1VIRTIOFSD(1) QEMU VIRTIOFSD(1)
2
6 virtiofsd - QEMU virtio-fs shared file system daemon
7
9 virtiofsd [OPTIONS]
10
12 Share a host directory tree with a guest through a virtio-fs device.
13 This program is a vhost-user backend that implements the virtio-fs de‐
14 vice. Each virtio-fs device instance requires its own virtiofsd
15 process.
16 This program is designed to work with QEMU's --device vhost-user-fs-pci
18 but should work with any virtual machine monitor (VMM) that supports
19 vhost-user. See the Examples section below.
20 This program must be run as the root user. The program drops privi‐
22 leges where possible during startup although it must be able to create
23 and access files with any uid/gid:
24 • The ability to invoke syscalls is limited using seccomp(2).
26 • Linux capabilities(7) are dropped.
28 In "namespace" sandbox mode the program switches into a new file system
30 namespace and invokes pivot_root(2) to make the shared directory tree
31 its root. A new pid and net namespace is also created to isolate the
32 process.
33 In "chroot" sandbox mode the program invokes chroot(2) to make the
35 shared directory tree its root. This mode is intended for container en‐
36 vironments where the container runtime has already set up the name‐
37 spaces and the program does not have permission to create namespaces
38 itself.
39 Both sandbox modes prevent "file system escapes" due to symlinks and
41 other file system objects that might lead to files outside the shared
42 directory.
43
45 -h, --help
46 Print help.
47 -V, --version
49 Print version.
50 -d Enable debug output.
52 --syslog
54 Print log messages to syslog instead of stderr.
55 -o OPTION
57 • debug - Enable debug output.
59 • flock|no_flock - Enable/disable flock. The default is
61 no_flock.
62 • modcaps=CAPLIST Modify the list of capabilities allowed;
64 CAPLIST is a colon separated list of capabilities, each pre‐
65 ceded by either + or -, e.g. ''+sys_admin:-chown''.
66 • log_level=LEVEL - Print only log messages matching LEVEL or
68 more severe. LEVEL is one of err, warn, info, or debug. The
69 default is info.
70 • posix_lock|no_posix_lock - Enable/disable remote POSIX locks.
72 The default is no_posix_lock.
73 • readdirplus|no_readdirplus - Enable/disable readdirplus. The
75 default is readdirplus.
76 • sandbox=namespace|chroot - Sandbox mode: - namespace: Create
78 mount, pid, and net namespaces and pivot_root(2) into the
79 shared directory. - chroot: chroot(2) into shared directory
80 (use in containers). The default is "namespace".
81 • source=PATH - Share host directory tree located at PATH. This
83 option is required.
84 • timeout=TIMEOUT - I/O timeout in seconds. The default depends
86 on cache= option.
87 • writeback|no_writeback - Enable/disable writeback cache. The
89 cache allows the FUSE client to buffer and merge write re‐
90 quests. The default is no_writeback.
91 • xattr|no_xattr - Enable/disable extended attributes (xattr) on
93 files and directories. The default is no_xattr.
94 --socket-path=PATH
96 Listen on vhost-user UNIX domain socket at PATH.
97 --socket-group=GROUP
99 Set the vhost-user UNIX domain socket gid to GROUP.
100 --fd=FDNUM
102 Accept connections from vhost-user UNIX domain socket file de‐
103 scriptor FDNUM. The file descriptor must already be listening
104 for connections.
105 --thread-pool-size=NUM
107 Restrict the number of worker threads per request queue to NUM.
108 The default is 64.
109 --cache=none|auto|always
111 Select the desired trade-off between coherency and performance.
112 none forbids the FUSE client from caching to achieve best co‐
113 herency at the cost of performance. auto acts similar to NFS
114 with a 1 second metadata cache timeout. always sets a long
115 cache lifetime at the expense of coherency. The default is
116 auto.
117
119 By default the name of xattr's used by the client are passed through to
120 the server file system. This can be a problem where either those xattr
121 names are used by something on the server (e.g. selinux client/server
122 confusion) or if the virtiofsd is running in a container with re‐
123 stricted privileges where it cannot access some attributes.
124 A mapping of xattr names can be made using -o xattrmap=mapping where
126 the mapping string consists of a series of rules.
127 The first matching rule terminates the mapping. The set of rules must
129 include a terminating rule to match any remaining attributes at the
130 end.
131 Each rule consists of a number of fields separated with a separator
133 that is the first non-white space character in the rule. This separa‐
134 tor must then be used for the whole rule. White space may be added be‐
135 fore and after each rule.
