当前位置:网站首页>Sandboxed container: container or virtual machine
Sandboxed container: container or virtual machine
2022-06-26 16:45:00 【Cloud primary pointing North】
With IT Technological development ,AI、 Blockchain, big data and other technologies increase the demand for millisecond expansion of applications , Developers are also under pressure to quickly launch new features . Hybrid clouds are the new normal , Digital transformation is a necessary condition for maintaining competitiveness , Virtualization has become the basic technology for these challenges .
In a virtualized world , There are two familiar words : Virtual machines and containers . The former is the virtualization of hardware , The latter is more like the virtualization of the operating system . Both provide sandbox capabilities : Virtual machines are provided through hardware level abstraction , The container uses a common kernel to provide process level isolation . Many people think of containers as “ Lightweight virtual machines ”, Usually we think the container is safe , Is that the same as we thought ?
Containers : Lightweight virtual machines ?
Containers are packaged 、 A modern way to share and deploy applications , Help enterprises realize rapid development 、 standard 、 Flexible service interaction . Containerization is based on Linux The namespace of (namespace) And the control group (cgroup) On the design of .

Namespace creates an almost isolated user space , And provide special system resources for applications , Such as file system 、 Network stack 、 process ID And the user ID. With the introduction of user namespaces , Kernel version 3.8 Provides support for container functionality :Mount(mnt)、 process ID(pid)、Network(net)、 Interprocess communication (ipc)、UTS、 user ID(user)6 Namespace ( Now it has reached 8 individual , Later joined cgroup and time Namespace ).
cgroup Then implement resource restrictions on the application 、 priority 、 Bookkeeping and control .cgroup Can be controlled CPU、 Memory 、 Equipment, network and other resources .
Use at the same time namespace and cgroup It enables us to run multiple applications safely on one host , And each application is located in an isolated environment .
Virtual machines provide more powerful isolation

Although the container is great , Lightweight enough . But through the above description , Multiple containers on the same host are actually Share the same operating system kernel , Just virtualization at the operating system level . Although namespaces provide a high degree of isolation , But there are still resources that the container can access , These resources do not provide a namespace . These resources are common to all containers on the host , Like the kernel Keyring、/proc、 system time 、 The kernel module 、 Hardware .
We all know there is no 100% Safe software , The same is true for container applications , From application source code to dependency library to container base Mirror image , Even the container engine itself may have security vulnerabilities . The risk of container escape is much higher than that of virtual machines , Hackers can exploit these escape vulnerabilities , The external resources of the operation container, that is, the resources on the host . Except for loopholes , Sometimes improper use will also bring security risks , For example, the container is assigned too high permissions (CAP_SYS_ADMIN function 、 Privileges ), Can cause the container to escape .
Virtual machines rely on hardware level virtualization , The implemented hardware isolation provides a stronger security boundary than namespace isolation . Compare with container , Virtual machines provide a higher degree of isolation , Just because it has My own kernel .
thus it can be seen , Containers are not really “ Sandbox ”, Also not Not a lightweight virtual machine . Is it possible to add a safer boundary to the container , Isolate from the host operating system as much as possible , Achieve strong isolation similar to virtual machines , Make it real “ Sandbox ”?

Sandboxed containers
The answer is yes. , It's a sandbox container . Like a virtual machine, this container has its own kernel , This layer of kernel becomes User space kernel . This layer of kernel should keep the container lightweight , Write... Using modern programming techniques , It's very light , Only used as a strong isolation layer between the container and the host .
And support OCI and CRI standard , It can be done with Docker and Kubernetes And other container tools are well integrated .

Here is a brief introduction gVisor and Kata Containers.
gVisor
gVisor It's using Go Written application kernel , Realized Linux Most of the interfaces of the operating system . It contains a runsc Of OCI Runtime , It provides an isolation layer between the application and the host kernel .runsc It's also realized with Docker and Kubernetes Integration of , You can easily run sandbox containers .

gVisor A separate operating system kernel is provided for each container . Application and gVisor Interact with the virtual environment provided by the kernel , Not directly accessing the host's kernel .gVisor It also limits and manages file and network operations , Ensure that there are two isolation layers between the container application and the host operating system . By reducing and limiting the interaction between the application and the host kernel , Minimize the attack surface of attackers bypassing the container isolation mechanism .
Unlike most kernels ,gVisor No fixed physical resources are required ; contrary , It takes advantage of existing host kernel functions , And run as a normal process . let me put it another way ,gVisor With Linux In this way Linux.
gVisor A sandbox consists of multiple processes , Together, these processes form an environment in which one or more containers can run .
Each sandbox has its own instance :
- Sentry: The kernel that runs the container , Intercept and respond to the system call of the application .
Each container in the sandbox has its own instance :
- Gofer: Provides access to the container file system .

