| Vhost-user Protocol |
| =================== |
| |
| Copyright (c) 2014 Virtual Open Systems Sarl. |
| |
| This work is licensed under the terms of the GNU GPL, version 2 or later. |
| See the COPYING file in the top-level directory. |
| =================== |
| |
| This protocol is aiming to complement the ioctl interface used to control the |
| vhost implementation in the Linux kernel. It implements the control plane needed |
| to establish virtqueue sharing with a user space process on the same host. It |
| uses communication over a Unix domain socket to share file descriptors in the |
| ancillary data of the message. |
| |
| The protocol defines 2 sides of the communication, master and slave. Master is |
| the application that shares its virtqueues, in our case QEMU. Slave is the |
| consumer of the virtqueues. |
| |
| In the current implementation QEMU is the Master, and the Slave is intended to |
| be a software Ethernet switch running in user space, such as Snabbswitch. |
| |
| Master and slave can be either a client (i.e. connecting) or server (listening) |
| in the socket communication. |
| |
| Message Specification |
| --------------------- |
| |
| Note that all numbers are in the machine native byte order. A vhost-user message |
| consists of 3 header fields and a payload: |
| |
| ------------------------------------ |
| | request | flags | size | payload | |
| ------------------------------------ |
| |
| * Request: 32-bit type of the request |
| * Flags: 32-bit bit field: |
| - Lower 2 bits are the version (currently 0x01) |
| - Bit 2 is the reply flag - needs to be sent on each reply from the slave |
| - Bit 3 is the need_reply flag - see VHOST_USER_PROTOCOL_F_REPLY_ACK for |
| details. |
| * Size - 32-bit size of the payload |
| |
| |
| Depending on the request type, payload can be: |
| |
| * A single 64-bit integer |
| ------- |
| | u64 | |
| ------- |
| |
| u64: a 64-bit unsigned integer |
| |
| * A vring state description |
| --------------- |
| | index | num | |
| --------------- |
| |
| Index: a 32-bit index |
| Num: a 32-bit number |
| |
| * A vring address description |
| -------------------------------------------------------------- |
| | index | flags | size | descriptor | used | available | log | |
| -------------------------------------------------------------- |
| |
| Index: a 32-bit vring index |
| Flags: a 32-bit vring flags |
| Descriptor: a 64-bit user address of the vring descriptor table |
| Used: a 64-bit user address of the vring used ring |
| Available: a 64-bit user address of the vring available ring |
| Log: a 64-bit guest address for logging |
| |
| * Memory regions description |
| --------------------------------------------------- |
| | num regions | padding | region0 | ... | region7 | |
| --------------------------------------------------- |
| |
| Num regions: a 32-bit number of regions |
| Padding: 32-bit |
| |
| A region is: |
| ----------------------------------------------------- |
| | guest address | size | user address | mmap offset | |
| ----------------------------------------------------- |
| |
| Guest address: a 64-bit guest address of the region |
| Size: a 64-bit size |
| User address: a 64-bit user address |
| mmap offset: 64-bit offset where region starts in the mapped memory |
| |
| * Log description |
| --------------------------- |
| | log size | log offset | |
| --------------------------- |
| log size: size of area used for logging |
| log offset: offset from start of supplied file descriptor |
| where logging starts (i.e. where guest address 0 would be logged) |
| |
| * An IOTLB message |
| --------------------------------------------------------- |
| | iova | size | user address | permissions flags | type | |
| --------------------------------------------------------- |
| |
| IOVA: a 64-bit I/O virtual address programmed by the guest |
| Size: a 64-bit size |
| User address: a 64-bit user address |