136 Using ':' as the separator a rule is of the form:
138 :type:scope:key:prepend:
140 scope is:
142 •
144 'client' - match 'key' against a xattr name from the client for
146 setxattr/getxattr/removexattr
147 •
149 'server' - match 'prepend' against a xattr name from the server
151 for listxattr
152 •
154 'all' - can be used to make a single rule where both the server
156 and client matches are triggered.
157 type is one of:
159 • 'prefix' - is designed to prepend and strip a prefix; the modified
161 attributes then being passed on to the client/server.
162 • 'ok' - Causes the rule set to be terminated when a match is found
164 while allowing matching xattr's through unchanged. It is intended
165 both as a way of explicitly terminating the list of rules, and to al‐
166 low some xattr's to skip following rules.
167 • 'bad' - If a client tries to use a name matching 'key' it's denied
169 using EPERM; when the server passes an attribute name matching
170 'prepend' it's hidden. In many ways it's use is very like 'ok' as
171 either an explicit terminator or for special handling of certain pat‐
172 terns.
173 key is a string tested as a prefix on an attribute name originating on
175 the client. It maybe empty in which case a 'client' rule will always
176 match on client names.
177 prepend is a string tested as a prefix on an attribute name originating
179 on the server, and used as a new prefix. It may be empty in which case
180 a 'server' rule will always match on all names from the server.
181 e.g.:
183 :prefix:client:trusted.:user.virtiofs.:
184 will match 'trusted.' attributes in client calls and prefix them be‐
186 fore passing them to the server.
187 :prefix:server::user.virtiofs.:
189 will strip 'user.virtiofs.' from all server replies.
191 :prefix:all:trusted.:user.virtiofs.:
193 combines the previous two cases into a single rule.
195 :ok:client:user.::
197 will allow get/set xattr for 'user.' xattr's and ignore following
199 rules.
200 :ok:server::security.:
202 will pass 'securty.' xattr's in listxattr from the server and ignore
204 following rules.
205 :ok:all:::
207 will terminate the rule search passing any remaining attributes in
209 both directions.
210 :bad:server::security.:
212 would hide 'security.' xattr's in listxattr from the server.
214 A simpler 'map' type provides a shorter syntax for the common case:
216 :map:key:prepend:
218 The 'map' type adds a number of separate rules to add prepend as a pre‐
220 fix to the matched key (or all attributes if key is empty). There may
221 be at most one 'map' rule and it must be the last rule in the set.
222
224 1. Prefix all attributes with 'user.virtiofs.'
225 -o xattrmap=":prefix:all::user.virtiofs.::bad:all:::"
227 This uses two rules, using : as the field separator; the first rule
229 prefixes and strips 'user.virtiofs.', the second rule hides any
230 non-prefixed attributes that the host set.
231 This is equivalent to the 'map' rule:
233 :: -o xattrmap=":map::user.virtiofs.:"
235 2. Prefix 'trusted.' attributes, allow others through
237 "/prefix/all/trusted./user.virtiofs./
239 /bad/server//trusted./
240 /bad/client/user.virtiofs.//
241 /ok/all///"
242 Here there are four rules, using / as the field separator, and also
244 demonstrating that new lines can be included between rules. The first
245 rule is the prefixing of 'trusted.' and stripping of 'user.virtiofs.'.
246 The second rule hides unprefixed 'trusted.' attributes on the host.
247 The third rule stops a guest from explicitly setting the 'user.vir‐
248 tiofs.' path directly. Finally, the fourth rule lets all remaining at‐
249 tributes through.
250 This is equivalent to the 'map' rule:
252 :: -o xattrmap="/map/trusted./user.virtiofs./"
254 3. Hide 'security.' attributes, and allow everything else
256 "/bad/all/security./security./
258 /ok/all///'
259 The first rule combines what could be separate client and server rules
261 into a single 'all' rule, matching 'security.' in either client argu‐
262 ments or lists returned from the host. This stops the client seeing
263 any 'security.' attributes on the server and stops it setting any.
264
266 Export /var/lib/fs/vm001/ on vhost-user UNIX domain socket
267 /var/run/vm001-vhost-fs.sock:
268 host# virtiofsd --socket-path=/var/run/vm001-vhost-fs.sock -o source=/var/lib/fs/vm001
270 host# qemu-system-x86_64 \
271 -chardev socket,id=char0,path=/var/run/vm001-vhost-fs.sock \
272 -device vhost-user-fs-pci,chardev=char0,tag=myfs \
273 -object memory-backend-memfd,id=mem,size=4G,share=on \
274 -numa node,memdev=mem \
275 ...
276 guest# mount -t virtiofs myfs /mnt
277
279 Stefan Hajnoczi <stefanha@redhat.com>, Masayoshi Mizuma
280 <m.mizuma@jp.fujitsu.com>
281
283 2021, The QEMU Project Developers
2845.2.0 May 19, 2021 VIRTIOFSD(1)