Have you ever been concerned about a container running on your VPS engaging in malicious behavior? I have had circumstances where containers screwed up my system. This is why container sandboxing is essential. Implementing a tool such as gVisor or Kata Containers provides an extra layer of isolation and security for containers while still allowing them to run efficiently.
gVisor vs. Kata Containers
Before getting started with the above container isolation platforms, let's recap the differences:
• gVisor: A lightweight user-space kernel that sits between your containers and the VPS. gVisor is more convenient and offers faster performance.
• Kata Containers: A full-blown virtual machine encapsulated between the container and the VPS. Kata Containers is more robust from a security standpoint, but uses more resources.
If running dangerous workloads, I usually opt for Kata as it is more secure. I use Kata Containers when the main goal is security and sandboxing.
Getting Your VPS Ready
Step 1: Prepare VPS
Before deploying gVisor and/or Kata Containers, please ensure your VPS is prepared. The Technologist prefers Ubuntu 22.04 as the distribution, and the following packages should be installed:
- Docker or containerd
- Kernel headers
- Networking tools
Step 2: gVisor/Kata Installation
After downloading the latest release of gVisor, install the runsc runtime on the VPS. Once gVisor is installed, you have to configure Docker to run the runsc runtime.
For Kata Containers:
1. Install Kata from the official website
2. Configure Docker (or any other container engine) to use the Kata runtime
Then, operating safe containers will be incredibly simple.
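The "configure Docker" step for both runtimes comes down to registering them in /etc/docker/daemon.json and restarting the daemon. The script below is an added example, not part of the original post or of the gVisor/Kata projects; it assumes runsc and kata-runtime are already on the PATH (for instance at /usr/local/bin/runsc and /usr/bin/kata-runtime) and that the host uses systemd. It renders the configuration as a pure function so you can review the JSON before installing it, refuses to write a path for a binary that is not actually installed, and finishes by asking Docker which runtimes it loaded.

```shell
#!/bin/sh
# Added example (not from the original post): register gVisor (runsc) and
# Kata (kata-runtime) as Docker runtimes.
# Assumptions: runsc and kata-runtime are installed and on PATH; systemd manages
# the docker service. Default paths below are only used for the dry-run output.

# Print the daemon.json body for the given runtime binary paths.
# Kept free of side effects so the JSON can be inspected or diffed first.
render_daemon_json() {
    runsc_path="$1"
    kata_path="$2"
    cat <<EOF
{
  "runtimes": {
    "runsc": {
      "path": "${runsc_path}"
    },
    "kata-runtime": {
      "path": "${kata_path}"
    }
  }
}
EOF
}

# Resolve a runtime binary on PATH. Failing here is deliberate: a dangling
# path in daemon.json makes every "docker run --runtime=..." fail later.
runtime_path() {
    command -v "$1" 2>/dev/null || {
        echo "runtime binary '$1' not found in PATH" >&2
        return 1
    }
}

# Write the configuration, restart Docker, and confirm both runtimes loaded.
# Note: this replaces any existing daemon.json; merge by hand if you have one.
install_daemon_json() {
    runsc_bin="$(runtime_path runsc)" || return 1
    kata_bin="$(runtime_path kata-runtime)" || return 1
    render_daemon_json "$runsc_bin" "$kata_bin" | sudo tee /etc/docker/daemon.json >/dev/null
    sudo systemctl restart docker
    # Docker reports registered runtimes in `docker info`; both names must appear.
    docker info --format '{{range $k, $v := .Runtimes}}{{$k}}{{"\n"}}{{end}}' \
        | grep -E '^(runsc|kata-runtime)$'
}

# "install" applies the change; with no argument the script only prints the
# JSON it would write (paths overridable via RUNSC_PATH / KATA_PATH).
if [ "${1:-}" = "install" ]; then
    install_daemon_json
else
    render_daemon_json "${RUNSC_PATH:-/usr/local/bin/runsc}" "${KATA_PATH:-/usr/bin/kata-runtime}"
fi
```

Run it once without arguments to see the JSON, then with `install` to apply it. The final `docker info` line is the check worth keeping: if either runtime name is missing from the output, the daemon did not pick up the configuration and `--runtime=runsc` or `--runtime=kata-runtime` will be rejected.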
Running Containers Safely
Once you're set up, you can run containers in this manner:
• gVisor: "docker run --runtime=runsc hello-world"
• Kata: "docker run --runtime=kata-runtime hello-world"
It's smooth, with the additional benefit of isolating each container from your VPS.
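Picking the sandboxed runtime is the main step, but in practice I also want the wrapper to refuse to fall back to the default runtime, to drop the capabilities the workload does not need, and to let me audit what is already running. The script below is an added example, not from the original post or either project; it assumes runsc and kata-runtime are registered in Docker as described above. The command builder and the runtime classifier are pure functions so they can be checked without a Docker daemon.

```shell
#!/bin/sh
# Added example (not from the original post): start containers under a
# sandboxed runtime with extra hardening, and audit running containers for
# ones that are not sandboxed.
# Assumptions: "runsc" and "kata-runtime" are the runtime names registered
# in /etc/docker/daemon.json.

# Decide whether a runtime name (as reported by `docker inspect`) is one of
# the sandboxed runtimes. Extend the first pattern if you register other names.
classify_runtime() {
    case "$1" in
        runsc|kata-runtime) echo sandboxed ;;
        *) echo UNSANDBOXED ;;
    esac
}

# Build the `docker run` command line, one argument per line, for a container
# under a sandboxed runtime plus defence-in-depth flags:
#   --cap-drop=ALL                  no Linux capabilities inside the sandbox
#   --security-opt=no-new-privileges no setuid/setcap escalation
#   --read-only                     immutable root filesystem
#   --pids-limit / --memory         bound the damage of a runaway process
build_sandboxed_run() {
    runtime="$1"; image="$2"; shift 2
    [ "$(classify_runtime "$runtime")" = sandboxed ] || {
        echo "refusing to use non-sandboxed runtime '$runtime'" >&2
        return 1
    }
    printf '%s\n' docker run --rm \
        "--runtime=$runtime" \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        --read-only \
        --pids-limit=256 \
        --memory=512m \
        "$image" "$@"
}

# Execute the command built above. Arguments are newline-separated and
# contain no whitespace, so plain word splitting is safe here.
run_sandboxed() {
    cmd="$(build_sandboxed_run "$@")" || return 1
    # shellcheck disable=SC2086
    $cmd
}

# List every running container with its runtime, flagging any that bypass the
# sandbox. HostConfig.Runtime is the runtime Docker actually applied.
audit_containers() {
    docker ps -q | while read -r id; do
        info="$(docker inspect --format '{{.Name}} {{.HostConfig.Runtime}}' "$id")"
        name="${info% *}"; rt="${info##* }"
        printf '%s\t%s\t%s\n' "$(classify_runtime "$rt")" "$rt" "$name"
    done
}

case "${1:-}" in
    run)   shift; run_sandboxed "$@" ;;   # e.g. ./sandbox.sh run runsc hello-world
    audit) audit_containers ;;            # prints sandboxed / UNSANDBOXED per container
esac
```

`./sandbox.sh run kata-runtime hello-world` is the hardened equivalent of the one-liner above; `./sandbox.sh audit` is the periodic check I run to catch containers that were started with the default runtime. Some images need a writable location even with `--read-only`; add `--tmpfs /tmp` to the builder rather than removing the flag.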
Why I Use Sandboxing
I have run untrusted applications before. I think of sandboxed containers as another layer of security for the host and a way to ensure nothing odd is happening. gVisor and Kata would definitely serve you well if you need to run several containers on one VPS.
Conclusion
If you are using gVisor or Kata Containers on your VPS, you can be confident that your containers are safely isolated. You get peace of mind and added security, but still receive the benefits of deploying containers in a timely manner.
When you think of running a new container next time, ask yourself: do I want to run something that is just fast, or fast and secure? Sandboxed containers provide both in the manner I have described. Give it a shot; I'm sure you'll be pleased your VPS is secured!