Qemu-ga and Nethsecurity

sarz4fun · October 7, 2024, 6:27pm

hello everyone,
i noticed that in the latest build (23.05.5-ns.1.2.99-alpha1-56) of nethsecurity, the qemu guest agent for proxmox is not loaded.
With the commands from the terminal i managed to install and after restarting the vm, guest agent started working.
I wanted to ask if it is possible to keep the package installed or install it automatically when the image is updated. It is a bit complicated to remember to reinstall the package and restart the firewall every time the image is changed.

thanks

Andy_Wismer · October 7, 2024, 7:05pm

@sarz4fun

I fully agree with this.

Debian has, since version 12 an autodetect if running under Proxmox when installing a VM, and accodingly installs the qemu-guest-agent automatically…

It’s a one-liner to query if running under kvm, and accordingly update / reinstall the qemu-guest-agent. For the devs…

My 2 cents
Andy

sarz4fun · October 8, 2024, 5:21am

A solution can be to split images distribution in bare metal, kmv and VMware, removing all unnecesary modules for each distribution and integrate dedicated guest agents and drivers.

giacomo · October 8, 2024, 7:24am

Qemu tools were available inside the images since the beginning because it was easier for the development.
But running the image on a physical machine had a drawback: the tools were not able to run correctly, multiple errors were logged, and a useless daemon was running.

Many users asked the tools for VMware too.
So the safest path is to move both tools to extra optional packages.
This choice has multiple benefits:

image size have been reduced
no more errors on non-KVM machine
no more useless daemon running even if not needed

Also bear in mind that most installations run on physical hardware.
This is the actual status of installation based on phone home:

Pyhical 66%, KVM 25% (but here there are many dev installations), VMware 8%.

This is not possible for now, it’s a limitation of OpenWrt: [OpenWrt Wiki] Preserving OpenWrt packages
Creating a script that handle all the cases is quite hard and prone to error.

I have to disagree. We are not running a modern distro like Debian, working with OpenWrt is much like working on a Slackware in the nineties.

Yes this is a solution but a nightmare to maintain because OpenWrt build system can’t handle such situations.

I know it’s hard, but if you want, you can keep your custom build: Custom images | NethSecurity

sarz4fun · October 8, 2024, 4:02pm

Maybe some new flags on settings Page that enable specific scripts for qemu-ga, wmware, legacy nics or something else for example could be a an idea?

giacomo · October 9, 2024, 9:09am

If it’s a manual thing, the doc is already there on how to execute them

If the procedure should be automatic, the problem is to determinate when to execute such script. There isn’t a ready-to-use hook at the end of the upgrade process.

sarz4fun · October 9, 2024, 8:31pm

I understand the limitations, reading openwrt docs.
Another idea to help end users can be a warning message on system upgrade page with the list of custom installed packages.
Another idea can be a small package list, with install/remove button with a terminal emulation like openmediavault’s package manager.

giacomo · October 10, 2024, 7:06am

This is a good idea.

Even this one could be a good idea assuming the user didn’t manually mess up the configuration of repositories.

sarz4fun · October 10, 2024, 11:10am

Only for official addons of course.