Runq – Runc-based runtime to run regular Docker images in KVM/Qemu (github.com)
71 points by sandGorgon 3 months ago | 16 comments

I would assume Clear Containers[1] are more lightweight solution, and they also leverage KVM/Qemu for isolation purposes.

[1] https://github.com/clearcontainers/runtime

Or Kata containers or Hyper.sh. There's so much going on, it's hard to keep up or even tell the difference. Kata is an initiative by the OpenStack foundation and somehow a mix of Clear and Hyper as far as I can tell.

Kata is the merge of ClearContainer and Hyper's runV.

Disclosure: I work at Hyper.sh

Note that Clear Containers, the runtime, has been replaced by kata-containers[0], which is a merge with runv[1].

[0]: https://github.com/kata-containers

[1]: https://github.com/hyperhq/runv

I'm not very familiar with this problem space. Could someone explain what this is useful for, and why you'd want to use it? What are the problems that it solves? I looked through the README, but I'm a bit lost.

You can use Dockerfile (easy to start, large ecosystem) to build and launch a VM (presumably more secure).

Simply put, it allows you to run multiple tenants' code (images) over shared infrastructure.

Think about why all public clouds are built with virtualization technology. Multi-tenancy requires strong isolation, which virtualization promises. Therefore, if we could get strong isolation in containers, we could build a public cloud with containers.

You get a fair bit more isolation between the container and the host, which could help with security.

Ok, I'll say it. I think we need efficient arbitrary depth nesting of containers.

Sure, it is incredibly bloaty.

But so is the way, say, npm works.

Bloaty apps often provide a ton of programmer convenience.

And history tells us that programmer convenience usually wins.

Docker style development already usually means bundling tons of redundant dependencies everywhere.

Let's just take that further, and hold your nose.

Isn’t that entirely possible with regular containers, but it’s mostly Docker’s client/server model getting in the way?

I agree with you we need this, though. I’m frequently running CI in Docker, and this makes launching a new container from CI a pain.

See also: user-mode Linux. I think it's a good idea but it's not really maintained and never really worked well as far as I know.

Google is also working on a shim that intercepts system calls in userspace to simulate having more privileges.

But user mode Linux is a real full kernel!

This is the link you are looking for: https://github.com/google/gvisor

There is also HyperD: https://github.com/hyperhq/hyperd

Hyperd has been merged into Kata (katacontainers.io).

User-mode Linux is a good enough system that people were making money off hosting UML VMs before KVM was usable.

Very nice, but the bummer for me is:

  Limitations (not supported):
    - docker exec
    - docker swarm

Especially the 'exec' part.
