containers/libkrun containers/libkrun

  • Stars
    star
    655
  • Rank 66,109 (Top 2 %)
  • Language
    Rust
  • License
    Apache License 2.0
  • Created over 3 years ago
  • Updated 3 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
containers/libkrun
github

containers

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A dynamic library providing Virtualization-based process isolation capabilities

libkrun

libkrun is a dynamic library that allows programs to easily acquire the ability to run processes in a partially isolated environment using KVM Virtualization.

It integrates a VMM (Virtual Machine Monitor, the userspace side of an Hypervisor) with the minimum amount of emulated devices required to its purpose, abstracting most of the complexity that comes from Virtual Machine management, offering users a simple C API.

Possible use cases

  • Adding VM-isolation capabilities to an OCI runtime.
  • Implementing a lightweight jailer for serverless workloads.
  • Bringing additional self-isolation capabilities to conventional services (think of something as simple as chroot, but more powerful).

Goals and non-goals

Goals

  • Enable other projects to easily gain KVM-based process isolation capabilities.
  • Be self-sufficient (no need for calling to an external VMM) and very simple to use.
  • Be as small as possible, implementing only the features required to achieve its goals.
  • Have the smallest possible footprint in every aspect (RAM consumption, CPU usage and boot time).
  • Be compatible with a reasonable amount of workloads.

Non-goals

  • Become a generic VMM.
  • Be compatible with all kinds of workloads.

Variants

This project provides two different variants of the library:

  • libkrun: Generic variant compatible with all Virtualization-capable systems.
  • libkrun-sev: Variant including support for AMD SEV (bare SEV and SEV-ES) memory encryption and remote attestation. Requires an SEV-capable CPU.

Each variant generates a dynamic library with a different name (and soname), so both can be installed at the same time in the same system.

Virtio device support

All variants

  • virtio-console
  • virtio-vsock (specialized for TSI, Transparent Socket Impersonation)

libkrun

  • virtio-fs
  • virtio-balloon (only free-page reporting)
  • virtio-rng

libkrun-sev

  • virtio-block

Networking

In libkrun, networking is implemented using a novel technique called Transparent Socket Impersonation, or TSI. This allows the VM to have network connectivity without a virtual interface (hence, virtio-net is not among the list of supported devices).

This technique supports both outgoing and incoming connections. It's possible for userspace applications running in the VM are able to transparently connect to endpoints outside the VM, and also receive connections from the outside to ports listening inside the VM.

Limitations

TSI only supports impersonating AF_INET SOCK_DGRAM and SOCK_STREAM sockets. This implies it's not possible to communicate outside the VM with raw sockets.

Building and installing

Linux (generic variant)

Requirements

  • libkrunfw
  • A working Rust toolchain
  • C Library static libraries, as the init binary is statically linked (package glibc-static in Fedora)
  • patchelf

Compiling

make

Installing

sudo make install

Linux (SEV variant)

Requirements

  • The SEV variant of libkrunfw, which provides a libkrunfw-sev.so library.
  • A working Rust toolchain
  • C Library static libraries, as the init binary is statically linked (package glibc-static in Fedora)
  • patchelf
  • OpenSSL headers and libraries (package openssl-devel in Fedora).

Compiling

make SEV=1

Installing

sudo make SEV=1 install

macOS

Requirements

As part of libkrun building process, it's necessary to produce a Linux ELF binary from init/init.c. The easiest way to do this is by using a binary version of krunvm and its dependencies (libkrunfw, and libkrun itself), such as the one available in the krunvm Homebrew repo, and then executing the build_on_krunvm.sh script found in this repository.

This will create a lightweight Linux VM using krunvm with the current working directory mapped inside it, and produce the Linux ELF binary from init/init.c.

Building the library using krunvm

./build_on_krunvm.sh
make

Using the library

Despite being written in Rust, this library provides a simple C API defined in include/libkrun.h

Examples

chroot_vm

This is a simple example providing chroot-like functionality using libkrun.

Building chroot_vm

cd examples
make

Running chroot_vm

To be able to chroot_vm, you need first a directory to act as the root filesystem for your isolated program.