| Permissions: a 8-bit value: |
| - 0: No access |
| - 1: Read access |
| - 2: Write access |
| - 3: Read/Write access |
| Type: a 8-bit IOTLB message type: |
| - 1: IOTLB miss |
| - 2: IOTLB update |
| - 3: IOTLB invalidate |
| - 4: IOTLB access fail |
| |
| In QEMU the vhost-user message is implemented with the following struct: |
| |
| typedef struct VhostUserMsg { |
| VhostUserRequest request; |
| uint32_t flags; |
| uint32_t size; |
| union { |
| uint64_t u64; |
| struct vhost_vring_state state; |
| struct vhost_vring_addr addr; |
| VhostUserMemory memory; |
| VhostUserLog log; |
| struct vhost_iotlb_msg iotlb; |
| }; |
| } QEMU_PACKED VhostUserMsg; |
| |
| Communication |
| ------------- |
| |
| The protocol for vhost-user is based on the existing implementation of vhost |
| for the Linux Kernel. Most messages that can be sent via the Unix domain socket |
| implementing vhost-user have an equivalent ioctl to the kernel implementation. |
| |
| The communication consists of master sending message requests and slave sending |
| message replies. Most of the requests don't require replies. Here is a list of |
| the ones that do: |
| |
| * VHOST_USER_GET_FEATURES |
| * VHOST_USER_GET_PROTOCOL_FEATURES |
| * VHOST_USER_GET_VRING_BASE |
| * VHOST_USER_SET_LOG_BASE (if VHOST_USER_PROTOCOL_F_LOG_SHMFD) |
| |
| [ Also see the section on REPLY_ACK protocol extension. ] |
| |
| There are several messages that the master sends with file descriptors passed |
| in the ancillary data: |
| |
| * VHOST_USER_SET_MEM_TABLE |
| * VHOST_USER_SET_LOG_BASE (if VHOST_USER_PROTOCOL_F_LOG_SHMFD) |
| * VHOST_USER_SET_LOG_FD |
| * VHOST_USER_SET_VRING_KICK |
| * VHOST_USER_SET_VRING_CALL |
| * VHOST_USER_SET_VRING_ERR |
| * VHOST_USER_SET_SLAVE_REQ_FD |
| |
| If Master is unable to send the full message or receives a wrong reply it will |
| close the connection. An optional reconnection mechanism can be implemented. |
| |
| Any protocol extensions are gated by protocol feature bits, |
| which allows full backwards compatibility on both master |
| and slave. |
| As older slaves don't support negotiating protocol features, |
| a feature bit was dedicated for this purpose: |
| #define VHOST_USER_F_PROTOCOL_FEATURES 30 |
| |
| Starting and stopping rings |
| ---------------------- |
| Client must only process each ring when it is started. |
| |
| Client must only pass data between the ring and the |
| backend, when the ring is enabled. |
| |
| If ring is started but disabled, client must process the |
| ring without talking to the backend. |
| |
| For example, for a networking device, in the disabled state |
| client must not supply any new RX packets, but must process |
| and discard any TX packets. |
| |
| If VHOST_USER_F_PROTOCOL_FEATURES has not been negotiated, the ring is initialized |
| in an enabled state. |
| |
| If VHOST_USER_F_PROTOCOL_FEATURES has been negotiated, the ring is initialized |
| in a disabled state. Client must not pass data to/from the backend until ring is enabled by |
| VHOST_USER_SET_VRING_ENABLE with parameter 1, or after it has been disabled by |
| VHOST_USER_SET_VRING_ENABLE with parameter 0. |
| |
| Each ring is initialized in a stopped state, client must not process it until |
| ring is started, or after it has been stopped. |
| |
| Client must start ring upon receiving a kick (that is, detecting that file |
| descriptor is readable) on the descriptor specified by |
| VHOST_USER_SET_VRING_KICK, and stop ring upon receiving |
| VHOST_USER_GET_VRING_BASE. |
| |
| While processing the rings (whether they are enabled or not), client must |
| support changing some configuration aspects on the fly. |
| |
| Multiple queue support |
| ---------------------- |
| |
| Multiple queue is treated as a protocol extension, hence the slave has to |
| implement protocol features first. The multiple queues feature is supported |
| only when the protocol feature VHOST_USER_PROTOCOL_F_MQ (bit 0) is set. |
