sandbox - What is the difference between Ignite and gVisor in terms of use cases?

Reposted. Author: 行者123. Updated: 2023-12-02 15:47:47

I would like to know whether there is a difference between gVisor and Weave Ignite in terms of their use cases (if any). To me, both seem to be attempting something similar: making code execution in virtualized environments more secure.

gVisor achieves this by introducing runsc, a runtime that enables sandboxed containers, while Ignite achieves it by using Firecracker, which in their context also seems to be used as a sandbox.

Best answer

Both Firecracker and gVisor provide sandboxing/isolation, but in different ways.

  • Firecracker (orange box) is a virtual machine manager.
  • gVisor (green box) has an architecture that controls/filters the system calls that reach the actual host.

Weave Ignite is a tool that helps you run containers inside lightweight VMs using Firecracker, and it does so with a good user experience, similar to using Docker.

The Scope section of github.com/weaveworks/ignite also mentions this:

Scope

Ignite is different from Kata Containers or gVisor. They don't let you run real VMs, but only wrap a container in new layer providing some kind of security boundary (or sandbox).

Ignite on the other hand lets you run a full-blown VM, easily and super-fast, but with the familiar container UX. This means you can "move down one layer" and start managing your fleet of VMs powering e.g. a Kubernetes cluster, but still package your VMs like containers.

Regarding the use-case part of your question, my feeling is that Ignite could be more suitable for production, since VMs provide stronger isolation. In addition, gVisor's approach appears to carry a significant performance cost, as mentioned in The True Cost of Containing: A gVisor Case Study:

Conclusion

  • gVisor is arguably more secure than runc
  • Unfortunately, our analysis shows that the true costs of effectively containing are high: system calls are 2.2× slower, memory allocations are 2.5× slower, large downloads are 2.8× slower, and file opens are 216× slower

[Figure: Current Sandboxing Methods]

[Figure: Sandboxing with gVisor]


Do I Need gVisor?

No. If you're running production workloads, don't even think about it! Right now, this is a metaphorical science experiment. That's not to say you may not want to use it as it matures. I don't have any problem with the way it's trying to solve process isolation and I think it's a good idea. There are also alternatives you should take the time to explore before adopting this technology in the future.

Where might I want to use it?

As an operator, you'll want to use gVisor to isolate application containers that aren't entirely trusted. This could be a new version of an open source project your organization has trusted in the past. It could be a new project your team has yet to completely vet or anything else you aren't entirely sure can be trusted in your cluster. After all, if you're running an open source project you didn't write (all of us), your team certainly didn't write it so it would be good security and good engineering to properly isolate and protect your environment in case there may be a yet unknown vulnerability.


Further reading

My answer contains information from the following sources, which appear in the quoted sections where they were taken "as is"; I suggest you read them further:

Regarding "sandbox - What is the difference between Ignite and gVisor in terms of use cases?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56996602/
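As an added example (not from the answer above or from the gVisor/Ignite projects), this is how an operator would put a not-fully-trusted container under gVisor's runsc runtime in a Kubernetes cluster, the use case the quoted "Where might I want to use it?" section describes. It assumes the nodes' containerd already has a runtime handler named `runsc` configured with gVisor installed; the `sandbox=gvisor` node label and the image name are constructed placeholders.

```yaml
# Added example: route one untrusted pod through gVisor (runsc) while the
# rest of the cluster keeps using the default runc runtime.
# Assumption: containerd on the labelled nodes exposes a "runsc" handler.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc              # must match the containerd runtime handler name
scheduling:
  nodeSelector:
    sandbox: gvisor         # constructed label: only nodes that have runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-app
spec:
  runtimeClassName: gvisor  # remove this line and the pod falls back to runc
  containers:
  - name: app
    image: example.com/untrusted-app:1.0   # placeholder image
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
```

After `kubectl apply`, `kubectl exec untrusted-app -- dmesg` prints gVisor's own boot messages instead of the host kernel's, which is a quick way to confirm the pod is actually sandboxed; expect the syscall-heavy slowdowns the quoted paper measures when benchmarking such pods.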
