I would like to know whether there is a difference between gVisor and Weave Ignite in terms of their use cases (if there is one at all). To me they both seem to be trying something similar: making code execution in a virtualized environment more secure.

gVisor does this by introducing runsc, a runtime that enables sandboxed containers, while Ignite does this by using Firecracker, which in their context also seems to be used as a sandbox.
Best answer
Both Firecracker and gVisor are technologies that provide sandboxing/isolation, but in different ways.

Weave Ignite is a tool that helps you run containers inside lightweight VMs using Firecracker, and it does so with a good user experience, similar to using Docker.

This is also mentioned in the Scope section of github.com/weaveworks/ignite:
Scope
Ignite is different from Kata Containers or gVisor. They don't let you run real VMs, but only wrap a container in a new layer providing some kind of security boundary (or sandbox).
Ignite on the other hand lets you run a full-blown VM, easily and super-fast, but with the familiar container UX. This means you can "move down one layer" and start managing your fleet of VMs powering e.g. a Kubernetes cluster, but still package your VMs like containers.
Regarding the use-case part of your question, my feeling is that, since VMs provide stronger isolation, Ignite may be more suitable for production. In addition, gVisor's approach seems to carry a significant performance cost, as mentioned in The True Cost of Containing: A gVisor Case Study:
Conclusion
- gVisor is arguably more secure than runc
- Unfortunately, our analysis shows that the true costs of effectively containing are high: system calls are 2.2× slower, memory allocations are 2.5× slower, large downloads are 2.8× slower, and file opens are 216× slower
Current Sandboxing Methods
Sandboxing with gVisor
Do I Need gVisor?
No. If you're running production workloads, don't even think about it! Right now, this is a metaphorical science experiment. That's not to say you may not want to use it as it matures. I don't have any problem with the way it's trying to solve process isolation and I think it's a good idea. There are also alternatives you should take the time to explore before adopting this technology in the future.
Where might I want to use it?
As an operator, you'll want to use gVisor to isolate application containers that aren't entirely trusted. This could be a new version of an open source project your organization has trusted in the past. It could be a new project your team has yet to completely vet or anything else you aren't entirely sure can be trusted in your cluster. After all, if you're running an open source project you didn't write (all of us), your team certainly didn't write it so it would be good security and good engineering to properly isolate and protect your environment in case there may be a yet unknown vulnerability.
My answer contains information from the following sources; where it is taken "as is" it appears in the quoted sections, and I recommend reading them further:
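The answer above cites per-operation slowdowns from the gVisor paper (system calls 2.2×, memory allocations 2.5×, file opens 216×). The following is an added example, not code from the question, the answer, or the gVisor, Firecracker or Ignite projects: a small Python micro-benchmark for those three operations that you can run once under runc and once under runsc (`docker run --runtime=runsc ...`, once runsc is registered as a Docker runtime) or inside an Ignite microVM, and then compare with `slowdown()`. The file name `bench.py`, the per-operation iteration counts and the buffer size are assumptions; the absolute numbers depend on your hardware, kernel and gVisor platform, so only the ratios between two runs are meaningful.

```python
# Added example (not from the question, the answer, or the gVisor/Ignite
# projects): micro-benchmark for the operations the quoted paper reports as
# slow under gVisor: cheap system calls, memory allocation and file opens.
# Run the same script under runc and under runsc (or inside an Ignite
# microVM), save each JSON result, and compare them with slowdown().
import json
import mmap
import os
import sys
import tempfile
import time


def bench_syscalls(n=200_000):
    """Average microseconds per getppid(), a minimal system call.

    Under runc this goes straight to the host kernel; under gVisor every
    syscall is intercepted and served by the Sentry instead.
    """
    start = time.perf_counter()
    for _ in range(n):
        os.getppid()
    return (time.perf_counter() - start) / n * 1e6


def bench_alloc(n=256, size=1 << 20):
    """Average microseconds to map a 1 MiB anonymous region, touch every page
    and unmap it again (mmap + page faults + munmap, all handled by the
    sandbox's memory management under gVisor)."""
    page = mmap.PAGESIZE
    start = time.perf_counter()
    for _ in range(n):
        region = mmap.mmap(-1, size)          # anonymous mapping
        for off in range(0, size, page):
            region[off:off + 1] = b"\x01"     # fault in each page
        region.close()                        # munmap
    return (time.perf_counter() - start) / n * 1e6


def bench_file_open(n=20_000):
    """Average microseconds per open()+close() of an existing small file,
    which exercises the path-walk and file-system layer the paper singles
    out as the most expensive operation."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "probe.txt")
        with open(path, "w") as f:
            f.write("x")
        start = time.perf_counter()
        for _ in range(n):
            os.close(os.open(path, os.O_RDONLY))
        return (time.perf_counter() - start) / n * 1e6


def run_all(scale=1.0):
    """Run every benchmark; scale < 1 shortens the run (e.g. for a smoke test)."""
    return {
        "syscall_us": bench_syscalls(max(1, int(200_000 * scale))),
        "alloc_us": bench_alloc(max(1, int(256 * scale))),
        "open_us": bench_file_open(max(1, int(20_000 * scale))),
    }


def slowdown(baseline, sandboxed):
    """Per-metric ratio sandboxed/baseline, i.e. the 'N x slower' figures
    quoted from the paper, computed for your own two runs."""
    return {key: sandboxed[key] / baseline[key] for key in baseline}


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # python bench.py runc.json runsc.json  -> per-metric slowdown
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            print(json.dumps(slowdown(json.load(a), json.load(b)), indent=2))
    else:
        # python bench.py > runc.json   (then again with --runtime=runsc)
        print(json.dumps(run_all(), indent=2))
```

Micro-operations like these exaggerate the overhead relative to a real service, which spends most of its time in user space; the useful check before choosing a runtime for production is to run your actual workload under both runtimes and compare request latency and throughput, using this script only to confirm which class of operation is paying the sandbox tax.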
Regarding "sandbox - What is the difference between Ignite and gVisor in terms of use cases?", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/56996602/