Skip to content

Bug: vAccel vsock CID collisions due to small hash space in idToGuestCID #795

Description

@Priya-Sharma25

Description

While looking through the vAccel implementation, I noticed a collision issue in pkg/unikontainers/vaccel.go. The idToGuestCID function maps the 64-char container ID to a vsock Guest CID by summing the character values and doing a modulo 97:

val := (sum % 97) + 3

Because this limits the CID space to only 97 possible values, we hit the Birthday Paradox pretty hard. With just 12 running vAccel containers, there's a 50% chance of a CID collision. At 20-30 containers, a collision is almost guaranteed.

If two containers get assigned the same vsock CID, their vAccel RPC communication will interfere with each other and break.

Steps to reproduce

You can verify this statically without even running a container. If you generate a few standard 64-character container IDs and pass them through idToGuestCID(), you'll get collisions very quickly.

For example, both of these container IDs result in Guest CID 59:

  • 7c0a766c0569f883ea6d29b59f73e62e13845e18c39278e1e9ba7b7109314255
  • 60542bd0f913ed3a3a893132dc9726d8a58bcb0035dad42b9c241807fc73ce46

Proposed Fix

We should replace the ASCII sum with a proper hash function (like hash/fnv). Using a 32-bit FNV-1a hash would expand the CID space to over 2 billion, which completely eliminates the collision risk for standard node deployments.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions