
Sandboxed container: container or virtual machine

2022-06-26 16:45:00 Cloud primary pointing North

With the development of IT technology, AI, blockchain, big data and other technologies raise the demand for millisecond-level scaling of applications, and developers are under pressure to ship new features quickly. Hybrid cloud is the new normal, digital transformation is a prerequisite for staying competitive, and virtualization has become the foundational technology for meeting these challenges.

In the virtualized world there are two familiar terms: virtual machines and containers. The former virtualizes the hardware; the latter is closer to virtualizing the operating system. Both provide sandboxing: virtual machines through hardware-level abstraction, containers through process-level isolation on a shared kernel. Many people think of containers as "lightweight virtual machines" and usually assume they are secure. Is that really so?

Containers: lightweight virtual machines?

Containers are a modern way of packaging, sharing and deploying applications that helps enterprises achieve rapid, standardized and flexible service delivery. Containerization is built on Linux namespaces and control groups (cgroups).

A namespace creates an almost isolated user space and gives the application its own view of system resources such as the file system, network stack, process IDs and user IDs. With the introduction of user namespaces in kernel version 3.8, the six namespaces needed for container functionality were in place: mount (mnt), process ID (pid), network (net), inter-process communication (ipc), UTS and user ID (user). There are now eight, with the cgroup and time namespaces added later.

cgroups implement resource limiting, prioritization, accounting and control for applications. They can control CPU, memory, devices, network and other resources.

Using namespaces and cgroups together lets us run multiple applications safely on one host, each in its own isolated environment.

Virtual machines provide stronger isolation

Containers are great and lightweight enough, but as described above, multiple containers on the same host actually share the same operating system kernel; this is virtualization only at the operating-system level. Although namespaces provide a high degree of isolation, there are still resources a container can reach for which no namespace exists. These resources are common to all containers on the host: the kernel keyring, /proc, the system time, kernel modules and the hardware.

We all know there is no 100% secure software, and containerized applications are no exception: everything from the application source code to dependency libraries to the container base image, and even the container engine itself, may have security vulnerabilities. The risk of container escape is much higher than for virtual machines: an attacker who exploits such an escape vulnerability can operate on resources outside the container, that is, on the host. Beyond vulnerabilities, improper use also brings security risks, for example granting a container excessive privileges (the CAP_SYS_ADMIN capability, or privileged mode), which can lead to container escape.
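One practical check that follows from the two paragraphs above is to audit a container's effective capability set, since capabilities such as CAP_SYS_ADMIN, CAP_SYS_MODULE, CAP_SYS_TIME and CAP_SYS_RAWIO act on exactly the host-shared resources that no namespace isolates. The script below is an added example, not code from the original post; the two `/proc/<pid>/status` samples are constructed (Docker's default capability mask and a `--privileged` mask), and the capability bit numbers come from `<linux/capability.h>`.

```python
"""Decode a container's CapEff mask; flag caps that reach host-shared resources."""
import re
import sys

# Capability bit numbers from <linux/capability.h> (subset that matters here).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 3: "CAP_FOWNER", 4: "CAP_FSETID",
    5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN", 25: "CAP_SYS_TIME",
    27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}

# Capabilities acting on resources that no namespace isolates: the shared
# kernel's modules, clock, hardware, and the near-root CAP_SYS_ADMIN.
HOST_REACHING = {
    "CAP_SYS_MODULE": "load modules into the shared host kernel",
    "CAP_SYS_TIME": "set the host-wide system clock",
    "CAP_SYS_RAWIO": "raw hardware / physical memory access",
    "CAP_SYS_ADMIN": "mount, namespace and keyring operations",
}

def parse_cap_eff(status_text):
    """Return the CapEff bitmask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def cap_names(mask):
    """Expand a capability bitmask into names (unlisted bits as cap_<n>)."""
    return [CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if mask >> b & 1]

def audit(status_text):
    """Return the full capability list and the subset that reaches the host."""
    caps = cap_names(parse_cap_eff(status_text))
    risky = [c for c in caps if c in HOST_REACHING]
    return {"caps": caps, "host_reaching": {c: HOST_REACHING[c] for c in risky}}

# Constructed samples: Docker's default capability set and a --privileged one.
DEFAULT_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    # Audit the real process by default, or a saved status file given as argv[1].
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    with open(path) as fh:
        print(audit(fh.read()))
```

Run inside a container to see whether its capability set reaches beyond the namespaces; an empty `host_reaching` result on a default-profile container is the expected baseline.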

Virtual machines rely on hardware-level virtualization, and the hardware isolation this provides is a stronger security boundary than namespace isolation. Compared with containers, a virtual machine offers a higher degree of isolation simply because it has its own kernel.

It can therefore be seen that containers are not really "sandboxes", nor are they lightweight virtual machines. Is it possible to add a stronger boundary around the container, isolating it from the host operating system as much as possible, to achieve virtual-machine-like strong isolation and make it a real "sandbox"?

Sandboxed containers

The answer is yes: the sandboxed container. Like a virtual machine, such a container has its own kernel, a layer that becomes a user-space kernel. This kernel layer should keep the container lightweight; written with modern programming techniques, it is very light and serves only as a strong isolation layer between the container and the host.

It also supports the OCI and CRI standards, so it integrates well with Docker, Kubernetes and other container tools.

Here is a brief introduction to gVisor and Kata Containers.

gVisor

gVisor is an application kernel written in Go that implements most of the Linux operating system interface. It includes an OCI runtime called runsc, which provides an isolation layer between the application and the host kernel. runsc also integrates with Docker and Kubernetes, so sandboxed containers can be run easily.

gVisor provides a separate operating-system kernel for each container. The application interacts with the virtual environment provided by the gVisor kernel rather than accessing the host kernel directly. gVisor also limits and manages file and network operations, ensuring there are two isolation layers between the container application and the host operating system. By reducing and restricting the interaction between the application and the host kernel, it minimizes the attack surface available to an attacker trying to bypass the container isolation mechanism.

Unlike most kernels, gVisor requires no fixed physical resources; instead it makes use of existing host kernel functionality and runs as an ordinary process. In other words, gVisor implements Linux by way of Linux.

A gVisor sandbox consists of multiple processes, which together form an environment in which one or more containers can run.

Each sandbox has its own instance of:

  • Sentry: the kernel that runs the containers; it intercepts and responds to the application's system calls.

Each container in the sandbox has its own instance of:

  • Gofer: provides access to the container's file system.

Kata Containers

Kata Containers are as lightweight and fast as containers, integrate with container management (including Docker, Kubernetes and other popular orchestration tools), and provide the same security as virtual machines.

Kata Containers is fully integrated with OCI, the Container Runtime Interface (CRI) and the Container Network Interface (CNI). It supports various network models (for example passthrough, MacVTap, bridge and tc mirroring) and a configurable guest kernel, so applications that need a special network model or kernel version can run on it. The figure above (not reproduced here) shows how containers in a Kata VM interact with existing orchestration platforms.

On the host, Kata has a kata runtime that launches and configures new containers. For every container in the Kata VM there is a corresponding Kata Shim on the host. The Kata Shim receives API requests from clients (for example docker or kubectl) and forwards them over VSock to the Kata Agent inside the VM. Kata containers have been further optimized to reduce VM start-up time.

Kata Containers came from the merger of two open-source projects: Intel's Clear Containers and Hyper's runV. The former focused on performance (boot time under 100ms) and security; the latter supported different CPU architectures and hypervisors, putting technology independence first. Kata Containers can be said to combine the two.

Compared with traditional containers, Kata Containers have the isolation of virtual machines, combining the security of a VM with the performance of a container.

Summary

Compared with ordinary containers, sandboxed containers provide stronger isolation, and this strong isolation gives higher security. At the same time, this kind of container supports the OCI and CRI standards, so it integrates well with existing container tools and Kubernetes.

This article was first published on the official account The cloud points north.

Original site

Copyright notice
This article was written by [Cloud primary pointing North]. Please include a link to the original when reposting. Thanks.
https://yzsam.com/2022/02/202202170506438537.html