03-Exploring the Next Generation of Secure Containers - gVisor and Kata Fusion-Xuewei NiuHang SU.pdf (27 pages), shared by a member for online reading.
Exploring the Next Generation of Secure Containers: gVisor and Kata Fusion
Xuewei Niu, Software Engineer, Ant Group
Hang Su, Software Engineer, Ant Group
Tiwei Bie*, Staff Engineer, Ant Group

Content
01 Secure Containers Overview
02 Inside Existing Solutions
03 User-mode Linux
04 NanoPVM

Part 01: Secure Containers Overview

Why secure containers?
Secure containers are more than security:
- Security isolation prevents sensitive instruction escapes
  - Executing untrusted code
  - Multi-tenancy
- Performance isolation prevents scheduling, networking and I/O interference
  - Online-offline hybrid deployment
- Fault isolation prevents shared-kernel crashes/faults
(Diagram: workload groups, each behind its own isolation layer, on top of the host kernel)

Secure Containers Overview
At the same time:
- Runtime overheads cause increased latency and reduced throughput or density
- Resource footprints from additional components, e.g. guest kernel/Sentry
*Data from gVisor documentation: https://gvisor.dev/docs/architecture_guide/performance/

Part 02: Inside Existing Solutions
Brief introduction to gVisor and Kata Containers

Inside Existing Solutions: Secure Containers Landscape
(Diagram)

Inside Existing Solutions: Kata Containers
- The speed of containers, the security of VMs
- Kata provides a virtual machine: a typical model with a clear layered structure
  - VMM provides virtual devices
  - Guest kernel provides a dedicated runtime environment
- Most of the work is focused on reducing overheads
  - MicroVMs: Firecracker (for FaaS), Cloud-hypervisor (for general tasks), etc.
  - Disabled unnecessary kernel configs
(Diagram: Workloads / Guest Kernel / VMM / Host Kernel)

Inside Existing Solutions: gVisor
- gVisor is an independent kernel running in user space, exposing a Linux-like interface.
- gVisor provides a virtual kernel with merged VMM and guest kernel layers.
- The model eliminates unnecessary vir
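The two architectures above are visible from inside a workload: a gVisor sandbox presents the Sentry's own emulated kernel (its dmesg banner and synthetic kernel release), while a Kata guest runs a separate guest kernel under a VMM. The shell script below is an added example, not code from the slides or from either project; it is a defender-side check that a workload scheduled onto a secure-container runtime actually landed there rather than on a shared host kernel. The signals it relies on are assumptions stated in the comments: a "gVisor" string in the emulated dmesg, and, for a VM-based runtime, a guest kernel release that differs from the node's together with the hypervisor CPU flag. The sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): classify the isolation layer a process
# is running under, from signals readable inside the container.
# Assumptions (heuristics, not guarantees):
#   - gVisor's Sentry emulates dmesg and prints a banner mentioning gVisor,
#     and reports a synthetic kernel release instead of the host's.
#   - A Kata/microVM guest sees the "hypervisor" CPU flag and runs a guest
#     kernel whose release differs from the node's host kernel.
#   - A runc-style container shares the host kernel: same release, no banner.

# classify_isolation DMESG_TEXT GUEST_RELEASE EXPECTED_HOST_RELEASE CPU_FLAGS
# Prints one of: gvisor | vm | shared-kernel
classify_isolation() {
    dmesg_text=$1; guest_rel=$2; host_rel=$3; cpu_flags=$4
    if printf '%s' "$dmesg_text" | grep -qi 'gvisor'; then
        echo gvisor
        return 0
    fi
    # A cloud node itself shows the hypervisor flag, so require a kernel
    # release mismatch as well before calling this a VM-based runtime.
    if [ "$guest_rel" != "$host_rel" ] && printf '%s' "$cpu_flags" | grep -qw hypervisor; then
        echo vm
        return 0
    fi
    echo shared-kernel
}

# Live probe for use inside a container. The operator supplies the node's
# kernel release (e.g. from `uname -r` on the node) as the only argument.
probe_isolation() {
    expected_host=$1
    classify_isolation "$(dmesg 2>/dev/null)" "$(uname -r)" "$expected_host" \
        "$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null)"
}

# Constructed sample inputs showing each outcome.
SAMPLE_GVISOR_DMESG='[    0.000000] Starting gVisor...'
SAMPLE_HOST_RELEASE='6.1.0-generic'
SAMPLE_FLAGS_VM='flags : fpu vme sse hypervisor'

# Demo when run directly:
#   classify_isolation "$SAMPLE_GVISOR_DMESG" 4.4.0 "$SAMPLE_HOST_RELEASE" "$SAMPLE_FLAGS_VM"
#   classify_isolation '' 6.1.62-kata "$SAMPLE_HOST_RELEASE" "$SAMPLE_FLAGS_VM"
#   classify_isolation '' "$SAMPLE_HOST_RELEASE" "$SAMPLE_HOST_RELEASE" "$SAMPLE_FLAGS_VM"
```

A mismatch between the requested runtime and the classification is worth alerting on: a pod that asked for a sandboxed runtime but reports shared-kernel has lost the security and fault isolation the slides describe, and the check costs nothing at startup.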