Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
vsock: document namespace mode sysctls

Add documentation for the vsock per-namespace sysctls (`ns_mode` and
`child_ns_mode`) to Documentation/admin-guide/sysctl/net.rst.
These sysctls were introduced by commit eafb64f40ca4 ("vsock: add
netns to vsock core").

Document the two namespace modes (`global` and `local`), the
inheritance behavior of `child_ns_mode`, and the restriction preventing
local namespaces from setting `child_ns_mode` to `global`.

Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Tested-by: Randy Dunlap <rdunlap@infradead.org>
Acked-by: Randy Dunlap <rdunlap@infradead.org>
Link: https://patch.msgid.link/20260216163147.236844-1-sgarzare@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Authored by Stefano Garzarella and committed by Jakub Kicinski (a07c33c6 ffe68c37)

+50 -2
Documentation/admin-guide/sysctl/net.rst
··· 40 40 bridge Bridging rose X.25 PLP layer 41 41 core General parameter tipc TIPC 42 42 ethernet Ethernet protocol unix Unix domain sockets 43 - ipv4 IP version 4 x25 X.25 protocol 44 - ipv6 IP version 6 43 + ipv4 IP version 4 vsock VSOCK sockets 44 + ipv6 IP version 6 x25 X.25 protocol 45 45 ========= =================== = ========== =================== 46 46 47 47 1. /proc/sys/net/core - Network core options ··· 551 551 If named_timeout is nonzero, failed topology updates will be placed on a defer 552 552 queue until another event arrives that clears the error, or until the timeout 553 553 expires. Value is in milliseconds. 554 + 555 + 6. /proc/sys/net/vsock - VSOCK sockets 556 + -------------------------------------- 557 + 558 + VSOCK sockets (AF_VSOCK) provide communication between virtual machines and 559 + their hosts. The behavior of VSOCK sockets in a network namespace is determined 560 + by the namespace's mode (``global`` or ``local``), which controls how CIDs 561 + (Context IDs) are allocated and how sockets interact across namespaces. 562 + 563 + ns_mode 564 + ------- 565 + 566 + Read-only. Reports the current namespace's mode, set at namespace creation 567 + and immutable thereafter. 568 + 569 + Values: 570 + 571 + - ``global`` - the namespace shares system-wide CID allocation and 572 + its sockets can reach any VM or socket in any global namespace. 573 + Sockets in this namespace cannot reach sockets in local 574 + namespaces. 575 + - ``local`` - the namespace has private CID allocation and its 576 + sockets can only connect to VMs or sockets within the same 577 + namespace. 578 + 579 + The init_net mode is always ``global``. 580 + 581 + child_ns_mode 582 + ------------- 583 + 584 + Controls what mode newly created child namespaces will inherit. At namespace 585 + creation, ``ns_mode`` is inherited from the parent's ``child_ns_mode``. The 586 + initial value matches the namespace's own ``ns_mode``. 
587 + 588 + Values: 589 + 590 + - ``global`` - child namespaces will share system-wide CID allocation 591 + and their sockets will be able to reach any VM or socket in any 592 + global namespace. 593 + - ``local`` - child namespaces will have private CID allocation and 594 + their sockets will only be able to connect within their own 595 + namespace. 596 + 597 + Changing ``child_ns_mode`` only affects namespaces created after the change; 598 + it does not modify the current namespace or any existing children. 599 + 600 + A namespace with ``ns_mode`` set to ``local`` cannot change 601 + ``child_ns_mode`` to ``global`` (returns ``-EPERM``).
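Review bot: the new section heading "6. /proc/sys/net/vsock - VSOCK sockets" and the two sysctl headings "ns_mode" and "child_ns_mode" all use the same "-" underline adornment, and in reStructuredText the same adornment means the same section level, so ns_mode and child_ns_mode will render as siblings of section 6 rather than as its subsections. Please check which adornment the existing numbered sections (1. through 5.) use in net.rst and match it for section 6, leaving "-" for the per-sysctl headings so the hierarchy is consistent with the rest of the file. Minor wording point in the last paragraph: "(returns ``-EPERM``)" reads better as "the write fails with ``EPERM``", since from userspace the sysctl write returns -1 with errno set rather than the kernel's negative value; for symmetry it would also help to state what a write to the read-only ``ns_mode`` returns.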