virt-ls has felt a little unloved for a long time. With this patch
series, it turns into quite a useful tool for doing forensics and
monitoring of VMs, and looking for changes to files.

I have added the 'virt-ls -lR' output mode (the combination of -l and -R
was previously unused). In this mode you get a recursive list of
files and directories, with extra stat information and optionally a
file checksum.

The output is designed to be easily grepped to look for common
patterns. For example, to display all setuid and setgid executables
in a virtual machine you can do:

  # virt-ls -lR -d guest / | grep '^- [42]'
  - 4755 12544 /bin/cgexec -
  - 4755 32448 /bin/fusermount -
  - 4755 78648 /bin/mount -
  - 4755 43160 /bin/ping -
  - 4755 47888 /bin/ping6 -
  - 4755 34904 /bin/su -
  - 4755 50432 /bin/umount -
  [etc]

To display all public writable directories:

  # virt-ls -lR -d guest / | grep '^d ...7'
  d 1777 12288 /tmp -
  d 1777 4096 /tmp/.ICE-unix -
  d 1777 4096 /tmp/.X11-unix -
  d 1777 4096 /var/tmp -

To display files larger than 10MB in home directories:

  # virt-ls -lR -d myguest /home | awk '$3 > 10*1024*1024'

You can also use this to look for file changes, e.g. between a snapshot
and a later version of a VM:

  # virt-ls -lR -a snapshot.img / --uids --time-t --checksum > old
  # virt-ls -lR -a current.img / --uids --time-t --checksum > new
  # diff -u old new | less

There is also a --csv option for serious work.

Rich.

--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
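
The grep patterns in the message key on a single digit of the mode. The following added example, which is not part of the original message or of the patch series, decodes the mode digits instead, so a file that is both setuid and setgid (mode 6755) is reported, and world-writable directories are listed only when the sticky bit is missing. It assumes the five-column layout of the sample output above; `audit_modes` and `sample_listing` are hypothetical names and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: decode mode bits in 'virt-ls -lR' output.
# Assumed layout, taken from the sample lines in the message:
#   <type> <4-digit octal mode> <size> <path> <trailing field>
# Typical use:  virt-ls -lR -d guest / | audit_modes
audit_modes() {
    awk '
    NF >= 5 && $2 ~ /^[0-7][0-7][0-7][0-7]$/ {
        special = substr($2, 1, 1) + 0   # 4 = setuid, 2 = setgid, 1 = sticky
        other   = substr($2, 4, 1) + 0   # permission digit for "other"
        suid   = int(special / 4) % 2
        sgid   = int(special / 2) % 2
        sticky = special % 2
        ww     = int(other / 2) % 2      # write bit for "other"
        # The path is everything between the size and the trailing field,
        # so a path containing single spaces is kept whole.
        path = $4
        for (i = 5; i < NF; i++) path = path " " $i
        if ($1 == "-" && suid)          print "SETUID", $2, path
        if ($1 == "-" && sgid)          print "SETGID", $2, path
        if ($1 == "-" && ww)            print "WW-FILE", $2, path
        if ($1 == "d" && ww && !sticky) print "WW-NOSTICKY", $2, path
    }'
}

# Constructed sample listing (not real guest output).
sample_listing() {
    cat <<'EOF'
- 4755 34904 /bin/su -
- 6755 10000 /usr/bin/example both -
- 2755 5000 /usr/bin/wall -
d 1777 12288 /tmp -
d 0777 4096 /srv/drop -
- 0666 12 /etc/example.conf -
- 0644 100 /etc/passwd -
EOF
}

sample_listing | audit_modes
```
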