Kata-Containers on openSUSE - FOSDEM
Kata-Containers on openSUSE
Ralf Haferkamp, Container Software Engineer, SUSE
Dario Faggioli, Virtualization Software Engineer, SUSE
2
What is Kata Containers
A container runtime providing stronger isolation by using hardware virtualization technologies.
3
Traditional Containers
4
Kata Containers
5
Why Virtualization
● Threat Model: untrusted code in a (Kata) Container attacks the host
● Attack surface--
  – Containers: the shared host kernel: all syscalls (files, directories, MMIO, AIO, different kinds of sockets, different IPC mechanisms, futexes, shared memory, ioctls, TTY, …)
  – Virtualization/Kata: the hypervisor + the VMM: hypercalls + devices.
● Defense in Depth
  – Containers: escape the container ==> Host!
  – Virtualization/Kata: escape the container ==> escape the hypervisor ==> Host
● Isolation++
  – Containers: crash the kernel ==> crash the host ==> DoS for everyone
  – Virtualization/Kata: crash the kernel ==> crash your VM only
6
Lightweight Virtualization
Low CPU and Memory Overhead
● Small and Fast VMs == More VMs == More Kata Containers
Small & Fast kernel
● Little, tailored, optimized kernel image
● On openSUSE, currently, kvmsmall as temporary solution
● Ship Kata upstream kernel?
● Make one ourselves?
Small & Fast VMM
● QEMU, rust-vmm, Firecracker, Cloud Hypervisor
● In openSUSE, currently QEMU
● Firecracker (available, not fully functional)
● QEMU MicroVM (when supported in Kata)
7
(Diagram: OCI compatible runtimes, with runC as the reference OCI compatible runtime)
8
What Kata Containers is NOT
It's NOT meant as a mechanism to run "normal" VM workloads inside Kubernetes.
9
Kata Architecture
The above architecture looks slightly different when containerd-shim-kata-v2 (shimv2) is used, e.g. with containerd.
(Architecture diagram labels: cri-o, conmon, gRPC via vsock)
10
Kata Architecture
● kata-runtime creates a VM per pod (using a pretty minimal kernel and initrd)
● Inside the VM, the kata-agent is responsible for launching containers and multiplexing I/O streams to the outside (either via vsock or virtio-serial)
● If a pod has multiple containers, all of the containers are launched within the same VM
● On the host, kata-shim communicates with the kata-agent inside the VM, providing a seamless interface for the upper layer services (cri-o, docker, podman)
11
Kata Details
● Storage (i.e. the container rootfs and volumes) is shared with the VMs via 9pfs (when using QEMU/KVM)
● 9pfs has some known performance issues. Work is under way to move to virtio-fs in the future.
● For networking, Kata transparently connects the veth pair from the host to the TAP interface of the VM
12
Kata-containers on openSUSE
● Tumbleweed is tracking the latest release
● Leap packages available via the devel:kubic project in OBS: https://download.opensuse.org/repositories/devel:/kubic/openSUSE_Leap_15.1
● Packages:
  – katacontainers.rpm
  – katacontainers-image-initrd.rpm for a prebuilt kernel and initrd
13
Demo
14
Podman
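The following script is an added example, not part of the slides or of the Kata project itself. It ties together the "Why Virtualization" threat model, the "Kata Details" slide (rootfs shared over 9pfs) and the openSUSE packaging slide: it installs Kata from the devel:kubic repository named above, runs a container with podman under the Kata runtime and then checks, from the defender's side, that the workload really got its own kernel and a 9p-backed rootfs instead of the shared host kernel. Assumptions (not stated on the slides): podman is installed and the OCI runtime is registered as `kata-runtime`; the image name and the sample `/proc/mounts` lines in the test are constructed.

```shell
#!/bin/sh
# Added example: install Kata on openSUSE Leap from the devel:kubic OBS repo,
# run a container via podman with the Kata runtime, and verify isolation.
# Assumed names: runtime "kata-runtime", image registry.opensuse.org/opensuse/leap:15.1.

KUBIC_REPO="https://download.opensuse.org/repositories/devel:/kubic/openSUSE_Leap_15.1"
KATA_RUNTIME="${KATA_RUNTIME:-kata-runtime}"                 # assumption
IMAGE="${IMAGE:-registry.opensuse.org/opensuse/leap:15.1}"   # assumption

# Register the OBS repository from the slide and install the two packages it lists.
install_kata() {
    sudo zypper addrepo "$KUBIC_REPO" devel-kubic
    sudo zypper --gpg-auto-import-keys refresh
    sudo zypper install -y katacontainers katacontainers-image-initrd
}

# Read /proc/mounts-style lines on stdin and print the filesystem type mounted
# on "/" (the container rootfs). With Kata on QEMU/KVM this is "9p" (9pfs);
# a plain runc container shows the host's overlay/xfs/ext4 instead.
rootfs_fstype() {
    awk '$2 == "/" { print $3; exit }'
}

# Return 0 when the guest reports a kernel different from the host's, i.e. the
# container runs behind a hypervisor rather than on the shared host kernel.
# Caveat: an identical string is not proof of a shared kernel on its own, so
# combine it with the rootfs check above.
kernel_isolated() {
    host="$1"; guest="$2"
    [ -n "$guest" ] && [ "$host" != "$guest" ]
}

# Run the container twice: once to read the kernel version, once to read the
# mount table, then report what the checks found.
kata_demo() {
    host_kernel=$(uname -r)
    guest_kernel=$(podman run --rm --runtime "$KATA_RUNTIME" "$IMAGE" uname -r)
    guest_rootfs=$(podman run --rm --runtime "$KATA_RUNTIME" "$IMAGE" cat /proc/mounts | rootfs_fstype)
    echo "host kernel:  $host_kernel"
    echo "guest kernel: $guest_kernel"
    echo "guest rootfs: $guest_rootfs"
    if kernel_isolated "$host_kernel" "$guest_kernel" && [ "$guest_rootfs" = "9p" ]; then
        echo "OK: container runs on its own kernel inside a Kata VM with a 9p rootfs"
    else
        echo "WARNING: container does not look Kata-isolated; check the runtime configuration"
    fi
    # Inside the VM the container sees the virtio NIC that Kata wired to the host veth/TAP pair.
    podman run --rm --runtime "$KATA_RUNTIME" "$IMAGE" ls /sys/class/net
}

case "${1:-}" in
    install) install_kata ;;
    demo)    kata_demo ;;
esac
```

Run `sh kata-podman-check.sh install` once and then `sh kata-podman-check.sh demo`; the two pure helpers can also be exercised without podman by piping a mount table into `rootfs_fstype`.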
15
Kubernetes/Kubic
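An added example for the Kubernetes/Kubic demo (not from the slides or the Kata project): it creates a RuntimeClass for Kata, starts two pods that each carry two containers, and then checks the "VM per pod" property from the "Kata Architecture" slide by comparing `/proc/sys/kernel/random/boot_id`, which is unique per booted kernel. Containers of the same pod must report the same boot_id (one VM per pod), the two pods must report different ones, and none may match the node's. Assumptions: cri-o is the CRI runtime and Kata is registered with it under the handler name `kata-runtime` (not stated on the slides), `kubectl` can reach the cluster, and the sample boot_id lines in the test are constructed.

```shell
#!/bin/sh
# Added example: RuntimeClass + pods for Kata on Kubernetes/Kubic and a
# boot_id based check that every pod got its own VM.
# Assumed names: RuntimeClass "kata", cri-o handler "kata-runtime".

RUNTIME_CLASS="${RUNTIME_CLASS:-kata}"              # assumption
CRIO_HANDLER="${CRIO_HANDLER:-kata-runtime}"        # assumption: cri-o runtime name
IMAGE="${IMAGE:-registry.opensuse.org/opensuse/leap:15.1}"   # assumption

# node.k8s.io/v1beta1 is the API available in the Kubernetes releases of this
# talk's time frame; newer clusters accept node.k8s.io/v1 with the same fields.
kata_runtimeclass_manifest() {
    cat <<EOF
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: $RUNTIME_CLASS
handler: $CRIO_HANDLER
EOF
}

# A pod with two containers; runtimeClassName selects Kata for the whole pod,
# so both containers land in the same VM.
kata_pod_manifest() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
spec:
  runtimeClassName: $RUNTIME_CLASS
  containers:
  - name: first
    image: $IMAGE
    command: ["sleep", "infinity"]
  - name: second
    image: $IMAGE
    command: ["sleep", "infinity"]
EOF
}

# Read lines "<pod> <container> <boot_id>" on stdin and print the number of
# distinct boot_ids, i.e. how many distinct kernels (VMs) the containers run in.
count_kernels() {
    awk '{ ids[$3] = 1 } END { n = 0; for (k in ids) n++; print n }'
}

# Collect the boot_id of both containers of every pod given as argument.
boot_ids() {
    for pod in "$@"; do
        for c in first second; do
            printf '%s %s %s\n' "$pod" "$c" \
                "$(kubectl exec "$pod" -c "$c" -- cat /proc/sys/kernel/random/boot_id)"
        done
    done
}

kata_k8s_demo() {
    kata_runtimeclass_manifest | kubectl apply -f -
    kata_pod_manifest kata-a | kubectl apply -f -
    kata_pod_manifest kata-b | kubectl apply -f -
    kubectl wait --for=condition=Ready pod/kata-a pod/kata-b --timeout=120s
    ids=$(boot_ids kata-a kata-b)
    echo "$ids"
    echo "node boot_id: $(cat /proc/sys/kernel/random/boot_id) (must not appear above)"
    echo "distinct kernels: $(echo "$ids" | count_kernels) (expected 2: one VM per pod)"
}

[ "${1:-}" = "demo" ] && kata_k8s_demo
```

Run `sh kata-k8s-check.sh demo` on a node of the cluster. With runc instead of Kata every line would show the node's own boot_id and `count_kernels` would print 1, which is exactly the shared-kernel situation the "Why Virtualization" slide warns about.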