Kata Containers
Kata Containers As lightweight and fast as a container , And integrate with container management -- Include Docker and Kubernetes And other popular container choreography tools -- It also provides the same security as virtual machines .

Kata Containers And OCI、 Container runtime interface (CRI) And container network interface (CNI) Fully integrated . It supports various types of network models ( for example ,passthrough、MacVTap、 The bridge 、tc Mirror image ) And configurable guest kernel , So that applications that need a special network model or kernel version can run on it . The figure above shows Kata VM How containers in interact with existing orchestration platforms .
Kata There's a... On the mainframe kata Run time to start and configure a new container . about Kata VM Every container in , There is a corresponding... On the host Kata Shim.Kata Shim Receive from client ( for example docker or kubectl) Of API request , And pass VSock Forward the request to Kata VM Agent inside .Kata The container has been further optimized , In order to reduce VM Starting time .
Kata Containers From the merger of two open source projects :Intel Of Clear containers and Hyper runV. The former focuses on performance ( Boot time is less than 100ms) And security ; The latter supports different CPU Architecture and management system , Put technology independence first .Kata Containers It can be said that it integrates the two .

Compared with traditional containers ,Kata Container The isolation of virtual machines , It integrates the security of virtual machine and the performance of container .
summary
Compared with ordinary containers , Sandbox containers provide greater isolation , This strong isolation provides higher security . At the same time, this kind of container technical support OCI and CRI standard , It can be used with existing container tools and Kubernetes Good integration .
The article is issued in official account
The cloud points north
边栏推荐
- LeetCode Algorithm 24. 两两交换链表中的节点
- 构造函数和析构函数
- Hyperf框架使用阿里云OSS上传失败
- 对话长安马自达高层,全新产品将在Q4发布,空间与智能领跑日系
- 数字藏品与NFT到底有何区别
- Convert the decimal positive integer m into the number in the forward K (2 < =k < =9) system and output it in bits
- day10每日3题(3):数组中的字符串匹配
- 国内首款开源 MySQL HTAP 数据库即将发布,三大看点提前告知
- Scala Foundation (2): variables et types de données
- 5G未平6G再启,中国引领无线通信,6G的最大优势在哪里?
猜你喜欢

基于Kubebuilder开发Operator(入门使用)

Teach you to learn dapr - 1 The era of net developers

pybullet机器人仿真环境搭建 5.机器人位姿可视化

MS|谢黎炜组发现混合益生菌制剂及其代谢产物可缓解结肠炎
![[graduation season] a word for graduates: the sky is high enough for birds to fly, and the sea is wide enough for fish to leap](/img/b6/21e51fa7f79d4a4b950f061703f0fb.png)
[graduation season] a word for graduates: the sky is high enough for birds to fly, and the sea is wide enough for fish to leap

C语言 头哥习题答案截图

GUI+SQLServer考试系统

国内首款开源 MySQL HTAP 数据库即将发布,三大看点提前告知

Kubecon China 2021 Alibaba cloud special session is coming! These first day highlights should not be missed
![[Li Kou brush question] monotone stack: 84 The largest rectangle in the histogram](/img/75/440e515c82b5613b117728ba760786.png)
[Li Kou brush question] monotone stack: 84 The largest rectangle in the histogram
随机推荐
Call the random function to generate 20 different integers and put them in the index group of institute a
知道这几个命令让你掌握Shell自带工具
基于STM32+华为云IOT设计的云平台监控系统
基于Kubebuilder开发Operator(入门使用)
Mono 的一些实例方法
Science | 红树林中发现的巨型细菌挑战传统无核膜观念
What is the preferential account opening policy of securities companies now? Is it safe to open an account online now?
Qt 5.9.8 安装教程
《软件工程》期末重点复习笔记
Knowing these commands allows you to master shell's own tools
经典同步问题
How to implement interface current limiting?
Calculate the average of N numbers in the index group of X, and return the number that is less than the average and closest to the average through formal parameters
[from deleting the database to running] the end of MySQL Foundation (the first step is to run.)
y=1/100*100+1/200*200+1/300*300+.....+ 1/m*m
Gui+sqlserver examination system
Niuke Xiaobai monthly race 50
并发编程整体脉络
1-12vmware adds SSH function
Hyperf框架使用阿里云OSS上传失败
