From 9ae397341dfb68566df98158f71a47c2dfff1117 Mon Sep 17 00:00:00 2001 From: Andri Saar Date: Tue, 11 Jun 2024 15:50:42 +0000 Subject: [PATCH] Always add vsock device with Oak Containers, and default to it in stage1 This mirrors changes we've already done internally. Note that this still only affects stage1 and nothing else. Bug: 289334144 Change-Id: I083a34ab1392e802f5e17069c2322ddb15accacc --- Cargo.lock | 1 + oak_containers_launcher/Cargo.toml | 1 + oak_containers_launcher/src/qemu.rs | 30 +++++++++++++++-------------- 3 files changed, 18 insertions(+), 14 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index e1403642698..53b5ce0c707 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -2480,6 +2480,7 @@ dependencies = [ "env_logger", "futures", "log", + "nix 0.27.1", "oak_attestation", "oak_crypto", "oak_grpc_utils", diff --git a/oak_containers_launcher/Cargo.toml b/oak_containers_launcher/Cargo.toml index 5751007efcc..7835fe46199 100644 --- a/oak_containers_launcher/Cargo.toml +++ b/oak_containers_launcher/Cargo.toml @@ -17,6 +17,7 @@ command-fds = { version = "*", features = ["tokio"] } env_logger = "*" futures = "*" log = "*" +nix = { version = "*", features = ["process"] } oak_attestation = { workspace = true } oak_crypto = { workspace = true } oak_proto_rust = { workspace = true } diff --git a/oak_containers_launcher/src/qemu.rs b/oak_containers_launcher/src/qemu.rs index 0389dd24420..88472aa3bb1 100644 --- a/oak_containers_launcher/src/qemu.rs +++ b/oak_containers_launcher/src/qemu.rs @@ -77,7 +77,8 @@ pub struct Params { #[arg(long, value_name = "PORT")] pub telnet_console: Option, - /// Optional virtio guest CID for virtio-vsock. + /// Optional virtio guest CID for virtio-vsock. If not assigned, defaults to + /// the current thread ID. /// Warning: This CID needs to be globally unique on the whole host! #[arg(long)] pub virtio_guest_cid: Option, @@ -237,12 +238,17 @@ impl Qemu { "-device", "virtio-net-pci,disable-legacy=on,iommu_platform=true,netdev=netdev,romfile=", ]); - if let Some(virtio_guest_cid) = params.virtio_guest_cid { - cmd.args([ - "-device", - &format!("vhost-vsock-pci,guest-cid={virtio_guest_cid},rombar=0"), - ]); - } + // The CID needs to be globally unique, so we default to the current thread ID + // (which should be unique on the system). This may have interesting + // interactions with async code though: if you start two VMMs in the same + // thread, it won't work. But we don't really have any other good sources of + // globally unique identifiers available for us, and starting multiple VMMs in + // one thread should be uncommon. + let virtio_guest_cid = params + .virtio_guest_cid + .unwrap_or_else(|| nix::unistd::gettid().as_raw().unsigned_abs()); + cmd.args(["-device", &format!("vhost-vsock-pci,guest-cid={virtio_guest_cid},rombar=0")]); + if let Some(pci_passthrough) = params.pci_passthrough { cmd.args(["-device", format!("vfio-pci,host={pci_passthrough}").as_str()]); } @@ -253,7 +259,7 @@ impl Qemu { cmd.args(["-initrd", params.initrd.into_os_string().into_string().unwrap().as_str()]); let ramdrive_size = params.ramdrive_size; - let mut cmdline = vec![ + let cmdline = vec![ params.telnet_console.map_or_else(|| "", |_| "debug").to_string(), "console=ttyS0".to_string(), "panic=-1".to_string(), @@ -262,14 +268,10 @@ impl Qemu { "brd.max_part=1".to_string(), format!("ip={vm_address}:::255.255.255.0::eth0:off"), "quiet".to_string(), + "--".to_string(), + format!("--launcher-addr=vsock://{VMADDR_CID_HOST}:{launcher_service_port}"), ]; - if params.virtio_guest_cid.is_some() { - cmdline.push("--".to_string()); - // Makes stage1 communicate to the launcher via virtio-vsock. - cmdline - .push(format!("--launcher-addr=vsock://{VMADDR_CID_HOST}:{launcher_service_port}")); - } cmd.args(["-append", cmdline.join(" ").as_str()]); log::debug!("QEMU command line: {:?}", cmd);