| |
| The max number of queues the slave supports can be queried with message |
| VHOST_USER_GET_PROTOCOL_FEATURES. Master should stop when the number of |
| requested queues is bigger than that. |
| |
| As all queues share one connection, the master uses a unique index for each |
| queue in the sent message to identify a specified queue. One queue pair |
| is enabled initially. More queues are enabled dynamically, by sending |
| message VHOST_USER_SET_VRING_ENABLE. |
| |
| Migration |
| --------- |
| |
| During live migration, the master may need to track the modifications |
| the slave makes to the memory mapped regions. The client should mark |
| the dirty pages in a log. Once it complies to this logging, it may |
| declare the VHOST_F_LOG_ALL vhost feature. |
| |
| To start/stop logging of data/used ring writes, server may send messages |
| VHOST_USER_SET_FEATURES with VHOST_F_LOG_ALL and VHOST_USER_SET_VRING_ADDR with |
| VHOST_VRING_F_LOG in ring's flags set to 1/0, respectively. |
| |
| All the modifications to memory pointed by vring "descriptor" should |
| be marked. Modifications to "used" vring should be marked if |
| VHOST_VRING_F_LOG is part of ring's flags. |
| |
| Dirty pages are of size: |
| #define VHOST_LOG_PAGE 0x1000 |
| |
| The log memory fd is provided in the ancillary data of |
| VHOST_USER_SET_LOG_BASE message when the slave has |
| VHOST_USER_PROTOCOL_F_LOG_SHMFD protocol feature. |
| |
| The size of the log is supplied as part of VhostUserMsg |
| which should be large enough to cover all known guest |
| addresses. Log starts at the supplied offset in the |
| supplied file descriptor. |
| The log covers from address 0 to the maximum of guest |
| regions. In pseudo-code, to mark page at "addr" as dirty: |
| |
| page = addr / VHOST_LOG_PAGE |
| log[page / 8] |= 1 << page % 8 |
| |
| Where addr is the guest physical address. |
| |
| Use atomic operations, as the log may be concurrently manipulated. |
| |
| Note that when logging modifications to the used ring (when VHOST_VRING_F_LOG |
| is set for this ring), log_guest_addr should be used to calculate the log |
| offset: the write to first byte of the used ring is logged at this offset from |
| log start. Also note that this value might be outside the legal guest physical |
| address range (i.e. does not have to be covered by the VhostUserMemory table), |
| but the bit offset of the last byte of the ring must fall within |
| the size supplied by VhostUserLog. |
| |
| VHOST_USER_SET_LOG_FD is an optional message with an eventfd in |
| ancillary data, it may be used to inform the master that the log has |
| been modified. |
| |
| Once the source has finished migration, rings will be stopped by |
| the source. No further update must be done before rings are |
| restarted. |
| |
| IOMMU support |
| ------------- |
| |
| When the VIRTIO_F_IOMMU_PLATFORM feature has been negotiated, the master |
| sends IOTLB entries update & invalidation by sending VHOST_USER_IOTLB_MSG |
| requests to the slave with a struct vhost_iotlb_msg as payload. For update |
| events, the iotlb payload has to be filled with the update message type (2), |
| the I/O virtual address, the size, the user virtual address, and the |
| permissions flags. Addresses and size must be within vhost memory regions set |
| via the VHOST_USER_SET_MEM_TABLE request. For invalidation events, the iotlb |
| payload has to be filled with the invalidation message type (3), the I/O virtual |
| address and the size. On success, the slave is expected to reply with a zero |
| payload, non-zero otherwise. |
| |
| The slave relies on the slave communcation channel (see "Slave communication" |
| section below) to send IOTLB miss and access failure events, by sending |
| VHOST_USER_SLAVE_IOTLB_MSG requests to the master with a struct vhost_iotlb_msg |
| as payload. For miss events, the iotlb payload has to be filled with the miss |
