socketforward: add UDS forwarding#151
Draft
akerouanton wants to merge 1 commit intocontainerd:mainfrom
Draft
Conversation
akerouanton
changed the title
akerouanton
force-pushed
the
uds-bind-mounting
branch
from
dc85824 to
1d06b44
Compare
There was a problem hiding this comment.
Pull request overview
This PR introduces a new “socketforward” subsystem to relay UNIX domain socket connections across the VM boundary via vsock streams, coordinated between the host shim and a vminitd-side ttrpc service.
Changes:
- Add a new
SocketForwardttrpc service (Connect+ server-streamingListen) and VM-side forwarding implementation. - Add shim-side OCI-annotation parsing, bind-mount wiring, and runtime forwarding loops for both directions.
- Plumb socket-forward configuration into vminitd via plugin properties and add documentation.
Reviewed changes
Copilot reviewed 15 out of 15 changed files in this pull request and generated 10 comments.
Show a summary per file
| File | Description |
|---|---|
| plugins/vminit/socketforward/plugin.go | Registers the VM-side socketforward ttrpc plugin and wires it to shutdown/task/streaming dependencies. |
| plugins/types.go | Adds a new plugin property key for passing socket-forward configuration into vminitd. |
| internal/vminit/task/service.go | Exposes container init PID lookup used for mount-namespace dialing. |
| internal/vminit/socketforward/socketforward.go | Implements VM-side socket forwarding service, listeners, and relaying over vsock streams. |
| internal/shim/task/socketforward.go | Implements shim-side annotation parsing, init arg generation, and host-side forwarding loops. |
| internal/shim/task/service.go | Integrates socket forwarding lifecycle into container creation/shutdown logic. |
| cmd/vminitd/socket_forward.go | Adds -socket-forward flag parsing and entry types for vminitd. |
| cmd/vminitd/main.go | Plumbs socket-forward entries into plugin properties and registers the new vminit plugin. |
| docs/socket-forwarding.md | Documents how to configure and use socket forwarding. |
| api/proto/nerdbox/services/socketforward/v1/socketforward.proto | Defines the SocketForward service and ConnectRequest message. |
| api/services/socketforward/v1/* | Adds generated protobuf + ttrpc code and package docs for the new API. |
| api/next.txtpb | Updates API descriptor snapshot to include the new socketforward service. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
akerouanton
force-pushed
the
uds-bind-mounting
branch
from
1d06b44 to
454f36b
Compare
akerouanton
added a commit
that referenced
this pull request
Apr 8, 2026
akerouanton
force-pushed
the
uds-bind-mounting
branch
from
454f36b to
46baba4
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 15 out of 15 changed files in this pull request and generated 5 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
dmcgowan
reviewed
Apr 8, 2026
akerouanton
force-pushed
the
uds-bind-mounting
branch
2 times, most recently
from
80e1b13 to
9343696
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 13 out of 13 changed files in this pull request and generated 9 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+166
to
+167
| This is the most common pattern. Container stdio and host-to-container | ||
| socket forwarding (`Connect` RPC) both use it. |
There was a problem hiding this comment.
This section references host-to-container socket forwarding via a Connect RPC, but the socketforward service/proto in this PR only defines Bind + Accept (and the shim/VM implementation shown is container-to-host). Update this doc to match the implemented RPCs/patterns, or add the missing Connect RPC implementation if that’s the intended design.
Suggested change
| This is the most common pattern. Container stdio and host-to-container | |
| socket forwarding (`Connect` RPC) both use it. | |
| This is the most common pattern. Container stdio uses it. |
Introduce the SocketForward ttrpc service that relays UNIX domain socket connections between host and container over vsock streams. The host side (shim) parses OCI annotations to configure forwards, while the VM side (vminitd) resolves paths from its own configuration using forward identifiers. For host-to-container connections, the VM enters the target container's mount namespace via setns to dial the socket. For container-to-host connections, vminitd creates listener sockets at VM-global paths with bind mounts into the container, and streams connection notifications to the host via the Listen RPC. Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>
akerouanton
force-pushed
the
uds-bind-mounting
branch
from
9343696 to
38dd6a6
Compare
akerouanton
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds UDS socket forwarding: vminitd relays connections from inside the container to the corresponding host-side socket, enabling UDS sockets to be bind-mounted across the VM boundary.
Container-side sockets are declared as OCI mounts with
type=uds:source: path of the target UNIX socket on the hostdestination: path where the socket should appear inside the containerThe shim rewrites each
udsmount to an ordinary bind mount before passing the spec to runc. The bind mount source is a VM-internal listener socket at/run/socketfwd/{forward_id}.sock; vminitd creates that socket via theBindRPC before container creation so runc can complete the bind mount.When a container process connects to the forwarded socket, vminitd notifies the shim via the
Acceptstreaming RPC. The shim resolves theforward_idto a host-side path from its own configuration (never trusting a path from the VM), dials the host socket, opens a vsock stream, and relays data bidirectionally.The
forward_idis derived fromSHA256(container_id + ":" + destination)so that the same socket mount on two containers within the same VM gets a distinct identifier.