9
2
Fork
You've already forked platform
2

Native unixsock/tcp tunnel between client and platform #266

Open
opened 2026年06月07日 00:22:07 +02:00 by lrvick · 3 comments

We effectively need:
server( proxy:8080 <-vsock-> enclave(app:unix.sock) <-tcp:8080-> client( tcp -> app:unix.sock)

Also caution CLI should be able to run as a daemon on the client side, and perform health checks based on connectivity to the remote socket or tcp connection it is forwarding. Should function very much like tcp+socket forwarding in ssh.

Then a user can run mysql, nginx, postgres etc in an enclave with a minimal library kernel, no idea what a network stack is, that just listens on a unix socket, and users can plumb that socket securely with end to end encryption to k8s or anywhere else they need comms to that enclave daemon.

IMO this unlocks a ton of use cases, and lets us eliminate a lot of attack surface in the process, as exposing tcp ports to the outside world is the wrong call for most internal use services. Unix sockets tunneled point to point between secure environments without having to care about firewalls, however, is super useful.

We effectively need: server( proxy:8080 <-vsock-> enclave(app:unix.sock) <-tcp:8080-> client( tcp -> app:unix.sock) Also caution CLI should be able to run as a daemon on the client side, and perform health checks based on connectivity to the remote socket or tcp connection it is forwarding. Should function very much like tcp+socket forwarding in ssh. Then a user can run mysql, nginx, postgres etc in an enclave with a minimal library kernel, no idea what a network stack is, that just listens on a unix socket, and users can plumb that socket securely with end to end encryption to k8s or anywhere else they need comms to that enclave daemon. IMO this unlocks a ton of use cases, and lets us eliminate a lot of attack surface in the process, as exposing tcp ports to the outside world is the wrong call for most internal use services. Unix sockets tunneled point to point between secure environments without having to care about firewalls, however, is super useful.
lrvick changed title from (削除) Native unixsock/tcp tunnel between client and platform. #23 (削除ここまで) to Native unixsock/tcp tunnel between client and platform 2026年06月07日 00:22:42 +02:00
Author
Owner
Copy link
Prior art reference: https://github.com/tkhq/qos/blob/main/src/qos_enclave/src/main.rs

Yes, 100% needed. Should it leverage Steve? The steve-sdk rust client could be embedded in the caution verify CLI I guess.

However today steve is request/response based, it doesn't fit a raw unix/tcp byte stream (postgres/mysql are stateful), so a streaming data plane is required before this works

Yes, 100% needed. Should it leverage Steve? The steve-sdk rust client could be embedded in the caution verify CLI I guess. However today steve is request/response based, it doesn't fit a raw unix/tcp byte stream (postgres/mysql are stateful), so a streaming data plane is required before this works

that just listens on a unix socket

or vsock, and it leverages existing port binding mechanisms.

I need a proper network flow diagram to understand how this works. Random arrows pointing in various directions is insufficient and does not reveal what's not provided by vsock and socat.

> that just listens on a unix socket or vsock, and it leverages existing port binding mechanisms. I need a proper network flow diagram to understand how this works. Random arrows pointing in various directions is insufficient and does not reveal what's not provided by vsock and socat.
Sign in to join this conversation.
No Branch/Tag specified
main
anton/feat/multi-user
feat/legal-publish-doc
fix/issue-119-logout-confirmation
fix/paddle-customdata-credit-mint
fix/issue-116-duplicate-ssh-key
fix/issue-265-http-port-private
fix/issue-330-remove-build-binary
feat/paddle-byoc-subscriptions
fix/issue-307-remove-apps
feat/issue-164-account-id
feat/add-tofu-lockfile-cache
feat/webauthn-discoverable-login
docs/issue-339-install-instructions
fix/issue-336-split-qr-login-tokens
fix/verify-app-source-preflight
fix/many-git-push-deploy
fix/issue-334-email-verification-throttle
fix/issue-273-billing-url
fix/issue-333-final-usage-collection
fix/issue-270-low-credit-email
fix/issue-301-remove-auto-topup
fix/issue-320-byoc-auth-first
fix/issue-348-git-progress-checklist
fix/issue-321-byoc-caution-hcl
fix/issue-332-resource-id-suspension
fix/eif-app-mode-normalization
feat/cli-stagex-container
fix/eif-s3-layer-cache
fix/authz-role-checks
fix/cli-hangs-unsupported-ssh-url
feat/print-platform-commit-dashboard
fix/config-domain-validation
anton/support-ssh-destroy-get
fix/cli-config-dir
feat/publish-build-inputs
feat/locksmith-polishing
fix/procfile-run-command-no-split
anton/byoc-require-login
fix/hcl-init-template
feat/egress-default-deny
ryansquared/hcl
quotas
anton/feat/region-routing-resource-unavailable-alert
fix/attestation-502-dashboard
ryansquared/systemdize
fix/verify-git-credential-hang
anton/fix-low-credits-alert
xenushka/rename-byoc
ryansquared/add-download-eif
add-debug-flag
test/pr1-integration-harness
anton/fix/only-pass-required-env-vars
ryansquared/add-database-bucket
No results found.
Labels
Clear labels
Compat/Breaking
Breaking change that won't be backward compatible
Component/Enclave-Builder
This issue affects Enclave Builder (git-push and CLI)
Component/Infrastructure
This issue affects generic Caution hosted infra components
Deploy/BYOC
Relates to Caution Bring-your-own-compute
Deploy/Full-managed
Relates to Caution fully managed cloud
Deploy/Self-hosted
Relates to Caution deployed on self-hosted infra
Interface/API
This issue affects the API
Interface/CLI
This issue affects the command line interface
Interface/Git
This issue affects the Git `push` interface
Interface/Web
This issue affects the web dashboard
Kind/Bug
Something is not working
Kind/Documentation
Documentation changes
Kind/Enhancement
Improve existing functionality
Kind/Feature
New functionality
Kind/Security
This is security issue
Kind/Testing
Issue or pull request related to testing
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
3 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
caution/platform#266
Reference in a new issue
caution/platform
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?