sysbox
kata-containers
Our great sponsors
sysbox | kata-containers | |
---|---|---|
22 | 11 | |
2,471 | 4,768 | |
3.2% | 3.6% | |
8.5 | 10.0 | |
5 days ago | about 12 hours ago | |
Shell | Rust | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sysbox
-
Podman Desktop: A Free OSS Alternative to Docker Desktop
You are probably referring to Sysbox (https://github.com/nestybox/sysbox), which I believe will meet your requirements (systemd, inner containers, security, etc).
Btw, Sysbox is already supported in Docker-Desktop (business tier only), so you can easily do what you want with this instruction:
$ docker run -it --rm -e SYSBOX_SYSCONT_MODE=TRUE nestybox/ubuntu-focal-systemd-docker:latest bash
Disclaimer: I'm Sysbox's co-creator and currently working for Docker.
- What companies are using golang and have source code in github?
-
SELinux is unmanageable; just turn it off if it gets in your way
One project in this space that looked quite promising to me is sysbox[0]. I've used them once for a gitlab runner set-up similar to what is described in their blog[1].
It's currently working great and I have not had any major crashes/incidents for at least the past 8 months.
-
Jenkins in Docker: Running Docker in a Jenkins container
Today, things are very different. Docker-in-Docker has a more secure and safe approach with rootless containers and freemium tools like sysbox. Tools like sysbox let you run Docker-in-Docker without the -privileged flag and optimizes specific scenarios, like running multiple nodes of a Kubernetes cluster as ordinary containers.
-
Run untrusted code in sandbox
Right now I am going with sysbox rootless containers. https://github.com/nestybox/sysbox
-
Real-world stories of how we’ve compromised CI/CD pipelines
We’ve been using Sysbox (https://github.com/nestybox/sysbox) for our Buildkite based CI/CD setup, allows docker-in-docker without privileged containers. Paired with careful IAM/STS design we’ve ended up with isolated job containers with their own IAM roles limited to least-privilege.
-
Run Portainer from Portainer stack (chicken or egg)
This is what I would do instead. Install Sysbox in your host (assuming Linux) and launch a system-container inside of which all your app containers will live, including a dedicated docker engine and portainer itself. By doing this you are isolating your host, while at the same time, you are achieving your goal of encapsulating your entire stack in a single docker image, which you can now take with you anywhere and re-instantiate by doing a simple docker run.
-
Weird question: Is it possible to run docker inside of a docker instance?
See http://jpetazzo.github.io/2015/09/03/do-not-use-docker-in-docker-for-ci/ and https://github.com/nestybox/sysbox
-
How can I limit the container run time?
Maybe sysbox can do what you want.
-
Checking Your --privileged Container
He updated it last year to add: >Update (July 2020) : when I wrote this blog post in 2015, the only way to run Docker-in-Docker was to use the -privileged flag in Docker. Today, the landscape is very different. Container security and sandboxing advanced very significantly, with e.g. rootless containers and tools like sysbox. The latter lets you run Docker-in-Docker without the -privileged flag, and even comes with optimizations for some specific scenarios, like running multiple nodes of a Kubernetes cluster as ordinary containers. This article has been updated to reflect that!
kata-containers
- Maestro: A Linux-compatible kernel in Rust
-
Fly Kubernetes
Seems like Fly.io Machines are trying reimplement Kata Containers with the Firecracker backend [0].
Kata has a guest image and guest agent to run multiple isolated containers [1].
[0] https://katacontainers.io/
[1] https://github.com/kata-containers/kata-containers/blob/main...
-
Kata Containers: Virtual Machines (VMs) that feel and perform like containers
If you install kata with https://github.com/kata-containers/kata-containers/blob/main...
Then you just use it with:
docker run --runtime io.containerd.kata.v2 --rm -it hello-world
Kara used “DAX” to directly share access of the host filesystem to the guest kernel. I thought this was pretty interesting, but it sounds like a possible spot to start a jailbreak.
> Mapping as a direct access device allows the guest to directly access the host memory pages (such as via Execute In Place (XIP)), bypassing the guest kernel's page cache. This zero copy provides both time and space optimizations.
> Mapping as a direct access device inside the VM allows pages from the host to be demand loaded using page faults, rather than having to make requests via a virtualized device (causing expensive VM exits/hypercalls), thus providing a speed optimization.
> Utilizing mmap(2)'s MAP_SHARED shared memory option on the host allows the host to efficiently share pages.
