net_tap: change TapHandle from device name to pre-opened fd #3181
Open
jstarks wants to merge 3 commits into microsoft:main from
Pull request overview
Moves TAP device opening out of the net_tap resolver and into the caller by changing TapHandle (in net_backend_resources) to carry a pre-opened OwnedFd, enabling more control over namespaces/permissions and supporting fd passing scenarios. It also tightens TAP-related code from cfg(unix) to Linux-only since TAP relies on Linux /dev/net/tun ioctls.
Changes:
- Change TapHandle from device name (String) to a pre-opened OwnedFd, and update the TAP resolver to use it directly.
- Move TAP opening to openvmm_entry (CLI and ttrpc/grpc paths) so the entrypoint controls how the fd is obtained.
- Restrict net_tap and TAP resources to target_os = "linux" and update dependencies accordingly.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| vm/devices/net/net_tap/src/resolver.rs | Stop opening TAP by name; construct Tap from the fd in TapHandle. |
| vm/devices/net/net_tap/src/lib.rs | Make the crate Linux-only (cfg(target_os = "linux")). |
| vm/devices/net/net_tap/Cargo.toml | Switch target-specific deps/dev-deps from cfg(unix) to Linux-only. |
| vm/devices/net/net_backend_resources/src/lib.rs | Change TapHandle to carry OwnedFd; gate the tap module to Linux. |
| openvmm/openvmm_entry/src/ttrpc/mod.rs | Open TAP in the entrypoint for ttrpc/grpc NIC configs and pass fd via TapHandle. |
| openvmm/openvmm_entry/src/lib.rs | Open TAP in CLI parsing on Linux; produce a clear error on non-Linux. |
| openvmm/openvmm_entry/Cargo.toml | Add net_tap dependency only on Linux. |
| Cargo.lock | Lockfile updated to include net_tap as a dependency of openvmm_entry. |
chris-oo (Member) reviewed Apr 2, 2026 and left a comment:
Looks reasonable to me, but do we need the tap filename as part of the context, or is it part of the upper chained context?
TapHandle in net_backend_resources carried a device name string and the resolver opened the TAP device. Change it to carry a pre-opened OwnedFd so the opener (openvmm_entry or a test harness) controls namespace and permission details. This resolves a long-standing TODO and enables fd passing from Kata and similar environments. Also tighten both TapHandle and net_tap from cfg(unix) to cfg(target_os = "linux") since TAP uses Linux-specific /dev/net/tun ioctls.
jstarks (Member, Author):
Added the context to the errors.
chris-oo approved these changes Apr 3, 2026
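The ownership split this PR describes, sketched as an added example (not code from the PR or the OpenVMM repository): the opener issues TUNSETIFF on /dev/net/tun under its own namespace and privileges, and the consumer receives only an OwnedFd. `TapHandleSketch`, `IfReq`, `build_ifreq`, `open_tap` and `resolve` are hypothetical names, and the IFF_NO_PI flag is an assumption.

```rust
use std::ffi::{c_int, c_ulong};
use std::os::fd::{AsRawFd, OwnedFd};
use std::{fs::{File, OpenOptions}, io};

// Linux UAPI values from <linux/if_tun.h>.
const TUNSETIFF: c_ulong = 0x4004_54ca;
const IFF_TAP: i16 = 0x0002;
const IFF_NO_PI: i16 = 0x1000; // assumption: no packet-info header wanted
const IFNAMSIZ: usize = 16;

unsafe extern "C" {
    fn ioctl(fd: c_int, request: c_ulong, ...) -> c_int;
}

/// Same size as `struct ifreq` on 64-bit Linux: 16-byte name + 24-byte union.
#[repr(C)]
pub struct IfReq {
    pub name: [u8; IFNAMSIZ],
    pub flags: i16,
    _pad: [u8; 22],
}

/// Hypothetical stand-in for the PR's `TapHandle`: an open fd, not a name.
pub struct TapHandleSketch { pub fd: OwnedFd }

/// Builds the TUNSETIFF request, rejecting names that cannot fit with a NUL.
pub fn build_ifreq(name: &str) -> io::Result<IfReq> {
    let b = name.as_bytes();
    if b.is_empty() || b.len() >= IFNAMSIZ || b.contains(&0) {
        return Err(io::Error::new(io::ErrorKind::InvalidInput, "bad TAP name"));
    }
    let mut req = IfReq { name: [0; IFNAMSIZ], flags: IFF_TAP | IFF_NO_PI, _pad: [0; 22] };
    req.name[..b.len()].copy_from_slice(b);
    Ok(req)
}

/// Opener side: runs with the caller's namespace and privileges.
pub fn open_tap(name: &str) -> io::Result<TapHandleSketch> {
    let mut req = build_ifreq(name)?;
    let file = OpenOptions::new().read(true).write(true).open("/dev/net/tun")?;
    // SAFETY: `req` is a live, writable buffer of ifreq size for this call.
    if unsafe { ioctl(file.as_raw_fd(), TUNSETIFF, &mut req as *mut IfReq) } < 0 {
        return Err(io::Error::last_os_error());
    }
    Ok(TapHandleSketch { fd: file.into() })
}

/// Consumer side: takes ownership of the fd; no device name, no path open.
pub fn resolve(handle: TapHandleSketch) -> File {
    File::from(handle.fd)
}
```

Because the consumer holds only the fd, it can run without access to /dev/net/tun or CAP_NET_ADMIN, and the fd is closed when the returned `File` is dropped.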