Qubes internal network topology


Zrubi

Feb 11, 2016, 6:20:46 AM
to qubes...@googlegroups.com

Hi,

I want to visualize the internal Qubes network topology.
Is there any better way to get the actual topology than parsing the
output of `qvm-ls -n`?


Thanks.


--
Zrubi

Marek Marczykowski-Górecki

Feb 11, 2016, 8:42:32 AM
to Zrubi, qubes...@googlegroups.com

On Thu, Feb 11, 2016 at 12:20:40PM +0100, Zrubi wrote:
> Hi,
>
> I want to visualize the internal Qubes network topology.
> Is there any better way to get the actual topology than parsing the
> output of `qvm-ls -n`

Unfortunately no, at least not yet. We'd love to have something like
that in Qubes Manager in Qubes 4.0, but that's just a wishlist entry
for now...

--
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

Andrew

Feb 11, 2016, 8:56:17 AM
to qubes...@googlegroups.com
Marek Marczykowski-Górecki:
> On Thu, Feb 11, 2016 at 12:20:40PM +0100, Zrubi wrote:
>> Hi,
>
>> I want to visualize the internal Qubes network topology.
>> Is there any better way to get the actual topology than parsing the
>> output of `qvm-ls -n`
>
> Unfortunately no, at least not yet. We'd love to have something like
> that in Qubes Manager in Qubes 4.0, but that's just a wishlist entry
> for now...
>
>

I've made my own hacky script for visualizing network and PCI
attachments. Maybe this will tide you over until there's something more
official?

It's not completely bug-free; there is a spacing issue for ProxyVMs, but
visually I think it looks just fine and haven't had much motivation to
fix it.

Pic with redactions attached.

Andrew
print_vm_stats.png
print_vm_stats.py

Joanna Rutkowska

Feb 11, 2016, 11:52:22 AM
to Andrew, qubes...@googlegroups.com

Hate to break it to you, but you're not quarantining ME by assigning the ME host
controller device to a VM, as seen on your screenshot. This device is a mere
interface for the OS to talk to the ME, but ME is still free to do whatever DMA
it wants. Sorry. I once believed this would work too... :/

joanna.

Andrew

Feb 11, 2016, 12:05:45 PM
to qubes...@googlegroups.com
Joanna Rutkowska:
> On Thu, Feb 11, 2016 at 01:56:11PM +0000, Andrew wrote:
>> Marek Marczykowski-Górecki:
>>> On Thu, Feb 11, 2016 at 12:20:40PM +0100, Zrubi wrote:
>>>> Hi,
>>>
>>>> I want to visualize the internal Qubes network topology.
>>>> Is there any better way to get the actual topology than parsing the
>>>> output of `qvm-ls -n`
>>>
>>> Unfortunately no, at least not yet. We'd love to have something like
>>> that in Qubes Manager in Qubes 4.0, but that's just a wishlist entry
>>> for now...
>>>
>>>
>
>> I've made my own hacky script for visualizing network and PCI
>> attachments. Maybe this will tide you over until there's something more
>> official?
>
>> It's not completely bug-free; there is a spacing issue for ProxyVMs, but
>> visually I think it looks just fine and haven't had much motivation to
>> fix it.
>
>> Pic with redactions attached.
>
>> Andrew
>
>
> Hate to break it to you, but you're not quarantining ME by assigning the ME host
> controller device to a VM, as seen on your screenshot. This device is a mere
> interface for the OS to talk to the ME, but ME is still free to do whatever DMA
> it wants. Sorry. I once believed this would work too... :/
>
> joanna.
>

Oh, I'm well aware of this. I think I even asked about this explicitly
on the list before (and you were probably the one to reply that it's
ineffective). It may indeed be Quixotic, but it can't hurt, right? ;)

Andrew

Eric Shelton

Feb 11, 2016, 1:17:35 PM
to qubes-devel, kyb...@riseup.net
Actually, the thinking behind it seems very Qubes-like to me - take all unused PCI devices out of dom0.  We can do it, so why not?  Although the above example does this at a cost of 141M of memory, that could be minimized by using a "do nothing" unikernel (for example, the unikernel-based firewall has been run with just 20MB of memory).

I thought it was worthy of creating an issue: https://github.com/QubesOS/qubes-issues/issues/1743

Eric

Manuel Amador (Rudd-O)

Feb 11, 2016, 6:47:50 PM
to qubes...@googlegroups.com
On 02/11/2016 01:42 PM, Marek Marczykowski-Górecki wrote:
>
> Unfortunately no, at least not yet. We'd love to have something like
> that in Qubes Manager in Qubes 4.0, but that's just a wishlist entry
> for now...
>

Something that would create Graphviz graphs and display them with dot or
neato would be phenomenal.

--
Rudd-O
http://rudd-o.com/

Zrubi

Feb 12, 2016, 9:48:58 AM
to qubes...@googlegroups.com

On 02/12/2016 12:47 AM, Manuel Amador (Rudd-O) wrote:

> Something that would create Graphviz graphs and display them with
> dot or neato would be phenomenal.
>

Actually I'm working on something like this - but using Python to
conform with the other Qubes scripts.

My plan is to create a script which can output:
- raw graph (dot) data
- png/svg image

However I'm new to Python and dot as well - but I need to get this
knowledge for my work anyway - so I have a win-win situation here ;)

I will share the result as soon as it produces some meaningful info.

--
Zrubi

Iestyn Best

May 23, 2016, 10:41:33 PM
to qubes-devel
Sounds interesting. Please keep us updated on your progress.

Laszlo Zrubecz

May 24, 2016, 6:04:24 AM
to Iestyn Best, qubes-devel

On 05/24/2016 04:41 AM, Iestyn Best wrote:

> Sounds interesting. Please keep us updated on your progress.

It is pretty basic right now, but at least it produces a .dot style topology:

https://gist.github.com/Zrubi/6229d5400bde987b1aa8da516553b909



--
Laszlo Zrubecz