L12 - Lightweight sandboxes

Question 1

Containers vs VMs

Answer 1

containers:
- use Linux primitives
- share linux kernel
- fast starts, minimal overhead
- flexible isolation

VMs:
- virtualize hardware components
- use separate kernels
- slower starts, must boot kernel and set-up hardware

Question 2

What is CRI?

Answer 2

Container Runtime Interface

• Kubernetes API
• defines the way that Kubernetes interacts with different container runtimes

Question 3

container runtime

Answer 3

software components that can run containers on a host operating system

Question 4

OCI

Answer 4

Open Container Initiative specifications for container images and running containers.

Question 5

runc

Answer 5

runc is an OCI-compliant tool for spawning and running containers. Implements the OCI specifications.

Question 6

What is Containerd

Answer 6

• container runtime
• manages complete container lifecycle of its host system (image transfer and storage)

Question 7

What is a shim?

Answer 7

• piece of software that resides between containerd and a low-level container runtime (runc)
• abstracts low-level runtimes
• lives as long as the container process

internet:
- By providing compatibility between different components, shims make it easier to use different container runtimes with a variety of container images.

Question 8

Why is there need for more isolation?

Answer 8

Prevention of kernel bugs.

Question 9

What are three types of exploits concerning the kernel?

Answer 9

• System API (bugs within the kernel can be exploited via the API)
• System Application Binary Interface (ABI) (Hardware and software exploits targeting the execution path in response to events)
• Side Channels (exploit indirect effects of the system)

Question 10

Sandbox

Answer 10

internet:

A sandbox is a secure, isolated environment that enables the execution of untrusted or potentially malicious code without affecting the host system. In computer security, a sandbox acts as a protective barrier between an application and the host system, limiting the application’s access to system resources and preventing it from making harmful changes to the system. Sandboxes are used for various purposes, including software testing, application isolation, and security.

Question 11

gVisor

Answer 11

• secure-container runtime writting in Go
• minimizes the system API attack vectors

internet:

gVisor is an open-source project that provides a secure sandbox for containers. It acts as a lightweight runtime, isolating containers from the host system and potentially untrusted applications, while still providing access to the host system’s resources. gVisor enhances the security of containers by limiting the system calls a container can make and by providing additional security features such as process isolation and file system protection.

Question 12

drawbacks of gVisor

Answer 12

• not well suited for syscall heavy workload
• not all syscalls are implemented

Question 13

KVM

Answer 13

Kernel-based Virtual Machine (KVM) is a virtualization module in the Linux kernel that allows the kernel to function as a hypervisor.

Question 14

kernel

Answer 14

The kernel is a computer program at the core of a computer’s operating system and generally has complete control over everything in the system.

Question 15

VMM

Answer 15

Virtual Machine Manager (VMM): Also called a “hypervisor,”

Question 16

What is AWS Firecracker?

Answer 16

Firecracker, a new virtualization technology that makes use of KVM. You can launch lightweight micro-virtual machines (microVMs) in non-virtualized environments in a fraction of a second, taking advantage of the security and workload isolation provided by traditional VMs and the resource efficiency that comes along with containers.

Question 17

AWS Firecracker advantages

Answer 17

• designed for serverless computing
• minimalist design
• enhanced security and workload isolation
• reduces startup time and memory footprint
• open source

Question 18

Where does Firecracker sit?

Answer 18

MicroVM (Guest OS and Container Workload)
Firecracker
Linux Kernel
Hardware

Question 19

What is a sandbox in security?

Answer 19

Sandbox is a security mechanism for separating running programs, usually in an effort to mitigate system failures and/or software vulnerabilities from spreading

Question 20

What are Kata Conainers

Answer 20

Kata Containers is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.

Question 21

Characteristics of Kata Containers

Answer 21

• Runs in a dedicated kernel
• OCI compliant
• one Kata Agent per VM that manages user containers and their workloads
• one shim per pod

Question 22

WebAssemly

Answer 22

WebAssembly is a binary instruction format and virtual machine that brings near-native performance to web browser applications, and allows developers to build high-speed web apps in the language of their choice

internet:
It is meant to provide a portable, efficient, and secure alternative to JavaScript for running high-performance web applications. Wasm allows developers to write code in languages like C, C++, and Rust, and then compile it to Wasm binary format for deployment on the web.

Question 23

Characteristics of WebAssembly

Answer 23

• written in binary format but can also be represented human-readable
• isolated from host by default

Question 24

WebAssembly Module

Answer 24

A WebAssembly Module object contains stateless WebAssembly code that has already been compiled by the browser
- defines functions, globals, memories, imports, exports, static data

Question 25

WebAssembly Embedder

Answer 25

• parses WASM modules and executes the application code

internet:
A WebAssembly Embedder is a program that allows the integration and execution of WebAssembly code within a larger software application. The embedder provides the environment and resources necessary for the WebAssembly code to run, such as memory allocation and access to system APIs.

Question 26

Krustlet

Answer 26

• enables running WebAssembly workloads natively on Kubernetes
• implements the kubelet API

internet:
Krustlet is an implementation of a WebAssembly runtime for Kubernetes. It allows developers to run WebAssembly (WASM) modules as containers within a Kubernetes cluster, providing a secure and efficient way to run WASM applications at scale. Krustlet provides a bridge between the Kubernetes API and the WASM runtime, allowing WASM applications to access the resources and services provided by the Kubernetes platform, such as networking, storage, and scaling. By running WASM modules as containers, Krustlet provides an efficient and scalable platform for developing and deploying cloud-native applications.

Question 27

WebAssembly vs containers

Answer 27

The packaging of WebAssembly is much more lightweight, as containers unfortunately often include unnecessary system dependencies, which increase the image size and create a bigger attack surface for hackers. In addition to the smaller memory and storage footprint, it promises faster startup and shutdown times.

Question 28

Knative

Answer 28

Is an open-source community project which adds components for deploying, running, and managing serverless, cloud-native applications to Kubernetes.

• platform on top of K8s
• Components: Build, Serve, Event

internet:
It provides a set of abstractions and components that enable developers to easily build, scale, and manage event-driven applications without having to worry about the underlying infrastructure.

Question 29

Knative Serving

Answer 29

Knative Serving defines a set of objects as Kubernetes Custom Resource Definitions (CRDs). These resources are used to define and control how your serverless workload behaves on the cluster.

• scale-to-zero: request-drien functionality

internet:
Knative Serving is a component of the Knative platform that provides a serverless platform for running and managing containerized applications. It allows developers to build and deploy their applications in a scalable, efficient, and cost-effective manner, without having to worry about managing infrastructure. Knative Serving automatically manages the underlying infrastructure, such as scaling the number of replicas of the application based on demand, and provides features like traffic management and automatic routing. Knative Serving also provides a simple, Kubernetes-style API for deploying and managing applications, making it easy for developers to integrate with their existing development and deployment pipelines.

Question 30

scale-to-zero

Answer 30

Scaling to zero allows containers to be run only when there is demand. For certain workloads, this gives a lot lower baseline resource usage and lets you scale down instances when in the public cloud to cost less.