vhost-user-vsock application
Summary: Develop a vhost-user-vsock application in Rust and integrate it with Kata Containers
Kata Containers provides a secure container runtime using lightweight virtual machines that feel and perform like traditional containers. Kata Containers leverages KVM and supports multiple Virtual Machine Monitors, including QEMU. It uses virtio-vsock to create a communication channel between the runtime, running in the host, and the agent running in the guest.
Kata Containers focuses on security, so moving the device emulation into an external user space process is very attractive in order to reduce the attack surface.
This project aims to realize an application (i.e. vhost-user-vsock) that will leverage the vhost-user protocol to emulate the virtio-vsock device in an external process. It will provide the hybrid VSOCK interface over AF_UNIX introduced by Firecracker.
The QEMU part has already been implemented and tested with a proof of concept based on Cloud Hypervisor crates, which can be used as a starting point for this project.
The new application should be written in Rust, reusing as much as possible the crates available in rust-vmm. rust-vmm is an umbrella project that provides a set of virtualization components that can be easily reused to speed up the implementation.
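The host-side handshake of Firecracker's hybrid VSOCK interface that the application has to speak is small enough to show here. This is an added example, not code from the PoC or from rust-vmm: the host connects to the AF_UNIX socket and writes `CONNECT <guest_port>\n`, and the device answers `OK <host_port>\n` once the guest side accepted. Only the line protocol is implemented, over any `Read + Write` stream; the 64-byte limit is an assumption of this example, not part of the protocol.

```rust
// Host-side handshake of Firecracker's hybrid vsock-over-AF_UNIX interface
// (added example). The peer writes `CONNECT <port>\n`; on success we reply
// `OK <host_port>\n`. No real sockets are opened; any Read + Write stream works.

use std::io::{self, BufRead, BufReader, Read, Write};

// Bound on the handshake line. A peer that never sends '\n' must not be able
// to grow our buffer without limit (constructed cap, not from the spec).
const MAX_LINE: u64 = 64;

/// Parse a `CONNECT <port>\n` request and return the guest port it targets.
pub fn parse_connect(line: &str) -> Result<u32, String> {
    let line = line.strip_suffix('\n').ok_or("missing newline")?;
    let mut parts = line.split(' ');
    match (parts.next(), parts.next(), parts.next()) {
        // Exactly two tokens: the verb and a decimal port.
        (Some("CONNECT"), Some(port), None) => port
            .parse::<u32>()
            .map_err(|e| format!("bad port {:?}: {}", port, e)),
        _ => Err(format!("malformed request {:?}", line)),
    }
}

/// Read the handshake from `peer`, answer it, and return the guest port.
/// `host_port` is the host-side port the device assigned to this stream.
/// A malformed request is an InvalidData error and nothing is written back.
pub fn handshake<S: Read + Write>(peer: &mut S, host_port: u32) -> io::Result<u32> {
    let mut line = String::new();
    // `take` caps how much the reader may consume before giving up on '\n'.
    BufReader::new(Read::by_ref(peer).take(MAX_LINE)).read_line(&mut line)?;
    match parse_connect(&line) {
        Ok(guest_port) => {
            peer.write_all(format!("OK {}\n", host_port).as_bytes())?;
            Ok(guest_port)
        }
        Err(e) => Err(io::Error::new(io::ErrorKind::InvalidData, e)),
    }
}
```

Because the reader is buffered, any bytes the peer sends after the newline within the cap are not handed back to the caller; a real device would keep that buffer for the data phase.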
If time allows, we could integrate vhost-user-vsock into Kata Containers. The work will mostly be:
- On the kata-containers runtime side, where we will have to:
  - start the application daemon;
  - ensure it receives the correct SELinux labels;
  - interact with the container-selinux project, to ensure the application is started with the container_kvm_t label;
- On the govmm side, where we will have to:
  - add support for "vhost-user-vsock";
- There may be some work needed on the agent related to this integration, but we hope everything will be transparent at that layer.
Links:
- Kata Containers
- virtio-vsock
- vhost-user protocol
- Firecracker's hybrid VSOCK
- QEMU's patches already merged to support vhost-user-vsock
- vhost-user-vsock PoC based on Cloud Hypervisor
- rust-vmm repositories
- kata-containers repository
- GoVMM repository
Details:
- Skill level: intermediate
- Language: Rust / Go
- Mentors: Stefano Garzarella <sgarzare@redhat.com>, Fabiano Fidêncio <fidencio@redhat.com>
- IRC nick: sgarzare (OFTC/freenode), fidencio (OFTC/freenode)