Leveraging virtio-vsock in the cloud and containers
A communication channel for isolated workloads
- Track: Virtualization and IaaS devroom
- Room: D.virtualization
- Day: Saturday
- Start: 11:30
- End: 12:15
- Video with Q&A: D.virtualization
- Video only: D.virtualization
- Chat: Join the conversation!
VM sockets (vsock) enable communication between hosts and VMs. The vsock use cases have grown over the recent years to also cover cloud and containers projects. Andra and Stefano will walk through the details of a set of projects focused on isolation that use vsock as a communication channel. Then they will present debugging tools and further work items for improving and adding new features for vsock.
In the last years, many projects have been developed to increase security and isolation in the cloud and containers, such as Kata Containers, Nitro Enclaves, and libkrun. All these projects leverage Linux KVM (Kernel-based virtual machines) to create a more isolated environment. They use VM sockets (vsock) to provide a communication channel between constrained and less constrained worlds, reducing the attack surface.
These VM sockets are provided by the AF_VSOCK address family and the virtio-vsock device. They offer a very simple configuration and the possibility to use POSIX sockets to communicate between hosts and VMs.
Andra and Stefano will give a brief introduction of AF_VSOCK and virtio-vsock. Then they will illustrate how the projects and features, mentioned at the beginning, use VM sockets. They will present a couple of demos to explain how to use several tools for easier debugging and performance evaluation of vsock.
At the end, they will share an overview of a set of new features such as namespaces, multiqueue, and shared memory. These are planned as future work to further grow the ecosystem for virtio-vsock.
Speakers
Andra Paraschiv | |
Stefano Garzarella |