When using a kernel build with TSIv3 and libkrun, I'm unable to perform certain simple operations in the guest:
```shell
curl https://google.com
ps aux
/bin/bash
```
Both of these hang with no output. Enabling `libkrun` logs shows that both of these make indirect use of DNS and result in the use of `/var/run/nscd/socket`. On the host, libkrun errors, with the message: `AFUNIX sockets aren't yet supported on MacOS`. AFAICT, this failure doesn't seem to get propagated back to the guest, because the guest remains in a hung state on failures of this sort.
I have been able to demonstrate to myself that `AF_UNIX` hijacking is the culprit. I modified the `0010-tsi-allow-hijacking-sockets-tsi_hijack.patch` to skip hijacking `AF_UNIX`. Doing so allowed these basic operations to work.
When doing `curl https://google.com` in such a setup, I notice that I get a whole bunch of ERROR level `devices::virtio::vsock::tsi_stream` logs with the message `EventSet::OUT while not connecting`.
Perhaps an interesting middle-ground would be TSIv3 where there's an extra config to opt into / out of AF_UNIX hijacking.
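As an added diagnostic example (not code from the issue or from the libkrun project), the C program below probes a UNIX stream socket with a bounded timeout instead of a blocking `connect()`, so a hijacked `AF_UNIX` connect whose host-side failure never reaches the guest shows up as an explicit `timeout` result rather than a silent stall. The `/var/run/nscd/socket` path is the one named in the report; the function names `probe_unix_socket` and `make_unix_listener`, the 2-second timeout and the `/tmp` listener path used for self-testing are assumptions.

```c
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

/* Outcome of one bounded connect attempt (names are this example's own). */
enum probe_result { PROBE_CONNECTED, PROBE_ABSENT, PROBE_REFUSED, PROBE_TIMEOUT, PROBE_ERROR };

static const char *probe_name(enum probe_result r)
{
    static const char *names[] = { "connected", "absent", "refused", "timeout", "error" };
    return names[r];
}

/* Map an errno from connect()/SO_ERROR onto a probe_result. */
static enum probe_result classify(int err)
{
    if (err == 0) return PROBE_CONNECTED;
    if (err == ENOENT) return PROBE_ABSENT;        /* no such socket file */
    if (err == ECONNREFUSED) return PROBE_REFUSED; /* file exists, nobody listening */
    return PROBE_ERROR;
}

/* Connect to a UNIX stream socket without ever blocking longer than timeout_ms.
 * A healthy socket stack answers immediately (connected/absent/refused);
 * a stalled one, like the hijacked connect described in the report, yields PROBE_TIMEOUT. */
enum probe_result probe_unix_socket(const char *path, int timeout_ms)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof addr.sun_path) return PROBE_ERROR;
    strcpy(addr.sun_path, path);

    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return PROBE_ERROR;
    int flags = fcntl(fd, F_GETFL, 0);
    fcntl(fd, F_SETFL, flags | O_NONBLOCK); /* so connect() cannot hang us */

    enum probe_result r;
    if (connect(fd, (struct sockaddr *)&addr, sizeof addr) == 0) {
        r = PROBE_CONNECTED;
    } else if (errno == EINPROGRESS || errno == EAGAIN) {
        /* Connection pending: wait for writability, then read the real result. */
        struct pollfd pfd = { .fd = fd, .events = POLLOUT, .revents = 0 };
        int n = poll(&pfd, 1, timeout_ms);
        if (n == 0) {
            r = PROBE_TIMEOUT;
        } else if (n < 0) {
            r = PROBE_ERROR;
        } else {
            int err = 0;
            socklen_t len = sizeof err;
            r = getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0 ? PROBE_ERROR : classify(err);
        }
    } else {
        r = classify(errno);
    }
    close(fd);
    return r;
}

/* Create a listening UNIX socket at path (removing a stale file first); returns fd or -1.
 * Used to give the probe a known-good target to compare against. */
int make_unix_listener(const char *path)
{
    struct sockaddr_un addr;
    memset(&addr, 0, sizeof addr);
    addr.sun_family = AF_UNIX;
    if (strlen(path) >= sizeof addr.sun_path) return -1;
    strcpy(addr.sun_path, path);
    unlink(path);
    int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* The path glibc's resolver tries before falling back to its own lookup. */
    const char *nscd = "/var/run/nscd/socket";
    enum probe_result r = probe_unix_socket(nscd, 2000); /* 2 s bound is an assumption */
    printf("%s: %s\n", nscd, probe_name(r));
    return r == PROBE_TIMEOUT ? 1 : 0;
}
```

Run it inside the guest: `absent` or `refused` means the `AF_UNIX` path is being answered by the guest kernel as usual, while `timeout` reproduces the stall without needing `curl` or `ps`, which makes it a quick check when toggling the hijacking patch.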