Skip to content

Commit

Permalink
guest/net: New implementation of network setup with SLAAC and own DHC…
Browse files Browse the repository at this point in the history 
…P client

The existing implementation has a couple of issues:

- it doesn't support IPv6 or SLAAC

- it relies on either dhclient(8) or dhcpcd(8), which need a
  significant amount of time to configure the network as they are
  rather generic DHCP clients

- on top of this, dhcpcd, by default, unless --noarp is given, will
  spend five seconds ARP-probing the address it just received before
  configuring it

Replace the IPv4 part with a minimalistic, 73-line DHCP client that
just does what we need, using option 80 (Rapid Commit) to speed up
the whole exchange.

Add IPv6 support (including IPv4-only, and IPv6-only modes) relying
on the kernel to perform SLAAC. Safely avoid DAD (we're the only
node on the link) by disabling router solicitations, starting SLAAC,
and re-enabling them once addresses are configured.

Instead of merely triggering the network setup and proceeding, wait
until everything is configured, so that connectivity is guaranteed to
be ready before any further process runs in the guest, say:

  $ ./target/debug/muvm -- ping -c1 2a01:4f8:222:904::2
  PING 2a01:4f8:222:904::2 (2a01:4f8:222:904::2) 56 data bytes
  64 bytes from 2a01:4f8:222:904::2: icmp_seq=1 ttl=255 time=0.256 ms

  --- 2a01:4f8:222:904::2 ping statistics ---
  1 packets transmitted, 1 received, 0% packet loss, time 0ms
  rtt min/avg/max/mdev = 0.256/0.256/0.256/0.000 ms

The whole procedure now takes approximately 1.5 to 2 ms (for both
IPv4 and IPv6), with the DHCP exchange and configuration taking
somewhere around 300-500 µs out of that, instead of hundreds of
milliseconds to seconds.

Matching support in passt for option 80 (RFC 4039) and for the DHCP
"broadcast" flag (RFC 2131) needs this series:

  https://archives.passt.top/passt-dev/[email protected]/

[I'll update this commit message once we have an upstream release
with it]

Signed-off-by: Stefano Brivio <[email protected]>
  • Loading branch information
@sbrivio-rh
sbrivio-rh committed Nov 25, 2024
1 parent 8b49072 commit ca7ea9c
Show file tree
Hide file tree
Showing 2 changed files with 216 additions and 60 deletions.
3 changes: 2 additions & 1 deletion crates/muvm/Cargo.toml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ name = "muvm"
version = "0.1.3"
authors = ["Sergio Lopez <[email protected]>", "Teoh Han Hui <[email protected]>", "Sasha Finkelstein <[email protected]>", "Asahi Lina <[email protected]>"]
edition = "2021"
rust-version = "1.77.0"
rust-version = "1.80.0"
description = "Run programs from your system in a microVM"
repository = "https://github.com/AsahiLinux/muvm"
license = "MIT"
Expand All @@ -15,6 +15,7 @@ byteorder = { version = "1.5.0", default-features = false, features = ["std"] }
env_logger = { version = "0.11.3", default-features = false, features = ["auto-color", "humantime", "unstable-kv"] }
krun-sys = { path = "../krun-sys", version = "1.9.1", default-features = false, features = [] }
log = { version = "0.4.21", default-features = false, features = ["kv"] }
neli = { version = "0.7.0-rc2", default-features = false, features = [] }
nix = { version = "0.29.0", default-features = false, features = ["user"] }
procfs = { version = "0.17.0", default-features = false, features = [] }
rustix = { version = "0.38.34", default-features = false, features = ["fs", "mount", "process", "std", "stdio", "system", "use-libc-auxv"] }
Expand Down
273 changes: 214 additions & 59 deletions crates/muvm/src/guest/net.rs
View file
Original file line number Diff line number Diff line change
@@ -1,14 +1,97 @@
use std::fs;
use std::io::Write;
use std::os::unix::process::ExitStatusExt as _;
use std::process::Command;
use std::net::{UdpSocket, Ipv4Addr};
use std::time::Duration;

use anyhow::{anyhow, Context, Result};
use log::debug;
use anyhow::{Context, Result};
use rustix::system::sethostname;

use crate::utils::env::find_in_path;
use crate::utils::fs::find_executable;
use neli::{
consts::{
nl::NlmF,
rtnl::{Arphrd, Ifa, IfaF, Iff, Rta, RtAddrFamily, Rtm, RtmF, Rtn,
Rtprot, RtScope, RtTable},
socket::NlFamily,
},
nl::{NlPayload, Nlmsghdr},
router::synchronous::{NlRouter, NlRouterReceiverHandle},
rtnl::{Ifaddrmsg, IfaddrmsgBuilder, Ifinfomsg, IfinfomsgBuilder,
RtattrBuilder, Rtmsg, RtmsgBuilder},
utils::Groups,
types::RtBuffer,
};

