Fix: Block confidential VMs to install qemu guest agent tools and prevent them to be migrated.

Andres D. Molins · aliel · commit 240c8a8500eb · 2026-02-18T12:39:56.000+01:00
diff --git a/src/aleph/vm/controllers/qemu/cloudinit.py b/src/aleph/vm/controllers/qemu/cloudinit.py
@@ -32,7 +32,7 @@ def get_hostname_from_hash(vm_hash: ItemHash) -> str:
     return base64.b32encode(item_hash_binary).decode().strip("=").lower()
 
 
-def encode_user_data(hostname, ssh_authorized_keys, has_gpu: bool = False) -> bytes:
+def encode_user_data(hostname, ssh_authorized_keys, has_gpu: bool = False, install_guest_agent: bool = True) -> bytes:
     """Creates user data configuration file for cloud-init tool"""
     config: dict[str, str | bool | list[str] | list[list[str]]] = {
         "hostname": hostname,
@@ -41,8 +41,6 @@ def encode_user_data(hostname, ssh_authorized_keys, has_gpu: bool = False) -> by
         "ssh_authorized_keys": ssh_authorized_keys,
         "resize_rootfs": True,
         "package_update": True,
-        "packages": ["qemu-guest-agent"],
-        "runcmd": ["systemctl start qemu-guest-agent.service"],
     }
 
     # Add kernel boot parameters for GPU instances to speed up PCI enumeration
@@ -68,6 +66,10 @@ def encode_user_data(hostname, ssh_authorized_keys, has_gpu: bool = False) -> by
             ],
         ]
 
+    if install_guest_agent:
+        config["packages"] = ["qemu-guest-agent"]
+        config["runcmd"] = ["systemctl start qemu-guest-agent.service"]
+
     cloud_config_header = "#cloud-config\n"
     config_output = yaml.safe_dump(config, default_flow_style=False, sort_keys=False)
     content = (cloud_config_header + config_output).encode()
@@ -119,13 +121,14 @@ async def create_cloud_init_drive_image(
     route,
     ssh_authorized_keys,
     has_gpu: bool = False,
+    install_guest_agent: bool = True,
 ):
     with (
         NamedTemporaryFile() as user_data_config_file,
         NamedTemporaryFile() as network_config_file,
         NamedTemporaryFile() as metadata_config_file,
     ):
-        user_data = encode_user_data(hostname, ssh_authorized_keys, has_gpu=has_gpu)
+        user_data = encode_user_data(hostname, ssh_authorized_keys, has_gpu=has_gpu, install_guest_agent=install_guest_agent)
         user_data_config_file.write(user_data)
         user_data_config_file.flush()
         network_config = create_network_file(ip, ipv6, ipv6_gateway, nameservers, route)
@@ -148,7 +151,7 @@ async def create_cloud_init_drive_image(
 
 
 class CloudInitMixin(AlephVmControllerInterface):
-    async def _create_cloud_init_drive(self) -> Drive:
+    async def _create_cloud_init_drive(self, install_guest_agent: bool = True) -> Drive:
         """Creates the cloud-init volume to configure and set up the VM"""
         ssh_authorized_keys = self.resources.message_content.authorized_keys or []
         if settings.USE_DEVELOPER_SSH_KEYS:
@@ -178,6 +181,7 @@ async def _create_cloud_init_drive(self) -> Drive:
             route,
             ssh_authorized_keys,
             has_gpu=has_gpu,
+            install_guest_agent=install_guest_agent,
         )
 
         return Drive(
diff --git a/src/aleph/vm/controllers/qemu_confidential/instance.py b/src/aleph/vm/controllers/qemu_confidential/instance.py
@@ -91,7 +91,7 @@ async def configure(self, incoming_migration_port: int | None = None):
         logger.debug(f"Making Qemu configuration: {self}")
         monitor_socket_path = settings.EXECUTION_ROOT / (str(self.vm_id) + "-monitor.socket")
 
-        cloud_init_drive = await self._create_cloud_init_drive()
+        cloud_init_drive = await self._create_cloud_init_drive(install_guest_agent=False)
 
         image_path = str(self.resources.rootfs_path)
         firmware_path = str(self.resources.firmware_path)
diff --git a/src/aleph/vm/orchestrator/views/migration.py b/src/aleph/vm/orchestrator/views/migration.py
@@ -156,6 +156,17 @@ async def allocate_migration(request: web.Request) -> web.Response:
                     status=HTTPStatus.BAD_REQUEST,
                 )
 
+            # Reject confidential VMs - they cannot be live-migrated
+            if message.content.environment.trusted_execution is not None:
+                return web.json_response(
+                    {
+                        "status": "error",
+                        "error": "Live migration is not supported for confidential VMs",
+                        "vm_hash": str(vm_hash),
+                    },
+                    status=HTTPStatus.BAD_REQUEST,
+                )
+
             # Create VM prepared for incoming migration
             execution = await pool.create_a_vm(
                 vm_hash=vm_hash,
@@ -247,6 +258,17 @@ async def migration_start(request: web.Request) -> web.Response:
             status=HTTPStatus.BAD_REQUEST,
         )
 
+    # Reject confidential VMs - they cannot be live-migrated
+    if execution.is_confidential:
+        return web.json_response(
+            {
+                "status": "error",
+                "error": "Live migration is not supported for confidential VMs",
+                "vm_hash": str(vm_hash),
+            },
+            status=HTTPStatus.BAD_REQUEST,
+        )
+
     # Check that VM object exists
     if not execution.vm:
         return web.json_response(
