A dynamic library providing Virtualization-based process isolation capabilities
libkrunis a dynamic library that allows programs to easily acquire the ability to run processes in a partially isolated environment using KVM Virtualization.
It integrates a VMM (Virtual Machine Monitor, the userspace side of an Hypervisor) with the minimum amount of emulated devices required to its purpose, abstracting most of the complexity that comes from Virtual Machine management, offering users a simple C API.
chroot, but more powerful).
libkrun, networking is implemented using a novel technique called socket-to-vsock impersonation. This allows the VM to have network connectivity without a virtual interface (hence,
virtio-netis not among the list of supported devices).
The current implementation of this technique, found part in this repository and the other part in the kernel patches included with libkrunfw is just a proof-of-concept. It's limited to IPv4 TCP and UNIX connections, only supports recv/send operations, and the implementation itself is still quite hacky. We expect this technique to mature within
libkrun, so it can be eventually upstreamed into the Linux kernel and other VMMs.
As, by default,
glibcwill use UDP for DNS requests, which is not yet supported by the socket-to-vsock impersonation technique described above, name resolution will fail with the default configuration. To work around this, you need to add the following line to the
/etc/resolv.confof the root filesystem servicing the isolated process:
sudo make install
As part of
libkrunbuilding process, it's necessary to produce a Linux ELF binary from init/init.c. The easiest way to do this is by using a binary version of krunvm and its dependencies (libkrunfw, and
libkrunitself), such as the one available in the krunvm Homebrew repo, and then executing the buildonkrunvm.sh script found in this repository.
This will create a lightweight Linux VM using
krunvmwith the current working directory mapped inside it, and produce the Linux ELF binary from init/init.c.
Despite being written in Rust, this library provides a simple C API defined in include/libkrun.h
This is a simple example providing
chroot-like functionality using
cd examples make
To be able to
chroot_vm, you need first a directory to act as the root filesystem for your isolated program.
rootfstarget to get a rootfs prepared from the Fedora container image (note: you must have podman installed):
Now you can use
chroot_vmto run a process within this new root filesystem:
./chroot_vm ./rootfs_fedora /bin/sh
libkrunfwlibraries were installed on a path that's not included in your
/etc/ld.so.confconfiguration, you may get an error like this one:
./chroot_vm: error while loading shared libraries: libkrun.so: cannot open shared object file: No such file or directory
To avoid this problem, use the
LD_LIBRARY_PATHenvironment variable to point to the location where the libraries were installed. For example, if the libraries were installed in
/usr/local/lib64, use something like this:
LD_LIBRARY_PATH=/usr/local/lib64 ./chroot_vm rootfs/ /bin/sh
libkrunis still in a very early development stage.
Our first priority now is getting feedback from potential users of the library, to build a Community around it that would help us set the priorities and shape it to be useful for them.
libkrunincorporates code from Firecracker, rust-vmm and Cloud-Hypervisor.