VSOCK interface

[skobyda]

Vsock device support

Virtual socket support enables communication between the host and guest over a socket. Cockpit Machines now has support for setting up such a device.

The user can choose to configure a custom identifier, or let have it assigned automatically upon a VM's boot. The identifier is used by the host to uniquely identify vsock of a specific guest.

Please note that vsock still requires special vsock-aware software (e.g. socat) to communicate over the socket.

[skobyda]

The vsock facilitates communication between virtual machines and the host they are running on independent of virtual machine network configuration. Vsock Context Identifier is used to define the "address" of the vsock, e.g. when you have multiple running VMs with open vsocks, you are able identify each vsock from the host's point of view.

• You can have only one vsock attached to the VM.
• You can choose "Assign automatically". In this situation, libvirt will choose the lowest currently unused context identifier (i.e. no running VM currently has open vsock with such CID) upon a start of VM.
• When VM is not running, overview says context identifier will be assigned automatically. Once the VM is started, we show the context identifier which was automatically chosen by libvirt.

vsock_assign_automatically.webm

---

• Lowest context identifier is 3. CIDs 0-2 are reserved and user will not be able to select them.
• It's possible to assign the same CID to multiple VMs, as long as user doesn't plan to run them at the same time.

vsock_assign_manually.webm

---

• You can hotplug and unplug vsock to/from running VM, but you cannot edit vsock on a running VM. If you edit it, changes will take effect after rebooting the VM.

vsock_running.webm

[garrett]

Wow, we really need to do something about "general" being a place to shove things. I still don't understand the difference between "general" and "hypervisor details" either.

Can we work on fixing this (outside of this PR) as soon as possible? It's really beyond the point of being a scaling problem.

OK, now back to this PR: I have no idea what this is or what it is supposed to be used for. Please explain why and how someone would want and use this. ("To enable vsock" is not an answer. It would need to cover an actual task someone would want to do and/or solve a problem that someone has.)

Marking as "request changes", as we'll need to figure out what this is and (at least) change the messaging around it.

[skobyda]

OK, now back to this PR: I have no idea what this is or what it is supposed to be used for. Please explain why and how someone would want and use this. ("To enable vsock" is not an answer. It would need to cover an actual task someone would want to do and/or solve a problem that someone has.)

Generally, it's about setting up communication between the VM and host without having to setup the whole networking stack.
I made a list of very simplified use cases:

SSH
You can make connecting to VM thru ssh or copying files work without setting up networking. Imagine you have a VM in an isolated state where setting up networking for VM is not an option. Or just setting up a whole networking stack for a simple ssh is too complex and hard to maintain. Virtual sock is simpler. You can just setup a virtual socket:
You want to copy some files, e.g. network traffic dump from VM to a host

1. Configure virtual socket thru cockpit-machines
2. Setup socket-listen
   on VM: sudo socat SOCKET-LISTEN: .....
   on host: sudo socat TCP4-LISTEN:2222 .....
3. Now you can ssh into the VM: ssh root@localhost -p 2222, you can transfer files thru scp, etc. between host and VM all without complex networking.

Communication between custom programs
Normally, if you had 2 custom programs running on your system, and you want them to communicate, you could setup TCP/UDP/whatever socket communication between them. Now image however that one of these processes/programs is running in VM. you then:

1. Configure virtual socket thru cockpit-machines
2. open sockets in VM and host
3. Your programs can now communicate with each other

Another big reason for vsock is network file system.
Again, you have VM where setting up networking is not easy, but you want to setup NFS between your host and VM. You can achieve it:
(This is a simplification of https://gist.github.com/mcastelino/4be894576803acb2ed7162690c5cab31, I do not guarantee it's perfect correctness)

1. Configure virtual socket thru cockpit-machines
2. On host, create the nfs mount point on the host and invoke vsock-nfds deamon on host
3. In VM, mount the host's NFS share with options clienaddr=CID,proto=vsock, where CID specifies the Context identifier you have configured thru cockpit UI

[skobyda]

So in summary, vsock tries to achieve the same functionality which you can already achieve by normal VM's networking (establishing connection between a host and VM ). But configuring VM's networking is quite complex and hard to maintain, while vsocks are simple to configure.

[skobyda]

Fixed the last debian-testing flake, it should be green now

[skobyda]

@KKoukiou mind givind it code-review?

[skobyda]

All tests green

[martinpitt]

Thanks! Unfortunately there's a pixel test conflict. Code-wise this is mostly good, but I have some concerns about "selling" (explaining) this feature to users. Some documentation pointers about how to use it would really be nice. Like, some example how to SSH into a VM with a vsock.

[skobyda]

Oh, the tests will probably fail. Retracting review from @martinpitt until I fix them. But it's ready for design review from @garrett

[garrett]

It still has the error that if you click one button, it shows a spinner on both:

Additionally: What happens when you click cancel when the process is in action? (Shouldn't Cancel also be disabled? Same for the × icon.)

[skobyda]

It still has the error that if you click one button, it shows a spinner on both:

Additionally: What happens when you click cancel when the process is in action? (Shouldn't Cancel also be disabled? Same for the × icon.)

Ah yeah, nice catch. Fixed that:

Screencast.from.2023-05-11.15-58-21.webm

[garrett]

Thanks for solving the spinner problem.

Ideally, it'd check the checkbox when you click on the disabled number input and make cancel disabled whent he buttons are disabled too. But this is good enough and I'm going on PTO and I don't want to hold this up any longer. If you want to address those in follow-ups, that would be nice.

👍 Thanks! Looks good!

[martinpitt]

Thanks for the updates! This is that →← close from perfection. But let's let the current test run finish, to check for green-ness.

[martinpitt]

Cheers! Code changes LGTM, nice to split it out into a helper and re-use it. Tests are still failing, once they get green, I'm happy!

[martinpitt]

Dakujem!