Internships/ProjectIdeas/EncryptedStorageInVMBasedContainerRuntimes: Difference between revisions

From QEMU
(Created page with "'''Summary:''' Create encrypted storage using VM-based container runtimes The Linux cryptsetup(8) tool requires root privileges to encrypt storage with LUKS. However, privile...")
 
No edit summary
Line 1: Line 1:
'''Summary:''' Create encrypted storage using VM-based container runtimes
=== Create encrypted storage using VM-based container runtimes ===
'''Summary:''' Extend crun to create encrypted storage by running a libkrun VM


The Linux cryptsetup(8) tool requires root privileges to encrypt
The Linux cryptsetup(8) tool requires root privileges to encrypt

Revision as of 16:25, 17 February 2022

Create encrypted storage using VM-based container runtimes

Summary: Extend crun to create encrypted storage by running a libkrun VM

The Linux cryptsetup(8) tool requires root privileges to encrypt storage with LUKS. However, privileged containers are generally discouraged for security reasons. A possible solution that avoids the extra privileges is to use a VM-based container runtime (e.g., crun with libkrun, or kata-containers) and run the storage encryption tool inside the VM.

This internship focuses on a proof of concept that integrates and extends the crun container runtime with libkrun in order to create encrypted storage without root privileges. The initial step will focus on creating encrypted images to demonstrate the feasibility and the necessary changes in the software stack. If the timeframe allows, an interesting follow-up to the first step is the encryption of persistent storage using block-based volumes.

This project will expose you to container runtimes and virtual machines. You must be willing to dig into different codebases such as crun (written in C), libkrun (written in Rust), and possibly podman or other Kubernetes/containers projects (written in Go).

Links:

Details:

  • Language: C, Rust, golang
  • Skills: containers and virtualization would be a big plus
  • Mentor: Alice Frosi <afrosi@redhat.com>, Co-mentor: Sergio Lopez Pascual <slp@redhat.com>