What is the difference between Ignite and gVisor in terms of their use-case?

I'd like to know whether there is a difference (if any) between gVisor and Weave Ignite in terms of their use-case. To me, both of them seem to be attempting something similar: making code execution in a virtualized environment more secure.

gVisor does this by introducing runsc, a runtime that enables sandboxed containers, while Ignite does it by using Firecracker, which in their context also appears to be used as a sandbox.

Both Firecracker and gVisor are technologies that provide sandboxing/isolation, but in different ways.

  • Firecracker (orange box) is a virtual machine manager.
  • gVisor (green box) has an architecture that controls/filters system calls before they reach the actual host.

Weave Ignite is a tool that helps you use Firecracker in order to run containers inside lightweight VMs, and it also offers a good user experience, similar to using Docker.

github.com/weaveworks/ignite

This is also mentioned in the Scope section:

Scope

Ignite is different from Kata Containers or gVisor. They don't let you run real VMs, but only wrap a container in a new layer providing some kind of security boundary (or sandbox).

Ignite on the other hand lets you run a full-blown VM, easily and super-fast, but with the familiar container UX. This means you can "move down one layer" and start managing your fleet of VMs powering e.g. a Kubernetes cluster, but still package your VMs like containers.

Regarding the use-case part of your question, my feeling is that Ignite can be more production-ready, because the isolation provided by a VM is stronger. In addition, gVisor's approach seems to carry a significant performance cost, as described in The True Cost of Containing: A gVisor Case Study:

Conclusion

  • gVisor is arguably more secure than runc
  • Unfortunately, our analysis shows that the true costs of effectively containing are high: system calls are 2.2× slower, memory allocations are 2.5× slower, large downloads are 2.8× slower, and file opens are 216× slower

Current Sandboxing Methods


Sandboxing with gVisor


Do I Need gVisor?

No. If you're running production workloads, don't even think about it! Right now, this is a metaphorical science experiment. That's not to say you may not want to use it as it matures. I don't have any problem with the way it's trying to solve process isolation and I think it's a good idea. There are also alternatives you should take the time to explore before adopting this technology in the future.

Where might I want to use it?

As an operator, you'll want to use gVisor to isolate application containers that aren't entirely trusted. This could be a new version of an open source project your organization has trusted in the past. It could be a new project your team has yet to completely vet or anything else you aren't entirely sure can be trusted in your cluster. After all, if you're running an open source project you didn't write (all of us), your team certainly didn't write it, so it would be good security and good engineering to properly isolate and protect your environment in case there may be a yet unknown vulnerability.

Further reading

My answer contains information from the following sources, quoted "as-is" in the quote sections; I recommend them for further reading:
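The answer above recommends gVisor for containers that aren't entirely trusted, which only helps if those containers are actually started with the runsc runtime rather than the default runc. The following audit script is an added example, not code from the question, the answer, the gVisor project or Weave Ignite. It parses the JSON that `docker inspect` emits (the `Name`, `HostConfig.Runtime` and `Config.Labels` fields are Docker's documented layout) and flags containers that carry a constructed label convention, `sandbox.policy=required`, but are not running under runsc. The label name and the sample containers are assumptions made for this example.

```python
"""Audit which Docker containers really run under gVisor's runsc runtime.

Added example: not code from the question, the answer, gVisor or Ignite.
Assumptions: `docker inspect` JSON layout (Name, HostConfig.Runtime,
Config.Labels), and a constructed label convention `sandbox.policy=required`
marking containers that must be isolated by a sandboxed runtime.
"""
import json
import subprocess
from typing import Dict, List

REQUIRED_LABEL = "sandbox.policy"   # constructed convention for this example
REQUIRED_VALUE = "required"
SANDBOX_RUNTIMES = {"runsc"}         # gVisor registers itself under this OCI runtime name


def classify(container: Dict) -> Dict:
    """Return the runtime a container uses and whether that violates its label."""
    name = container.get("Name", "").lstrip("/")          # docker prefixes names with "/"
    runtime = container.get("HostConfig", {}).get("Runtime") or "runc"
    labels = container.get("Config", {}).get("Labels") or {}
    must_sandbox = labels.get(REQUIRED_LABEL) == REQUIRED_VALUE
    sandboxed = runtime in SANDBOX_RUNTIMES
    return {
        "name": name,
        "runtime": runtime,
        "sandboxed": sandboxed,
        "violation": must_sandbox and not sandboxed,
    }


def audit(inspect_json: str) -> List[Dict]:
    """Classify every container in a `docker inspect` JSON array."""
    return [classify(c) for c in json.loads(inspect_json)]


def violations(inspect_json: str) -> List[str]:
    """Names of containers that require a sandbox but run on a plain runtime."""
    return [r["name"] for r in audit(inspect_json) if r["violation"]]


def live_inspect() -> str:
    """Collect `docker inspect` output for all containers on this host (needs Docker)."""
    ids = subprocess.run(["docker", "ps", "-aq"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return "[]"
    return subprocess.run(["docker", "inspect", *ids], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample in the shape of `docker inspect` output (not captured from a real host).
SAMPLE = json.dumps([
    {"Name": "/trusted-db",
     "HostConfig": {"Runtime": "runc"},
     "Config": {"Labels": {}}},
    {"Name": "/untrusted-web",                 # labelled as requiring isolation, but on runc
     "HostConfig": {"Runtime": "runc"},
     "Config": {"Labels": {"sandbox.policy": "required"}}},
    {"Name": "/untrusted-worker",              # correctly started with --runtime=runsc
     "HostConfig": {"Runtime": "runsc"},
     "Config": {"Labels": {"sandbox.policy": "required"}}},
])

if __name__ == "__main__":
    for row in audit(SAMPLE):
        flag = "VIOLATION" if row["violation"] else "ok"
        print(f"{row['name']:<20} runtime={row['runtime']:<6} {flag}")
```

Run it against a real host by replacing `SAMPLE` with `live_inspect()`. Note that Ignite VMs never show up in `docker ps`; they are listed by `ignite ps`, so an audit of the VM-based side of the comparison has to query Ignite rather than Docker.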