| message type (1), the I/O virtual address and the permissions flags. For access |
| failure event, the iotlb payload has to be filled with the access failure |
| message type (4), the I/O virtual address and the permissions flags. |
| For synchronization purpose, the slave may rely on the reply-ack feature, |
| so the master may send a reply when operation is completed if the reply-ack |
| feature is negotiated and slaves requests a reply. For miss events, completed |
| operation means either master sent an update message containing the IOTLB entry |
| containing requested address and permission, or master sent nothing if the IOTLB |
| miss message is invalid (invalid IOVA or permission). |
| |
| The master isn't expected to take the initiative to send IOTLB update messages, |
| as the slave sends IOTLB miss messages for the guest virtual memory areas it |
| needs to access. |
| |
| Slave communication |
| ------------------- |
| |
| An optional communication channel is provided if the slave declares |
| VHOST_USER_PROTOCOL_F_SLAVE_REQ protocol feature, to allow the slave to make |
| requests to the master. |
| |
| The fd is provided via VHOST_USER_SET_SLAVE_REQ_FD ancillary data. |
| |
| A slave may then send VHOST_USER_SLAVE_* messages to the master |
| using this fd communication channel. |
| |
| Protocol features |
| ----------------- |
| |
| #define VHOST_USER_PROTOCOL_F_MQ 0 |
| #define VHOST_USER_PROTOCOL_F_LOG_SHMFD 1 |
| #define VHOST_USER_PROTOCOL_F_RARP 2 |
| #define VHOST_USER_PROTOCOL_F_REPLY_ACK 3 |
| #define VHOST_USER_PROTOCOL_F_MTU 4 |
| #define VHOST_USER_PROTOCOL_F_SLAVE_REQ 5 |
| |
| Master message types |
| -------------------- |
| |
| * VHOST_USER_GET_FEATURES |
| |
| Id: 1 |
| Equivalent ioctl: VHOST_GET_FEATURES |
| Master payload: N/A |
| Slave payload: u64 |
| |
| Get from the underlying vhost implementation the features bitmask. |
| Feature bit VHOST_USER_F_PROTOCOL_FEATURES signals slave support for |
| VHOST_USER_GET_PROTOCOL_FEATURES and VHOST_USER_SET_PROTOCOL_FEATURES. |
| |
| * VHOST_USER_SET_FEATURES |
| |
| Id: 2 |
| Ioctl: VHOST_SET_FEATURES |
| Master payload: u64 |
| |
| Enable features in the underlying vhost implementation using a bitmask. |
| Feature bit VHOST_USER_F_PROTOCOL_FEATURES signals slave support for |
| VHOST_USER_GET_PROTOCOL_FEATURES and VHOST_USER_SET_PROTOCOL_FEATURES. |
| |
| * VHOST_USER_GET_PROTOCOL_FEATURES |
| |
| Id: 15 |
| Equivalent ioctl: VHOST_GET_FEATURES |
| Master payload: N/A |
| Slave payload: u64 |
| |
| Get the protocol feature bitmask from the underlying vhost implementation. |
| Only legal if feature bit VHOST_USER_F_PROTOCOL_FEATURES is present in |
| VHOST_USER_GET_FEATURES. |
| Note: slave that reported VHOST_USER_F_PROTOCOL_FEATURES must support |
| this message even before VHOST_USER_SET_FEATURES was called. |
| |
| * VHOST_USER_SET_PROTOCOL_FEATURES |
| |
| Id: 16 |
| Ioctl: VHOST_SET_FEATURES |
| Master payload: u64 |
| |
| Enable protocol features in the underlying vhost implementation. |
| Only legal if feature bit VHOST_USER_F_PROTOCOL_FEATURES is present in |
| VHOST_USER_GET_FEATURES. |
| Note: slave that reported VHOST_USER_F_PROTOCOL_FEATURES must support |
| this message even before VHOST_USER_SET_FEATURES was called. |
| |
| * VHOST_USER_SET_OWNER |
| |
| Id: 3 |
| Equivalent ioctl: VHOST_SET_OWNER |
| Master payload: N/A |
| |
| Issued when a new connection is established. It sets the current Master |
| as an owner of the session. This can be used on the Slave as a |
| "session start" flag. |
| |
| * VHOST_USER_RESET_OWNER |
| |
| Id: 4 |
| Master payload: N/A |
| |
| This is no longer used. Used to be sent to request disabling |
| all rings, but some clients interpreted it to also discard |
| connection state (this interpretation would lead to bugs). |
| It is recommended that clients either ignore this message, |
| or use it to disable all rings. |
| |
| * VHOST_USER_SET_MEM_TABLE |
| |
| Id: 5 |
