What is the difference between Ignite and gVisor in terms of their use-case?


Problem description


I would like to know if there is a difference between gVisor and Weave Ignite in terms of their use-cases (if there is any). To me, both of them seem to try a similar thing: make the execution of code in virtualized environments more secure.

gVisor is doing this by introducing runsc, a runtime that enables sandboxed containers and Ignite is doing it by using Firecracker, which in their context also seems to be used as a sandbox.

Solution

Both Firecracker and gVisor are technologies which provide sandboxing / isolation but in a different way.

  • Firecracker (orange box) is a Virtual Machine Manager.
  • gVisor (green box) has an architecture which controls/filters the system calls that reach the actual host.

Weave Ignite is a tool that helps you use Firecracker in order to run containers inside lightweight VMs and also do that with a nice UX, similar to using Docker.

This is also mentioned in the Scope section of github.com/weaveworks/ignite:

Scope

Ignite is different from Kata Containers or gVisor. They don't let you run real VMs, but only wrap a container in a new layer providing some kind of security boundary (or sandbox).

Ignite on the other hand lets you run a full-blown VM, easily and super-fast, but with the familiar container UX. This means you can "move down one layer" and start managing your fleet of VMs powering e.g. a Kubernetes cluster, but still package your VMs like containers.

Regarding the use-case part of your question, it's my feeling that because of the stronger isolation VMs offer, Ignite can be more production-ready. Also, the approach of gVisor seems to have a significant performance cost, as it is mentioned at The True Cost of Containing: A gVisor Case Study:

Conclusion

  • gVisor is arguably more secure than runc
  • Unfortunately, our analysis shows that the true costs of effectively containing are high: system calls are 2.2× slower, memory allocations are 2.5× slower, large downloads are 2.8× slower, and file opens are 216× slower


Current Sandboxing Methods


Sandboxing with gVisor


Do I Need gVisor?

No. If you're running production workloads, don't even think about it! Right now, this is a metaphorical science experiment. That's not to say you may not want to use it as it matures. I don't have any problem with the way it's trying to solve process isolation and I think it's a good idea. There are also alternatives you should take the time to explore before adopting this technology in the future.

Where might I want to use it?

As an operator, you'll want to use gVisor to isolate application containers that aren't entirely trusted. This could be a new version of an open source project your organization has trusted in the past. It could be a new project your team has yet to completely vet or anything else you aren't entirely sure can be trusted in your cluster. After all, if you're running an open source project you didn't write (all of us), your team certainly didn't write it so it would be good security and good engineering to properly isolate and protect your environment in case there may be a yet unknown vulnerability.



Further reading

My answer has information from the following sources which are in quote sections when taken "as-is" and I recommend them for further reading:
