Re: [PATCH v2 09/10] net: Add passt network backend
Laurent Vivier <lvivier@redhat.com> writes:
On 24/06/2025 10:16, Markus Armbruster wrote:
Laurent Vivier <lvivier@redhat.com> writes:
This commit introduces support for passt as a new network backend. passt is an unprivileged, user-mode networking solution that provides connectivity for virtual machines by launching an external helper process.
The implementation reuses the generic stream data handling logic. It launches the passt binary using GSubprocess, passing it a file descriptor from a socketpair() for communication. QEMU connects to the other end of the socket pair to establish the network data stream.
The PID of the passt daemon is tracked via a temporary file to ensure it is terminated when QEMU exits.
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
[...]
diff --git a/qapi/net.json b/qapi/net.json index 97ea1839813b..76d7654414f7 100644 --- a/qapi/net.json +++ b/qapi/net.json @@ -112,6 +112,125 @@ 'data': { 'str': 'str' } }
+## +# @NetDevPasstOptions: +# +# Unprivileged user-mode network connectivity using passt +# +# @path: path to passt binary
I'd prefer a more descriptive name.
Elsewhere in this file, we refer to programs like this:
# @script: script to initialize the interface # # @downscript: script to shut down the interface
passt isn't a script, of course.
I don't know, perhaps
# @passt-filename: the passt program to run.
or even
# @passt: Filename of the passt program to run.
+# +# @quiet: don't print informational messages
What does the printing? A peek at the code I snipped suggests this flag is passed to the passt binary as --quiet. Correct?
+# +# @debug: be verbose +# +# @trace: extra verbose
Likewise for these two.
+# +# @vhost-user: enable vhost-user
[...]
+# @udp-ports: UDP ports to forward
Is there anything in this struct that configures qemu-system-FOO itself, i.e. isn't just passed to passt?
Yes, all parameters are just passed to passt.
Do you think it's better not to add all these parameters to netdev backend but only one generic containing the passt command line parameters?
I'm not sure. Thoughts from libvirt's perspective?
On Tue, Jun 24, 2025 at 01:55:20PM +0200, Markus Armbruster wrote:
Laurent Vivier <lvivier@redhat.com> writes:
On 24/06/2025 10:16, Markus Armbruster wrote:
Laurent Vivier <lvivier@redhat.com> writes:
This commit introduces support for passt as a new network backend. passt is an unprivileged, user-mode networking solution that provides connectivity for virtual machines by launching an external helper process.
The implementation reuses the generic stream data handling logic. It launches the passt binary using GSubprocess, passing it a file descriptor from a socketpair() for communication. QEMU connects to the other end of the socket pair to establish the network data stream.
The PID of the passt daemon is tracked via a temporary file to ensure it is terminated when QEMU exits.
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
[...]
diff --git a/qapi/net.json b/qapi/net.json index 97ea1839813b..76d7654414f7 100644 --- a/qapi/net.json +++ b/qapi/net.json @@ -112,6 +112,125 @@ 'data': { 'str': 'str' } }
+## +# @NetDevPasstOptions: +# +# Unprivileged user-mode network connectivity using passt +# +# @path: path to passt binary
I'd prefer a more descriptive name.
Elsewhere in this file, we refer to programs like this:
# @script: script to initialize the interface # # @downscript: script to shut down the interface
passt isn't a script, of course.
I don't know, perhaps
# @passt-filename: the passt program to run.
or even
# @passt: Filename of the passt program to run.
+# +# @quiet: don't print informational messages
What does the printing? A peek at the code I snipped suggests this flag is passed to the passt binary as --quiet. Correct?
+# +# @debug: be verbose +# +# @trace: extra verbose
Likewise for these two.
+# +# @vhost-user: enable vhost-user
[...]
+# @udp-ports: UDP ports to forward
Is there anything in this struct that configures qemu-system-FOO itself, i.e. isn't just passed to passt?
Yes, all parameters are just passed to passt.
Do you think it's better not to add all these parameters to netdev backend but only one generic containing the passt command line parameters?
I'm not sure.
Thoughts from libvirt's perspective?
We already have passt support in libvirt that leverages the existing vhost-user netdev backend to connect up QEMU. I see this backend requires QEMU to be able to spawn the passt binary itselfm, which is not something libvirt would allow via our security confinement of QEMU. So that would rule out our ability to consume this netdev backend, as currently written Is there anything QEMU can do with this passt netdev, that can't be done via the vhost-user backend ? ie is this merely syntax sugar to make it easier for humans launching QEMU, or is there some feature / performance benefit ? With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
On 24/06/2025 14:03, Daniel P. Berrangé wrote:
On Tue, Jun 24, 2025 at 01:55:20PM +0200, Markus Armbruster wrote:
Laurent Vivier <lvivier@redhat.com> writes:
On 24/06/2025 10:16, Markus Armbruster wrote:
Laurent Vivier <lvivier@redhat.com> writes:
This commit introduces support for passt as a new network backend. passt is an unprivileged, user-mode networking solution that provides connectivity for virtual machines by launching an external helper process.
