Use VSOCK when is available in the host.#497
Use VSOCK when is available in the host.#497bergwolf merged 10 commits intokata-containers:masterfrom
Conversation
|
Thanks guys! Will take a look today ;) |
virtcontainers/qemu.go
Outdated
| defer func(qemu *qemu) { | ||
| if q.qmpMonitorCh.qmp != nil { | ||
| q.qmpMonitorCh.qmp.Shutdown() | ||
| q.qmpMonitorCh.qmp = nil |
There was a problem hiding this comment.
is this specific to the vsock addition? Can you clarify why this is part of the initial commit?
There was a problem hiding this comment.
I guess you're trying to fix a wrong behavior that you have seen somewhere? If this is needed, it should be part of a separate commit with the reason for this.
There was a problem hiding this comment.
We use the qmp socket later to hotoplug the vsock device
Because we call Shutdown to close the qmp channel, later when we try to inialize the qmp connection again we dont do it because the qmp instance already exist but with the channel closed leading to fail to use it.
There was a problem hiding this comment.
@jcvenegas This seems to be an existing bug, can you put this in a separate commit with the explanation you provided above as the commit message.
There was a problem hiding this comment.
sweet, not needed anymore.
There was a problem hiding this comment.
Yeah #501 has been merged, you can simply remove the commit now :) (after rebasing obviously!)
virtcontainers/qemu.go
Outdated
| return 0, err | ||
| } | ||
|
|
||
| q.qmpMonitorCh.qmp = qmp |
There was a problem hiding this comment.
I see that we aren't consistent on the QMP channel setup throughout the file, and that this appears to be boiler plate code. Should we standardize? See hotplugAddMemory and hotplugBlockDevice. WDYT?
There was a problem hiding this comment.
yes, I've seen the same with in the muitples places we setup a QMP channel. I agree we should refactor that to avoid code duplication.
There was a problem hiding this comment.
Yes, this should be definitely done to avoid bugs. It can be done in another PR though. Please open an issue to make sure we don't loose track of this.
There was a problem hiding this comment.
Or even as a first step, at least be consistent, since we seem to have a couple different patterns here...
devimc
force-pushed
the
vsock-runtime5
branch
2 times, most recently
from
2a0b5ff to
68dda5f
Compare
jcvenegas
force-pushed
the
vsock-runtime5
branch
2 times, most recently
from
0d57518 to
6cd9ae5
Compare
virtcontainers/hypervisor.go
Outdated
| // memoryDevice is memory device type | ||
| memoryDev | ||
|
|
||
| // vSockDev is vsock device type |
There was a problem hiding this comment.
there's two spaces between device and type
virtcontainers/qemu.go
Outdated
| defer func(qemu *qemu) { | ||
| if q.qmpMonitorCh.qmp != nil { | ||
| q.qmpMonitorCh.qmp.Shutdown() | ||
| q.qmpMonitorCh.qmp = nil |
There was a problem hiding this comment.
I guess you're trying to fix a wrong behavior that you have seen somewhere? If this is needed, it should be part of a separate commit with the reason for this.
virtcontainers/qemu.go
Outdated
|
|
||
| func (q *qemu) hotplugVSock(op operation) (uint32, error) { | ||
| if op == removeDevice { | ||
| return 0, errors.New("Not implemented") |
There was a problem hiding this comment.
Could you generate a more verbose message here. Also, I don't think we would want to implement it since we won't change the way we communicate with the agent during the VM lifetime. So I would simply say that it's not supported because there's no reason to do so.
virtcontainers/qemu.go
Outdated
| return 0, err | ||
| } | ||
|
|
||
| q.qmpMonitorCh.qmp = qmp |
There was a problem hiding this comment.
Yes, this should be definitely done to avoid bugs. It can be done in another PR though. Please open an issue to make sure we don't loose track of this.
virtcontainers/qemu.go
Outdated
| q.qmpMonitorCh.qmp = nil | ||
| }() | ||
| } | ||
| // TODO: Find a free contextID |
There was a problem hiding this comment.
I guess you can remove this TODO since you solved the issue later in the other commits, right ?
And you should re-order the commits to avoid such hardcoding of the cid.
virtcontainers/kata_agent.go
Outdated
| } | ||
| case kataVSOCK: | ||
| // TODO Add an hypervisor vsock | ||
| k.Logger().Debug("Using vSock device will be plugged later") |
There was a problem hiding this comment.
This makes me think, we should maybe try to also hotplug the serial ports in case we don't use vsock.
