Traditional container shares host kernel
gVisor has application kernel Sentry to execute system calls, securely.
kata has hardware virtualization to provide kernel per container.
gVisor https://github.com/google/gvisor
- Application kernel (Sentry). It includes Netstack (user space network stack)
- implements OCI runtime runsc
- isolation between app and host kernel (Gofer for access to filesystem) with seccomp
- Each pod is gVisor instance and container inside pod is process.
- Often used with SELinux or seccomp
- gVisor uses runsc binary instead of runc
- Sentry and Gofer communicates using 9P protocol (common n/w protocol by Bell Labs)
- more overhead to execute system calls using gVisor
Follow steps as per https://sbulav.github.io/certifications/cks-gvisor/ at all worker node.
We can see on worker node runsc-gopher and runsc-sandbox (santry) processes are running.
Kata https://katacontainers.io/
Speed of containers and security of VMs
Lightweight VM, plug into container eco system
hypervisors: QEMU, NEMU, Firecracker
Works with Docker and cri-o architecture. cri-o and containerd engine.
Intel's clear container is now part of kata container.
Kata containers are part of OSF Open Stack Foundation.
PouchContainer http://pouchcontainer.io/
Open source container engine by Alibaba.
Strong isolation
less runtime overhead
incremental image distribution
cross platform and cross OS
compatible with OCI spec
* Rich container: Can have multiple process + init process. Package fat application easily.
* Strong isolation: Can create VM
* Compatible with many kernel versions
* P2P image distribution
Use with K8s: https://github.com/alibaba/pouch/blob/master/docs/kubernetes/pouch_with_kubernetes_deploying.md
Firecracker https://github.com/firecracker-microvm/firecracker-containerd
to manage Firecracker microVM using containerd
Unik https://github.com/solo-io/unik
- Tool to compile app source into unikernels and microVM. Not binaries.
Unikernels are lightweight, immutable operating systems compiled specifically to run a single application. No ssh/telnet. Mostly no File System. single binary | process | address space | mode, no forked. no shell, so no "shell injection". Less code, so less bug so less likely buffer overflow.
- Simple docker-like CLI
- Good for IoT smart devices
1. Go code to Firecracker microVM
2. Python, Node.js, Go to rump (rumprun) unikernel
3. Java, Node.js, C, C++ to OSv unikernel
4. C++ to IncludeOS unikernel
5. OCaml to MirageOS unikernel
Supported Providers: Firecracker, Virtualbox, AWS, Google Cloud, vSphere, QEMU, UKVM, Xen, OpenStack, Photon Controller
=========
RuntimeClass
Enable at (1) Kube-apiserver and (2) kubelet
High level container runtime containerd support it. (1) cri-o and (2) docker are yet to support custom runtime configuration.
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
name: gvisor
handler: runsc //CRI Configuration
=======
apiVersion: v1
kind: Pod
metadata:
name: mypod
spec:
runtimeClassName: gvisor
CRI Configuration
* dockershim : Default. Does not support runtime handler
* containerd: [plugins.cri.containerd.runtimes.${HANDLER_NAME}] section at file /etc/containerd/config.toml
Reference: https://github.com/containerd/cri/blob/master/docs/config.md
* cri-o:
[crio.runtime.runtimes.${HANDLER_NAME}]
runtime_path = "${PATH_TO_BINARY}"
section at file /etc/crio/crio.conf
Reference: https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md#crioruntime-table
No comments:
Post a Comment