From 9e57bb60bfdf11fe76288fa7c024e730b7373942 Mon Sep 17 00:00:00 2001 From: Alex Zenla Date: Wed, 13 Mar 2024 15:10:30 +0000 Subject: [PATCH] krata: simplify README --- FAQ.md | 6 ++++++ README.md | 6 +----- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/FAQ.md b/FAQ.md index f7f637e..ef6e36d 100644 --- a/FAQ.md +++ b/FAQ.md @@ -1,5 +1,11 @@ # Frequently Asked Questions +## How does krata currently work? + +The krata hypervisor makes it possible to launch OCI containers on a Xen hypervisor without utilizing the Xen userspace tooling. krata contains just enough of the userspace of Xen (reimplemented in Rust) to start an x86_64 Xen Linux PV guest, and implements a Linux init process that can boot an OCI container. It does so by converting an OCI image into a squashfs file and packaging basic startup data in a bundle which the init container can read. + +In addition, due to the desire to reduce dependence on the dom0 network, krata contains a networking daemon called kratanet. kratanet listens for krata guests to startup and launches a userspace networking environment. krata guests can access the dom0 networking stack via the proxynat layer that makes it possible to communicate over UDP, TCP, and ICMP (echo only) to the outside world. In addition, each krata guest is provided a "gateway" IP (both in IPv4 and IPv6) which utilizes smoltcp to provide a virtual host. That virtual host in the future could dial connections into the container to access container networking resources. + ## Why utilize Xen instead of KVM? Xen is a very interesting technology, and Edera believes that type-1 hypervisors are ideal for security. Most OCI isolation techniques use KVM, which is not a type-1 hypervisor, and thus is subject to the security limitations of the OS kernel. A type-1 hypervisor on the otherhand provides a minimal amount of attack surface upon which less-trusted guests can be launched on top of. diff --git a/README.md b/README.md index c4f6e44..27fd9d3 100644 
--- a/README.md +++ b/README.md @@ -17,8 +17,4 @@ The Edera Hypervisor ## Introduction -The krata hypervisor makes it possible to launch OCI containers on a Xen hypervisor without utilizing the Xen userspace tooling. krata contains just enough of the userspace of Xen (reimplemented in Rust) to start an x86_64 Xen Linux PV guest, and implements a Linux init process that can boot an OCI container. It does so by converting an OCI image into a squashfs file and packaging basic startup data in a bundle which the init container can read. - -In addition, due to the desire to reduce dependence on the dom0 network, krata contains a networking daemon called kratanet. kratanet listens for krata guests to startup and launches a userspace networking environment. krata guests can access the dom0 networking stack via the proxynat layer that makes it possible to communicate over UDP, TCP, and ICMP (echo only) to the outside world. In addition, each krata guest is provided a "gateway" IP (both in IPv4 and IPv6) which utilizes smoltcp to provide a virtual host. That virtual host in the future could dial connections into the container to access container networking resources. - -krata is in its early days and this project is still a work in progress. +krata is a single-host hypervisor service built primarily for OCI containers.
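Review bot: In the FAQ.md hunk, the block copied under "## How does krata currently work?" keeps the wording "listens for krata guests to startup", where the verb should be "start up"; since this text is being moved rather than rewritten, this is the moment to fix it. The same paragraph is also the only place the security posture of the networking path is stated (guests reach the dom0 stack only through the proxynat layer, with ICMP limited to echo), so consider keeping that sentence intact rather than trimming it in a later pass, as it is the caveat a reader evaluating the isolation boundary will look for.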
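Review bot: In the README.md hunk, the replacement line "krata is a single-host hypervisor service built primarily for OCI containers." drops two things with no substitute: the "early days / work in progress" maturity statement, and any pointer to where the removed architecture description now lives. Suggest adding a second line such as "See FAQ.md for how krata currently works." and, if the project is still pre-release, restoring a one-line maturity note so readers are not left assuming production readiness from the shortened introduction.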