socketforward: add bidirectional UDS forwarding

Introduce the SocketForward ttrpc service that relays UNIX domain socket
connections between host and container over vsock streams. The host side
(shim) parses OCI annotations to configure forwards, while the VM side
(vminitd) resolves paths from its own configuration using forward
identifiers.

For host-to-container connections, the VM enters the target container's
mount namespace via setns to dial the socket. For container-to-host
connections, vminitd creates listener sockets at VM-global paths with
bind mounts into the container, and streams connection notifications to
the host via the Listen RPC.

Signed-off-by: Albin Kerouanton <albin.kerouanton@docker.com>

Author: akerouanton

api/next.txtpb

@@ -0,0 +1,86 @@
+/*
+	Copyright The containerd Authors.
+
+	Licensed under the Apache License, Version 2.0 (the "License");
+	you may not use this file except in compliance with the License.
+	You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+	Unless required by applicable law or agreed to in writing, software
+	distributed under the License is distributed on an "AS IS" BASIS,
+	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+	See the License for the specific language governing permissions and
+	limitations under the License.
+*/
+
+syntax = "proto3";
+
+package nerdbox.services.socketforward.v1;
+
+import "google/protobuf/empty.proto";
+
+option go_package = "github.com/containerd/nerdbox/api/services/socketforward/v1;socketforward";
+
+// SocketForward provides UNIX domain socket forwarding across the VM boundary
+// over vsock streams. Container processes connect to listener sockets created
+// by vminitd; connections are relayed to the corresponding host-side socket.
+//
+// The ttrpc server runs inside the VM (vminitd) and the ttrpc client runs on
+// the host (shim). All RPCs are initiated by the host:
+//
+//   - Bind: the host tells the VM which sockets to set up. The VM creates
+//     UNIX listener sockets at the internal container-side paths so that runc
+//     can bind-mount them into the container. This must be called before the
+//     container is created.
+//   - Accept: the host opens a server-streaming channel to receive
+//     notifications when a process inside the container connects to a
+//     forwarded socket.
+//
+// Each side resolves socket paths from its own configuration using the
+// forward_id.
+service SocketForward {
+	// Bind sets up the socket forward entries on the VM side. The VM creates
+	// UNIX listener sockets at the paths given in socket_path. This RPC returns
+	// only after all socket files have been created, so the caller can safely
+	// proceed with container creation (runc bind mounts).
+	rpc Bind(BindRequest) returns (google.protobuf.Empty);
+
+	// Accept opens a server-streaming channel. When a process inside the
+	// container connects to a forwarded listener socket, the VM sends a
+	// ConnectRequest containing the stream_id and forward_id. The host
+	// resolves the target host socket from its own configuration using
+	// forward_id, dials it, and opens a vsock stream with the given stream_id
+	// so the relay can start.
+	rpc Accept(google.protobuf.Empty) returns (stream ConnectRequest);
+}
+
+// BindRequest is sent by the host before container creation to set up socket
+// forwards on the VM side.
+message BindRequest {
+	repeated Socket sockets = 1;
+}
+
+// Socket describes a single forwarded UNIX socket.
+message Socket {
+	// Opaque identifier for this forward. Each side uses it to resolve the local
+	// socket path from its own configuration.
+	string forward_id = 1;
+	// Path of the UNIX listener socket in the VM's root filesystem
+	// (/run/socketfwd/{forward_id}.sock). vminitd creates the socket here;
+	// the shim has already rewritten the uds mount to a bind mount from
+	// this path to the user-specified destination inside the container.
+	string socket_path = 2;
+}
+
+// ConnectRequest is the streamed output of Accept. It notifies the host of a
+// new container-initiated connection.
+message ConnectRequest {
+	// ID of the vsock stream. The host must open a stream with this ID after
+	// receiving the notification so that the relay can start.
+	string stream_id = 1;
+	// Identifier of the socket forward entry. The host uses this to resolve the
+	// target host socket path from its own configuration rather than trusting a
+	// path supplied by the VM.
+	string forward_id = 2;
+}

api/proto/nerdbox/services/socketforward/v1/socketforward.proto

@@ -0,0 +1,18 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+// Package socketforward defines the socketforward service.
+package socketforward