Picking up Stefano's v1 [1], this series adds netns support to vhost-vsock.
Unlike v1, this series does not address guest-to-host (g2h) namespaces,
deferring that for future implementation and discussion.

Any vsock created with /dev/vhost-vsock is a global vsock, accessible from
any namespace. Any vsock created with /dev/vhost-vsock-netns is a "scoped"
vsock, accessible only to sockets in its namespace. If a global vsock and a
scoped vsock share the same CID, the scoped vsock takes precedence. If a
socket in a namespace connects with a global vsock, the CID becomes
unavailable to any VMM in that namespace when creating new vsocks. If
disconnected, the CID becomes available again.

Testing QEMU with /dev/vhost-vsock-netns support:
https://github.com/beshleman/qemu/tree/vsock-netns

Test: Scoped vsocks isolated by namespace

  host# ip netns add ns1
  host# ip netns add ns2
  host# ip netns exec ns1 \
          qemu-system-x86_64 \
            -m 8G -smp 4 -cpu host -enable-kvm \
            -serial mon:stdio \
            -drive if=virtio,file=${IMAGE1} \
            -device vhost-vsock-pci,netns=on,guest-cid=15
  host# ip netns exec ns2 \
          qemu-system-x86_64 \
            -m 8G -smp 4 -cpu host -enable-kvm \
            -serial mon:stdio \
            -drive if=virtio,file=${IMAGE2} \
            -device vhost-vsock-pci,netns=on,guest-cid=15

  host# socat - VSOCK-CONNECT:15:1234
  2025/03/10 17:09:40 socat[255741] E connect(5, AF=40 cid:15 port:1234, 16): No such device

  host# echo foobar1 | sudo ip netns exec ns1 socat - VSOCK-CONNECT:15:1234
  host# echo foobar2 | sudo ip netns exec ns2 socat - VSOCK-CONNECT:15:1234

  vm1# socat - VSOCK-LISTEN:1234
  foobar1

  vm2# socat - VSOCK-LISTEN:1234
  foobar2

Test: Global vsocks accessible to any namespace

  host# qemu-system-x86_64 \
          -m 8G -smp 4 -cpu host -enable-kvm \
          -serial mon:stdio \
          -drive if=virtio,file=${IMAGE2} \
          -device vhost-vsock-pci,guest-cid=15,netns=off

  host# echo foobar | sudo ip netns exec ns1 socat - VSOCK-CONNECT:15:1234

  vm# socat - VSOCK-LISTEN:1234
  foobar

Test: Connecting to global vsock makes CID unavailable to namespace

  host# qemu-system-x86_64 \
          -m 8G -smp 4 -cpu host -enable-kvm \
          -serial mon:stdio \
          -drive if=virtio,file=${IMAGE2} \
          -device vhost-vsock-pci,guest-cid=15,netns=off

  vm# socat - VSOCK-LISTEN:1234

  host# sudo ip netns exec ns1 socat - VSOCK-CONNECT:15:1234

  host# ip netns exec ns1 \
          qemu-system-x86_64 \
            -m 8G -smp 4 -cpu host -enable-kvm \
            -serial mon:stdio \
            -drive if=virtio,file=${IMAGE1} \
            -device vhost-vsock-pci,netns=on,guest-cid=15
  qemu-system-x86_64: -device vhost-vsock-pci,netns=on,guest-cid=15: vhost-vsock: unable to set guest cid: Address already in use

Signed-off-by: Bobby Eshleman <bobbyeshleman@xxxxxxxxx>
---
Changes in v2:
- only support vhost-vsock namespaces
- all g2h namespaces retain old behavior, only common API changes impacted
  by vhost-vsock changes
- add /dev/vhost-vsock-netns for "opt-in"
- leave /dev/vhost-vsock to old behavior
- removed netns module param
- Link to v1: https://lore.kernel.org/r/20200116172428.311437-1-sgarzare@xxxxxxxxxx

Changes in v1:
- added 'netns' module param to vsock.ko to enable the network namespace
  support (disabled by default)
- added 'vsock_net_eq()' to check the "net" assigned to a socket only when
  'netns' support is enabled
- Link to RFC: https://patchwork.ozlabs.org/cover/1202235/

---
Stefano Garzarella (3):
      vsock: add network namespace support
      vsock/virtio_transport_common: handle netns of received packets
      vhost/vsock: use netns of process that opens the vhost-vsock-netns device

 drivers/vhost/vsock.c                   | 96 +++++++++++++++++++++++++++------
 include/linux/miscdevice.h              |  1 +
 include/linux/virtio_vsock.h            |  2 +
 include/net/af_vsock.h                  | 10 ++--
 net/vmw_vsock/af_vsock.c                | 85 +++++++++++++++++++++++------
 net/vmw_vsock/hyperv_transport.c        |  2 +-
 net/vmw_vsock/virtio_transport.c        |  5 +-
 net/vmw_vsock/virtio_transport_common.c | 14 ++++-
 net/vmw_vsock/vmci_transport.c          |  4 +-
 net/vmw_vsock/vsock_loopback.c          |  4 +-
 10 files changed, 180 insertions(+), 43 deletions(-)
---
base-commit: 0ea09cbf8350b70ad44d67a1dcb379008a356034
change-id: 20250312-vsock-netns-45da9424f726

Best regards,
-- 
Bobby Eshleman <bobbyeshleman@xxxxxxxxx>
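The CID resolution rules the cover letter describes (a scoped vsock beats a global one with the same CID, a namespace that is connected to a global vsock cannot hand that CID to a VMM until it disconnects, and an unknown CID fails with ENODEV), as an added toy model that is not the series' kernel code. The VsockTable class, the GLOBAL marker and the "init"/"ns1"/"ns2" namespace labels are constructed for illustration; it replays the third test from the cover letter.

```python
import errno
from collections import Counter

GLOBAL = None  # constructed marker: vsock created via /dev/vhost-vsock, no netns scope

class VsockTable:
    """Toy model of the CID lookup rules in the cover letter, not the kernel's code."""

    def __init__(self):
        self.vsocks = set()        # (cid, netns) pairs; netns is GLOBAL for global vsocks
        self.reserved = Counter()  # (cid, netns) -> live connections from netns to a global vsock

    def create(self, cid, netns=GLOBAL):
        """VMM sets a guest CID via /dev/vhost-vsock (GLOBAL) or /dev/vhost-vsock-netns."""
        # A CID is unavailable in a netns while sockets there use it to reach a global vsock.
        if (cid, netns) in self.vsocks or self.reserved[(cid, netns)]:
            raise OSError(errno.EADDRINUSE, "Address already in use")
        self.vsocks.add((cid, netns))

    def resolve(self, cid, netns):
        """A scoped vsock in the caller's netns wins over a global one with the same CID."""
        for candidate in ((cid, netns), (cid, GLOBAL)):
            if candidate in self.vsocks:
                return candidate
        raise OSError(errno.ENODEV, "No such device")

    def connect(self, cid, netns):
        """Connecting to a global vsock reserves its CID in the client's netns."""
        target = self.resolve(cid, netns)
        if target[1] is GLOBAL:
            self.reserved[(cid, netns)] += 1
        return (target, netns)  # handle for disconnect()

    def disconnect(self, handle):
        (cid, target_ns), netns = handle
        if target_ns is GLOBAL:
            self.reserved[(cid, netns)] -= 1

def reservation_test():
    """Third test in the cover letter; returns (errno name seen, scoped CID 15 target after)."""
    t = VsockTable()
    t.create(15)                   # host VMM with netns=off
    handle = t.connect(15, "ns1")  # socket in ns1 reaches the global vsock
    try:
        t.create(15, "ns1")        # VMM in ns1 now cannot take CID 15
    except OSError as e:
        busy = errno.errorcode[e.errno]
    t.disconnect(handle)
    t.create(15, "ns1")            # succeeds once the connection is gone
    return busy, t.resolve(15, "ns1")
```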