socketforward: add bidirectional UDS forwarding #151
akerouanton wants to merge 1 commit into containerd:main from
Conversation
Force-pushed dc85824 to 1d06b44
Pull request overview
This PR introduces a new “socketforward” subsystem to relay UNIX domain socket connections across the VM boundary via vsock streams, coordinated between the host shim and a vminitd-side ttrpc service.
Changes:
- Add a new `SocketForward` ttrpc service (`Connect` + server-streaming `Listen`) and VM-side forwarding implementation.
- Add shim-side OCI-annotation parsing, bind-mount wiring, and runtime forwarding loops for both directions.
- Plumb socket-forward configuration into vminitd via plugin properties and add documentation.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 10 comments.
| File | Description |
|---|---|
| plugins/vminit/socketforward/plugin.go | Registers the VM-side socketforward ttrpc plugin and wires it to shutdown/task/streaming dependencies. |
| plugins/types.go | Adds a new plugin property key for passing socket-forward configuration into vminitd. |
| internal/vminit/task/service.go | Exposes container init PID lookup used for mount-namespace dialing. |
| internal/vminit/socketforward/socketforward.go | Implements VM-side socket forwarding service, listeners, and relaying over vsock streams. |
| internal/shim/task/socketforward.go | Implements shim-side annotation parsing, init arg generation, and host-side forwarding loops. |
| internal/shim/task/service.go | Integrates socket forwarding lifecycle into container creation/shutdown logic. |
| cmd/vminitd/socket_forward.go | Adds -socket-forward flag parsing and entry types for vminitd. |
| cmd/vminitd/main.go | Plumbs socket-forward entries into plugin properties and registers the new vminit plugin. |
| docs/socket-forwarding.md | Documents how to configure and use socket forwarding. |
| api/proto/nerdbox/services/socketforward/v1/socketforward.proto | Defines the SocketForward service and ConnectRequest message. |
| api/services/socketforward/v1/* | Adds generated protobuf + ttrpc code and package docs for the new API. |
| api/next.txtpb | Updates API descriptor snapshot to include the new socketforward service. |
Force-pushed 1d06b44 to 454f36b
Force-pushed 454f36b to 46baba4
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 5 comments.
```go
	for _, e := range entries {
		svc.containerPaths[e.ID] = e.ContainerPath

		// Start listener sockets for container-to-host entries.
		if e.Direction == "container-to-host" {
			if err := svc.bind(ctx, e.ID, e.ContainerPath); err != nil {
				return nil, fmt.Errorf("binding socket forward listener at %s: %w", e.ContainerPath, err)
			}
		}
	}
```
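Review bot: the loop only recognises the literal "container-to-host" direction; any other value, including a typo, silently falls through and is treated as host-to-container, because `svc.containerPaths[e.ID] = e.ContainerPath` is recorded before the check regardless of direction. Validate `e.Direction` against the two known values (or switch on a typed constant) and return an error for anything else, next to the duplicate-ID check. It is also worth confirming that a `bind` failure mid-loop releases the listeners already bound for earlier entries, since the early `return nil, fmt.Errorf(...)` here does not do that itself.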
Duplicate forward IDs in entries will silently overwrite containerPaths[e.ID], potentially binding one path but later resolving a different one for Connect. It’d be safer to detect duplicates here and return a clear error that includes the conflicting ID (and ideally both paths).
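As an added example (not code from this PR or from nerdbox), here is a parser for the `<direction>:<id>:<container_path>` form that fails closed on the duplicate-ID case raised above, naming the ID and both conflicting paths, and that also rejects unknown directions and relative paths. The `Entry` type, the `directions` table and `ParseSocketForwards` are this example's own names; the requirement that IDs contain no `/` is an assumption made here because the VM side derives listener paths from forward identifiers. The input values are constructed for the example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Entry is one forward in the <direction>:<id>:<container_path> form the
// -socket-forward flag takes. Names in this file are the example's own.
type Entry struct{ Direction, ID, ContainerPath string }

var directions = map[string]bool{"host-to-container": true, "container-to-host": true}

// ParseSocketForwards validates each value and rejects duplicate IDs with an
// error naming the ID and both paths. SplitN with a limit of 3 keeps any ':'
// in the path, which is a legal UNIX path character, from being split on.
func ParseSocketForwards(values []string) ([]Entry, error) {
	seen := make(map[string]Entry, len(values))
	entries := make([]Entry, 0, len(values))
	for _, v := range values {
		p := strings.SplitN(v, ":", 3)
		if len(p) != 3 {
			return nil, fmt.Errorf("socket forward %q: want <direction>:<id>:<container_path>", v)
		}
		e := Entry{Direction: p[0], ID: p[1], ContainerPath: p[2]}
		if !directions[e.Direction] {
			return nil, fmt.Errorf("socket forward %q: unknown direction %q", v, e.Direction)
		}
		// Assumption: IDs may end up in VM-side socket paths, so keep them path-safe.
		if e.ID == "" || strings.Contains(e.ID, "/") {
			return nil, fmt.Errorf("socket forward %q: invalid id %q", v, e.ID)
		}
		if !filepath.IsAbs(e.ContainerPath) {
			return nil, fmt.Errorf("socket forward %q: container path must be absolute", v)
		}
		if prev, dup := seen[e.ID]; dup {
			return nil, fmt.Errorf("duplicate socket forward id %q: %s and %s", e.ID, prev.ContainerPath, e.ContainerPath)
		}
		seen[e.ID] = e
		entries = append(entries, e)
	}
	return entries, nil
}

func main() {
	// Constructed flag values; the second path deliberately contains a ':'.
	es, err := ParseSocketForwards([]string{
		"container-to-host:docker:/var/run/docker.sock",
		"host-to-container:db:/run/pg:5432.sock",
	})
	fmt.Println(es, err)
	_, err = ParseSocketForwards([]string{"host-to-container:x:/a.sock", "container-to-host:x:/b.sock"})
	fmt.Println(err)
}
```

Returning an error instead of overwriting means a misconfigured container fails to start rather than running with one forward silently pointed at the wrong socket.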
cmd/vminitd/main.go (outdated)
```go
	flag.IntVar(&config.VSockContextID, "vsock-cid", 0, "vsock context ID for vsock listen")
	flag.Var(&config.Networks, "network", "network interfaces to set up")
	flag.BoolVar(&config.DumpInfo, "dump-info", false, "dump information about the system")
	flag.Var(&config.SocketForwards, "socket-forward", "socket forwards: <direction>:<id>:<container_path>")
```
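Review bot: the usage string advertises `<direction>:<id>:<container_path>`, but ':' is a legal character in a UNIX path, so a plain split on ':' would mangle any path containing one. Make sure the `config.SocketForwards` parser splits at most twice (`strings.SplitN(v, ":", 3)`) so the remainder is taken verbatim as the path, and state that in the help text.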
Can you either add this to the socketforward service or the bundle service. This is container specific and should not be in the init args.
Introduce the SocketForward ttrpc service that relays UNIX domain socket connections between host and container over vsock streams. The host side (shim) parses OCI annotations to configure forwards, while the VM side (vminitd) resolves paths from its own configuration using forward identifiers.

For host-to-container connections, the VM enters the target container's mount namespace via setns to dial the socket. For container-to-host connections, vminitd creates listener sockets at VM-global paths with bind mounts into the container, and streams connection notifications to the host via the Listen RPC.

Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
Force-pushed 46baba4 to 80e1b13
Summary
- `SocketForward` ttrpc service with `Connect` (host-to-container) and `Listen` (container-to-host) RPCs for relaying UNIX domain socket connections over vsock streams
- Forwards are configured through OCI annotations (`io.containerd.nerdbox.socketforward.<id>`) and passed to vminitd as init args; each side resolves socket paths from its own configuration using forward identifiers
- For host-to-container connections, the VM enters the target container's mount namespace via `setns` to dial the socket
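The host-to-container path described above, as an added example that is not the PR's or nerdbox's own code: one `Connect` is modelled end to end with a second UNIX socket standing in for the vsock stream, and without `setns`, since the stand-in workload lives in the same mount namespace as the relay. `Relay`, `serve` and `ForwardOnce` are this example's names, and the workload that upper-cases its input is constructed for the test. The point it demonstrates is half-close propagation: when the host finishes sending, the relay must `CloseWrite` the container-side connection so the workload sees EOF, while the reply still flows back the other way.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
	"sync"
)

// Relay splices a and b in both directions. At EOF on one direction the other
// connection is half-closed (CloseWrite) so its peer sees EOF on read while the
// reverse direction keeps flowing; a full Close here would cut the reply short.
func Relay(a, b net.Conn) {
	var wg sync.WaitGroup
	pump := func(dst, src net.Conn) {
		defer wg.Done()
		io.Copy(dst, src)
		if cw, ok := dst.(interface{ CloseWrite() error }); ok {
			cw.CloseWrite()
		} else {
			dst.Close()
		}
	}
	wg.Add(2)
	go pump(a, b)
	go pump(b, a)
	wg.Wait()
}

// serve listens on a UDS path and runs handle on the first accepted connection.
func serve(path string, handle func(net.Conn)) (net.Listener, error) {
	l, err := net.Listen("unix", path)
	if err != nil {
		return nil, err
	}
	go func() {
		if c, err := l.Accept(); err == nil {
			defer c.Close()
			handle(c)
		}
	}()
	return l, nil
}

// ForwardOnce models one host-to-container Connect: a workload listens on a UDS
// "inside the container", the VM side accepts a stream and splices it to that
// socket, and the host writes payload, half-closes and reads the reply. A second
// UDS stands in for the vsock stream; the real VM side dials after setns.
func ForwardOnce(payload []byte) ([]byte, error) {
	dir, err := os.MkdirTemp("", "sf")
	if err != nil {
		return nil, err
	}
	defer os.RemoveAll(dir)
	containerSock := filepath.Join(dir, "app.sock")
	streamSock := filepath.Join(dir, "vsock.sock")

	// Workload in the container: upper-case the whole request, then hang up.
	app, err := serve(containerSock, func(c net.Conn) {
		req, _ := io.ReadAll(c)
		c.Write(bytes.ToUpper(req))
	})
	if err != nil {
		return nil, err
	}
	defer app.Close()

	// VM side (Connect handler stand-in): dial the container socket and splice.
	vm, err := serve(streamSock, func(stream net.Conn) {
		if target, err := net.Dial("unix", containerSock); err == nil {
			defer target.Close()
			Relay(stream, target)
		}
	})
	if err != nil {
		return nil, err
	}
	defer vm.Close()

	// Host side (shim): dial the stream, send, half-close, read the reply.
	host, err := net.Dial("unix", streamSock)
	if err != nil {
		return nil, err
	}
	defer host.Close()
	if _, err := host.Write(payload); err != nil {
		return nil, err
	}
	host.(*net.UnixConn).CloseWrite()
	return io.ReadAll(host)
}

func main() {
	reply, err := ForwardOnce([]byte("hello over vsock"))
	fmt.Printf("%q %v\n", reply, err)
}
```

The `CloseWrite` check in `Relay` matters for the real transport too: if the vsock stream type on either side does not support half-close, the relay falls back to a full `Close`, and a request/response exchange that relies on EOF to delimit the request will lose its reply.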