/// Set interface flags for eth0 (interface index 2) with a given mask
fn flags_eth0(rtnl: &NlRouter, mask: Iff, set: Iff) -> Result<()> {
let ifinfomsg = IfinfomsgBuilder::default()
.ifi_family(RtAddrFamily::Unspecified)
.ifi_type(Arphrd::Ether).ifi_index(2)
.ifi_change(mask).ifi_flags(set)
.build()?;

let _: NlRouterReceiverHandle<Rtm, Ifinfomsg> =
rtnl.send(Rtm::Newlink, NlmF::REQUEST, NlPayload::Payload(ifinfomsg))?;

Ok(())
}

/// Add or delete IPv4 routes for eth0 (interface index 2)
fn route4_eth0(rtnl: &NlRouter, what: Rtm, gw: Ipv4Addr) -> Result<()> {
let rtmsg = RtmsgBuilder::default()
.rtm_family(RtAddrFamily::Inet)
.rtm_dst_len(0).rtm_src_len(0).rtm_tos(0)
.rtm_table(RtTable::Main).rtm_protocol(Rtprot::Boot)
.rtm_scope(RtScope::Universe).rtm_type(Rtn::Unicast)
.rtm_flags(RtmF::empty())
.rtattrs(RtBuffer::from_iter([
RtattrBuilder::default()
.rta_type(Rta::Oif)
.rta_payload(2)
.build()?,
RtattrBuilder::default()
.rta_type(Rta::Dst)
.rta_payload(Ipv4Addr::UNSPECIFIED.octets().to_vec())
.build()?,
RtattrBuilder::default()
.rta_type(Rta::Gateway)
.rta_payload(gw.octets().to_vec())
.build()?
]))
.build()?;

let _: NlRouterReceiverHandle<Rtm, Rtmsg> =
rtnl.send(what, NlmF::CREATE | NlmF::REQUEST,
NlPayload::Payload(rtmsg))?;

Ok(())
}

/// Add or delete IPv4 addresses for eth0 (interface index 2)
fn addr4_eth0(rtnl: &NlRouter, what: Rtm, addr: Ipv4Addr, prefix_len: u8)
-> Result<()> {
let ifaddrmsg = IfaddrmsgBuilder::default()
.ifa_family(RtAddrFamily::Inet)
.ifa_prefixlen(prefix_len)
.ifa_scope(RtScope::Universe)
.ifa_index(2)
.rtattrs(RtBuffer::from_iter([
RtattrBuilder::default()
.rta_type(Ifa::Local)
.rta_payload(addr.octets().to_vec())
.build()?,
RtattrBuilder::default()
.rta_type(Ifa::Address)
.rta_payload(addr.octets().to_vec())
.build()?,
]))
.build()?;

let _: NlRouterReceiverHandle<Rtm, Ifaddrmsg> =
rtnl.send(what, NlmF::CREATE | NlmF::REQUEST,
NlPayload::Payload(ifaddrmsg))?;

Ok(())
}

pub fn configure_network() -> Result<()> {
// Allow unprivileged users to use ping, as most distros do by default.
Expand All @@ -33,63 +116,135 @@ pub fn configure_network() -> Result<()> {
sethostname(hostname.as_bytes()).context("Failed to set hostname")?;
}

let dhcpcd_path = find_in_path("dhcpcd").context("Failed to check existence of `dhcpcd`")?;
let dhcpcd_path = if let Some(dhcpcd_path) = dhcpcd_path {
Some(dhcpcd_path)
} else {
find_executable("/sbin/dhcpcd").context("Failed to check existence of `/sbin/dhcpcd`")?
};
if let Some(dhcpcd_path) = dhcpcd_path {
let output = Command::new(dhcpcd_path)
.args(["-M", "--nodev", "eth0"])
.output()
.context("Failed to execute `dhcpcd` as child process")?;
debug!(output:?; "dhcpcd output");
if !output.status.success() {
let err = if let Some(code) = output.status.code() {
anyhow!("`dhcpcd` process exited with status code: {code}")
} else {
anyhow!(
"`dhcpcd` process terminated by signal: {}",
output
.status
.signal()
.expect("either one of status code or signal should be set")
)
};
Err(err)?;
}
let (rtnl, _) = NlRouter::connect(NlFamily::Route, None, Groups::empty())?;
rtnl.enable_strict_checking(true)?;

return Ok(());
// Disable neighbour solicitations (dodge DAD), bring up link to start SLAAC
{
// IFF_NOARP | IFF_UP in one shot delays router solicitations, avoid it
flags_eth0(&rtnl, Iff::NOARP, Iff::NOARP)?;
flags_eth0(&rtnl, Iff::UP, Iff::UP)?;
}

let dhclient_path =
find_in_path("dhclient").context("Failed to check existence of `dhclient`")?;
let dhclient_path = if let Some(dhclient_path) = dhclient_path {
Some(dhclient_path)
} else {
find_executable("/sbin/dhclient")
.context("Failed to check existence of `/sbin/dhclient`")?
};
let dhclient_path =
dhclient_path.ok_or_else(|| anyhow!("could not find required `dhcpcd` or `dhclient`"))?;
let output = Command::new(dhclient_path)
.output()
.context("Failed to execute `dhclient` as child process")?;
debug!(output:?; "dhclient output");
if !output.status.success() {
let err = if let Some(code) = output.status.code() {
anyhow!("`dhclient` process exited with status code: {code}")
// Configure IPv4 using DHCP with Rapid Commit (DISCOVER -> ACK)
{
// Temporary link-local address and route avoid the need for raw sockets
route4_eth0(&rtnl, Rtm::Newroute, Ipv4Addr::UNSPECIFIED)?;
addr4_eth0(&rtnl, Rtm::Newaddr, Ipv4Addr::new(169, 254, 1, 1), 16)?;

