| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <zz5fnulfljo6hyxaveseq3dxfgljfs33m7ncsw6uod6wouaqhl@jzdmg6s7g5dw>
Date: Thu, 13 Mar 2025 16:37:16 +0100
From: Stefano Garzarella <sgarzare@...hat.com>
To: Bobby Eshleman <bobbyeshleman@...il.com>
Cc: Jakub Kicinski <kuba@...nel.org>,
"K. Y. Srinivasan" <kys@...rosoft.com>, Haiyang Zhang <haiyangz@...rosoft.com>,
Wei Liu <wei.liu@...nel.org>, Dexuan Cui <decui@...rosoft.com>,
Stefan Hajnoczi <stefanha@...hat.com>, "Michael S. Tsirkin" <mst@...hat.com>,
Jason Wang <jasowang@...hat.com>, Xuan Zhuo <xuanzhuo@...ux.alibaba.com>,
Eugenio PĂ©rez <eperezma@...hat.com>, Bryan Tan <bryan-bt.tan@...adcom.com>,
Vishnu Dasa <vishnu.dasa@...adcom.com>,
Broadcom internal kernel review list <bcm-kernel-feedback-list@...adcom.com>, "David S. Miller" <davem@...emloft.net>,
virtualization@...ts.linux.dev, netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
linux-hyperv@...r.kernel.org, kvm@...r.kernel.org
Subject: Re: [PATCH v2 0/3] vsock: add namespace support to vhost-vsock
Hi Bobby,
first of all, thank you for starting this work again!
On Wed, Mar 12, 2025 at 07:28:33PM -0700, Bobby Eshleman wrote:
>Hey all,
>
>Apologies for forgetting the 'net-next' prefix on this one. Should I
>resend or no?
I'd say let's do a firts review cycle on this, then you can re-post.
Please check also maintainer cced, it looks like someone is missing:
https://patchwork.kernel.org/project/netdevbpf/patch/20250312-vsock-netns-v2-1-84bffa1aa97a@gmail.com/
>
>Best,
>Bobby
>
>On Wed, Mar 12, 2025 at 01:59:34PM -0700, Bobby Eshleman wrote:
>> Picking up Stefano's v1 [1], this series adds netns support to
>> vhost-vsock. Unlike v1, this series does not address guest-to-host (g2h)
>> namespaces, defering that for future implementation and discussion.
>>
>> Any vsock created with /dev/vhost-vsock is a global vsock, accessible
>> from any namespace. Any vsock created with /dev/vhost-vsock-netns is a
>> "scoped" vsock, accessible only to sockets in its namespace. If a global
>> vsock or scoped vsock share the same CID, the scoped vsock takes
>> precedence.
This inside the netns, right?
I mean if we are in a netns, and there is a VM A attached to
/dev/vhost-vsock-netns witch CID=42 and a VM B attached to
/dev/vhost-vsock also with CID=42, this means that VM A will not be
accessible in the netns, but it can be accessible outside of the netns,
right?
>>
>> If a socket in a namespace connects with a global vsock, the CID becomes
>> unavailable to any VMM in that namespace when creating new vsocks. If
>> disconnected, the CID becomes available again.
IIUC if an application in the host running in a netns, is connected to a
guest attached to /dev/vhost-vsock (e.g. CID=42), a new guest can't be
ask for the same CID (42) on /dev/vhost-vsock-netns in the same netns
till that connection is active. Is that right?
>>
>> Testing
>>
>> QEMU with /dev/vhost-vsock-netns support:
>> https://github.com/beshleman/qemu/tree/vsock-netns
You can also use unmodified QEMU using `vhostfd` parameter of
`vhost-vsock-pci` device:
# FD will contain the file descriptor to /dev/vhost-vsock-netns
exec {FD}<>/dev/vhost-vsock-netns
# pass FD to the device, this is used for example by libvirt
qemu-system-x86_64 -smp 2 -M q35,accel=kvm,memory-backend=mem \
-drive file=fedora.qcow2,format=qcow2,if=virtio \
-object memory-backend-memfd,id=mem,size=512M \
-device vhost-vsock-pci,vhostfd=${FD},guest-cid=42 -nographic
That said, I agree we can extend QEMU with `netns` param too.
BTW, I'm traveling, I'll be back next Tuesday and I hope to take a
deeper look to the patches.
