cyclone
kata-containers
cyclone | kata-containers | |
---|---|---|
7 | 11 | |
1 | 4,922 | |
- | 2.2% | |
10.0 | 10.0 | |
about 10 years ago | about 6 hours ago | |
C | Rust | |
GNU General Public License v3.0 only | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
cyclone
-
Maestro: A Linux-compatible kernel in Rust
One of the inspirations for Rust, as I recall, was Cyclone: https://cyclone.thelanguage.org/
Which was/is a "safe" dialect of C; basically C extended with a bunch of the stuff that made it into Rust (algebraic datatypes, pattern matching, etc.) Though its model of safety is not the borrow checker model that Rust has.
Always felt to me like something like Cyclone would be the natural direction for OS development to head in, as it fits better with existing codebases and skillsets.
In any case, I'm happy to see this stuff happening in Rust.
-
C for All
It sounds like they re-invented Cyclone.
https://cyclone.thelanguage.org
-
Is it possible to have a superset of the C programming languages standard that is as safe as Rust?
Looks like it was a research project and is now abandoned: http://cyclone.thelanguage.org
-
Need to learn FAST... Any recommendations for a free interactive rust course?
The borrow checker is Rust's secret sauce. It's the one thing no other language has. (Except Cyclone I think, which is an unmaintained research language.)
- What do you think about a C transpiler?
-
Is my method of programming wrong?
Also, lifetimes are not the mechanism by which Rust ensures safety - it's a necessary side-effect of the approach that Rust has taken, and this has nothing to do with the issues that "plague" other languages. Region-based memory management techniques are neither new nor really innovative. https://cyclone.thelanguage.org/, which directly inspired Rust, had them, and the authors gave up working on it because the ergonomics were terrible, as is the case with Rust. Lifetimes are needed for the Rust compiler to reason about what it can reasonably allow at compile time, but it, along with the Borrow Checker (which provides the actual safety net) ensures that whole swathes of valid programs are disallowed because the Rust compiler is not smart enough (and probably never will be) to check that these programs are valid.
- A Formal Model of Checked C
kata-containers
- Maestro: A Linux-compatible kernel in Rust
-
Fly Kubernetes
Seems like Fly.io Machines are trying reimplement Kata Containers with the Firecracker backend [0].
Kata has a guest image and guest agent to run multiple isolated containers [1].
[0] https://katacontainers.io/
[1] https://github.com/kata-containers/kata-containers/blob/main...
-
Kata Containers: Virtual Machines (VMs) that feel and perform like containers
> Last time I looked (a few months ago), the documentation was pretty sparse or outdated.
It still is, though it works somewhat seamlessly when installing with https://github.com/kata-containers/kata-containers/blob/main...
Though only one of the hypervisors works well.
-
Method to block possible internet traffic from LLaMA on MacOS
Better to use a secure VM, can even get container-like VMs with kata-containers
-
Kata Containers vs gVisor?
As I understand,Kata Containers
-
Firecracker MicroVMs
Kubernetes using Kata containers as a containerd backend
https://github.com/kata-containers/kata-containers/blob/main...
-
Container security best practices: Ultimate guide
My home k8s cluster is now "locked down" using micro-vms (kata-containers[0]), pod level firewalling (cilium[1]), permission-limited container users, and mostly immutable environments. Given how quickly I rolled this out; the tools to enhance cluster environment security seem more accessible now than my previous research a few years ago.
I know it's not exactly a production setup, but I really do feel that it's the most secure runtime environment I've ever had accessible at home. Probably more so than my desktops, which you could argue undermines most of my effort, but I like to think I'm pretty careful.
In the beginning I was very skeptical, but being able to just build a docker/OCI image and then manage its relationships with other services with "one pane of glass" that I can commit to git is so much simpler to me than my previous workflows. My previous setup involved messing with a bunch of tools like packer, cloud-init, terraform, ansible, libvirt, whatever firewall frontend was on the OS, and occasionally sshing in for anything not covered.
[0] https://github.com/kata-containers/kata-containers
-
Docker Without Docker
I'm really impressed by fly.io, and the candidness with which they share some of their really awesome technology. Being container-first is the next step for PaaS IMO and they are ahead of the pack.
I aim to build a platform like theirs someday (probably not any time soon) but I don't think I'd do any of what they're doing -- it feels unnecessary. Bear with me as I recently learned that they use nomad[0] and some of these suggestions are kubernetes projects but I'd love to hear why the following technologies were decided against (if they were):
- kata-containers[1] (it does the whole container -> VM flow for you, automatically, nemu, firecracker) with multiple VMM options[2]
- linuxkit[3] (let's say you didn't go with kata-containers, this is another container->VM path)
- firecracker-containerd[4] (very minimal keep-your-container-but-run-it-as-a-VM)
- kubevirt[5] (if you just want to actually run VMs, regardless of how you built them)
- Ceph[6] for storage -- make LVM pools and just give them to Ceph, you'll get blocks, distributed filesystems (CephFS), and object gateways (S3/Swift) out of it (in the k8s space Rook manages this)
As an aside to all this, there's also LXD, which supports running "system" (user namespace isolated) containers, VMs (somewhat recent[7][8]), live migration via criu[9], management/migration of underlying filesystems, runs on LVM or zfs[10], it's basically all-in-one, but does fall behind in terms of ecosystem since everyone else is aboard the "cloud native"/"works-with-kubernetes" train.
I've basically how I plan to run a service like fly.io if I ever did -- so maybe my secret is out, but I sure would like to know just how much of this fly.io got built on (if any of it), and/or what was turned down.
[0]: https://news.ycombinator.com/item?id=26745514
[1]: https://github.com/kata-containers/kata-containers
[2]: https://github.com/kata-containers/kata-containers/blob/2fc7...
[3]: https://github.com/linuxkit/linuxkit
[4]: https://github.com/firecracker-microvm/firecracker-container...
[5]: https://github.com/kubevirt/kubevirt
[6]: https://docs.ceph.com/
[7]: https://discuss.linuxcontainers.org/t/running-virtual-machin...
[8]: https://github.com/lxc/lxd/issues/6205
[9]: https://criu.org/Main_Page
[10]: https://linuxcontainers.org/lxd/docs/master/storage
-
Checking Your --privileged Container
Kata Containers https://github.com/kata-containers/kata-containers
What are some alternatives?
cyclonic - WIP port of cyclone to modern platforms
firecracker-containerd - firecracker-containerd enables containerd to manage containers as Firecracker microVMs
cedro - C programming language extension: Cedro pre-processor
kubevirt - Kubernetes Virtualization API and runtime in order to define and manage virtual machines.
cake - Cake a C23 front end and transpiler written in C
lxd - Powerful system container and virtual machine manager [Moved to: https://github.com/canonical/lxd]
cyclone
sysbox - An open-source, next-generation "runc" that empowers rootless containers to run workloads such as Systemd, Docker, Kubernetes, just like VMs.
BorrowScript - TypeScript with a Borrow Checker. Multi-threaded, Tiny binaries. No GC. Easy to write.
gvisor - Application Kernel for Containers
checkedc-clang - This repo contains a version of clang that is being modified to support Checked C. Checked C is an extension to C that lets programmers write C code that is guaranteed by the compiler to be type-safe.
ignite - Ignite a Firecracker microVM