[libvirt] [PATCH] RFC: use a slirp helper process

Marc-André Lureau marcandre.lureau at redhat.com
Thu Apr 25 13:47:05 UTC 2019 

Hi

On Thu, Apr 25, 2019 at 3:22 PM Michal Privoznik <mprivozn at redhat.com> wrote:
>
> On 4/18/19 3:24 PM, marcandre.lureau at redhat.com wrote:
> > From: Marc-André Lureau <marcandre.lureau at redhat.com>
> >
> > I am throwing this away for discussions, and early feedback.
> >
> > With the upcoming release of libslirp[1], we have an opportunity to
> > run SLIRP networking in a separate process. This will allow for
> > stricter security policies for both qemu & slirp, as slirp is
> > notoriously not very safe (discussed on ML, various CVEs, and even the
> > code says so explicitly in the comments), yet people rely on it regularly.
>
> Do they? I mean, SLIRP is broken in libvirt for quite some time and we
> haven't noticed nor seen a bug about it. What is the typical use anyway?

"user" networking (<interface type='user'>) is not broken, it's
guestfwd that is not working for a while apparently.

Various projects use slirp forks, that's why we decided to make it
again a standalone project / library that can be shared. slirp4netns
(used by podman afaik), is perhaps the most worrisome to me.


> I can see some potential in combining -netdev user + -chardev where one
> could see/inject packets into a guest (if I got that correctly). But
> that can't work currently, because libvirt doesn't allow setting all the
> interesting bits (like subnet mask).
>
> >
> > For network type "user", libvirt could spawn an helper process (an
> > experimental version is [2]). It would setup a socket pair between
> > qemu and the helper and use -net socket. qemu could then be built
> > without libslirp! (imho, qemu should deprecate built-in -net user
> > support, and doesn't need to grow its own sub-process handling)
> >
> > This libvirt patch is a bit rough, I am not sure where things should
> > go. In particular, how to manage the subprocesses properly (security
> > aspects, and lifecycle etc), and how to deal with migration (prevent
> > migrating from non-helper to helper version etc).
> >
> > It seems guestfwd has been non-functional for a while. This is also
> > something that the current experimental helper doesn't support
> > atm. Doing all the various "channel" types that libvirt/qemu support
> > would be tedious, and probably unnecessary. But the underlying
> > libslirp library support redirections the same way qemu does today, so
> > it could be added if necessary.
> >
> > At this point, the slirp-helper doesn't handle migration. But is it
> > really worth it? From a guest POV, it would look like packet lost or
> > disconnection. Adding migration handling is possible, to avoid a
> > disconnection event. How should it be done? via a libvirt provided
> > socket for storage? via its own file transferred by libvirt? via qemu
> > somehow (qemu wouldn't really know about the external process but
> > would copy around the migration bits?).
> >
> > Does the helper need to have a "standard" & capabilities, similar to
> > what is proposed for vhost-user [3]? This would allow for easier
> > competing implementation to emerge (I have plans in mind, not using
> > libslirp).
> >
> > Thanks for the feedback!
> >
> > [1] https://gitlab.freedesktop.org/slirp/libslirp
> > [2] https://github.com/elmarco/libslirp-rs
> > [3] https://git.qemu.org/?p=qemu.git;a=blob;f=docs/interop/vhost-user.json
> >
> > Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
> > ---
> >   m4/virt-driver-qemu.m4             |  5 ++
> >   src/qemu/libvirtd_qemu.aug         |  1 +
> >   src/qemu/qemu.conf                 |  3 ++
> >   src/qemu/qemu_capabilities.c       |  6 +++
> >   src/qemu/qemu_capabilities.h       |  1 +
> >   src/qemu/qemu_command.c            | 38 +++++++++++---
> >   src/qemu/qemu_command.h            |  3 +-
> >   src/qemu/qemu_conf.c               |  7 ++-
> >   src/qemu/qemu_conf.h               |  1 +
> >   src/qemu/qemu_domain.c             | 11 ++++
> >   src/qemu/qemu_domain.h             |  3 ++
> >   src/qemu/qemu_hotplug.c            |  5 +-
> >   src/qemu/qemu_interface.c          | 80 ++++++++++++++++++++++++++++++
> >   src/qemu/qemu_interface.h          |  6 +++
> >   src/qemu/test_libvirtd_qemu.aug.in |  1 +
> >   15 files changed, 161 insertions(+), 10 deletions(-)
>
> The code looks more or less okaysh, but I'd rather discuss the future of
> slirp for now.
>

Well, that's what I propose to discuss with this proposal. Make
current libslirp usage safer by using it as a subprocess, continue to
improve/fix it, and allow competing implementation to emerge.

thanks for the feedback

More information about the libvir-list mailing list