New packages libkrun, libkrunfw and krunvm for super-lightweight virtualization and virtualization-hardened containers
Hello,
I'm about to submit to Factory 3 packages, from the Virtualization
Devel project:
- libkrunfw
https://build.opensuse.org/package/show/Virtualization/libkrunfw
- libkrun
https://build.opensuse.org/package/show/Virtualization/libkrun
- krunvm
https://build.opensuse.org/package/show/Virtualization/krunvm
Libkrun is the key and the heart of everything. It's a library that
enables an (OCI) runtime to start the environments that such runtimes
usually handle (read: containers) inside a super-lightweight virtual
machine (using KVM underneath, of course).
If you're familiar with KataContainers, well, it's similar... but all
done in a library, which makes things smaller and faster (at least
potentially, as the project is still at an early stage of development and
performance is not a goal yet).
This is already possible, with krunvm, which is basically a CLI for
libkrun, that allows you to create lightweight VMs out of OCI images.
Watch this:
$ cat /etc/os-release
NAME="openSUSE Tumbleweed"
ID="opensuse-tumbleweed"
ID_LIKE="opensuse suse"
VERSION_ID="20210223"
[...]
$ uname -a
Linux Solace 5.10.16-1-default #1 SMP Sat Feb 13 16:20:19 UTC 2021 (11381f3) x86_64 x86_64 x86_64 GNU/Linux
Now, if I do:
$ sudo krunvm create opensuse/leap --name leap
Resolving "opensuse/leap" using unqualified-search registries (/etc/containers/registries.conf)
Getting image source signatures
Copying blob 99b65196a7ec done
[...]
Lightweight VM created with name: leap
$ sudo krunvm list
leap
CPUs: 2
RAM (MiB): 1024
DNS server: 1.1.1.1
Buildah container: leap-working-container
Workdir: /root
Mapped volumes: {}
Mapped ports: {}
$ sudo krunvm start leap
sh-4.4# cat /etc/os-release
NAME="openSUSE Leap"
VERSION="15.2"
ID="opensuse-leap"
ID_LIKE="suse opensuse"
VERSION_ID="15.2"
sh-4.4# uname -a
Linux leap 5.10.10 #1 SMP Fri Feb 26 08:27:43 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
And you can tell that it's a VM from --among other things-- the fact
that the kernels (see the two `uname -a`) are different!
In this example, I used `sudo`, but it does work rootless as well, like
this (for now):
$ buildah unshare
Solace:~ # krunvm create ubuntu --name ubu
Solace:~ # krunvm start ubu
# apt-get update
Hit:1 http://archive.ubuntu.com/ubuntu focal InRelease
Get:2 http://archive.ubuntu.com/ubuntu focal-updates InRelease [114 kB]
Get:3 http://security.ubuntu.com/ubuntu focal-security InRelease [109 kB]
[...]
Get:5 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [934 kB]
Fetched 1257 kB in 3s (423 kB/s)
Reading package lists... Done
# ^D
Solace:~ # exit
$
And yes, as you see from the above example where I used apt, networking
works (limited to IPv4-TCP, for now... because as I said it's early!)
with zero configuration.
And of course it supports bind mounting pieces of the host filesystem
as well (and also with zero config needed).
Note also that the crun OCI runtime already has support for libkrun,
and that podman can work on top of crun. Therefore, we could one day
have podman containers running as lightweight VMs!
We could one day have toolbox containers (which is why I'm
cross-posting to Kubic) running as lightweight VMs!!
Sure, we need to have crun for that, which I don't think we do right
now. But, baby steps. :-)
The third package, libkrunfw, is basically where the kernel of the
lightweight VM lives. Now, ideally, we would pick up our kernel-source
package, apply patches and configuration, and build libkrunfw from it.
However, this is currently not possible, due to the dependency of some
of the needed patches on a specific kernel-version.
We do intend, however, to fix this as soon as possible.
Libkrun and krunvm are available already in Fedora, via Copr, and on
macOS-aarch64 (the so-called M1).
You can find more about the project at the following links:
https://github.com/containers/libkrun
https://github.com/containers/krunvm
https://news.ycombinator.com/item?id=25939995
https://static.sched.com/hosted_files/devconfcz2021/b9/libkrun%20Virtuailzat...
Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
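As an added example (not code from this thread, from libkrun or from crun), here is how an OCI runtime can embed libkrun the way the mail describes: resolve the library at run time, validate the "host:guest" port-map strings before handing them to the VMM, then boot an unpacked OCI rootfs as a KVM microVM. The function-pointer prototypes follow libkrun's public C API; the rootfs path, port map and command are the caller's inputs.

```c
/* Added example (not from the thread or the libkrun project): how an OCI runtime
 * can drive libkrun's C API to boot a rootfs inside a KVM microVM. libkrun is
 * loaded with dlopen() so this file still builds on hosts without it. */
#include <dlfcn.h>
#include <stdint.h>
#include <stdlib.h>
/* Function-pointer types mirroring libkrun's public prototypes. */
typedef int32_t (*create_ctx_fn)(void);
typedef int32_t (*vm_config_fn)(uint32_t ctx, uint8_t vcpus, uint32_t ram_mib);
typedef int32_t (*set_root_fn)(uint32_t ctx, const char *root_path);
typedef int32_t (*set_ports_fn)(uint32_t ctx, const char *const port_map[]);
typedef int32_t (*set_exec_fn)(uint32_t ctx, const char *exec_path,
                               const char *const argv[], const char *const envp[]);
typedef int32_t (*start_fn)(uint32_t ctx);

/* Reject a malformed "host_port:guest_port" mapping before it reaches the VMM.
 * Returns 1 if both sides are decimal ports in 1..65535, otherwise 0. */
int valid_port_map(const char *spec) {
    char *end;
    long host = strtol(spec, &end, 10);
    if (end == spec || *end != ':' || host < 1 || host > 65535) return 0;
    const char *g = end + 1;
    long guest = strtol(g, &end, 10);
    return end != g && *end == '\0' && guest >= 1 && guest <= 65535;
}

/* Boot `rootfs` (an unpacked OCI image) with `vcpus` CPUs and `ram_mib` MiB,
 * expose `port_map` (NULL-terminated, pre-validated) and run argv[0] as init.
 * Returns -1 if libkrun.so.1 is absent, -2 on a libkrun error; on success
 * krun_start_enter() never returns: this process becomes the VMM. */
int run_in_microvm(const char *rootfs, uint8_t vcpus, uint32_t ram_mib,
                   const char *const port_map[], const char *const argv[],
                   const char *const envp[]) {
    void *h = dlopen("libkrun.so.1", RTLD_NOW);
    if (!h) return -1;
    create_ctx_fn create = (create_ctx_fn)dlsym(h, "krun_create_ctx");
    vm_config_fn vmcfg = (vm_config_fn)dlsym(h, "krun_set_vm_config");
    set_root_fn root = (set_root_fn)dlsym(h, "krun_set_root");
    set_ports_fn ports = (set_ports_fn)dlsym(h, "krun_set_port_map");
    set_exec_fn exec = (set_exec_fn)dlsym(h, "krun_set_exec");
    start_fn start = (start_fn)dlsym(h, "krun_start_enter");
    if (!create || !vmcfg || !root || !ports || !exec || !start) return -2;
    int32_t ctx = create();
    if (ctx < 0) return -2;
    uint32_t id = (uint32_t)ctx;
    /* libkrun takes the arguments after the executable path as argv. */
    if (vmcfg(id, vcpus, ram_mib) < 0 || root(id, rootfs) < 0 ||
        ports(id, port_map) < 0 || exec(id, argv[0], argv + 1, envp) < 0) return -2;
    return start(id) < 0 ? -2 : 0;
}
```

On a host without libkrun the launcher returns -1 and the caller can fall back to a plain container; with it installed, a successful krun_start_enter() turns the calling process into the VMM, exactly the boundary the two differing `uname -a` outputs above demonstrate.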
On Sat, 2021-02-27 at 04:41 +0100, Dario Faggioli wrote:
Hello,
I'm about to submit to Factory 3 packages, from the Virtualization Devel project:
- libkrunfw https://build.opensuse.org/package/show/Virtualization/libkrunfw
SR 875562 https://build.opensuse.org/request/show/875562
- libkrun https://build.opensuse.org/package/show/Virtualization/libkrun
SR 875561 https://build.opensuse.org/request/show/875561
- krunvm https://build.opensuse.org/package/show/Virtualization/krunvm
SR 875563 https://build.opensuse.org/request/show/875563
Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------
On Sat, 2021-02-27 at 04:52 +0100, Dario Faggioli wrote:
On Sat, 2021-02-27 at 04:41 +0100, Dario Faggioli wrote:
I'm about to submit to Factory 3 packages, from the Virtualization Devel project:
- libkrunfw https://build.opensuse.org/package/show/Virtualization/libkrunfw
Wow... This is "interesting"! Everything was working all day yesterday, including when I wrote this mail and hit the submit button. Now it isn't anymore... as libkrunfw does not build. :-O
I think I've identified the problem; it seems related to this patch: https://lore.kernel.org/patchwork/patch/
I've added it to the list of patches applied to the kernel in the package in my home: project, and that builds fine. I've already opened an issue upstream, to decide how to handle it: https://github.com/containers/libkrunfw/issues/4
- libkrun https://build.opensuse.org/package/show/Virtualization/libkrun
SR 875561 https://build.opensuse.org/request/show/875561
- krunvm https://build.opensuse.org/package/show/Virtualization/krunvm
In the case of these other two SRs, it's just me that forgot to switch
one of the services to "disabled". Will fix and resubmit.
Regards
--
Dario Faggioli, Ph.D
http://about.me/dario.faggioli
Virtualization Software Engineer
SUSE Labs, SUSE https://www.suse.com/
-------------------------------------------------------------------