Date: Thu, 22 Jan 2026 11:23:02 -0500
From: "Michael S. Tsirkin"
To: Bobby Eshleman
Cc: Stefano Garzarella, "David S. Miller", Eric Dumazet, Jakub Kicinski,
 Paolo Abeni, Simon Horman, Stefan Hajnoczi, Jason Wang, Eugenio Pérez,
 Xuan Zhuo, "K. Y. Srinivasan", Haiyang Zhang, Wei Liu, Dexuan Cui,
 Bryan Tan, Vishnu Dasa, Broadcom internal kernel review list, Shuah Khan,
 Long Li, Jonathan Corbet, linux-kernel@vger.kernel.org,
 virtualization@lists.linux.dev, netdev@vger.kernel.org, kvm@vger.kernel.org,
 linux-hyperv@vger.kernel.org, linux-kselftest@vger.kernel.org,
 berrange@redhat.com, Sargun Dhillon, linux-doc@vger.kernel.org,
 Bobby Eshleman
Subject: Re: [PATCH net-next v16 00/12] vsock: add namespace support to vhost-vsock and loopback
Message-ID: <20260122112252-mutt-send-email-mst@kernel.org>
References: <20260121-vsock-vmtest-v16-0-2859a7512097@meta.com>
In-Reply-To: <20260121-vsock-vmtest-v16-0-2859a7512097@meta.com>

On Wed, Jan 21, 2026 at 02:11:40PM -0800, Bobby Eshleman wrote:
> This series adds namespace support to vhost-vsock and loopback. It does
> not add namespaces to any of the other guest transports (virtio-vsock,
> hyperv, or vmci).
>
> The current revision supports two modes: local and global. Local
> mode is complete isolation of namespaces, while global mode is complete
> sharing between namespaces of CIDs (the original behavior).
>
> The mode is set using the parent namespace's
> /proc/sys/net/vsock/child_ns_mode and inherited when a new namespace is
> created. The mode of the current namespace can be queried by reading
> /proc/sys/net/vsock/ns_mode. The mode can not change after the namespace
> has been created.
>
> Modes are per-netns. This allows a system to configure namespaces
> independently (some may share CIDs, others are completely isolated).
> This also supports future possible mixed use cases, where there may be
> namespaces in global mode spinning up VMs while there are mixed mode
> namespaces that provide services to the VMs, but are not allowed to
> allocate from the global CID pool (this mode is not implemented in this
> series).
>
> Additionally, added tests for the new namespace features:
>
> tools/testing/selftests/vsock/vmtest.sh
> 1..25
> ok 1 vm_server_host_client
> ok 2 vm_client_host_server
> ok 3 vm_loopback
> ok 4 ns_host_vsock_ns_mode_ok
> ok 5 ns_host_vsock_child_ns_mode_ok
> ok 6 ns_global_same_cid_fails
> ok 7 ns_local_same_cid_ok
> ok 8 ns_global_local_same_cid_ok
> ok 9 ns_local_global_same_cid_ok
> ok 10 ns_diff_global_host_connect_to_global_vm_ok
> ok 11 ns_diff_global_host_connect_to_local_vm_fails
> ok 12 ns_diff_global_vm_connect_to_global_host_ok
> ok 13 ns_diff_global_vm_connect_to_local_host_fails
> ok 14 ns_diff_local_host_connect_to_local_vm_fails
> ok 15 ns_diff_local_vm_connect_to_local_host_fails
> ok 16 ns_diff_global_to_local_loopback_local_fails
> ok 17 ns_diff_local_to_global_loopback_fails
> ok 18 ns_diff_local_to_local_loopback_fails
> ok 19 ns_diff_global_to_global_loopback_ok
> ok 20 ns_same_local_loopback_ok
> ok 21 ns_same_local_host_connect_to_local_vm_ok
> ok 22 ns_same_local_vm_connect_to_local_host_ok
> ok 23 ns_delete_vm_ok
> ok 24 ns_delete_host_ok
> ok 25 ns_delete_both_ok
> SUMMARY: PASS=25 SKIP=0 FAIL=0
>
> Thanks again for everyone's help and reviews!
>
> Suggested-by: Sargun Dhillon
> Signed-off-by: Bobby Eshleman

Acked-by: Michael S. Tsirkin

>
> Changes in v16:
> - updated comments/docs/commit msg (vsock_find_* funcs, init net
>   mode, why change random port alloc)
> - removed init ns mode cmdline
> - fixed the missing ${ns} arg for vm_ssh in vmtest.sh
> - Link to v15: https://lore.kernel.org/r/20260116-vsock-vmtest-v15-0-bbfd1a668548@meta.com
>
> Changes in v15:
> - see per-patch change notes in 'vsock: add netns to vsock core'
> - Link to v14: https://lore.kernel.org/r/20260112-vsock-vmtest-v14-0-a5c332db3e2b@meta.com
>
> Changes in v14:
> - squashed 'vsock: add per-net vsock NS mode state' into 'vsock: add
>   netns to vsock core' (MST)
> - remove RFC tag
> - fixed base-commit (still had b4 configured to depend on old vmtest.sh
>   series)
> - Link to v13: https://lore.kernel.org/all/20251223-vsock-vmtest-v13-0-9d6db8e7c80b@meta.com/
>
> Changes in v13:
> - add support for immutable sysfs ns_mode and inheritance from sysfs child_ns_mode
> - remove passing around of net_mode, can be accessed now via
>   vsock_net_mode(net) since it is immutable
> - update tests for new uAPI
> - add one patch to extend the kselftest timeout (it was starting to
>   fail with the new tests added)
> - Link to v12: https://lore.kernel.org/r/20251126-vsock-vmtest-v12-0-257ee21cd5de@meta.com
>
> Changes in v12:
> - add ns mode checking to _allow() callbacks to reject local mode for
>   incompatible transports (Stefano)
> - flip vhost/loopback to return true for stream_allow() and
>   seqpacket_allow() in "vsock: add netns support to virtio transports"
>   (Stefano)
> - add VMADDR_CID_ANY + local mode documentation in af_vsock.c (Stefano)
> - change "selftests/vsock: add tests for host <-> vm connectivity with
>   namespaces" to skip test 29 in vsock_test for namespace local
>   vsock_test calls in a host local-mode namespace. There is a
>   false-positive edge case for that test encountered with the
>   ->stream_allow() approach. More details in that patch.
> - updated cover letter with new test output
> - Link to v11: https://lore.kernel.org/r/20251120-vsock-vmtest-v11-0-55cbc80249a7@meta.com
>
> Changes in v11:
> - vmtest: add a patch to use ss in wait_for_listener functions and
>   support vsock, tcp, and unix. Change all patches to use the new
>   functions.
> - vmtest: add a patch to re-use vm dmesg / warn counting functions
> - Link to v10: https://lore.kernel.org/r/20251117-vsock-vmtest-v10-0-df08f165bf3e@meta.com
>
> Changes in v10:
> - Combine virtio common patches into one (Stefano)
> - Resolve vsock_loopback virtio_transport_reset_no_sock() issue
>   with info->vsk setting. This eliminates the need for skb->cb,
>   so remove skb->cb patches.
> - many line width 80 fixes
> - Link to v9: https://lore.kernel.org/all/20251111-vsock-vmtest-v9-0-852787a37bed@meta.com
>
> Changes in v9:
> - reorder loopback patch after patch for virtio transport common code
> - remove module ordering tests patch because loopback no longer depends
>   on pernet ops
> - major simplifications in vsock_loopback
> - added a new patch for blocking local mode for guests, added test case
>   to check
> - add net ref tracking to vsock_loopback patch
> - Link to v8: https://lore.kernel.org/r/20251023-vsock-vmtest-v8-0-dea984d02bb0@meta.com
>
> Changes in v8:
> - Break generic cleanup/refactoring patches into standalone series,
>   remove those from this series
> - Link to dependency: https://lore.kernel.org/all/20251022-vsock-selftests-fixes-and-improvements-v1-0-edeb179d6463@meta.com/
> - Link to v7: https://lore.kernel.org/r/20251021-vsock-vmtest-v7-0-0661b7b6f081@meta.com
>
> Changes in v7:
> - fix hv_sock build
> - break out vmtest patches into distinct, more well-scoped patches
> - change `orig_net_mode` to `net_mode`
> - many fixes and style changes in per-patch change sets (see individual
>   patches for specific changes)
> - optimize `virtio_vsock_skb_cb` layout
> - update commit messages with more useful descriptions
> - vsock_loopback: use orig_net_mode instead of current net mode
> - add tests for edge cases (ns deletion, mode changing, loopback module
>   load ordering)
> - Link to v6: https://lore.kernel.org/r/20250916-vsock-vmtest-v6-0-064d2eb0c89d@meta.com
>
> Changes in v6:
> - define behavior when mode changes to local while socket/VM is alive
> - af_vsock: clarify description of CID behavior
> - af_vsock: use stronger language around CID rules (don't use "may")
> - af_vsock: improve naming of buf/buffer
> - af_vsock: improve string length checking on proc writes
> - vsock_loopback: add space in struct to clarify lock protection
> - vsock_loopback: do proper cleanup/unregister on vsock_loopback_exit()
> - vsock_loopback: use virtio_vsock_skb_net() instead of sock_net()
> - vsock_loopback: set loopback to NULL after kfree()
> - vsock_loopback: use pernet_operations and remove callback mechanism
> - vsock_loopback: add macros for "global" and "local"
> - vsock_loopback: fix length checking
> - vmtest.sh: check for namespace support in vmtest.sh
> - Link to v5: https://lore.kernel.org/r/20250827-vsock-vmtest-v5-0-0ba580bede5b@meta.com
>
> Changes in v5:
> - /proc/net/vsock_ns_mode -> /proc/sys/net/vsock/ns_mode
> - vsock_global_net -> vsock_global_dummy_net
> - fix netns lookup in vhost_vsock to respect pid namespaces
> - add callbacks for vsock_loopback to avoid circular dependency
> - vmtest.sh loads vsock_loopback module
> - remove vsock_net_mode_can_set()
> - change vsock_net_write_mode() to return true/false based on success
> - make vsock_net_mode enum instead of u8
> - Link to v4: https://lore.kernel.org/r/20250805-vsock-vmtest-v4-0-059ec51ab111@meta.com
>
> Changes in v4:
> - removed RFC tag
> - implemented loopback support
> - renamed new tests to better reflect behavior
> - completed suite of tests with permutations of ns modes and vsock_test
>   as guest/host
> - simplified socat bridging with unix socket instead of tcp + veth
> - only use vsock_test for success case, socat for failure case (context
>   in commit message)
> - lots of cleanup
>
> Changes in v3:
> - add notion of "modes"
> - add procfs /proc/net/vsock_ns_mode
> - local and global modes only
> - no /dev/vhost-vsock-netns
> - vmtest.sh already merged, so new patch just adds new tests for NS
> - Link to v2:
>   https://lore.kernel.org/kvm/20250312-vsock-netns-v2-0-84bffa1aa97a@gmail.com
>
> Changes in v2:
> - only support vhost-vsock namespaces
> - all g2h namespaces retain old behavior, only common API changes
>   impacted by vhost-vsock changes
> - add /dev/vhost-vsock-netns for "opt-in"
> - leave /dev/vhost-vsock to old behavior
> - removed netns module param
> - Link to v1:
>   https://lore.kernel.org/r/20200116172428.311437-1-sgarzare@redhat.com
>
> Changes in v1:
> - added 'netns' module param to vsock.ko to enable the
>   network namespace support (disabled by default)
> - added 'vsock_net_eq()' to check the "net" assigned to a socket
>   only when 'netns' support is enabled
> - Link to RFC: https://patchwork.ozlabs.org/cover/1202235/
>
> ---
> Bobby Eshleman (12):
>       vsock: add netns to vsock core
>       virtio: set skb owner of virtio_transport_reset_no_sock() reply
>       vsock: add netns support to virtio transports
>       selftests/vsock: increase timeout to 1200
>       selftests/vsock: add namespace helpers to vmtest.sh
>       selftests/vsock: prepare vm management helpers for namespaces
>       selftests/vsock: add vm_dmesg_{warn,oops}_count() helpers
>       selftests/vsock: use ss to wait for listeners instead of /proc/net
>       selftests/vsock: add tests for proc sys vsock ns_mode
>       selftests/vsock: add namespace tests for CID collisions
>       selftests/vsock: add tests for host <-> vm connectivity with namespaces
>       selftests/vsock: add tests for namespace deletion
>
>  MAINTAINERS                             |    1 +
>  drivers/vhost/vsock.c                   |   44 +-
>  include/linux/virtio_vsock.h            |    9 +-
>  include/net/af_vsock.h                  |   61 +-
>  include/net/net_namespace.h             |    4 +
>  include/net/netns/vsock.h               |   21 +
>  net/vmw_vsock/af_vsock.c                |  335 +++++++++-
>  net/vmw_vsock/hyperv_transport.c        |    7 +-
>  net/vmw_vsock/virtio_transport.c        |   22 +-
>  net/vmw_vsock/virtio_transport_common.c |   62 +-
>  net/vmw_vsock/vmci_transport.c          |   26 +-
>  net/vmw_vsock/vsock_loopback.c          |   22 +-
>  tools/testing/selftests/vsock/settings  |    2 +-
>  tools/testing/selftests/vsock/vmtest.sh | 1055 +++++++++++++++++++++++++++++--
>  14 files changed, 1531 insertions(+), 140 deletions(-)
> ---
> base-commit: d8f87aa5fa0a4276491fa8ef436cd22605a3f9ba
> change-id: 20250325-vsock-vmtest-b3a21d2102c2
>
> Best regards,
> --
> Bobby Eshleman
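
The local/global isolation rule described in the quoted cover letter, checked against the selftest names it lists, as an added example (a model written for this page, not code from the series or from either participant). `Netns`, `visible`, `predict` and `mismatches` are hypothetical names, and the mode assigned to each side of a test is an assumption read off that test's name.

```python
# Added model of the namespace rules in the cover letter; not kernel code.
from dataclasses import dataclass

G, L = "global", "local"

@dataclass(frozen=True)  # frozen: the mode cannot change after creation
class Netns:
    name: str
    mode: str

def visible(a: Netns, b: Netns) -> bool:
    """A CID or endpoint in `a` is visible from `b` iff same netns or both global."""
    return a.name == b.name or (a.mode == G and b.mode == G)

# (selftest name from the cover letter, mode of side A, mode of side B).
# Modes are assumptions read off each name; "ns_same_*" means one shared netns.
CASES = [
    ("ns_global_same_cid_fails", G, G),
    ("ns_local_same_cid_ok", L, L),
    ("ns_global_local_same_cid_ok", G, L),
    ("ns_local_global_same_cid_ok", L, G),
    ("ns_diff_global_host_connect_to_global_vm_ok", G, G),
    ("ns_diff_global_host_connect_to_local_vm_fails", G, L),
    ("ns_diff_global_vm_connect_to_global_host_ok", G, G),
    ("ns_diff_global_vm_connect_to_local_host_fails", G, L),
    ("ns_diff_local_host_connect_to_local_vm_fails", L, L),
    ("ns_diff_local_vm_connect_to_local_host_fails", L, L),
    ("ns_diff_global_to_local_loopback_local_fails", G, L),
    ("ns_diff_local_to_global_loopback_fails", L, G),
    ("ns_diff_local_to_local_loopback_fails", L, L),
    ("ns_diff_global_to_global_loopback_ok", G, G),
    ("ns_same_local_loopback_ok", L, L),
    ("ns_same_local_host_connect_to_local_vm_ok", L, L),
    ("ns_same_local_vm_connect_to_local_host_ok", L, L),
]

def predict(test: str, mode_a: str, mode_b: str) -> str:
    a = Netns("ns0", mode_a)
    b = a if test.startswith("ns_same_") else Netns("ns1", mode_b)
    seen = visible(a, b)
    # A CID test passes when the second allocation does NOT see the first;
    # a connectivity test passes when the peer IS visible.
    ok = (not seen) if "_same_cid_" in test else seen
    return "ok" if ok else "fails"

def mismatches() -> list:
    """Selftest names whose _ok/_fails suffix the model does not reproduce."""
    return [t for t, ma, mb in CASES if not t.endswith("_" + predict(t, ma, mb))]
```

An empty result from `mismatches()` means the single rule "same namespace, or both sides global" accounts for every CID-collision and connectivity outcome in the listed test run.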