socketforward: add bidirectional UDS forwarding

Introduce the SocketForward ttrpc service that relays UNIX domain socket
connections between host and container over vsock streams. The host side
(shim) parses OCI annotations to configure forwards, while the VM side
(vminitd) resolves paths from its own configuration using forward
identifiers.

For host-to-container connections, the VM enters the target container's
mount namespace via setns to dial the socket. For container-to-host
connections, vminitd creates listener sockets at VM-global paths with
bind mounts into the container, and streams connection notifications to
the host via the Listen RPC.

Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>

Author: akerouanton

api/next.txtpb

@@ -850,6 +850,342 @@ file: {
     is_syntax_unspecified: false
   }
 }
+file: {
+  name: "proto/nerdbox/services/socketforward/v1/socketforward.proto"
+  package: "nerdbox.services.socketforward.v1"
+  dependency: "google/protobuf/empty.proto"
+  message_type: {
+    name: "ConnectRequest"
+    field: {
+      name: "stream_id"
+      number: 1
+      label: LABEL_OPTIONAL
+      type: TYPE_STRING
+      json_name: "streamId"
+    }
+    field: {
+      name: "forward_id"
+      number: 2
+      label: LABEL_OPTIONAL
+      type: TYPE_STRING
+      json_name: "forwardId"
+    }
+    field: {
+      name: "container_id"
+      number: 3
+      label: LABEL_OPTIONAL
+      type: TYPE_STRING
+      json_name: "containerId"
+    }
+  }
+  service: {
+    name: "SocketForward"
+    method: {
+      name: "Connect"
+      input_type: ".nerdbox.services.socketforward.v1.ConnectRequest"
+      output_type: ".google.protobuf.Empty"
+    }
+    method: {
+      name: "Listen"
+      input_type: ".google.protobuf.Empty"
+      output_type: ".nerdbox.services.socketforward.v1.ConnectRequest"
+      server_streaming: true
+    }
+  }
+  options: {
+    go_package: "github.com/containerd/nerdbox/api/services/socketforward/v1;socketforward"
+  }
+  source_code_info: {
+    location: {
+      span: 16
+      span: 0
+      span: 73
+      span: 1
+    }
+    location: {
+      path: 12
+      span: 16
+      span: 0
+      span: 18
+      leading_detached_comments: "\nCopyright The containerd Authors.\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\nhttp://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n"
+    }
+    location: {
+      path: 2
+      span: 18
+      span: 0
+      span: 42
+    }
+    location: {
+      path: 3
+      path: 0
+      span: 20
+      span: 0
+      span: 37
+    }
+    location: {
+      path: 8
+      span: 22
+      span: 0
+      span: 96
+    }
+    location: {
+      path: 8
+      path: 11
+      span: 22
+      span: 0
+      span: 96
+    }
+    location: {
+      path: 6
+      path: 0
+      span: 39
+      span: 0
+      span: 54
+      span: 1
+      leading_comments: " SocketForward provides bidirectional UNIX domain socket forwarding\n across the VM boundary over vsock streams.\n\n The ttrpc server runs inside the VM (vminitd) and the ttrpc client\n runs on the host (shim). Both RPCs are initiated by the host:\n\n   - Connect (host-to-container): the host asks the VM to dial a\n     container-side socket on its behalf.\n   - Listen (container-to-host): the host opens a server-streaming\n     channel to receive notifications when a process inside the\n     container connects to a forwarded socket.\n\n Socket forward entries are passed to vminitd via init args. Each\n side resolves socket paths from its own configuration using the\n forward_id.\n"
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 1
+      span: 39
+      span: 8
+      span: 21
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 2
+      path: 0
+      span: 45
+      span: 8
+      span: 68
+      leading_comments: " Connect tells the VM to dial the container-side UNIX socket\n identified by forward_id and relay data through the vsock\n stream identified by stream_id. The host must open the vsock\n stream BEFORE calling this RPC. The container_id field must\n be set so the VM can enter the container's mount namespace.\n"
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 2
+      path: 0
+      path: 1
+      span: 45
+      span: 12
+      span: 19
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 2
+      path: 0
+      path: 2
+      span: 45
+      span: 20
+      span: 34
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 2
+      path: 0
+      path: 3
+      span: 45
+      span: 45
+      span: 66
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 2
+      path: 1
+      span: 53
+      span: 8
+      span: 74
+      leading_comments: " Listen opens a server-streaming channel. When a process inside\n the container connects to a forwarded listener socket, the VM\n sends a ConnectRequest (with container_id empty). The host\n then looks up the target host socket path using forward_id\n and opens a vsock stream with the given stream_id so the\n relay can start.\n"
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 2
+      path: 1
+      path: 1
+      span: 53
+      span: 12
+      span: 18
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 2
+      path: 1
+      path: 2
+      span: 53
+      span: 19
+      span: 40
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 2
+      path: 1
+      path: 6
+      span: 53
+      span: 51
+      span: 57
+    }
+    location: {
+      path: 6
+      path: 0
+      path: 2
+      path: 1
+      path: 3
+      span: 53
+      span: 58
+      span: 72
+    }
+    location: {
+      path: 4
+      path: 0
+      span: 60
+      span: 0
+      span: 73
+      span: 1
+      leading_comments: " ConnectRequest describes a forwarded connection. It is used both as\n the input to Connect (host-to-container, container_id set) and as\n the streamed output of Listen (container-to-host, container_id\n empty).\n"
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 1
+      span: 60
+      span: 8
+      span: 22
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 0
+      span: 64
+      span: 8
+      span: 29
+      leading_comments: " ID of the vsock stream. For Connect the host opens the stream\n before calling the RPC; for Listen the host must open a stream\n with this ID after receiving the notification.\n"
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 0
+      path: 5
+      span: 64
+      span: 8
+      span: 14
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 0
+      path: 1
+      span: 64
+      span: 15
+      span: 24
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 0
+      path: 3
+      span: 64
+      span: 27
+      span: 28
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 1
+      span: 68
+      span: 8
+      span: 30
+      leading_comments: " Identifier of the socket forward entry. Each side uses this to\n resolve the socket path from its own configuration rather than\n trusting a path supplied by the other side.\n"
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 1
+      path: 5
+      span: 68
+      span: 8
+      span: 14
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 1
+      path: 1
+      span: 68
+      span: 15
+      span: 25
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 1
+      path: 3
+      span: 68
+      span: 28
+      span: 29
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 2
+      span: 72
+      span: 8
+      span: 32
+      leading_comments: " ID of the container that owns the target socket. Set by the\n host on Connect so the VM can enter the container's mount\n namespace. Empty on Listen notifications.\n"
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 2
+      path: 5
+      span: 72
+      span: 8
+      span: 14
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 2
+      path: 1
+      span: 72
+      span: 15
+      span: 27
+    }
+    location: {
+      path: 4
+      path: 0
+      path: 2
+      path: 2
+      path: 3
+      span: 72
+      span: 30
+      span: 31
+    }
+  }
+  syntax: "proto3"
+  buf_extension: {
+    is_import: false
+    is_syntax_unspecified: false
+  }
+}
 file: {
   name: "proto/nerdbox/services/system/v1/info.proto"
   package: "containerd.vminitd.services.system.v1"