Jump to navigation Jump to search

vhost-user-vsock application

Summary: Develop a vhost-user-vsock application in Rust and integrate it with Kata Container

Kata Containers provides a secure container runtime using lightweight virtual machines that feel and perform like traditional containers. Kata Containers leverages KVM and supports multiple Virtual Machine Monitors, including QEMU. It uses virtio-vsock to create a communication channel between the runtime, running in the host, and the agent running in the guest.

Kata Containers focuses on security, so moving the device emulation into an external user space process is very attractive in order to reduce the attack surface.

This project aims to realize an application (i.e. vhost-user-vsock) that will leverage the vhost-user protocol to emulate the virtio-vsock device in an external process. It will provide the hybrid VSOCK interface over AF_UNIX introduced by Firecracker.

The QEMU part has already been implemented and tested with a proof of concept based on Cloud Hypervisor crates, that can be used as starting point for this project.

The new application should be written in Rust reusing as much as possible the crates available in rust-vmm. It's an umbrella project that provides a set of virtualization components that can be easily reused to speed up the implementation.

If time allows, we could integrate vhost-user-vsock into Kata Containers.

Possible roadmap:

  • vhost-user-vsock application (Rust)
    • Getting familiar with vsock and tools (ncat, tcpdump, wireshark)
    • Learning vhost-user protocol
    • Trying QEMU with the vhost-user-vsock PoC
    • Rust application development based on vhost-user-vsock PoC
      • Replace Cloud Hypervisor crates with rust-vmm crates (e.g. vhost)
      • Try to move other crates to rust-vmm (e.g. virtio-vsock)
      • Cleanups and tests
      • Publish vhost-user-vsock in the rust-vmm umbrella project
  • Kata Container integration (Go)
    • Getting familiar with kata-containers and its environment
      • Deploying and using Kata Containers on minikube
      • Able to modify the content of the projects and run the modified binaries on minikube
    • Runtime side work:
      • start the application daemon (similar to virtio-fs)
      • ensure it's receiving the correct SELinux labels (container_kvm_t label similar to virtio-fs)
    • GOVMM side:
      • add support to "vhost-user-vsock"
    • There may be some work needed on the agent related to this integration, but we hope everything will be transparent on that layer.



  • Skill level: intermediate
  • Language: Rust / Go
  • Mentors: Stefano Garzarella <>, Fabiano Fidêncio <>
    • IRC nick: sgarzare (OFTC/freenode), fidencio (OFTC/freenode)