
QEMU on Linux hosts should utilize vsock

Open AkihiroSuda opened this issue 1 month ago • 5 comments

Description

QEMU on Linux hosts should utilize vsock, especially for SSH over AF_VSOCK.

Ideally QEMU on macOS should utilize vsock too, but it does not seem to be implemented. (And implementing it is not a trivial task.)

AkihiroSuda avatar Oct 16 '25 07:10 AkihiroSuda

We can use the https://github.com/mdlayher/vsock library in Lima to handle SSH and port forwarding over AF_VSOCK. A new config option (e.g. useVsock: true) in the Lima YAML enables this feature, and it maintains backward compatibility by automatically falling back to TCP when vsock isn’t available or not preferred, with the option to deprecate or phase out TCP later based on user feedback?

Horiodino avatar Oct 29 '25 12:10 Horiodino

According to https://wiki.archlinux.org/title/QEMU#Accessing_SSH_via_vsock, Linux hosts can access the ssh of the QEMU guest via AF_VSOCK without port forwarding. QEMU options:

-device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=555

connecting ssh to VM:

$ ssh user@vsock/555

I haven't tried these because I don't have an environment where they can be tested.

norio-nomura avatar Oct 30 '25 01:10 norio-nomura

Confirmed:

norio@ubuntu-questing:~/ghq/github.com/lima-vm/lima$ grep -o -E 'vsock\S+' ~/.lima/default/ha.stderr.log 
vsock-pci,id=vhost-vsock-pci0,guest-cid=3
norio@ubuntu-questing:~/ghq/github.com/lima-vm/lima$ ssh -i ~/.lima/_config/user norio@vsock/3
Welcome to Ubuntu 25.10 (GNU/Linux 6.17.0-5-generic x86_64)

 * Documentation:  https://docs.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Fri Oct 31 19:05:31 JST 2025

  System load:           0.02
  Usage of /:            2.0% of 95.85GB
  Memory usage:          14%
  Swap usage:            0%
  Processes:             127
  Users logged in:       0
  IPv4 address for eth0: 192.168.5.15
  IPv6 address for eth0: fec0::5055:55ff:fe0b:1489

  => There is 1 zombie process.


0 updates can be applied immediately.


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Oct 31 18:57:17 2025 from UNKNOWN
norio@lima-default:~$

To use AF_VSOCK on a Linux host, it is required that the user have permission to /dev/vhost-vsock.

norio@ubuntu-questing:~/ghq/github.com/lima-vm/lima$ ls -la /dev/vhost-vsock 
crw-rw---- 1 root kvm 10, 241 Oct 31 18:45 /dev/vhost-vsock

norio-nomura avatar Oct 31 '25 10:10 norio-nomura
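
An added example (not Lima's code and not written by any commenter), in Go because Lima is a Go project: it combines the TCP fallback proposed earlier in the thread with the `guest-cid` lookup and the `/dev/vhost-vsock` permission requirement from the comment above. The helper names, the choice to probe the device by opening it, and the sample fallback address are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"regexp"
	"strconv"
)

// Matches e.g. -device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=3
var guestCIDRe = regexp.MustCompile(`vhost-vsock-pci,\S*?guest-cid=(\d+)`)

// guestCID extracts guest-cid from a QEMU command line. CIDs 0 (hypervisor),
// 1 (local), 2 (host) and 0xFFFFFFFF (VMADDR_CID_ANY) never name a guest.
func guestCID(qemuArgs string) (uint32, error) {
	m := guestCIDRe.FindStringSubmatch(qemuArgs)
	if m == nil {
		return 0, fmt.Errorf("no vhost-vsock-pci device with guest-cid")
	}
	n, err := strconv.ParseUint(m[1], 10, 32)
	if err != nil {
		return 0, fmt.Errorf("guest-cid %q: %w", m[1], err)
	}
	if n < 3 || n == 0xFFFFFFFF {
		return 0, fmt.Errorf("guest-cid %d is reserved", n)
	}
	return uint32(n), nil
}

// sshTarget (hypothetical helper) returns "vsock/<cid>" when the CID is valid
// and dev opens read-write for this user; else tcpFallback plus the reason.
func sshTarget(qemuArgs, dev, tcpFallback string) (string, error) {
	cid, err := guestCID(qemuArgs)
	if err != nil {
		return tcpFallback, err
	}
	f, err := os.OpenFile(dev, os.O_RDWR, 0)
	if err != nil {
		return tcpFallback, fmt.Errorf("vsock unavailable: %w", err)
	}
	f.Close()
	return fmt.Sprintf("vsock/%d", cid), nil
}

func main() {
	// Constructed sample: QEMU arguments and a made-up TCP fallback address.
	args := "-device vhost-vsock-pci,id=vhost-vsock-pci0,guest-cid=3"
	fmt.Println(sshTarget(args, "/dev/vhost-vsock", "127.0.0.1:60022"))
}
```

With the `crw-rw---- root kvm` mode shown above, a user outside the `kvm` group gets the TCP address back together with a permission error explaining the fallback.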

It seems that vsock/3 is treated as an address.

norio@ubuntu-questing:~/ghq/github.com/lima-vm/lima$ ssh -i ~/.lima/_config/user norio@vsock/3 -p 23
Failed to connect to vsock:3:23: Connection reset by peer
mm_receive_fd: recvmsg: expected received 1 got 0
proxy dialer did not pass back a connection

norio-nomura avatar Oct 31 '25 10:10 norio-nomura

That's due to systemd-ssh-proxy, which (according to the dropdown at the top right) showed up in systemd 256. Note also that this is relevant for the host (not the VM). It basically accepts hosts that start with vsock/ (and vsock%) and redirects that to a helper program that handles making the connection, so it's basically fancy port forwarding.

mook-as avatar Oct 31 '25 18:10 mook-as