lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <b08eda42-9cc7-7a9a-b5b1-5adc44050896@oracle.com>
Date:   Fri, 21 Feb 2020 11:49:06 -0800
From:   ted.h.kim@...cle.com
To:     Ján Tomko <jtomko@...hat.com>,
        Stefan Hajnoczi <stefanha@...hat.com>
Cc:     sgarzare@...hat.com, netdev@...r.kernel.org,
        Boris Ostrovsky <boris.ostrovsky@...cle.com>
Subject: Re: vsock CID questions

Hi Jan,

Thanks for responding - let me see if I am understanding correctly.


I think you are saying on migration the process of determining the CID 
assigned is the same as when you start a domain.

<cid auto='yes'> means assignment to the first available value.
It also seems for auto='yes' that any address='<value>' part of the CID 
definition is ignored, even as a suggested value.
(I always get CID 3 when starting auto='yes' and no other domains have 
started, even if there is an specific address in the definition, e.g. 
address='12'.)

But if auto='no', either the domain gets the address field value or if 
the value is already assigned, the domain will fail to start/migrate.

Is that right?


In cases, where auto='yes', it does not seem that the host/hypervisor 
can find out what CID value was assigned to a domain. Even parsing the 
XML only reveals that it was auto-assigned and no specific value can be 
determined.

Is this correct?

If this is the case, I would advocate for a specific API which can 
lookup the current CID of a domain.
Otherwise the host/hypervisor cannot tell which  auto='yes' domain is on 
the other end of the connected socket, when there is more than one.


Thanks.
-ted


On 2/20/20 8:09 AM, Ján Tomko wrote:
> On Wed, Feb 19, 2020 at 03:43:17PM +0000, Stefan Hajnoczi wrote:
>> On Tue, Feb 18, 2020 at 02:45:38PM -0800, ted.h.kim@...cle.com wrote:
>>> 1. Is there an API to lookup CIDs of guests from the host side (in 
>>> libvirt)?
>>
>> I wonder if it can be queried from libvirt (at a minimum the domain XML
>> might have the CID)?  I have CCed Ján Tomko who worked on the libvirt
>> support:
>>
>> https://libvirt.org/formatdomain.html#vsock
>>
>
> Yes, libvirt has to know the CIDs of the guest and presents them in the
> domain XML:
> <domain type='kvm'>
>   <name>test</name>
>   ...
>   <devices>
>     ...
>     <vsock model='virtio'>
>       <cid auto='no' address='4'/>
>       <address type='pci' domain='0x0000' bus='0x00' slot='0x07' 
> function='0x0'/>
>     </vsock>
>   </devices>
> </domain>
>
>>> 2. In the vsock(7) man page, it says the CID might change upon 
>>> migration, if
>>> it is not available.
>>> Is there some notification when CID reassignment happens?
>>
>> All established connections are reset across live migration -
>> applications will notice :).
>>
>> Listen sockets stay open but automatically listen on the new CID.
>>
>>> 3. if CID reassignment happens, is this persistent? (i.e. will I see 
>>> updated
>>> vsock definition in XML for the guest)
>>
>> Another question for Ján.
>
> Depends on the setting.
> For <cid auto='yes'/>, libvirt will try to acquire the first available 
> CID
> for the guest and pass it to QEMU.
> For <cid auto='no'/>, no reassignment should happend and the CID
> requested in the domain XML on the source will be used (or fail to be
> used) on the destination.
>
> Jano
>
>>
>>> 4. I would like to minimize the chance of CID collision. If I 
>>> understand
>>> correctly, the CID is a 32-bit unsigned. So for my application, it 
>>> might
>>> work to put an IPv4 address. But if I adopt this convention, then I 
>>> need to
>>> look forward to possibly using IPv6. Anyway, would it be hard to 
>>> potentially
>>> expand the size of the CID to 64 bits or even 128?
>>
>> A little hard, since the struct sockaddr_vm that userspace applications
>> use has a 32-bit CID field.  This is because the existing VMware VMCI
>> vsock implementation has 32-bit CIDs.
>>
>> virtio-vsock is ready for 64-bit CIDs (the packet header fields are
>> already 64-bit) but changes to net/vmw_vsock/ core code and to the
>> userspace ABI would be necessary.
>>
>> Stefan
>
>
-- 
Ted H. Kim, PhD
ted.h.kim@...cle.com
+1 310-258-7515

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