (see directory tree below)
  • Created some vcenter task files inside the tasks folder (see directory tree below). Here is an example of the poweroff.yml and poweron.yml task files:

- name: Set the state of a virtual machine to poweroff
  community.vmware.vmware_guest_powerstate:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    folder: "/{{ datacenter_name }}/vm/{{ folder }}"
    name: "{{ ansible_hostname }}"
    # name: "{{ guest_name }}"
    validate_certs: no
    state: powered-off
    force: yes
  delegate_to: localhost
  register: deploy

- name: Set the state of a virtual machine to poweron using MoID
  community.vmware.vmware_guest_powerstate:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    folder: "/{{ datacenter_name }}/vm/{{ folder }}"
    name: "{{ ansible_hostname }}"
    # moid: vm-42
    validate_certs: no
    state: powered-on
  delegate_to: localhost
  register: deploy

  • Supplied the vCenter credentials in the vcenter/vars/main.yml file, like this:

# vars file for vcenter
vcenter_hostname: vcenter.foo.com
vcenter_username: hiddai@foo.com
vcenter_password: f#0$o#1$0o
datacenter_name: FOO_Fighters
# datastore_name: 
cluster_name: FOO
folder: '/FOO/PRODUCT/DOMAIN.COM/'

  • Included the tasks in the tasks/main.yml file with the import_tasks key, like this:

---
# tasks file for roles/vcenter
- import_tasks: poweroff.yml
# - import_tasks: poweron.yml
# - import_tasks: revert.yml
# - import_tasks: shutdown.yml

  • Created an all.yml inside the group_vars folder in the inventories library (I don’t know if it’s a professional way to do it like that) that includes all the WinRM details, like this:

---
#WinRM Protocol Details
ansible_user: DOMAINuser
ansible_password: f#0$o#1$0o
ansible_connection: winrm
ansible_port: 5985
ansible_winrm_scheme: http
ansible_winrm_server_cert_validation: ignore
ansible_winrm_transport: ntlm
ansible_winrm_read_timeout_sec: 60
ansible_winrm_operation_timeout_sec: 58

  • Created a revert_lab.yml playbook that includes the role, like this:

---
- name: revert an onpremis lab
  hosts: all
  roles:
  - vcenter

My ansible.cfg is like this:

[defaults]
inventory = /ansible/inventories
roles_path = ./roles:..~/ansible/roles

I executed the playbook successfully to power off all the machines in the lab, then I “turned on” the poweron task in the role, like this:

---
# tasks file for roles/vcenter
# - import_tasks: poweroff.yml
- import_tasks: poweron.yml
# - import_tasks: revert.yml
# - import_tasks: shutdown.yml

Now that all the lab’s machines are shut down, executing the playbook gives the following error:

PLAY [revert vmware vcenter lab] *************************************************

TASK [Gathering Facts] ***********************************************************
fatal: [vm1.domain.com]: UNREACHABLE! => {"changed": false, "msg": "ntlm: HTTPConnectionPool(host='vm1.domain.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb7ae4908d0>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}
fatal: [vm2.domain.com]: UNREACHABLE! => {"changed": false, "msg": "ntlm: HTTPConnectionPool(host='vm2.domain.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb7ae487b00>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}
fatal: [vm3.domain.com]: UNREACHABLE! => {"changed": false, "msg": "ntlm: HTTPConnectionPool(host='vm3.domain.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb7ae48acc0>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}
fatal: [vm4.domain.com]: UNREACHABLE! => {"changed": false, "msg": "ntlm: HTTPConnectionPool(host='vm4.domain.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb7ae48de80>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}
fatal: [vm5.domain.com]: UNREACHABLE! => {"changed": false, "msg": "ntlm: HTTPConnectionPool(host='vm5.domain.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb7ae41f080>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}
fatal: [vm6.domain.com]: UNREACHABLE! => {"changed": false, "msg": "ntlm: HTTPConnectionPool(host='vm6.domain.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb7ae41d7f0>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}
fatal: [vm7.domain.com]: UNREACHABLE! => {"changed": false, "msg": "ntlm: HTTPConnectionPool(host='vm7.domain.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb7ae428048>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}
fatal: [vm8.domain.com]: UNREACHABLE! => {"changed": false, "msg": "ntlm: HTTPConnectionPool(host='vm8.domain.com', port=5985): Max retries exceeded with url: /wsman (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb7ae425588>: Failed to establish a new connection: [Errno 111] Connection refused',))", "unreachable": true}

PLAY RECAP ***********************************************************************
vm1.domain.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
vm2.domain.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
vm3.domain.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
vm4.domain.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
vm5.domain.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
vm6.domain.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
vm7.domain.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0
vm8.domain.com    : ok=0    changed=0    unreachable=1    failed=0    skipped=0    rescued=0    ignored=0

Why does the poweroff task work OK while poweron doesn’t? How can I fix this issue?

My repository:

C:.
├───ansible
│   │   ansible.cfg
│   ├───inventories
│   │   └───test
│   │       ├───cloud
│   │       └───onpremis
│   │           └───domain.com
│   │               │   lab_j.yml
│   │               │   lab_r.yml
│   │               └───group_vars
│   │                       all.yml
│   ├───playbooks
│   │       revert_lab.yml
│   └───roles
│       └───vcenter
│           ├───tasks
│           │       main.yml
│           │       poweroff.yml
│           │       poweron.yml
│           │       revert.yml
│           │       shutdown.yml
│           └───vars
│                   main.yml

My inventory lab_r.yml (this is a partial schema):

---
all:
  children:
    root:
      children:
        center:
          children:
            appservers:
              hosts:
                vm1.domain.com:
            qservers:
              hosts:
                vm2.domain.com:
            dbservers:
              hosts:
                vm3.domain.com:
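
Two things in the post above explain the failure, and an added check can make both visible in a repository. First, a play gathers facts by default, and that implicit "Gathering Facts" step is what connects over WinRM to every host in `hosts: all` before any task runs; with the machines powered on (the poweroff run) it succeeds, with them powered off it ends in UNREACHABLE and the vCenter task, although delegated to localhost, never executes. Second, the task names the VM with `ansible_hostname`, which is itself a gathered fact and is undefined once `gather_facts: false` is set; `inventory_hostname` (the name in the inventory file) or the commented-out `moid` needs no connection to the guest. The third check is unrelated to the error but matters in a Git-tracked repository: credential keys whose value is a literal string rather than a `!vault` block. The Python below is an added example, not the asker's code or anything shipped with Ansible; `write_sample_repo` creates constructed placeholder files in the question's layout, and the checks are line-based regular expressions rather than a YAML parser.

```python
"""Static checks for the pitfalls in the role above (added example, not the asker's code)."""
import re
import tempfile
from pathlib import Path

# Variables that only exist after the implicit "Gathering Facts" (setup) task has
# connected to the host. inventory_hostname, by contrast, is a magic variable that
# is defined without any connection at all.
FACT_VARS = ("ansible_hostname", "ansible_fqdn", "ansible_default_ipv4", "ansible_os_family")
FACT_REF = re.compile(r"\{\{\s*(" + "|".join(FACT_VARS) + r")\b")
GATHER_OFF = re.compile(r"^\s*gather_facts\s*:\s*(false|no)\s*$", re.I)
HOSTS_KEY = re.compile(r"^\s*hosts\s*:")
PLAY_KEY = re.compile(r"^\s*(roles|tasks)\s*:")  # a play has these; an inventory file does not
# Keys whose literal value would be a credential; "!vault" and "{{ ... }}" values are not plaintext.
SECRET_KEY = re.compile(r"^\s*([\w.]*(?:password|passwd|secret|token)[\w.]*)\s*:\s*(.*?)\s*$", re.I)


def yaml_files(root):
    return sorted(p for p in Path(root).rglob("*") if p.is_file() and p.suffix in (".yml", ".yaml"))


def fact_references(root):
    """(relative path, line, fact name) for every use of a gathered fact under root."""
    hits = []
    for path in yaml_files(root):
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            for m in FACT_REF.finditer(line):
                hits.append((path.relative_to(root).as_posix(), lineno, m.group(1)))
    return hits


def plays_gathering_facts(root):
    """Playbook files whose plays never set gather_facts: false, i.e. that will connect
    (here: over WinRM) to every host in `hosts:` before the first task runs."""
    gathering = []
    for path in yaml_files(root):
        lines = path.read_text().splitlines()
        is_play = any(HOSTS_KEY.match(l) for l in lines) and any(PLAY_KEY.match(l) for l in lines)
        if is_play and not any(GATHER_OFF.match(l) for l in lines):
            gathering.append(path.relative_to(root).as_posix())
    return gathering


def plaintext_secrets(root):
    """(relative path, line, key) for credential keys whose value is a literal string."""
    hits = []
    for path in yaml_files(root):
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            m = SECRET_KEY.match(line)
            if m and m.group(2) and not m.group(2).startswith(("!vault", "{{")):
                hits.append((path.relative_to(root).as_posix(), lineno, m.group(1)))
    return hits


def report(root):
    return {
        "fact_refs": fact_references(root),
        "plays_gathering_facts": plays_gathering_facts(root),
        "plaintext_secrets": plaintext_secrets(root),
    }


def write_sample_repo(root):
    """Constructed files mirroring the question's layout; hostnames and secrets are placeholders."""
    files = {
        "playbooks/revert_lab.yml": "---\n- name: revert a lab\n  hosts: all\n  roles:\n    - vcenter\n",
        "roles/vcenter/tasks/poweron.yml": (
            "- name: Set the state of a virtual machine to poweron\n"
            "  community.vmware.vmware_guest_powerstate:\n"
            '    name: "{{ ansible_hostname }}"\n'  # a fact: undefined unless facts were gathered
            "    state: powered-on\n"
            "  delegate_to: localhost\n"
        ),
        "roles/vcenter/vars/main.yml": "vcenter_hostname: vcenter.example.test\nvcenter_password: PLACEHOLDER-PLAINTEXT\n",
        "inventories/test/group_vars/all.yml": "ansible_password: !vault |\n  $ANSIBLE_VAULT;1.1;AES256\n  0000\n",
        "inventories/test/lab.yml": "all:\n  hosts:\n    vm1.example.test:\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)


def demo():
    """Run the checks against the constructed repo and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_repo(tmp)
        return report(tmp)


if __name__ == "__main__":
    for check, findings in demo().items():
        print(f"{check}: {findings}")
```

Run against a real checkout, `report("/ansible")` lists the playbook that still gathers facts, every task line that depends on a fact, and every vars file with a literal credential; a play that only talks to vCenter from localhost should come out with `gather_facts: false`, `name: "{{ inventory_hostname }}"` and no entries in the last list.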

kvm virtualization – QEMU VM with tap interface sees all packets coming from hypervisor instead of real source IP

I have set up a very simple hypervisor using Alpine Linux, and my VM sees all traffic coming from the IP of the hypervisor.

This also means that if fail2ban tries to block attacks, it always blocks the hypervisor’s IP.

How can I have the VM see the real IP addresses and not just the IP of the hypervisor?

On the HV (192.168.5.5) I have a bridged interface br0 which is working fine.

# tun1 setup script on Hypervisor
iptables -t nat -A POSTROUTING -o br0 -j MASQUERADE
iptables -P FORWARD ACCEPT
ip tuntap add dev tap1 mode tap user root
ip link set dev tap1 up
ip link set tap1 master br0

qemu-system-x86_64 (... unrelated parameters removed ...) \
  -device virtio-net-pci,netdev=network0,mac=02:1f:ba:26:d7:56 \
  -netdev tap,id=network0,ifname=tap1,script=no,downscript=no

The VM has internet access but all traffic it sees comes from the IP of the hypervisor.

Someone is even trying to use my server for a DNS amplification attack (blocked outgoing on my pfSense firewall, though).
[screenshot: DNS amplification attacks]

Fail2ban is also blocking the wrong IP:
[screenshot: fail2ban log showing the blocked HV IP]
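
The setup script above attaches tap1 to br0, so the guest sits on the same Layer 2 segment as the hypervisor and needs no NAT at all, yet the POSTROUTING MASQUERADE rule on br0 is still installed. A likely cause of the symptom: when the br_netfilter module is loaded (`net.bridge.bridge-nf-call-iptables = 1`), bridged frames are passed through the iptables nat table too, `-o br0` matches them on their way to the guest, and MASQUERADE rewrites their source address to the bridge's own, 192.168.5.5 here. That is exactly what fail2ban then bans. The Python below is an added example, not the asker's script: it inspects captured `iptables-save -t nat` and sysctl text (both constructed samples, in the same shape as the script above) for that combination and produces a narrower rule using `-m physdev ! --physdev-is-bridged`, which keeps the masquerade for routed packets only. Deleting the rule, since bridged guests do not need it, or setting bridge-nf-call-iptables to 0 are the other two options; the latter also stops the FORWARD chain from seeing guest traffic, which matters if host-side filtering of the VM is wanted.

```python
"""Spot a MASQUERADE rule that also rewrites bridged frames (added example, not the asker's script)."""
import re

# Constructed sample in `iptables-save -t nat` form, matching the setup script above.
SAMPLE_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o br0 -j MASQUERADE
COMMIT
"""
# Constructed sample of `sysctl net.bridge.bridge-nf-call-iptables` with br_netfilter loaded.
SAMPLE_SYSCTL = "net.bridge.bridge-nf-call-iptables = 1\n"

MASQ = re.compile(r"^-A POSTROUTING\s+(?P<match>.*?)\s*-j MASQUERADE\s*$")


def bridge_nf_enabled(sysctl_text):
    """True when bridged frames traverse the iptables tables (br_netfilter active).
    If the key is absent the module is not loaded and bridged frames bypass iptables."""
    for line in sysctl_text.splitlines():
        key, _, value = line.partition("=")
        if key.strip() == "net.bridge.bridge-nf-call-iptables":
            return value.strip() == "1"
    return False


def unscoped_masquerade_rules(nat_text, bridges=("br0",)):
    """MASQUERADE rules whose out-interface is a bridge and that carry neither a physdev
    match nor a source restriction, so every packet leaving via the bridge is rewritten."""
    hits = []
    for line in nat_text.splitlines():
        m = MASQ.match(line)
        if not m:
            continue
        tokens = m.group("match").split()
        out_if = None
        if "-o" in tokens and tokens.index("-o") + 1 < len(tokens):
            out_if = tokens[tokens.index("-o") + 1]
        if out_if not in bridges:
            continue
        scoped = "-s" in tokens or any(t.startswith("--physdev") for t in tokens)
        if not scoped:
            hits.append(line)
    return hits


def scope_to_routed_traffic(rule):
    """Rewrite the rule so it only masquerades routed packets; bridged frames are left alone."""
    m = MASQ.match(rule)
    if not m:
        raise ValueError(f"not a POSTROUTING MASQUERADE rule: {rule!r}")
    return f"-A POSTROUTING {m.group('match')} -m physdev ! --physdev-is-bridged -j MASQUERADE"


def diagnose(nat_text, sysctl_text, bridges=("br0",)):
    """Combine both observations: the broad rule alone is harmless until br_netfilter
    feeds bridged frames into the nat table."""
    rules = unscoped_masquerade_rules(nat_text, bridges)
    affected = bool(rules) and bridge_nf_enabled(sysctl_text)
    return {
        "bridged_frames_masqueraded": affected,
        "rules": rules,
        "rewritten": [scope_to_routed_traffic(r) for r in rules] if affected else [],
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_NAT, SAMPLE_SYSCTL).items():
        print(f"{key}: {value}")
```

On the hypervisor the inputs come from `iptables-save -t nat` and `sysctl net.bridge.bridge-nf-call-iptables`; once the guest sees real source addresses, fail2ban's bans land on the attacking address instead of 192.168.5.5, and the amplification attempts in the screenshot become attributable from inside the VM.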

What virtualization solution are you using these days?

What software do you use today to provide VM / cloud hosting to your customers?

I know of:
  • Virtualizor
  • OnApp
  • Virtuozzo
  • S…

Read the rest of https://www.webhostingtalk.com/showthread.php?t=1852790&goto=newpost