rfc: virtio-vsock for RPC and IPC #33897

issue Sjors opened this issue on November 18, 2025
  1. Sjors commented at 10:11 am on November 18, 2025: member

    virtio-vsock provides a way for applications running on a guest VM and the host system to communicate with each other using the standard socket interface (socket, connect, bind, listen, accept). It defines a new socket address family (AF_VSOCK) and uses a (context id, port) pair of integers for identifying processes. The host system always has 2 as its context id while each guest VM is assigned a unique context id on startup.

    https://chromium.googlesource.com/chromiumos/platform2/+/9e91613d2da1b3d6cfb1c77681444e688ce99cf4/vm_tools/docs/vsock.md

    It was first suggested in #32802 (comment):

    I’m dockerizing Sjors’s Stratum V2 sidecar (bitcoin-mine) such that it’s able to reach a Bitcoin Core node running on the host.

    My host is macOS, and Docker is Linux, which means they don’t have a shared kernel and their Unix socket descriptors don’t match.

    It shouldn’t be too hard to support AF_VSOCK (virtio sockets) for communication between vm host and guest processes. These should be more secure and more performant than TCP sockets.

    Perhaps it’s useful for RPC too.

  2. willcl-ark added the label Brainstorming on Nov 18, 2025
  3. willcl-ark added the label interfaces on Nov 18, 2025
  4. ryanofsky commented at 9:47 pm on November 18, 2025: contributor

    It should be pretty easy to support vsock if we want that. I think it would only require a change to the ipc::ParseAddress function and updates to documentation and tests.

    TCP support could also be added by modifying the ParseAddress function, but I’d be wary of doing that since it would not really be safe without authentication (https://github.com/bitcoin/bitcoin/issues/32802#issuecomment-3000963484).

    I’m not sure if vsock support would actually be helpful for docker on mac. It would depend on whether docker for mac exposes any vsock options. I believe some hypervisors like qemu do, and others like virtualbox just don’t.

  5. Sjors commented at 8:47 am on November 19, 2025: member

    it would not really be safe without authentication

    And encryption, since we can’t use SSL.

  6. enirox001 commented at 8:48 am on March 19, 2026: contributor

    I looked into whether Docker for Mac exposes vsock in a usable way. Three things kick against it right now:

    • Docker deprecated it in April 2025 and removed it in 4.44. QEMU had a proper vhost-vsock-pci device; Apple Virtualization Framework (the replacement) uses vsock internally but doesn’t expose /dev/vsock to containers or user processes.
    • On Mac the topology is macOS → Linux VM → container. vsock is a two-party protocol, so a container binding vsock is talking to the Linux VM, not macOS where bitcoin-node is actually running.
    • Docker’s default seccomp profile has blocked socket(AF_VSOCK, ...) since v23.0 (moby/moby#44562). Containers need --privileged or a custom profile to use it at all.

    The ipc::ParseAddress change described would be straightforward; I have a draft with something already, but the Mac+Docker use case that motivated this issue can’t benefit from it until Docker exposes vsock properly or Apple’s Virtualization framework matures further.
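
Added example, not part of the thread and not Bitcoin Core code: a strict parser that turns a (context id, port) string into a `sockaddr_vm`, plus a probe that reports whether the current process is allowed to create `AF_VSOCK` sockets at all, which is the failure the seccomp point above describes. The `vsock:<cid>:<port>` syntax and the names `ParseVsockAddress` and `ProbeVsock` are hypothetical and are not the `ipc::ParseAddress` change or the draft mentioned in the comments.

```cpp
// Added example, not Bitcoin Core code; address syntax and names are hypothetical.
#include <sys/socket.h>
#include <linux/vm_sockets.h> // sockaddr_vm, VMADDR_CID_ANY, VMADDR_PORT_ANY (Linux only)
#include <unistd.h>
#include <cerrno>
#include <charconv>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <string_view>

// Strict decimal uint32: rejects empty input, signs, whitespace, overflow.
static std::optional<uint32_t> ParseU32(std::string_view s) {
    uint32_t v{0};
    const auto [p, ec] = std::from_chars(s.data(), s.data() + s.size(), v);
    if (ec != std::errc{} || p != s.data() + s.size()) return std::nullopt;
    return v;
}

// Parse "vsock:<cid>:<port>" into a connect() target. The wildcard CID and
// port are rejected because they are only meaningful for bind().
std::optional<sockaddr_vm> ParseVsockAddress(std::string_view addr) {
    constexpr std::string_view prefix{"vsock:"};
    if (addr.substr(0, prefix.size()) != prefix) return std::nullopt;
    addr.remove_prefix(prefix.size());
    const auto colon = addr.find(':');
    if (colon == std::string_view::npos) return std::nullopt;
    const auto cid = ParseU32(addr.substr(0, colon));
    const auto port = ParseU32(addr.substr(colon + 1));
    if (!cid || !port || *cid == VMADDR_CID_ANY || *port == VMADDR_PORT_ANY) return std::nullopt;
    sockaddr_vm sa{};
    sa.svm_family = AF_VSOCK;
    sa.svm_cid = *cid;
    sa.svm_port = *port;
    return sa;
}

// Returns 0 if this process may create AF_VSOCK sockets, else socket()'s errno
// (EAFNOSUPPORT: no kernel support; EPERM/EACCES: assumed sandbox denial).
int ProbeVsock() {
    const int fd = socket(AF_VSOCK, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

int main() {
    std::printf("AF_VSOCK probe errno: %d\n", ProbeVsock());
    return ParseVsockAddress("vsock:2:9000") ? 0 : 1;
}
```

Running the probe at startup lets a process report a policy denial separately from a connection failure, instead of surfacing both as a generic connect error.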

  7. Sjors commented at 9:27 am on March 19, 2026: member

    until Docker exposes vsock properly

    But if I understand your comment correctly, they’ve gone the opposite direction and deprecated it? Should I just close this?

  8. enirox001 commented at 9:39 am on March 19, 2026: contributor
    The use case that motivated this issue can’t benefit from vsock until Docker resolves these limitations. Would suggest closing for now.
  9. Sjors closed this on Mar 19, 2026


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-03-23 09:13 UTC
