Execute Docker Containers as QEMU MicroVMs (opens in new tab)

(mergeboard.com)

178 pointsDarkPlayer5y ago63 comments

63 comments

46 comments · 12 top-level

encryptluks25y ago· 14 in thread

Why not run containers in VMs in containers in VMs? :)

Seriously, VMs are hardly as secure as many people want to believe unless you're utilizing enclaves and even that has vulnerabilities. I think a better approach is Seccomp and whatever other filtering makes sense.

handrous5y ago

A while back I did some looking at FreeBSD jails to try to figure out why they don't have more mindshare (especially when paired with the nigh-superpower-granting ZFS).

I came away baffled that they weren't more widely-promoted, compared with Docker and friends. After thinking about it for a while, all I can figure is they're so straightforward to use and well-documented that there's no room to make one's name, or to make a buck, re-packaging them or wrapping them in complex tools, so there's little money or glory (= personal marketing via open-source project leadership/contributions) in promoting them.

[EDIT] that is: what would be a blog post in LXC/Docker land... doesn't exist, because it's covered perfectly well in the docs. What would be a simple open-source tool... becomes a blog post, because it's short, simple, and clear enough not to merit special software, but just a quick guide to existing tools. What would be a business, becomes a simple open-source tool without enough of a difficulty/convenience "moat" to support a business.

boardwaalk5y ago

I suspect the answer includes it not being Linux, even with the compatibility layer available.

1 more reply

tyingq5y ago

If technically best in the container space mattered, Illumos would be everywhere...

2 more replies

tptacek5y ago

Jails are still shared-kernel isolation. Docker's reputation is mired in its earlier implementations, when it wasn't really even intended for multitenant isolation. Modern Docker, running with unprivileged containers (which is the norm), is substantially hardened. The real win over Docker is losing the shared kernel, which is what lots of people are doing, so the win to Jails is marginal.

nicolaslem5y ago

TrueNAS exposed me to FreeBSD jails but what put me off is that there does not seem to be an equivalent of "docker build".

Jails seem to be treated like OpenVZ containers in the Linux world: a lighter alternative to virtual machines, not a way to build and distribute applications like Docker.

This is just my take after playing a few hours with jails, I would happily be proven wrong.

LargoLasskhyfv5y ago

Heretics! Vicitimizing all the Fashionistas! Where would be the fun of endless shiny new things? The thrill of employing l33t google skillz to find just another solution to cut&paste in haste, with no wasted time reading boring old style manuals and documentation. Attention deficit is the hottest shit! Deal with it!

tptacek5y ago

I don't know what people generally believe.

But the attack surface of a Linux kernel is very large, is pretty unpredictable, and can't be coherently masked out with rules (my favorite example Jann Horn's VM reference count bug, which was a simple concurrency flaw in the core virtual memory system). By comparison, a Linux KVM hypervisor is not just a subset of the kernel by definition, but also a much smaller codebase, a tiny fraction of the whole kernel.

Replacing shared-kernel isolation like seccomp-filtered containers with VMs is, architecturally, simply the replacement of a large trusted computing base with a smaller one. If the overhead is acceptable, it's hard to argue with from a security perspective.

gorkish5y ago

OK; https://github.com/harvester/harvester

Security and performance aren't the only driving forces; there are a lot of technical and operational benefits to the abstraction and standard interfaces that you get when running stacks that might otherwise look like someone took an Xzibit meme too far.

Also remember on a modern system, there are often at least 2 additional layers at work abstracting interfaces to the "bare metal" OS already.

encryptluks25y ago

I'm not disagreeing that abstraction can be useful, but the overhead of a VM is unnecessary if utilizing the full potential of containers. Afterall, the Linux Kernel is acting as the hypervisor already, so might as well trust it enough to properly sandbox containers too and use the right functionality to do so. I also think that running a virtualization layer adds quite a bit of complexity, so while it is cool that projects and companies have made it work and integrated it with a container solution, eliminating the VM layer altogether seems more ideal IMO.

riobard5y ago

That's the approach taken by Google's gVisor (at the cost of I/O and network performance).

tptacek5y ago

No, that's really not at all what gVisor is. gVisor is best thought of as user-mode Linux --- a complete reimplementation of most of the OS kernel. It's not a system call filter; it's something much closer to a VM than to seccomp.

gVisor is a very cool codebase. As an illustration of the approach: it includes its own TCP/IP stack; we use it in our command-line dev tool to allow people to SSH to their VMs over WireGuard without having to install WireGuard or obtain privileges to manage WireGuard.

fsociety5y ago

gVisor, for better or for worse, does a whole lot of other things than just seccomp filtering, and it shows in performance tests.

encryptluks25y ago

gVisor does more than filtering, they basically reimplemented the syscalls in an application kernel. At least with seccomp the performance overhead is minimal.

