cloud-hypervisor: respect microvm.vsock.cid instead of hardcoding

Ramblurr · Ramblurr · commit d1908aecabaf · 2025-07-18T10:45:04.000+02:00
Previously, cloud-hypervisor always configured vsock with cid=3, causing problems when runnning multiple VMs from running on the same host due to CID conflicts. This change respects `microvm.vsock.cid` when set and allows users to configure vsock via `microvm.cloud-hypervisor.extraArgs`. The implementation: - Uses `microvm.vsock.cid` when specified - Extracts and merges `--vsock` options from extraArgs - Throws an error if both vsock.cid and --vsock cid=... are provided - Warns users when vsock is not configured (disabling systemd-notify) Fixes: microvm-nix#378 Builds on and requires PR microvm-nix#336 (for the extractOptValues function)
diff --git a/lib/default.nix b/lib/default.nix
@@ -133,4 +133,26 @@ rec {
           processArgs (builtins.tail args) values (acc ++ [(builtins.head args)]);
     in
       processArgs extraArgs [] [];
+
+  /*
+    extractParamValue - Extract a parameter value from comma-separated key=value options
+
+    Description:
+      Extracts the value of a specified parameter from a comma-separated string
+      of key=value pairs (e.g., "key1=val1,key2=val2"). Returns the first match.
+
+    Parameters:
+      param :: String - The parameter name to search for
+      opts :: String -  The options string
+
+    Returns:
+      String | null - The parameter value if found, null otherwise
+
+    Example:
+      extractParamValue "socket" "cid=5,socket=notify.vsock" => "notify.vsock"
+  */
+  extractParamValue = param: opts:
+    if opts == "" || opts == null then null
+    else let m = builtins.match ".*${param}=([^,]+).*" opts;
+         in if m == null then null else builtins.head m;
 }
diff --git a/lib/runner.nix b/lib/runner.nix
@@ -8,13 +8,13 @@ let
 
   inherit (microvmConfig) hostName;
 
-  inherit (import ./. { inherit lib; }) createVolumesScript makeMacvtap withDriveLetters extractOptValues;
+  inherit (import ./. { inherit lib; }) createVolumesScript makeMacvtap withDriveLetters extractOptValues extractParamValue;
   inherit (makeMacvtap {
     inherit microvmConfig hypervisorConfig;
   }) openMacvtapFds macvtapFds;
 
   hypervisorConfig = import (./runners + "/${microvmConfig.hypervisor}.nix") {
-    inherit pkgs microvmConfig macvtapFds withDriveLetters extractOptValues;
+    inherit pkgs microvmConfig macvtapFds withDriveLetters extractOptValues extractParamValue;
   };
 
   inherit (hypervisorConfig) command canShutdown shutdownCommand;
diff --git a/lib/runners/cloud-hypervisor.nix b/lib/runners/cloud-hypervisor.nix
@@ -2,14 +2,21 @@
 , microvmConfig
 , macvtapFds
 , extractOptValues
+, extractParamValue
 , ...
 }:
 
 let
   inherit (pkgs) lib;
-  inherit (microvmConfig) vcpu mem balloon initialBalloonMem deflateOnOOM hotplugMem hotpluggedMem user interfaces volumes shares socket devices hugepageMem graphics storeDisk storeOnDisk kernel initrdPath;
+  inherit (microvmConfig) vcpu mem balloon initialBalloonMem deflateOnOOM hotplugMem hotpluggedMem user interfaces volumes shares socket devices hugepageMem graphics storeDisk storeOnDisk kernel initrdPath vsock;
   inherit (microvmConfig.cloud-hypervisor) platformOEMStrings extraArgs;
 
+  # extract all the extra args that we merge with up front
+  processedExtraArgs = builtins.foldl'
+    (args: opt: (extractOptValues opt args).args)
+    extraArgs
+    ["--vsock" "--platform"];
+
   hasUserConsole = (extractOptValues "--console" extraArgs).values != [];
   hasUserSerial = (extractOptValues "--serial" extraArgs).values != [];
   userSerial = if hasUserSerial then (extractOptValues "--serial" extraArgs).values else "";
@@ -30,6 +37,24 @@ let
 
   kernelCmdLine = "${kernelConsole} reboot=t panic=-1 ${builtins.unsafeDiscardStringContext (toString microvmConfig.kernelParams)}";
 
