65 changes: 48 additions & 17 deletions guest-agent/src/server.rs
Expand Up @@ -10,10 +10,11 @@ use crate::http_routes;
use crate::rpc_service::{AppState, ExternalRpcHandler, InternalRpcHandler, InternalRpcHandlerV0};
use crate::socket_activation::{ActivatedSockets, ActivatedUnixListener};
use anyhow::{anyhow, Context, Result};
use ra_rpc::rocket_helper::UnixPeerCredListener;
use rocket::{
fairing::AdHoc,
figment::Figment,
listener::{Bind, DefaultListener},
listener::{unix::UnixListener, Bind, DefaultListener, Endpoint},
};
use rocket_vsock_listener::VsockListener;
use sd_notify::{notify as sd_notify, NotifyState};
Expand Down Expand Up @@ -43,7 +44,7 @@ async fn run_internal_v0(

if let Some(std_listener) = activated_socket {
info!("Using systemd-activated socket for tappd.sock");
let listener = ActivatedUnixListener::new(std_listener)?;
let listener = UnixPeerCredListener::new(ActivatedUnixListener::new(std_listener)?);
sock_ready_tx.send(()).ok();
ignite
.launch_on(listener)
Expand All @@ -52,14 +53,29 @@ async fn run_internal_v0(
} else {
let endpoint = DefaultListener::bind_endpoint(&ignite)
.map_err(|err| anyhow!("Failed to get endpoint: {err}"))?;
let listener = DefaultListener::bind(&ignite)
.await
.map_err(|err| anyhow!("Failed to bind on {endpoint}: {err}"))?;
sock_ready_tx.send(()).ok();
ignite
.launch_on(listener)
.await
.map_err(|err| anyhow!(err.to_string()))?;
match endpoint {
Endpoint::Unix(_) => {
let listener = UnixPeerCredListener::new(
<UnixListener as Bind>::bind(&ignite)
.await
.map_err(|err| anyhow!("Failed to bind on {endpoint}: {err}"))?,
);
ignite
.launch_on(listener)
.await
.map_err(|err| anyhow!(err.to_string()))?;
}
_ => {
let listener = DefaultListener::bind(&ignite)
.await
.map_err(|err| anyhow!("Failed to bind on {endpoint}: {err}"))?;
ignite
.launch_on(listener)
.await
.map_err(|err| anyhow!(err.to_string()))?;
}
}
}
Ok(())
}
Expand All @@ -80,7 +96,7 @@ async fn run_internal(

if let Some(std_listener) = activated_socket {
info!("Using systemd-activated socket for dstack.sock");
let listener = ActivatedUnixListener::new(std_listener)?;
let listener = UnixPeerCredListener::new(ActivatedUnixListener::new(std_listener)?);
sock_ready_tx.send(()).ok();
ignite
.launch_on(listener)
Expand All @@ -89,14 +105,29 @@ async fn run_internal(
} else {
let endpoint = DefaultListener::bind_endpoint(&ignite)
.map_err(|err| anyhow!("Failed to get endpoint: {err}"))?;
let listener = DefaultListener::bind(&ignite)
.await
.map_err(|err| anyhow!("Failed to bind on {endpoint}: {err}"))?;
sock_ready_tx.send(()).ok();
ignite
.launch_on(listener)
.await
.map_err(|err| anyhow!(err.to_string()))?;
match endpoint {
Endpoint::Unix(_) => {
let listener = UnixPeerCredListener::new(
<UnixListener as Bind>::bind(&ignite)
.await
.map_err(|err| anyhow!("Failed to bind on {endpoint}: {err}"))?,
);
ignite
.launch_on(listener)
.await
.map_err(|err| anyhow!(err.to_string()))?;
}
_ => {
let listener = DefaultListener::bind(&ignite)
.await
.map_err(|err| anyhow!("Failed to bind on {endpoint}: {err}"))?;
ignite
.launch_on(listener)
.await
.map_err(|err| anyhow!(err.to_string()))?;
}
}
}
Ok(())
}
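Review bot: In the non-activated branch of run_internal_v0 the surviving `sock_ready_tx.send(()).ok();` line now appears to sit above the new `match endpoint`, so readiness is signalled before the Unix or TCP socket is bound, whereas the replaced code and the systemd-activated branch just above only signal once the listener exists; a consumer waiting on that channel could try to connect before the socket path is created. If the rendered ordering is right, move the send into both arms after the bind, i.e. after `let listener = UnixPeerCredListener::new(...);` and after `let listener = DefaultListener::bind(&ignite)...?;` add `sock_ready_tx.send(()).ok();`. The identical match block in run_internal further down this file has the same ordering. Since the two match blocks are byte-for-byte the same, a small private helper taking `ignite` and `sock_ready_tx` would remove the duplication and keep the bind-then-signal order in one place. Both enclosing functions start outside the shown hunks.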
23 changes: 21 additions & 2 deletions ra-rpc/src/lib.rs
Expand Up @@ -22,12 +22,31 @@ pub mod client;
#[cfg(feature = "openapi")]
pub mod openapi;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UnixPeerCred {
/// Peer process ID (platform-independent representation)
pub pid: u64,
/// Peer user ID
pub uid: u64,
/// Peer group ID
pub gid: u64,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum RemoteEndpoint {
Tcp(SocketAddr),
Quic(SocketAddr),
Unix(PathBuf),
Vsock { cid: u32, port: u32 },
/// Unix domain socket endpoint.
///
/// When available, `peer` can carry SO_PEERCRED (pid/uid/gid) of the caller.
Unix {
path: PathBuf,
peer: Option<UnixPeerCred>,
},
Vsock {
cid: u32,
port: u32,
},
Other(String),
}
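Review bot: The doc on `RemoteEndpoint::Unix` says `peer` "can" carry SO_PEERCRED but not what a caller should conclude from `None`, nor how fresh the values are, and `uid`/`gid` are exactly what an authorization check downstream would key on. Suggested doc lines for the `peer` field: `/// None means the transport did not supply SO_PEERCRED; treat such a caller as unauthenticated, not as local.` and `/// Values are captured at connect time; the pid may be reused after the peer exits, so do not base authorization on it.`. `UnixPeerCred` holds only integers, so it could additionally derive `Copy` and `Hash` to make it cheap to pass around with the endpoint. The Unix variant's change from a tuple to a struct variant is the commit's intent and needs no further change here.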