Use the rootfs target to get a rootfs prepared from the Fedora container image (note: you must have podman installed):

make rootfs

Now you can use chroot_vm to run a process within this new root filesystem:

./chroot_vm ./rootfs_fedora /bin/sh

If the libkrun and/or libkrunfw libraries were installed on a path that's not included in your /etc/ld.so.conf configuration, you may get an error like this one:

./chroot_vm: error while loading shared libraries: libkrun.so: cannot open shared object file: No such file or directory

To avoid this problem, use the LD_LIBRARY_PATH environment variable to point to the location where the libraries were installed. For example, if the libraries were installed in /usr/local/lib64, use something like this:

LD_LIBRARY_PATH=/usr/local/lib64 ./chroot_vm rootfs/ /bin/sh

Status

libkrun has achieved maturity and starting version 1.0.0 the public API is guaranteed to be stable, following SemVer.

Known users

  • crun: An OCI runtime that can make use of libkrun to run containers with Virtualization-based isolation.
  • krunvm: A CLI tool for creating and running microVMs based on OCI images.

Getting in contact

The main communication channel is the VirTEE Matrix channel.

Acknowledgments

libkrun incorporates code from Firecracker, rust-vmm and Cloud-Hypervisor.

More Repositories

1

podman

Podman: A tool for managing OCI containers and pods.
Go
21,713
star
2

skopeo

Work with remote images registries - retrieving information, images, signing content
Go
7,355
star
3

buildah

A tool that facilitates building OCI images.
Go
7,003
star
4

youki

A container runtime written in Rust
Rust
5,793
star
5

podman-compose

a script to run docker-compose.yml using podman
Python
4,567
star
6

podman-desktop

Podman Desktop - A graphical tool for developing on containers and Kubernetes
TypeScript
4,145
star
7

bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects
C
3,601
star
8

crun

A fast and lightweight fully featured OCI runtime and C library for running containers
C
2,759
star
9

toolbox

Tool for interactive command line environments on Linux
Shell
2,284
star
10

krunvm

Create microVMs from OCI images
Rust
1,315
star
11

image

Work with containers' images
Go
822
star
12

storage

Container Storage Library
Go
522
star
13

podman-tui

Podman Terminal UI
Go
494
star
14

fuse-overlayfs

FUSE implementation for overlayfs
C
476
star
15

netavark

Container network stack
Rust
457
star
16

udica

This repository contains a tool for generating SELinux security profiles for containers
Python
425
star
17

conmon

An OCI container runtime monitor.
C
395
star
18

composefs

a file system for mounting container images
C
368
star
19

build

another build tool for container images (archived, see https://github.com/rkt/rkt/issues/4024)
Go
341
star
20

quadlet

C
330
star
21

oci-seccomp-bpf-hook

OCI hook to trace syscalls and generate a seccomp profile
Go
280
star
22

podman.io_old

Repository for podman.io website using GitHub Pages.
CSS
259
star
23

bootc

Boot and upgrade via container images
Rust
250
star
24

ansible-podman-collections

Repository for Ansible content that can include playbooks, roles, modules, and plugins for use with the Podman tool
Python
233
star
25

container-selinux

SELinux policy files for Container Runtimes
Roff
227
star
26

podman-py

Python bindings for Podman's RESTful API
Python
215
star
27

gvisor-tap-vsock

A new network stack based on gVisor
Go
212
star
28

dnsname

name resolution for containers
Go
178
star
29

oci-spec-rs

OCI Runtime, Image and Distribution Spec in Rust
Rust
173
star
30

common

Location for shared common files in github.com/containers repos.
Go
161
star
31

conmon-rs

An OCI container runtime monitor written in Rust
Rust
157
star
32

aardvark-dns

Authoritative dns server for A/AAAA container records. Forwards other request to host's /etc/resolv.conf
Rust
151
star
33

docker-lvm-plugin

Docker volume plugin for LVM volumes
Go
148
star
34

virtcontainers

A Go package for building hardware virtualized container runtimes
Go
140
star
35

containrs

General purpose container library
Rust
122
star
36

ocicrypt

Encryption libraries for Encrypted OCI Container images
Go
121
star
37

fetchit

FetchIt is used to manage the life cycle and configuration of Podman containers
Go
109
star
38

prometheus-podman-exporter

Prometheus exporter for podman environments exposing containers, pods, images, volumes and networks information.
Go
105
star
39

bluechi

Bluechi is a systemd service controller intended for multi-node environments with a predefined number of nodes and with a focus on highly regulated ecosystems such as those requiring functional safety.
C
96
star
40

crun-vm

An OCI Runtime that enables Podman, Docker, and Kubernetes to run VM images.
Rust
78
star
41

