Extend the "Networking" section with the current state of the networking
support in libkrun, including the TSI limitations.
Signed-off-by: Sergio Lopez <[email protected]>
README.md: 22 additions & 3 deletions
@@ -58,11 +58,30 @@ Each variant generates a dynamic library with a different name (and ```soname```
58
58
59
59
## Networking
60
60
61
-
In ```libkrun```, networking is provided by two different, mutually exclusive techniques:
61
+
In ```libkrun```, networking is provided by two different, mutually exclusive techniques:**virtio-vsock + TSI** and **virtio-net + passt/gvproxy**.
62
62
63
-
-**virtio-vsock + TSI**: A novel technique called **Transparent Socket Impersonation** which allows the VM to have network connectivity without a virtual interface. This technique supports both outgoing and incoming connections. It's possible for userspace applications running in the VM to transparently connect to endpoints outside the VM and receive connections from the outside to ports listening inside the VM. Requires a custom kernel (like the one bundled in **libkrunfw**) and it's limited to AF_INET SOCK_DGRAM and SOCK_STREAM sockets.
63
+
### virtio-vsock + TSI
64
64
65
-
-**virtio-net + passt/gvproxy**: A conventional virtual interface that allows the guest to communicate with the outside through the VMM using a supporting application like [passt](https://passt.top/passt/about/) or [gvproxy](https://github.com/containers/gvisor-tap-vsock).
65
+
This is a novel technique called **Transparent Socket Impersonation** which allows the VM to have network connectivity without a virtual interface. This technique supports both outgoing and incoming connections. It's possible for userspace applications running in the VM to transparently connect to endpoints outside the VM and receive connections from the outside to ports listening inside the VM.
66
+
67
+
#### Enabling TSI
68
+
69
+
TSI for AF_INET and AF_INET6 is automatically enabled when no network interface is added to the VM. TSI for AF_UNIX is enabled when, in addition to the previous condition, `krun_set_root` has been used to set `/` as root filesystem.
70
+
71
+
#### Known limitations
72
+
73
+
- Requires a custom kernel (like the one bundled in **libkrunfw**).
74
+
- It's limited to SOCK_DGRAM and SOCK_STREAM sockets and AF_INET, AF_INET6 and AF_UNIX address families (for instance, raw sockets aren't supported).
75
+
- Listening on SOCK_DGRAM sockets from the guest is not supported.
76
+
- When TSI is enabled for AF_UNIX sockets, only absolute path are supported as addresses.
77
+
78
+
### **virtio-net + passt/gvproxy**
79
+
80
+
A conventional virtual interface that allows the guest to communicate with the outside through the VMM using a supporting application like [passt](https://passt.top/passt/about/) or [gvproxy](https://github.com/containers/gvisor-tap-vsock).
81
+
82
+
#### Enabling virtio-net
83
+
84
+
Use `krun_add_net_unixstream` and/or `krun_add_net_unixdgram` to add a virtio-net interface connected to the userspace network proxy.
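Review bot: the new "Enabling virtio-net" paragraph (last `+` line of the hunk) should say which of `krun_add_net_unixstream` and `krun_add_net_unixdgram` pairs with passt and which with gvproxy, and should state explicitly that adding either interface switches TSI off, since the earlier "Enabling TSI" line only makes TSI conditional on no interface being added and readers are left to infer both. Two smaller fixes in the same hunk: the rewritten intro line is missing a space after the colon (`techniques:**virtio-vsock + TSI**`), and the AF_UNIX limitation should read "only absolute paths are supported". The `### **virtio-net + passt/gvproxy**` heading also bolds its text while `### virtio-vsock + TSI` does not; drop the bold for consistency.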