Comments (4)
Is this about the connection between auraed on the host system and auraed on the guest (MicroVM)?
There are two options:
- ethernet connection
- socket connection
With firecracker, an ethernet connection is probably the default connection between the host and a MicroVM. It was also the only option in the beginning, when AWS open sourced firecracker. For an ethernet connection, you need a tap device on a host. Via the Firecracker API this tap device will be connected to a virtio-net device, which is attached to the MicroVM. This virtio-net device will appear as a NIC in the VM.
A socket connection between host and MicroVM was added later on to firecracker. Probably it's not used by AWS in production. This works with virtio-vsock and provides a socket connection where one end resides on the host and the other end is within the VM. There are security concerns regarding this type of connection. I am no expert and I cannot explain what the problem or possible attack vector is. I just wouldn't use it.
So, I would vote for using an ethernet connection between the host and the VM. To connect to the nested auraed we can use IPv6 link-local addressing (fe80:: addresses). Those addresses will not be routed and therefore a connection can only be established locally. We can decide on well-known link local addresses to be assigned to auraed and nested auraed (e.g. fe80::1/64) or use stateless autoconfiguration and monitor the IPv6 neighbor discovery packets to find the addresses.
from aurae.
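The proposal above (fixed link-local address or SLAAC plus neighbor-discovery monitoring, and accepting only fe80::/10 peers) as an added example; this is not code from the aurae project. It assumes a constructed guest MAC and hand-built ICMPv6 Neighbor Advertisements, and it only parses packets rather than capturing them.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
ND_NEIGHBOR_ADVERTISEMENT = 136  # ICMPv6 type

def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Link-local address a guest NIC autoconfigures from its MAC (SLAAC,
    modified EUI-64: flip the universal/local bit, insert ff:fe)."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC must have six octets")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)

def is_link_local(addr: str) -> bool:
    """True only for fe80::/10. Such addresses are never routed, so a peer
    in this range can only be reached over the directly attached TAP."""
    try:
        return ipaddress.IPv6Address(addr) in LINK_LOCAL
    except ValueError:
        return False

def neighbor_advertisement_target(icmpv6: bytes):
    """Target address of an ICMPv6 Neighbor Advertisement, or None for any
    other type or for a packet shorter than the fixed 24-byte header."""
    if len(icmpv6) < 24 or icmpv6[0] != ND_NEIGHBOR_ADVERTISEMENT:
        return None
    return ipaddress.IPv6Address(icmpv6[8:24])

def discover_nested_auraed(icmpv6_packets):
    """Addresses learned from ND traffic on the TAP, keeping only link-local
    targets so a routed address is never picked as the nested auraed."""
    found = []
    for pkt in icmpv6_packets:
        target = neighbor_advertisement_target(pkt)
        if target is not None and target in LINK_LOCAL and target not in found:
            found.append(target)
    return found

def build_na(target: str, flags: int = 0x60000000) -> bytes:
    """Constructed NA: type, code, zero checksum, S+O flags, target address."""
    header = struct.pack("!BBHI", ND_NEIGHBOR_ADVERTISEMENT, 0, 0, flags)
    return header + ipaddress.IPv6Address(target).packed

if __name__ == "__main__":
    guest_mac = "02:fc:00:00:00:01"  # constructed guest NIC MAC
    print(eui64_link_local(guest_mac))  # fe80::fc:ff:fe00:1
    sample = [build_na("fe80::fc:ff:fe00:1"), build_na("2001:db8::5"), b"\x80\x00"]
    print(discover_nested_auraed(sample))  # [IPv6Address('fe80::fc:ff:fe00:1')]
```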
See also #433 (comment)
When you have a DPU that is controlling the host system, you will definitely have an Ethernet connection between the DPU and the host system. Some DPUs also provide an additional proprietary communication channel for control plane communication. But the common thing you will always have is Ethernet connections.
From a security perspective I think Ethernet connections are fine. Lots of people invest lots of time to harden the Linux kernel's Ethernet stack.
In my experiments with cloud hypervisor I have also been using the TAP/virtio approach over IPv6 link-local.
Cloud-hypervisor has support for vhost-net as well (FC doesn't), so that is something we could look at as well: https://github.com/cloud-hypervisor/cloud-hypervisor/blob/main/docs/device_model.md#vhost-user-net