| Equivalent ioctl: VHOST_SET_MEM_TABLE |
| Master payload: memory regions description |
| |
| Sets the memory map regions on the slave so it can translate the vring |
| addresses. In the ancillary data there is an array of file descriptors |
| for each memory mapped region. The size and ordering of the fds matches |
| the number and ordering of memory regions. |
| |
| * VHOST_USER_SET_LOG_BASE |
| |
| Id: 6 |
| Equivalent ioctl: VHOST_SET_LOG_BASE |
| Master payload: u64 |
| Slave payload: N/A |
| |
| Sets logging shared memory space. |
| When slave has VHOST_USER_PROTOCOL_F_LOG_SHMFD protocol |
| feature, the log memory fd is provided in the ancillary data of |
| VHOST_USER_SET_LOG_BASE message, the size and offset of shared |
| memory area provided in the message. |
| |
| |
| * VHOST_USER_SET_LOG_FD |
| |
| Id: 7 |
| Equivalent ioctl: VHOST_SET_LOG_FD |
| Master payload: N/A |
| |
| Sets the logging file descriptor, which is passed as ancillary data. |
| |
| * VHOST_USER_SET_VRING_NUM |
| |
| Id: 8 |
| Equivalent ioctl: VHOST_SET_VRING_NUM |
| Master payload: vring state description |
| |
| Set the size of the queue. |
| |
| * VHOST_USER_SET_VRING_ADDR |
| |
| Id: 9 |
| Equivalent ioctl: VHOST_SET_VRING_ADDR |
| Master payload: vring address description |
| Slave payload: N/A |
| |
| Sets the addresses of the different aspects of the vring. |
| |
| * VHOST_USER_SET_VRING_BASE |
| |
| Id: 10 |
| Equivalent ioctl: VHOST_SET_VRING_BASE |
| Master payload: vring state description |
| |
| Sets the base offset in the available vring. |
| |
| * VHOST_USER_GET_VRING_BASE |
| |
| Id: 11 |
| Equivalent ioctl: VHOST_USER_GET_VRING_BASE |
| Master payload: vring state description |
| Slave payload: vring state description |
| |
| Get the available vring base offset. |
| |
| * VHOST_USER_SET_VRING_KICK |
| |
| Id: 12 |
| Equivalent ioctl: VHOST_SET_VRING_KICK |
| Master payload: u64 |
| |
| Set the event file descriptor for adding buffers to the vring. It |
| is passed in the ancillary data. |
| Bits (0-7) of the payload contain the vring index. Bit 8 is the |
| invalid FD flag. This flag is set when there is no file descriptor |
| in the ancillary data. This signals that polling should be used |
| instead of waiting for a kick. |
| |
| * VHOST_USER_SET_VRING_CALL |
| |
| Id: 13 |
| Equivalent ioctl: VHOST_SET_VRING_CALL |
| Master payload: u64 |
| |
| Set the event file descriptor to signal when buffers are used. It |
| is passed in the ancillary data. |
| Bits (0-7) of the payload contain the vring index. Bit 8 is the |
| invalid FD flag. This flag is set when there is no file descriptor |
| in the ancillary data. This signals that polling will be used |
| instead of waiting for the call. |
| |
| * VHOST_USER_SET_VRING_ERR |
| |
| Id: 14 |
| Equivalent ioctl: VHOST_SET_VRING_ERR |
| Master payload: u64 |
| |
| Set the event file descriptor to signal when error occurs. It |
| is passed in the ancillary data. |
| Bits (0-7) of the payload contain the vring index. Bit 8 is the |
| invalid FD flag. This flag is set when there is no file descriptor |
| in the ancillary data. |
| |
| * VHOST_USER_GET_QUEUE_NUM |
| |
| Id: 17 |
| Equivalent ioctl: N/A |
| Master payload: N/A |
| Slave payload: u64 |
| |
| Query how many queues the backend supports. This request should be |
| sent only when VHOST_USER_PROTOCOL_F_MQ is set in queried protocol |
| features by VHOST_USER_GET_PROTOCOL_FEATURES. |
| |
| * VHOST_USER_SET_VRING_ENABLE |
| |
| Id: 18 |
| Equivalent ioctl: N/A |
| Master payload: vring state description |
| |
| Signal slave to enable or disable corresponding vring. |
| This request should be sent only when VHOST_USER_F_PROTOCOL_FEATURES |
| has been negotiated. |
| |
| * VHOST_USER_SEND_RARP |
| |
| Id: 19 |
| Equivalent ioctl: N/A |
| Master payload: u64 |
| |
| Ask vhost user backend to broadcast a fake RARP to notify the migration |
| is terminated for guest that does not support GUEST_ANNOUNCE. |
