Commit a07c33c6 authored by Stefano Garzarella, committed by Jakub Kicinski

vsock: document namespace mode sysctls
Add documentation for the vsock per-namespace sysctls (`ns_mode` and
`child_ns_mode`) to Documentation/admin-guide/sysctl/net.rst.
These sysctls were introduced by commit eafb64f4 ("vsock: add
netns to vsock core").

Document the two namespace modes (`global` and `local`), the
inheritance behavior of `child_ns_mode`, and the restriction preventing
local namespaces from setting `child_ns_mode` to `global`.

Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260216163147.236844-1-sgarzare@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parent ffe68c37
+50 −2
@@ -40,8 +40,8 @@ Table : Subdirectories in /proc/sys/net
 bridge    Bridging              rose       X.25 PLP layer
 core      General parameter     tipc       TIPC
 ethernet  Ethernet protocol     unix       Unix domain sockets
 ipv4      IP version 4          x25        X.25 protocol
 ipv6      IP version 6
 ipv4      IP version 4          vsock      VSOCK sockets
 ipv6      IP version 6          x25        X.25 protocol
 ========= =================== = ========== ===================

1. /proc/sys/net/core - Network core options
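Review bot: the new table row describes the subdirectory only as "VSOCK sockets"; since the rest of this table and the new section 6 below name the address family, consider "VSOCK (AF_VSOCK) sockets" or a note on whether the /proc/sys/net/vsock directory is present only when the vsock core is built in or loaded, so an administrator who cannot find it knows why.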
@@ -551,3 +551,51 @@ originally may have been issued in the correct sequential order.
If named_timeout is nonzero, failed topology updates will be placed on a defer
queue until another event arrives that clears the error, or until the timeout
expires. Value is in milliseconds.

6. /proc/sys/net/vsock - VSOCK sockets
--------------------------------------

VSOCK sockets (AF_VSOCK) provide communication between virtual machines and
their hosts. The behavior of VSOCK sockets in a network namespace is determined
by the namespace's mode (``global`` or ``local``), which controls how CIDs
(Context IDs) are allocated and how sockets interact across namespaces.

ns_mode
-------

Read-only. Reports the current namespace's mode, set at namespace creation
and immutable thereafter.

Values:

	- ``global`` - the namespace shares system-wide CID allocation and
	  its sockets can reach any VM or socket in any global namespace.
	  Sockets in this namespace cannot reach sockets in local
	  namespaces.
	- ``local`` - the namespace has private CID allocation and its
	  sockets can only connect to VMs or sockets within the same
	  namespace.

The init_net mode is always ``global``.

child_ns_mode
-------------

Controls what mode newly created child namespaces will inherit. At namespace
creation, ``ns_mode`` is inherited from the parent's ``child_ns_mode``. The
initial value matches the namespace's own ``ns_mode``.

Values:

	- ``global`` - child namespaces will share system-wide CID allocation
	  and their sockets will be able to reach any VM or socket in any
	  global namespace.
	- ``local`` - child namespaces will have private CID allocation and
	  their sockets will only be able to connect within their own
	  namespace.

Changing ``child_ns_mode`` only affects namespaces created after the change;
it does not modify the current namespace or any existing children.

A namespace with ``ns_mode`` set to ``local`` cannot change
``child_ns_mode`` to ``global`` (returns ``-EPERM``).
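Review bot: the ``child_ns_mode`` entry does not say who is allowed to write it; the other entries in this file state their defaults and, where relevant, the capability required, so add a sentence stating which capability (and in which namespace) is needed to change ``child_ns_mode``. The ``-EPERM`` wording under "A namespace with ``ns_mode`` set to ``local`` cannot change ``child_ns_mode`` to ``global``" is the security-relevant guarantee of the whole section (a local namespace cannot hand its children back into the global CID space), so it is worth stating that explicitly as the purpose of the restriction rather than only as an error code, and noting that the write fails with ``EPERM`` as seen from userspace (the ``-EPERM`` form is the kernel-internal return value).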