diff options
Diffstat (limited to 'docs/interop')
| -rw-r--r-- | docs/interop/dbus-vmstate.rst | 74 | ||||
| -rw-r--r-- | docs/interop/dbus.rst | 110 | ||||
| -rw-r--r-- | docs/interop/index.rst | 2 |
3 files changed, 186 insertions, 0 deletions
diff --git a/docs/interop/dbus-vmstate.rst b/docs/interop/dbus-vmstate.rst new file mode 100644 index 0000000000..1d719c1c60 --- /dev/null +++ b/docs/interop/dbus-vmstate.rst @@ -0,0 +1,74 @@ +============= +D-Bus VMState +============= + +Introduction +============ + +The QEMU dbus-vmstate object's aim is to migrate helpers' data running +on a QEMU D-Bus bus. (refer to the :doc:`dbus` document for +some recommendations on D-Bus usage) + +Upon migration, QEMU will go through the queue of +``org.qemu.VMState1`` D-Bus name owners and query their ``Id``. It +must be unique among the helpers. + +It will then save arbitrary data of each Id to be transferred in the +migration stream and restored/loaded at the corresponding destination +helper. + +For now, the data amount to be transferred is arbitrarily limited to +1Mb. The state must be saved quickly (a fraction of a second). (D-Bus +imposes a time limit on reply anyway, and migration would fail if data +isn't given quickly enough.) + +dbus-vmstate object can be configured with the expected list of +helpers by setting its ``id-list`` property, with a comma-separated +``Id`` list. + +Interface +========= + +On object path ``/org/qemu/VMState1``, the following +``org.qemu.VMState1`` interface should be implemented: + +.. code:: xml + + <interface name="org.qemu.VMState1"> + <property name="Id" type="s" access="read"/> + <method name="Load"> + <arg type="ay" name="data" direction="in"/> + </method> + <method name="Save"> + <arg type="ay" name="data" direction="out"/> + </method> + </interface> + +"Id" property +------------- + +A string that identifies the helper uniquely. (maximum 256 bytes +including terminating NUL byte) + +.. note:: + + The helper ID namespace is a separate namespace. In particular, it is not + related to QEMU "id" used in -object/-device objects. + +Load(in u8[] bytes) method +-------------------------- + +The method called on destination with the state to restore. + +The helper may be initially started in a waiting state (with +an --incoming argument for example), and it may resume on success. + +An error may be returned to the caller. + +Save(out u8[] bytes) method +--------------------------- + +The method called on the source to get the current state to be +migrated. The helper should continue to run normally. + +An error may be returned to the caller. diff --git a/docs/interop/dbus.rst b/docs/interop/dbus.rst new file mode 100644 index 0000000000..76a5bde625 --- /dev/null +++ b/docs/interop/dbus.rst @@ -0,0 +1,110 @@ +===== +D-Bus +===== + +Introduction +============ + +QEMU may be running with various helper processes involved: + - vhost-user* processes (gpu, virtfs, input, etc...) + - TPM emulation (or other devices) + - user networking (slirp) + - network services (DHCP/DNS, samba/ftp etc) + - background tasks (compression, streaming etc) + - client UI + - admin & cli + +Having several processes allows stricter security rules, as well as +greater modularity. + +While QEMU itself uses QMP as primary IPC (and Spice/VNC for remote +display), D-Bus is the de facto IPC of choice on Unix systems. The +wire format is machine friendly, good bindings exist for various +languages, and there are various tools available. + +Using a bus, helper processes can discover and communicate with each +other easily, without going through QEMU. The bus topology is also +easier to apprehend and debug than a mesh. However, it is wise to +consider the security aspects of it. + +Security +======== + +A QEMU D-Bus bus should be private to a single VM. Thus, only +cooperative tasks are running on the same bus to serve the VM. + +D-Bus, the protocol and standard, doesn't have mechanisms to enforce +security between peers once the connection is established. Peers may +have additional mechanisms to enforce security rules, based for +example on UNIX credentials. + +The daemon can control which peers can send/recv messages using +various metadata attributes, however, this is alone is not generally +sufficient to make the deployment secure. The semantics of the actual +methods implemented using D-Bus are just as critical. Peers need to +carefully validate any information they received from a peer with a +different trust level. + +dbus-daemon policy +------------------ + +dbus-daemon can enforce various policies based on the UID/GID of the +processes that are connected to it. It is thus a good idea to run +helpers as different UID from QEMU and set appropriate policies. + +Depending on the use case, you may choose different scenarios: + + - Everything the same UID + + - Convenient for developers + - Improved reliability - crash of one part doens't take + out entire VM + - No security benefit over traditional QEMU, unless additional + unless additional controls such as SELinux or AppArmor are + applied + + - Two UIDs, one for QEMU, one for dbus & helpers + + - Moderately improved user based security isolation + + - Many UIDs, one for QEMU one for dbus and one for each helpers + + - Best user based security isolation + - Complex to manager distinct UIDs needed for each VM + +For example, to allow only ``qemu`` user to talk to ``qemu-helper`` +``org.qemu.Helper1`` service, a dbus-daemon policy may contain: + +.. code:: xml + + <policy user="qemu"> + <allow send_destination="org.qemu.Helper1"/> + <allow receive_sender="org.qemu.Helper1"/> + </policy> + + <policy user="qemu-helper"> + <allow own="org.qemu.Helper1"/> + </policy> + + +dbus-daemon can also perfom SELinux checks based on the security +context of the source and the target. For example, ``virtiofs_t`` +could be allowed to send a message to ``svirt_t``, but ``virtiofs_t`` +wouldn't be allowed to send a message to ``virtiofs_t``. + +See dbus-daemon man page for details. + +Guidelines +========== + +When implementing new D-Bus interfaces, it is recommended to follow +the "D-Bus API Design Guidelines": +https://dbus.freedesktop.org/doc/dbus-api-design.html + +The "org.qemu.*" prefix is reserved for services implemented & +distributed by the QEMU project. + +QEMU Interfaces +=============== + +:doc:`dbus-vmstate` diff --git a/docs/interop/index.rst b/docs/interop/index.rst index 3e33fb5933..049387ac6d 100644 --- a/docs/interop/index.rst +++ b/docs/interop/index.rst @@ -13,6 +13,8 @@ Contents: :maxdepth: 2 bitmaps + dbus + dbus-vmstate live-block-operations pr-helper qemu-ga |