Thanks,
Stefano
>>
>> Test: Scoped vsocks isolated by namespace
>>
>> host# ip netns add ns1
>> host# ip netns add ns2
>> host# ip netns exec ns1 \
>> qemu-system-x86_64 \
>> -m 8G -smp 4 -cpu host -enable-kvm \
>> -serial mon:stdio \
>> -drive if=virtio,file=${IMAGE1} \
>> -device
>> vhost-vsock-pci,netns=on,guest-cid=15
>> host# ip netns exec ns2 \
>> qemu-system-x86_64 \
>> -m 8G -smp 4 -cpu host -enable-kvm \
>> -serial mon:stdio \
>> -drive if=virtio,file=${IMAGE2} \
>> -device vhost-vsock-pci,netns=on,guest-cid=15
>>
>> host# socat - VSOCK-CONNECT:15:1234
>> 2025/03/10 17:09:40 socat[255741] E connect(5, AF=40 cid:15 port:1234, 16): No such device
>>
>> host# echo foobar1 | sudo ip netns exec ns1 socat - VSOCK-CONNECT:15:1234
>> host# echo foobar2 | sudo ip netns exec ns2 socat - VSOCK-CONNECT:15:1234
>>
>> vm1# socat - VSOCK-LISTEN:1234
>> foobar1
>> vm2# socat - VSOCK-LISTEN:1234
>> foobar2
>>
>> Test: Global vsocks accessible to any namespace
>>
>> host# qemu-system-x86_64 \
>> -m 8G -smp 4 -cpu host -enable-kvm \
>> -serial mon:stdio \)
>> -drive if=virtio,file=${IMAGE2} \
>> -device vhost-vsock-pci,guest-cid=15,netns=off
>>
>> host# echo foobar | sudo ip netns exec ns1 socat - VSOCK-CONNECT:15:1234
>>
>> vm# socat - VSOCK-LISTEN:1234
>> foobar
>>
>> Test: Connecting to global vsock makes CID unavailble to namespace
>>
>> host# qemu-system-x86_64 \
>> -m 8G -smp 4 -cpu host -enable-kvm \
>> -serial mon:stdio \
>> -drive if=virtio,file=${IMAGE2} \
>> -device vhost-vsock-pci,guest-cid=15,netns=off
>>
>> vm# socat - VSOCK-LISTEN:1234
>>
>> host# sudo ip netns exec ns1 socat - VSOCK-CONNECT:15:1234
>> host# ip netns exec ns1 \
>> qemu-system-x86_64 \
>> -m 8G -smp 4 -cpu host -enable-kvm \
>> -serial mon:stdio \
>> -drive if=virtio,file=${IMAGE1} \
>> -device vhost-vsock-pci,netns=on,guest-cid=15
>>
>> qemu-system-x86_64: -device vhost-vsock-pci,netns=on,guest-cid=15: vhost-vsock: unable to set guest cid: Address already in use
>>
>> Signed-off-by: Bobby Eshleman <bobbyeshleman@...il.com>
>> ---
>> Changes in v2:
>> - only support vhost-vsock namespaces
>> - all g2h namespaces retain old behavior, only common API changes
>> impacted by vhost-vsock changes
>> - add /dev/vhost-vsock-netns for "opt-in"
>> - leave /dev/vhost-vsock to old behavior
>> - removed netns module param
>> - Link to v1: https://lore.kernel.org/r/20200116172428.311437-1-sgarzare@redhat.com
>>
>> Changes in v1:
>> - added 'netns' module param to vsock.ko to enable the
>> network namespace support (disabled by default)
>> - added 'vsock_net_eq()' to check the "net" assigned to a socket
>> only when 'netns' support is enabled
>> - Link to RFC: https://patchwork.ozlabs.org/cover/1202235/
>>
>> ---
>> Stefano Garzarella (3):
>> vsock: add network namespace support
>> vsock/virtio_transport_common: handle netns of received packets
>> vhost/vsock: use netns of process that opens the vhost-vsock-netns device
>>
>> drivers/vhost/vsock.c | 96 +++++++++++++++++++++++++++------
>> include/linux/miscdevice.h | 1 +
>> include/linux/virtio_vsock.h | 2 +
>> include/net/af_vsock.h | 10 ++--
>> net/vmw_vsock/af_vsock.c | 85 +++++++++++++++++++++++------
>> net/vmw_vsock/hyperv_transport.c | 2 +-
>> net/vmw_vsock/virtio_transport.c | 5 +-
>> net/vmw_vsock/virtio_transport_common.c | 14 ++++-
>> net/vmw_vsock/vmci_transport.c | 4 +-
>> net/vmw_vsock/vsock_loopback.c | 4 +-
>> 10 files changed, 180 insertions(+), 43 deletions(-)
>> ---
>> base-commit: 0ea09cbf8350b70ad44d67a1dcb379008a356034
>> change-id: 20250312-vsock-netns-45da9424f726
>>
>> Best regards,
>> --
>> Bobby Eshleman <bobbyeshleman@...il.com>
>>
>
Powered by blists - more mailing lists