Software execution environments
~Process, virtual machine, and container
May 15, 2020
Kanazawa.rb meetup #93
Satoru Takeuchi
(twitter: satoru_takeuchi, EnSatoru)
Slide 2: Without process
[Diagram: a program accesses the hardware directly]
Slide 3: Process with primitive kernels, like a poor embedded system
[Diagram: processes and the kernel; both the processes and the kernel access the hardware directly (〇)]
Slide 4: Process with modern kernels like Linux and the NT kernel
[Diagram: processes on top of the kernel on top of the hardware]
①Processes issue requests with system calls
● File access
● Hardware access
● Inter process communication
②The kernel accesses the hardware on their behalf (〇); direct hardware access by a process is denied (×)
Slide 5: Virtual machine (qemu + kvm)
[Diagram: guest processes and a guest kernel run on virtual hardware inside a "process for virtual machine" on the host kernel; steps ①trap, ②, ③request, ④request; direct hardware access by the guest is denied (×)]
Slide 6: Container (with Linux's namespace)
[Diagram: two containers, each a group of processes, share one kernel and one hardware; access across the container boundary is denied (×)]
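The container slide shows that a container is nothing more than a group of processes partitioned by Linux namespaces while sharing the host kernel. As an added example (not from the original slides), the following Python script reads the /proc/<pid>/ns/* links to report which namespaces a process shares with a reference process; a defender can run it to confirm that a container's processes really are separated from the host (PID 1) rather than started with host namespaces. The namespace type list, the function names and the default reference PID are my assumptions.

```python
"""Report Linux namespace membership from /proc/<pid>/ns/* (added example).

A container in the sense of the slide is a group of processes placed in
their own namespaces while sharing the host kernel. Each /proc/<pid>/ns/<type>
symlink resolves to a string such as 'pid:[4026531836]'; two processes are
in the same namespace of that type exactly when those strings are equal.
"""
import os

# Namespace types exposed by the kernel under /proc/<pid>/ns (assumed list;
# older kernels lack some entries, which the code simply skips).
NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")


def namespace_ids(pid):
    """Return {ns_type: identity string} for the namespaces of `pid`.

    `pid` may be an int or the literal "self". Namespace types that do not
    exist on this kernel, or that the caller may not inspect (reading another
    user's /proc/<pid>/ns links needs ptrace permission), are left out.
    """
    ids = {}
    for ns in NS_TYPES:
        try:
            ids[ns] = os.readlink(f"/proc/{pid}/ns/{ns}")
        except (FileNotFoundError, PermissionError):
            continue
    return ids


def shared_namespaces(pid_a, pid_b):
    """Namespace types in which pid_a and pid_b sit in the same namespace."""
    a, b = namespace_ids(pid_a), namespace_ids(pid_b)
    return {ns for ns in a if ns in b and a[ns] == b[ns]}


def isolation_report(pid, reference=1):
    """Compare `pid` against `reference` (default PID 1, the host init when
    run on the host) and list which namespaces are shared and which are not.

    A containerized process is expected to report pid, mnt, net and the
    other namespaces as 'isolated'; a 'shared' pid or net namespace means
    the container was started with host namespaces, so the boundary shown
    in the slide is missing for that resource.
    """
    shared = shared_namespaces(pid, reference)
    comparable = set(namespace_ids(pid)) & set(namespace_ids(reference))
    return {
        "shared": sorted(shared),
        "isolated": sorted(comparable - shared),
        "unknown": sorted(set(NS_TYPES) - comparable),  # unreadable or absent
    }


if __name__ == "__main__":
    print("namespaces of this process:", namespace_ids("self"))
    print("relative to PID 1:", isolation_report(os.getpid()))
```

Run it inside a container and on the host: inside a properly isolated container the report against PID 1 lists pid, mnt, net, ipc and uts as isolated, while a process that shares them with PID 1 is, as far as the kernel is concerned, just another host process. Entries under "unknown" mean the caller lacked permission to read the reference process's links, which is itself a sign that the comparison needs to run with more privilege rather than that the namespaces are shared.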
Slide 7: Two types of containers
● System container (for a full featured OS environment): the container holds an environment for all apps, with several apps running inside it
● Application container (for only one application, like a Docker container): the container holds an environment for a single app
Slide 8: Security risks
● The required steps to attack another process
[Diagram: in a container, reaching another process takes two steps (①②) through the shared kernel; in a virtual machine it takes four steps (①②③④) through the guest kernel, the virtual hardware, the virtual machine process and the host kernel]
Slide 9: Various container runtimes
● System call steps
[Diagram: system call path per runtime. runC (basic way): app → kernel, separated by namespace → hardware. Kata Containers: app → kernel inside a VM → host kernel → hardware. gVisor: app → userland kernel → host kernel → hardware. Steps are numbered ①–⑤]