Proposal: Add vsock support to KubeVirt #191
Conversation
Signed-off-by: Roman Mohr <rmohr@google.com>
kubevirt-bot
added
the
dco-signoff: yes
|
/cc @rthallisey |
Signed-off-by: Roman Mohr <rmohr@google.com>
|
/lgtm |
|
|
||
| #### API changes | ||
|
|
||
| A `autoattachVsock` flag will be added to the VMI spec at `spec.domain.devices` which defaults to `false` to stay backward compatible. Also a `VsockCID` field will be added to the VMI status as `status.vsockCID` for CID allocation and lookup. |
There was a problem hiding this comment.
is there any chance that we'll need more fields associated with vsock other that "true|false" for attachment? if so, maybe we shouldn't use a boolean.
There was a problem hiding this comment.
libvirt has three fields, one for auto-cid selection, one for the virtio model and one for manual cid assignment. Model has to be in sync with other virtio devices and auto-assignment of the CID does not make sense in our design. We could not come up with additional use-cases where more fields would have to be on the VMI. For e.g. confidential computing I would expect that vsock as a whole has to be disabled, but that's about it ...
There was a problem hiding this comment.
Can you think about something?
There was a problem hiding this comment.
Could that be that we will need more than one vsock per guest at some point?
There was a problem hiding this comment.
Hm, it is technically possible to attach multiple vsock devices, but guest drivers don't have a concept of multiple vsock devices. See for instance https://bugzilla.redhat.com/show_bug.cgi?id=1455015.
There was a problem hiding this comment.
Ah, okay. I thought I read about multiple transports with vsock, but I might be wrong.
I guess we won't be able to have both the qemu guest agent and another agent using vsocks.
There was a problem hiding this comment.
The vsock device has ports like TCP/IP. We can have a lot of agents over the single device. That is probably what you read about.
|
/lgtm |
|
/approve The community has already been discussing this design (in google doc form) for a few days before this pr was created, and no strong objections have been raised. I put a |
kubevirt-bot
added
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: davidvossel The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
kubevirt-bot
added
the
approved
design-proposals/vsock/vsock.md
Outdated
|
|
||
| * The whole `vsock` features will live behind a feature gate | ||
| * By default the first 1024 ports of a vsock device are privileged. Services trying to connect to those require `CAP_NET_BIND_SERVICE`. | ||
| * We aim to block the `AF_VSOCK` `socket` syscall in containerd (https://github.com/containerd/containerd/issues/7442), however if that will happen is not sure. It is therefore right now the responsibility of the vendor to apply the required seccomp change to all unprivileged ports, or to verify that the `CAP_NET_BIND_SERVICE` privilege is handed out carefully enough |
There was a problem hiding this comment.
Why did you choose containerd? I think containers/common would also benefit and might even reach a broader spectrum of users. (Kubervirt itself doesn't use containerd for some time...)
There was a problem hiding this comment.
Yes KubeVirt uses cri-o in CI, but we use containerd and KubeVirt is not designed to only work with a specific CRI. This is an independent effort of this proposal to secure it for our purpose. I think it makes a lot of sense to also push this to other popular CRIs, but it is out of scope of this proposal :). But I explicitly wanted to mention this so that it can easily be picked up for other CRIs if there is interest.
There was a problem hiding this comment.
I see. I read the proposal as a community - meaning we == community, and in that sense, it would make more sense to aim for changes in crio(therefore containers/common). I can pick this up.
There was a problem hiding this comment.
Ah, I see the confusion now regarding to the usage of we. 👍
design-proposals/vsock/vsock.md
Outdated
| ### Possible next steps | ||
|
|
||
| * Allow running `qemu-guest-agent` over virtio-vsock too | ||
| * Introduce a general purpose mechanism via gRPC in virt-handler which allows efficient and scalable collection of version and readiness of registered third-party agents without having to alter virt-handler, or having to run additional node-local services. Also move the `qemu-guest-agent` polling behind this mechanism. |
There was a problem hiding this comment.
Nit qemu-quest-agent use case is mentioned above.
There was a problem hiding this comment.
Could you explain what you mean? Running qemu-guest-agent on vsock is an explicit non-goal, but I wanted to outline how a possible future integration in a more general guest-agent mechanism could look like.
There was a problem hiding this comment.
There are two points:
- Allow running
qemu-guest-agentover virtio-vsock too - end of the point "Also move the
qemu-guest-agentpolling behind this mechanism.
" <- feels redundant
There was a problem hiding this comment.
Hm, they are two different points though:
- This proposal does not change code-paths in virt-handler to allow running the qemu-guest-agent via vsock, that is the first point.
- Another point would be introducing a common polling mechanism, where no extra handling for the qemu-guest-agent would be there, it would use a common extensible mechanism.
That are just some rough ideas to highlight that while qemu-guest-agent is not tackled in this proposal, it is not in the way of doing so later.
There was a problem hiding this comment.
Now I got you. I still feel like the last part of the second point is redundant. Your comment explained it very well, maybe we can incorporate it into the points?
* Remove ambiguity of who is meant with "We" in the security section * Better explain how future steps beyond this proposal could look like Signed-off-by: Roman Mohr <rmohr@google.com>
|
/unhold |
kubevirt-bot
removed
the
do-not-merge/hold
Proposal to add vsock support to KubeVirt.
gdoc which was used for initial discussions: https://docs.google.com/document/d/1KfFsO6jKvie9EGMl9FOMtfqAYAMUFOTl2nIup14besA/edit