Do you trust QEMU-ga (and other things) installed on your linux VPS ?
The QEMU Guest Agent is a daemon intended to be run within virtual machines. It allows the hypervisor host to perform various operations in the guest, such as:
- get information from the guest
- set the guest’s system time
- read/write a file
- sync and freeze the filesystems
- suspend the guest
- reconfigure guest local processors
- set user’s password
…
Do You TRUST preinstalled linux version on your VPS ?
- Do you use your VPS as is? (84 votes)
- I use linux VPS unmodified: 34.52%
- I check and delete some services/packets: 10.71%
- I prefer install from original source: 16.67%
- I install custom ISO: 38.10%


Comments
A lot of hosting providers also use Cloudinit, which can do similar things.
The best way is to install with a custom ISO and use LUKS full disk encryption. However, even then, I believe it is still possible for a malicious hosting provider to dump memory and get the encryption keys.
You can see what qemu-ga RPC commands the host provider is running by looking at:
I usually install from ISO which doesn't include guest agent. I have recently run into providers that require you to run qemu-ga in the guest O/S. I haven't decided what to do in that situation. I may test my luck without it, or I may severely limit what the guest agent can do with:
The allow-rpcs= option blocks all RPCs except the ones you allow.
There is also the block-rpcs= option which allows all RPCs except the ones you block, like block-rpcs=guest-exec,guest-exec-status.
I'd be interested to know if providers care or not if users don't install guest agents.
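An added example (not part of any post in this thread): the allow-rpcs= and block-rpcs= options mentioned above, audited from a qemu-ga.conf body to show which sensitive RPCs stay reachable under each. The sample configs are constructed, and the HIGH_RISK grouping and the decision to flag a config that sets both options are this example's assumptions.

```python
import configparser

# Real qemu-ga RPC names; grouping them as "high risk" is this example's
# assumption (they run commands, touch files, or change credentials).
HIGH_RISK = {
    "guest-exec", "guest-exec-status",
    "guest-file-open", "guest-file-read", "guest-file-write",
    "guest-set-user-password", "guest-ssh-add-authorized-keys",
}

def _rpc_list(section, key):
    """Return the comma-separated RPC set for key, or None if the key is unset."""
    raw = section.get(key)
    if raw is None:
        return None
    return {name.strip() for name in raw.split(",") if name.strip()}

def audit(conf_text):
    """Return (mode, high-risk RPCs still reachable) for a qemu-ga.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    general = cp["general"] if cp.has_section("general") else {}
    allow = _rpc_list(general, "allow-rpcs")
    block = _rpc_list(general, "block-rpcs")
    if allow is not None and block is not None:
        # Not modelled here: report everything rather than guess precedence.
        return "conflict", sorted(HIGH_RISK)
    if allow is not None:
        return "allowlist", sorted(HIGH_RISK & allow)
    if block is not None:
        return "blocklist", sorted(HIGH_RISK - block)
    return "unrestricted", sorted(HIGH_RISK)

# Constructed sample configs (not taken from any provider's template).
BLOCKLIST_CONF = """
[general]
block-rpcs=guest-exec,guest-exec-status
"""
ALLOWLIST_CONF = """
[general]
allow-rpcs=guest-ping,guest-info,guest-network-get-interfaces,guest-fsfreeze-freeze,guest-fsfreeze-thaw
"""

if __name__ == "__main__":
    for label, conf in (("block", BLOCKLIST_CONF), ("allow", ALLOWLIST_CONF)):
        print(label, audit(conf))
```

With the block list from the post, the file and password RPCs remain reachable; the allow list leaves none of the flagged RPCs exposed.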
Without QEMU Guest Agent, the host can still probe the virtual disk when offline if the disk is not encrypted.
I am quite new to VPS services. I wasn't aware of things like qemu-ga. Maybe it is time to check my servers. As far as trust goes, I don't think having qemu-ga matters. The provider virtualising your server has full control over it in the end.
This just makes your life easier as a customer. If you don't want it, just uninstall it. Most people like the convenience. IP address change? Customer doesn't have to touch a thing, qemu agent handles it.
Even without qemu agent and encrypted you're still running memory and storage on a system that you don't physically own which is a bigger concern if the question is strict privacy.
Wait, it has stuff installed besides the stuff I think I installed?
It being the VPS
Posted as image because i got blocked
anyone have single command line to uninstall completely the qemu agent? Thank you.
not working but asking 4.1 give me this
apt remove qemu-guest-agent
Really? That sounds a bit like providers who don't allow customers to change the root password. Name and shame them.
Same story with Windows VPS, and notice that ballooning causes instability and slowdowns on the host (and all its VPSes)...
Better than some cloud providers whose guest OS includes an ssh key from the hypervisor... Not sure OnApp still does that or not.
I've seen that one before, that's one of the reasons I reinstall all my vps myself.
How do you do that if provider does not allow for custom iso?
Netboot
There are some reinstall scripts you can use.
https://github.com/bin456789/reinstall
Installnet.sh
And many others
Might need to fork them to customize things like partitions etc.
Change provider !
I always use that to install Alpine Linux lol
Every provider I've used that had it pre-installed on a template only seemed to be using it so they could include disk usage stats in their control panel. As I rarely even go to the control panel, I just disable it and don't think any more about it.
On linux, they don't need that for VPS disk or ram usage.
Always remove the qemu-ga backdoor, but didn't remove cloud-init. Was too lazy to switch to a static network config without it. But now that you say it is a similar backdoor, will get onto removing it as well.
I got banned on Reddit for posting some copy-pasted code to answer a question, and good luck getting unbanned, still hadn't, just signed up for a new account.
If you installed the OS, no.
If you accepted the preinstalled template, then also no, you didn't install it.
I click button
But, from what I know, the provider could still make a snapshot of your running vm in its LUKS unlocked state, then mount it and use it as if it didn't have LUKS to begin with right? They don't even need to mess with memory dumps right? So then what's the point of using LUKS?
Yes, I believe that could be another way.
The point is that it’s just another barrier of entry from automated tools. I believe some panels (e.g., Virtualizor) use libguestfs to modify files if I remember correctly.
To slow down the admin's curiosity.
Ok, I like your signature, we love ExtraVM.
Anyway, but that's the point, it doesn't slow down the admin's curiosity because if he creates a snapshot of your running vm in its LUKS unlocked state (and let's be real, you won't have your server turned off much) then it's as if LUKS was never used. They could inspect it without any hassle or workaround needed.
It's all a fake sense of security, having your vm luks encrypted does not prevent or make it ANY harder for your host to snoop in your gay porn files.