feat: vsock support with CID allocation and UDS validation #8
Open
jasonhernandez wants to merge 2 commits into aljoscha:main from
This was referenced Apr 14, 2026
Add vsock device support across both Firecracker (Linux) and AVF (macOS) backends, enabling structured host↔guest communication over a Unix domain socket instead of SSH polling.

CLI: `ember vm create myvm --image base --vsock`
YAML config: `vsock: true`
UDS created at: `<state_dir>/vms/<name>/vsock.sock`

Linux (Firecracker):
- New `PUT /vsock` API call with guest CID and UDS path
- Firecracker natively creates the UDS and bridges to guest AF_VSOCK

macOS (AVF):
- VZVirtioSocketDeviceConfiguration added to VM config
- ember-vz implements a UDS bridge: accepts host connections on the UDS and proxies them to guest vsock port 1024, and accepts guest-initiated connections on port 1024 and bridges them back to the UDS

Both platforms expose the same UDS interface — Thermite's code path is identical regardless of the underlying hypervisor.

Co-Authored-By: Claude <noreply@anthropic.com>

Replace hardcoded guest_cid=3 with a proper CID allocator that assigns unique CIDs per VM, persisted in vsock/cids.json. Uses the new StateStore::update() method for atomic read-modify-write under exclusive flock, preventing TOCTOU races between concurrent processes. Also validates UDS path length against macOS sun_path limit (104 bytes) before allocating resources, and adds 6 integration tests covering CID uniqueness, reuse, inspect output, and end-to-end UDS connectivity.
2d633f9 to 6b3a556
Summary
Complete virtio-vsock support for host-guest communication, including proper CID allocation.
- `--vsock` flag on `ember vm create` / `ember vm fork` and `vsock: true` YAML config
- `PUT /vsock` API — UDS at `<state_dir>/vms/<name>/vsock.sock`
- `VZVirtioSocketDeviceConfiguration` + ember-vz bidirectional UDS↔vsock bridge
- `vsock/cids.json`, freed on delete, lowest-first reuse. Read-modify-write under exclusive flock (via new `StateStore::update` method) to prevent TOCTOU races between concurrent processes.
- `sun_path` limit (104 bytes) before allocating resources

Both platforms expose the same UDS interface — Thermite sees identical behavior.
Files changed
- `crates/ember-core/src/state/vm.rs`: `VsockInfo` struct, field on `VmMetadata`
- `crates/ember-core/src/state/vsock.rs`: allocate/release, persisted to `vsock/cids.json`
- `crates/ember-core/src/state/store.rs`: `update()` method for atomic read-modify-write under flock
- `crates/ember-core/src/config/vm.rs`: `vsock: Option<bool>` in YAML config
- `crates/ember-core/src/error.rs`: `Vsock` error variant
- `crates/ember-linux/src/firecracker/api.rs`: `Vsock` type + `put_vsock()`
- `crates/ember-linux/src/firecracker/config.rs`
- `crates/ember-linux/src/vm.rs`
- `crates/ember-macos/src/vm.rs`: `--vsock-path` to ember-vz
- `ember-vz/Sources/EmberVZ/Start.swift`
- `src/cli/vm.rs`: `--vsock` flag, CID allocation in create/fork/delete, UDS validation, vsock in inspect
- `tests/vsock.rs`

Test plan
- `cargo test --workspace`) — 9 CID allocator + 3 UDS validation + 17 existing
- `cargo build` clean on macOS, `cargo clippy --workspace` clean, `cargo fmt` clean
- `cargo test --test vsock -- --ignored` on macOS with ember-vz built
- `cargo test --test vsock -- --ignored` on Linux with Firecracker + KVM

Refs: Thermite SEC-254/SEC-257
🤖 Generated with Claude Code
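
The allocation scheme described in this PR (lowest-first CID reuse, read-modify-write under an exclusive flock, and a `sun_path` length check) can be sketched as follows. This is an added example, not code from the PR or from ember: the names `update`, `allocate` and `uds_path_fits` are hypothetical, a `name cid` line file stands in for `vsock/cids.json`, and reserving one byte for the NUL terminator is an assumption.

```rust
// Added example, not ember's code. Assumptions: a "name cid" line file stands in for
// vsock/cids.json; `update`, `allocate` and `uds_path_fits` are hypothetical names.
use std::collections::BTreeMap;
use std::io::{self, Read, Seek, SeekFrom, Write};
use std::{fs::OpenOptions, os::unix::io::AsRawFd, path::Path};

extern "C" {
    fn flock(fd: i32, operation: i32) -> i32; // flock(2) from the libc that std links
}
const LOCK_EX: i32 = 2; // same value on Linux and macOS
const FIRST_GUEST_CID: u32 = 3; // CIDs 0-2 are reserved (hypervisor, local, host)
const SUN_PATH_MAX: usize = 104; // macOS sun_path size, the limit the PR names

/// Read-modify-write under an exclusive flock: no two processes act on the same old table.
fn update<T>(file: &Path, f: impl FnOnce(&mut BTreeMap<String, u32>) -> T) -> io::Result<T> {
    let mut fh = OpenOptions::new().read(true).write(true).create(true).open(file)?;
    if unsafe { flock(fh.as_raw_fd(), LOCK_EX) } != 0 {
        return Err(io::Error::last_os_error());
    }
    let mut text = String::new();
    fh.read_to_string(&mut text)?;
    let mut table: BTreeMap<String, u32> = text
        .lines()
        .filter_map(|l| l.rsplit_once(' '))
        .filter_map(|(n, c)| Some((n.to_string(), c.parse::<u32>().ok()?)))
        .collect();
    let out = f(&mut table);
    fh.set_len(0)?;
    fh.seek(SeekFrom::Start(0))?;
    for (name, cid) in &table {
        writeln!(fh, "{name} {cid}")?;
    }
    Ok(out) // dropping `fh` closes the descriptor and releases the lock
}

/// Lowest-first: a VM keeps its CID, otherwise it gets the smallest free CID >= 3.
fn allocate(table: &mut BTreeMap<String, u32>, vm: &str) -> u32 {
    let free = (FIRST_GUEST_CID..).find(|c| !table.values().any(|v| v == c)).unwrap();
    *table.entry(vm.to_string()).or_insert(free)
}

/// A UDS path fits only if it leaves room in sun_path for the NUL terminator.
fn uds_path_fits(path: &Path) -> bool {
    path.as_os_str().len() < SUN_PATH_MAX
}

fn main() {
    let file = std::env::temp_dir().join("cids-example.txt"); // constructed sample path
    println!("myvm -> CID {}", update(&file, |t| allocate(t, "myvm")).unwrap());
}
```

Because the lookup for a free CID and the insert both run inside the closure while the lock is held, a second process calling `update` blocks until the first has written its table back.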