
Allow enclave-host communication via a UDS created in the host

Open jxyang opened this issue 2 years ago • 3 comments

The current Unix Domain Socket (UDS), a.k.a. AF_LOCAL, allows communication inside the enclave only. Kubernetes allows a UDS created by a daemon to be mapped into a pod and communicate with containers inside it. The path to the UDS is specified in the job description yaml file.

We should further map the UDS path into the enclave so the enclave application could communicate with, e.g., write logs to, the outside world. We can minimize the security implications by whitelisting the UDS path in config.json.

jxyang avatar May 19 '22 22:05 jxyang

Is the socket created on the host? UDS as implemented allows IPC only between processes within Mystikos.

vtikoo avatar May 19 '22 22:05 vtikoo

Is the socket created on the host? UDS as implemented allows IPC only between processes within Mystikos.

Yes. UDS in this case is created by a Kubernetes daemon.

jxyang avatar May 19 '22 23:05 jxyang

Maybe we can write down some assumptions about the use case.

  • is the Mystikos app a client or a server?
  • if the Mystikos app is a server, does it attempt to create a UDS path with mknod or with bind?
  • if the Mystikos app does a mknod(), then this feature will be used in conjunction with mounting of hostfs.

mikbras avatar May 23 '22 20:05 mikbras