How to enable QEMU Guest Agent guest-exec on RHEL-based distributions

    This article explains how to enable the guest-exec command for the QEMU Guest Agent on RHEL-based distributions (AlmaLinux, CloudLinux, CentOS, Rocky Linux, etc.) when it is disabled by default.

    Symptoms

    • Running qm guest exec <VMID> -- <command> from Proxmox returns:
      Agent error: The command guest-exec has been disabled for this instance
    • The QEMU guest agent is installed, running, and responding to pings (guest-ping works)
    • Affects AlmaLinux, CloudLinux, CentOS, Rocky Linux, and other RHEL derivatives

    Cause

    RHEL-based distributions ship the QEMU guest agent with restricted RPC commands in /etc/sysconfig/qemu-ga. The mechanism varies by OS version:

    OS Version Config Variable Flag Style guest-exec Default
    CentOS/RHEL 7 BLACKLIST_RPC --blacklist= Blocked
    AlmaLinux/CloudLinux/RHEL 8 BLACKLIST_RPC --blacklist= Blocked
    AlmaLinux/CloudLinux/RHEL 9 FILTER_RPC_ARGS --allow-rpcs= Not in allow-list
    AlmaLinux/CloudLinux/RHEL 10 FILTER_RPC_ARGS --allow-rpcs= Partially allowed

    Fix by OS version

    CentOS 7 / RHEL 7

    Mechanism: Blocklist with BLACKLIST_RPC

    Default config:

    BLACKLIST_RPC=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status

    How to check:

    grep BLACKLIST_RPC /etc/sysconfig/qemu-ga

    Fix with sed:

    sed -i 's/^BLACKLIST_RPC=.*/BLACKLIST_RPC=/' /etc/sysconfig/qemu-ga
systemctl restart qemu-guest-agent

    Manual fix: Open /etc/sysconfig/qemu-ga and replace the BLACKLIST_RPC=... line with BLACKLIST_RPC=, then restart the agent.

    AlmaLinux 8 / CloudLinux 8 / RHEL 8

    Mechanism: Blocklist with BLACKLIST_RPC

    Default config:

    BLACKLIST_RPC=guest-file-open,guest-file-close,guest-file-read,guest-file-write,guest-file-seek,guest-file-flush,guest-exec,guest-exec-status

    How to check:

    grep BLACKLIST_RPC /etc/sysconfig/qemu-ga

    Fix with sed:

    sed -i 's/^BLACKLIST_RPC=.*/BLACKLIST_RPC=/' /etc/sysconfig/qemu-ga
systemctl restart qemu-guest-agent

    Manual fix: Open /etc/sysconfig/qemu-ga and replace the BLACKLIST_RPC=... line with BLACKLIST_RPC=, then restart the agent.

    AlmaLinux 9 / CloudLinux 9 / RHEL 9

    Mechanism: Allow-list with FILTER_RPC_ARGS

    Default config:

    bash
    FILTER_RPC_ARGS="--allow-rpcs=guest-sync-delimited,guest-sync,guest-ping,guest-get-time,guest-set-time,guest-info,guest-shutdown,guest-fsfreeze-status,guest-fsfreeze-freeze,guest-fsfreeze-freeze-list,guest-fsfreeze-thaw,guest-fstrim,guest-suspend-disk,guest-suspend-ram,guest-suspend-hybrid,guest-network-get-interfaces,guest-get-vcpus,guest-set-vcpus,guest-get-disks,guest-get-fsinfo,guest-set-user-password,guest-get-memory-blocks,guest-set-memory-blocks,guest-get-memory-block-info,guest-get-host-name,guest-get-users,guest-get-timezone,guest-get-osinfo,guest-get-devices,guest-ssh-get-authorized-keys,guest-ssh-add-authorized-keys,guest-ssh-remove-authorized-keys,guest-get-diskstats,guest-get-cpustats"

    Missing RPCs: guest-exec, guest-exec-status, guest-file-open, guest-file-close, guest-file-read, guest-file-write

    How to check:

    grep FILTER_RPC_ARGS /etc/sysconfig/qemu-ga | grep -o 'guest-exec'
# No output = needs fixing

    Fix with sed:

    sed -i 's/guest-get-cpustats"/guest-get-cpustats,guest-exec,guest-exec-status,guest-file-open,guest-file-close,guest-file-read,guest-file-write"/' /etc/sysconfig/qemu-ga
systemctl restart qemu-guest-agent

    Manual fix: Open /etc/sysconfig/qemu-ga, find the FILTER_RPC_ARGS line ending with guest-get-cpustats", and add ,guest-exec,guest-exec-status,guest-file-open,guest-file-close,guest-file-read,guest-file-write before the closing quote.

    AlmaLinux 10 / CloudLinux 10 / RHEL 10

    Mechanism: Allow-list with FILTER_RPC_ARGS

    Default config includes: guest-exec, guest-file-open, guest-file-read, guest-file-close

    Missing RPCs: guest-exec-status, guest-file-write

    How to check:

    grep FILTER_RPC_ARGS /etc/sysconfig/qemu-ga | grep -oE 'guest-(exec|file)[a-z-]*' | sort
# If guest-exec-status or guest-file-write are missing, it needs fixing

    Fix with sed:

    sed -i 's/guest-file-close"/guest-file-close,guest-exec-status,guest-file-write"/' /etc/sysconfig/qemu-ga
systemctl restart qemu-guest-agent

    Manual fix: Open /etc/sysconfig/qemu-ga, find the FILTER_RPC_ARGS line ending with guest-file-close", and add ,guest-exec-status,guest-file-write before the closing quote.

    Verification

    From the Proxmox host:

    # Should return output instead of "disabled" error
qm guest exec <VMID> -- echo ok

    From inside the VM:

    # Verify the running process has the updated flags
ps aux | grep qemu-ga

# Check the config
cat /etc/sysconfig/qemu-ga | grep -E 'BLACKLIST|FILTER'

    Additional notes

    • The config file location is /etc/sysconfig/qemu-ga on all RHEL-based distributions.
    • Package updates (dnf update qemu-guest-agent) may overwrite /etc/sysconfig/qemu-ga and re-apply the default restrictions. After updates, verify the configuration.
    • On CentOS 7 and RHEL 8 derivatives, the agent uses --blacklist= which was renamed to --block-rpcs= in RHEL 9. The old flag still works but is deprecated.
    Published