svn commit: r361275 - in head/sys: conf dev/hyperv/hvsock dev/hyperv/include dev/hyperv/vmbus modules/hyperv modules/hyperv/hvsock sys

Sat May 30 19:10:41 UTC 2020

> -----Original Message-----
> From: Kyle Evans <kevans at freebsd.org>
> Sent: Saturday, May 30, 2020 2:33 AM
> To: Wei Hu <weh at microsoft.com>
> Cc: src-committers <src-committers at freebsd.org>; svn-src-all <svn-src-
> all at freebsd.org>; svn-src-head <svn-src-head at freebsd.org>
> Subject: Re: svn commit: r361275 - in head/sys: conf dev/hyperv/hvsock
> dev/hyperv/include dev/hyperv/vmbus modules/hyperv
> modules/hyperv/hvsock sys
> 
> On Fri, May 29, 2020 at 12:08 PM Wei Hu <weh at microsoft.com> wrote:
> > > -----Original Message-----
> > > > > [... snip ...]
> > > > > +void
> > > > > +hvs_trans_init(void)
> > > > > +{
> > > > > +       /* Skip initialization of globals for non-default instances. */
> > > > > +       if (!IS_DEFAULT_VNET(curvnet))
> > > > > +               return;
> > > > > +
> > > > > +       if (vm_guest != VM_GUEST_HV)
> > > > > +               return;
> > > > > +
> > > > > +       HVSOCK_DBG(HVSOCK_DBG_VERBOSE,
> > > > > +           "%s: HyperV Socket hvs_trans_init called\n",
> > > > > + __func__);
> > > > > +
> > > > > +       /* Initialize Globals */
> > > > > +       previous_auto_bound_port = MAX_PORT;
> > > > > +       sx_init(&hvs_trans_socks_sx, "hvs_trans_sock_sx");
> > > > > +       mtx_init(&hvs_trans_socks_mtx,
> > > > > +           "hvs_trans_socks_mtx", NULL, MTX_DEF);
> > > > > +       LIST_INIT(&hvs_trans_bound_socks);
> > > > > +       LIST_INIT(&hvs_trans_connected_socks);
> > > > > +}
> > > > > +
> > > >
> > > > I have a suspicion that all of these should really be per-vnet for
> > > > correct semantics with VIMAGE, with the IS_DEFAULT_VNET check
> > > > earlier dropped completely. I haven't read around the rest all
> > > > that much, but this would at least seem to prevent port re-use by
> > > > a different vnet, which is perhaps "good enough" but I think this
> > > > is something that should be fixed in the mid-term.
> > > >
> > >
> > > I have a follow-up concern about whether this is actually going to
> > > be maintained... it's been a full week with not even an
> > > acknowledgement or rebuttal of any of the concerns I've raised, with
> > > some of them being completely trivial to address in the short-term.
> > > I don't think that we really want this in the tree in its current state given
> this level of engagement.
> > >
> > Sorry for my late response, Kyle. I read your comments last week. To
> > be honest I am not familiar to VNET and VIMAGE, so I don't quite
> > understand. I got distracted into other work so my response to this was
> delayed.
> >
> > Do you mean to drop these two lines?
> >        if (!IS_DEFAULT_VNET(curvnet))
> >                return
> > I copied these from other socket init code. If they are not necessary I can
> remove them.
> >
> 
> Alright, let's rewind a little bit here. =-) Consider while reading the below that I
> have no idea what the host-side of these sockets look like beyond what I just
> very quickly skimmed from [0].
> 
> It's a little more involved than that; consider each vnet as its own independent
> network stack that's largely isolated from other vnets.
> The host starts out with a vnet, vnet0 (the default vnet), and root may spawn
> additional vnets attached to jails to allow the jail to operate its own network
> stack as well. Your pr_init will get called once per vnet spawned, including the
> obvious default vnet, which is why the check is there in the first place -- you
> may have some global state that only needs to be initialized once, at which
> point you would exclude non-default vnets from executing those bits.
> 
> The more I think about it, though, the more I wonder if hvsock makes sense at
> all in non-default vnet contexts and whether hvs_trans_attach should really be
> attaching to sockets outside of the default vnet. You can bind in your FreeBSD
> HyperV guest to a port, and a host service's option for connecting is specifying
> guest GUID + port; there's not really any wiggle room for multiple entities
> within a guest to be binding to a given port anyways. It may very well be the
> case that the status quo is the optimal outcome.
> 
> Given that, does it make sense that the host connects via the guest GUID and
> can potentially end up connected to some jail of unknown trust operating its
> own network stack?
> 
> As a final scattered thought for the hour, does the Linux implementation of this
> stuff do anything to give a guest admin visibility into existing HyperV sockets on
> the system? AFAICT here, there's no sockstat integration or anything else that
> might export hvsock information to userland, so one's only option to tracking
> down whether a HyperV socket even exists and to which process it belongs
> would appear to be probing around in the kernel.
> 
The HyperV host only connects to guest using the guest unique GUID and a port
number. Once connection is requested, host sends a virtualized vmbus device offer 
to guest using different mechanism. On the guest side when the device office is in, 
it checks if the port is bound, then a communication channel on vmbus is established 
and a new socket is created. Two sides can talk over this channel after that. The 
same applies to the guest to host connection. 

The guest admin has no visibility of existing HyperV sockets on host side. 

Thanks,
Wei