Our great sponsors
-
-
linux-hardened
Minimal supplement to upstream Kernel Self Protection Project changes. Features already provided by SELinux + Yama and archs other than multiarch arm64 / x86_64 aren't in scope. Only tags have stable history. Shared IRC channel with KSPP: irc.libera.chat #linux-hardening
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
firecracker-containerd
firecracker-containerd enables containerd to manage containers as Firecracker microVMs
-
-
-
WorkOS
The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.
, "should represent the path to a file that contains a JSON which stores the entire configuration for all of the microVM's resources" (okay this is fair enough). Also, they stipulate, "**The JSON must contain the configuration for the guest kernel and rootfs, as these are mandatory, but all of the other resources are optional, so it's your choice if you want to configure them or not. Because using this configuration method will also start the microVM, you need to specify all desired pre-boot configurable resources in that JSON.**" **File Names for the Pre-Boot Resources** (included within the greater repo here): 1. **firecracker.yaml** - Names of resources are contained here ; 'file nad the names of their fields are the same that are used in API requests' (cool) 2. **tests/framework/vm_config.json** (boilerplate config file to guide us - great) > *"After the machine is booted, you can still use the socket to send API requests for post-boot operations."* (this honestly feels clunky as a mf) ### Conclusion Somewhat of a pain in the ass (just looking through the directions); the fact that we'd have to go grab a uncompressed kernel image + file system image (ext4) is kind of a fucking hassle / burden. Was hoping for a solution more akin to Docker where it can just be spun up real quick & then deployed. But they claim that this 'jailer' feature (that they keep hyping) will **ensure** (I guess?) that whatever is done within the container will remain within the container (and not escape). I haven't seen anything that sticks out about this project that leads me to believe that it possesses that capability, but I definitely don't want to rule it out. ### Extra Documentation + Information 1. **OSv Running on 'Firecracker'** (yay more work though) - http://blog.osv.io/blog/2019/04/19/making-OSv-run-on-firecraker/ 2. **Building OSv Images Using Docker** - http://blog.osv.io/blog/2015/04/27/docker/ 3. **firecracker containerd** (this is something that's probably important for the overall mission of what we want to accomplish here) - https://github.com/firecracker-microvm/firecracker-containerd ### Firecracker Containerd **Description** - "*firecracker-containerd enables containerd to manage containers as Firecracker microVMs*" - "This repository enables the use of a container runtime, containerd, to manage Firecracker microVMs. Like traditional containers, Firecracker microVMs offer fast start-up and shut-down and minimal overhead. Unlike traditional containers, however, they can provide an additional layer of isolation via the KVM hypervisor." **They Also Identify Potential Use-Cases in the Repo Such as** 1. "*Sandbox a partially or fully untrusted third party container in its own microVM. This would reduce the likelihood of leaking secrets via the third party container, for example.*" 2. "*Bin-pack disparate container workloads on the same host, while maintaining a high level of isolation between containers. Because the overhead of Firecracker is low, the achievable container density per host should be comparable to running containers using kernel-based container runtimes, without the isolation compromise of such solutions. Multi-tenant hosts would particularly benefit from this use case.*" Really interesting feature of this repo here is: "*A root file filesystem image builder that constructs a firecracker microVM root filesystem containing runc and the firecracker-containerd agent.*" (that could save a lot of time on that whole filesystem image thing that they were mentioning prior) **Additional Links of Importance** 1. **Getting Started Guide** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/getting-started.md 2. **Quickstart Guide** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/quickstart.md 3. **A Root Filesystem Image Builder** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/tools/image-builder 4. **Runtime Linking Containerd** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/runtime **Documentation All Located Here** - https://github.com/firecracker-microvm/firecracker-containerd/tree/main/docs (definitely fucking needed because there's a lot here to wrap one's head around) - **Design Approaches Doc** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/design-approaches.md - **Shim Architecture** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/shim-design.md - **Launching 4k VMs Using Firecracker** - https://github.com/firecracker-microvm/firecracker-demo - **firectl** (CLI options for manipulating this tool from terminal ; this is important as well) - https://github.com/firecracker-microvm/firectl [damn, there's a lot that came with this here!]