// Send request (DHCPDISCOVER)
let socket = UdpSocket::bind("0.0.0.0:68").expect("Failed to bind");
let mut buf = [0; 576 /* RFC 2131, Section 2 */ ];

const REQUEST: [u8; 300 /* From RFC 951: >= 60 B of options */ ] = [
1 /* REQUEST */, 0x1 /* Ethernet */, 6 /* hlen */, 0 /* Hops */,
1, 2, 3, 4 /* XID */, 0, 0 /* Seconds */, 0x80, 0x0 /* Flags */,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* All-zero (four) addresses */
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* 16B HW address: who cares */
/* 32 bytes per row: 64B 'sname', plus 128B 'file' (RFC 1531) */
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0x63, 0x82, 0x53, 0x63, /* DHCP (magic) cookie, then options: */
53, 1, 1 /* DISCOVER */, 80, 0 /* Rapid commit */, 0xff, // Done
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 /* 54B paaaadding */
];

socket.set_broadcast(true)?;
socket.send_to(&REQUEST, "255.255.255.255:67")?;

// Keep IPv6-only fast
let _ = socket.set_read_timeout(Some(Duration::from_millis(100)));

// Get and process response (DHCPACK) if any
if let Ok((len, _)) = socket.recv_from(&mut buf) {
let msg = &mut buf[..len];

let addr = Ipv4Addr::new(msg[16], msg[17], msg[18], msg[19]);
let mut netmask = Ipv4Addr::UNSPECIFIED;
let mut router = Ipv4Addr::UNSPECIFIED;
let mut p: usize = 240;

while p < len {
let o = msg[p];
let mut l: u8;
l = msg[p + 1];

if o == 1 { // Option 1: Subnet Mask
netmask = Ipv4Addr::new(msg[p + 2], msg[p + 3],
msg[p + 4], msg[p + 5]);
} else if o == 3 { // Option 3: Router
router = Ipv4Addr::new(msg[p + 2], msg[p + 3],
msg[p + 4], msg[p + 5]);
} else if o == 0xff { // Option 255: End (of options)
break;
}

l += 2; // Length doesn't include code and length field itself
p += l as usize;
}

let prefix_len : u8 = netmask.to_bits().leading_ones() as u8;

// Drop temporary address and route, configure what we got instead
route4_eth0(&rtnl, Rtm::Delroute, Ipv4Addr::UNSPECIFIED)?;
addr4_eth0(&rtnl, Rtm::Deladdr, Ipv4Addr::new(169, 254, 1, 1), 16)?;

addr4_eth0(&rtnl, Rtm::Newaddr, addr, prefix_len)?;
route4_eth0(&rtnl, Rtm::Newroute, router)?;
} else {
anyhow!(
"`dhclient` process terminated by signal: {}",
output
.status
.signal()
.expect("either one of status code or signal should be set")
)
};
Err(err)?;
// Clean up: we're clearly too cool for IPv4
route4_eth0(&rtnl, Rtm::Delroute, Ipv4Addr::UNSPECIFIED)?;
addr4_eth0(&rtnl, Rtm::Deladdr, Ipv4Addr::new(169, 254, 1, 1), 16)?;
}
}

// Wait for SLAAC to complete or fail: we're done only once network is ready
{
let mut global_seen = false;
let mut global_wait = true;
let mut ll_seen = false;

// Busy-netlink-loop until we see a link-local address, and a global
// unicast address as long as we might expect one (see below)
while !ll_seen || (global_wait && !global_seen) {
let ifaddrmsg = IfaddrmsgBuilder::default()
.ifa_family(RtAddrFamily::Inet6)
.ifa_prefixlen(0)
.ifa_scope(RtScope::Universe)
.ifa_index(2)
.build()?;

let recv = rtnl.send(Rtm::Getaddr, NlmF::ROOT,
NlPayload::Payload(ifaddrmsg))?;

for response in recv {
let header: Nlmsghdr<Rtm, Ifaddrmsg> = response?;
if let NlPayload::Payload(p) = header.nl_payload() {
if p.ifa_scope() == &RtScope::Link {
// A non-tentative link-local address implies we sent a
// router solicitation that didn't get any response
// (IPv4-only)? Stop waiting for the router in that case
if *p.ifa_flags() & IfaF::TENTATIVE != IfaF::TENTATIVE {
global_wait = false;
}

ll_seen = true;
} else if p.ifa_scope() == &RtScope::Universe {
global_seen = true;
}
}
}
}
}

// Re-enable neighbour solicitations and ARP requests
{
flags_eth0(&rtnl, Iff::NOARP, Iff::empty())?;
}

Ok(())
Expand Down

0 comments on commit ca7ea9c

Please sign in to comment.