VBoxManage/vmrun proxy to allow communication from within a VM to the hypervisor running the VM.
This allows you to communicate with hypervisors from within docker containers.
The main use case I am working towards for my MVP is to support the local hypervisor machinery that the cuckoo sandbox uses so that my project docker-cuckoo can work with VMware/VirtualBox/KVM etc.
vm-proxy works by creating a secure local webhook to proxy VBoxManage
or vmrun
out the the host running docker. So from the container's perspective it is using the real tools locally, but they are instead using a small golang binary that securely communicates to vm-proxy.
vm-proxy also creates SSL certs and a token to secure communications between the container and the hypervisor. Also I will only expose a minimal set of hypervisor functionality at first to prevent malicious actors from trying to harm your host or VMs. I will also sanitize input sent via the clients to the server.
Others have created solutions where containers can ssh to the host and run ANY commands, which I believe is not safe (think rm -rf /
). Or you can leverage APIs exposed by the hypervisors, but then you have to maintain your middleware to talk to them. You also will need to setup and start the API servers locally.
My solution (targeting cuckoo) requires NO changes to cuckoo as it thinks it is talking to the real VBoxManage
/vmrun
binaries, making it easier to maintain in the long term and requiring no changes on cuckoo's side.
$ brew install blacktop/tap/vm-proxy
$ brew services start blacktop/tap/vm-proxy
$ vm-proxy --help
Usage: vm-proxy [OPTIONS] COMMAND [arg...]
VMProxy Server - allows hypervisors to be controlled from docker containers
Version: , BuildTime:
Author:
blacktop - <https://github.com/blacktop>
Options:
--verbose, -V verbose output
--host value microservice host (default: "127.0.0.1") [$VMPROXY_HOST]
--port value microservice port (default: "3993") [$VMPROXY_PORT]
--token value webhook token [$VMPROXY_TOKEN]
--help, -h show help
--version, -v print the version
Commands:
update Update images
export Export Database
help Shows a list of commands or help for one command
Run 'vm-proxy COMMAND --help' for more information on a command.
$ vm-proxy
WARN[0000] no webhook token set: --token
2018/03/19 15:58:04 written cert.pem
2018/03/19 15:58:04 written key.pem
INFO[0000] vm-proxy service listening host=127.0.0.1 port=3993 token=
See docs here
See docs here
See docs here
- Add version check to debugvm calls
- vmrun
- create homebrew installer for vm-proxy-server
- build small base images with VBoxManage in them
- figure out filesystem translation for dropping PCAP or memory dumps so container can see them (using volumes?)
- auto-create certs on first run
- standardize on a log provider (apex/logrus)
Find a bug? Want more features? Find something missing in the documentation? Let me know! Please don't hesitate to file an issue
Apache License (Version 2.0) Copyright (c) 2016 - 2018 blacktop