so that we can use it liberally in CLI) > **Additionally, here's a 'building from the source section** - https://github.com/firecracker-microvm/firecracker/blob/main/docs/getting-started.md#building-from-source ### Running Firecracker > "*In production, Firecracker is designed to be run securely, inside an execution jail, carefully set up by the jailer binary. This is how our integration test suite does it. However, if you just want to see Firecracker booting up a guest Linux machine, you can do that as well.*" 1. We need to first obtain an "uncompressed Linux kernel binary, and an ext4 file system image (to use as rootfs)" ; great, these are two things that we need to seek out before we move forward in our 'adventure' (*this really feels like a "quest" of some sort, like the ones that they forced you to play on Runescape back in the days*) **How to Decompress Linux Kernel** (explicit instructions to be honest here) - https://0xax.gitbooks.io/linux-insides/content/Booting/linux-bootstrap-5.html **Linux-Hardened Kernel** - https://github.com/anthraxx/linux-hardened (this is something that they're all still actively working on at this very point in time) They also say that we need an 'ext4 file system image' (where do we obtain this from?) - found it **Full Guide on How to Create an EXT4 filesystem image here** -https://fabianlee.org/2020/01/13/linux-mounting-a-loopback-ext4-xfs-filesystem-to-isolate-or-enforce-storage-limits/ Assuming that the above has been handled, the directions insist that we create two separate shell prompts, (one to run Firecracker, and another one to control it [by writing to the API socket]; both shells have to run "in the same directory where the firecracker binary was placed") ^^ What? - This is a pain in the ass because this is something that they should've mentioned earlier (obv. everyone is going to move a binary where the rest of their binaries go ; and you're not going to just load up some random project to be used in that manner) - Not even sure what the end goal of opening up an API socket here would really be But fuck it, let's just assume that we play ball and we adhere to all of these (additional) steps that we're being put through (just for the setup up this virtualization tool!). ### Following Through on the Next Steps 1. Ensuring that Firecracker can create its own API ``` bash rm -f /tmp/firecracker.socket
, "should represent the path to a file that contains a JSON which stores the entire configuration for all of the microVM's resources" (okay this is fair enough). Also, they stipulate, "**The JSON must contain the configuration for the guest kernel and rootfs, as these are mandatory, but all of the other resources are optional, so it's your choice if you want to configure them or not. Because using this configuration method will also start the microVM, you need to specify all desired pre-boot configurable resources in that JSON.**" **File Names for the Pre-Boot Resources** (included within the greater repo here): 1. **firecracker.yaml** - Names of resources are contained here ; 'file nad the names of their fields are the same that are used in API requests' (cool) 2. **tests/framework/vm_config.json** (boilerplate config file to guide us - great) > *"After the machine is booted, you can still use the socket to send API requests for post-boot operations."* (this honestly feels clunky as a mf) ### Conclusion Somewhat of a pain in the ass (just looking through the directions); the fact that we'd have to go grab a uncompressed kernel image + file system image (ext4) is kind of a fucking hassle / burden. Was hoping for a solution more akin to Docker where it can just be spun up real quick & then deployed. But they claim that this 'jailer' feature (that they keep hyping) will **ensure** (I guess?) that whatever is done within the container will remain within the container (and not escape). I haven't seen anything that sticks out about this project that leads me to believe that it possesses that capability, but I definitely don't want to rule it out. ### Extra Documentation + Information 1. **OSv Running on 'Firecracker'** (yay more work though) - http://blog.osv.io/blog/2019/04/19/making-OSv-run-on-firecraker/ 2. **Building OSv Images Using Docker** - http://blog.osv.io/blog/2015/04/27/docker/ 3. **firecracker containerd** (this is something that's probably important for the overall mission of what we want to accomplish here) - https://github.com/firecracker-microvm/firecracker-containerd ### Firecracker Containerd **Description** - "*firecracker-containerd enables containerd to manage containers as Firecracker microVMs*" - "This repository enables the use of a container runtime, containerd, to manage Firecracker microVMs. Like traditional containers, Firecracker microVMs offer fast start-up and shut-down and minimal overhead. Unlike traditional containers, however, they can provide an additional layer of isolation via the KVM hypervisor." **They Also Identify Potential Use-Cases in the Repo Such as** 1. "*Sandbox a partially or fully untrusted third party container in its own microVM. This would reduce the likelihood of leaking secrets via the third party container, for example.*" 2. "*Bin-pack disparate container workloads on the same host, while maintaining a high level of isolation between containers. Because the overhead of Firecracker is low, the achievable container density per host should be comparable to running containers using kernel-based container runtimes, without the isolation compromise of such solutions. Multi-tenant hosts would particularly benefit from this use case.*" Really interesting feature of this repo here is: "*A root file filesystem image builder that constructs a firecracker microVM root filesystem containing runc and the firecracker-containerd agent.*" (that could save a lot of time on that whole filesystem image thing that they were mentioning prior) **Additional Links of Importance** 1. **Getting Started Guide** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/getting-started.md 2. **Quickstart Guide** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/quickstart.md 3. **A Root Filesystem Image Builder** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/tools/image-builder 4. **Runtime Linking Containerd** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/runtime **Documentation All Located Here** - https://github.com/firecracker-microvm/firecracker-containerd/tree/main/docs (definitely fucking needed because there's a lot here to wrap one's head around) - **Design Approaches Doc** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/design-approaches.md - **Shim Architecture** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/shim-design.md - **Launching 4k VMs Using Firecracker** - https://github.com/firecracker-microvm/firecracker-demo - **firectl** (CLI options for manipulating this tool from terminal ; this is important as well) - https://github.com/firecracker-microvm/firectl [damn, there's a lot that came with this here!]
