kata-containers
sysbox
kata-containers | sysbox | |
---|---|---|
13 | 23 | |
5,414 | 2,736 | |
2.5% | 2.2% | |
10.0 | 8.7 | |
3 days ago | 11 days ago | |
Rust | Shell | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
kata-containers
-
Unfashionably secure: why we use isolated VMs
> I actually wonder how much "overhead" a VM actually has. i.e. a linux kernel that doesn't do anything (say perhaps just boots to an init that mounts proc and every n seconds read in/prints out /proc/meminfo) how much memory would the kernel actually be using?
There's already some memory sharing available using DAX in Kata Containers at least: https://github.com/kata-containers/kata-containers/blob/main...
- My VM is lighter (and safer) than your container
- Maestro: A Linux-compatible kernel in Rust
-
Fly Kubernetes
Seems like Fly.io Machines are trying reimplement Kata Containers with the Firecracker backend [0].
Kata has a guest image and guest agent to run multiple isolated containers [1].
[0] https://katacontainers.io/
[1] https://github.com/kata-containers/kata-containers/blob/main...
-
Kata Containers: Virtual Machines (VMs) that feel and perform like containers
> Last time I looked (a few months ago), the documentation was pretty sparse or outdated.
It still is, though it works somewhat seamlessly when installing with https://github.com/kata-containers/kata-containers/blob/main...
Though only one of the hypervisors works well.
-
Method to block possible internet traffic from LLaMA on MacOS
Better to use a secure VM, can even get container-like VMs with kata-containers
-
Kata Containers vs gVisor?
As I understand,Kata Containers
-
Firecracker MicroVMs
Kubernetes using Kata containers as a containerd backend
https://github.com/kata-containers/kata-containers/blob/main...
-
Container security best practices: Ultimate guide
My home k8s cluster is now "locked down" using micro-vms (kata-containers[0]), pod level firewalling (cilium[1]), permission-limited container users, and mostly immutable environments. Given how quickly I rolled this out; the tools to enhance cluster environment security seem more accessible now than my previous research a few years ago.
I know it's not exactly a production setup, but I really do feel that it's the most secure runtime environment I've ever had accessible at home. Probably more so than my desktops, which you could argue undermines most of my effort, but I like to think I'm pretty careful.
In the beginning I was very skeptical, but being able to just build a docker/OCI image and then manage its relationships with other services with "one pane of glass" that I can commit to git is so much simpler to me than my previous workflows. My previous setup involved messing with a bunch of tools like packer, cloud-init, terraform, ansible, libvirt, whatever firewall frontend was on the OS, and occasionally sshing in for anything not covered.
[0] https://github.com/kata-containers/kata-containers
- Docker Without Docker
sysbox
-
Running Untrusted JavaScript Code
Moreover, you might benefit from taking a look at sysbox, a VM-like container runtime that provides a more secure environment. Sysbox is worth it, especially if the main app is running in a container, which means that you'll be running Docker in Docker.
-
Podman Desktop: A Free OSS Alternative to Docker Desktop
You are probably referring to Sysbox (https://github.com/nestybox/sysbox), which I believe will meet your requirements (systemd, inner containers, security, etc).
Btw, Sysbox is already supported in Docker-Desktop (business tier only), so you can easily do what you want with this instruction:
$ docker run -it --rm -e SYSBOX_SYSCONT_MODE=TRUE nestybox/ubuntu-focal-systemd-docker:latest bash
Disclaimer: I'm Sysbox's co-creator and currently working for Docker.
- Sysbox: VM-Like Containers
- What companies are using golang and have source code in github?
-
SELinux is unmanageable; just turn it off if it gets in your way
One project in this space that looked quite promising to me is sysbox[0]. I've used them once for a gitlab runner set-up similar to what is described in their blog[1].
It's currently working great and I have not had any major crashes/incidents for at least the past 8 months.
[0]: https://github.com/nestybox/sysbox
[1]: https://blog.nestybox.com/2020/10/21/gitlab-dind.html
-
Jenkins in Docker: Running Docker in a Jenkins container
Today, things are very different. Docker-in-Docker has a more secure and safe approach with rootless containers and freemium tools like sysbox. Tools like sysbox let you run Docker-in-Docker without the -privileged flag and optimizes specific scenarios, like running multiple nodes of a Kubernetes cluster as ordinary containers.
-
Run untrusted code in sandbox
Right now I am going with sysbox rootless containers. https://github.com/nestybox/sysbox
-
Real-world stories of how we’ve compromised CI/CD pipelines
We’ve been using Sysbox (https://github.com/nestybox/sysbox) for our Buildkite based CI/CD setup, allows docker-in-docker without privileged containers. Paired with careful IAM/STS design we’ve ended up with isolated job containers with their own IAM roles limited to least-privilege.
-
Individual Docker Desktops vs hosting on a server?
A good alternative to the VM approach is to use Kubernetes + Sysbox (a next-gen "runc", free, open-source).
- Sysbox now works on K8s v1.21
What are some alternatives?
firecracker-containerd - firecracker-containerd enables containerd to manage containers as Firecracker microVMs
containerd - An open and reliable container runtime
kubevirt - Kubernetes Virtualization API and runtime in order to define and manage virtual machines.
gvisor - Application Kernel for Containers
lxd - Powerful system container and virtual machine manager [Moved to: https://github.com/canonical/lxd]
dind - Docker in Docker
gatekeeper - 🐊 Gatekeeper - Policy Controller for Kubernetes
ignite - Ignite a Firecracker microVM
snekbox - Easy, safe evaluation of arbitrary Python code
cloud-hypervisor - A Virtual Machine Monitor for modern Cloud workloads. Features include CPU, memory and device hotplug, support for running Windows and Linux guests, device offload with vhost-user and a minimal compact footprint. Written in Rust with a strong focus on security.
vm2 - Advanced vm/sandbox for Node.js