On Fri, Oct 18, 2019 at 11:16:16AM -0500, Eric Blake wrote:
On 10/18/19 10:38 AM, Richard W.M. Jones wrote:
>On platforms which support it (only Linux currently) nbdkit can act as
>a vsock server. Guests running on the host see a raw NBD socket which
>they can connect to by opening an AF_VSOCK connection. (Although only
>libnbd supports this).
>
>The current limitations are:
>
> * nbdkit can only act as a host (cid == VMADDR_CID_HOST == 2).
How hard would it be to allow a different cid to run a server on the
guest and client on the host?
Actually thinking about it, my code is wrong anyway. I believe it
should use VMADDR_CID_ANY as the cid (like INADDR_ANY), in which case
it can be used from a guest. Stefan is that the way to go?
> * There is no access control. Any guest which has vsock enabled can
> open the socket.
Well, there's TLS if you need it.
Also this is controlled to some extent by the hypervisor administrator
since they can turn vsock off and on (as a whole feature) per guest.
>+If you see the error C<unable to open vhost-vsock device>
then you may
>+have to unload the VMCI transport:
>+
>+ modprobe -r vmw_vsock_vmci_transport
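Review bot: the sentence introducing "modprobe -r vmw_vsock_vmci_transport" does not say on which machine the module has to be unloaded. State explicitly whether it is the host or the guest, and note that the command needs root and unloads the VMCI transport for everything else on that machine as well.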
Is that in the host or in the guest?
Host. Actually this is a bug which Stefan is looking into, so maybe
we can just link to the BZ if there is one.
>@@ -247,6 +252,74 @@ bind_tcpip_socket (size_t *nr_socks)
> return socks;
> }
>+int *
>+bind_vsock (size_t *nr_socks)
>+{
>+#ifdef AF_VSOCK
>+ uint32_t vsock_port;
>+ int sock;
>+ int *ret;
>+ struct sockaddr_vm addr;
>+
>+ if (port == NULL)
>+ vsock_port = 10809;
>+ else {
>+ /* --port parameter must be numeric for vsock, unless
>+ * /etc/services is extended but that seems unlikely. XXX
>+ */
>+ if (nbdkit_parse_uint32_t ("port", port, &vsock_port) == -1)
>+ exit (EXIT_FAILURE);
>+ }
>+
>+#ifdef SOCK_CLOEXEC
>+ sock = socket (AF_VSOCK, SOCK_STREAM|SOCK_CLOEXEC, 0);
>+#else
>+ /* Fortunately, this code is only run at startup, so there is no
>+ * risk of the fd leaking to a plugin's fork()
>+ */
>+ sock = set_cloexec (socket (AF_VSOCK, SOCK_STREAM, 0));
Even better, all known platforms with AF_VSOCK have SOCK_CLOEXEC.
Make this #else just be an #error.
Very true! I will fix this one.
>+#endif
>+ if (sock == -1) {
>+ perror ("bind_unix_socket: socket");
>+ exit (EXIT_FAILURE);
>+ }
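Review bot: in the "sock == -1" branch the message is perror ("bind_unix_socket: socket"), which looks copied from the Unix-socket function. Inside bind_vsock it should read "bind_vsock: socket" so that a failure to create the AF_VSOCK socket is not attributed to the wrong listener in the error output.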
Also, it wouldn't be that much harder for a followup patch exposing:
nbdkit nbd vsock_cid=... vsock_port=...
to have our passthrough wrapper call into libnbd's
nbd_connect_vsock, and let nbdkit transparently convert from vsock
server to TCP/Unix client.
Yup.
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
Read my programming and virtualization blog:
http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
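
The two points raised in the thread (binding with VMADDR_CID_ANY, and the lack of access control), as an added example that is not part of the original messages and is not nbdkit code. The helper names and the allow-list of guest CIDs are hypothetical, and the check assumes the transport reports the CID the hypervisor assigned to the connecting guest.

```c
/* Added example, not nbdkit code: vsock listener address plus a peer-CID
 * allow-list check.  Helper names and the allow-list are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/vm_sockets.h>

/* Fill a listener address.  VMADDR_CID_ANY plays the role of INADDR_ANY,
 * so the same code binds whether it runs on the host or in a guest. */
void
vsock_listen_addr (struct sockaddr_vm *addr, uint32_t port)
{
  memset (addr, 0, sizeof *addr);
  addr->svm_family = AF_VSOCK;
  addr->svm_cid = VMADDR_CID_ANY;
  addr->svm_port = port;
}

/* True only if the connecting peer's CID is on the allow-list. */
bool
peer_cid_allowed (const struct sockaddr_vm *peer,
                  const uint32_t *allowed, size_t n)
{
  if (peer->svm_family != AF_VSOCK)
    return false;
  for (size_t i = 0; i < n; i++)
    if (peer->svm_cid == allowed[i])
      return true;
  return false;
}

/* Accept one connection; close it and return -1 if the peer is not allowed. */
int
accept_allowed (int lsock, const uint32_t *allowed, size_t n)
{
  struct sockaddr_vm peer;
  socklen_t len = sizeof peer;
  int fd = accept (lsock, (struct sockaddr *) &peer, &len);

  if (fd == -1)
    return -1;
  if (len < sizeof peer || !peer_cid_allowed (&peer, allowed, n)) {
    close (fd);
    return -1;
  }
  return fd;
}
```

A CID filter of this kind only narrows which guests can reach the NBD handshake; TLS, as mentioned in the thread, is still what authenticates the client.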