There was a problem hiding this comment.
nop, serial ports don't need a unique context ID, from #383
Since we don't know the context IDs that are being used by other processes, we have to check if the context ID we are about to use is free (ioctl VHOST_VSOCK_SET_GUEST_CID)
even implementing above points, we might face race conditions with other processes, because of ioctl VHOST_VSOCK_SET_GUEST_CID doesn't lock the context ID and other process can use it before we launch the QEMU process, to avoid this issue vsocks must be hot plugged
There was a problem hiding this comment.
The idea is not increase the boot time for the serial port case, so we decied to not hotplug and detect if vsock will be used early in the setup. An extra validation that may help is to not add a serial port vsock is supported to reduce memory footprint.
There was a problem hiding this comment.
Sorry if I was not clear but I'm just saying that in the case this switch find we'll use serial port, we could also hotplug the serial port, instead of cold plugging it.
Problem is, if we do that, the logic you introduced from the agent (first checking serial and then checking vsock) would not work. It'd be nice to have a way to indicate to the agent which type of communication is being used...
virtcontainers/kata_agent.go
Outdated
| type9pFs = "9p" | ||
| vsockSocketScheme = "vsock" | ||
| vSockDevicePath = "/dev/vsock" | ||
| vSockPort = 1024 |
There was a problem hiding this comment.
This needs to be in sync with the agent, right? If that's the case, we should define it on the agent side and import this through the agent vendoring.
virtcontainers/qemu.go
Outdated
| func findContextID() (uint32, error) { | ||
| // Fixme | ||
| return 3, nil | ||
| func (q *qemu) findContextID() (uint32, error) { |
There was a problem hiding this comment.
Could you please add a big chunk of comment here to explain why this function is needed and what it does to work around the issue.
virtcontainers/kata_agent.go
Outdated
| return uint32(cid), uint32(port), nil | ||
| } | ||
|
|
||
| func supportsVsocks() bool { |
There was a problem hiding this comment.
Ah nice, I see that you have added the configuration I was mentioning in my previous comment, that's good !
cli/config.go
Outdated
| } | ||
|
|
||
| useVSOCK := false | ||
| if h.useVSOCK() && utils.SupportsVsocks() { |
There was a problem hiding this comment.
I think it could be good to print some log here in case the user wants to use vsock but the system actually does not allow it because there is no vsock support.
Otherwise, the user might think enabling the flag will work, but in reality the legacy case with the proxy and serial port will be used.
There was a problem hiding this comment.
Something like this:
if h.useVSOCK() {
if utils.SupportsVsocks() {
kataLog.Info("vsock supported")
useVSOCK = true
} else {
kataLog.Warn("No vsock support, falling back to legacy serial port")
}
virtcontainers/sandbox.go
Outdated
|
|
||
| s.Logger().Info("VM started") | ||
|
|
||
| data, err := s.hypervisor.hotplugAddDevice(nil, vSockDev) |
There was a problem hiding this comment.
Agree, this should be taken care by the agent.
virtcontainers/kata_agent.go
Outdated
| return uint32(cid), uint32(port), nil | ||
| } | ||
|
|
||
| func supportsVsocks() bool { |
There was a problem hiding this comment.
So you have deleted function supportsVsocks introduced in a previous commit and added SupportsVsocks here.
Could you rebase/reorganise your commits so that we just have SupportsVsocks
| return virtLog.WithField("subsystem", "kata_agent") | ||
| } | ||
|
|
||
| func parseVSOCKAddr(sock string) (uint32, uint32, error) { |
There was a problem hiding this comment.
Can you do add -p style commits so that this function is not introduced in the first place?
|
Build failed (third-party-check pipeline) integration testing with
|
|
PSS Measurement: Memory inside container: |
|
PSS Measurement: Memory inside container: |
|
PSS Measurement: Memory inside container: |
|
PSS Measurement: Memory inside container: |
|
PSS Measurement: Memory inside container: |
|
Build succeeded (third-party-check pipeline).
|
virtcontainers/kata_agent.go
Outdated
| sandbox.Logger().Info("Got context ID ", contextID) | ||
| s.contextID = contextID | ||
| s.port = uint32(vSockPort) | ||
| k.vmSocket = s |
There was a problem hiding this comment.
Please persist the vsock CID and port info so that we know how to reconnect to an existing guest.
There was a problem hiding this comment.
@bergwolf it already save the URL to reconnect in the state.URL.