The implementation reuses the generic stream data handling logic. It launches the passt binary using GSubprocess, passing it a file descriptor from a socketpair() for communication. QEMU connects to the other end of the socket pair to establish the network data stream.
The PID of the passt daemon is tracked via a temporary file to ensure it is terminated when QEMU exits.
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
[...]
diff --git a/qapi/net.json b/qapi/net.json index 97ea1839813b..76d7654414f7 100644 --- a/qapi/net.json +++ b/qapi/net.json @@ -112,6 +112,125 @@ 'data': { 'str': 'str' } }
+## +# @NetDevPasstOptions: +# +# Unprivileged user-mode network connectivity using passt +# +# @path: path to passt binary
I'd prefer a more descriptive name.
Elsewhere in this file, we refer to programs like this:
# @script: script to initialize the interface # # @downscript: script to shut down the interface
passt isn't a script, of course.
I don't know, perhaps
# @passt-filename: the passt program to run.
or even
# @passt: Filename of the passt program to run.
+# +# @quiet: don't print informational messages
What does the printing? A peek at the code I snipped suggests this flag is passed to the passt binary as --quiet. Correct?
+# +# @debug: be verbose +# +# @trace: extra verbose
Likewise for these two.
+# +# @vhost-user: enable vhost-user
[...]
+# @udp-ports: UDP ports to forward
Is there anything in this struct that configures qemu-system-FOO itself, i.e. isn't just passed to passt?
Yes, all parameters are just passed to passt.
Do you think it's better not to add all these parameters to netdev backend but only one generic containing the passt command line parameters?
I'm not sure.
Thoughts from libvirt's perspective?
We already have passt support in libvirt that leverages the existing vhost-user netdev backend to connect up QEMU.
I see this backend requires QEMU to be able to spawn the passt binary itselfm, which is not something libvirt would allow via our security confinement of QEMU. So that would rule out our ability to consume this netdev backend, as currently written
Is there anything QEMU can do with this passt netdev, that can't be done via the vhost-user backend ? ie is this merely syntax sugar to make it easier for humans launching QEMU, or is there some feature / performance benefit ?
The idea is only to allow user to run directly QEMU with passt in the same way it's done with the netdev user. There is no other benefit than the easier interface for humans. For instance, we want to run '-nic passt' as we can run '-nic user'. Thanks, Laurent
Laurent Vivier <lvivier@redhat.com> writes:
On 24/06/2025 14:03, Daniel P. Berrangé wrote:
On Tue, Jun 24, 2025 at 01:55:20PM +0200, Markus Armbruster wrote:
Laurent Vivier <lvivier@redhat.com> writes:
On 24/06/2025 10:16, Markus Armbruster wrote:
Laurent Vivier <lvivier@redhat.com> writes:
This commit introduces support for passt as a new network backend. passt is an unprivileged, user-mode networking solution that provides connectivity for virtual machines by launching an external helper process.
The implementation reuses the generic stream data handling logic. It launches the passt binary using GSubprocess, passing it a file descriptor from a socketpair() for communication. QEMU connects to the other end of the socket pair to establish the network data stream.
The PID of the passt daemon is tracked via a temporary file to ensure it is terminated when QEMU exits.
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
[...]
diff --git a/qapi/net.json b/qapi/net.json index 97ea1839813b..76d7654414f7 100644 --- a/qapi/net.json +++ b/qapi/net.json @@ -112,6 +112,125 @@ 'data': { 'str': 'str' } } +## +# @NetDevPasstOptions: +# +# Unprivileged user-mode network connectivity using passt +# +# @path: path to passt binary
I'd prefer a more descriptive name.
Elsewhere in this file, we refer to programs like this:
# @script: script to initialize the interface # # @downscript: script to shut down the interface
passt isn't a script, of course.
I don't know, perhaps
# @passt-filename: the passt program to run.
or even
# @passt: Filename of the passt program to run.
+# +# @quiet: don't print informational messages
What does the printing? A peek at the code I snipped suggests this flag is passed to the passt binary as --quiet. Correct?
+# +# @debug: be verbose +# +# @trace: extra verbose
Likewise for these two.
+# +# @vhost-user: enable vhost-user
[...]
+# @udp-ports: UDP ports to forward
Is there anything in this struct that configures qemu-system-FOO itself, i.e. isn't just passed to passt?
Yes, all parameters are just passed to passt.
Do you think it's better not to add all these parameters to netdev backend but only one generic containing the passt command line parameters?
I'm not sure.
Thoughts from libvirt's perspective?
We already have passt support in libvirt that leverages the existing vhost-user netdev backend to connect up QEMU.
