
Less overhead, strong isolation: Running containers in minimal specialized Linux VMs

UD2.218A | Day 1 | 17:20 - 17:40 | Speakers: Charalampos Mainas, Anastassios Nanos



Abstract

Containers have become the preferred solution for cloud-native applications due to their lightweight nature and scalability. However, their security limitations, in particular the kernel they share with the host, have led to a renewed interest in traditional VMs for stronger isolation. Technologies like kata-containers enhance security by running containers inside microVMs, offering better isolation, but they introduce complexity and overhead. Specifically, the container runtimes spawn additional processes to manage the container within the VM, adding extra layers of complexity and resource consumption.

This talk examines the pros and cons of sandboxed container runtimes, focusing on the added complexity of auxiliary processes. It then proposes a more efficient and streamlined approach based on the unikernel paradigm, where only the application and its dependencies are running. Rather than using strict unikernels, it explores how containers can run inside specialized, stripped-down Linux VMs, containing only the components required by the application and without additional services. This is achieved through urunc, a CRI-compatible container runtime that treats unikernels like standard containers, managing the user application via the VM process.


Speakers

Charalampos Mainas
Anastassios Nanos
