当前位置: 首页 > 软件库 > 云计算 > >

firecracker-containerd

授权协议 Apache-2.0 License
开发语言 C/C++
所属分类 云计算
软件类型 开源软件
地区 不详
投 递 者 郎鸿雪
操作系统 跨平台
开源组织
适用人群 未知
 软件概览

firecracker-containerd

GitHub Actions

This repository enables the use of a container runtime,containerd, to manageFirecracker microVMs.Like traditional containers, Firecracker microVMs offer fast start-up andshut-down and minimal overhead. Unlike traditional containers, however, theycan provide an additional layer of isolation via the KVM hypervisor.

Potential use cases of Firecracker-based containers include:

  • Sandbox a partially or fully untrusted third party containerin its own microVM. This would reduce the likelihood ofleaking secrets via the third party container, for example.
  • Bin-pack disparate container workloads on the same host,while maintaining a high level of isolation between containers. Becausethe overhead of Firecracker is low, the achievable containerdensity per host should be comparable torunning containers using kernel-based container runtimes,without the isolation compromise of such solutions. Multi-tenanthosts would particularly benefit from this use case.

To maintain compatibility with the container ecosystem, where possible, we usecontainer standards such as the OCI image format.

There are several components in this repository that enable containerd to useFirecracker microVMs to run containers:

  • A control plugin managing the lifecycle of theruntime and implementing our control API tomanage the lifecycle of microVMs. The control plugin is compiled in to thecontainerd binary since building a Go plugin out-of-tree is hard,which requires us to build a specialized containerd binary forfirecracker-containerd.
  • A runtime linking containerd (outside the microVM) to theFirecracker virtual machine monitor (VMM). The runtime is implemented as anout-of-processshim runtimecommunicating over ttrpc.
  • An agent running inside the microVM, which invokesrunC via containerd's containerd-shim-runc-v1to create standard Linux containers inside the microVM.
  • A root file filesystem image builder thatconstructs a firecracker microVM root filesystem containing runc andthe firecracker-containerd agent.

For more detailed information on the components and how they work, seearchitecture.md.

Roadmap

To support the widest variety of workloads, firecracker-containerd has to workwith popular container orchestration frameworks such as Kubernetes and AmazonECS, so we will work to ensure that the software is conformant or compatiblewhere necessary. The project currently allows you to launch a few containerscolocated in the same microVM, and we are exploring how to raise the number ofcontainers. We recently added support for configuring networking at the microVMlevel with CNI plugins and provide a CNI plugin suitable for chaining called"tc-redirect-tap". Our short term roadmap includes constraining or "jailing"the Firecracker VMM process to improve the host security posture. Ourlonger-term roadmap includes polishing, packaging, and generally makingfirecracker-containerd easier to run as well as exploring CRI conformance andcompatibility with Kubernetes.

Details of specific roadmap items are tracked in GitHubissues.

Usage

For detailed instructions on building and runningfirecracker-containerd, see thegetting started guide and thequickstart guide.

Questions?

Please use GitHubissues toreport problems, discuss roadmap items, or make feature requests.

If you've discovered an issue that may have security implications tousers or developers of this software, please do not report it usingGitHub issues, but instead followFirecracker's security reportingguidelines.

Other discussion: For general discussion, please join us in the #containerdchannel on the Firecracker Slack.

License

This library is licensed under the Apache 2.0 License.

  • Kubernetes 1.20 版开始废除了对 dockershim 的支持,改用 Containerd 作为默认的容器运行时。本文将介绍 Containerd 中的 “shim” 接口。 每一个 Containerd 或 Docker 容器都有一个相应的 “shim” 守护进程,这个守护进程会提供一个 API,Containerd 使用该 API 来管理容器基本的生命周期(启动/停止),在容器中

 相关资料
  • Firecracker 是一种专门用于创建和管理多租户容器和基于函数的服务的虚拟化技术。 使用 Rust 开发,旨在加快 AWS Lambda 和 AWS Fargate 等服务的速度和效率。它是一种虚拟化技术,提供 Serverless 操作模型,专门用于创建和管理多租户容器与基于函数的服务。Firecracker 在轻量级虚拟机中运行工作负载,AWS 将其称为 microVM,它结合了硬件虚拟

  • 本文向大家介绍再见 Docker如何5分钟转型 containerd,包括了再见 Docker如何5分钟转型 containerd的使用技巧和注意事项,需要的朋友参考一下 Docker作为非常流行的容器技术,之前经常有文章说它被K8S弃用了,取而代之的是另一种容器技术containerd!其实containerd只是从Docker中分离出来的底层容器运行时,使用起来和Docker并没有啥区别,本文

  • 问题内容: 这些东西现在真的变得很困惑。有人可以解释发生了什么吗?只是直线的一线差异。 谢谢 问题答案: dockerd -Docker守护程序本身。列表中最高级的组件,也是列出的唯一“ Docker”产品。提供Docker的所有出色的UX功能。 (docker-)containerd- 还有一个守护程序,在Unix套接字上侦听,公开gRPC端点。处理所有底层容器管理任务,存储,图像分发,网络附件

  • Containerd 是行业标准的容器运行时,强调简单性、稳健性和可移植性。它可以作为Linux和Windows的守护进程,可以管理其主机系统的完整容器生命周期:图像传输和存储,容器执行和监督,低级存储和网络附件等。 Containerd 是一个控制 runC 的守护进程,主要是为了性能和密度。Containerd 提供一个命令行客户端和 API,在一个机器上管理容器。Containerd 使用

相关阅读

相关文章

相关问答

相关文档