This repository has been archived by the owner on May 6, 2020. It is now read-only.

"Outer" container & Qemu process isolation #127

Open
jcvenegas opened this issue May 11, 2017 · 6 comments

Comments

@jcvenegas
Contributor

From @dlespiau on September 9, 2016 11:21

Most of the OCI isolation/security features don't directly apply to the qemu process, but to the workload process inside the VM (e.g. seccomp filters).

However we want to:

  • apply some of those isolation features to the qemu process (e.g. CPU limits). The exact list is TBD.
  • unconditionally harden the qemu process. libvirt has a page about that. Seccomp filters around qemu would be nice as well.

Investigation is needed to:

  • split the isolation features in "outer" vs "inner" (relative to where we'd apply them, outside or inside the VM)
  • define reasonable confinement to limit the damage of VM escapes.

Copied from original issue: intel/cc-oci-runtime#246
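One way to prototype the outer/inner split the issue asks for, as an added example that is not cc-oci-runtime code: it partitions the `linux` section of an OCI `config.json` into what would be enforced on the host qemu process (cgroup resources, plus an assumed hardening baseline) and what travels into the VM, reports any key it cannot classify instead of guessing, and derives the cgroup v2 `cpu.max` line for the qemu cgroup. The key classification, `qemu_baseline()` and `SAMPLE_SPEC` are assumptions constructed for this example.

```python
# Hypothetical classification (not cc-oci-runtime code): which OCI `linux`
# keys are enforced on the host qemu process ("outer") and which on the
# workload inside the VM ("inner"). Anything else is reported, not guessed.
OUTER_KEYS = {"resources", "cgroupsPath"}          # cgroup limits on qemu
INNER_KEYS = {"seccomp", "namespaces", "maskedPaths", "readonlyPaths",
              "mountLabel", "sysctl", "devices", "uidMappings", "gidMappings"}

CAP_SETS = ("bounding", "effective", "permitted", "inheritable", "ambient")

def qemu_baseline():
    """Hardening applied to the qemu process regardless of the spec (assumed)."""
    return {"noNewPrivileges": True, "capabilities": {s: [] for s in CAP_SETS}}

def split_isolation(spec):
    """Return (outer, inner, unclassified) views of an OCI config dict."""
    linux = spec.get("linux", {})
    outer = {"process": qemu_baseline(),
             "linux": {k: v for k, v in linux.items() if k in OUTER_KEYS}}
    # The whole `process` block (args, env, user, rlimits, caps) describes the
    # workload, so it travels into the VM untouched.
    inner = {"process": spec.get("process", {}),
             "linux": {k: v for k, v in linux.items() if k in INNER_KEYS}}
    unclassified = sorted(set(linux) - OUTER_KEYS - INNER_KEYS)
    return outer, inner, unclassified

def cpu_max_line(outer):
    """cgroup v2 `cpu.max` line for the qemu cgroup, from linux.resources.cpu."""
    cpu = outer["linux"].get("resources", {}).get("cpu", {})
    quota, period = cpu.get("quota"), cpu.get("period", 100000)
    if quota is None or quota < 0:        # no quota, i.e. unlimited in OCI terms
        return "max %d" % period
    return "%d %d" % (quota, period)

# Constructed sample config.json fragment.
SAMPLE_SPEC = {
    "process": {"args": ["/bin/sh"], "noNewPrivileges": True,
                "capabilities": {"bounding": ["CAP_NET_BIND_SERVICE"]}},
    "linux": {
        "resources": {"cpu": {"quota": 50000, "period": 100000},
                      "memory": {"limit": 268435456}},
        "seccomp": {"defaultAction": "SCMP_ACT_ERRNO",
                    "syscalls": [{"names": ["read", "write", "exit_group"],
                                  "action": "SCMP_ACT_ALLOW"}]},
        "namespaces": [{"type": "pid"}],
        "rootfsPropagation": "private",
    },
}
```

`rootfsPropagation` in the sample is deliberately left out of both key sets so the unclassified list is non-empty and the caller has to make the call.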

@jcvenegas
Contributor Author

From @dlespiau on September 9, 2016 14:14

Adding Anthony to the discussion, he'll probably have some good input for the qemu side of things.

@jcvenegas
Contributor Author

From @anthonyzxu on September 13, 2016 0:43

Can we run CC inside a container? Then we can use cgroup ACL for CC.
We may need to figure out how to handle the root disk and how to put it into the container file system; will a symbolic link or hard link work if the root disk is a shared image?

@jcvenegas
Contributor Author

From @grahamwhaley on September 13, 2016 9:31

Hi @anthonyzxu, yes, we have considered running QEMU inside a container if that is needed to provide any of the required functionality, if that is the best way to provide it. Although I think we all agree it may 'feel a little odd', using a container space to wrap the VM that is providing a method to run containers in VMs, if there is a feature/method we need that is only really viable (or most efficient/effective) via a container space, then we should probably go that route.
Once we have worked out which features are best implemented in the Outside/Inside spaces then we can make the call.

@jcvenegas
Contributor Author

From @anthonyzxu on September 13, 2016 23:33

https://github.com/rancher/vm
RancherVM allows you to create a special kind of container called a VM Container. A VM container looks and feels like a regular container.

Maybe we can leverage their efforts.

@jcvenegas
Contributor Author

From @anthonyzxu on September 13, 2016 23:35

Seems they use runc to start the VM container.

@egernst

egernst commented Aug 22, 2017

@jcvenegas - I'm wondering if this issue can be closed? I think we have other proposals for resource management opened, and I'm not sure if we're looking at improved isolation?
