On Wed, Jan 21, 2026 at 02:11:40PM -0800, Bobby Eshleman wrote:
> This series adds namespace support to vhost-vsock and loopback. It does
> not add namespaces to any of the other guest transports (virtio-vsock,
> hyperv, or vmci).
>
> The current revision supports two modes: local and global. Local
> mode is complete isolation of namespaces, while global mode is complete
> sharing between namespaces of CIDs (the original behavior).
>
> The mode is set using the parent namespace's
> /proc/sys/net/vsock/child_ns_mode and inherited when a new namespace is
> created. The mode of the current namespace can be queried by reading
> /proc/sys/net/vsock/ns_mode. The mode can not change after the namespace
> has been created.
>
> Modes are per-netns. This allows a system to configure namespaces
> independently (some may share CIDs, others are completely isolated).
> This also supports future possible mixed use cases, where there may be
> namespaces in global mode spinning up VMs while there are mixed mode
> namespaces that provide services to the VMs, but are not allowed to
> allocate from the global CID pool (this mode is not implemented in this
> series).
>
> Additionally, added tests for the new namespace features:
>
> tools/testing/selftests/vsock/vmtest.sh
> 1..25
> ok 1 vm_server_host_client
> ok 2 vm_client_host_server
> ok 3 vm_loopback
> ok 4 ns_host_vsock_ns_mode_ok
> ok 5 ns_host_vsock_child_ns_mode_ok
> ok 6 ns_global_same_cid_fails
> ok 7 ns_local_same_cid_ok
> ok 8 ns_global_local_same_cid_ok
> ok 9 ns_local_global_same_cid_ok
> ok 10 ns_diff_global_host_connect_to_global_vm_ok
> ok 11 ns_diff_global_host_connect_to_local_vm_fails
> ok 12 ns_diff_global_vm_connect_to_global_host_ok
> ok 13 ns_diff_global_vm_connect_to_local_host_fails
> ok 14 ns_diff_local_host_connect_to_local_vm_fails
> ok 15 ns_diff_local_vm_connect_to_local_host_fails
> ok 16 ns_diff_global_to_local_loopback_local_fails
> ok 17 ns_diff_local_to_global_loopback_fails
> ok 18 ns_diff_local_to_local_loopback_fails
> ok 19 ns_diff_global_to_global_loopback_ok
> ok 20 ns_same_local_loopback_ok
> ok 21 ns_same_local_host_connect_to_local_vm_ok
> ok 22 ns_same_local_vm_connect_to_local_host_ok
> ok 23 ns_delete_vm_ok
> ok 24 ns_delete_host_ok
> ok 25 ns_delete_both_ok
> SUMMARY: PASS=25 SKIP=0 FAIL=0
>
> Thanks again for everyone's help and reviews!
>
> Suggested-by: Sargun Dhillon <[email protected]>
> Signed-off-by: Bobby Eshleman <[email protected]>

Acked-by: Michael S. Tsirkin <[email protected]>

>
> Changes in v16:
> - updated comments/docs/commit msg (vsock_find_* funcs, init net
>   mode, why change random port alloc)
> - removed init ns mode cmdline
> - fixed the missing ${ns} arg for vm_ssh in vmtest.sh
> - Link to v15:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v15:
> - see per-patch change notes in 'vsock: add netns to vsock core'
> - Link to v14:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v14:
> - squashed 'vsock: add per-net vsock NS mode state' into 'vsock: add
>   netns to vsock core' (MST)
> - remove RFC tag
> - fixed base-commit (still had b4 configured to depend on old vmtest.sh
>   series)
> - Link to v13:
>   https://lore.kernel.org/all/[email protected]/
>
> Changes in v13:
> - add support for immutable sysfs ns_mode and inheritance from sysfs
>   child_ns_mode
> - remove passing around of net_mode, can be accessed now via
>   vsock_net_mode(net) since it is immutable
> - update tests for new uAPI
> - add one patch to extend the kselftest timeout (it was starting to
>   fail with the new tests added)
> - Link to v12:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v12:
> - add ns mode checking to _allow() callbacks to reject local mode for
>   incompatible transports (Stefano)
> - flip vhost/loopback to return true for stream_allow() and
>   seqpacket_allow() in "vsock: add netns support to virtio transports"
>   (Stefano)
> - add VMADDR_CID_ANY + local mode documentation in af_vsock.c (Stefano)
> - change "selftests/vsock: add tests for host <-> vm connectivity with
>   namespaces" to skip test 29 in vsock_test for namespace local
>   vsock_test calls in a host local-mode namespace. There is a
>   false-positive edge case for that test encountered with the
>   ->stream_allow() approach. More details in that patch.
> - updated cover letter with new test output
> - Link to v11:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v11:
> - vmtest: add a patch to use ss in wait_for_listener functions and
>   support vsock, tcp, and unix. Change all patches to use the new
>   functions.
> - vmtest: add a patch to re-use vm dmesg / warn counting functions
> - Link to v10:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v10:
> - Combine virtio common patches into one (Stefano)
> - Resolve vsock_loopback virtio_transport_reset_no_sock() issue
>   with info->vsk setting. This eliminates the need for skb->cb,
>   so remove skb->cb patches.