| Only legal if feature bit VHOST_USER_F_PROTOCOL_FEATURES is present in |
| VHOST_USER_GET_FEATURES and protocol feature bit VHOST_USER_PROTOCOL_F_RARP |
| is present in VHOST_USER_GET_PROTOCOL_FEATURES. |
| The first 6 bytes of the payload contain the mac address of the guest to |
| allow the vhost user backend to construct and broadcast the fake RARP. |
| |
| * VHOST_USER_NET_SET_MTU |
| |
| Id: 20 |
| Equivalent ioctl: N/A |
| Master payload: u64 |
| |
| Set host MTU value exposed to the guest. |
| This request should be sent only when VIRTIO_NET_F_MTU feature has been |
| successfully negotiated, VHOST_USER_F_PROTOCOL_FEATURES is present in |
| VHOST_USER_GET_FEATURES and protocol feature bit |
| VHOST_USER_PROTOCOL_F_NET_MTU is present in |
| VHOST_USER_GET_PROTOCOL_FEATURES. |
| If VHOST_USER_PROTOCOL_F_REPLY_ACK is negotiated, slave must respond |
| with zero in case the specified MTU is valid, or non-zero otherwise. |
| |
| * VHOST_USER_SET_SLAVE_REQ_FD |
| |
| Id: 21 |
| Equivalent ioctl: N/A |
| Master payload: N/A |
| |
| Set the socket file descriptor for slave initiated requests. It is passed |
| in the ancillary data. |
| This request should be sent only when VHOST_USER_F_PROTOCOL_FEATURES |
| has been negotiated, and protocol feature bit VHOST_USER_PROTOCOL_F_SLAVE_REQ |
| bit is present in VHOST_USER_GET_PROTOCOL_FEATURES. |
| If VHOST_USER_PROTOCOL_F_REPLY_ACK is negotiated, slave must respond |
| with zero for success, non-zero otherwise. |
| |
| * VHOST_USER_IOTLB_MSG |
| |
| Id: 22 |
| Equivalent ioctl: N/A (equivalent to VHOST_IOTLB_MSG message type) |
| Master payload: struct vhost_iotlb_msg |
| Slave payload: u64 |
| |
| Send IOTLB messages with struct vhost_iotlb_msg as payload. |
| Master sends such requests to update and invalidate entries in the device |
| IOTLB. The slave has to acknowledge the request with sending zero as u64 |
| payload for success, non-zero otherwise. |
| This request should be send only when VIRTIO_F_IOMMU_PLATFORM feature |
| has been successfully negotiated. |
| |
| Slave message types |
| ------------------- |
| |
| * VHOST_USER_SLAVE_IOTLB_MSG |
| |
| Id: 1 |
| Equivalent ioctl: N/A (equivalent to VHOST_IOTLB_MSG message type) |
| Slave payload: struct vhost_iotlb_msg |
| Master payload: N/A |
| |
| Send IOTLB messages with struct vhost_iotlb_msg as payload. |
| Slave sends such requests to notify of an IOTLB miss, or an IOTLB |
| access failure. If VHOST_USER_PROTOCOL_F_REPLY_ACK is negotiated, |
| and slave set the VHOST_USER_NEED_REPLY flag, master must respond with |
| zero when operation is successfully completed, or non-zero otherwise. |
| This request should be send only when VIRTIO_F_IOMMU_PLATFORM feature |
| has been successfully negotiated. |
| |
| VHOST_USER_PROTOCOL_F_REPLY_ACK: |
| ------------------------------- |
| The original vhost-user specification only demands replies for certain |
| commands. This differs from the vhost protocol implementation where commands |
| are sent over an ioctl() call and block until the client has completed. |
| |
| With this protocol extension negotiated, the sender (QEMU) can set the |
| "need_reply" [Bit 3] flag to any command. This indicates that |
| the client MUST respond with a Payload VhostUserMsg indicating success or |
| failure. The payload should be set to zero on success or non-zero on failure, |
| unless the message already has an explicit reply body. |
| |
| The response payload gives QEMU a deterministic indication of the result |
| of the command. Today, QEMU is expected to terminate the main vhost-user |
| loop upon receiving such errors. In future, qemu could be taught to be more |
| resilient for selective requests. |
| |
| For the message types that already solicit a reply from the client, the |
| presence of VHOST_USER_PROTOCOL_F_REPLY_ACK or need_reply bit being set brings |
| no behavioural change. (See the 'Communication' section for details.) |