, "should represent the path to a file that contains a JSON which stores the entire configuration for all of the microVM's resources" (okay this is fair enough). Also, they stipulate, "**The JSON must contain the configuration for the guest kernel and rootfs, as these are mandatory, but all of the other resources are optional, so it's your choice if you want to configure them or not. Because using this configuration method will also start the microVM, you need to specify all desired pre-boot configurable resources in that JSON.**" **File Names for the Pre-Boot Resources** (included within the greater repo here): 1. **firecracker.yaml** - Names of resources are contained here ; 'file nad the names of their fields are the same that are used in API requests' (cool) 2. **tests/framework/vm_config.json** (boilerplate config file to guide us - great) > *"After the machine is booted, you can still use the socket to send API requests for post-boot operations."* (this honestly feels clunky as a mf) ### Conclusion Somewhat of a pain in the ass (just looking through the directions); the fact that we'd have to go grab a uncompressed kernel image + file system image (ext4) is kind of a fucking hassle / burden. Was hoping for a solution more akin to Docker where it can just be spun up real quick & then deployed. But they claim that this 'jailer' feature (that they keep hyping) will **ensure** (I guess?) that whatever is done within the container will remain within the container (and not escape). I haven't seen anything that sticks out about this project that leads me to believe that it possesses that capability, but I definitely don't want to rule it out. ### Extra Documentation + Information 1. **OSv Running on 'Firecracker'** (yay more work though) - http://blog.osv.io/blog/2019/04/19/making-OSv-run-on-firecraker/ 2. **Building OSv Images Using Docker** - http://blog.osv.io/blog/2015/04/27/docker/ 3. **firecracker containerd** (this is something that's probably important for the overall mission of what we want to accomplish here) - https://github.com/firecracker-microvm/firecracker-containerd ### Firecracker Containerd **Description** - "*firecracker-containerd enables containerd to manage containers as Firecracker microVMs*" - "This repository enables the use of a container runtime, containerd, to manage Firecracker microVMs. Like traditional containers, Firecracker microVMs offer fast start-up and shut-down and minimal overhead. Unlike traditional containers, however, they can provide an additional layer of isolation via the KVM hypervisor." **They Also Identify Potential Use-Cases in the Repo Such as** 1. "*Sandbox a partially or fully untrusted third party container in its own microVM. This would reduce the likelihood of leaking secrets via the third party container, for example.*" 2. "*Bin-pack disparate container workloads on the same host, while maintaining a high level of isolation between containers. Because the overhead of Firecracker is low, the achievable container density per host should be comparable to running containers using kernel-based container runtimes, without the isolation compromise of such solutions. Multi-tenant hosts would particularly benefit from this use case.*" Really interesting feature of this repo here is: "*A root file filesystem image builder that constructs a firecracker microVM root filesystem containing runc and the firecracker-containerd agent.*" (that could save a lot of time on that whole filesystem image thing that they were mentioning prior) **Additional Links of Importance** 1. **Getting Started Guide** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/getting-started.md 2. **Quickstart Guide** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/quickstart.md 3. **A Root Filesystem Image Builder** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/tools/image-builder 4. **Runtime Linking Containerd** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/runtime **Documentation All Located Here** - https://github.com/firecracker-microvm/firecracker-containerd/tree/main/docs (definitely fucking needed because there's a lot here to wrap one's head around) - **Design Approaches Doc** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/design-approaches.md - **Shim Architecture** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/shim-design.md - **Launching 4k VMs Using Firecracker** - https://github.com/firecracker-microvm/firecracker-demo - **firectl** (CLI options for manipulating this tool from terminal ; this is important as well) - https://github.com/firecracker-microvm/firectl [damn, there's a lot that came with this here!]
