krun: implement support for passt networking

slp · slp · commit 51d3b56ce3f0 · 2026-03-13T12:23:17.000+01:00
Introduce a new configuration flag (krun.use_passt) that enables users
to request the microVM to use passt based networking instead of TSI.

Right now, the container needs to configure the network by itself, but
the next version of libkrun will embed a DHCP client in init.c

Signed-off-by: Sergio Lopez &lt;slp@redhat.com&gt;
diff --git a/src/libcrun/handlers/krun.c b/src/libcrun/handlers/krun.c
@@ -24,6 +24,7 @@
 #include "../linux.h"
 #include <unistd.h>
 #include <sys/stat.h>
+#include <sys/socket.h>
 #include <errno.h>
 #include <sys/param.h>
 #include <sys/types.h>
@@ -68,6 +69,9 @@
 #define KRUN_FLAVOR_AWS_NITRO "aws-nitro"
 #define KRUN_FLAVOR_SEV "sev"
 
+#define PASST_FD_PARENT 0
+#define PASST_FD_CHILD 1
+
 struct krun_config
 {
   void *handle;
@@ -80,6 +84,7 @@ struct krun_config
   int32_t ctx_id_awsnitro;
   bool has_kvm;
   bool has_awsnitro;
+  int passt_fds[2];
   yajl_val config_tree;
   bool use_passt;
 };
@@ -221,7 +226,7 @@ libkrun_parse_resource_configuration (yajl_val *config_tree, libcrun_container_t
         /* Annotations value is not a valid integer. */
         error (EXIT_FAILURE, 0, "krun annotation %s value cannot be converted to an integer", annotation);
 
-      if (val <= 0)
+      if (val < 0)
         error (EXIT_FAILURE, 0, "krun annotation %s value must be a positive integer", annotation);
 
       return val;
@@ -244,6 +249,7 @@ libkrun_configure_vm (uint32_t ctx_id, void *handle, struct krun_config *kconf,
 {
   runtime_spec_schema_config_schema *def = container->container_def;
   int32_t (*krun_set_vm_config) (uint32_t ctx_id, uint8_t num_vcpus, uint32_t ram_mib);
+  int32_t (*krun_add_net_unixstream) (uint32_t ctx_id, const char *c_path, int fd, uint8_t *const c_mac, uint32_t features, uint32_t flags);
   int cpus, ram_mib, gpu_flags, ret;
   cpu_set_t set;
   const char *path_cpus[] = { "cpus", (const char *) 0 };
@@ -293,6 +299,16 @@ libkrun_configure_vm (uint32_t ctx_id, void *handle, struct krun_config *kconf,
         return crun_make_error (err, -ret, "could not enable virtio gpu");
     }
 
+  if (kconf->use_passt)
+    {
+      krun_add_net_unixstream = dlsym (handle, "krun_add_net_unixstream");
+
+      uint8_t mac[] = { 0x5a, 0x94, 0xef, 0xe4, 0x0c, 0xee };
+      ret = krun_add_net_unixstream (ctx_id, NULL, kconf->passt_fds[PASST_FD_PARENT], &mac[0], COMPAT_NET_FEATURES, 0);
+      if (UNLIKELY (ret < 0))
+        error (EXIT_FAILURE, -ret, "could not set krun net configuration");
+    }
+
   if (kconf->config_tree != NULL)
     {
       /* Try to configure an external kernel. If the configuration file doesn't
@@ -502,6 +518,73 @@ libkrun_exec (void *cookie, libcrun_container_t *container, const char *pathname
   return ret;
 }
 
