Pylons / waitress

Waitress - A WSGI server for Python 3
https://docs.pylonsproject.org/projects/waitress/en/latest/

Support socket address family VSOCK #409

Open ananthb opened 1 year ago

ananthb commented 1 year ago

Add support for VSOCK stream sockets.

Fixes: #408

mmerickel commented 1 year ago

Can you please add your name to CONTRIBUTORS.txt? Thanks!

I'm not familiar with VSOCK sockets, gonna need to wait for @bertjwregeer to review this.

Also note the failing ci/cd jobs that need to be fixed.

ananthb commented 1 year ago

> Can you please add your name to CONTRIBUTORS.txt? Thanks!

Sure thing.

> I'm not familiar with VSOCK sockets,...

From waitress' point of view, they should be identical to UNIX sockets. The vsock address family is available to Linux VMs and the host machine when using the KVM virtualisation module. It allows the host machine and any VMs running on it to communicate without using the network. So it's only available locally on Linux.

> Also note the failing ci/cd jobs that need to be fixed.

Fixed.

ananthb commented 1 year ago

Fixed the new failure by limiting this feature to only CPython on Linux as it is unavailable elsewhere.

sudhirj commented 1 year ago

Adding a bit of context here... there's an upcoming paradigm called secure enclaves, where cloud providers set up specially isolated and secured VMs with no writable disks, no network access, and signed code execution.

These special VMs are suitable for processing very sensitive data like medical records, credit cards or anything else that is too sensitive to want to process on a normal machine.

When running, these VMs have no TCP sockets in them. The only way to communicate with them from the host machine is over a VSOCK socket. Works pretty much the same as any other socket, but is a different address family (integer, not IP address) and port scheme.

We want to run a Python server inside this secure VM, and asking waitress to listen on a VSOCK is by far the cleanest solution we've seen so far. We're dogfooding this PR internally.

https://aws.amazon.com/ec2/nitro/nitro-enclaves/
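
The addressing described in the comments above, as an added example that is not part of this pull request or of waitress: a VSOCK stream listener binds to a `(CID, port)` pair of integers, and `accept()` reports the peer in the same form, so the server can refuse peers whose CID is not expected. The `CID:PORT` string form, the function names and the allow-list are assumptions made for illustration.

```python
import socket

# Value from linux/vm_sockets.h, used as a fallback where the socket module
# does not expose the VSOCK constants (anything but CPython on Linux).
CID_ANY = getattr(socket, "VMADDR_CID_ANY", 0xFFFFFFFF)
U32_MAX = 0xFFFFFFFF


def parse_vsock_address(text):
    """Parse a hypothetical 'CID:PORT' string into an (int, int) tuple."""
    cid_text, sep, port_text = text.partition(":")
    if not sep:
        raise ValueError("expected CID:PORT")
    cid = CID_ANY if cid_text == "any" else int(cid_text, 10)
    port = int(port_text, 10)
    # CIDs and ports are unsigned 32-bit integers, not IP addresses or
    # 16-bit TCP ports; 0xFFFFFFFF as a port means "any" and is rejected here.
    if not (0 <= cid <= U32_MAX and 0 <= port < U32_MAX):
        raise ValueError("CID or port out of range")
    return cid, port


def peer_allowed(peer, allowed_cids):
    """peer is the (cid, port) tuple returned by accept() on AF_VSOCK."""
    return peer[0] in allowed_cids


def serve_once(address, allowed_cids, reply=b"ok\n"):
    """Accept one connection and answer only if the peer CID is expected."""
    if not hasattr(socket, "AF_VSOCK"):
        raise RuntimeError("AF_VSOCK needs CPython on Linux")
    with socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM) as listener:
        listener.bind(parse_vsock_address(address))
        listener.listen(1)
        conn, peer = listener.accept()
        with conn:
            if not peer_allowed(peer, allowed_cids):
                return peer, False  # close without sending anything
            conn.sendall(reply)
            return peer, True
```

`serve_once("any:5005", {3})` blocks until one peer connects and needs a kernel with vsock support; the parsing and allow-list helpers run anywhere.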

digitalresistor commented 7 months ago

I've merged main into this branch because I wanted to run CI/CD on this. However, there are multiple failing tests. If you could fix it so that the tests successfully run on GitHub CI/CD then I would be happy to move forward with this.

ananthb commented 2 months ago

@digitalresistor I can fix those tests if you're still interested.