fix(macos): restore bridge networking with shim-hosted netproxy

Author: RoyLin

src/Cargo.lock

@@ -12,7 +12,7 @@ members = [
 resolver = "2"
 
 [workspace.package]
-version = "0.8.9"
+version = "0.8.10"
 edition = "2021"
 authors = ["A3S Lab Team"]
 license = "MIT"

src/Cargo.toml

@@ -40,7 +40,6 @@ pub fn spawn_health_checker(
 
 #[cfg(not(windows))]
 async fn run_health_loop(box_id: String, exec_socket_path: PathBuf, hc: HealthCheck) {
-    use std::path::Path;
     use std::time::Duration;
 
     // Honour start_period before the first probe

src/cli/src/health.rs

@@ -10,6 +10,8 @@
 //! - [`VmHandler`] — lifecycle operations on a running VM
 
 use std::net::Ipv4Addr;
+#[cfg(target_os = "macos")]
+use std::os::fd::RawFd;
 use std::path::PathBuf;
 
 use async_trait::async_trait;
@@ -51,11 +53,21 @@ pub struct TeeInstanceConfig {
     pub tee_type: String,
 }
 
-/// Network instance configuration for passt-based networking.
+/// Network instance configuration for the network backend (passt on Linux, gvproxy on macOS).
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct NetworkInstanceConfig {
-    /// Path to the passt Unix socket.
-    pub passt_socket_path: PathBuf,
+    /// Path to the network backend Unix socket (passt on Linux, gvproxy on macOS).
+    pub net_socket_path: PathBuf,
+
+    /// Pre-opened Unix datagram socket fd inherited by the shim on macOS.
+    #[cfg(target_os = "macos")]
+    #[serde(default)]
+    pub net_socket_fd: Option<RawFd>,
+
+    /// Proxy-side Unix datagram socket fd inherited by the shim on macOS.
+    #[cfg(target_os = "macos")]
+    #[serde(default)]
+    pub net_proxy_fd: Option<RawFd>,
 
     /// Assigned IPv4 address for this VM.
     pub ip_address: Ipv4Addr,
@@ -127,8 +139,8 @@ pub struct InstanceSpec {
     #[serde(default)]
     pub user: Option<String>,
 
-    /// Network configuration for passt-based networking.
-    /// None = TSI mode (default), Some = passt virtio-net mode.
+    /// Network configuration for virtio-net networking.
+    /// None = TSI mode (default), Some = virtio-net mode (passt on Linux, gvproxy on macOS).
     #[serde(default)]
     pub network: Option<NetworkInstanceConfig>,
 
@@ -371,7 +383,11 @@ mod tests {
     fn test_instance_spec_with_network() {
         let spec = InstanceSpec {
             network: Some(NetworkInstanceConfig {
-                passt_socket_path: PathBuf::from("/tmp/passt.sock"),
+                net_socket_path: PathBuf::from("/tmp/net.sock"),
+                #[cfg(target_os = "macos")]
+                net_socket_fd: Some(42),
+                #[cfg(target_os = "macos")]
+                net_proxy_fd: Some(43),
                 ip_address: "10.0.0.2".parse().unwrap(),
                 gateway: "10.0.0.1".parse().unwrap(),
                 prefix_len: 24,
@@ -385,6 +401,10 @@ mod tests {
         let deserialized: InstanceSpec = serde_json::from_str(&json).unwrap();
 
         let net = deserialized.network.unwrap();
+        #[cfg(target_os = "macos")]
+        assert_eq!(net.net_socket_fd, Some(42));
+        #[cfg(target_os = "macos")]
+        assert_eq!(net.net_proxy_fd, Some(43));
         assert_eq!(net.ip_address, "10.0.0.2".parse::<Ipv4Addr>().unwrap());
         assert_eq!(net.gateway, "10.0.0.1".parse::<Ipv4Addr>().unwrap());
         assert_eq!(net.prefix_len, 24);

src/core/src/vmm.rs

@@ -441,7 +441,34 @@ fn mount_virtio_fs_shares() -> Result<(), Box<dyn std::error::Error>> {
                 std::fs::create_dir_all("/mnt/newroot/sys").ok();
                 std::fs::create_dir_all("/mnt/newroot/dev").ok();
 