1 more reply

dboreham5y ago

Machine Turducken.

riobard5y ago· 6 in thread

A few years ago I invested in a small startup called `hyper.sh`. It open sourced a container runtime called `runV` which provided exactly this: security of virtual machines plus convenience of containers.

The project later merged with Intel Clear Container to become what's now called Kata Containers (https://katacontainers.io/) and is now widely used by several Internet giants like Alibaba and Baidu.

The startup was acquired by Ant Finance a couple of years ago.

(I recorded a podcast with one of hyper.sh engineer if you can listen to Mandarin https://pan.icu/25)

temp_praneshp5y ago

Probably off topic: Back in 2014-15 at my first job, when I was working on openstack, they used to show up at the summits. They were super smart and very generous with their time when I had questions. I wondered sometime in 2020 what happened to them, I'm happy they had a decent exit.

XorNot5y ago

I used runV with drone.io (on top of Media) to run distributed on-demand VM builders for GitHub enterprise (we were building physical machine images to deploy so needed VM isolation).

It actually worked great, and I've struggled to get as quite a flexible CI system at other jobs since then (the big advantage was it looked like Docker, so with compose you could either spin a metal-like nested VM or just pull in some DB containers in your build instance).

cptnapalm5y ago

I was looking at Kata containers a few days ago. I'm pretty new to trying to use VMs/containers for services; purely hobby level. Couldn't figure out how to use them, but that's not necessarily a knock on them as I also can't get OpenBSD wireguard to work either.

polskibus5y ago

How does it differ from Firecracker?

riobard5y ago

I'm not familiar with later development, but AFAIK Firecracker came much later and now you can actually use Firecracker as Kata Container's hypervisor in addition to QEMU.

lifty5y ago

I worked with their tech, testing it, and I loved the product. It was definitely ahead of its time. Similar in some ways to what Fly is doing these days, without the edge.

forty5y ago· 5 in thread

Isn't firecracker an AWS tech?

bhawks5y ago

If you're splitting hairs firecracker (aws) is an offshoot of crosvm from chrome/Google which actually was a greenfield vmm :) anyway memory safe virtualization for the win.

cpach5y ago

That’s correct.

https://github.com/firecracker-microvm/firecracker

remram5y ago

The article wrongly states that Fly.io created firecracker.

jjacobson935y ago

Yeah, the author is incorrect. Fly.io uses Firecracker but they didn’t create it.

tptacek5y ago

Whoah, missed that.

ashishbijlani5y ago· 4 in thread

> Can we somehow combine the advantages of the docker ecosystem with VMs?

Shameless plug: this is exactly what our goal is with https://kwarantine.xyz We are creating a new hypervisor (from scratch) that can run strongly isolated Docker/LXC containers.

amscanne5y ago

The "fork" sounds like you blue pill the OS for each container? I'm assuming the concept is like Cappsule [1] or Bromium [2]?

[1] https://cappsule.github.io/ [2] https://en.wikipedia.org/wiki/Bromium#/media/File:Bromium-en...

ashishbijlani5y ago

fork here is COW on the host kernel (i.e., copying EPT entries). We will post detailed technical documentation soon.

mikepurvis5y ago

Is this what gvisor is? https://github.com/google/gvisor

ashishbijlani5y ago

No, gVisor is from Google. They emulate system calls in user-space and use VMs, which increases runtime performance overhead. We use hardware virtualization to directly run containers -- no I/O emulation, no expensive VM exits, scale as needed. Initial comparison with FC/GVisor/Xen here: https://github.com/ashishbijlani/kwarantine

