Re: [PATCH nfs-utils v3 00/14] add NFS over AF_VSOCK support

From: Stefan Hajnoczi <stefanha@redhat.com>
To: "J. Bruce Fields" <bfields@fieldses.org>
Cc: NeilBrown <neilb@suse.com>,
	"Daniel P. Berrange" <berrange@redhat.com>,
	Chuck Lever <chuck.lever@oracle.com>,
	Steven Whitehouse <swhiteho@redhat.com>,
	Steve Dickson <SteveD@redhat.com>,
	Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	Matt Benjamin <mbenjami@redhat.com>,
	Jeff Layton <jlayton@redhat.com>,
	Justin Mitchell <jumitche@redhat.com>
Subject: Re: [PATCH nfs-utils v3 00/14] add NFS over AF_VSOCK support
Date: Tue, 26 Sep 2017 11:56:26 +0100	[thread overview]
Message-ID: <20170926105626.GH16834@stefanha-x1.localdomain> (raw)
In-Reply-To: <20170926034026.GA19283@fieldses.org>

On Mon, Sep 25, 2017 at 11:40:26PM -0400, J. Bruce Fields wrote:
> On Tue, Sep 26, 2017 at 12:08:07PM +1000, NeilBrown wrote:
> > On Fri, Sep 22 2017, Daniel P. Berrange wrote:
> > Rather than a flag, it might work to use network namespaces.
> > Very early in the init sequence the filesystem gets mounted using the
> > IPv6 link-local address on a client->host interface, and then a new
> > network namespace is created which does not include that interface, and
> > which everything else including firewall code runs in.  Maybe.
> 
> That seems closer, since it allows you to hide the interface from most
> of the guest while letting some special software--qemu guest agent?--
> still work with it.  That agent would also need to be the one to do the
> mount, and would need to be able to make that mount usable to the rest
> of the guest.
> 
> Sounds doable to me?
> 
> There's still the problem of the paranoid security bureaucracy.
> 
> It should be pretty easy to demonstrate that the host only allows
> point-to-point traffic on these interfaces.  I'd hope that that, plus
> the appeal of the feature, would be enough to win out in the end.  This
> is not a class of problem that I have experience dealing with, though!

Programs wishing to use host<->guest networking might still need the
main network namespace for UNIX domain sockets and other communication.

For example, the QEMU guest agent has a command to report the IP
addresses of the guest.  It must access the main network namespace to
collect this information while using a host<->guest socket to
communicate with the hypervisor.

I think this can be achieved as follows:
1. open /proc/self/ns/net (stash the file descriptor)
2. open /var/run/netns/hvnet & call setns(2) to switch namespaces
3. socket(AF_INET6, SOCK_STREAM, 0) to create host<->guest socket
4. call setns(2) to switch back to main namespace

In other words, the program stays mostly in the main network namespace
and only enters the host<->guest namespace to create sockets.

setns(2) with a network namespace requires CAP_SYS_ADMIN so it's not
very practical.

Is there an alternative that makes using the host<->guest network
namespace less clunky?

Stefan