Software Execution Environmens - process, virtual machine, and container

Transcript

1. Software execution Environments ～Process, virtual machine, and container May 15,

   2020 Kanazawa.rb meetup #93 Satoru Takeuchi (twitter: satoru_takeuchi, EnSatoru) 1

2. Without process 2 program hardware access

3. Process with primitiv kernels like poor embedded system 3 Process

   hardware access Process access 〇 〇 kernel access 〇 〇 access

4. Process with modern kernels like Linux and NT kernel 4

   kernel hardware process ①Requests with system calls • File access • Hardware access • Inter process communication ②access access × × access 〇 〇 process

5. Virtual machine (qemu + kvm) 5 kernel hardware Process for

   virtual machine Virtual hardware kernel プロセス プロセス process ①trap ③request ④request access × ②

6. Container (with Linux’s namespace) 6 kernel hardware Container プロセス プロセス

   process Container プロセス process ×access

7. Two types of containers 7 System container (for full featured

   OS environment) Application container (for only one application like Docker container) container Environment for all apps container app app Environment for an app app

8. Security risks • The required steps to attack other process

   8 kernel kernel hardware hardware container プロセス プロセス process Virtual machine container Virtual machine Virtual hardware kernel process ① process ① process ② ② ③ ④

9. Various container runtimes • System call steps 9 runC(basic way)

   Kata Containers gVisor Namespace app kernel VM app kernel kernel app Userland kernel kernel hardware ① ② ① ② ① ② ④ ③ ⑤

10. That’s all Question? 10