2 more replies

gravypod5y ago· 3 in thread

Something I'd be very interested in: building a PXE image from something declarative like Dockerfiles.

justincormack5y ago

Try LinuxKit https://github.com/linuxkit/linuxkit

laurencerowe5y ago

Google Container Optimized OS is basically this I think. It's what's used when you start a GCE instance with a docker image.

https://cloud.google.com/container-optimized-os/

jonjonsonjr5y ago

I don't think I'd ever call a Dockerfile declarative.

eatonphil5y ago· 1 in thread

There are a few existing projects out there like this (running Docker images as virtual machines, specifically) if folks are interested. Slim [0] is the one I can remember off the top of my head. I think there are a couple more.

Still, neat to have the walkthrough here in this post.

https://github.com/ottomatica/slim

hardwaresofton5y ago

A couple more:

https://github.com/containers/krunvm

https://github.com/weaveworks/ignite

rwmj5y ago· 1 in thread

https://katacontainers.io/ ?

bonzini5y ago

Yes, indeed. However it's nice to see directly the mechanisms that let Kata do its magic.

tptacek5y ago

As I understand the landscape here, the big enabling win of microvms is faster boot time; there's a cool qemu-lite slide deck that goes into detail about how they cut down boot time:

https://www.linux-kvm.org/images/d/d2/03x05B-Chao_Peng-Light...

The big win was slashing away the BIOS stuff.

We use AWS's Firecracker to turn our customers Docker containers into Firecracker microvms (Firecracker is Amazon's Rust VMM, the engine for Fargate and Lambda). Anecdotally: in my dev environment, the difference between Firecracker boot times and native Docker container startup is imperceptible; the logging we do swamps the VM boot stuff. It's very fast.

stefanha5y ago

For an even more lightweight approach to running containers in VMs see: https://github.com/containers/krunvm

It's powered by https://github.com/containers/libkrun.

thekevjames5y ago

I had fun exploring Docker->VM conversion a while back [1], though the larger goal in my case was to be able to make the build path to custom GCP VM Images a bit simpler. Exciting to see other cases where folks are finding this sort of flow useful!

1: https://thekev.in/blog/2019-08-05-dockerfile-bootable-vm/ind...

dzonga5y ago

I understand, it's cool to do content marketing. but folks proof-read your articles. Firecracker was created by AWS and rightly states so on the page.

OldGoodNewBad5y ago

I think a lot of folks are going out of their way to misunderstand what happened. Yes there are other similar projects and containers. No, none come from a long established COMMUNITY RUN PROJECT. This is something akin to the difference between VirtualBox and OpenBSD’s vmd. Ones a product with a “free” tier, the other is a community project.

j / k navigate · click thread line to collapse

63 comments

46 comments · 12 top-level

encryptluks25y ago· 14 in thread

Why not run containers in VMs in containers in VMs? :)

handrous5y ago

A while back I did some looking at FreeBSD jails to try to figure out why they don't have more mindshare (especially when paired with the nigh-superpower-granting ZFS).

boardwaalk5y ago

I suspect the answer includes it not being Linux, even with the compatibility layer available.

1 more reply

tyingq5y ago

If technically best in the container space mattered, Illumos would be everywhere...

2 more replies

tptacek5y ago

nicolaslem5y ago

TrueNAS exposed me to FreeBSD jails but what put me off is that there does not seem to be an equivalent of "docker build".

Jails seem to be treated like OpenVZ containers in the Linux world: a lighter alternative to virtual machines, not a way to build and distribute applications like Docker.

This is just my take after playing a few hours with jails, I would happily be proven wrong.

LargoLasskhyfv5y ago

tptacek5y ago

I don't know what people generally believe.

gorkish5y ago

OK; https://github.com/harvester/harvester

Also remember on a modern system, there are often at least 2 additional layers at work abstracting interfaces to the "bare metal" OS already.

encryptluks25y ago

riobard5y ago

That's the approach taken by Google's gVisor (at the cost of I/O and network performance).

tptacek5y ago

fsociety5y ago

gVisor, for better or for worse, does a whole lot of other things than just seccomp filtering, and it shows in performance tests.

encryptluks25y ago

gVisor does more than filtering, they basically reimplemented the syscalls in an application kernel. At least with seccomp the performance overhead is minimal.