I see this backend requires QEMU to be able to spawn the passt binary itselfm, which is not something libvirt would allow via our security confinement of QEMU. So that would rule out our ability to consume this netdev backend, as currently written
Is there anything QEMU can do with this passt netdev, that can't be done via the vhost-user backend ? ie is this merely syntax sugar to make it easier for humans launching QEMU, or is there some feature / performance benefit ?
The idea is only to allow user to run directly QEMU with passt in the same way it's done with the netdev user. There is no other benefit than the easier interface for humans.
For instance, we want to run '-nic passt' as we can run '-nic user'.
Good to know! Put it into the commit message, please. Hmm, it's good to know for management application developers, too. So we should also put it into documentation, I guess. Where? Looking... Oh, there's a section "Using passt as the user mode network stack"in docs/system/devices/net.rst. That section clearly needs an update for the new backend. Back to the design question how to pass configuration via qemu-system to the passt program with this new backend. Your patch replicates passt command line options as optional members of QAPI type NetDevPasstOptions. Any passt options not covered are inaccessible. Or rather inaccessible via QMP / HMP / CLI. You can still access them by pointing @passt to a wrapper script. This leads us to a possible alternative: make such a wrapper script the *only* way to configure passt. This is like NetdevTapOptions @script and @downscript. Mind, I'm not telling you it's a good idea, I'm merely trying to map the solution space! Instead of trying to make NetDevPasstOptions complete (so you need to fall back to a wrapper script only when using a version of passt with different options), we can limit it to a curated set of options. We'd need to decide which ones :) You pointed out yet another alternative: pass through the passt command line directly. Two obvious ways: a single shell command string to be passed to system(3), or an array of strings to be passed to execv(3). system(3) is a terrible idea with untrusted input, but this is trusted input. Any other interface ideas? Since the backend is for human user convenience: which of these ways would be convenient for human users?
On Wed, 25 Jun 2025 08:57:27 +0200 Markus Armbruster via Devel <devel@lists.libvirt.org> wrote:
[...]
Back to the design question how to pass configuration via qemu-system to the passt program with this new backend.
Your patch replicates passt command line options as optional members of QAPI type NetDevPasstOptions. Any passt options not covered are inaccessible.
Or rather inaccessible via QMP / HMP / CLI. You can still access them by pointing @passt to a wrapper script.
This leads us to a possible alternative: make such a wrapper script the *only* way to configure passt. This is like NetdevTapOptions @script and @downscript. Mind, I'm not telling you it's a good idea, I'm merely trying to map the solution space!
I'd prefer this idea to having explicit QEMU support (code) for each passt option, mostly because a. it's a lot of code and b. passt doesn't completely guarantee backwards compatibility, only to a reasonable extent (the general idea is to deprecate options first, then to make them disappear in a couple of years). Still, I see three main issues with it: 1. you would still need to distribute an example of a wrapper script, and that will eventually get outdated as well 2. it's complicated and somewhat surprising. You would probably need to configure different wrapper scripts (or functions in scripts?) depending on what guest you're running 3. that would be the usual fun with LSMs. What SELinux label would the script have? Should we define a separate AppArmor policy for it? Or make it a subprofile...?
Instead of trying to make NetDevPasstOptions complete (so you need to fall back to a wrapper script only when using a version of passt with different options), we can limit it to a curated set of options. We'd need to decide which ones :)
You pointed out yet another alternative: pass through the passt command line directly. Two obvious ways: a single shell command string to be passed to system(3), or an array of strings to be passed to execv(3).
...so I'd much prefer this approach (it's actually an alternative I was suggesting to Laurent in some offline chats earlier). We did the same in Podman for pasta(1) (same binary as passt(1), different command, for containers): https://github.com/containers/common/blob/2d2b7a488601a3557301420fce6acb58d0... where you would do, say: podman --net=pasta:--pcap,/tmp/pasta.pcap,--no-dhcpv6,... This one looks simple, the documentation of options is always updated and maintained as part of passt's documentation, and there's no need to change anything in QEMU if we introduce new options or deprecate some. I would use an array of strings (same as it's done for Podman) rather than a flat argument for system(3), because:
system(3) is a terrible idea with untrusted input, but this is trusted input.
...even if it's trusted input, a single, long argument with quotes is more error-prone than separate arguments, I think.
Any other interface ideas?
Since the backend is for human user convenience: which of these ways would be convenient for human users?
As I'm familiar with passt(1) options, passing options through is the most convenient for me, personally. I often use passt without libvirt exactly because it's awkward to pass, say, debugging options (I have to use some horrible /usr/local/bin/passt wrapper script with a switch case inferring the name of the guest from the socket path given as argument, and sometimes it's unpractical): https://issues.redhat.com/browse/RHEL-52281 and it's especially awkward to help users debugging things this way, so it would be nice if QEMU could make it convenient, instead. -- Stefano
participants (4)
-
Daniel P. Berrangé -
Laurent Vivier -
Markus Armbruster -
Stefano Brivio