kuasar
gvisor
kuasar | gvisor | |
---|---|---|
5 | 74 | |
1,273 | 15,890 | |
1.3% | 0.7% | |
8.4 | 9.9 | |
about 1 month ago | 4 days ago | |
Rust | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
kuasar
- My VM is lighter (and safer) than your container
-
The advantage of WASM compared with container runtimes
Right now most early examples alas boot a container with a wasm runtime for each wasm instance, which is a sad waste. The whole advantage of wasm should be very lightweight low overhead wasm runtime instances atop a common wasm process. Having a process or container for each instance loses a ton of the benefit, makes it not much better than a regular container.
Thankfully there is work like the Containerd Sandbox API which enables new architectures like this. https://github.com/containerd/containerd/issues/4131
It's still being used to spawn a wasm processes per instance for now, but container runtime project Kuasar is already using the Sandbox API to save significant resources, and has already chimed in in comments on HN to express a desire to have shared-process/multi-wasm-instamxe runtimes, which could indeed allow sub ms spawning that could enable instance per request architectures. https://github.com/kuasar-io/kuasar
- FLaNK Stack Weekly for 30 April 2023
- Kuasar - A Container Runtime in Rust
- Kuasar: An efficient multi-sandbox container runtime
gvisor
-
Lies we tell ourselves to keep using Golang
To be pedantic for a moment...
> You can't use Go to write a kernel ...
Not a production kernel, but MIT did use Go to "study the performance trade-offs of using a high-level language with garbage collection to implement a kernel" [1]
There is also gVisor [2] which implements, as best as I can describe, a kernel in user space. It's intent is to intercept syscalls made in containers and to redirect its execution in a sandbox.
> ... program a microcontroller ...
I'm not sure if one would classify this as a microcontroller, but USB Armory did write a, iirc, Go compliant runtime for bare metal ARM and RISC-V [3]
[1] https://github.com/mit-pdos/biscuit
[2] https://gvisor.dev/
[3] https://github.com/usbarmory/tamago
-
Comparing 3 Docker container runtimes - Runc, gVisor and Kata Containers
Although the documentation also mentions "youki", that is mentioned as a "drop-in replacement" of the default runtime basically doing the same, so let's stick with runc. The second runtime will be Kata runtime from Kata containers, since it runs small virtual machines which is good for showing how differently it uses the CPU and memory. This also adds a higher level of isolation with some downsides as well. And the third runtime will be runsc from gVisor which is a perfect third runtime to see how we can run containers and still have a little more secure isolation. I will show how we can recognize the differences by running commands from the isolated environments and from the host.
-
GVisor: Linux-Compatible Sandbox
I find the README of the repo much better to quickly understand what this software is and isn't.
https://github.com/google/gvisor
-
Unfashionably secure: why we use isolated VMs
If you think about it virtualization is just a narrowing of the application-kernel interface. In a standard setting the application has a wide kernel interface available to it with dozens (ex. seccomp) to 100's of syscalls. A vulnerablility in any one of which could result in complete system compromise.
With virtualization the attack surface is narrowed to pretty much just the virtualization interface.
The problem with current virtualization (or more specifically, the VMM's) is that it can be cumbersome, for example memory management is a serious annoyance. The kernel is built to hog memory for cache and etc. but you don't want the guest to be doing that - since you want to overcommit memory as guests will rarely use 100% of what is given to them (especially when the guest is just a jailed singular application), workarounds such as free page reporting and drop_caches hacks exist.
I would expect eventually to see high performance custom kernels for a application jails - for example: gVisor[1] acts as a syscall interceptor (and can use KVM too!) and a custom kernel. Or a modified linux kernel with patched pain points for the guest.
[1] <https://gvisor.dev/>
- Syd the perhaps most sophisticated sandbox for Linux
-
Hacking Alibaba Cloud's Kubernetes Cluster
Hillai: Following our research, Alibaba took several steps to address the vulnerabilities we discovered. They limited image pull secret permissions to read-only access, preventing unauthorized uploads. Additionally, they implemented a secure container technology similar to Google's gVisor project. This technology hardens containers and makes them more difficult to escape from, adding another layer of security.
-
We Improved the Performance of a Userspace TCP Stack in Go by 5X
If you want to use netstack without Bazel, just use the go branch:
https://github.com/google/gvisor/tree/go
go get gvisor.dev/gvisor/pkg/tcpip@go
The go branch is auto generated with all of the generated code checked in.
- My VM is lighter (and safer) than your container
-
Maestro: A Linux-compatible kernel in Rust
Isn't gVisor kind of this as well?
"gVisor is an application kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects. Unlike most kernels, gVisor does not assume or require a fixed set of physical resources; instead, it leverages existing host kernel functionality and runs as a normal process. In other words, gVisor implements Linux by way of Linux."
https://github.com/google/gvisor
- Google/Gvisor: Application Kernel for Containers
What are some alternatives?
pandas-ai - Chat with your database (SQL, CSV, pandas, polars, mongodb, noSQL, etc). PandasAI makes data analysis conversational using LLMs (GPT 3.5 / 4, Anthropic, VertexAI) and RAG.
firecracker - Secure and fast microVMs for serverless computing.
agorakube - Agorakube is a Certified Kubernetes Distribution built on top of CNCF ecosystem that provides an enterprise grade solution following best practices to manage a conformant Kubernetes cluster for on-premise and public cloud providers.
podman - Podman: A tool for managing OCI containers and pods.
oxia - Oxia - Metadata store and coordination system
wsl-vpnkit - Provides network connectivity to WSL 2 when blocked by VPN
HealthGPT - Query your Apple Health data with natural language 💬 🩺
kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
keras-ocr - A packaged and flexible version of the CRAFT text detector and Keras CRNN recognition model.
sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
containerd - An open and reliable container runtime