Re: [PATCH net-next v16 01/12] vsock: add netns to vsock core

[PATCH net-next v16 00/12] vsock: add namespace support to vhost-vsock and loopback · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 02/12] virtio: set skb owner of virtio_transport_reset_no_sock() reply · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 01/12] vsock: add netns to vsock core · Bobby Eshleman <hidden> · 2026-01-21
Re: [PATCH net-next v16 01/12] vsock: add netns to vsock core · Stefano Garzarella <sgarzare@redhat.com> · 2026-02-17
Re: [PATCH net-next v16 01/12] vsock: add netns to vsock core · Jakub Kicinski <kuba@kernel.org> · 2026-02-17
[PATCH net-next v16 04/12] selftests/vsock: increase timeout to 1200 · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 05/12] selftests/vsock: add namespace helpers to vmtest.sh · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 07/12] selftests/vsock: add vm_dmesg_{warn,oops}_count() helpers · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 06/12] selftests/vsock: prepare vm management helpers for namespaces · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 09/12] selftests/vsock: add tests for proc sys vsock ns_mode · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 08/12] selftests/vsock: use ss to wait for listeners instead of /proc/net · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 10/12] selftests/vsock: add namespace tests for CID collisions · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 12/12] selftests/vsock: add tests for namespace deletion · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 11/12] selftests/vsock: add tests for host <-> vm connectivity with namespaces · Bobby Eshleman <hidden> · 2026-01-21
[PATCH net-next v16 03/12] vsock: add netns support to virtio transports · Bobby Eshleman <hidden> · 2026-01-22
Re: [PATCH net-next v16 00/12] vsock: add namespace support to vhost-vsock and loopback · Stefano Garzarella <sgarzare@redhat.com> · 2026-01-22
Re: [PATCH net-next v16 00/12] vsock: add namespace support to vhost-vsock and loopback · Bobby Eshleman <hidden> · 2026-01-22
Re: [PATCH net-next v16 00/12] vsock: add namespace support to vhost-vsock and loopback · "Michael S. Tsirkin" <mst@redhat.com> · 2026-01-22
Re: [PATCH net-next v16 00/12] vsock: add namespace support to vhost-vsock and loopback · patchwork-bot+netdevbpf@kernel.org · 2026-01-27

From: Stefano Garzarella <sgarzare@redhat.com>
Date: 2026-02-17 15:08:44
Also in: kvm, linux-doc, linux-hyperv, linux-kselftest, lkml, virtualization

Hi,

On Wed, Jan 21, 2026 at 02:11:41PM -0800, Bobby Eshleman wrote:

From: Bobby Eshleman <redacted>

Add netns logic to vsock core. Additionally, modify transport hook
prototypes to be used by later transport-specific patches (e.g.,
*_seqpacket_allow()).

Namespaces are supported primarily by changing socket lookup functions
(e.g., vsock_find_connected_socket()) to take into account the socket
namespace and the namespace mode before considering a candidate socket a
"match".

This patch also introduces the sysctl /proc/sys/net/vsock/ns_mode to
report the mode and /proc/sys/net/vsock/child_ns_mode to set the mode
for new namespaces.

talking about this new feature with Daan (in CC) we were discussing a 
possible change to `child_ns_mode`.

Currently, if two or more administrator processes in the same namespace 
set `child_ns_mode`, they compete. Obviously, after unshare()/clone(), 
the process can always access `ns_mode` to check if everything went well 
and eventually retry.

Daan suggested a more conservative approach, allowing `child_ns_mode` to 
be written only once (a bit like we did in the old version when the 
child could change the mode only once). This way, most users who want 
isolation write `local` in `child_ns_mode` at startup in the init_ns. At 
that point the user  and can be sure that no other process (including 
administrators, e.g., container managers) can change it, so all new 
namespaces will have `local` mode.

I think we should support this option in some way, because it seems to 
simplify the user space in most common cases (ensure isolation). I see 
few options for doing this:

1. Change the behavior of `child_ns_mode` to be written only once, but 
this would limit other possible use cases where `child_ns_mode` can be 
changed more than once (I don't know if Bobby had any in mind).

2. Add a new sysctl `child_ns_mode_lockin` (or something similar), which 
can only be written once with a mode (local or global). A write on this 
will also locks `child_ns_mode`, of course.

3. Add a new `local-locked` mode, reusing the same sysctl.


If we go for 1, maybe we can do it in 7.0, or not?

2 and 3, on the other hand, may have to wait until the next release.

What do you think? Any comments?

Thanks,
Stefano

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help