Skip to content

Implement support for TSIv3 #410

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 9 commits into
base: main
Choose a base branch
from
Open

Implement support for TSIv3 #410

wants to merge 9 commits into from

Conversation

slp
Copy link
Collaborator

@slp slp commented Sep 12, 2025

To support sockets beyond AF_INET, TSIv3 generalizes socketaddresses behind an abstract sockaddr type, just as the kernel does internally.

We need to follow suit here, and luckily we can rely on nix's SockaddrStorage to do most of the abstraction work for us.

Then, building on top of that, we implement support for AF_INET6 and AF_UNIX.

This is an ABI breaking change, so we also require the libkrunfw counterpart containers/libkrunfw#101

@slp slp force-pushed the tsi-v3 branch 5 times, most recently from ad10aec to cf52662 Compare September 17, 2025 15:26
@slp slp force-pushed the tsi-v3 branch 2 times, most recently from 15c9e2b to 95d5247 Compare September 30, 2025 15:08
@slp slp marked this pull request as ready for review September 30, 2025 15:15
mtjhrc
mtjhrc reviewed Oct 7, 2025
View reviewed changes
mtjhrc
mtjhrc reviewed Oct 7, 2025
View reviewed changes
slp added 7 commits October 8, 2025 16:03
@slp
vsock/tsi: generalize socket addresses
1ee195f 
To support sockets beyond AF_INET, TSIv3 generalizes socket
addresses behind an abstract sockaddr type, just as the kernel
does internally.

We need to follow suit here, and luckily we can rely on nix's
SockaddrStorage to do most of the abstraction work for us.

Signed-off-by: Sergio Lopez <[email protected]>
@slp
vsock/tsi: add support for AF_INET6 and AF_UNIX
b3fb238 
With TSIv3, we can trivially support other socket addresses with
very little additional code. Let's take the opportunity to support
both AF_INET6 and AF_UNIX.

Signed-off-by: Sergio Lopez <[email protected]>
@slp
devices/vsock: make TSI enablement explicit
497905b 
There are scenarios in which we want to have a vsock device for unix
ipc to port mapping, but we don't want to use TSI. Make TSI enablement
explicit.

Signed-off-by: Sergio Lopez <[email protected]>
@slp
devices/vsock: always reply to TSI control messages
36cccac 
For TSI control messages that require an answer (connect, listen,
accept and getname), reply with an error message even if the proxy
is not present.

Until now, under normal circumstances, we should never receive one of
those requests without a proxy, but in the next commit we're going to
start rejecting the creation of proxies under certain circumstances, so
we need to do this first.

Signed-off-by: Sergio Lopez <[email protected]>
@slp
devices/vsock: selectively enable AF_UNIX in TSI
a12ef26 
AF_UNIX transparency is only supported when running in a containerized
environment. We detect such case by checking we only have a single
virtio-fs device, and that device is pointing to "/", which is the
scenario when running under podman+crun.

In libkrun 2.x, the whole network configuration, including the TSI
features, should be exposed to the users explicitly.

Signed-off-by: Sergio Lopez <[email protected]>
@slp
devices/vsock: refactor TcpProxy as TsiStreamProxy
4222ac0 
Since TcpProxy now supports more than TCP, let's refactor it as
TsiStreamProxy.

Signed-off-by: Sergio Lopez <[email protected]>
@slp
devices/vsock: refactor UdpProxy as TsiDgramProxy
515965b 
Since UdpProxy now supports more than UDP, let's refactor it as
TsiDgramProxy.

Signed-off-by: Sergio Lopez <[email protected]>
slp added 2 commits October 9, 2025 11:52
@slp
devices/vsock: remove log message duplicities
629c1ff 
Since env_logger already indicates the module emitting the message,
avoid putting it manually in the message string.

Signed-off-by: Sergio Lopez <[email protected]>
@slp
libkrun: bump libkrunfw to 5.x.x
0cdd073 
TSIv3 is an ABI breaking change, so it's provided by a different
major version of libkrunfw.

Signed-off-by: Sergio Lopez <[email protected]>
@slp
Copy link
Collaborator Author

slp commented Oct 10, 2025

@mtjhrc do you need more changes in this PR?

@mtjhrc
Copy link
Collaborator

mtjhrc commented Oct 10, 2025

Code LGTM!
I wanted to test it / play around with it a bit (like you asked), before approving it. I should get to it later today.

I am also wondering what happens to anonymous namespace unix domain sockets. Does the kernel side attempt to hijack them into TSI too?

@mtjhrc mtjhrc mentioned this pull request Oct 15, 2025
Open
mtjhrc
mtjhrc requested changes Oct 15, 2025
View reviewed changes
Copy link
Collaborator

@mtjhrc mtjhrc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am also wondering what happens to anonymous namespace unix domain sockets. Does the kernel side attempt to hijack them into TSI too?

I have managed to test this, yes they are hijacked too, forwarding them works correctly (works with podman --network host).

Regarding the PR, there is an issue when resolving paths of unix domain sockets (even within the guest) see containers/libkrunfw#103

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mtjhrc mtjhrc mtjhrc requested changes

@jakecorrenti jakecorrenti Awaiting requested review from jakecorrenti jakecorrenti is a code owner

@MatiasVara MatiasVara Awaiting requested review from MatiasVara MatiasVara is a code owner

@tylerfanelli tylerfanelli Awaiting requested review from tylerfanelli tylerfanelli is a code owner

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@slp @mtjhrc