1 more reply

dboreham5y ago

Machine Turducken.

riobard5y ago· 6 in thread

The project later merged with Intel Clear Container to become what's now called Kata Containers (https://katacontainers.io/) and is now widely used by several Internet giants like Alibaba and Baidu.

The startup was acquired by Ant Finance a couple of years ago.

(I recorded a podcast with one of hyper.sh engineer if you can listen to Mandarin https://pan.icu/25)

temp_praneshp5y ago

XorNot5y ago

I used runV with drone.io (on top of Media) to run distributed on-demand VM builders for GitHub enterprise (we were building physical machine images to deploy so needed VM isolation).

cptnapalm5y ago

polskibus5y ago

How does it differ from Firecracker?

riobard5y ago

I'm not familiar with later development, but AFAIK Firecracker came much later and now you can actually use Firecracker as Kata Container's hypervisor in addition to QEMU.

lifty5y ago

I worked with their tech, testing it, and I loved the product. It was definitely ahead of its time. Similar in some ways to what Fly is doing these days, without the edge.

forty5y ago· 5 in thread

Isn't firecracker an AWS tech?

bhawks5y ago

If you're splitting hairs firecracker (aws) is an offshoot of crosvm from chrome/Google which actually was a greenfield vmm :) anyway memory safe virtualization for the win.

cpach5y ago

That’s correct.

https://github.com/firecracker-microvm/firecracker

remram5y ago

The article wrongly states that Fly.io created firecracker.

jjacobson935y ago

Yeah, the author is incorrect. Fly.io uses Firecracker but they didn’t create it.

tptacek5y ago

Whoah, missed that.

ashishbijlani5y ago· 4 in thread

> Can we somehow combine the advantages of the docker ecosystem with VMs?

Shameless plug: this is exactly what our goal is with https://kwarantine.xyz We are creating a new hypervisor (from scratch) that can run strongly isolated Docker/LXC containers.

amscanne5y ago

The "fork" sounds like you blue pill the OS for each container? I'm assuming the concept is like Cappsule [1] or Bromium [2]?

[1] https://cappsule.github.io/ [2] https://en.wikipedia.org/wiki/Bromium#/media/File:Bromium-en...

ashishbijlani5y ago

fork here is COW on the host kernel (i.e., copying EPT entries). We will post detailed technical documentation soon.

mikepurvis5y ago

Is this what gvisor is? https://github.com/google/gvisor

ashishbijlani5y ago

2 more replies

gravypod5y ago· 3 in thread

Something I'd be very interested in: building a PXE image from something declarative like Dockerfiles.

justincormack5y ago

Try LinuxKit https://github.com/linuxkit/linuxkit

laurencerowe5y ago

Google Container Optimized OS is basically this I think. It's what's used when you start a GCE instance with a docker image.

https://cloud.google.com/container-optimized-os/

jonjonsonjr5y ago

I don't think I'd ever call a Dockerfile declarative.

eatonphil5y ago· 1 in thread

Still, neat to have the walkthrough here in this post.

https://github.com/ottomatica/slim

hardwaresofton5y ago

A couple more:

https://github.com/containers/krunvm

https://github.com/weaveworks/ignite

rwmj5y ago· 1 in thread

https://katacontainers.io/ ?

bonzini5y ago

Yes, indeed. However it's nice to see directly the mechanisms that let Kata do its magic.

tptacek5y ago

As I understand the landscape here, the big enabling win of microvms is faster boot time; there's a cool qemu-lite slide deck that goes into detail about how they cut down boot time:

https://www.linux-kvm.org/images/d/d2/03x05B-Chao_Peng-Light...

The big win was slashing away the BIOS stuff.

stefanha5y ago

For an even more lightweight approach to running containers in VMs see: https://github.com/containers/krunvm

It's powered by https://github.com/containers/libkrun.

thekevjames5y ago

1: https://thekev.in/blog/2019-08-05-dockerfile-bootable-vm/ind...

dzonga5y ago

I understand, it's cool to do content marketing. but folks proof-read your articles. Firecracker was created by AWS and rightly states so on the page.

OldGoodNewBad5y ago

j / k navigate · click thread line to collapse