-                // Move mounts
+                // Move mounts: MS_PRIVATE first to allow MS_MOVE on shared mounts (sysfs).
+                let mut proc_moved = false;
+                let mut sys_moved = false;
+                let mut dev_moved = false;
+
+                // Make mounts private so MS_MOVE works
+                let _ = mount(
+                    Some(""),
+                    "/proc",
+                    None::<&str>,
+                    MsFlags::MS_PRIVATE,
+                    None::<&str>,
+                );
+                let _ = mount(
+                    Some(""),
+                    "/sys",
+                    None::<&str>,
+                    MsFlags::MS_PRIVATE | MsFlags::MS_REC,
+                    None::<&str>,
+                );
+                let _ = mount(
+                    Some(""),
+                    "/dev",
+                    None::<&str>,
+                    MsFlags::MS_PRIVATE,
+                    None::<&str>,
+                );
+
                 if let Err(e) = mount(
                     Some("/proc"),
                     "/mnt/newroot/proc",
@@ -450,6 +477,8 @@ fn mount_virtio_fs_shares() -> Result<(), Box<dyn std::error::Error>> {
                     None::<&str>,
                 ) {
                     warn!("Failed to move /proc: {}", e);
+                } else {
+                    proc_moved = true;
                 }
 
                 if let Err(e) = mount(
@@ -460,6 +489,8 @@ fn mount_virtio_fs_shares() -> Result<(), Box<dyn std::error::Error>> {
                     None::<&str>,
                 ) {
                     warn!("Failed to move /sys: {}", e);
+                } else {
+                    sys_moved = true;
                 }
 
                 if let Err(e) = mount(
@@ -470,16 +501,56 @@ fn mount_virtio_fs_shares() -> Result<(), Box<dyn std::error::Error>> {
                     None::<&str>,
                 ) {
                     warn!("Failed to move /dev: {}", e);
+                } else {
+                    dev_moved = true;
                 }
 
                 // Change directory to new root
                 std::env::set_current_dir("/mnt/newroot")?;
 
-                // Pivot root
+                // Pivot root via chroot
                 use nix::unistd::{chdir, chroot};
                 chroot("/mnt/newroot")?;
                 chdir("/")?;
 
+                // Re-mount any filesystems that couldn't be moved (MS_MOVE failed).
+                // This ensures /proc, /sys, /dev are available in the new rootfs.
+                if !proc_moved {
+                    if let Err(e) = mount(
+                        Some("proc"),
+                        "/proc",
+                        Some("proc"),
+                        MsFlags::empty(),
+                        None::<&str>,
+                    ) {
+                        warn!("Failed to remount /proc after chroot: {}", e);
+                    }
+                }
+                if !sys_moved {
+                    if let Err(e) = mount(
+                        Some("sysfs"),
+                        "/sys",
+                        Some("sysfs"),
+                        MsFlags::empty(),
+                        None::<&str>,
+                    ) {
+                        warn!("Failed to remount /sys after chroot: {}", e);
+                    } else {
+                        info!("Remounted /sys after chroot (MS_MOVE failed)");
+                    }
+                }
+                if !dev_moved {
+                    if let Err(e) = mount(
+                        Some("devtmpfs"),
+                        "/dev",
+                        Some("devtmpfs"),
+                        MsFlags::empty(),
+                        None::<&str>,
+                    ) {
+                        warn!("Failed to remount /dev after chroot: {}", e);
+                    }
+                }
+
                 info!("Successfully pivoted to new root filesystem");
             }
             Err(e) => {