Runtimes

Runtimes

OCI runtimes are responsible for interacting with the kernel

They implement the OCI runtime spec

They are pluggable

Implementations

Reference implementation by OCI (Go): runc

Lightweight implementation by Red Hat (C): crun

Application kernel by Google (Go): gvisor

Lightweight VMs using QEMU/KVM (Go): kata-containers

Micro VMs by AWS (Rust): Firecracker


gvisor

Application kernel that…

“implements a substantial portion of the Linux system call interface”

Binaries

Ships with…

Security model

Google provides a detailed analysis


Concepts

Comparison to…

Hardware virtualization

Syscall filtering using seccomp, SELinux and AppArmor

Sentry

Application kernel

Intercepts system calls

Starts in container w/ seccomp

Gofer

Host process for every container

Talks to Sentry using 9P


Demo

gvisor in Kubernetes
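As an added example, not part of the original deck, the two Kubernetes objects a cluster needs for the demo above: a RuntimeClass that maps to the runsc handler, and a pod that opts into it via runtimeClassName. It assumes the node already has runsc and the gVisor containerd shim installed; the names `gvisor` and `demo-sandboxed` are placeholders.

```yaml
# RuntimeClass: tells the kubelet/CRI to run matching pods under the
# "runsc" handler (gVisor's OCI runtime) instead of the default runc.
# Assumes the node's containerd is configured with a runsc runtime entry.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor          # placeholder name; referenced by pods below
handler: runsc          # handler name registered with the container runtime
---
# Pod that opts into the sandbox. Everything in this pod runs against
# gVisor's Sentry (user-space application kernel) rather than the host
# kernel; the Gofer mediates its file access over 9P.
apiVersion: v1
kind: Pod
metadata:
  name: demo-sandboxed  # placeholder name
spec:
  runtimeClassName: gvisor
  containers:
    - name: shell
      image: alpine:3.19
      command: ["sleep", "infinity"]
      # No host kernel syscalls reach the real kernel directly from here;
      # the Sentry intercepts them and is itself confined by seccomp.
```

To confirm the pod landed in the sandbox rather than on runc, run `dmesg` inside it (`kubectl exec demo-sandboxed -- dmesg`): gVisor's Sentry prints its own startup banner there, which a runc container would not show.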