From https://github.com/kata-containers/kata-containers/tree/main...
> Last time I looked (a few months ago), the documentation was pretty sparse or outdated.
It still is, though it works somewhat seamlessly when installing with https://github.com/kata-containers/kata-containers/blob/main...
Though only one of the hypervisors works well.
-
Kata Containers vs gVisor?
As I understand,Kata Containers
-
Firecracker MicroVMs
Kubernetes using Kata containers as a containerd backend
https://github.com/kata-containers/kata-containers/blob/main...
-
Container security best practices: Ultimate guide
My home k8s cluster is now "locked down" using micro-vms (kata-containers[0]), pod level firewalling (cilium[1]), permission-limited container users, and mostly immutable environments. Given how quickly I rolled this out; the tools to enhance cluster environment security seem more accessible now than my previous research a few years ago.
I know it's not exactly a production setup, but I really do feel that it's the most secure runtime environment I've ever had accessible at home. Probably more so than my desktops, which you could argue undermines most of my effort, but I like to think I'm pretty careful.
In the beginning I was very skeptical, but being able to just build a docker/OCI image and then manage its relationships with other services with "one pane of glass" that I can commit to git is so much simpler to me than my previous workflows. My previous setup involved messing with a bunch of tools like packer, cloud-init, terraform, ansible, libvirt, whatever firewall frontend was on the OS, and occasionally sshing in for anything not covered.
-
Docker Without Docker
I'm really impressed by fly.io, and the candidness with which they share some of their really awesome technology. Being container-first is the next step for PaaS IMO and they are ahead of the pack.
I aim to build a platform like theirs someday (probably not any time soon) but I don't think I'd do any of what they're doing -- it feels unnecessary. Bear with me as I recently learned that they use nomad[0] and some of these suggestions are kubernetes projects but I'd love to hear why the following technologies were decided against (if they were):
- kata-containers[1] (it does the whole container -> VM flow for you, automatically, nemu, firecracker) with multiple VMM options[2]
- linuxkit[3] (let's say you didn't go with kata-containers, this is another container->VM path)
- firecracker-containerd[4] (very minimal keep-your-container-but-run-it-as-a-VM)
- kubevirt[5] (if you just want to actually run VMs, regardless of how you built them)
- Ceph[6] for storage -- make LVM pools and just give them to Ceph, you'll get blocks, distributed filesystems (CephFS), and object gateways (S3/Swift) out of it (in the k8s space Rook manages this)
As an aside to all this, there's also LXD, which supports running "system" (user namespace isolated) containers, VMs (somewhat recent[7][8]), live migration via criu[9], management/migration of underlying filesystems, runs on LVM or zfs[10], it's basically all-in-one, but does fall behind in terms of ecosystem since everyone else is aboard the "cloud native"/"works-with-kubernetes" train.
I've basically how I plan to run a service like fly.io if I ever did -- so maybe my secret is out, but I sure would like to know just how much of this fly.io got built on (if any of it), and/or what was turned down.
[0]: https://news.ycombinator.com/item?id=26745514
[1]: https://github.com/kata-containers/kata-containers
[2]: https://github.com/kata-containers/kata-containers/blob/2fc7...
[3]: https://github.com/linuxkit/linuxkit
[4]: https://github.com/firecracker-microvm/firecracker-container...
[5]: https://github.com/kubevirt/kubevirt
[7]: https://discuss.linuxcontainers.org/t/running-virtual-machin...
[8]: https://github.com/lxc/lxd/issues/6205
-
Checking Your --privileged Container
Kata Containers https://github.com/kata-containers/kata-containers
What are some alternatives?
firecracker-containerd - firecracker-containerd enables containerd to manage containers as Firecracker microVMs
kubevirt - Kubernetes Virtualization API and runtime in order to define and manage virtual machines.
lxd - Powerful system container and virtual machine manager [Moved to: https://github.com/canonical/lxd]
containerd - An open and reliable container runtime
gvisor - Application Kernel for Containers
dind - Docker in Docker
ignite - Ignite a Firecracker microVM
cloud-hypervisor - A Virtual Machine Monitor for modern Cloud workloads. Features include CPU, memory and device hotplug, support for running Windows and Linux guests, device offload with vhost-user and a minimal compact footprint. Written in Rust with a strong focus on security.
gatekeeper - 🐊 Gatekeeper - Policy Controller for Kubernetes
firecracker-container