Persistent reservation helper protocol

QEMU’s SCSI passthrough devices, scsi-block and scsi-generic, can delegate implementation of persistent reservations to an external (and typically privileged) program. Persistent Reservations allow restricting access to block devices to specific initiators in a shared storage setup.

For a more detailed reference please refer the the SCSI Primary Commands standard, specifically the section on Reservations and the “PERSISTENT RESERVE IN” and “PERSISTENT RESERVE OUT” commands.

This document describes the socket protocol used between QEMU’s pr-manager-helper object and the external program.

Connection and initialization

All data transmitted on the socket is big-endian.

After connecting to the helper program’s socket, the helper starts a simple feature negotiation process by writing four bytes corresponding to the features it exposes (supported_features). QEMU reads it, then writes four bytes corresponding to the desired features of the helper program (requested_features).

If a bit is 1 in requested_features and 0 in supported_features, the corresponding feature is not supported by the helper and the connection is closed. On the other hand, it is acceptable for a bit to be 0 in requested_features and 1 in supported_features; in this case, the helper will not enable the feature.

Right now no feature is defined, so the two parties always write four zero bytes.

Command format

It is invalid to send multiple commands concurrently on the same socket. It is however possible to connect multiple sockets to the helper and send multiple commands to the helper for one or more file descriptors.

A command consists of a request and a response. A request consists of a 16-byte SCSI CDB. A file descriptor must be passed to the helper together with the SCSI CDB using ancillary data.

The CDB has the following limitations:

  • the command (stored in the first byte) must be one of 0x5E (PERSISTENT RESERVE IN) or 0x5F (PERSISTENT RESERVE OUT).
  • the allocation length (stored in bytes 7-8 of the CDB for PERSISTENT RESERVE IN) or parameter list length (stored in bytes 5-8 of the CDB for PERSISTENT RESERVE OUT) is limited to 8 KiB.

For PERSISTENT RESERVE OUT, the parameter list is sent right after the CDB. The length of the parameter list is taken from the CDB itself.

The helper’s reply has the following structure:

  • 4 bytes for the SCSI status
  • 4 bytes for the payload size (nonzero only for PERSISTENT RESERVE IN and only if the SCSI status is 0x00, i.e. GOOD)
  • 96 bytes for the SCSI sense data
  • if the size is nonzero, the payload follows

The sense data is always sent to keep the protocol simple, even though it is only valid if the SCSI status is CHECK CONDITION (0x02).

The payload size is always less than or equal to the allocation length specified in the CDB for the PERSISTENT RESERVE IN command.

If the protocol is violated, the helper closes the socket.