[Sandbox] Kuasar

Application contact emails

Maintainers

[email protected],
[email protected],
[email protected]

Champions

[email protected],
[email protected]

Project Summary

Kuasar (Quasar in Kubernetes) is a low-level container runtime that provides multiple sandbox container solutions.

Project Description

Isolation techniques are being integrated into the container world, including microVM, WebAssembly, application kernel, unikernel, and confidential computing. These techniques create an isolated environment for running containers. That is referred to as a "sandbox".

However, the concept of a sandbox is not well-defined in container runtimes like containerd. Its semantics are unclear and imitated by the "pause container", and its management is mixed into container management. We believe it's time to introduce the concept of a "sandboxer" that handles the sandbox lifecycle and resource management independently. Thus, Kuasar was born.

Kuasar is a low-level container runtime that offers multiple sandbox container solutions. It provides several "sandboxer" implementations for microVM, WebAssembly runtime, and application kernel sandbox. Kuasar consists of two main modules: one, called "sandboxer", handles sandbox lifecycle management, while the other, named "task", manages the lifecycle of all containers within a sandbox.

Kuasar features:

  • Unified Sandbox Abstraction: Kuasar introduces a unified abstraction for various sandbox types, along with a suite of interfaces for seamless integration and efficient management. Finally, it's safe to say that the "sandbox" concept has now emerged as a first-class citizen in the container world.
  • Multi-Sandbox Colocation: Kuasar comes with built-in support for popular sandboxes, enabling users to deploy multiple sandboxes on the same node according to their specific requirements for security, isolation, speed, and standardization. This versatility equips Kuasar with the capability to deploy both online and offline services.
  • Optimized Framework: Kuasar has developed an optimized framework using the Rust programming language, bringing about a higher level of performance and a more streamlined architecture. The benchmark test results showed that Kuasar's vmm sandbox startup speed was 2x, and the resource overhead for management was reduced by 99%.

Org repo URL (provide if all repos under the org are in scope of the application)

https://github.com/kuasar-io

Project repo URL in scope of application

https://github.com/kuasar-io/kuasar

Additional repos in scope of the application

https://github.com/kuasar-io/containerd,
https://github.com/kuasar-io/rust-extensions,
https://github.com/kuasar-io/web

Website URL

https://kuasar.io/

Roadmap

https://github.com/kuasar-io/kuasar/blob/main/ROADMAP.md

Roadmap context

Kuasar is actively inviting additional sandbox technologies to join its ecosystem, so these sandboxes are planned in the roadmap. In addition, Kuasar is interested in the following features:

  • Limit container by CgroupV2
  • Kubernetes DRA and NRI
  • Ability for Tracing
  • Container Checkpointing
  • In-place Update of Pod Resources
  • Image Distribution Acceleration
  • eBPF monitoring
  • Running vm on Container OS

Contributing Guide

https://github.com/kuasar-io/kuasar/blob/main/CONTRIBUTING.md

Code of Conduct (CoC)

https://github.com/kuasar-io/kuasar/blob/main/CODE_OF_CONDUCT.md

Adopters

https://github.com/kuasar-io/kuasar/blob/main/ADOPTERS.md

Contributing or Sponsoring Org

Huawei
Agricultural Bank of China
WasmEdge
openEuler
QuarkContainer

Maintainers file

https://github.com/kuasar-io/kuasar/blob/main/MAINTAINERS.md

IP Policy

  • If the project is accepted, I agree the project will follow the CNCF IP Policy

Trademark and accounts

  • If the project is accepted, I agree to donate all project trademarks and accounts to the CNCF

Why CNCF?

To expand the range of sandbox runtime solutions, Kuasar maintains an open and neutral attitude towards sandbox technologies. This aligns seamlessly with CNCF's mission to foster and sustain an ecosystem of open source and vendor-neutral projects. Given CNCF's extensive user base, leveraging CNCF's platform will enable Kuasar to benefit more and more organizations and companies.

Benefit to the Landscape

Given the diversity of cloud native scenarios and user requirements, many sandbox container runtime solutions have been proposed. Supporting the simultaneous execution of these various runtimes increases the complexity of operation and maintenance. Additionally, smoothly embracing new sandbox technology can also be challenging.

The benefit could be:

  1. Kuasar allows users to customize sandbox container runtime solutions according to their specific needs. Its unified sandbox abstraction simplifies operation and maintenance and solves the problem of integrating new sandbox technologies.
  2. Kuasar's emergence promotes a tighter integration of sandbox isolation technology with Kubernetes, fostering further development in both domains.
  3. The participation of Kuasar also enriches the container runtime of the CNCF landscape, attracting a more extensive community of developers and users.

Cloud Native 'Fit'

Landscape: Runtime - Container Runtime
Kuasar, as a low-level container runtime on a cloud computing node, will handle the specific lifecycle management of Kubernetes pods, creating the sandbox environment and running containers. So it fits in "Runtime" and "Container Runtime".

TAGs: TAG Runtime
The participation of Kuasar in the tag-runtime group will raise discussions about the integration of sandboxes within Kubernetes, particularly in conjunction with containerd. These discussions present an opportunity to enhance the Kubernetes ecosystem, especially the WebAssembly sandbox.

Cloud Native 'Integration'

Northbound: Kuasar will interact with the high-level container runtimes implementing CRI to manage a container. Complements the following project:

Southbound: Kuasar will create a sandbox instance and start containers inside it. Depends on the following project:

Cloud Native Overlap

Not just runwasi, but also kata-shim, firecracker-containerd, and runsc have their own considerations when defining the sandbox. Consequently, their diverse implementations introduce challenges for operations and maintenance engineers to toggle runtimes and identify problems. To address this, Kuasar is introduced to simplify the management of different sandboxes and provide some implementations based on popular sandboxes.

Similar projects

containerd/runwasi supports integrating Kubernetes with wasm workloads,
kata-containers supports integrating Kubernetes with lightweight VMs,
gVisor/runsc supports integrating Kubernetes with the gVisor sandbox,
firecracker-containerd supports integrating Kubernetes with Firecracker microVMs.

Landscape

https://landscape.cncf.io/?selected=kuasar

Business Product or Service to Project separation

N/A

Project presentations

CNCF TAG Runtime Presentation:
https://docs.google.com/document/d/1k7VNetgbuDNyIs_87GLQRH2W5SLgjgOhB6pDyv89MYk/edit#heading=h.otyvkecgzybr
Slide: https://docs.google.com/presentation/d/1SKMaCuwJI5jU2hGkB3ns14i5xLqOolDMJZfZBW70E7k/edit#slide=id.g23d32d0c81c_0_112

Project champions

@kevin-wangzefeng
@juntao

Additional information

N/A
