Xen users - Dec 2008 - Disable QEMU monitor in HVM domains

Hi,

I use Xen 3.3, installed from sources. I run a few HVM domains for
clients. QEMU is also from the Xen 3.3 source package.

It seems that the QEMU Monitor is *by default* accessible via the VNC
interface (CTRL+ALT+2) on these domains. I did some research on
Google, and it seems that most people say that it has been disabled by
default since an earlier Xen/QEMU branch.

I am using more or less the default out-of-the box configuration, with
few options changed.
This is of course a big security risk. The monitor should be disabled
by default, and it clearly isn''t.

I can''t seem to disable it either. I tried options
"monitor=0" and
such in the domain configurations, but there''s no difference.

I would really, really, really like to change this behavior!

Kind regards,
Rik

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

I''m replying to my own E-mail of 2 weeks ago. I have still found no
way to disable the Qemu monitor in HVM DomUs. I''d really like to
disable it for security reasons, but I can''t seem to find anything in
the docs or on Google. Please help (pretty please?)

Rik

2008/12/30 Rik v. A <rikratva@gmail.com>:
> Hi,
>
> I use Xen 3.3, installed from sources. I run a few HVM domains for
> clients. QEMU is also from the Xen 3.3 source package.
>
> It seems that the QEMU Monitor is *by default* accessible via the VNC
> interface (CTRL+ALT+2) on these domains. I did some research on
> Google, and it seems that most people say that it has been disabled by
> default since an earlier Xen/QEMU branch.
>
> I am using more or less the default out-of-the box configuration, with
> few options changed.
> This is of course a big security risk. The monitor should be disabled
> by default, and it clearly isn''t.
>
> I can''t seem to disable it either. I tried options
"monitor=0" and
> such in the domain configurations, but there''s no difference.
>
> I would really, really, really like to change this behavior!
>
> Kind regards,
> Rik
>
_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Thu, Jan 15, 2009 at 4:03 PM, Rik v. A <rikratva@gmail.com>
wrote:
> I''m replying to my own E-mail of 2 weeks ago. I have still found
no
> way to disable the Qemu monitor in HVM DomUs. I''d really like to
> disable it for security reasons, but I can''t seem to find anything
in
> the docs or on Google. Please help (pretty please?)
>
Looks like it should be off by default:
http://xen.markmail.org/search/?q=disable qemu monitor#query:disable
qemu monitor+page:1+mid:zv4jggk2lo4mknby+state:results

What version of Xen?

Cheers,
Todd

-- 
Todd Deshane
http://todddeshane.net
http://runningxen.com

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Sunday 18 January 2009 22:39:34 Todd Deshane wrote:
> On Thu, Jan 15, 2009 at 4:03 PM, Rik v. A <rikratva@gmail.com> wrote:
> > I''m replying to my own E-mail of 2 weeks ago. I have still
found no
> > way to disable the Qemu monitor in HVM DomUs. I''d really like
to
> > disable it for security reasons, but I can''t seem to find
anything in
> > the docs or on Google. Please help (pretty please?)
>
> Looks like it should be off by default:
> http://xen.markmail.org/search/?q=disable qemu monitor#query:disable
> qemu monitor+page:1+mid:zv4jggk2lo4mknby+state:results
>
> What version of Xen?
>
> Cheers,
> Todd
This is on versions 3.3.0 and 3.3.1, both compiled from source.

Rik

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

On Mon, Jan 19, 2009 at 4:20 AM, Rik v. A <rikratva@gmail.com>
wrote:
> On Sunday 18 January 2009 22:39:34 Todd Deshane wrote:
>> On Thu, Jan 15, 2009 at 4:03 PM, Rik v. A <rikratva@gmail.com>
wrote:
>> > I''m replying to my own E-mail of 2 weeks ago. I have
still found no
>> > way to disable the Qemu monitor in HVM DomUs. I''d really
like to
>> > disable it for security reasons, but I can''t seem to find
anything in
>> > the docs or on Google. Please help (pretty please?)
>>
>> Looks like it should be off by default:
>> http://xen.markmail.org/search/?q=disable qemu monitor#query:disable
>> qemu monitor+page:1+mid:zv4jggk2lo4mknby+state:results
>>
>> What version of Xen?
>>
>> Cheers,
>> Todd
>
> This is on versions 3.3.0 and 3.3.1, both compiled from source.
>

So then maybe it is a bug. Has anyone else tried it?

Maybe it would be worthwhile to check with xen-devel, since maybe
not many users actually think about it enough to disable it.

It is also possible that the default was changed around the time of 3.3
since there were quite a few little changes in 3.3

Cheers,
Todd

-- 
Todd Deshane
http://todddeshane.net
http://runningxen.com

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users