virtio-fs A Shared File System for Virtual Machines Stefan - - PowerPoint PPT Presentation

virtio fs
SMART_READER_LITE
LIVE PREVIEW

virtio-fs A Shared File System for Virtual Machines Stefan - - PowerPoint PPT Presentation

Oct 17, 2023 988 likes •1.22k views

FOSDEM 20 virtio-fs A Shared File System for Virtual Machines Stefan Hajnoczi stefanha@redhat.com 1 FOSDEM 20 About me I work in Red Hats virtualization team: virtio-fs virtio-blk tracing VIRTIO specification

slide-1
SLIDE 1

FOSDEM ‘20

A Shared File System for Virtual Machines

virtio-fs

Stefan Hajnoczi stefanha@redhat.com

1

slide-2
SLIDE 2

FOSDEM ‘20

I work in Red Hat’s virtualization team: virtio-fs virtio-blk tracing VIRTIO specification open source internships QEMU Linux

https:/ /vmsplice.net/ “stefanha” on IRC

About me

2

slide-3
SLIDE 3

FOSDEM ‘20

What is virtio-fs?

3

Share a host directory with the guest ➔ Run container images from host but isolated inside a guest ➔ File System as a Service ➔ Compile on host, test inside guest ➔ Get files into guest at install time ➔ Boot guest from directory on host See KVM Forum talk for “what” and “why”: https:/ /www.youtube.com/watch?v=969sXbNX01U

slide-4
SLIDE 4

FOSDEM ‘20

How to use virtio-fs

4

“I want to share /var/www with the guest” Not yet widely available in distros, but the proposed libvirt domain XML looks like this:

<filesystem type='mount' accessmode='passthrough'> <driver type='virtiofs'/> <source dir='/var/www'/> <target dir='website'/> <!-- not treated as a path --> </filesystem>

slide-5
SLIDE 5

FOSDEM ‘20

How to use virtio-fs (Part 2)

5

Mount the directory inside the guest:

guest# mount -t virtiofs website /var/www

And away you go!

slide-6
SLIDE 6

FOSDEM ‘20

Performance (with a grain of salt)

6

Out-of-the-box performance on NVMe. Virtio-fs cache=none, no DAX. Linux 5.5.0-rc4 based virtio-fs-dev branch

slide-7
SLIDE 7

FOSDEM ‘20

How do remote file systems work?

7

Two ingredients: 1. A transport for communication TCP/IP, USB, RDMA 2. A protocol for file system operations NFS, CIFS, MTP, FTP Server Client Transport Protocol

slide-8
SLIDE 8

FOSDEM ‘20

virtio-fs as a remote file system

8

Protocol is based on Linux FUSE Transport is VIRTIO with shared memory resources virtiofsd (host) Guest VIRTIO FUSE /w extensions

slide-9
SLIDE 9

FOSDEM ‘20

Linux File System in Userspace (FUSE)

9

Userspace file system interface: Merged in 2005 and widely available POSIX semantics + Linux extensions Extensible protocol Application File System fuse.ko

  • pen(“foo”)

FUSE_OPEN

slide-10
SLIDE 10

FOSDEM ‘20

FUSE Protocol

10

Protocol definitions in <linux/fuse.h>:

struct fuse_in_header { uint32_t len; uint32_t opcode; uint64_t unique; uint64_t nodeid; … };

Protocol is undocumented but ABI is stable Read fuse.ko source to understand protocol

slide-11
SLIDE 11

FOSDEM ‘20

Traditional FUSE

11

Userspace file system server process Communication over /dev/fuse character device: ▸ Server reads next request from /dev/fuse ▸ Server writes response to /dev/fuse Server-initiated requests are called notifications and are rare

slide-12
SLIDE 12

FOSDEM ‘20

The virtio-fs Device

12

Configuration space: ▸ Tag (mount identifier, e.g. “website”) Virtqueues: ▸ Requests ▸ Hiprio (FUSE_INTERRUPT) ▸ Notifications Driver places FUSE requests on requests virtqueue

slide-13
SLIDE 13

FOSDEM ‘20

Reading a File

13

Protocol flow: 1. FUSE_INIT to create session 2. FUSE_LOOKUP(FUSE_ROOT_ID, “foo”) -> nodeid 3. FUSE_OPEN(nodeid, O_RDONLY) -> fh 4. FUSE_READ(fh, offset, &buf, sizeof(buf)) -> nbytes nodeid is a handle to an inode fh is a handle to an open file

slide-14
SLIDE 14

FOSDEM ‘20

Bypassing the Guest Page Cache

14

Can we avoid communication with virtiofsd for every I/O? Can we avoid copying data to/from host? Yes! The “dax” mount option will: ▸ Map regions of files into guest memory space ▸ Allow guest mmap to directly access data There is a fixed-size DAX Window memory region where host pages are made available to the guest.

slide-15
SLIDE 15

FOSDEM ‘20

Reading a File with DAX

15

Protocol flow: 1. FUSE_INIT to create session 2. FUSE_LOOKUP(FUSE_ROOT_ID, “foo”) -> nodeid 3. FUSE_OPEN(nodeid, O_RDONLY) -> fh 4. FUSE_SETUPMAPPING(fh, offset, len, addr) 5. Memory access to [addr, addr+len)

slide-16
SLIDE 16

FOSDEM ‘20

Want Your Own Server?

16

Virtiofsd passes a directory through to the guest. But a custom server could: ▸ Implement its own file system without using file system syscalls on the host ▸ Directly connect to a distributed storage system ▸ Export a synthetic file system from the host See upcoming VIRTIO 1.2 specification for low-level details or use virtiofsd codebase as a starting point.

slide-17
SLIDE 17

FOSDEM ‘20

Thank you

17

Website: https:/ /virtio-fs.gitlab.io/ IRC: #virtio-fs on chat.freenode.net

slide-18
SLIDE 18

FOSDEM ‘20

virtiofsd needs privileges to access files with arbitrary uid/gid What if virtiofsd is compromised by an attacker? Sandboxing to the rescue: ▸ Mount namespace only allows access to shared directory (all other mounts are removed!) ▸ Empty net namespace prevents network connectivity ▸ PID namespace prevents ptrace of other processes ▸ seccomp whitelist only allows required syscalls

virtiofsd Sandboxing

18

slide-19
SLIDE 19

FOSDEM ‘20

virtiofsd Security Model

19

Guests have full uid/gid access to shared directory! Guests have no access outside shared directory. Best practices: ▸ Use dedicated file system for shared directory to prevent inode exhaustion or other Denial-of-Service attacks ▸ Parent directory of shared directory should have rwx------ permissions to prevent non-owners from accessing untrusted files ▸ Mount shared directory nosuid,nodev on host