diff --git a/labs/lab12/analysis/cpu-comparison.txt b/labs/lab12/analysis/cpu-comparison.txt
new file mode 100644
index 00000000..a284a2ce
--- /dev/null
+++ b/labs/lab12/analysis/cpu-comparison.txt
@@ -0,0 +1,5 @@
+=== CPU Model Comparison ===
+Host CPU:
+model name : 12th Gen Intel(R) Core(TM) i5-12450H
+Kata VM CPU:
+model name : 12th Gen Intel(R) Core(TM) i5-12450H
diff --git a/labs/lab12/analysis/kernel-comparison.txt b/labs/lab12/analysis/kernel-comparison.txt
new file mode 100644
index 00000000..7efa9b61
--- /dev/null
+++ b/labs/lab12/analysis/kernel-comparison.txt
@@ -0,0 +1,3 @@
+=== Kernel Version Comparison ===
+Host kernel (runc uses this): 6.6.87.2-microsoft-standard-WSL2
+Kata guest kernel: Linux version 5.15.26 (root@94239f575d46) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #2 SMP Wed Jul 6 07:12:59 UTC 2022
diff --git a/labs/lab12/bench/curl-3012.txt b/labs/lab12/bench/curl-3012.txt
new file mode 100644
index 00000000..7b96c29b
--- /dev/null
+++ b/labs/lab12/bench/curl-3012.txt
@@ -0,0 +1,50 @@
+0.011392
+0.006857
+0.005947
+0.007598
+0.006822
+0.005746
+0.005602
+0.008163
+0.006453
+0.005460
+0.005426
+0.005672
+0.004593
+0.005081
+0.006454
+0.005125
+0.006006
+0.005469
+0.005213
+0.004983
+0.005476
+0.006958
+0.005629
+0.005242
+0.005381
+0.005911
+0.005992
+0.004939
+0.005596
+0.005837
+0.005786
+0.006522
+0.004187
+0.003514
+0.002917
+0.003163
+0.003706
+0.004155
+0.004984
+0.006323
+0.005040
+0.004924
+0.005257
+0.003554
+0.003465
+0.003371
+0.003773
+0.004019
+0.005011
+0.005558
diff --git a/labs/lab12/bench/http-latency.txt b/labs/lab12/bench/http-latency.txt
new file mode 100644
index 00000000..7c460df0
--- /dev/null
+++ b/labs/lab12/bench/http-latency.txt
@@ -0,0 +1,3 @@
+=== HTTP Latency Test (juice-runc) ===
+Results for port 3012 (juice-runc):
+avg=0.0054s min=0.0029s max=0.0114s n=50
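Review bot: The kernel comparison records only the two kernel versions, yet for Kata the isolation boundary is the hypervisor/VMM, and nothing in the visible part of this commit records which VMM and version the guest ran under. The guest kernel line shows a 5.15.26 build dated Wed Jul 6 2022, so the analysis should state that the separate-kernel benefit holds only while that guest kernel and the VMM are kept patched. Adding a line such as `VMM: <hypervisor name and version>` to this file would make the comparison complete.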
diff --git a/labs/lab12/bench/startup.txt b/labs/lab12/bench/startup.txt
new file mode 100644
index 00000000..243b2014
--- /dev/null
+++ b/labs/lab12/bench/startup.txt
@@ -0,0 +1,9 @@
+=== Startup Time Comparison ===
+runc:
+sudo nerdctl run --rm alpine:3.19 echo "test" 2>&1 0.01s user 0.01s system 1% cpu 1.221 total
+grep --color=auto --exclude-dir={.bzr,CVS,.git,.hg,.svn,.idea,.tox,.venv,venv 0.00s user 0.00s system 0% cpu 1.221 total
+tee -a labs/lab12/bench/startup.txt 0.00s user 0.00s system 0% cpu 1.222 total
+Kata:
+sudo nerdctl run --rm --runtime io.containerd.kata.v2 alpine:3.19 echo "test" 0.00s user 0.01s system 0% cpu 2.522 total
+grep --color=auto --exclude-dir={.bzr,CVS,.git,.hg,.svn,.idea,.tox,.venv,venv 0.00s user 0.00s system 0% cpu 2.522 total
+tee -a labs/lab12/bench/startup.txt 0.00s user 0.00s system 0% cpu 2.523 total
\ No newline at end of file
diff --git a/labs/lab12/isolation/dmesg.txt b/labs/lab12/isolation/dmesg.txt
new file mode 100644
index 00000000..50882197
--- /dev/null
+++ b/labs/lab12/isolation/dmesg.txt
@@ -0,0 +1,7 @@
+=== dmesg Access Test ===
+Kata VM (separate kernel boot logs):
+time="2025-11-13T05:23:12+03:00" level=warning msg="cannot set cgroup manager to \"systemd\" for runtime \"io.containerd.kata.v2\""
+[ 0.000000] Linux version 5.15.26 (root@94239f575d46) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #2 SMP Wed Jul 6 07:12:59 UTC 2022
+[ 0.000000] Command line: tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 console=hvc0 console=hvc1 debug panic=1 nr_cpus=12 scsi_mod.scan=none agent.log=debug
+[ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
+[ 0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
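Review bot: Each startup figure is a single sample, and what was timed is the whole `nerdctl | grep | tee` pipeline (three timing lines per runtime, all showing the same total), so the 1.221s versus 2.522s totals include sudo, a grep shell alias (`--color=auto --exclude-dir={…}` is visible in the captured command) and tee, not just container start. A one-shot measurement also cannot separate VM boot cost from image-cache state, which the file does not record. Repeating the run as curl-3012.txt does (n=50) and timing only the nerdctl invocation would make the comparison defensible; a header such as `n=<runs>, timed command: <command>, image cached: <yes/no>` would document what the numbers mean.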
diff --git a/labs/lab12/isolation/modules.txt b/labs/lab12/isolation/modules.txt
new file mode 100644
index 00000000..b6fdfe47
--- /dev/null
+++ b/labs/lab12/isolation/modules.txt
@@ -0,0 +1,3 @@
+=== Kernel Modules Count ===
+Host kernel modules: 219
+Kata guest kernel modules: 65
diff --git a/labs/lab12/isolation/network.txt b/labs/lab12/isolation/network.txt
new file mode 100644
index 00000000..056cb82f
--- /dev/null
+++ b/labs/lab12/isolation/network.txt
@@ -0,0 +1,14 @@
+=== Network Interfaces ===
+Kata VM network:
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: eth0: mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
+ link/ether e2:b2:ca:41:5d:dc brd ff:ff:ff:ff:ff:ff
+ inet 10.4.0.13/24 brd 10.4.0.255 scope global eth0
+ valid_lft forever preferred_lft forever
+ inet6 fe80::e0b2:caff:fe41:5ddc/64 scope link tentative
+ valid_lft forever preferred_lft forever
diff --git a/labs/lab12/isolation/proc.txt b/labs/lab12/isolation/proc.txt
new file mode 100644
index 00000000..d39a472e
--- /dev/null
+++ b/labs/lab12/isolation/proc.txt
@@ -0,0 +1,3 @@
+=== /proc Entries Count ===
+Host: 160
+Kata VM: 52
diff --git a/labs/lab12/kata/cpu.txt b/labs/lab12/kata/cpu.txt
new file mode 100644
index 00000000..5b746475
--- /dev/null
+++ b/labs/lab12/kata/cpu.txt
@@ -0,0 +1 @@
+model name : 12th Gen Intel(R) Core(TM) i5-12450H
diff --git a/labs/lab12/kata/kernel.txt b/labs/lab12/kata/kernel.txt
new file mode 100644
index 00000000..73512881
--- /dev/null
+++ b/labs/lab12/kata/kernel.txt
@@ -0,0 +1 @@
+5.15.26
diff --git a/labs/lab12/kata/test1.txt b/labs/lab12/kata/test1.txt
new file mode 100644
index 00000000..bd4c1bb2
--- /dev/null
+++ b/labs/lab12/kata/test1.txt
@@ -0,0 +1 @@
+Linux 443af894bed9 5.15.26 #2 SMP Wed Jul 6 07:12:59 UTC 2022 x86_64 Linux
diff --git a/labs/lab12/runc/health.txt b/labs/lab12/runc/health.txt
new file mode 100644
index 00000000..848dc384
--- /dev/null
+++ b/labs/lab12/runc/health.txt
@@ -0,0 +1 @@
+juice-runc: HTTP 200
diff --git a/labs/lab12/scripts/configure-containerd-kata.sh b/labs/lab12/scripts/configure-containerd-kata.sh
old mode 100755
new mode 100644
diff --git a/labs/lab12/scripts/install-kata-assets.sh b/labs/lab12/scripts/install-kata-assets.sh
old mode 100755
new mode 100644
diff --git a/labs/lab12/setup/kata-build/kata-containers b/labs/lab12/setup/kata-build/kata-containers
new file mode 160000
index 00000000..92758a17
--- /dev/null
+++ b/labs/lab12/setup/kata-build/kata-containers
@@ -0,0 +1 @@
+Subproject commit 92758a17fe7fe7f9be04799f6d9eb7f58d7630c3
diff --git a/labs/lab12/setup/kata-built-version.txt b/labs/lab12/setup/kata-built-version.txt
new file mode 100644
index 00000000..b664289e
--- /dev/null
+++ b/labs/lab12/setup/kata-built-version.txt
@@ -0,0 +1,2 @@
+Kata Containers containerd shim (Rust): id: io.containerd.kata.v2, version: 3.22.0, commit:
+e2a8815ba46360acb8bf89a2894b0d437dc8548a
diff --git a/labs/submission12.md b/labs/submission12.md
new file mode 100644
index 00000000..b68f159f
--- /dev/null
+++ b/labs/submission12.md
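Review bot: Both configure-containerd-kata.sh and install-kata-assets.sh lose their executable bit here (old mode 100755, new mode 100644) with no content change, which looks accidental — plausibly a checkout through a WSL/Windows filesystem — and will make direct `./script.sh` invocation fail with permission denied while invoking the scripts via `bash` still works. Restore the bit with `git update-index --chmod=+x labs/lab12/scripts/configure-containerd-kata.sh` and the same for install-kata-assets.sh, or state in the lab README that the scripts are meant to be run through `bash`.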
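Review bot: The new gitlink at labs/lab12/setup/kata-build/kata-containers (Subproject commit 92758a17…) has no accompanying .gitmodules change in the visible part of this diff, so a fresh clone has no URL for the submodule and `git submodule update --init` cannot populate it; either add the .gitmodules entry or keep the build tree out of the repository. The pinned commit also differs from the commit the built shim reports in kata-built-version.txt (e2a8815…), so it is unclear which sources produced the 3.22.0 binary; record the build provenance next to the version file, e.g. `built from: <source commit>, build command: <command>`.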
@@ -0,0 +1,174 @@
+# Task 1 — Install and Configure Kata
+
+## Shim
+
+`containerd-shim-kata-v2 --version`:
+
+```bash
+Kata Containers containerd shim: id: "io.containerd.kata.v2", version: 3.0.0, commit: e2a8815ba46360acb8bf89a2894b0d437dc8548a
+```
+## Successful Test Run
+
+`sudo nerdctl run --rm -it --runtime io.containerd.kata.v2 alpine uname -a`:
+
+```bash
+Linux 36bf81b37e46 5.15.26 #2 SMP Wed Jul 6 07:12:59 UTC 2022 x86_64 Linux
+```
+
+---
+
+# Task 2 — Run and Compare Containers (runc vs kata)
+
+## `juice-runc` health check
+
+```bash
+juice-runc: HTTP 200
+```
+
+## Kata Containers Running Successfully
+
+`sudo nerdctl run -d --runtime io.containerd.kata.v2 --name kata-test alpine sleep 60`
+
+`sudo nerdctl ps `:
+
+```bash
+CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
+e30b6cd128b3 docker.io/library/alpine:latest "sleep 60" 5 seconds ago Up kata-test
+80ee39416d88 docker.io/bkimminich/juice-shop:v19.0.0 "/nodejs/bin/node /j…" 9 minutes ago Up 0.0.0.0:3012->3000/tcp juice-runc
+```
+
+```sudo nerdctl inspect kata-test | grep -i runtime```:
+
+```bash
+"Runtime": "io.containerd.kata.v2",
+"CpuRealtimeRuntime": 0,
+```
+
+## Kernel Versions Comparision
+
+1. **Host Kernel**:
+ - 6.6.87.2-microsoft-standard-WSL2
+
+2. **Kata Guest Kernel**:
+ - Linux version 5.15.26 (root@94239f575d46) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #2 SMP Wed Jul 6 07:12:59 UTC 2022
+
+## CPU Models Comparision
+
+1. Host CPU:
+ - **model name**: 12th Gen Intel(R) Core(TM) i5-12450H
+
+2. Kata VM CPU:
+ - **model name**: 12th Gen Intel(R) Core(TM) i5-12450H
+
+## Isolation Implications
+
+| Characteristic | runc | Kata Containers |
+|------------------------------|-----------------------------------------------|------------------------------------------------------|
+| Isolation type | Process-based (Linux namespaces & cgroups) | Hardware-assisted virtualization (KVM / QEMU VM) |
+| Kernel | Shared with the host | Separate guest kernel |
+| Security level | Basic process isolation | Strong VM-level isolation |
+| Performance | Higher (lightweight, fast startup) | Slightly lower (VM overhead) |
+| Resource usage | Low (shared host kernel and resources) | Higher (each VM has its own kernel and memory) |
+| Kernel escape risk | Possible (containers share host kernel) | Very low (guest kernel is isolated via hypervisor) |
+
+---
+
+# Task 3 — Isolation Tests
+
+## `dmesg` Output Differences
+
+```bash
+Kata VM (separate kernel boot logs):
+[ 0.000000] Linux version 5.15.26 (root@94239f575d46) (gcc (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0, GNU ld (GNU Binutils for Ubuntu) 2.34) #2 SMP Wed Jul 6 07:12:59 UTC 2022
+[ 0.000000] Command line: tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k cryptomgr.notests net.ifnames=0 pci=lastbus=0 console=hvc0 console=hvc1 debug panic=1 nr_cpus=12 scsi_mod.scan=none agent.log=debug
+[ 0.000000] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point registers'
+[ 0.000000] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
+```
+
+## `/proc` filesystem visibility comparison
+
+- **Host**: 160
+- **Kata VM**: 52
+
+## Network Interface Configuration in Kata VM
+
+```bash
+Kata VM network:
+1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
+ link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
+ inet 127.0.0.1/8 scope host lo
+ valid_lft forever preferred_lft forever
+ inet6 ::1/128 scope host
+ valid_lft forever preferred_lft forever
+2: eth0: mtu 1500 qdisc pfifo_fast state DOWN qlen 1000
+ link/ether e2:b2:ca:41:5d:dc brd ff:ff:ff:ff:ff:ff
+ inet 10.4.0.13/24 brd 10.4.0.255 scope global eth0
+ valid_lft forever preferred_lft forever
+ inet6 fe80::e0b2:caff:fe41:5ddc/64 scope link tentative
+ valid_lft forever preferred_lft forever
+```
+
+## Kernel Module Counts
+
+- **Host kernel modules**: 219
+- **Kata guest kernel modules**: 65
+
+## Isolation Boundary Differences
+
+Runtime | Isolation Boundary | Description |
+|--------------|------------------------|-----------------|
+| runc | Linux kernel (namespaces, cgroups, seccomp) | All containers share the same host kernel, using Linux namespaces and cgroups for process isolation |
+| Kata Containers | Virtual Machine boundary (hardware virtualization via KVM/QEMU) | Each container runs inside its own lightweight VM with a separate guest kernel, creating a strong boundary between host and container |
+
+## Security Implications
+
+| Scenario | runc | Kata Containers |
+|---------------|-----------|----------------------|
+| Container escape | Possible — if a vulnerability in the host kernel or container runtime is exploited, an attacker can escape to the host | Highly unlikely — each container runs in a separate VM, and the hypervisor layer prevents direct access to the host kernel |
+| Attack surface | Larger — containers share the same kernel and system calls | Smaller — isolation through hardware virtualization greatly limits host exposure |
+| Trade-off | Better performance, weaker isolation | Stronger isolation, slightly higher resource overhead |
+
+---
+
+# Task 4 — Performance Comparison
+
+## Startup Time Comparison
+
+`runc`:
+1. `sudo nerdctl run --rm alpine:3.19 echo "test" 2>&1`: 0.01s user 0.01s system 1% cpu 1.221 total
+2. `grep --color=auto --exclude-dir={.bzr,CVS,.git,.hg,.svn,.idea,.tox,.venv,venv}`: 0.00s user 0.00s system 0% cpu 1.221 total
+3. `tee -a labs/lab12/bench/startup.txt`: 0.00s user 0.00s system 0% cpu 1.222 total
+
+
+`Kata`:
+1. `sudo nerdctl run --rm --runtime io.containerd.kata.v2 alpine:3.`: 19 echo "test": 0.00s user 0.01s system 0% cpu 2.522 total
+2. `grep --color=auto --exclude-dir={.bzr,CVS,.git,.hg,.svn,.idea,.tox,.venv,venv}`: 0.00s user 0.00s system 0% cpu 2.522 total
+3. `tee -a labs/lab12/bench/startup.txt`: 0.00s user 0.00s system 0% cpu 2.523 total
+
+
+## HTTP Latency for `juice-runc` Baseline
+
+**Results for `juice-runc`**:
+- **avg**: 0.0054s
+- **min**: 0.0029s
+- **max**: 0.0114s
+- **n**: 50
+
+## Performance Tradeoffs Analysis
+
+| Metric | runc | Kata Containers | Notes |
+|-------------|-----------|----------------------|------------|
+| Startup overhead | Minimal | Higher | VM boot time adds extra startup delay |
+| Runtime overhead | Low | Slightly higher | Virtualization layer adds some I/O and memory latency |
+| CPU overhead | Negligible | Small | Due to KVM context switches and VM management |
+
+---
+
+## When to Use Each Interpretation
+
+| Use Case | Recommended Runtime | Reason |
+|---------------|--------------------------|-------------|
+| Fast startup and low latency workloads | runc | Best for microservices, CI pipelines, and short-lived containers |
+| Security-sensitive workloads | Kata Containers | Strong isolation (VM boundary) prevents container escape and kernel exploits |
+| Untrusted or multi-tenant environments | Kata Containers | Each container runs in a dedicated VM, reducing cross-tenant risk |
+| High-performance single-tenant systems | runc | Less overhead, full access to host kernel performance |