Skip to content

feat(kubevirt): add tool for QEMU guest agent access#811

Open
codingben wants to merge 1 commit intocontainers:mainfrom
codingben:add-guest-info
Open

feat(kubevirt): add tool for QEMU guest agent access#811
codingben wants to merge 1 commit intocontainers:mainfrom
codingben:add-guest-info

Conversation

@codingben
Copy link
Contributor

Implements vm_guest_info tool to retrieve information from inside running VMs via QEMU guest agent without requiring SSH credentials. This addresses a critical gap in KubeVirt management by enabling:

  • Network troubleshooting (find IP addresses without SSH)
  • Disk space monitoring (prevent outages before they happen)
  • Security auditing (list logged-in users for compliance)
  • VM inventory collection (OS versions for patch management)

Assisted-By: Claude [email protected]

Implements vm_guest_info tool to retrieve information
from inside running VMs via QEMU guest agent without
requiring SSH credentials. This addresses a critical gap
in KubeVirt management by enabling:

- Network troubleshooting (find IP addresses without SSH)
- Disk space monitoring (prevent outages before they happen)
- Security auditing (list logged-in users for compliance)
- VM inventory collection (OS versions for patch management)

Assisted-By: Claude <[email protected]>
Signed-off-by: Ben Oukhanov <[email protected]>
@codingben
Copy link
Contributor Author

/cc @lyarwood @ksimon1 @manusa @Cali0707

description: "Use vm_guest_info to audit which users are currently logged into VMs for security compliance"
steps:
setup:
inline: |-
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can you please use new format of tasks as e.g. we are using here: #756?

Copy link
Contributor

@lyarwood lyarwood left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lets start with the evals, the use cases here are far too high level and model dependant for now. Can you simplify these and break them out into their own commits before any tooling is introduced.

echo " - User 'admin' logged in at 2024-02-25 14:30 ✓"
echo " - User 'unknown_user' logged in at 2024-02-25 03:00 ⚠ Investigate!"
echo ""
echo "✓ Security audit eval complete"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does the judge actually use this? If not it's just slop output that's not asserting anything.

kubectl delete namespace "$NS" --ignore-not-found
prompt:
inline: |
As part of a security compliance audit, you need to check who is currently logged into the production VirtualMachine "prod-app" in the ${EVAL_NAMESPACE:-vm-test} namespace.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I like idea of eventually testing use cases like this but we really need to start with simple building blocks. Something like "list defined users in the VM" and asserting the returned list etc given the image used.

kubectl delete namespace "$NS" --ignore-not-found
prompt:
inline: |
A user reports that they cannot connect to the web server running inside the VirtualMachine named "web-server" in the ${EVAL_NAMESPACE:-vm-test} namespace.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again just simplify and fetch and assert the IP?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants