科技回声 (TechEcho): a tech news platform built on Next.js that mirrors HackerNews stories and discussion. © 2025 科技回声.

Execute Docker Containers as QEMU MicroVMs

178 points, by DarkPlayer, almost 4 years ago

12 comments

riobard, almost 4 years ago

A few years ago I invested in a small startup called `hyper.sh`. It open-sourced a container runtime called `runV` which provided exactly this: security of virtual machines plus convenience of containers.

The project later merged with Intel Clear Container to become what's now called Kata Containers (https://katacontainers.io/) and is now widely used by several Internet giants like Alibaba and Baidu.

The startup was acquired by Ant Finance a couple of years ago.

(I recorded a podcast with one of hyper.sh's engineers if you can listen to Mandarin: https://pan.icu/25)
eatonphil, almost 4 years ago

There are a few existing projects out there like this (running Docker images as virtual machines, specifically) if folks are interested. Slim [0] is the one I can remember off the top of my head. I think there are a couple more.

Still, neat to have the walkthrough here in this post.

[0] https://github.com/ottomatica/slim
tptacek, almost 4 years ago

As I understand the landscape here, the big enabling win of microVMs is faster boot time; there's a cool qemu-lite slide deck that goes into detail about how they cut down boot time:

https://www.linux-kvm.org/images/d/d2/03x05B-Chao_Peng-Light_Weight_Virtualization_with_QEMU_KVM.pdf

The big win was slashing away the BIOS stuff.

We use AWS's Firecracker to turn our customers' Docker containers into Firecracker microVMs (Firecracker is Amazon's Rust VMM, the engine for Fargate and Lambda). Anecdotally: in my dev environment, the difference between Firecracker boot times and native Docker container startup is imperceptible; the logging we do swamps the VM boot stuff. It's very fast.
rwmj, almost 4 years ago

https://katacontainers.io/ ?
ashishbijlani, almost 4 years ago

> Can we somehow combine the advantages of the docker ecosystem with VMs?

Shameless plug: this is exactly what our goal is with https://kwarantine.xyz. We are creating a new hypervisor (from scratch) that can run strongly isolated Docker/LXC containers.
stefanha, almost 4 years ago

For an even more lightweight approach to running containers in VMs see: https://github.com/containers/krunvm

It's powered by https://github.com/containers/libkrun.
forty, almost 4 years ago

Isn't Firecracker an AWS tech?
thekevjames, almost 4 years ago

I had fun exploring Docker->VM conversion a while back [1], though the larger goal in my case was to be able to make the build path to custom GCP VM images a bit simpler. Exciting to see other cases where folks are finding this sort of flow useful!

[1] https://thekev.in/blog/2019-08-05-dockerfile-bootable-vm/index.html
dzonga, almost 4 years ago

I understand it's cool to do content marketing, but folks, proof-read your articles. Firecracker was created by AWS and the page rightly states so.
OldGoodNewBad, almost 4 years ago

I think a lot of folks are going out of their way to misunderstand what happened. Yes, there are other similar projects and containers. No, none come from a long-established COMMUNITY RUN PROJECT. This is something akin to the difference between VirtualBox and OpenBSD's vmd. One's a product with a "free" tier, the other is a community project.
gravypod, almost 4 years ago

Something I'd be very interested in: building a PXE image from something declarative like Dockerfiles.
encryptluks2, almost 4 years ago

Why not run containers in VMs in containers in VMs? :)

Seriously, VMs are hardly as secure as many people want to believe unless you're utilizing enclaves, and even that has vulnerabilities. I think a better approach is seccomp and whatever other filtering makes sense.