+static int
+libkrun_start_passt (void *cookie, libcrun_container_t *container)
+{
+  struct krun_config *kconf = (struct krun_config *) cookie;
+  const char *path_use_passt[] = { "use_passt", (const char *) 0 };
+  pid_t pid;
+  char fd_as_str[16];
+  int use_passt;
+  int status;
+  int null;
+  int ret;
+
+  use_passt = libkrun_parse_resource_configuration (&kconf->config_tree, container, "krun.use_passt", path_use_passt);
+  if (use_passt > 0)
+    kconf->use_passt = 1;
+  else
+    return 0;
+
+  ret = socketpair (AF_UNIX, SOCK_STREAM, 0, kconf->passt_fds);
+  if (UNLIKELY (ret < 0))
+    return ret;
+  snprintf (fd_as_str, sizeof (fd_as_str), "%d", kconf->passt_fds[PASST_FD_CHILD]);
+
+  char *const argv[] = {
+    (char *) "passt",
+    (char *) "--no-dhcp-dns",
+    (char *) "-t",
+    (char *) "all",
+    (char *) "-u",
+    (char *) "all",
+    (char *) "--fd",
+    fd_as_str,
+    NULL
+  };
+
+  pid = fork ();
+  if (pid < 0)
+    return pid;
+  else if (pid == 0)
+    {
+      close (kconf->passt_fds[PASST_FD_PARENT]);
+
+      null = open ("/dev/null", O_WRONLY);
+      if (null == -1)
+        _exit (EXIT_FAILURE);
+
+      // Redirect passt's stdout and stderr to /dev/null, as closing them here
+      // instead will cause passt to exit with an error.
+      dup2 (null, STDOUT_FILENO);
+      dup2 (null, STDERR_FILENO);
+      close (null);
+
+      execvp ("passt", argv);
+      // Only reachable on error.
+      _exit (EXIT_FAILURE);
+    }
+
+  close (kconf->passt_fds[PASST_FD_CHILD]);
+
+  // Wait for passt to daemonize itself.
+  waitpid (pid, &status, 0);
+  if (! (WIFEXITED (status)) || WEXITSTATUS (status) != 0)
+    return -1;
+
+  return 0;
+}
+
 /* libkrun_create_kvm_device: explicitly adds kvm device.  */
 static int
 libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
@@ -567,6 +650,10 @@ libkrun_configure_container (void *cookie, enum handler_configure_phase phase,
   if (phase != HANDLER_CONFIGURE_AFTER_MOUNTS)
     return 0;
 
+  ret = libkrun_start_passt (cookie, container);
+  if (UNLIKELY (ret < 0))
+    return crun_make_error (err, errno, "start passt");
+
   /* Do nothing if /dev/kvm is already present in spec */
   for (i = 0; i < def->linux->devices_len; i++)
     {
@@ -838,6 +925,35 @@ libkrun_modify_oci_configuration (void *cookie arg_unused, libcrun_context_t *co
   return 0;
 }
 
+static int
+libkrun_close_fds (void *cookie, libcrun_container_t *container, int preserve_fds, libcrun_error_t *err)
+{
+  struct krun_config *kconf = (struct krun_config *) cookie;
+  int first_fd_to_close = preserve_fds + 3;
+  int passt_fd;
+  int i;
+
+  if (kconf->use_passt)
+    {
+      passt_fd = kconf->passt_fds[PASST_FD_PARENT];
+
+      if (first_fd_to_close <= passt_fd)
+        {
+          for (i = first_fd_to_close; i < passt_fd; i++)
+            {
+              // If we're closing proc_fd, make sure to invalidate it.
+              if (i == container->proc_fd)
+                container->proc_fd = -1;
+              close (i);
+            }
+
+          first_fd_to_close = passt_fd + 1;
+        }
+    }
+
+  return mark_or_close_fds_ge_than (container, first_fd_to_close, true, err);
+}
+
 struct custom_handler_s handler_libkrun = {
   .name = "krun",
   .alias = NULL,
@@ -847,6 +963,7 @@ struct custom_handler_s handler_libkrun = {
   .run_func = libkrun_exec,
   .configure_container = libkrun_configure_container,
   .modify_oci_configuration = libkrun_modify_oci_configuration,
+  .close_fds = libkrun_close_fds,
 };
 
 #endif
