<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body>
<div dir="ltr">I’ll try snapshot create, I didn’t know about that. 
<div><br>
</div>
<div>I understand your security concerns, but they don’t apply in this case. The target environment is air gapped and isolated. I can’t see any reason to fear an attack on the VM before an attack on the host. </div>
<div><br>
</div>
<div>2. Well, I was experimenting with getting libvirt out of the system to simplify things, but I didn’t have much luck yet. </div>
</div>
<div>
<div class="null" dir="auto">On September 9, 2021 at 1:20:38 AM PDT, Daniel P. Berrangé &lt;berrange@redhat.com&gt; wrote:<br class="null">
</div>
<blockquote type="cite" style="border-left-style:solid;border-width:1px;margin-left:0px;padding-left:10px;" class="null">
<div class="null" dir="auto">
<div class="null">
<div class="null"><font size="2" class="null"><span style="font-size:11pt;" class="null">
<div class="null">On Wed, Sep 08, 2021 at 04:22:31AM +0000, Leek, Jim wrote:<br class="null">
> I'm on a RHEL 8 host, using virt-manager to run a CentOS 8 guest.  I need<br class="null">
> to be able to have a program on the guest trigger a checkpoint to save<br class="null">
> the guest.  I came up with a kludgy way to do this involving a script<br class="null">
> that ssh's to the host and runs 'virsh qemu-monitor-command --hmp<br class="null">
> centos8_1 "savevm savestate1"' and that works to some degree, but it<br class="null">
> takes a long time and sometimes I get an error.<br class="null">
<br class="null">
This is a bad idea.<br class="null">
<br class="null">
"savevm" completely stops execution of the guest for the duration<br class="null">
that it runs.....so your ssh connection is suspended. Depending<br class="null">
on how long this takes, your ssh connection may take some time to<br class="null">
recover, or in the worst case fail.<br class="null">
<br class="null">
Using qemu-monitor-command is not necessary because libvirt already<br class="null">
has support for savevm via its domain snapshot APIs exposed in virsh<br class="null">
using snapshot-* commands. Using qemu-monitor-command in this case<br class="null">
is likely to confuse libvirt because it is resulting in unexpected<br class="null">
state changes in the guest.<br class="null">
<br class="null">
Allowing the guest to ssh into the host and connect to libvirt<br class="null">
throws away any security isolation your host has from the guest.<br class="null">
So if your guest is compromised it'll easily take over the host<br class="null">
too.<br class="null">
<br class="null">
> So, I'm trying to think of ways to simplify the system.  If anyone has any ideas, I would love to have them.  All I can think of is:<br class="null">
> <br class="null">
>   1.  Connect to the qemu monitor with telnet from inside the VM.  (Therefore skipping the whole ssh remote command thing.)<br class="null">
<br class="null">
Definitely don't want to do that - access to the QEMU monitor<br class="null">
again allows guest to attack the host in various ways. If<br class="null">
libvirt is connected to the QEMU monitor, you can't have a<br class="null">
second connection anyway.<br class="null">
<br class="null">
Regards,<br class="null">
Daniel<br class="null">
-- <br class="null">
|: <a href="https://berrange.com" target="_BLANK" class="null">https://berrange.com</a>       -o-   <a href="https://www.flickr.com/photos/dberrange" target="_BLANK" class="null">https://www.flickr.com/photos/dberrange</a>  :|<br class="null">
|: <a href="https://libvirt.org" target="_BLANK" class="null">https://libvirt.org</a>          -o-           <a href="https://fstop138.berrange.com" target="_BLANK" class="null">https://fstop138.berrange.com</a>  :|<br class="null">
|: <a href="https://entangle-photo.org" target="_BLANK" class="null">https://entangle-photo.org</a>     -o-   <a href="https://www.instagram.com/dberrange" target="_BLANK" class="null">https://www.instagram.com/dberrange</a>  :|<br class="null">
<br class="null">
</div>
</span></font></div>
</div>
</div>
</blockquote>
</div>
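<div>A host-side version of the snapshot step Daniel points to, as an added example that is not part of either message in this thread and not libvirt's own code. It drives libvirt's snapshot-* commands on the RHEL 8 host instead of issuing a raw "savevm" over qemu-monitor-command, validates the snapshot name before it reaches virsh, and gives the guest no ssh login, no libvirt connection and no monitor access. The domain name centos8_1 and snapshot name savestate1 are taken from the thread; the VIRSH override, the function names and the name-validation rule are assumptions made here. How the guest signals the host to run it is deliberately left out, since the thread does not settle that part.</div>

```bash
#!/usr/bin/env bash
# Host-side snapshot helper (added example; not from the thread or from libvirt).
# Runs on the RHEL 8 host only. The guest never needs an ssh login, a libvirt
# connection or a QEMU monitor connection for this to work.
#
# Assumption: VIRSH names the virsh binary. It is overridable so the functions
# can be exercised against a stub on a machine without a hypervisor.
VIRSH="${VIRSH:-virsh}"

# Accept only conservative snapshot names. A name that originated inside the
# guest must not be able to turn into an extra virsh option ("--force") or
# shell metacharacters, so reject the empty string, anything starting with a
# dash, and anything outside [A-Za-z0-9._-].
valid_snapshot_name() {
  case "$1" in
    "" | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Create an internal (savevm-style) snapshot through libvirt's snapshot API
# rather than "savevm" on the raw monitor, so libvirt stays aware of the
# state change. The guest is paused while its memory is written, exactly as
# with savevm; --atomic means either the whole snapshot lands or nothing
# about the domain is changed.
snapshot_domain() {
  local dom="$1" name="$2" state
  valid_snapshot_name "$name" || { echo "rejected snapshot name: $name" >&2; return 2; }
  state=$("$VIRSH" domstate "$dom") || return 1
  [ "$state" = "running" ] || { echo "$dom is '$state', not running" >&2; return 3; }
  "$VIRSH" snapshot-create-as "$dom" --name "$name" --atomic
}

# Roll the domain back to a named snapshot (this also pauses the guest).
revert_domain() {
  local dom="$1" name="$2"
  valid_snapshot_name "$name" || { echo "rejected snapshot name: $name" >&2; return 2; }
  "$VIRSH" snapshot-revert "$dom" --snapshotname "$name"
}

# Show what exists; --tree makes parent/child ordering visible.
list_snapshots() {
  "$VIRSH" snapshot-list "$1" --tree
}

# Stand-alone use on the host:  ./snap.sh centos8_1 savestate1
if [ "$#" -eq 2 ]; then
  snapshot_domain "$1" "$2"
fi
```

<div>Because the guest is frozen for the whole duration of the memory dump, whatever inside the guest asks for the snapshot has to tolerate being paused mid-request; the script only removes the host-access problem, not the pause.</div>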
</body>
</html>