
Running gvisor-tap-vsock with dgram socket for Apple Virtualization

Open balajiv113 opened this issue 3 years ago • 5 comments

Hi

I am trying to use gvisor-tap-vsock with a VM started by the Apple Virtualization API. I was able to get the network up and running.

Working example code https://github.com/mac-vz/vz/tree/gvisor

How is it integrated now?

  • Apple Virtualization API provides support for raw packet handling via dgram socket (https://developer.apple.com/documentation/virtualization/vzfilehandlenetworkdeviceattachment?language=objc)
  • The above example creates a dgram server socket and a client socket
  • The client dgram socket is passed to the Apple Virtualization API
  • The server dgram socket is wrapped in a UDPConn in gvisor
  • bessProtocol is used for the non-streaming mode of read and write

But I noticed a couple of issues, like:

  • During SSH (ssh [email protected] -p 2223) I am getting "Bad packet length" and "Connection corrupted"
  • HTTPS calls were failing with "sslv3 alert bad record mac"

I feel the way I create the dgram socket / wrap it in a UDPConn is the cause of these issues. Any help here would be appreciated a lot.

I am happy to even provide a PR for official support after fixing the issues :-)

Thanks in advance.

balajiv113, Apr 30 '22 08:04
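An added example, not code from this thread or from the linked repositories: the datagram arrangement the post above describes, reduced to a connected AF_UNIX SOCK_DGRAM pair wrapped with net.FileConn, where each write carries exactly one Ethernet frame and no length prefix. It shows one property worth checking in such a setup: a read buffer smaller than the frame silently truncates it. The names dgramPair and deliver and the sample frame are hypothetical.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// dgramPair returns two connected AF_UNIX SOCK_DGRAM sockets wrapped as net.Conn.
func dgramPair() (a, b net.Conn, err error) {
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_DGRAM, 0)
	if err != nil {
		return nil, nil, err
	}
	fa, fb := os.NewFile(uintptr(fds[0]), "vm"), os.NewFile(uintptr(fds[1]), "host")
	defer fa.Close() // FileConn dups the descriptor, so the originals can be closed
	defer fb.Close()
	if a, err = net.FileConn(fa); err != nil {
		return nil, nil, err
	}
	if b, err = net.FileConn(fb); err != nil {
		a.Close()
	}
	return a, b, err
}

// deliver sends frame as one datagram and reads it back with a bufSize buffer.
func deliver(frame []byte, bufSize int) ([]byte, error) {
	vm, host, err := dgramPair()
	if err != nil {
		return nil, err
	}
	defer vm.Close()
	defer host.Close()
	if _, err := vm.Write(frame); err != nil {
		return nil, err
	}
	buf := make([]byte, bufSize)
	n, err := host.Read(buf) // a short buffer truncates the datagram; the rest is dropped
	return buf[:n], err
}

func main() {
	frame := make([]byte, 1514) // constructed full-MTU Ethernet frame (all zeros)
	for _, size := range []int{2048, 1024} {
		got, err := deliver(frame, size)
		fmt.Println(size, len(got), err)
	}
}
```

The truncated read returns no error, so the receiving side has to size its buffer for the largest frame the sender can emit.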

We are successfully using gvisor-tap-vsock+Code-Hex/vz in crc. However, we are not making use of https://developer.apple.com/documentation/virtualization/vzfilehandlenetworkdeviceattachment?language=obj , the main reason for that being that I only noticed it after having implemented differently, and I haven't had time to revisit this yet.

How this works in crc is that we run https://github.com/containers/gvisor-tap-vsock/tree/main/cmd/vm in the VM. This creates a TAP network device to capture all the VM network traffic, and then forwards it to the host over virtio vsock. On the host, the data comes over a unix socket which is then used by gvisor-tap-vsock.

cfergeau, May 06 '22 10:05

Ah nice. I missed the option of creating a tap and forwarding via vsock. Will give this model a try as well.

balajiv113, May 06 '22 15:05

Yeah, it's definitely a different model. It should be possible to get gvisor-tap-vsock to work with https://developer.apple.com/documentation/virtualization/vzfilehandlenetworkdeviceattachment?language=objc without making any changes to the VM image itself.

cfergeau, May 06 '22 15:05

Thanks a lot for the reference. I was able to get the network up and was able to do ssh from the host as well. But whenever I do

sudo apt-get update

gvisor gets terminated with the following error:

r.CreateEndpoint() = connection was refused
cannot receive packets from , disconnecting: cannot read size from socket: EOF 
cannot read size from socket: EOF 

balajiv113, May 07 '22 06:05

Looks like this issue got resolved with the latest gvisor, and it is working well via the vz network attachment. The iperf3 report looks solid as well (similar to the current one). https://github.com/containers/gvisor-tap-vsock/compare/main...balajiv113:gvisor-tap-vsock:main

I am happy to raise a PR for the same as well. PS: I referred to and incorporated the changes done in the current gvisor upgrade PR.

balajiv113, Jul 24 '22 14:07

This issue is fixed as part of #135

balajiv113, Aug 22 '22 14:08