Demos

Repository is a location of user demos for technologies listed on github.com/containers
Shell
77
star
42

shortnames

Shortnames project is collecting registry alias names for shortnames to fully specified container image names.
Python
66
star
43

libkrunfw

A dynamic library bundling the guest payload consumed by libkrun
C
59
star
44

psgo

A ps(1) AIX-format compatible golang library
Go
56
star
45

python-podman

Python bindings and code examples for using Varlink access to Podman Service
Python
50
star
46

nri-plugins

A collection of community maintained NRI plugins
Go
48
star
47

libocispec

a C library for accessing OCI runtime and image spec files
Python
47
star
48

tar-diff

Go
46
star
49

selinuxd

A daemon that manages SELinux policies on a filesystem
Go
37
star
50

podman-desktop-swift

Swift
34
star
51

podman.io

The new podman.io design project
TypeScript
33
star
52

podman-security-bench

Shell
33
star
53

initoverlayfs

C
32
star
54

nydus-storage-plugin

A storage plugin that provided CRI-O/Podman with the ability to lazy mount nydus images.
Go
30
star
55

buildah.io

Repository for the buildah.io web site using GitHub Pages.
HTML
27
star
56

BuildSourceImage

Tool to build a source image based on an existing OCI image
Shell
26
star
57

ansible-podman

Ansible podman is a package to allow ansible playbooks to manage podman containers
Python
26
star
58

oci-fetch

Simple command line tool for fetching the Open Container Initiative image format over various transports.
Go
23
star
59

podman-wsl-fedora

Root FS image of Fedora for Podman Machine on Windows
22
star
60

containertoolbx.org

Website for the Toolbx project
CSS
20
star
61

appstore

Example directory of Kubernetes YAML and Quadlets tested with Podman
Python
18
star
62

automation_images

Shell
17
star
63

containers-image-proxy-rs

containers-image-proxy-rs
Rust
17
star
64

qm

QM is a containerized environment for running Functional Safety qm (Quality Management) software
Shell
17
star
65

libhvee

Special purposed library for Windows HyperV control
Go
16
star
66

podman-machine-qemu

Qemu build for macOS used by the self-contained `podman machine` installer
Shell
16
star
67

oci-umount

C
13
star
68

docs

Repository for all documentation written about tools hosted at github.com/containers
Shell
12
star
69

automation

Automation scripts and configurations common across the containers org. repositories
Shell
12
star
70

netavark-dhcp-proxy-deprecated

DHCP proxy for Netavark
Rust
11
star
71

podman-desktop-extension-bootc

Support for bootable OS containers (bootc) and generating disk images
TypeScript
9
star
72

podhawk

Python
9
star
73

podman-machine-cni

Go
6
star
74

podman-desktop-catalog

Catalog of extensions of Podman Desktop
6
star
75

validator

C
6
star
76

arty

Arty is a tool for managing OCI Artifacts on OCI Registries.
6
star
77

automation_sandbox

Test-repository for experimenting with in-repo automation tools/settings.
Shell
4
star
78

kubensmnt

Shell
4
star
79

podman-desktop-e2e

Podman desktop e2e tests
Go
3
star
80

.github

The README for the containers organization
3
star
81

fetchit-desktop-extension

TypeScript
3
star
82

podman-desktop-extension-minikube

TypeScript
2
star
83

release-keys

2
star
84

podman-wsl-fedora-arm

Fedora ARM distribution for Podman Machine on WSL
2
star
85

ContainerPlumbing

Container Plumbing Conference information.
2
star
86

bootable

Ruby
2
star
87

nri-plugins-operator

Makefile
2
star
88

luksy

offline encryption/decryption using LUKS formats
Go
2
star
89

PodmanHello

Podman Hello Image Repository
Dockerfile
1
star
90

containers.github.io

HTML
1
star
91

winquit

golang module that supports graceful shutdown of Windows applications
Go
1
star
92

podman-installer

1
star
93

ai-lab-recipes

ai-studio-recipes
1
star