, "should represent the path to a file that contains a JSON which stores the entire configuration for all of the microVM's resources" (okay this is fair enough). Also, they stipulate, "**The JSON must contain the configuration for the guest kernel and rootfs, as these are mandatory, but all of the other resources are optional, so it's your choice if you want to configure them or not. Because using this configuration method will also start the microVM, you need to specify all desired pre-boot configurable resources in that JSON.**" **File Names for the Pre-Boot Resources** (included within the greater repo here): 1. **firecracker.yaml** - Names of resources are contained here ; 'file nad the names of their fields are the same that are used in API requests' (cool) 2. **tests/framework/vm_config.json** (boilerplate config file to guide us - great) > *"After the machine is booted, you can still use the socket to send API requests for post-boot operations."* (this honestly feels clunky as a mf) ### Conclusion Somewhat of a pain in the ass (just looking through the directions); the fact that we'd have to go grab a uncompressed kernel image + file system image (ext4) is kind of a fucking hassle / burden. Was hoping for a solution more akin to Docker where it can just be spun up real quick & then deployed. But they claim that this 'jailer' feature (that they keep hyping) will **ensure** (I guess?) that whatever is done within the container will remain within the container (and not escape). I haven't seen anything that sticks out about this project that leads me to believe that it possesses that capability, but I definitely don't want to rule it out. ### Extra Documentation + Information 1. **OSv Running on 'Firecracker'** (yay more work though) - http://blog.osv.io/blog/2019/04/19/making-OSv-run-on-firecraker/ 2. **Building OSv Images Using Docker** - http://blog.osv.io/blog/2015/04/27/docker/ 3. **firecracker containerd** (this is something that's probably important for the overall mission of what we want to accomplish here) - https://github.com/firecracker-microvm/firecracker-containerd ### Firecracker Containerd **Description** - "*firecracker-containerd enables containerd to manage containers as Firecracker microVMs*" - "This repository enables the use of a container runtime, containerd, to manage Firecracker microVMs. Like traditional containers, Firecracker microVMs offer fast start-up and shut-down and minimal overhead. Unlike traditional containers, however, they can provide an additional layer of isolation via the KVM hypervisor." **They Also Identify Potential Use-Cases in the Repo Such as** 1. "*Sandbox a partially or fully untrusted third party container in its own microVM. This would reduce the likelihood of leaking secrets via the third party container, for example.*" 2. "*Bin-pack disparate container workloads on the same host, while maintaining a high level of isolation between containers. Because the overhead of Firecracker is low, the achievable container density per host should be comparable to running containers using kernel-based container runtimes, without the isolation compromise of such solutions. Multi-tenant hosts would particularly benefit from this use case.*" Really interesting feature of this repo here is: "*A root file filesystem image builder that constructs a firecracker microVM root filesystem containing runc and the firecracker-containerd agent.*" (that could save a lot of time on that whole filesystem image thing that they were mentioning prior) **Additional Links of Importance** 1. **Getting Started Guide** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/getting-started.md 2. **Quickstart Guide** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/quickstart.md 3. **A Root Filesystem Image Builder** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/tools/image-builder 4. **Runtime Linking Containerd** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/runtime **Documentation All Located Here** - https://github.com/firecracker-microvm/firecracker-containerd/tree/main/docs (definitely fucking needed because there's a lot here to wrap one's head around) - **Design Approaches Doc** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/design-approaches.md - **Shim Architecture** - https://github.com/firecracker-microvm/firecracker-containerd/blob/main/docs/shim-design.md - **Launching 4k VMs Using Firecracker** - https://github.com/firecracker-microvm/firecracker-demo - **firectl** (CLI options for manipulating this tool from terminal ; this is important as well) - https://github.com/firecracker-microvm/firectl [damn, there's a lot that came with this here!]