Tart – open source virtualization for Apple Silicon
5 projects | reddit.com/r/devops | 10 May 2022
One of the most interesting/unique features is the integration with OCI-compatible container registries. Tart can pull/push virtual machines from/to a registry. This feature was inspired by OCI Artifacts initiative.
OS in Go? Why Not
2 projects | news.ycombinator.com | 21 May 2023
There are two major production-ready Go-based operating system(-ish) projects:
- Google's gVisor (a re-implementation of a significant subset of the Linux syscall ABI for isolation, also mentioned in the article)
- USBArmory's Tamago (a single-threaded bare-metal Go runtime for SOCs)
Both of these are security-focused with a clear trade-off: sacrifice some performance for memory safety and excellent readability (and auditability). I feel like that's the sweet spot for low-level Go - projects that need memory safety but would rather trade some performance for simplicity.
Tunwg: Expose your Go HTTP servers online with end to end TLS
2 projects | reddit.com/r/golang | 2 May 2023
It uses gVisor to create a TCP/IP stack in userspace, and starts a wireguard interface on it, which the HTTP server from http.Serve listens on. The library will print a URL after startup, where you can access your server. You can create multiple listeners in one binary.
How does go playground work?
3 projects | reddit.com/r/golang | 30 Apr 2023
The playground compiles the program with GOOS=linux, GOARCH=amd64 and runs the program with gVisor. Detailed documentation is available at the gVisor site.
Searchable Linux Syscall Table for x86 and x86_64
7 projects | news.ycombinator.com | 14 Apr 2023
Multi-tenancy in Kubernetes
13 projects | dev.to | 10 Apr 2023
You could use a container sandbox like gVisor, light virtual machines as containers (Kata containers, firecracker + containerd) or full virtual machines (virtlet as a CRI).
Firecracker internals: deep dive inside the technology powering AWS Lambda (2021)
9 projects | news.ycombinator.com | 27 Feb 2023
An analogous project from Google with similar use cases is gvisor, which IIRC underlies Cloud Run: https://gvisor.dev/
Why did the Krustlet project die?
6 projects | reddit.com/r/kubernetes | 14 Jan 2023
Yeah, runtimeClass lets you specify which CRI plugin you want based on what you have available. Here's an example from the containerd documentation - you could have one node that can run containers under standard runc, gvisor, kata containers, or WASM. Without runtimeClass, you'd need either some form of custom solution or four differently configured nodes to run those different runtimes. That's how krustlet did it - you'd have kubelet/containerd nodes and krustlet/wasm nodes, and could only run the appropriate workload on each node type.
Do I need kata containers?
2 projects | reddit.com/r/kubernetes | 11 Jan 2023
It all depends on your use-case and expectations. You should definitely check out gVisor. It creates a userspace isolated kernel for every container, thus making it sandboxed. The workloads then still run inside a container, not a stripped-down OCI-compatible VM as in Kata.
I'm releasing cargo-sandbox
9 projects | reddit.com/r/rust | 2 Jan 2023
The Linux kernel has a huge attack surface, and privilege escalation vulnerabilities abound. This is why https://gvisor.dev/ exists - it's a memory-safe proxy for Linux syscalls. This is also why Chrome OS runs its Linux environment in a custom hypervisor written in Rust instead of containers.
Userspace isn't slow, some kernel interfaces are
4 projects | news.ycombinator.com | 13 Dec 2022
I can chime in with some optimizations (linux).
For normal UDP sockets UDP_GRO and UDP_SEGMENT can be faster than sendmmsg/recvmmsg.
In gVisor they decided that read/write from tun is slow, so they did PACKET_MMAP on a raw socket instead. AFAIU they just ignore the tap device and run a raw socket on it. Dumping packets from a raw socket has a faster interface than the device itself.
What are some alternatives?
firecracker - Secure and fast microVMs for serverless computing.
podman - Podman: A tool for managing OCI containers and pods.
wsl-vpnkit - Provides network connectivity to WSL 2 when blocked by VPN
kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
containerd - An open and reliable container runtime
sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
KubeArmor - Cloud-native Runtime Security Enforcement System. [CNCF Sandbox Project]
WSL - Issues found on WSL
podman-desktop - launch and setup vms for podman
unikernels - State of the art for unikernels
for-mac - Bug reports for Docker Desktop for Mac
UTM - Virtual machines for iOS and macOS