Internships/ProjectIdeas/VhostUserVSOCKRust: Difference between revisions

From QEMU

Revision as of 10:01, 9 February 2021

vhost-user-vsock application

Summary: Develop a vhost-user-vsock application in Rust and integrate it with Kata Containers

Kata Containers (https://katacontainers.io/) provides a secure container runtime using lightweight virtual machines that feel and perform like traditional containers. Kata Containers leverages KVM and supports multiple Virtual Machine Monitors, including QEMU. It uses virtio-vsock (https://wiki.qemu.org/Features/VirtioVsock) to create a communication channel between the runtime, running on the host, and the agent, running in the guest.

Kata Containers focuses on security, so moving the device emulation into a separate user-space process is very attractive because it reduces the attack surface of the VMM.

This project aims to build an application (vhost-user-vsock) that uses the vhost-user protocol (https://gitlab.com/qemu-project/qemu/-/blob/master/docs/interop/vhost-user.rst) to emulate the virtio-vsock device in an external process. It will expose the hybrid VSOCK interface over AF_UNIX introduced by Firecracker (https://github.com/firecracker-microvm/firecracker/blob/master/docs/vsock.md).
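As an added example (not code from this project, QEMU or Firecracker), the Rust snippet below sketches the host-initiated side of the hybrid vsock handshake that such an application has to speak on its AF_UNIX socket: a host client sends "CONNECT <guest_port>\n" and, if the request is accepted, receives "OK <host_port>\n" before the raw connection payload follows; a malformed request is answered by closing the connection. The function names, the 32-byte bound on the request line and the error handling are assumptions of this example.

```rust
use std::io::{BufRead, BufReader, Read, Write};
use std::os::unix::net::UnixStream;

/// Upper bound on the CONNECT line ("CONNECT " + 10 digits + "\n" fits easily).
/// Assumed for this example; it keeps a misbehaving client from growing the buffer.
const MAX_CONNECT_LINE: u64 = 32;

/// Parse the first line a host client sends on a fresh AF_UNIX connection.
/// The documented form is "CONNECT <guest_port>\n"; anything else is rejected.
pub fn parse_connect(line: &str) -> Option<u32> {
    let port = line.strip_suffix('\n')?.strip_prefix("CONNECT ")?;
    // Only plain decimal digits: no sign, no whitespace, no empty string.
    if port.is_empty() || !port.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    port.parse::<u32>().ok() // a value that does not fit a u32 port is rejected too
}

/// Reply for an accepted connection: "OK <host_port>\n", where host_port is the
/// host-side port the device assigned to this connection.
pub fn ok_reply(host_port: u32) -> String {
    format!("OK {}\n", host_port)
}

/// Device-side handler for one host-initiated connection: read the CONNECT
/// line, answer "OK <host_port>\n", and hand back the guest port together with
/// the stream (kept buffered, so payload bytes read early are not lost).
/// On a malformed request the stream is dropped, i.e. the connection is closed,
/// and None is returned.
pub fn handle_host_connection(
    stream: UnixStream,
    host_port: u32,
) -> Option<(u32, BufReader<UnixStream>)> {
    let mut reader = BufReader::new(stream);
    let mut line = String::new();
    // Bound the read so a client cannot make the device buffer an endless "line".
    (&mut reader).take(MAX_CONNECT_LINE).read_line(&mut line).ok()?;
    let guest_port = parse_connect(&line)?;
    reader.get_mut().write_all(ok_reply(host_port).as_bytes()).ok()?;
    // From here on the stream carries the raw payload of the vsock connection.
    Some((guest_port, reader))
}
```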

The QEMU side has already been implemented and tested with a proof of concept based on Cloud Hypervisor crates, which can be used as a starting point for this project.

The new application should be written in Rust, reusing as much as possible the crates available in rust-vmm, an umbrella project that provides a set of virtualization components that can be easily reused to speed up the implementation.

If time allows, we could integrate vhost-user-vsock into Kata Containers. The work will mostly be:

  • On the kata-containers runtime side, where we will have to:
    • start the application daemon;
    • ensure it receives the correct SELinux labels;
      • we will need some interaction with the container-selinux project to ensure the application is started with the container_kvm_t label;
  • On the govmm side, we will have to:
    • add support for "vhost-user-vsock";
  • There may be some work needed on the agent related to this integration, but we hope everything will be transparent at that layer.

Links:

Details:

  • Skill level: intermediate
  • Language: Rust / Go
  • Mentors: Stefano Garzarella <sgarzare@redhat.com>, Fabiano Fidêncio <fidencio@redhat.com>
    • IRC nick: sgarzare (OFTC/freenode), fidencio (OFTC/freenode)