Supported VMMs and software-based monitors

One of the main goals of urunc is to be a generic OCI unikernel runtime for various unikernel frameworks and similar technologies. To achieve that, we want to support as many Virtual Machine Monitors (VMMs) as possible, as well as other types of sandboxing mechanisms, such as user-space monitors based on seccomp.

In this document, we go through the current state of urunc's support for VMMs and for monitors that rely on software-based isolation. For each of them we give a brief description, installation instructions and a few comments on how it integrates with urunc.

Note: In general, urunc expects every supported VM/sandbox monitor to be available somewhere in the $PATH, under the exact binary name given in the respective section below.
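The following preflight script is an added example and not part of urunc. It checks, for each monitor covered on this page, whether a binary with the name urunc looks for is on $PATH and, for the hardware-backed monitors, whether the calling user can actually open /dev/kvm (a frequent cause of confusing failures when urunc runs without root or with a misconfigured kvm group). The names firecracker, solo5-hvt and solo5-spt are the ones urunc expects; the Qemu binary name qemu-system-<arch> is an assumption based on what the qemu-system package usually installs.

```shell
#!/bin/sh
# Added example, not part of urunc: preflight checks for the monitor binaries
# urunc looks up on $PATH, plus the /dev/kvm check the hardware-backed ones need.

# monitor_on_path NAME: succeed if an executable called exactly NAME is on $PATH.
monitor_on_path() {
    path=$(command -v "$1" 2>/dev/null) || return 1
    [ -x "$path" ]
}

# kvm_usable: succeed if /dev/kvm exists and the caller can open it read/write.
kvm_usable() {
    [ -c /dev/kvm ] && [ -r /dev/kvm ] && [ -w /dev/kvm ]
}

# preflight NAME NEEDS_KVM: print a one-line verdict for monitor NAME.
# NEEDS_KVM is "yes" for qemu, firecracker and solo5-hvt, "no" for solo5-spt.
# Returns 0 when usable, 1 when the binary is missing, 2 when KVM is not usable.
preflight() {
    name=$1
    needs_kvm=$2
    if ! monitor_on_path "$name"; then
        echo "MISSING  $name: not on \$PATH (urunc looks for exactly this name)"
        return 1
    fi
    if [ "$needs_kvm" = yes ] && ! kvm_usable; then
        echo "NO KVM   $name: installed, but /dev/kvm is not usable by $(id -un)"
        return 2
    fi
    echo "OK       $name: $(command -v "$name")"
}

# check_all_monitors: run the checks for every monitor this page covers.
# The qemu binary name is an assumption (qemu-system-<arch>, as installed by the
# qemu-system package); the other three names are the ones urunc expects.
check_all_monitors() {
    failed=0
    preflight "qemu-system-$(uname -m)" yes || failed=1
    preflight firecracker yes || failed=1
    preflight solo5-hvt yes || failed=1
    preflight solo5-spt no || failed=1
    return $failed
}

if check_all_monitors; then
    echo "all monitors usable"
else
    echo "some monitors are missing or cannot use KVM"
fi
```

Run it as the same user that will invoke urunc (or the user containerd runs as), since the /dev/kvm permission check is about that user, not root.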

Virtual Machine Monitors (VMMs)

VMMs use hardware-assisted virtualization to create a Virtual Machine (VM) in which a guest OS executes. This is one of the most widely used technologies for providing strong isolation in multi-tenant environments. For the time being urunc supports three such VMMs: 1) Qemu, 2) Firecracker and 3) Solo5-hvt.

Qemu

Qemu (Quick Emulator) is an open-source virtualization platform that can emulate various hardware architectures. By leveraging Linux's KVM, Qemu creates hardware-accelerated VMs and manages their execution. Its biggest advantages are its mature and stable interface and codebase. In addition, Qemu supports a wide range of paravirtual devices, mostly based on VirtIO, and allows guests to use host devices directly through passthrough.

Installing Qemu

Qemu is packaged by almost all distributions; see Qemu's download page for details. On Ubuntu, for instance, it is enough to run:

$ sudo apt-get install qemu-system

Qemu and urunc

With Qemu, urunc uses the virtio-net device, backed by a tap device on the host, to provide network connectivity to the unikernel. For storage, urunc uses Qemu's initrd option to hand the unikernel an initial RAM filesystem (initramfs). Qemu itself offers further ways to provide storage to a VM, such as block devices through virtio-blk and shared filesystems through 9p and virtio-fs.

We plan to add support for these options, but for the time being only the initramfs is supported.

Supported unikernel frameworks with urunc:

An example unikernel:

$ sudo nerdctl run --rm -ti --runtime io.containerd.urunc.v2 harbor.nbfc.io/nubificus/urunc/nginx-qemu-unikraft-initrd:latest unikernel

AWS Firecracker

AWS Firecracker is an open-source virtualization technology developed by Amazon Web Services (AWS) and designed to run serverless workloads efficiently. Firecracker is a minimalist VMM that creates lightweight virtual machines, called microVMs, which start faster and use fewer resources than traditional VMs. In contrast to Qemu, Firecracker deliberately exposes a much smaller set of devices to the VM, which also keeps its attack surface small. Its main benefit is fast VM instantiation and guest OS boot.

Installing Firecracker

Firecracker is not available through a package manager, but it is easy to install. Firecracker's Getting Started guide describes how to set it up; in short, a release binary can be fetched with the following commands (the release directory and the binary inside it are both named release-<version>-<arch>/firecracker-<version>-<arch>):

$ ARCH="$(uname -m)"
$ VERSION="v1.7.0"
$ release_url="https://github.com/firecracker-microvm/firecracker/releases"
$ curl -L ${release_url}/download/${VERSION}/firecracker-${VERSION}-${ARCH}.tgz | tar -xz
$ # Before installing, verify the archive against the checksum published with the release.
$ # Rename the binary to "firecracker" and put it in the $PATH
$ sudo mv release-${VERSION}-${ARCH}/firecracker-${VERSION}-${ARCH} /usr/local/bin/firecracker
$ rm -fr release-${VERSION}-${ARCH}

It is important to note that urunc expects to find the firecracker binary located in the $PATH and named firecracker.

Note: Of the unikernels urunc supports, only Unikraft can boot on Firecracker, and we pin Firecracker to v1.7.0 because Unikraft has boot issues with newer versions.

Firecracker and urunc

With Firecracker, urunc uses the virtio-net device, backed by a tap device on the host, to provide network connectivity to the unikernel. For storage, urunc uses Firecracker's initrd option to hand the unikernel an initial RAM filesystem (initramfs). Firecracker does not support shared filesystems between host and guest, but it does support virtio-block devices.

We plan to add support for virtio-block, but for the time being only the initramfs is supported.

Supported unikernel frameworks with urunc:

An example unikernel:

$ sudo nerdctl run --rm -ti --runtime io.containerd.urunc.v2 harbor.nbfc.io/nubificus/urunc/nginx-firecracker-unikraft-initrd:latest unikernel

Solo5-hvt

Solo5-hvt is a lightweight, high-performance VMM designed to run unikernels. As part of the broader Solo5 project, it provides a minimal abstraction layer for running unikernels on modern hardware, leveraging hardware virtualization. Its key benefits are its simplicity (a very small monitor that is easy to audit) and extremely fast unikernel boot times. In contrast to the other VMMs, Solo5-hvt does not support VirtIO devices; instead it defines its own interface, which covers network and block I/O.

Installing Solo5-hvt

Solo5 is installed by building from source, which requires a few packages (Debian/Ubuntu package names shown):

$ sudo apt install libseccomp-dev pkg-config build-essential

Next, we can clone and build solo5-hvt.

$ git clone -b v0.6.9 https://github.com/Solo5/solo5.git
$ cd solo5
$ ./configure.sh && make -j$(nproc)

It is important to note that urunc expects to find the solo5-hvt binary in the $PATH, named solo5-hvt. Therefore, to install it:

$ sudo cp tenders/hvt/solo5-hvt /usr/local/bin

Solo5-hvt and urunc

With Solo5-hvt, urunc supports all of its devices: it uses a tap device to provide network connectivity to the unikernel, and for storage it supports Solo5-hvt's block interface, which can be used in two ways, either with a block image stored inside the container image, or with the devmapper snapshotter.

In the first case, a block image containing all the data the unikernel should see is copied into the container image.

In the second case, the files the unikernel should access are copied directly into the container image; with the devmapper snapshotter, urunc then uses the container's image snapshot itself as the unikernel's block device. It is important to note that the unikernel framework must support the respective filesystem type (e.g. ext2/3/4). This is the case for Rumprun.
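For the first setup, the block image has to be produced before it is copied into the container image. The script below is an added example (not urunc's tooling, and the function names are this example's own) that builds an ext2 image from a directory without root privileges or a loop mount, sizes it with some headroom, and runs a read-only fsck on the result so a corrupt image is caught at build time rather than inside the unikernel. It assumes e2fsprogs 1.43 or newer for mke2fs -d; how urunc is told where the image lives inside the container image is not covered on this page.

```shell
#!/bin/sh
# Added example, not urunc's own tooling: build an ext2 block image from a
# directory so it can be copied into the container image (the first of the two
# Solo5 block-storage setups described above). Requires e2fsprogs >= 1.43 for
# `mke2fs -d`; no root privileges and no loop mount are needed.

# image_size_mib DIR: size for the image in MiB, i.e. the directory's usage
# plus 25% headroom for filesystem metadata, and never less than 8 MiB.
image_size_mib() {
    kib=$(du -sk "$1" | cut -f1)
    mib=$(( (kib * 5 / 4 + 1023) / 1024 ))
    if [ "$mib" -lt 8 ]; then mib=8; fi
    echo "$mib"
}

# build_ext2_image DIR IMG: create IMG as an ext2 filesystem whose contents are
# a copy of DIR, then verify it. Returns non-zero if mke2fs or the check fails.
build_ext2_image() {
    dir=$1
    img=$2
    size=$(image_size_mib "$dir")
    rm -f "$img"
    # Create a sparse file of the right size without writing zeros through it.
    dd if=/dev/zero of="$img" bs=1M count=0 seek="$size" 2>/dev/null || return 1
    # -d populates the new filesystem from DIR at mkfs time (no mount needed).
    mke2fs -q -t ext2 -d "$dir" "$img" || return 1
    # Read-only consistency check; a corrupt image is worse than a missing one.
    e2fsck -f -n "$img" >/dev/null
}

# Example use (paths are placeholders): build_ext2_image ./unikernel-data data.img
```

The resulting image is then added to the container image alongside the unikernel binary (for instance with COPY in a Dockerfile). ext2 is chosen here because it is the filesystem Rumprun mounts; if the target unikernel supports ext3/ext4, change the -t argument accordingly.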

Supported unikernel frameworks with urunc:

An example unikernel with a block image inside the container's rootfs:

$ sudo nerdctl run --rm -ti --runtime io.containerd.urunc.v2 harbor.nbfc.io/nubificus/urunc/redis-hvt-rumprun-block:latest unikernel

Software-based isolation monitors

Besides the traditional VM-based isolation solutions, there are solutions that provide isolation using software-based techniques. In that case the application runs on top of a user-space kernel that intercepts (or, for unikernels, defines) the application's system calls and forwards the ones it cannot serve itself to the monitor. To further reduce the host kernel's exposure, such monitors commonly run under a seccomp filter that restricts which host system calls they may invoke.

A well-known example of such a technology is gVisor. Unfortunately, gVisor cannot run any unikernel framework.

Solo5-spt

In a similar way, Solo5-spt is a specialized backend of the Solo5 project, designed to run unikernels on systems without access to hardware-assisted virtualization. The Solo5-spt monitor runs under a seccomp filter that allows only seven system calls; since the unikernel is loaded into the same host process as the monitor, that filter is the isolation boundary towards the host kernel. The unikernel running on top of Solo5-spt talks to the monitor through an interface similar to Solo5-hvt's, providing network and block storage I/O. Solo5-spt offers extremely fast instantiation times and very small overhead, along with performant execution.

Installing Solo5-spt

The installation process of Solo5-spt is similar to the Solo5-hvt one. In fact, both are built from the same repository, so we can follow the same steps as for Solo5-hvt. First, make sure the necessary packages are installed:

$ sudo apt install libseccomp-dev pkg-config build-essential

Next, we can clone and build solo5-spt.

$ git clone -b v0.6.9 https://github.com/Solo5/solo5.git
$ cd solo5
$ ./configure.sh && make -j$(nproc)

It is important to note that urunc expects to find the solo5-spt binary in the $PATH, named solo5-spt. Therefore, to install it:

$ sudo cp tenders/spt/solo5-spt /usr/local/bin

Solo5-spt and urunc

As with Solo5-hvt, urunc supports all the devices of Solo5-spt. For more information, see the Solo5-hvt section above.

Supported unikernel frameworks with urunc:

An example unikernel which utilizes devmapper for block storage:

$ sudo nerdctl run --rm -ti --snapshotter devmapper --runtime io.containerd.urunc.v2 harbor.nbfc.io/nubificus/urunc/redis-spt-rumprun:latest unikernel

Note: Of the unikernels urunc supports, only Rumprun can boot on Solo5-{hvt|spt}, and we use Solo5 v0.6.9 because Rumprun has not been updated for newer versions.