nitro: Preliminary networking support with passt, remove cached EIF #491
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Add an optional boolean argument to enable networking with passt. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
In order to re-use the existing APIs, copy the network builder from the VM resources into the object used for building nitro enclaves. Before copying the Net object over, ensure it is a UNIX stream socket, as nitro enclaves will require stream sockets for networking. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Instead of defining VMADDR_CID_PARENT and connecting to the heartbeat vsock through that value, connect to the host directly with VMADDR_CID_HOST within the enclave. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
tylerfanelli
requested review from
MatiasVara,
jakecorrenti,
mtjhrc and
slp
as code owners
tylerfanelli
force-pushed
the
nitro-net
branch
from
c9fc43e to
fafd987
Compare
tylerfanelli
changed the title
tylerfanelli
force-pushed
the
nitro-net
branch
from
fafd987 to
41671b7
Compare
The only usable communication interface within enclaves is vsock. As such, networking "within" an enclave will rely on the host providing a networking proxy with traffic forwarded to/from a vsock communciation with the enclave. Initialize a TAP device within the enclave and facilitate TAP/passt communication via vsock. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
Due to the large size of EIF files, it is untenable to cache it (even compressed) within the nitro/src directory. Instead, cache the file on the system and specify the path of it with the KRUN_NITRO_EIF_PATH environment variable. If this environment variable is not specified, default to /usr/share/krun-nitro.eif as the location of the cached EIF file. Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
tylerfanelli
force-pushed
the
nitro-net
branch
from
41671b7 to
c8c8cf9
Compare
Member
Author
|
@jakecorrenti This offers the preliminary support for you to rebase on top of. I'll revisit with a second patch series removing the unwraps and adding general cleanups after your PR is merged. The next changes will include both the application output and networking. If you approve, we can merge this series, rebase yours on top, and merge that as well. |
jakecorrenti
previously approved these changes
Dec 19, 2025
Member
jakecorrenti
left a comment
jakecorrenti
left a comment
There was a problem hiding this comment.
I stopped giving comments mid-way through after our meeting, but I didn't see anything in particular that would block from merging as long as we go back in with another PR like you said.
| ffi::{CString, OsStr}, | ||
| fs, | ||
| io::{self, ErrorKind, Read, Write}, | ||
| io::{self, Read, Write}, |
Member
There was a problem hiding this comment.
In a separate PR we should probably add a Clippy CI check for the nitro feature so that we can catch these things at review.
Comment on lines
+395
to
+402
| match device.lock().unwrap().backend() { | ||
| VirtioNetBackend::UnixstreamFd(_) | VirtioNetBackend::UnixstreamPath(_) => { | ||
| } | ||
| _ => { | ||
| error!("configured virtio-net backend must be unix stream"); | ||
| return Err(-libc::EINVAL); | ||
| } | ||
| }; |
Member
There was a problem hiding this comment.
Might look a little cleaner, but up to you :)
if !matches!(
device.lock().unwrap().backend(),
VirtioNetBackend::UnixstreamFd(_) | VirtioNetBackend::UnixstreamPath(_)
) {
error!("configured virtio-net backend must be unix stream");
return Err(-libc::EINVAL);
}
src/nitro/src/enclaves.rs
Outdated
| self.write_exec(&mut stream)?; | ||
|
|
||
| Ok(cid) | ||
| match fork::fork().unwrap() { |
Member
There was a problem hiding this comment.
Why do we need a new crate to do this? Can't we just use libc::fork()?
Signed-off-by: Tyler Fanelli <tfanelli@redhat.com>
jakecorrenti
approved these changes
Dec 19, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.