About 4 years ago I wrote some code that peeks into the memory of guests, reads out the kernel, and finds out useful stuff: symbols, process tables, kernel messages, network interfaces and so on. Actually I should say at this point you can already do this using the excellent crash tool, and if you have the debuginfo for all your guest kernels, you should use that tool. My code was trying to be more ambitious, because it heuristically examined the kernel memory, guessing the location of various structures.
Well, that code was not so successful. Heuristics only take you so far when you’re looking at something as complex and variable as the process table. One day I hope to make a big breakthrough to make it all possible.
Nevertheless, some things worked quite well: it was actually pretty easy to snoop out the kernel symbols, and once you’ve got those some of the more static kernel structures are easily accessible.
For the past few days I’ve been working on two tools derived from that.
virt-dmesg shows you the kernel messages from a running Linux virtual machine:
# virt-dmesg F14x64 | tail -5
<6>[ 11.609206] lo: Disabled Privacy Extensions
<6>[ 11.634902] ip6_tables: (C) 2000-2006 Netfilter Core Team
<6>[ 15.286998] eth0: link up, 100Mbps, full-duplex, lpa 0x05E1
<7>[ 21.898345] mtrr: no MTRR for f0000000,100000 found
<7>[ 25.714129] eth0: no IPv6 routers present
virt-uname shows the utsname structure:
# virt-uname Fedora14
Linux f14x64.home.annexia.org 18.104.22.168-83.fc14.x86_64 #1 SMP
Mon Feb 7 07:06:44 UTC 2011 x86_64 (none)
The main page for virt-dmesg and virt-uname is here, and there is also a git repository.
You will need a bunch of patches against libvirt to make it work. I have updated libvirt in Rawhide with all the required patches, and without that version of libvirt it definitely won’t work at all.
It works for many, but not all, guests that I’ve tried. The main problem is with guests that don’t enable the full kallsyms feature. If the guest doesn’t have all of the kernel configuration options below enabled, then you may have to fall back to dumping out the kernel and grepping through it with “strings”.