Codecov Report
@@ Coverage Diff @@
## master #497 +/- ##
==========================================
- Coverage 66.66% 66.53% -0.14%
==========================================
Files 93 94 +1
Lines 9608 9672 +64
==========================================
+ Hits 6405 6435 +30
- Misses 2516 2546 +30
- Partials 687 691 +4 |
|
PSS Measurement: Memory inside container: |
devimc
force-pushed
the
vsock-runtime5
branch
2 times, most recently
from
5f9d66a to
52ac223
Compare
|
PSS Measurement: Memory inside container: |
|
Build failed (third-party-check pipeline) integration testing with
|
devimc
force-pushed
the
vsock-runtime5
branch
2 times, most recently
from
c6cc48b to
4fa5a30
Compare
|
PSS Measurement: Memory inside container: |
|
Build failed (third-party-check pipeline) integration testing with
|
|
CI looks good :) |
|
LGTM. @devimc please fix up |
add vhostfd and disable-modern to vhost-vsock-pci shortlog: 3830b44 qemu: add vhostfd and disable-modern to vhost-vsock-pci f700a97 qemu/qmp: implement function to hotplug vsock-pci Signed-off-by: Julio Montes <julio.montes@intel.com>
Implement function to check if the system has support for vsocks. This function looks for vsock and vhost-vsock devices returning true if those exist, otherwise false. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com> Signed-off-by: Julio Montes <julio.montes@intel.com>
FindContextID generates a random number between 3 and max uint32 and uses it as context ID. Using ioctl findContextID checks if the context ID is free, if the context ID is being used by other process, this function iterates from over all valid context IDs until one is available. `/dev/vhost-vsock` is used to check what context IDs are free, we need it to ensure we are using a unique context ID to create the vsocks. Signed-off-by: Julio Montes <julio.montes@intel.com>
We already save the URL used to connect to the agent in the `state.URL` this variable is the used to connect the shim to agnet independently the socket type (VSOCK or serial) Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com>
|
PSS Measurement: Memory inside container: |
Add `use_vsock` option to enable or disable the use of vsocks for communication between host and guest. Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com> Signed-off-by: Julio Montes <julio.montes@intel.com>
In order to see what proxy was started or not, we should log its type and the URL Signed-off-by: Jose Carlos Venegas Munoz <jose.carlos.venegas.munoz@intel.com> Signed-off-by: Julio Montes <julio.montes@intel.com>
add extra field in KataAgentConfig structure to specify if the kata agent have to use a vsock instead of serial port. Signed-off-by: Julio Montes <julio.montes@intel.com>
`appendVSockPCI` function can be used to cold plug vocks, vhost file descriptor holds the context ID and it's inherit by QEMU process, ID must be unique and disable-modern prevents qemu from relying on fast MMIO. Signed-off-by: Julio Montes <julio.montes@intel.com>
parseVSOCKAddr function is no more needed since now agent config contains a field to identify if vsocks should be used or not. Signed-off-by: Julio Montes <julio.montes@intel.com>
|
Build failed (third-party-check pipeline) integration testing with
|
When the hypervisor option `use_vsock` is true the runtime will check for vsock support. If vsock is supported, not proxy will be used and the shims will connect to the VM using VSOCKS. This flag is true by default, so will use VSOCK when possible and no proxy will be started. fixes kata-containers#383 Signed-off-by: Jose Carlos Venegas Munoz jose.carlos.venegas.munoz@intel.com Signed-off-by: Julio Montes <julio.montes@intel.com>
|
PSS Measurement: Memory inside container: |
|
Build succeeded (third-party-check pipeline).
|
|
CI green. Let's merge it ignoring the tiny codecov drop. It removes some dead code and the UT along with it. I guess that's why it's getting the tiny codecov/project drop. |
|
@chavafg I think we should create a new Jenkins job for our CI so that we test in parallel the setup with and without VSOCK. |
|
Opened kata-containers/ci#54 to add the new job. |
9 participants
This PR completes the support to use vsock and no proxy configuration.
In order to create add VSOCK support we added:
coldplug support for VSOCK socket device.
Implemented a way to find a context ID based in a random search.
A random number is generated between 3 and max
uint32(4'294,967,295)and uses it as context ID. The range is large enough to have a low collision probability. Using
ioctlchecks if the context ID is free, else find the immediate next free context ID.When the hypervisor option
use_vsockis true the runtime will check for vsock support . If vsock is supported, not proxy will be used and the shims will connect to the VM using VSOCKS. This flag is true by default, so will use VSOCK when possible.The
kata-envsubcommand now shows information about if VSOCK will be used or not.fixes #383
Signed-off-by: Jose Carlos Venegas Munoz jose.carlos.venegas.munoz@intel.com
Signed-off-by: Julio Montes julio.montes@intel.com