
Allow enclave-host communication via a UDS created in the host #1332

Open
jxyang opened this issue May 19, 2022 · 3 comments
Labels: area/kernel (Area: Kernel), severity/moderate (Severity: Moderate), status/triaged (Status: Triaged)

Comments

@jxyang (Contributor) commented May 19, 2022

The current Unix Domain Socket (UDS), a.k.a. AF_LOCAL, allows communication inside the enclave only. Kubernetes allows a UDS created by a daemon to be mapped into a pod and communicate with containers inside it. The path to the UDS is specified in the job description yaml file.

We should further map the UDS path into the enclave so the enclave application could communicate with, e.g., write logs to, the outside world. We can minimize the security implications by whitelisting the UDS path in config.json.

@vtikoo (Collaborator) commented May 19, 2022

Is the socket created on the host? UDS as implemented allows IPC only between processes within Mystikos.

@jxyang (Contributor, Author) commented May 19, 2022

> Is the socket created on the host? UDS as implemented allows IPC only between processes within Mystikos.

Yes. UDS in this case is created by a Kubernetes daemon.

@mikbras (Contributor) commented May 23, 2022

Maybe we can write down some assumptions about the use case.

  • is the Mystikos app a client or a server?
  • if the Mystikos app is a server does it attempt to create a UDS path with mknod or with bind?
  • if the Mystikos app does a mknod(), then this feature will be used in conjunction with mounting of hostfs.

@paulcallen paulcallen added status/triaged Status: Triaged area/kernel Area: Kernel severity/moderate Severity: Moderate labels Jun 13, 2022