> - many line width 80 fixes
> - Link to v9:
>   https://lore.kernel.org/all/[email protected]
>
> Changes in v9:
> - reorder loopback patch after patch for virtio transport common code
> - remove module ordering tests patch because loopback no longer depends
>   on pernet ops
> - major simplifications in vsock_loopback
> - added a new patch for blocking local mode for guests, added test case
>   to check
> - add net ref tracking to vsock_loopback patch
> - Link to v8:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v8:
> - Break generic cleanup/refactoring patches into standalone series,
>   remove those from this series
> - Link to dependency:
>   https://lore.kernel.org/all/20251022-vsock-selftests-fixes-and-improvements-v1-0-edeb179d6...@meta.com/
> - Link to v7:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v7:
> - fix hv_sock build
> - break out vmtest patches into distinct, more well-scoped patches
> - change `orig_net_mode` to `net_mode`
> - many fixes and style changes in per-patch change sets (see individual
>   patches for specific changes)
> - optimize `virtio_vsock_skb_cb` layout
> - update commit messages with more useful descriptions
> - vsock_loopback: use orig_net_mode instead of current net mode
> - add tests for edge cases (ns deletion, mode changing, loopback module
>   load ordering)
> - Link to v6:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v6:
> - define behavior when mode changes to local while socket/VM is alive
> - af_vsock: clarify description of CID behavior
> - af_vsock: use stronger language around CID rules (don't use "may")
> - af_vsock: improve naming of buf/buffer
> - af_vsock: improve string length checking on proc writes
> - vsock_loopback: add space in struct to clarify lock protection
> - vsock_loopback: do proper cleanup/unregister on vsock_loopback_exit()
> - vsock_loopback: use virtio_vsock_skb_net() instead of sock_net()
> - vsock_loopback: set loopback to NULL after kfree()
> - vsock_loopback: use pernet_operations and remove callback mechanism
> - vsock_loopback: add macros for "global" and "local"
> - vsock_loopback: fix length checking
> - vmtest.sh: check for namespace support in vmtest.sh
> - Link to v5:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v5:
> - /proc/net/vsock_ns_mode -> /proc/sys/net/vsock/ns_mode
> - vsock_global_net -> vsock_global_dummy_net
> - fix netns lookup in vhost_vsock to respect pid namespaces
> - add callbacks for vsock_loopback to avoid circular dependency
> - vmtest.sh loads vsock_loopback module
> - remove vsock_net_mode_can_set()
> - change vsock_net_write_mode() to return true/false based on success
> - make vsock_net_mode enum instead of u8
> - Link to v4:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v4:
> - removed RFC tag
> - implemented loopback support
> - renamed new tests to better reflect behavior
> - completed suite of tests with permutations of ns modes and vsock_test
>   as guest/host
> - simplified socat bridging with unix socket instead of tcp + veth
> - only use vsock_test for success case, socat for failure case (context
>   in commit message)
> - lots of cleanup
>
> Changes in v3:
> - add notion of "modes"
> - add procfs /proc/net/vsock_ns_mode
> - local and global modes only
> - no /dev/vhost-vsock-netns
> - vmtest.sh already merged, so new patch just adds new tests for NS
> - Link to v2:
>   https://lore.kernel.org/kvm/[email protected]
>
> Changes in v2:
> - only support vhost-vsock namespaces
> - all g2h namespaces retain old behavior, only common API changes
>   impacted by vhost-vsock changes
> - add /dev/vhost-vsock-netns for "opt-in"
> - leave /dev/vhost-vsock to old behavior
> - removed netns module param
> - Link to v1:
>   https://lore.kernel.org/r/[email protected]
>
> Changes in v1:
> - added 'netns' module param to vsock.ko to enable the
>   network namespace support (disabled by default)
> - added 'vsock_net_eq()' to check the "net" assigned to a socket
>   only when 'netns' support is enabled
> - Link to RFC: https://patchwork.ozlabs.org/cover/1202235/
>
> ---
> Bobby Eshleman (12):
>       vsock: add netns to vsock core
>       virtio: set skb owner of virtio_transport_reset_no_sock() reply
>       vsock: add netns support to virtio transports
>       selftests/vsock: increase timeout to 1200
>       selftests/vsock: add namespace helpers to vmtest.sh
>       selftests/vsock: prepare vm management helpers for namespaces
>       selftests/vsock: add vm_dmesg_{warn,oops}_count() helpers
>       selftests/vsock: use ss to wait for listeners instead of /proc/net
>       selftests/vsock: add tests for proc sys vsock ns_mode
>       selftests/vsock: add namespace tests for CID collisions
>       selftests/vsock: add tests for host <-> vm connectivity with namespaces
>       selftests/vsock: add tests for namespace deletion
>
>  MAINTAINERS                             |    1 +
>  drivers/vhost/vsock.c                   |   44 +-
>  include/linux/virtio_vsock.h            |    9 +-
>  include/net/af_vsock.h                  |   61 +-
>  include/net/net_namespace.h             |    4 +
>  include/net/netns/vsock.h               |   21 +
>  net/vmw_vsock/af_vsock.c                |  335 +++++++++-
>  net/vmw_vsock/hyperv_transport.c        |    7 +-
>  net/vmw_vsock/virtio_transport.c        |   22 +-
>  net/vmw_vsock/virtio_transport_common.c |   62 +-
>  net/vmw_vsock/vmci_transport.c          |   26 +-
>  net/vmw_vsock/vsock_loopback.c          |   22 +-
>  tools/testing/selftests/vsock/settings  |    2 +-
>  tools/testing/selftests/vsock/vmtest.sh | 1055 +++++++++++++++++++++++++++++--
>  14 files changed, 1531 insertions(+), 140 deletions(-)
> ---
> base-commit: d8f87aa5fa0a4276491fa8ef436cd22605a3f9ba
> change-id: 20250325-vsock-vmtest-b3a21d2102c2
>
> Best regards,
> --
> Bobby Eshleman <[email protected]>
