[Libguestfs] [PATCH nbdkit] Add support for AF_VSOCK.
Richard W.M. Jones
rjones at redhat.com
Fri Oct 18 16:39:05 UTC 2019
On Fri, Oct 18, 2019 at 11:16:16AM -0500, Eric Blake wrote:
> On 10/18/19 10:38 AM, Richard W.M. Jones wrote:
> >On platforms which support it (only Linux currently) nbdkit can act as
> >a vsock server. Guests running on the host see a raw NBD socket which
> >they can connect to by opening an AF_VSOCK connection. (Although only
> >libnbd supports this).
> >
> >The current limitations are:
> >
> > * nbdkit can only act as a host (cid == VMADDR_CID_HOST == 2).
>
> How hard would it be to allow a different cid to run a server on the
> guest and client on the host?

Actually thinking about it, my code is wrong anyway. I believe it
should use VMADDR_CID_ANY as the cid (like INADDR_ANY), in which case
it can be used from a guest. Stefan, is that the way to go?

> > * There is no access control. Any guest which has vsock enabled can
> > open the socket.
>
> Well, there's TLS if you need it.

Also this is controlled to some extent by the hypervisor administrator
since they can turn vsock off and on (as a whole feature) per guest.

> >+If you see the error C<unable to open vhost-vsock device> then you may
> >+have to unload the VMCI transport:
> >+
> >+ modprobe -r vmw_vsock_vmci_transport
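
Review bot: the sentence introducing the modprobe -r command does not say which machine the module has to be unloaded on. State in that sentence whether the command is run on the host or in the guest, so the reader does not have to work it out from the error message.
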
>
> Is that in the host or in the guest?

Host. Actually this is a bug which Stefan is looking into, so maybe
we can just link to the BZ if there is one.

> >@@ -247,6 +252,74 @@ bind_tcpip_socket (size_t *nr_socks)
> > return socks;
> > }
> >+int *
> >+bind_vsock (size_t *nr_socks)
> >+{
> >+#ifdef AF_VSOCK
> >+ uint32_t vsock_port;
> >+ int sock;
> >+ int *ret;
> >+ struct sockaddr_vm addr;
> >+
> >+ if (port == NULL)
> >+ vsock_port = 10809;
> >+ else {
> >+ /* --port parameter must be numeric for vsock, unless
> >+ * /etc/services is extended but that seems unlikely. XXX
> >+ */
> >+ if (nbdkit_parse_uint32_t ("port", port, &vsock_port) == -1)
> >+ exit (EXIT_FAILURE);
> >+ }
> >+
> >+#ifdef SOCK_CLOEXEC
> >+ sock = socket (AF_VSOCK, SOCK_STREAM|SOCK_CLOEXEC, 0);
> >+#else
> >+ /* Fortunately, this code is only run at startup, so there is no
> >+ * risk of the fd leaking to a plugin's fork()
> >+ */
> >+ sock = set_cloexec (socket (AF_VSOCK, SOCK_STREAM, 0));
>
> Even better, all known platforms with AF_VSOCK have SOCK_CLOEXEC.
> Make this #else just be an #error.

Very true! I will fix this one.

> >+#endif
> >+ if (sock == -1) {
> >+ perror ("bind_unix_socket: socket");
> >+ exit (EXIT_FAILURE);
> >+ }
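
Review bot: the error label in the socket() failure branch is copied from the Unix-socket code: perror ("bind_unix_socket: socket") is called from inside bind_vsock, so a failure to create the AF_VSOCK socket is reported under the wrong function name. Change it to perror ("bind_vsock: socket") so the message identifies the vsock path.
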
>
> Also, it wouldn't be that much harder for a followup patch exposing:
>
> nbdkit nbd vsock_cid=... vsock_port=...
>
> to have our passthrough wrapper call into libnbd's
> nbd_connect_vsock, and let nbdkit transparently convert from vsock
> server to TCP/Unix client.

Yup.

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
Fedora Windows cross-compiler. Compile Windows programs, test, and
build Windows installers. Over 100 libraries supported.
http://fedoraproject.org/wiki/MinGW
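
The listener address proposed in the reply above (VMADDR_CID_ANY instead of a fixed host cid), as an added C example that is not code from the patch or from nbdkit; the function names vsock_listen_addr and vsock_listen are hypothetical. It also rejects port 4294967295, which fits in a uint32_t but equals VMADDR_PORT_ANY and would make bind() choose a port itself.

```c
/* Added illustration; function names are hypothetical, not nbdkit's. */
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/vm_sockets.h>

/* Fill *addr for a listener on VMADDR_CID_ANY. NULL selects 10809, the
 * default in the quoted patch. Returns -1 for a non-numeric port and for
 * anything >= VMADDR_PORT_ANY (0xFFFFFFFF), which bind() treats as "any". */
int vsock_listen_addr(const char *port_str, struct sockaddr_vm *addr)
{
    unsigned long long v = 10809;
    if (port_str != NULL) {
        char *end;
        if (*port_str < '0' || *port_str > '9')  /* no sign, space or name */
            return -1;
        errno = 0;
        v = strtoull(port_str, &end, 10);
        if (errno != 0 || *end != '\0' || v >= VMADDR_PORT_ANY)
            return -1;
    }
    memset(addr, 0, sizeof *addr);
    addr->svm_family = AF_VSOCK;
    addr->svm_cid = VMADDR_CID_ANY;   /* any local CID, like INADDR_ANY */
    addr->svm_port = (uint32_t)v;
    return 0;
}

/* Open, bind and listen with close-on-exec set atomically; -1 on error. */
int vsock_listen(const struct sockaddr_vm *addr)
{
    int fd = socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0);
    if (fd == -1)
        return -1;
    if (bind(fd, (const struct sockaddr *)addr, sizeof *addr) == -1 ||
        listen(fd, SOMAXCONN) == -1) {
        int saved = errno;            /* keep the bind/listen error */
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}
```
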