3. Install: Runtime sandbox for container isolation
Traditional containers share the host kernel, so a kernel bug reachable from inside a container is a host compromise.
gVisor interposes an application kernel (Sentry) that services the container's system calls in user space, so the host kernel only ever sees a small, filtered set of calls.
Kata Containers uses hardware virtualization to give each pod its own guest kernel.
gVisor https://github.com/google/gvisor
- Application kernel (Sentry), written in Go. It includes Netstack, a user-space network stack.
- Implements the OCI runtime interface as the runsc binary, so it is used in place of runc.
- Isolates the application from the host kernel: Sentry runs under a restrictive seccomp filter, and a separate Gofer process mediates file-system access on its behalf.
- Each pod is one gVisor sandbox; the containers inside the pod run as processes within that sandbox.
- Often combined with SELinux or seccomp on the host.
- Sentry and Gofer communicate over 9P (the Plan 9 file protocol from Bell Labs); newer gVisor releases use its own LISAFS protocol instead.
- System calls cost more than in a plain container because each one is intercepted and emulated by Sentry; syscall-heavy workloads see the largest slowdown.
Follow the steps at https://sbulav.github.io/certifications/cks-gvisor/ on every worker node.
Once a sandboxed pod is running, the worker node shows a runsc-gofer process and a runsc-sandbox (Sentry) process for it.
Kata https://katacontainers.io/
Speed of containers, security of VMs.
Lightweight VMs that plug into the container ecosystem.
Hypervisors: QEMU, NEMU (since discontinued), Firecracker; recent releases also support Cloud Hypervisor.
Works with Docker, and with cri-o or containerd as the CRI engine.
Intel's Clear Containers project merged into Kata Containers.
Kata Containers is hosted by the OpenStack Foundation (renamed the Open Infrastructure Foundation in 2020).
PouchContainer http://pouchcontainer.io/
Open-source container engine from Alibaba.
Strong isolation
Less runtime overhead
Incremental image distribution
Cross-platform and cross-OS
Compatible with the OCI spec
* Rich container: multiple processes plus an init process, so a fat (multi-process) application packages easily.
* Strong isolation: the container can be run inside a VM.
* Compatible with many kernel versions
* P2P image distribution
Use with K8s: https://github.com/alibaba/pouch/blob/master/docs/kubernetes/pouch_with_kubernetes_deploying.md
Firecracker https://github.com/firecracker-microvm/firecracker-containerd
firecracker-containerd lets containerd manage Firecracker microVMs as container sandboxes.
Unik https://github.com/solo-io/unik
- Tool that compiles application source into unikernel images or microVMs, rather than producing ordinary binaries.
Unikernels are lightweight, immutable operating systems compiled to run a single application. No ssh/telnet; mostly no file system; a single binary, single process, single address space and single privilege mode (no fork). No shell, so a "shell injection" has nothing to invoke. Far less code, so fewer bugs and a much smaller attack surface (this reduces, but does not eliminate, memory-safety bugs such as buffer overflows).
- Simple Docker-like CLI
- Good for IoT / smart devices
1. Go code to Firecracker microVM
2. Python, Node.js, Go to rump (rumprun) unikernel
3. Java, Node.js, C, C++ to OSv unikernel
4. C++ to IncludeOS unikernel
5. OCaml to MirageOS unikernel
Supported Providers: Firecracker, Virtualbox, AWS, Google Cloud, vSphere, QEMU, UKVM, Xen, OpenStack, Photon Controller
=========
RuntimeClass
Needs the RuntimeClass feature on both (1) kube-apiserver and (2) kubelet (enabled by default since Kubernetes 1.14, GA in 1.20).
The CRI runtime must support runtime handlers: containerd and cri-o do; the Docker shim (dockershim) does not, so it cannot run per-pod custom runtimes.
apiVersion: node.k8s.io/v1   # v1beta1 was removed in Kubernetes 1.25
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc   # must match the handler name in the CRI configuration
=======
apiVersion: v1
kind: Pod
metadata:
  name: mypod
spec:
  runtimeClassName: gvisor
CRI Configuration
* dockershim: the old default; does not support runtime handlers (and was removed in Kubernetes 1.24).
* containerd: a [plugins.cri.containerd.runtimes.${HANDLER_NAME}] section in /etc/containerd/config.toml (config version 1). With config version 2 the section is [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.${HANDLER_NAME}], and for gVisor it sets runtime_type = "io.containerd.runsc.v1" (served by the containerd-shim-runsc-v1 binary).
Reference: https://github.com/containerd/cri/blob/master/docs/config.md
* cri-o:
  [crio.runtime.runtimes.${HANDLER_NAME}]
  runtime_path = "${PATH_TO_BINARY}"
  section in /etc/crio/crio.conf
Reference: https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md#crioruntime-table
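Putting the worker-node install steps and the RuntimeClass wiring together, as an added example (not from this page, nor from the gVisor, containerd or Kubernetes projects): a shell script that appends the runsc handler to containerd's config (version 2 layout), emits the RuntimeClass and a test pod, and then checks that the pod really landed in the sandbox by looking for gVisor's own banner in the pod's dmesg (Sentry answers dmesg itself, so a runc pod would show the host ring buffer instead). It assumes runsc and containerd-shim-runsc-v1 are already on the node's PATH (the install steps linked above), that containerd uses the version 2 config format, and that kubectl is configured; the handler name, file paths and pod name are illustrative. Nothing is changed until the script is invoked with `apply`; otherwise it only defines functions.

```shell
#!/usr/bin/env bash
# Added example: wire gVisor's runsc into containerd as a RuntimeClass handler,
# run a pod on it and verify the pod is actually sandboxed. Paths and names are
# assumptions for illustration; adjust them for your cluster.
set -eu

CONTAINERD_CONFIG="${CONTAINERD_CONFIG:-/etc/containerd/config.toml}"
HANDLER="${HANDLER:-runsc}"   # name referenced by the RuntimeClass .handler field

# 1. containerd side (config version 2 layout; the older
#    [plugins.cri.containerd.runtimes.X] path is the version 1 layout).
containerd_runsc_section() {
  cat <<EOF
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.${HANDLER}]
  runtime_type = "io.containerd.runsc.v1"
EOF
}

# Append the handler section once; re-running must not duplicate it.
add_containerd_handler() {   # $1 = path to config.toml
  local cfg="$1"
  if grep -qF "runtimes.${HANDLER}]" "$cfg" 2>/dev/null; then
    return 0
  fi
  containerd_runsc_section >> "$cfg"
}

# 2. Kubernetes side: the RuntimeClass and a pod that selects it.
runtimeclass_manifest() {
  cat <<EOF
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: ${HANDLER}
EOF
}

sandbox_pod_manifest() {     # $1 = pod name
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  runtimeClassName: gvisor
  containers:
  - name: shell
    image: busybox
    command: ["sleep", "3600"]
EOF
}

# 3. Verification. Inside a gVisor sandbox the syslog syscall is served by Sentry
#    and its boot banner names gVisor; under runc you get the host kernel's
#    ring buffer (or EPERM), neither of which mentions gVisor.
is_gvisor_dmesg() {          # $1 = captured dmesg text; 0 if it came from Sentry
  printf '%s\n' "$1" | grep -q 'gVisor'
}

verify_pod_sandboxed() {     # $1 = pod name
  local out
  out="$(kubectl exec "$1" -- dmesg 2>/dev/null || true)"
  is_gvisor_dmesg "$out"
}

# Only act when invoked explicitly, so the file can be sourced for its functions.
if [ "${1:-}" = "apply" ]; then
  add_containerd_handler "$CONTAINERD_CONFIG"
  systemctl restart containerd
  runtimeclass_manifest | kubectl apply -f -
  sandbox_pod_manifest mypod | kubectl apply -f -
  kubectl wait --for=condition=Ready pod/mypod --timeout=120s
  if verify_pod_sandboxed mypod; then
    echo "mypod is running under gVisor"
  else
    echo "mypod is NOT sandboxed: check the RuntimeClass handler and containerd config" >&2
    exit 1
  fi
fi
```

The dmesg check is the point of the script: a RuntimeClass that names a handler containerd does not know about fails the pod, but a RuntimeClass pointing at the wrong handler (say, a runc alias) silently gives you an unsandboxed pod, and only a look inside the pod catches that.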