+
+  userVSockOpts = (extractOptValues "--vsock" extraArgs).values;
+  userVSockStr = if userVSockOpts == [] then null else builtins.head userVSockOpts;
+  userVSockPath = extractParamValue "socket" userVSockStr;
+  userVSockCID = extractParamValue "cid" userVSockStr;
+  vsockCID = if vsock.cid != null && userVSockCID != null
+             then throw "Cannot set vsock.cid and --vsock 'cid=${userVSockCID}...' at the same time"
+             else if vsock.cid != null
+                  then vsock.cid
+                  else userVSockCID;
+  supportsNotifySocket = vsockCID != null;
+  vsockPath = if userVSockPath != null then userVSockPath else "notify.vsock";
+  vsockOpts =
+    if vsockCID == null then
+      lib.warn "cloud-hypervisor supports systemd-notify via vsock, but `microvm.vsock.cid` must be set to enable this." ""
+    else
+      "cid=${toString vsockCID},socket=${vsockPath}";
+
   useHotPlugMemory = hotplugMem > 0;
 
   useVirtiofs = builtins.any ({ proto, ... }: proto == "virtiofs") shares;
@@ -101,14 +126,18 @@ let
     vulkan = true;
   };
 
-  supportsNotifySocket = true;
-
   oemStringValues = platformOEMStrings ++ lib.optional supportsNotifySocket "io.systemd.credential:vmm.notify_socket=vsock-stream:2:8888";
   oemStringOptions = lib.optional (oemStringValues != []) "oem_strings=[${lib.concatStringsSep "," oemStringValues}]";
   platformExtracted = extractOptValues "--platform" extraArgs;
   extraArgsWithoutPlatform = platformExtracted.args;
   userPlatformOpts = platformExtracted.values;
-  platformOps = lib.concatStringsSep "," (oemStringOptions ++ userPlatformOpts);
+  userPlatformStr = if userPlatformOpts == [] then "" else builtins.head userPlatformOpts;
+  userHasOemStrings = (extractParamValue "oem_strings" userPlatformStr) != null;
+  platformOps =
+    if userHasOemStrings then
+      throw "Use `microvm.cloud-hypervisor.platformOEMStrings` instead of passing oem_strings via --platform"
+    else
+      lib.concatStringsSep "," (oemStringOptions ++ userPlatformOpts);
 in {
   inherit tapMultiQueue;
 
@@ -122,13 +151,13 @@ in {
 
   '' + lib.optionalString supportsNotifySocket ''
     # Ensure notify sockets are removed if cloud-hypervisor didn't exit cleanly the last time
-    rm -f notify.vsock notify.vsock_8888
+    rm -f ${vsockPath} ${vsockPath}_8888
 
     # Start socat to forward systemd notify socket over vsock
     if [ -n "''${NOTIFY_SOCKET:-}" ]; then
       # -T2 is required because cloud-hypervisor does not handle partial
       # shutdown of the stream, like systemd v256+ does.
-      ${pkgs.socat}/bin/socat -T2 UNIX-LISTEN:notify.vsock_8888,fork UNIX-SENDTO:$NOTIFY_SOCKET &
+      ${pkgs.socat}/bin/socat -T2 UNIX-LISTEN:${vsockPath}_8888,fork UNIX-SENDTO:$NOTIFY_SOCKET &
     fi
   '' + lib.optionalString graphics.enable ''
     rm -f ${graphics.socket}
@@ -142,7 +171,6 @@ in {
     done
   '';
 
-  inherit supportsNotifySocket;
 
   command =
     if user != null
@@ -167,9 +195,7 @@ in {
       ++
       lib.optionals (!hasUserSerial) ["--serial" "tty"]
       ++
-      lib.optionals supportsNotifySocket [
-        "--vsock" "cid=3,socket=notify.vsock"
-      ]
+      lib.optionals (vsockOpts != "") ["--vsock" vsockOpts]
       ++
       lib.optionals graphics.enable [
         "--gpu" "socket=${graphics.socket}"
@@ -240,7 +266,7 @@ in {
           usb = throw "USB passthrough is not supported on cloud-hypervisor";
         }.${bus}) devices
       )
-    ) + " " + lib.escapeShellArgs extraArgsWithoutPlatform;
+    ) + " " + lib.escapeShellArgs processedExtraArgs;
 
   canShutdown = socket != null;
 
