From: Chris Webb <chris@arachsys.com>
To: qemu-devel@nongnu.org
Subject: [Qemu-devel] Connecting virtio-9p-pci to a remote 9p server
Date: Mon, 15 Oct 2012 12:36:08 +0100
Message-ID: <20121015113607.GB25951@arachsys.com>

We're planning to implement shared filesystems for guests on our virtualized
hosting platform, stored on a central fileserver separate from the hosts.

Whilst we can mount the shares on each host and then use qemu's 9p
passthrough/proxy support to access the mountpoint, going via the host
kernel and vfs like this feels quite inefficient. We would be converting
back and forth between vfs and 9p models several times needlessly.

Instead, I'm wondering about the feasibility of connecting the 9p stream
directly from qemu's virtio-9p-pci device to a socket opened on a
9p-over-TCP export from the fileserver. Am I right in thinking that qemu's
-fsdev proxy gives me access to a file descriptor attached to the 9p stream
to/from the guest, or is the protocol between virtfs-proxy-helper and qemu
re-encoded within qemu first?

Secondly, assuming I can somehow get at the 9p streams directly (either with
an existing option or by adding a new one), I'd like to restrict guests to
the relevant user's subdirectory on the fileserver, and have been thinking
about doing this by filtering the 9p stream to restrict 'attach' operations.

Fortunately, 9p uses client-chosen fids rather than server filesystem inode
numbers which would immediately scupper any simple attempts to implement a
secure chroot proxy of this kind. Looking at the 9p2000.L protocol, it
doesn't look obviously difficult, but I've not really worked with 9p before,
and could well be missing security complications. (I'm not sure whether
there's risk of symlinks being interpreted server side rather than client
side, for example.)

I'd also be interested in any more general thoughts on this kind of thing.
If we're going to work on it, it would be nice for us to write something
that would be more widely useful to others rather than just create an
in-house hack.

Cheers,

Chris.
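The attach-filtering idea from the message above, as an added example that is not part of Chris's mail or of QEMU: a small 9P2000.L Tattach parser/rewriter that confines each guest to its own export subtree by prefixing the requested aname and rejecting any ".." component with an Rlerror. The message layout (size[4] type[1] tag[2] fid[4] afid[4] uname[s] aname[s] n_uname[4], little-endian, strings as len[2]+bytes) follows the 9P2000.L spec; the message-type numbers, the errno value, and the sample messages are assumptions constructed for this example.

```python
import struct

# 9P2000.L message types and the errno returned to the guest (assumed from the spec).
TATTACH, RATTACH, RLERROR = 104, 105, 7
EACCES = 13

def parse_string(buf, off):
    """Decode a 9p string: len[2] followed by len bytes of UTF-8. Returns (text, next offset)."""
    (n,) = struct.unpack_from("<H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8"), off + 2 + n

def parse_tattach(msg):
    """Split a Tattach message into (tag, fid, afid, uname, aname, n_uname)."""
    size, mtype, tag, fid, afid = struct.unpack_from("<IBHII", msg, 0)
    if size != len(msg) or mtype != TATTACH:
        raise ValueError("not a well-formed Tattach")
    uname, off = parse_string(msg, 15)          # header (7) + fid (4) + afid (4)
    aname, off = parse_string(msg, off)
    (n_uname,) = struct.unpack_from("<I", msg, off)
    return tag, fid, afid, uname, aname, n_uname

def build_tattach(tag, fid, afid, uname, aname, n_uname):
    """Encode a Tattach; used both to construct sample input and to emit the rewritten request."""
    body = struct.pack("<BHII", TATTACH, tag, fid, afid)
    for s in (uname, aname):
        b = s.encode("utf-8")
        body += struct.pack("<H", len(b)) + b
    body += struct.pack("<I", n_uname)
    return struct.pack("<I", 4 + len(body)) + body

def build_rlerror(tag, ecode):
    """Encode an Rlerror (size[4] Rlerror tag[2] ecode[4]) to answer a rejected request."""
    return struct.pack("<IBHI", 11, RLERROR, tag, ecode)

def filter_attach(msg, allowed_root):
    """Confine a guest's Tattach to allowed_root on the fileserver.

    Returns (forward, reply): forward is the rewritten Tattach to send on to the
    server, or None together with an Rlerror reply to hand straight back to the guest.
    The client-chosen fid is passed through untouched, so later operations need no mapping.
    """
    tag, fid, afid, uname, aname, n_uname = parse_tattach(msg)
    parts = [p for p in aname.split("/") if p not in ("", ".")]
    if ".." in parts:                            # any escape attempt is refused outright
        return None, build_rlerror(tag, EACCES)
    confined = "/".join([allowed_root] + parts)  # "" (export root) becomes allowed_root itself
    return build_tattach(tag, fid, afid, uname, confined, n_uname), None
```

This only constrains the attach step; whether a later walk can leave the subtree (the symlink question raised above) depends on how the server resolves paths and is not addressed here.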
