
Hi everyone! I am working on developing a plugin for the cuckoo sandbox ( http://cuckoosandbox.org), that will allow users to select oVirt as a virtualization solution. I have it working, for the most part, but one area where I need some guidance is in retrieving memory images. I know that when you take a snapshot, you can request that the memory be stored as well. My issue is that I don't see a way to retrieve the memory, so that it can be fed into analysis tools like Volatility ( http://www.volatilityfoundation.org/). Does anyone have any pointers for me? Thanks! --Matt

Hi Matt,

When creating a snapshot with memory, 2 additional images are created:
1. for the VM configuration/metadata
2. for the memory dump

In oVirt 3.6 and below you'll notice a field called memory_vol_handle in the snapshots table that points to these images. It is of the following format:
<storage_domain_id>,<storage_pool_id>,<memory_dump_disk_id>,<memory_dump_volume_id>,<memory_conf_disk_id>,<memory_conf_volume_id>

In master branch, you'll find two fields in the snapshots table called memory_dump_disk_id and memory_metadata_disk_id that contain the disk IDs. We plan to remove the memory_vol_handle field from the snapshots table soon, so please do not rely on it.

Regards,
Arik

On Thu, Mar 17, 2016 at 7:59 AM, Arik Hadas <ahadas@redhat.com> wrote:
Thanks Arik! Has any of this been added to the Python SDK, by chance?

Regards,
--Matt

On Wed, Mar 16, 2016 at 9:56 PM, Matt Mossholder <matt@mossholder.com> wrote:
Memory snapshots are stored in special oVirt disk images in shared storage. I think the best way to access them is to attach the memory volume to another VM as a disk, and access the disk contents from that VM. When you finish with the disk you can hot-unplug it from the VM.

We use a similar way to back up volumes with regular disks; hopefully this is possible with memory volumes. See https://www.ovirt.org/develop/release-management/features/storage/backup-res...

If this is not possible within engine, you can get access to the memory volumes by using the prepareImage and teardownImage APIs using vdsClient:

1. find the memory snapshot volume uuids (available in vdsm log, look for VM.snapshot); probably available via engine APIs
2. prepare the image: vdsClient -s 0 prepareImage ... (see online help for the arguments). This returns the path to the image
3. read the data from the path using dd (it may be a block device)
4. tear down the image: vdsClient -s 0 teardownImage ... (see online help for the arguments)

Note that doing this behind the engine's back is not a good idea, but it may be good enough for your use case.

In 4.0 you will have the ability to upload and download images using http; this should be the easiest way to access the memory volumes. For more info you can check the ovirt-imageio project:
- https://www.ovirt.org/develop/release-management/features/image-upload/
- git clone https://gerrit.ovirt.org/ovirt-imageio

Nir
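The following is an added example for this thread, not code from oVirt, VDSM, cuckoo or any of the posters. It ties together Arik's description of the snapshots-table fields (the six-UUID memory_vol_handle on 3.6 and below, the two disk-ID columns on master) and Nir's step 3 (reading the prepared volume, which may be a block device). Everything beyond the thread is an assumption and is marked as such in the code: the sample UUIDs are constructed, the /rhev/data-center/<pool>/<domain>/images/<disk>/<volume> layout is my assumption about where a prepared image lands (prepareImage's own return value is the authoritative path), and the prepareImage/teardownImage calls themselves are not wrapped because their arguments are not given in the thread.

```python
"""Resolve and read the memory volumes behind an oVirt memory snapshot.

Added example, not oVirt/VDSM code.  Assumptions (not in the thread):
  * prepared-image layout root/<pool_id>/<domain_id>/images/<disk_id>/<vol_id>
  * SAMPLE_HANDLE is a constructed handle with made-up UUIDs
"""
import os
import uuid
from dataclasses import dataclass
from typing import Dict, Optional

CHUNK = 4 * 1024 * 1024  # 4 MiB reads; memory dumps are gigabytes

# Constructed sample in the 3.6-and-below memory_vol_handle layout Arik describes.
SAMPLE_HANDLE = (
    "11111111-1111-1111-1111-111111111111,22222222-2222-2222-2222-222222222222,"
    "33333333-3333-3333-3333-333333333333,44444444-4444-4444-4444-444444444444,"
    "55555555-5555-5555-5555-555555555555,66666666-6666-6666-6666-666666666666"
)

_HANDLE_FIELDS = (
    "storage_domain_id", "storage_pool_id",
    "memory_dump_disk_id", "memory_dump_volume_id",
    "memory_conf_disk_id", "memory_conf_volume_id",
)


@dataclass(frozen=True)
class MemoryVolumes:
    storage_domain_id: Optional[str]
    storage_pool_id: Optional[str]
    memory_dump_disk_id: str
    memory_dump_volume_id: Optional[str]
    memory_conf_disk_id: str          # memory_metadata_disk_id on master
    memory_conf_volume_id: Optional[str]


def _uuid(name: str, value: str) -> str:
    """Canonicalise one ID; reject anything that is not a UUID before it can
    reach a filesystem path or a command line."""
    try:
        return str(uuid.UUID(value.strip()))
    except (ValueError, AttributeError):
        raise ValueError(f"{name}: {value!r} is not a UUID") from None


def parse_memory_vol_handle(handle: str) -> MemoryVolumes:
    """Six comma-separated UUIDs in the order given in the thread."""
    parts = handle.split(",")
    if len(parts) != len(_HANDLE_FIELDS):
        raise ValueError(f"expected {len(_HANDLE_FIELDS)} fields, got {len(parts)}")
    return MemoryVolumes(*(_uuid(n, p) for n, p in zip(_HANDLE_FIELDS, parts)))


def memory_volumes_from_row(row: Dict[str, Optional[str]]) -> MemoryVolumes:
    """Prefer the newer disk-ID columns; use memory_vol_handle only as a
    fallback, since it is slated for removal."""
    dump, meta = row.get("memory_dump_disk_id"), row.get("memory_metadata_disk_id")
    if dump and meta:
        return MemoryVolumes(None, None, _uuid("memory_dump_disk_id", dump), None,
                             _uuid("memory_metadata_disk_id", meta), None)
    handle = row.get("memory_vol_handle")
    if not handle:
        raise ValueError("snapshot row carries no memory volumes")
    return parse_memory_vol_handle(handle)


def dump_volume_path(vols: MemoryVolumes, root: str = "/rhev/data-center") -> str:
    """ASSUMED layout of a prepared image.  The path prepareImage returns is
    authoritative; use that whenever you have it."""
    if None in (vols.storage_pool_id, vols.storage_domain_id, vols.memory_dump_volume_id):
        raise ValueError("pool, domain and volume IDs only exist in memory_vol_handle")
    return os.path.join(root, vols.storage_pool_id, vols.storage_domain_id,
                        "images", vols.memory_dump_disk_id, vols.memory_dump_volume_id)


def copy_volume(src: str, dst: str, chunk: int = CHUNK) -> int:
    """dd-style copy of a prepared volume; returns bytes copied.  Size is taken
    from SEEK_END, which works for a block device where st_size reads 0."""
    copied = 0
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        size = fin.seek(0, os.SEEK_END)
        fin.seek(0)
        while copied < size:
            buf = fin.read(min(chunk, size - copied))
            if not buf:
                raise IOError(f"short read at {copied} of {size} bytes")
            fout.write(buf)
            copied += len(buf)
    return copied


def demo() -> int:
    """Offline run on constructed data: parse SAMPLE_HANDLE, derive the assumed
    path, copy a 3 MiB + 1 byte fake volume (not a real memory dump)."""
    import tempfile
    print("memory dump expected at", dump_volume_path(parse_memory_vol_handle(SAMPLE_HANDLE)))
    payload = os.urandom(3 * 1024 * 1024 + 1)
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "vol"), os.path.join(d, "vol.copy")
        with open(src, "wb") as f:
            f.write(payload)
        copied = copy_volume(src, dst, chunk=1024 * 1024)
        with open(dst, "rb") as f:
            if f.read() != payload:
                raise RuntimeError("copy does not match source")
    return copied


if __name__ == "__main__":
    print(demo(), "bytes copied")
```

On a real host the copy sits between Nir's step 2 and step 4: run copy_volume against the path prepareImage returned, and call teardownImage in a finally block so a failed read never leaves the image prepared.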
participants (4)
- Arik Hadas
- Matt Mossholder
- Matt Mossholder
- Nir Soffer