
Re: [MirageOS-devel] Unikernel talk deck



On 31 Oct 2014, at 09:53, Malte Schwarzkopf <ms705@xxxxxxxxx> wrote:
> 
> Hi Russ,
> 
> While not really a Mirage-ite myself (I just lurk on the mailing list
> out of interest), I thought I should point out one small correction to
> this (excellent) slide deck:
> 
> On slide 6, you say that "Google & others run Docker in VMs when they
> need security". While the security drawbacks of containers are clear,
> this statement isn't quite true at least for Google. What they do is the
> opposite: they run VMs *inside* containers (no doubt for the same
> security reasons). This talk by John Wilkes states very clearly that
> they run KVM instances inside containers:
> https://www.youtube.com/watch?v=VQAAkO5B5Hg (at 22:50--23:10).
> 

Indeed, there's a subtle distinction here with two deployment models:

- In Google's case, they run KVM inside Docker to protect the backend
  devices (i.e. qemu) from having too much system access in case a VM
  exploit takes out qemu.  KVM doesn't support disaggregation to the
  same level as Xen, so multiple VMs are very dependent on the isolation
  afforded to their respective qemus, whereas Xen can deploy driver
  domains (see Xoar etc).

- In a multitenant situation, running Docker inside a VM is the only
  way to have proper isolation between the two untrusted parties.  This
  is because containers are a fairly wide API, and the Linux kernel
  isn't fully 'container-friendly' until everything is migrated over.

Russ: I'll mail you PDF versions of the images you use.  Minor point
is that it's spelt "OCaml" and not "Ocaml".  You may also want to 
mention that Xen 4.5/Mirage has improved support for ARM unikernels
as well, which is a new and not very well-known feature yet.

cheers,
Anil


> Just a minor point, but given that the information is out there, it
> makes sense to be accurate (especially given the mystery that usually
> surrounds Google's infrastructure!).
> 
> Cheers,
> M.
> 
> 
> On 31/10/14 02:41, Russ Pavlicek wrote:
>> Mirage-ites,
>> 
>> Attached is the deck I intend to use on a talk about Unikernels this
>> weekend at CPOSC.  I liberated a few slides from you folks.  If you
>> want me to replace them or include additional attribution, let me
>> know.  I will probably replace them eventually, but frankly I'd rather
>> not do that the day before the talk, if possible.
>> 
>> Please let me know if you see any issues or have any suggestions.
>> 
>> Thanks,
>> 
>> Russ
>> 
>> 
>> 
>> _______________________________________________
>> MirageOS-devel mailing list
>> MirageOS-devel@xxxxxxxxxxxxxxxxxxxx
>> http://lists.xenproject.org/cgi-bin/mailman/listinfo/mirageos-devel
>> 
> 
> 
> 
> 



