-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Proposal: Use Docker CE as jailer #813
Comments
Hi, we didn't get the chance to investigate the implications of this proposal, but it does sound quite interesting. We'll update the issue after having a look. |
@alexandruag no problem we all got time 👍 |
Sounds very interesting, especially due to the Docker API that allows an easy automation of spinning up firecracker instances! |
@alexandruag I think the right component to investigate as a replacement of the jailer (if desired) is runc. This is the low-level container runtime used by most of the popular higher-level tools like Docker, containerd, and CRI-O. systemd-nspawn would also potentially be a reasonable option, but is a bit more tightly coupled to systemd than runc is. @frank-dspeed If you're interested in running container workloads in Firecracker, we're working on that in the firecracker-containerd project. There is also Kata Containers, which has a working implementation with Firecracker and Kubernetes. |
I tried to start firecracker within Docker but still have some problems:
The syscall error comes up after I tried to define the kernel via the API. |
ahh, I have compiled with 1.33. I'll try 1.32. (see also #997) |
Hi everyone, just picked this up (for real this time :D). I'll have a look at all these things you mentioned and try to figure out if/how they can fit together. Also, just wondering, any particular reason why you would rather build Firecracker via |
I wanted to add vsock and didn't know how to add this using the devtool 😊 |
Something like |
I could start a Micro-VM within Docker using
(I share /root because there are my kernel & rootfs images) The container is simply a debian with a firecracker executable:
Now it's about choosing the required capabilities and maybe narrowing down the seccomp rules to get rid of |
@MalteJ thats correct and works but first of all let me explain a bit: we don't want to run firecracker inside docker this way we want to enable firecracker to work on docker. |
@frank-dspeed what do you mean exactly with "firecracker to work on docker"? |
@MalteJ your right replacing the jailer with docker and offer it as a additional jailer |
Hello everyone, I've tried spending some time to find something like a unifying perspective over jailing, but ultimately the Firecracker jailer is about implementing our recommendations for building a secure sandbox around each Firecracker process. I didn't attempt to replicate everything the jailer does (outlined here), but it seems possible to achieve the same using something like We're not actively trying to come up with other options right now, but we're very interested in any use cases you might have which don't align with the jailer, what's missing, and what you consider building as an alternative. |
I am new to this area but I think users want to run Firecracker VM with |
@style95 What you describe is effectively what the firecracker-containerd project and kata containers projects are working to build. As you describe, it's not so much the use of Docker as the jailer as it is the ability to run unmodified containers using familiar tools with the addition of an enhanced security boundary provided by firecracker. Using Docker in place of the current wouldn't really support such workflows. You'd still be responsible for dealing with a per-application microVM root image in a custom format, handling instantiation and configuration of the microVM, configuring the network stack, etc. If you're interested in using firecracker to enhance the isolation boundary of you containerized applications, please consider contributing to either (or both) of the projects I mentioned above. |
@nmeyerhans Thanks you so much for the detail explanation. |
@nmeyerhans the jailer part comes only from the documentation thats why i suggested it. I did not evaluate other Scenarios but i am happy that others did pickup the idea. Out of my view it looked like when we could replace the jailer with docker then we could create jailed containers. But i am not sure now what is the right path:
|
I don't understand why you want to force firecracker users to use the firecracker-jailer and not use container technologies they are already using in their stack. |
honestly I don't understand why you have implemented an own jailer at all. |
@MalteJ the way I think about this is not that we built our own jailer, but that out of the box, we provide one minimalist, tightly coupled, and efficient way of isolating a Firecracker microVM . You can definitely use Firecracker without the jailer, or with another jailing technology, it just means that you'll be responsible for tweaking the settings to ensure that things are secure and work well (e.g., when setting up thousands of jails for thousands of microVMs on the same host, and while starting and stopping them all the time). We'd be happy to see integrations with other jailing technologies. As for users doing something like Some specific reasons why we made a separate jailer:
So to sum it up, yes, we want to give users the ability to isolate their containers in VMs, as transparently as possible. This is something that other projects are working on, and something we support. It will be up to those projects how to use the jailer (or if they want to use it at all). But out of the box, we provide what we think is a simple and effective way to jail Firecracker at scale. |
@raduweiss thanks for the clarification :) |
@frank-dspeed, @MalteJ, we've looked at this again as part of our 2020 Roadmap exercise, but in the end, beyond the arguments above, it looks like this can be implemented at a higher level in the stack (e.g., like Ignite did). Therefor, I'll be closing this now. Feel free to re-open it if you want to continue the conversation :) |
@raduweiss Hi 👋! If I understand it correctly, it'd be very nice to make it possible for the jailer to not do a specific set of things (e.g. the xref related Ignite issue weaveworks/ignite#68 (comment) |
I think the syscall filtering is now taken care of in Firecracker directly. But I understand the general idea. Do you want to open an issue about it? I think it's different than this one. |
Ok. Sure! |
There are a few Jailers already around that support creation of Linux/BSD Jails the two biggest are Docker CE (containerD, moby) and SystemdNS
I would love to see that we get this Project to choose one of this Options as additional jailer
It will enable firecracker to be spawned in all this environments so it can be deployed in a local Kubernetes Cluster (containerd & moby) or CoreOs installation (SystemdNS)
The text was updated successfully, but these errors were encountered: