├── .gitignore
├── compare_on_i3_metal
    ├── Vagrantfile
    └── provision
    │   ├── firecracker.sh
    │   ├── gvisor.sh
    │   ├── kata.sh
    │   └── nabla.sh
├── firecracker
    ├── README.md
    ├── Vagrantfile
    └── provision.sh
├── gvisor
    ├── README.md
    ├── Vagrantfile
    └── provision.sh
├── kata-containers
    ├── README.md
    ├── Vagrantfile
    └── provision.sh
├── measurements
    ├── .dockerignore
    ├── Makefile
    ├── README.md
    ├── Vagrantfile
    ├── build_image_and_rootfs.sh
    ├── bundle
    │   ├── .gitignore
    │   ├── config.json.for_nabla
    │   └── config.json.for_non_nabla
    ├── hello.c
    ├── loop.c
    ├── measure_startup_time.sh
    ├── netbsd.patch
    ├── provision
    │   ├── docker.sh
    │   ├── firecracker.sh
    │   ├── go.sh
    │   ├── gvisor.sh
    │   ├── kata.sh
    │   ├── nabla.sh
    │   └── packages.sh
    ├── rumprun-bake.patch
    └── rumprun.patch
├── nabla-containers
    ├── README.md
    ├── Vagrantfile
    └── provision.sh
└── runc
    ├── README.md
    ├── Vagrantfile
    └── provision.sh


/.gitignore:
--------------------------------------------------------------------------------
1 | *.log
2 | .vagrant
3 | 
4 | 


--------------------------------------------------------------------------------
/compare_on_i3_metal/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure('2') do |config|
 2 |   config.vm.box = 'dummy'
 3 |   config.vm.box_url = 'https://github.com/mitchellh/vagrant-aws/raw/master/dummy.box'
 4 | 
 5 |   config.vm.provider :aws do |aws, override|
 6 |     aws.security_groups = ['sg-0ed58ae6c6caa8b13']
 7 |     aws.subnet_id = 'subnet-4d542565'
 8 |     aws.keypair_name = 'aws_mizzy'
 9 |     override.ssh.private_key_path = '~/.ssh/aws_mizzy.pem'
10 |     aws.associate_public_ip = true
11 |     override.ssh.username = 'admin'
12 |     aws.ami = 'ami-0e39dfb1283d1154e'
13 |     aws.instance_type = 'i3.metal'
14 |     aws.block_device_mapping = [
15 |       {
16 |         'DeviceName' => 'xvda',
17 |         'Ebs.VolumeSize' => 100,
18 |       }
19 |     ]
20 |   end
21 | 
22 |   config.vm.provision :shell, path: 'provision/firecracker.sh'
23 |   config.vm.provision :shell, path: 'provision/gvisor.sh'
24 |   config.vm.provision :shell, path: 'provision/kata.sh'
25 |   
26 |   config.vm.synced_folder '.', '/vagrant', #disabled: true
27 |     type: 'rsync',
28 |     rsync__verbose: true,
29 |     rsync__auto: false,
30 |     rsync__exclude: ['.git/']
31 | end
32 | 


--------------------------------------------------------------------------------
/compare_on_i3_metal/provision/firecracker.sh:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | 
  3 | set -eux
  4 | 
  5 | cd ~
  6 | 
  7 | # Install git, Go 1.11, make, curl
  8 | mkdir -p /etc/apt/sources.list.d
  9 | echo "deb http://ftp.debian.org/debian stretch-backports main" | \
 10 |      tee /etc/apt/sources.list.d/stretch-backports.list
 11 | DEBIAN_FRONTEND=noninteractive apt-get update
 12 | DEBIAN_FRONTEND=noninteractive apt-get \
 13 |   --target-release stretch-backports \
 14 |   install --yes \
 15 |   golang-go \
 16 |   make \
 17 |   git \
 18 |   curl \
 19 |   e2fsprogs \
 20 |   musl-tools \
 21 |   util-linux
 22 | 
 23 | # Install Rust
 24 | curl https://sh.rustup.rs -sSf | sh -s -- --verbose -y --default-toolchain 1.32.0
 25 | source $HOME/.cargo/env
 26 | rustup target add x86_64-unknown-linux-musl
 27 | 
 28 | # Check out Firecracker and build it from the v0.15.2 tag
 29 | git clone https://github.com/firecracker-microvm/firecracker.git
 30 | cd firecracker
 31 | git checkout v0.15.2
 32 | cargo build --release --features vsock --target x86_64-unknown-linux-musl
 33 | cp target/x86_64-unknown-linux-musl/release/{firecracker,jailer} /usr/local/bin
 34 | 
 35 | cd ~
 36 | 
 37 | # Check out containerd and build it from the v1.2.4 tag
 38 | mkdir -p ~/go/src/github.com/containerd/containerd
 39 | git clone https://github.com/containerd/containerd.git ~/go/src/github.com/containerd/containerd
 40 | cd ~/go/src/github.com/containerd/containerd
 41 | git checkout v1.2.4
 42 | DEBIAN_FRONTEND=noninteractive apt-get install -y libseccomp-dev btrfs-progs
 43 | make
 44 | cp bin/* /usr/local/bin
 45 | 
 46 | cd ~
 47 | 
 48 | # Check out runc and build it from the 6635b4f0c6af3810594d2770f662f34ddc15b40d
 49 | # commit.  Note that this is the version described in
 50 | # https://github.com/containerd/containerd/blob/v1.2.4/RUNC.md and
 51 | # https://github.com/containerd/containerd/blob/v1.2.4/vendor.conf#L23
 52 | mkdir -p ~/go/src/github.com/opencontainers/runc
 53 | git clone https://github.com/opencontainers/runc ~/go/src/github.com/opencontainers/runc
 54 | cd ~/go/src/github.com/opencontainers/runc
 55 | git checkout 6635b4f0c6af3810594d2770f662f34ddc15b40d
 56 | make static BUILDTAGS='seccomp'
 57 | make BINDIR='/usr/local/bin' install
 58 | 
 59 | cd ~
 60 | 
 61 | # Check out firecracker-containerd and build it
 62 | git clone https://github.com/firecracker-microvm/firecracker-containerd.git
 63 | cd firecracker-containerd
 64 | DEBIAN_FRONTEND=noninteractive apt-get install -y dmsetup
 65 | make STATIC_AGENT='true'
 66 | cp runtime/containerd-shim-aws-firecracker snapshotter/cmd/{devmapper/devmapper_snapshotter,naive/naive_snapshotter} /usr/local/bin
 67 | 
 68 | cd ~
 69 | 
 70 | # Download kernel and generic VM image
 71 | curl -fsSL -o hello-vmlinux.bin https://s3.amazonaws.com/spec.ccfc.min/img/hello/kernel/hello-vmlinux.bin
 72 | curl -fsSL -o hello-rootfs.ext4 https://s3.amazonaws.com/spec.ccfc.min/img/hello/fsfiles/hello-rootfs.ext4
 73 | 
 74 | # Inject the agent, runc, and a startup script into the VM image
 75 | mkdir /tmp/mnt
 76 | # Construct fc-agent.start
 77 | cat >fc-agent.start <<EOF
 78 | #!/bin/sh
 79 | mkdir -p /container
 80 | exec > /container/agent-debug.log # Debug logs from the agent
 81 | exec 2>&1
 82 | touch /container/runtime
 83 | mkdir /container/rootfs
 84 | mount -t auto -o rw /dev/vdb /container/rootfs
 85 | cd /container
 86 | /usr/local/bin/agent -id 1 -debug &
 87 | EOF
 88 | chmod +x fc-agent.start
 89 | truncate --size=+50M hello-rootfs.ext4
 90 | /sbin/e2fsck -f hello-rootfs.ext4 -y
 91 | /sbin/resize2fs hello-rootfs.ext4
 92 | mount hello-rootfs.ext4 /tmp/mnt
 93 | cp $(which runc) firecracker-containerd/agent/agent /tmp/mnt/usr/local/bin
 94 | cp fc-agent.start /tmp/mnt/etc/local.d
 95 | ln -s /etc/init.d/local /tmp/mnt/etc/runlevels/default/local
 96 | ln -s /etc/init.d/cgroups /tmp/mnt/etc/runlevels/default/cgroups
 97 | umount /tmp/mnt
 98 | rmdir /tmp/mnt
 99 | 
100 | cd ~
101 | 
102 | # Configure containerd to use our new snapshotter
103 | mkdir -p /etc/containerd
104 | tee -a /etc/containerd/config.toml <<EOF
105 | [proxy_plugins]
106 |   [proxy_plugins.firecracker-naive]
107 |     type = "snapshot"
108 |     address = "/var/run/firecracker-containerd/naive-snapshotter.sock"
109 | EOF
110 | 
111 | cd ~
112 | 
113 | # Configure the aws.firecracker runtime
114 | mkdir -p /var/lib/firecracker-containerd/runtime
115 | cp hello-rootfs.ext4 hello-vmlinux.bin /var/lib/firecracker-containerd/runtime
116 | mkdir -p /etc/containerd
117 | tee -a /etc/containerd/firecracker-runtime.json <<EOF
118 | {
119 |   "firecracker_binary_path": "/usr/local/bin/firecracker",
120 |   "socket_path": "./firecracker.sock",
121 |   "kernel_image_path": "/var/lib/firecracker-containerd/runtime/hello-vmlinux.bin",
122 |   "kernel_args": "console=ttyS0 noapic reboot=k panic=1 pci=off nomodules rw",
123 |   "root_drive": "/var/lib/firecracker-containerd/runtime/hello-rootfs.ext4",
124 |   "cpu_count": 1,
125 |   "cpu_template": "T2",
126 |   "console": "stdio",
127 |   "log_fifo": "/tmp/fc-logs.fifo",
128 |   "log_level": "Debug",
129 |   "metrics_fifo": "/tmp/fc-metrics.fifo"
130 | }
131 | EOF
132 | 
133 | # Enable vhost-vsock
134 | modprobe vhost-vsock
135 | 
136 | apt-get -y install acl
137 | setfacl -m u:admin:rw /dev/kvm
138 | 


--------------------------------------------------------------------------------
/compare_on_i3_metal/provision/gvisor.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [ ! -x /usr/local/bin/runsc ]; then
 4 |     wget -q https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc
 5 |     wget -q https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc.sha512
 6 |     sha512sum -c runsc.sha512
 7 |     chmod a+x runsc
 8 |     mv runsc /usr/local/bin
 9 | fi
10 | 
11 | if [ ! -x /usr/local/bin/containerd-shim-runsc-v1 ]; then
12 |     git clone https://github.com/google/gvisor-containerd-shim.git
13 |     pushd gvisor-containerd-shim
14 |     go mod init
15 |     make
16 |     make install
17 |     popd
18 | fi
19 | 


--------------------------------------------------------------------------------
/compare_on_i3_metal/provision/kata.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [ ! -x /usr/local/bin/containerd-shim-kata-v2 ]; then
 4 |     go get github.com/kata-containers/runtime
 5 |     cd go/src/github.com/kata-containers/runtime
 6 |     go get -u github.com/golang/dep/cmd/dep
 7 |     ~/go/bin/dep ensure
 8 |     make
 9 |     make install
10 |     cd
11 | fi
12 | 
13 | if [ ! -x /usr/bin/kata-runtime ]; then
14 |     ARCH=$(arch)
15 |     sh -c \
16 |        "echo 'deb http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/stable-1.5/xUbuntu_16.04/ /' \
17 |   > /etc/apt/sources.list.d/kata-containers.list"
18 |     curl -sL \
19 |          http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/master/xUbuntu_16.04/Release.key \
20 |         | apt-key add -
21 |     apt-get update
22 |     apt install -t unstable librdb1
23 |     apt-get -y install kata-runtime kata-proxy kata-shim
24 | fi
25 | 


--------------------------------------------------------------------------------
/compare_on_i3_metal/provision/nabla.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [ ! -x /usr/local/bin/runnc ]; then
 4 |     GOPATH=/root/go
 5 |     if [ ! -d $GOPATH ]; then
 6 |         mkdir -p $GOPATH/src/github.com/opencontainers
 7 |     fi
 8 | 
 9 |     go get github.com/nabla-containers/runnc
10 | 
11 |     cd ~/go/src/github.com/nabla-containers
12 |     rm -rf runnc
13 |     git clone https://github.com/nabla-containers/runnc.git
14 |     cd runnc
15 |     git checkout b78fe29
16 |     git submodule update --init
17 |     make build
18 |     make install
19 |     apt-get install genisoimage
20 | 
21 |     cat <<EOF >> /etc/containerd/config.toml
22 | [plugins]
23 |   [plugins.linux]
24 |     shim = "containerd-shim"
25 |     runtime = "runnc"
26 | EOF
27 | 
28 | fi
29 | 
30 | 
31 | 


--------------------------------------------------------------------------------
/firecracker/README.md:
--------------------------------------------------------------------------------
 1 | # Firecracker
 2 | 
 3 | ## Pointers
 4 | 
 5 | - [Firecracker](https://firecracker-microvm.github.io/)
 6 | - [firecracker-microvm/firecracker: Secure and fast microVMs for serverless computing.](https://github.com/firecracker-microvm/firecracker)
 7 | - [firecracker/getting-started.md at master · firecracker-microvm/firecracker](https://github.com/firecracker-microvm/firecracker/blob/master/docs/getting-started.md)
 8 | 
 9 | ----
10 | 
11 | ## Getting Started
12 | 
13 | If you use VirtualBox, firecracker does not work because VirtualBox does not support kvm.
14 | 
15 | ### Building Firecracker
16 | 
17 | ```sh
18 | git clone https://github.com/firecracker-microvm/firecracker
19 | cd firecracker
20 | sudo tools/devtool build
21 | sudo mv build/debug/firecracker /usr/local/bin
22 | ```
23 | 
24 | ### Running Firecracker
25 | 
26 | Add permission to access to /dev/kvm.
27 | 
28 | ```sh
29 | sudo setfacl -m u:${USER}:rw /dev/kvm
30 | ```
31 | In your first shell:
32 | 
33 | Start firecracker.
34 | 
35 | ```sh
36 | rm -f /tmp/firecracker.socket
37 | firecracker --api-sock /tmp/firecracker.socket
38 | ```
39 | 
40 | In yousr second shell:
41 | 
42 | Get the kernel and rootfs.
43 | 
44 | ```sh
45 | curl -fsSL -o hello-vmlinux.bin \
46 |   https://s3.amazonaws.com/spec.ccfc.min/img/hello/kernel/hello-vmlinux.bin
47 | curl -fsSL -o hello-rootfs.ext4 \
48 |   https://s3.amazonaws.com/spec.ccfc.min/img/hello/fsfiles/hello-rootfs.ext4
49 | ```
50 | 
51 | Set the guest kernel.
52 | 
53 | ```sh
54 | curl --unix-socket /tmp/firecracker.socket -i \
55 |     -X PUT 'http://localhost/boot-source'   \
56 |     -H 'Accept: application/json'           \
57 |     -H 'Content-Type: application/json'     \
58 |     -d '{
59 |         "kernel_image_path": "/home/vagrant/hello-vmlinux.bin",
60 |         "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"
61 |     }'
62 | ```
63 | 
64 | Set the rootfs.
65 | 
66 | ```sh
67 | curl --unix-socket /tmp/firecracker.socket -i \
68 |     -X PUT 'http://localhost/drives/rootfs' \
69 |     -H 'Accept: application/json'           \
70 |     -H 'Content-Type: application/json'     \
71 |     -d '{
72 |         "drive_id": "rootfs",
73 |         "path_on_host": "/home/vagrant/hello-rootfs.ext4",
74 |         "is_root_device": true,
75 |         "is_read_only": false
76 |     }'
77 | ```
78 | 
79 | 
80 | Start the guest machine.
81 | 
82 | ```sh
83 | curl --unix-socket /tmp/firecracker.socket -i \
84 |     -X PUT 'http://localhost/actions'       \
85 |     -H  'Accept: application/json'          \
86 |     -H  'Content-Type: application/json'    \
87 |     -d '{
88 |         "action_type": "InstanceStart"
89 |      }'
90 | ```
91 | 
92 | You can see login prompt in your first shell. You can login with root/root.
93 | 


--------------------------------------------------------------------------------
/firecracker/Vagrantfile:
--------------------------------------------------------------------------------
1 | Vagrant.configure('2') do |config|
2 |   config.vm.box = 'generic/ubuntu1804'
3 |   config.vm.provision :shell, path: 'provision.sh'
4 |   config.vm.provider 'vmware_fusion' do |v, override|
5 |     v.vmx['vhv.enable'] = 'TRUE'
6 |   end
7 | end
8 | 


--------------------------------------------------------------------------------
/firecracker/provision.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | apt-get update
 4 | 
 5 | if [ ! -x /usr/bin/docker ]; then
 6 |     apt-get remove docker docker-engine docker.io containerd runc
 7 |     apt-get install \
 8 |             apt-transport-https \
 9 |             ca-certificates \
10 |             curl \
11 |             gnupg-agent \
12 |             software-properties-common
13 | 
14 |     curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
15 |         | apt-key add -
16 | 
17 |     add-apt-repository \
18 |         "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
19 |         $(lsb_release -cs) \
20 |         stable"
21 | 
22 |     apt-get update
23 | 
24 |     apt-get -y install docker-ce docker-ce-cli containerd.io
25 | fi
26 | 


--------------------------------------------------------------------------------
/gvisor/README.md:
--------------------------------------------------------------------------------
 1 | # gVisor Playground
 2 | 
 3 | ## Pointers
 4 | 
 5 | - [google/gvisor: Container Runtime Sandbox](https://github.com/google/gvisor)
 6 | - [gvisor/quick_start.md at master · google/gvisor](https://github.com/google/gvisor/blob/master/docs/user_guide/quick_start.md)
 7 | - [minikube/README.md at master · kubernetes/minikube](https://github.com/kubernetes/minikube/blob/master/deploy/addons/gvisor/README.md)
 8 | - [google/gvisor-containerd-shim: containerd shim for gVisor](https://github.com/google/gvisor-containerd-shim)
 9 | 
10 | ## Using runsc
11 | 
12 | ### Run an OCI compatible container
13 | 
14 | ```sh
15 | mkdir bundle
16 | cd bundle
17 | mkdir rootfs
18 | sudo docker export $(sudo docker create busybox) | tar -xf - -C rootfs
19 | runsc spec
20 | sudo runsc run hello
21 | ```
22 | 
23 | This does not show a command prompt, but you can execute commands.
24 | 
25 | 
26 | ```
27 | $ ps -ef|grep runsc
28 | root     15420 15365  0 09:15 pts/0    00:00:00 sudo runsc run hello
29 | root     15421 15420  0 09:15 pts/0    00:00:00 runsc run hello
30 | root     15426 15421  0 09:15 pts/0    00:00:00 runsc-gofer --root=/var/run/runsc --debug=false --log= --log-format=text --debug-log= --debug-log-format=text --file-access=exclusive --overlay=false --network=sandbox --log-packets=false --platform=ptrace --strace=false --strace-syscalls= --strace-log-size=1024 --watchdog-action=LogWarning --panic-signal=-1 gofer --bundle /home/vagrant/bundle --spec-fd=3 --io-fds=4 --apply-caps=false --setup-root=false
31 | nobody   15427 15421  2 09:15 ?        00:00:01 runsc-sandbox --root=/var/run/runsc --debug=false --log= --log-format=text --debug-log= --debug-log-format=text --file-access=exclusive --overlay=false --network=sandbox --log-packets=false --platform=ptrace --strace=false --strace-syscalls= --strace-log-size=1024 --watchdog-action=LogWarning --panic-signal=-1 boot --bundle=/home/vagrant/bundle --controller-fd=3 --spec-fd=4 --start-sync-fd=5 --io-fds=6 --stdio-fds=7 --stdio-fds=8 --stdio-fds=9 hello
32 | ```
33 | 
34 | ### Run with Docker
35 | 
36 | /etc/docker/daemon.json
37 | 
38 | ```json
39 | {
40 |     "runtimes": {
41 |         "runsc": {
42 |             "path": "/usr/local/bin/runsc"
43 |         }
44 |     }
45 | }
46 | ```
47 | 
48 | ```sh
49 | sudo systemctl restart docker
50 | ```
51 | 
52 | ```sh
53 | sudo docker run -ti --runtime=runsc busybox /bin/sh
54 | ```
55 | 
56 | ```sh
57 | $ ps -ef|grep runsc
58 | root      5409  4486  0 12:30 pts/0    00:00:00 sudo docker run -ti --runtime=runsc busybox /bin/sh
59 | root      5410  5409  0 12:30 pts/0    00:00:00 docker run -ti --runtime=runsc busybox /bin/sh
60 | root      5432  3102  0 12:30 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/01adddacabeff4db8e095bc90e5ec6b3593368f304604358976fa2e741be598c -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runsc
61 | root      5453  5432  0 12:30 ?        00:00:00 runsc-gofer --root=/var/run/docker/runtime-runsc/moby --debug=false --log=/run/containerd/io.containerd.runtime.v1.linux/moby/01adddacabeff4db8e095bc90e5ec6b3593368f304604358976fa2e741be598c/log.json --log-format=json --debug-log= --debug-log-format=text --file-access=exclusive --overlay=false --network=sandbox --log-packets=false --platform=ptrace --strace=false --strace-syscalls= --strace-log-size=1024 --watchdog-action=LogWarning --panic-signal=-1 --log-fd=3 gofer --bundle /run/containerd/io.containerd.runtime.v1.linux/moby/01adddacabeff4db8e095bc90e5ec6b3593368f304604358976fa2e741be598c --spec-fd=4 --io-fds=5 --io-fds=6 --io-fds=7 --io-fds=8 --apply-caps=false --setup-root=false
62 | nobody    5458  5432  1 12:30 pts/2    00:00:00 runsc-sandbox --root=/var/run/docker/runtime-runsc/moby --debug=false --log=/run/containerd/io.containerd.runtime.v1.linux/moby/01adddacabeff4db8e095bc90e5ec6b3593368f304604358976fa2e741be598c/log.json --log-format=json --debug-log= --debug-log-format=text --file-access=exclusive --overlay=false --network=sandbox --log-packets=false --platform=ptrace --strace=false --strace-syscalls= --strace-log-size=1024 --watchdog-action=LogWarning --panic-signal=-1 --log-fd=3 boot --bundle=/run/containerd/io.containerd.runtime.v1.linux/moby/01adddacabeff4db8e095bc90e5ec6b3593368f304604358976fa2e741be598c --controller-fd=4 --spec-fd=5 --start-sync-fd=6 --io-fds=7 --io-fds=8 --io-fds=9 --io-fds=10 --console=true --stdio-fds=11 --stdio-fds=12 --stdio-fds=13 --cpu-num 2 01adddacabeff4db8e095bc90e5ec6b3593368f304604358976fa2e741be598c
63 | ```
64 | 


--------------------------------------------------------------------------------
/gvisor/Vagrantfile:
--------------------------------------------------------------------------------
1 | Vagrant.configure('2') do |config|
2 |   config.vm.box = 'ubuntu/bionic64'
3 |   config.vm.provision :shell, path: 'provision.sh'
4 | end
5 | 


--------------------------------------------------------------------------------
/gvisor/provision.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | apt-get update
 4 | 
 5 | if [ ! -x /usr/local/bin/runsc ]; then
 6 |     wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc
 7 |     wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc.sha512
 8 |     sha512sum -c runsc.sha512
 9 |     chmod a+x runsc
10 |     mv runsc /usr/local/bin
11 | fi
12 | 
13 | if [ ! -x /usr/bin/docker ]; then
14 |     apt-get remove docker docker-engine docker.io containerd runc
15 |     apt-get install \
16 |             apt-transport-https \
17 |             ca-certificates \
18 |             curl \
19 |             gnupg-agent \
20 |             software-properties-common
21 | 
22 |     curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
23 |         | apt-key add -
24 | 
25 |     add-apt-repository \
26 |         "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
27 |         $(lsb_release -cs) \
28 |         stable"
29 | 
30 |     apt-get update
31 | 
32 |     apt-get -y install docker-ce docker-ce-cli containerd.io
33 | fi
34 | 


--------------------------------------------------------------------------------
/kata-containers/README.md:
--------------------------------------------------------------------------------
 1 | # Kata Containers
 2 | 
 3 | ## Pointers
 4 | 
 5 | - [Kata Containers - The speed of containers, the security of VMs](https://katacontainers.io/)
 6 | - [Kata Containers](https://github.com/kata-containers)
 7 | - [documentation/install at master · kata-containers/documentation](https://github.com/kata-containers/documentation/tree/master/install)
 8 | - [documentation/ubuntu-installation-guide.md at master · kata-containers/documentation](https://github.com/kata-containers/documentation/blob/master/install/ubuntu-installation-guide.md)
 9 | 
10 | ## Getting Started
11 | 
12 | ### Installing Kata Containers on Ubuntu
13 | 
14 | ```sh
15 | ARCH=$(arch)
16 | sudo sh -c \
17 |   "echo 'deb http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/master/xUbuntu_$(lsb_release -rs)/ /' \
18 |   > /etc/apt/sources.list.d/kata-containers.list"
19 | curl -sL \
20 |   http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/master/xUbuntu_$(lsb_release -rs)/Release.key \
21 |   | sudo apt-key add -
22 | sudo -E apt-get update
23 | sudo -E apt-get -y install kata-runtime kata-proxy kata-shim
24 | ```
25 | 
26 | ### Running with Docker
27 | 
28 | ```sh
29 | sudo mkdir -p /etc/systemd/system/docker.service.d
30 | cat <<EOF | sudo tee /etc/systemd/system/docker.service.d/kata-containers.conf
31 | [Service]
32 | ExecStart=
33 | ExecStart=/usr/bin/dockerd -D --add-runtime kata-runtime=/usr/bin/kata-runtime --default-runtime=kata-runtime
34 | EOF
35 | ```
36 | 
37 | Add the following definitions to `/etc/docker/daemon.json`:
38 | 
39 | ```json
40 | {
41 |   "default-runtime": "kata-runtime",
42 |   "runtimes": {
43 |     "kata-runtime": {
44 |       "path": "/usr/bin/kata-runtime"
45 |     }
46 |   }
47 | }
48 | ```
49 | 
50 | Restart the Docker systemd service with the following commands:
51 | 
52 | ```sh
53 | sudo systemctl daemon-reload
54 | sudo systemctl restart docker
55 | ```
56 | 
57 | Run the container.
58 | 
59 | 
60 | ```sh
61 | sudo docker run -ti  --runtime=kata-runtime busybox /bin/sh
62 | ```
63 | 
64 | ```sh
65 | $ ps -ef|grep kata
66 | root      7369  5297  0 01:52 pts/0    00:00:00 sudo docker run -ti --runtime=kata-runtime busybox /bin/sh
67 | root      7370  7369  0 01:52 pts/0    00:00:00 docker run -ti --runtime=kata-runtime busybox /bin/sh
68 | root      7398  3438  0 01:52 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-kata-runtime
69 | root      7439  7398  6 01:52 ?        00:00:01 /usr/bin/qemu-lite-system-x86_64 -name sandbox-1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a -uuid cb31ff50-8873-44b2-88c5-aa48914f6284 -machine pc,accel=kvm,kernel_irqchip,nvdimm -cpu host,pmu=off -qmp unix:/run/vc/vm/1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a/qmp.sock,server,nowait -m 2048M,slots=10,maxmem=3017M -device pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device virtconsole,chardev=charconsole0,id=console0 -chardev socket,id=charconsole0,path=/run/vc/vm/1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a/console.sock,server,nowait -device nvdimm,id=nv0,memdev=mem0 -object memory-backend-file,id=mem0,mem-path=/usr/share/kata-containers/kata-containers-image_clearlinux_1.5.0_agent_a581aebf473.img,size=536870912 -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng,rng=rng0,romfile= -device virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev socket,id=charch0,path=/run/vc/vm/1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a/kata.sock,server,nowait -device virtio-9p-pci,disable-modern=true,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile= -fsdev local,id=extra-9p-kataShared,path=/run/kata-containers/shared/sandboxes/1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a,security_model=none -netdev tap,id=network-0,vhost=on,vhostfds=3,fds=4 -device driver=virtio-net-pci,netdev=network-0,mac=02:42:ac:11:00:02,disable-modern=true,mq=on,vectors=4,romfile= -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config -nodefaults -nographic -daemonize -kernel /usr/share/kata-containers/vmlinuz-4.14.67.22-18.container -append tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro rw rootfstype=ext4 quiet systemd.show_status=false panic=1 nr_cpus=2 init=/usr/lib/systemd/systemd systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket -smp 1,cores=1,threads=1,sockets=1,maxcpus=2
70 | root      7445  7398  0 01:52 ?        00:00:00 /usr/libexec/kata-containers/kata-proxy -listen-socket unix:///run/vc/sbs/1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a/proxy.sock -mux-socket /run/vc/vm/1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a/kata.sock -sandbox 1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a
71 | root      7456  7398  0 01:52 pts/2    00:00:00 /usr/libexec/kata-containers/kata-shim -agent unix:///run/vc/sbs/1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a/proxy.sock -container 1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a -exec-id 1d0a0d693fb41bdd57f2686971c9c78115f16b97680f7245277a192814fba06a -terminal
72 | ```
73 | 


--------------------------------------------------------------------------------
/kata-containers/Vagrantfile:
--------------------------------------------------------------------------------
1 | Vagrant.configure('2') do |config|
2 |   config.vm.box = 'generic/ubuntu1804'
3 |   config.vm.provision :shell, path: 'provision.sh'
4 |   config.vm.provider 'vmware_fusion' do |v, override|
5 |     v.vmx['vhv.enable'] = 'TRUE'
6 |   end
7 | end
8 | 


--------------------------------------------------------------------------------
/kata-containers/provision.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | apt-get update
 4 | 
 5 | if [ ! -x /usr/bin/docker ]; then
 6 |     apt-get remove docker docker-engine docker.io containerd runc
 7 |     apt-get install \
 8 |             apt-transport-https \
 9 |             ca-certificates \
10 |             curl \
11 |             gnupg-agent \
12 |             software-properties-common
13 | 
14 |     curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
15 |         | apt-key add -
16 | 
17 |     add-apt-repository \
18 |         "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
19 |         $(lsb_release -cs) \
20 |         stable"
21 | 
22 |     apt-get update
23 | 
24 |     apt-get -y install docker-ce docker-ce-cli containerd.io
25 | fi
26 | 


--------------------------------------------------------------------------------
/measurements/.dockerignore:
--------------------------------------------------------------------------------
1 | rumprun/
2 | solo5/
3 | bundle/
4 | provision/
5 | 


--------------------------------------------------------------------------------
/measurements/Makefile:
--------------------------------------------------------------------------------
 1 | all: hello loop
 2 | 
 3 | loop:
 4 | 	gcc -static loop.c -o loop
 5 | 
 6 | hello:
 7 | 	gcc -static hello.c -o hello
 8 | 
 9 | clean:
10 | 	rm hello
11 | 	rm loop
12 | 


--------------------------------------------------------------------------------
/measurements/README.md:
--------------------------------------------------------------------------------
 1 | # Measurements and comparisons of container runtimes
 2 | 
 3 | ```sh
 4 | vagrant up
 5 | vagrant ssh
 6 | cd /vagrant/mycontainer
 7 | ./build_image_and_rootfs.sh
 8 | ./measure_startup_time.sh
 9 | ```
10 | 
11 | 


--------------------------------------------------------------------------------
/measurements/Vagrantfile:
--------------------------------------------------------------------------------
 1 | Vagrant.configure('2') do |config|
 2 |   config.vm.box = 'generic/ubuntu1804'
 3 | 
 4 |   config.vm.provision :shell, path: 'provision/packages.sh'
 5 |   config.vm.provision :shell, path: 'provision/go.sh'
 6 |   config.vm.provision :shell, path: 'provision/docker.sh'
 7 |   config.vm.provision :shell, path: 'provision/nabla.sh'
 8 |   config.vm.provision :shell, path: 'provision/gvisor.sh'
 9 |   config.vm.provision :shell, path: 'provision/firecracker.sh'
10 |   config.vm.provision :shell, path: 'provision/kata.sh'
11 | 
12 |   config.vm.provider 'vmware_fusion' do |v, override|
13 |     v.vmx['vhv.enable'] = 'TRUE'
14 |   end
15 | 
16 |   config.vm.synced_folder '.', '/vagrant', type: 'rsync',
17 |     rsync__exclude: [
18 |       '.vagrant/',
19 |       'bundle/rootfs/',
20 |       'rumprun/',
21 |       'solo5/',
22 |     ]
23 | end
24 | 


--------------------------------------------------------------------------------
/measurements/build_image_and_rootfs.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | set -eux
 4 | 
 5 | make all
 6 | 
 7 | cid=`sudo docker create busybox`
 8 | mkdir -p bundle/rootfs
 9 | sudo docker export $cid | tar -C bundle/rootfs -xvf -
10 | cp hello bundle/rootfs
11 | cp loop bundle/rootfs
12 | 
13 | git clone https://github.com/nabla-containers/solo5.git
14 | pushd solo5
15 | ./configure.sh
16 | make
17 | sudo cp kernel/ukvm/solo5.o /usr/lib/libsolo5_seccomp.a
18 | 
19 | popd
20 | 
21 | git clone https://github.com/nabla-containers/rumprun.git
22 | pushd rumprun
23 | git checkout 8b01b3
24 | git submodule update --init
25 | pushd src-netbsd
26 | # https://github.com/rumpkernel/rumprun/issues/122
27 | patch -p1 < /vagrant/netbsd.patch
28 | popd
29 | # https://github.com/rumpkernel/rumprun/pull/118
30 | patch -p1 < /vagrant/rumprun.patch
31 | make
32 | . obj/config-PATH.sh
33 | pushd rumprun-solo5/bin
34 | patch -p1 < /vagrant/rumprun-bake.patch
35 | popd
36 | 
37 | popd
38 | 
39 | x86_64-rumprun-netbsd-gcc -o hello.out hello.c
40 | rumprun-bake solo5_ukvm_seccomp hello.nabla hello.out
41 | cp hello.nabla bundle/rootfs
42 | 
43 | x86_64-rumprun-netbsd-gcc -o loop.out loop.c
44 | rumprun-bake solo5_ukvm_seccomp loop.nabla loop.out
45 | cp loop.nabla bundle/rootfs
46 | 


--------------------------------------------------------------------------------
/measurements/bundle/.gitignore:
--------------------------------------------------------------------------------
1 | hello
2 | loop
3 | rootfs
4 | config.clean.json
5 | 
6 | 


--------------------------------------------------------------------------------
/measurements/bundle/config.json.for_nabla:
--------------------------------------------------------------------------------
  1 | {
  2 | 	"ociVersion": "1.0.1-dev",
  3 | 	"process": {
  4 | 		"terminal": false,
  5 | 		"user": {
  6 | 			"uid": 0,
  7 | 			"gid": 0
  8 | 		},
  9 | 		"args": [
 10 | 			"/hello.nabla"
 11 | 		],
 12 | 		"env": [
 13 | 			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 14 | 			"TERM=xterm"
 15 | 		],
 16 | 		"cwd": "/",
 17 | 		"capabilities": {
 18 | 			"bounding": [
 19 | 				"CAP_AUDIT_WRITE",
 20 | 				"CAP_KILL",
 21 | 				"CAP_NET_BIND_SERVICE"
 22 | 			],
 23 | 			"effective": [
 24 | 				"CAP_AUDIT_WRITE",
 25 | 				"CAP_KILL",
 26 | 				"CAP_NET_BIND_SERVICE"
 27 | 			],
 28 | 			"inheritable": [
 29 | 				"CAP_AUDIT_WRITE",
 30 | 				"CAP_KILL",
 31 | 				"CAP_NET_BIND_SERVICE"
 32 | 			],
 33 | 			"permitted": [
 34 | 				"CAP_AUDIT_WRITE",
 35 | 				"CAP_KILL",
 36 | 				"CAP_NET_BIND_SERVICE"
 37 | 			],
 38 | 			"ambient": [
 39 | 				"CAP_AUDIT_WRITE",
 40 | 				"CAP_KILL",
 41 | 				"CAP_NET_BIND_SERVICE"
 42 | 			]
 43 | 		},
 44 | 		"rlimits": [
 45 | 			{
 46 | 				"type": "RLIMIT_NOFILE",
 47 | 				"hard": 1024,
 48 | 				"soft": 1024
 49 | 			}
 50 | 		],
 51 | 		"noNewPrivileges": true
 52 | 	},
 53 | 	"root": {
 54 | 		"path": "/vagrant/bundle/rootfs",
 55 | 		"readonly": true
 56 | 	},
 57 |         "hooks": {
 58 |                 "prestart": [
 59 | 		{
 60 | 			"path": "/sbin/ip",
 61 | 			"args": ["ip", "link", "add" , "eth0", "type", "dummy"]
 62 | 		},
 63 | 		{
 64 | 			"path": "/sbin/ip",
 65 | 			"args": ["ip", "addr", "add", "10.0.0.251/8", "dev", "eth0"]
 66 | 		},
 67 | 		{
 68 | 			"path": "/sbin/ip",
 69 | 			"args": ["ip", "link", "set", "eth0", "up"]
 70 | 		},
 71 | 		{
 72 | 			"path": "/sbin/ip",
 73 | 			"args": ["ip", "route", "add", "default", "via", "10.0.0.251"]
 74 | 		}
 75 | 		]
 76 |         },
 77 | 	"hostname": "runc",
 78 | 	"mounts": [
 79 | 		{
 80 | 			"destination": "/proc",
 81 | 			"type": "proc",
 82 | 			"source": "proc"
 83 | 		},
 84 | 		{
 85 | 			"destination": "/dev",
 86 | 			"type": "tmpfs",
 87 | 			"source": "tmpfs",
 88 | 			"options": [
 89 | 				"nosuid",
 90 | 				"strictatime",
 91 | 				"mode=755",
 92 | 				"size=65536k"
 93 | 			]
 94 | 		},
 95 | 		{
 96 | 			"destination": "/dev/pts",
 97 | 			"type": "devpts",
 98 | 			"source": "devpts",
 99 | 			"options": [
100 | 				"nosuid",
101 | 				"noexec",
102 | 				"newinstance",
103 | 				"ptmxmode=0666",
104 | 				"mode=0620",
105 | 				"gid=5"
106 | 			]
107 | 		},
108 | 		{
109 | 			"destination": "/dev/shm",
110 | 			"type": "tmpfs",
111 | 			"source": "shm",
112 | 			"options": [
113 | 				"nosuid",
114 | 				"noexec",
115 | 				"nodev",
116 | 				"mode=1777",
117 | 				"size=65536k"
118 | 			]
119 | 		},
120 | 		{
121 | 			"destination": "/dev/mqueue",
122 | 			"type": "mqueue",
123 | 			"source": "mqueue",
124 | 			"options": [
125 | 				"nosuid",
126 | 				"noexec",
127 | 				"nodev"
128 | 			]
129 | 		},
130 | 		{
131 | 			"destination": "/sys",
132 | 			"type": "sysfs",
133 | 			"source": "sysfs",
134 | 			"options": [
135 | 				"nosuid",
136 | 				"noexec",
137 | 				"nodev",
138 | 				"ro"
139 | 			]
140 | 		},
141 | 		{
142 | 			"destination": "/sys/fs/cgroup",
143 | 			"type": "cgroup",
144 | 			"source": "cgroup",
145 | 			"options": [
146 | 				"nosuid",
147 | 				"noexec",
148 | 				"nodev",
149 | 				"relatime",
150 | 				"ro"
151 | 			]
152 | 		}
153 | 	],
154 | 	"linux": {
155 | 		"resources": {
156 | 			"devices": [
157 | 				{
158 | 					"allow": false,
159 | 					"access": "rwm"
160 | 				}
161 | 			]
162 | 		},
163 | 		"namespaces": [
164 | 			{
165 | 				"type": "pid"
166 | 			},
167 | 			{
168 | 				"type": "network"
169 | 			},
170 | 			{
171 | 				"type": "ipc"
172 | 			},
173 | 			{
174 | 				"type": "uts"
175 | 			},
176 | 			{
177 | 				"type": "mount"
178 | 			}
179 | 		],
180 | 		"maskedPaths": [
181 | 			"/proc/kcore",
182 | 			"/proc/latency_stats",
183 | 			"/proc/timer_list",
184 | 			"/proc/timer_stats",
185 | 			"/proc/sched_debug",
186 | 			"/sys/firmware",
187 | 			"/proc/scsi"
188 | 		],
189 | 		"readonlyPaths": [
190 | 			"/proc/asound",
191 | 			"/proc/bus",
192 | 			"/proc/fs",
193 | 			"/proc/irq",
194 | 			"/proc/sys",
195 | 			"/proc/sysrq-trigger"
196 | 		]
197 | 	}
198 | }
199 | 


--------------------------------------------------------------------------------
/measurements/bundle/config.json.for_non_nabla:
--------------------------------------------------------------------------------
  1 | {
  2 | 	"ociVersion": "1.0.1-dev",
  3 | 	"process": {
  4 | 		"terminal": false,
  5 | 		"user": {
  6 | 			"uid": 0,
  7 | 			"gid": 0
  8 | 		},
  9 | 		"args": [
 10 | 			"/hello"
 11 | 		],
 12 | 		"env": [
 13 | 			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 14 | 			"TERM=xterm"
 15 | 		],
 16 | 		"cwd": "/",
 17 | 		"capabilities": {
 18 | 			"bounding": [
 19 | 				"CAP_AUDIT_WRITE",
 20 | 				"CAP_KILL",
 21 | 				"CAP_NET_BIND_SERVICE"
 22 | 			],
 23 | 			"effective": [
 24 | 				"CAP_AUDIT_WRITE",
 25 | 				"CAP_KILL",
 26 | 				"CAP_NET_BIND_SERVICE"
 27 | 			],
 28 | 			"inheritable": [
 29 | 				"CAP_AUDIT_WRITE",
 30 | 				"CAP_KILL",
 31 | 				"CAP_NET_BIND_SERVICE"
 32 | 			],
 33 | 			"permitted": [
 34 | 				"CAP_AUDIT_WRITE",
 35 | 				"CAP_KILL",
 36 | 				"CAP_NET_BIND_SERVICE"
 37 | 			],
 38 | 			"ambient": [
 39 | 				"CAP_AUDIT_WRITE",
 40 | 				"CAP_KILL",
 41 | 				"CAP_NET_BIND_SERVICE"
 42 | 			]
 43 | 		},
 44 | 		"rlimits": [
 45 | 			{
 46 | 				"type": "RLIMIT_NOFILE",
 47 | 				"hard": 1024,
 48 | 				"soft": 1024
 49 | 			}
 50 | 		],
 51 | 		"noNewPrivileges": true
 52 | 	},
 53 | 	"root": {
 54 | 		"path": "rootfs",
 55 | 		"readonly": true
 56 | 	},
 57 | 	"hostname": "runc",
 58 | 	"mounts": [
 59 | 		{
 60 | 			"destination": "/proc",
 61 | 			"type": "proc",
 62 | 			"source": "proc"
 63 | 		},
 64 | 		{
 65 | 			"destination": "/dev",
 66 | 			"type": "tmpfs",
 67 | 			"source": "tmpfs",
 68 | 			"options": [
 69 | 				"nosuid",
 70 | 				"strictatime",
 71 | 				"mode=755",
 72 | 				"size=65536k"
 73 | 			]
 74 | 		},
 75 | 		{
 76 | 			"destination": "/dev/pts",
 77 | 			"type": "devpts",
 78 | 			"source": "devpts",
 79 | 			"options": [
 80 | 				"nosuid",
 81 | 				"noexec",
 82 | 				"newinstance",
 83 | 				"ptmxmode=0666",
 84 | 				"mode=0620",
 85 | 				"gid=5"
 86 | 			]
 87 | 		},
 88 | 		{
 89 | 			"destination": "/dev/shm",
 90 | 			"type": "tmpfs",
 91 | 			"source": "shm",
 92 | 			"options": [
 93 | 				"nosuid",
 94 | 				"noexec",
 95 | 				"nodev",
 96 | 				"mode=1777",
 97 | 				"size=65536k"
 98 | 			]
 99 | 		},
100 | 		{
101 | 			"destination": "/dev/mqueue",
102 | 			"type": "mqueue",
103 | 			"source": "mqueue",
104 | 			"options": [
105 | 				"nosuid",
106 | 				"noexec",
107 | 				"nodev"
108 | 			]
109 | 		},
110 | 		{
111 | 			"destination": "/sys",
112 | 			"type": "sysfs",
113 | 			"source": "sysfs",
114 | 			"options": [
115 | 				"nosuid",
116 | 				"noexec",
117 | 				"nodev",
118 | 				"ro"
119 | 			]
120 | 		},
121 | 		{
122 | 			"destination": "/sys/fs/cgroup",
123 | 			"type": "cgroup",
124 | 			"source": "cgroup",
125 | 			"options": [
126 | 				"nosuid",
127 | 				"noexec",
128 | 				"nodev",
129 | 				"relatime",
130 | 				"ro"
131 | 			]
132 | 		}
133 | 	],
134 | 	"linux": {
135 | 		"resources": {
136 | 			"devices": [
137 | 				{
138 | 					"allow": false,
139 | 					"access": "rwm"
140 | 				}
141 | 			]
142 | 		},
143 | 		"namespaces": [
144 | 			{
145 | 				"type": "pid"
146 | 			},
147 | 			{
148 | 				"type": "network"
149 | 			},
150 | 			{
151 | 				"type": "ipc"
152 | 			},
153 | 			{
154 | 				"type": "uts"
155 | 			},
156 | 			{
157 | 				"type": "mount"
158 | 			}
159 | 		],
160 | 		"maskedPaths": [
161 | 			"/proc/kcore",
162 | 			"/proc/latency_stats",
163 | 			"/proc/timer_list",
164 | 			"/proc/timer_stats",
165 | 			"/proc/sched_debug",
166 | 			"/sys/firmware",
167 | 			"/proc/scsi"
168 | 		],
169 | 		"readonlyPaths": [
170 | 			"/proc/asound",
171 | 			"/proc/bus",
172 | 			"/proc/fs",
173 | 			"/proc/irq",
174 | 			"/proc/sys",
175 | 			"/proc/sysrq-trigger"
176 | 		]
177 | 	}
178 | }
179 | 


--------------------------------------------------------------------------------
/measurements/hello.c:
--------------------------------------------------------------------------------
1 | #include <stdio.h>
2 | 
3 | void main()
4 | {
5 |     printf("Hello\n");
6 | }
7 | 


--------------------------------------------------------------------------------
/measurements/loop.c:
--------------------------------------------------------------------------------
 1 | #include <stdio.h>
 2 | 
 3 | void main()
 4 | {
 5 |     int i = 0;
 6 |     while(1) {
 7 |         printf("%d\n", i++);
 8 |     }
 9 | }
10 | 


--------------------------------------------------------------------------------
/measurements/measure_startup_time.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | pushd bundle
 4 | 
 5 | cp config.json.for_non_nabla config.json
 6 | 
 7 | # runc
 8 | echo "##### runc"
 9 | time sudo runc run bundle
10 | echo
11 | 
12 | # gVisor
13 | echo "##### gVisor"
14 | time sudo runsc -log /dev/null run bundle
15 | echo
16 | 
17 | # Kata Containers
18 | echo "##### Kata Containers"
19 | time sudo kata-runtime run bundle
20 | 
21 | cp config.json.for_nabla config.json
22 | 
23 | # Nabla Containers
24 | # https://github.com/nabla-containers/runnc/issues/53
25 | sudo runnc create abcdefg123456 && sudo runnc --debug start abcdefg123456
26 | 
27 | sudo runnc delete abcdefg123456
28 | 
29 | popd
30 | 


--------------------------------------------------------------------------------
/measurements/netbsd.patch:
--------------------------------------------------------------------------------
 1 | From 713e2f607aad1cfffe1d814843fe7df5d1780bfc Mon Sep 17 00:00:00 2001
 2 | From: christos <christos@NetBSD.org>
 3 | Date: Thu, 2 Nov 2017 16:09:33 +0000
 4 | Subject: [PATCH] Avoid negative shift.
 5 | 
 6 | ---
 7 |  sys/lib/libunwind/AddressSpace.hpp | 2 +-
 8 |  1 file changed, 1 insertion(+), 1 deletion(-)
 9 | 
10 | diff --git a/sys/lib/libunwind/AddressSpace.hpp b/sys/lib/libunwind/AddressSpace.hpp
11 | index 2786744551ba..6539040edec6 100644
12 | --- a/sys/lib/libunwind/AddressSpace.hpp
13 | +++ b/sys/lib/libunwind/AddressSpace.hpp
14 | @@ -140,7 +140,7 @@ class LocalAddressSpace {
15 |      } while (byte >= 0x80);
16 |      // sign extend negative numbers
17 |      if ((byte & 0x40) != 0)
18 | -      result |= (-1LL) << bit;
19 | +      result |= (~0ULL) << bit;
20 |      return result;
21 |    }
22 |  
23 | 


--------------------------------------------------------------------------------
/measurements/provision/docker.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | if [ ! -x /usr/bin/docker ]; then
 4 |     apt-get remove docker docker-engine docker.io containerd runc
 5 |     apt-get -y install \
 6 |             apt-transport-https \
 7 |             ca-certificates \
 8 |             curl \
 9 |             gnupg-agent \
10 |             software-properties-common
11 | 
12 |     curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
13 |         | apt-key add -
14 | 
15 |     add-apt-repository \
16 |         "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
17 |         $(lsb_release -cs) \
18 |         stable"
19 | 
20 |     apt-get update
21 | 
22 |     apt-get -y install docker-ce docker-ce-cli containerd.io
23 | 
24 |     cat <<EOF > /etc/docker/daemon.json
25 | {
26 |     "runtimes": {
27 |         "runsc": {
28 |             "path": "/usr/local/bin/runsc"
29 |         },
30 |         "kata-runtime": {
31 |             "path": "/usr/bin/kata-runtime"
32 |         },
33 |         "runnc": {
34 |             "path": "/usr/local/bin/runnc"
35 |         }
36 |     }
37 | }
38 | EOF
39 | 
40 |     sudo systemctl daemon-reload
41 |     sudo systemctl restart docker
42 | fi
43 | 


--------------------------------------------------------------------------------
/measurements/provision/firecracker.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | if [ ! -x /usr/local/bin/firecracker ]; then
 4 |     sudo apt install -y musl-tools
 5 |     curl https://sh.rustup.rs -sSf | sh -s -- -y
 6 |     export PATH=$PATH:$HOME/.cargo/bin
 7 |     rustup target add x86_64-unknown-linux-musl
 8 | 
 9 |     git clone https://github.com/firecracker-microvm/firecracker
10 |     pushd firecracker
11 |     git checkout v0.12.0
12 |     cargo build --release --features vsock
13 |     cp target/x86_64-unknown-linux-musl/release/{firecracker,jailer} \
14 |        /usr/local/bin
15 |     popd
16 |     
17 |     setfacl -m u:vagrant:rw /dev/kvm
18 | fi
19 | 
20 | if [ ! -x /usr/local/bin/containerd-shim-aws-firecracker ]; then
21 |     git clone \
22 |         https://github.com/firecracker-microvm/firecracker-containerd
23 |     pushd firecracker-containerd
24 |     GO111MODULE=on make STATIC_AGENT=true
25 |     cp runtime/containerd-shim-aws-firecracker /usr/local/bin
26 |     cp snapshotter/cmd/naive/naive_snapshotter /usr/local/bin
27 |     popd
28 | fi
29 | 
30 | 
31 | if [ ! -f hello-vmlinux.bin ]; then
32 |     curl -fsSL -o hello-vmlinux.bin \
33 |          https://s3.amazonaws.com/spec.ccfc.min/img/hello/kernel/hello-vmlinux.bin
34 |     curl -fsSL -o hello-rootfs.ext4 \
35 |          https://s3.amazonaws.com/spec.ccfc.min/img/hello/fsfiles/hello-rootfs.ext4
36 | 
37 |     mkdir /tmp/mnt
38 | 
39 |     cat >fc-agent.start <<EOF
40 | #!/bin/sh
41 | mkdir -p /container
42 | exec > /container/agent-debug.log # Debug logs from the agent
43 | exec 2>&1
44 | touch /container/runtime
45 | mkdir /container/rootfs
46 | mount -t auto -o rw /dev/vdb /container/rootfs
47 | cd /container
48 | /usr/local/bin/agent -id 1 -debug &
49 | EOF
50 | 
51 |     chmod +x fc-agent.start
52 |     truncate --size=+50M hello-rootfs.ext4
53 |     /sbin/e2fsck -f hello-rootfs.ext4 -y
54 |     /sbin/resize2fs hello-rootfs.ext4
55 |     mount hello-rootfs.ext4 /tmp/mnt
56 |     cp $(which runc) firecracker-containerd/agent/agent /tmp/mnt/usr/local/bin
57 |     cp fc-agent.start /tmp/mnt/etc/local.d
58 |     ln -s /etc/init.d/local /tmp/mnt/etc/runlevels/default/local
59 |     ln -s /etc/init.d/cgroups /tmp/mnt/etc/runlevels/default/cgroups
60 |     umount /tmp/mnt
61 |     rmdir /tmp/mnt
62 | 
63 |     mkdir -p /etc/containerd
64 |     tee -a /etc/containerd/config.toml <<EOF
65 | [proxy_plugins]
66 |   [proxy_plugins.firecracker-naive]
67 |     type = "snapshot"
68 |     address = "/var/run/firecracker-containerd/naive-snapshotter.sock"
69 | EOF
70 | 
71 |     mkdir -p /var/lib/firecracker-containerd/runtime
72 |     cp hello-rootfs.ext4 hello-vmlinux.bin \
73 |        /var/lib/firecracker-containerd/runtime
74 |     mkdir -p /etc/containerd
75 |     tee -a /etc/containerd/firecracker-runtime.json <<EOF
76 | {
77 |   "firecracker_binary_path": "/usr/local/bin/firecracker",
78 |   "socket_path": "./firecracker.sock",
79 |   "kernel_image_path": "/var/lib/firecracker-containerd/runtime/hello-vmlinux.bin",
80 |   "kernel_args": "console=ttyS0 noapic reboot=k panic=1 pci=off nomodules rw",
81 |   "root_drive": "/var/lib/firecracker-containerd/runtime/hello-rootfs.ext4",
82 |   "cpu_count": 1,
83 |   "cpu_template": "T2",
84 |   "console": "stdio",
85 |   "log_fifo": "/tmp/fc-logs.fifo",
86 |   "log_level": "Debug",
87 |   "metrics_fifo": "/tmp/fc-metrics.fifo"
88 | }
89 | EOF
90 | 
91 |     modprobe vhost-vsock
92 | fi
93 | 


--------------------------------------------------------------------------------
/measurements/provision/go.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | if [ ! -f go1.11.5.linux-amd64.tar.gz ]; then
4 |     curl -s -O https://dl.google.com/go/go1.11.5.linux-amd64.tar.gz
5 |     tar -C /usr/local -xzf go1.11.5.linux-amd64.tar.gz
6 |     echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
7 |     export PATH=$PATH:/usr/local/go/bin
8 | fi
9 | 


--------------------------------------------------------------------------------
/measurements/provision/gvisor.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | if [ ! -x /usr/local/bin/runsc ]; then
 4 |     wget -q https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc
 5 |     wget -q https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc.sha512
 6 |     sha512sum -c runsc.sha512
 7 |     chmod a+x runsc
 8 |     mv runsc /usr/local/bin
 9 | fi
10 | 


--------------------------------------------------------------------------------
/measurements/provision/kata.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | if [ ! -x /usr/bin/kata-runtime ]; then
 4 |     ARCH=$(arch)
 5 |     sh -c \
 6 |        "echo 'deb http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/stable-1.5/xUbuntu_$(lsb_release -rs)/ /' \
 7 |   > /etc/apt/sources.list.d/kata-containers.list"
 8 |     curl -sL \
 9 |          http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/master/xUbuntu_$(lsb_release -rs)/Release.key \
10 |         | apt-key add -
11 |     apt-get update
12 |     apt-get -y install kata-runtime kata-proxy kata-shim
13 | fi
14 | 


--------------------------------------------------------------------------------
/measurements/provision/nabla.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | if [ ! -x /usr/local/bin/runnc ]; then
 4 |     GOPATH=/root/go
 5 |     if [ ! -d $GOPATH ]; then
 6 |         mkdir -p $GOPATH/src/github.com/opencontainers
 7 |     fi
 8 | 
 9 |     go get github.com/nabla-containers/runnc
10 | 
11 |     cd ~/go/src/github.com/nabla-containers
12 |     rm -rf runnc
13 |     git clone https://github.com/nabla-containers/runnc.git
14 |     cd runnc
15 |     git checkout b78fe29
16 |     git submodule update --init
17 |     make container-build
18 |     make container-install
19 |     apt-get install genisoimage
20 | fi
21 | 
22 | 


--------------------------------------------------------------------------------
/measurements/provision/packages.sh:
--------------------------------------------------------------------------------
1 | #!/bin/sh
2 | 
3 | apt-get update
4 | 
5 | apt-get -y install gcc make pkg-config libseccomp-dev zlib1g-dev \
6 |         silversearcher-ag
7 | 


--------------------------------------------------------------------------------
/measurements/rumprun-bake.patch:
--------------------------------------------------------------------------------
 1 | diff --git a/rumprun-bake b/rumprun-bake.1
 2 | index fbde0c6..29c105b 100755
 3 | --- a/rumprun-bake
 4 | +++ b/rumprun-bake.1
 5 | @@ -403,6 +403,7 @@ ${runcmd} ${RUMPBAKE_BACKINGCC} ${RUMPBAKE_CFLAGS} -no-pie	\
 6 |      --sysroot ${RUMPBAKE_TOOLDIR}/rumprun-${MACHINE_GNU_ARCH}		\
 7 |      -specs=${RUMPBAKE_TOOLDIR}/rumprun-${MACHINE_GNU_ARCH}/lib/rumprun-${PLATFORM}/specs-bake \
 8 |      -o ${OUTPUT} ${allobjs}						\
 9 | +    -L/usr/lib \
10 |      -Wl,--whole-archive ${LIBS} || exit 1
11 |  
12 |  exit 0
13 | 


--------------------------------------------------------------------------------
/measurements/rumprun.patch:
--------------------------------------------------------------------------------
  1 | diff --git a/Makefile b/Makefile
  2 | index cb33957..2fd4b17 100644
  3 | --- a/Makefile
  4 | +++ b/Makefile
  5 | @@ -1,5 +1,5 @@
  6 |  build:
  7 | -	./build-rr.sh -j4 -d rumprun-solo5 -o ./obj solo5 build
  8 | +	./build-rr.sh -j4 -d rumprun-solo5 -o ./obj solo5 build -- -F CFLAGS="-Wimplicit-fallthrough=0"
  9 |  	./build-rr.sh -j4 -d rumprun-solo5 -o ./obj solo5 install
 10 |  
 11 |  build_hw:
 12 | diff --git a/app-tools/Makefile b/app-tools/Makefile
 13 | index beb39b8..e355e05 100644
 14 | --- a/app-tools/Makefile
 15 | +++ b/app-tools/Makefile
 16 | @@ -83,6 +83,7 @@ ${TOOLOBJ}/${2}: ${1} Makefile ${TOOLOBJ}
 17 |  		-e 's#!PLATFORM!#$(PLATFORM)#g;'			\
 18 |  		-e 's#!CPPFLAGS!#$(BUILDRUMP_TOOL_CPPFLAGS)#g;'		\
 19 |  		-e 's#!CFLAGS!#$(BUILDRUMP_TOOL_CFLAGS)#g;'		\
 20 | +		-e 's#!EXTRACCFLAGS!#$(EXTRACCFLAGS)#g;'		\
 21 |  		-e 's#!CXXFLAGS!#$(BUILDRUMP_TOOL_CXXFLAGS)#g;'		\
 22 |  		-e 's#!LDFLAGS_BAKE!#$(LDFLAGS_BAKE)#g;'
 23 |  	chmod 755 $$@
 24 | diff --git a/app-tools/cc.in b/app-tools/cc.in
 25 | index ef0db9a..4ea20a8 100644
 26 | --- a/app-tools/cc.in
 27 | +++ b/app-tools/cc.in
 28 | @@ -96,7 +96,7 @@ ferment)
 29 |  	${CC} ${CFLAGS} -no-integrated-cpp \
 30 |  	    --sysroot !DESTDIR!/rumprun-!MACHINE_GNU_ARCH! \
 31 |  	    -specs=!DESTDIR!/rumprun-!MACHINE_GNU_ARCH!/lib/specs-compile_or_ferment \
 32 | -	    -Wl,-r -Wl,-u,main \
 33 | +	    !EXTRACCFLAGS! -Wl,-r -Wl,-u,main \
 34 |  	    "$@" !DESTDIR!/rumprun-!MACHINE_GNU_ARCH!/share/!TOOLTUPLE!-recipe.s ${EXTRALIBS} || die
 35 |  
 36 |  	# If the presumed output file did not change, and the compiler
 37 | diff --git a/app-tools/cookfs.in b/app-tools/cookfs.in
 38 | index 4972b3f..16d8b2b 100644
 39 | --- a/app-tools/cookfs.in
 40 | +++ b/app-tools/cookfs.in
 41 | @@ -164,7 +164,7 @@ processonefile ()
 42 |  	ln -sf -- "${fabs}" ${LINKPATH}
 43 |  
 44 |  	${RUMPRUN_COOKFS_CC} !CFLAGS! !CPPFLAGS! -nostdlib		\
 45 | -	    -Wl,-r,-b,binary -o ${TMPDIR}/d${fn}.o ${LINKPATH}
 46 | +	    !EXTRACCFLAGS! -Wl,-r,-b,binary -o ${TMPDIR}/d${fn}.o ${LINKPATH}
 47 |  
 48 |  	${RUMPRUN_COOKFS_OBJCOPY}					\
 49 |  	    --redefine-sym ${LINKPATH_BIN}_start=${rf}_start		\
 50 | @@ -233,7 +233,7 @@ exec 1>&3 3>&-
 51 |  unset IFS
 52 |  
 53 |  ${RUMPRUN_COOKFS_CC} !CFLAGS! !CPPFLAGS! -I${RUMPRUN_COOKFS_INCDIR}	\
 54 | -    -nostdlib -Wl,-r -o ${TMPDIR}/fin.o ${TMPDIR}/d*.o ${TMPDIR}/constr.c
 55 | +    -nostdlib !EXTRACCFLAGS! -Wl,-r -o ${TMPDIR}/fin.o ${TMPDIR}/d*.o ${TMPDIR}/constr.c
 56 |  ${RUMPRUN_COOKFS_OBJCOPY} ${LSYM} ${TMPDIR}/fin.o ${OUTFILE}
 57 |  
 58 |  totsize=$(${RUMPRUN_COOKFS_SIZE} ${OUTFILE} | awk 'NR == 2{print $4}')
 59 | diff --git a/app-tools/rumprun-bake.in b/app-tools/rumprun-bake.in
 60 | index 9cc5e25..d4c2fe3 100644
 61 | --- a/app-tools/rumprun-bake.in
 62 | +++ b/app-tools/rumprun-bake.in
 63 | @@ -397,8 +397,9 @@ done
 64 |  
 65 |  MACHINE_GNU_ARCH=${RUMPBAKE_TUPLE%%-*}
 66 |  
 67 | +
 68 |  # Final link using cc to produce the unikernel image.
 69 | -${runcmd} ${RUMPBAKE_BACKINGCC} ${RUMPBAKE_CFLAGS}			\
 70 | +${runcmd} ${RUMPBAKE_BACKINGCC} ${RUMPBAKE_CFLAGS} !EXTRACCFLAGS!	\
 71 |      --sysroot ${RUMPBAKE_TOOLDIR}/rumprun-${MACHINE_GNU_ARCH}		\
 72 |      -specs=${RUMPBAKE_TOOLDIR}/rumprun-${MACHINE_GNU_ARCH}/lib/rumprun-${PLATFORM}/specs-bake \
 73 |      -o ${OUTPUT} ${allobjs}						\
 74 | diff --git a/build-rr.sh b/build-rr.sh
 75 | index 137e9c0..b011edc 100755
 76 | --- a/build-rr.sh
 77 | +++ b/build-rr.sh
 78 | @@ -503,6 +503,14 @@ makeconfig ()
 79 |  	else
 80 |  		echo "CONFIG_CXX=no" >> ${1}
 81 |  	fi
 82 | +
 83 | +	# Check for if compiler supports -no-pie and save to EXTRACCFLAGS
 84 | +	gccnopie=
 85 | +	if [ -z "`echo 'int p=1;' | ${CC} -no-pie -S -o /dev/null -x c - 2>&1`" ]; then
 86 | +		gccnopie=-no-pie
 87 | +	fi
 88 | +	echo "EXTRACCFLAGS=${quote}${gccnopie}${quote}" >> ${1}
 89 | +
 90 |  }
 91 |  
 92 |  dobuild ()
 93 | diff --git a/global.mk b/global.mk
 94 | index 5995507..1e0ebd8 100644
 95 | --- a/global.mk
 96 | +++ b/global.mk
 97 | @@ -23,3 +23,6 @@ INSTALLDIR=     ${RROBJ}/dest.stage
 98 |  else
 99 |  INSTALLDIR=     ${RRDEST}
100 |  endif
101 | +
102 | +cc-option = $(shell if [ -z "`echo 'int p=1;' | $(CC) $(1) -S -o /dev/null -x c - 2>&1`" ]; \
103 | +                       then echo y; else echo n; fi)
104 | diff --git a/platform/hw/Makefile b/platform/hw/Makefile
105 | index 387440b..20bb297 100644
106 | --- a/platform/hw/Makefile
107 | +++ b/platform/hw/Makefile
108 | @@ -31,6 +31,10 @@ SRCS+=		intr.c clock_subr.c kernel.c multiboot.c undefs.c
109 |  include ../Makefile.inc
110 |  include arch/${ARCHDIR}/Makefile.inc
111 |  
112 | +# Disable PIE, but need to check if compiler supports it
113 | +LDFLAGS-$(call cc-option,-no-pie) += -no-pie
114 | +LDFLAGS += $(LDFLAGS-y)
115 | +
116 |  OBJS:=	$(patsubst %.c,${RROBJ}/platform/%.o,${SRCS}) \
117 |  	$(patsubst %.S,${RROBJ}/platform/%.o,${ASMS})
118 |  
119 | @@ -54,7 +58,7 @@ ${RROBJ}/platform/%.o: %.S
120 |  	${CC} -D_LOCORE ${CPPFLAGS} ${CFLAGS} -c $< -o $@
121 |  
122 |  ${MAINOBJ}: ${OBJS} platformlibs
123 | -	${CC} -nostdlib ${CFLAGS} -Wl,-r ${OBJS} -o $@ \
124 | +	${CC} -nostdlib ${CFLAGS} ${LDFLAGS} -Wl,-r ${OBJS} -o $@ \
125 |  	    -L${RROBJLIB}/libbmk_core -L${RROBJLIB}/libbmk_rumpuser \
126 |  	    -Wl,--whole-archive -lbmk_rumpuser -lbmk_core -Wl,--no-whole-archive
127 |  	${OBJCOPY} -w -G bmk_* -G rumpuser_* -G jsmn_* \
128 | diff --git a/platform/solo5/Makefile b/platform/solo5/Makefile
129 | index 67fe6ea..58a921f 100644
130 | --- a/platform/solo5/Makefile
131 | +++ b/platform/solo5/Makefile
132 | @@ -55,7 +55,7 @@ $(eval $(call BUILDLIB_target,librumpnet_ukvmif,.))
133 |  solo5libs: ${RROBJLIB}/librumpnet_ukvmif/librumpnet_ukvmif.a
134 |  
135 |  ${MAINOBJ}: ${OBJS} platformlibs solo5libs
136 | -	${CC} -nostdlib ${CFLAGS} -Wl,-r ${OBJS} -o $@ \
137 | +	${CC} -nostdlib ${CFLAGS} -r ${OBJS} -o $@ \
138 |  	    -L${RROBJLIB}/libbmk_core -L${RROBJLIB}/libbmk_rumpuser \
139 |  	    -Wl,--whole-archive -lbmk_rumpuser -lbmk_core -Wl,--no-whole-archive
140 |  	#${OBJCOPY} -w -G bmk_* -G jsmn_* -G solo5_app_main -G _start $@
141 | diff --git a/platform/xen/Makefile b/platform/xen/Makefile
142 | index 4f074f7..28ba4c5 100644
143 | --- a/platform/xen/Makefile
144 | +++ b/platform/xen/Makefile
145 | @@ -24,6 +24,10 @@ default: prepare links mini-os ${MAINOBJ} ${TARGETS}
146 |  CPPFLAGS+= -isystem xen/include
147 |  CPPFLAGS+= -no-integrated-cpp
148 |  
149 | +# Disable PIE, but need to check if compiler supports it
150 | +LDFLAGS-$(call cc-option,-no-pie) += -no-pie
151 | +LDFLAGS += $(LDFLAGS-y)
152 | +
153 |  CFLAGS += -fno-builtin
154 |  
155 |  rump-src-y += rumphyper_bio.c
156 | diff --git a/platform/xen/xen/Makefile b/platform/xen/xen/Makefile
157 | index 95a8ecd..e42d3bb 100644
158 | --- a/platform/xen/xen/Makefile
159 | +++ b/platform/xen/xen/Makefile
160 | @@ -33,7 +33,9 @@ LDARCHLIB := -l$(ARCH_LIB_NAME)
161 |  LDSCRIPT := $(TARGET_ARCH_DIR)/minios-$(XEN_TARGET_ARCH).lds
162 |  LDFLAGS_FINAL := -T $(LDSCRIPT)
163 |  
164 | -LDFLAGS := -L$(abspath $(OBJ_DIR)/$(TARGET_ARCH_DIR))
165 | +# Disable PIE, but need to check if compiler supports it
166 | +LDFLAGS-$(call cc-option,-no-pie) += -no-pie
167 | +LDFLAGS := -L$(abspath $(OBJ_DIR)/$(TARGET_ARCH_DIR)) $(LDFLAGS-y)
168 |  
169 |  # Prefixes for global API names. All other symbols in mini-os are localised
170 |  # before linking with rumprun applications.
171 | diff --git a/platform/xen/xen/minios.mk b/platform/xen/xen/minios.mk
172 | index e6db96d..a9b59a8 100644
173 | --- a/platform/xen/xen/minios.mk
174 | +++ b/platform/xen/xen/minios.mk
175 | @@ -7,8 +7,9 @@ debug = y
176 |  # Define some default flags.
177 |  # NB. '-Wcast-qual' is nasty, so I omitted it.
178 |  DEF_CFLAGS += -fno-builtin -Wall -Werror -Wredundant-decls -Wno-format -Wno-redundant-decls
179 | -DEF_CFLAGS += $(call cc-option,$(CC),-fno-stack-protector,)
180 | -DEF_CFLAGS += $(call cc-option,$(CC),-fgnu89-inline)
181 | +DEF_CFLAGS-$(call cc-option,-fno-stack-protector) += -fno-stack-protector
182 | +DEF_CFLAGS-$(call cc-option,-fgnu89-inline) += -fgnu89-inline
183 | +DEF_CFLAGS += $(DEF_CFLAGS-y)
184 |  DEF_CFLAGS += -Wstrict-prototypes -Wnested-externs -Wpointer-arith -Winline
185 |  DEF_CPPFLAGS += -D__XEN_INTERFACE_VERSION__=$(XEN_INTERFACE_VERSION)
186 |  
187 | 


--------------------------------------------------------------------------------
/nabla-containers/README.md:
--------------------------------------------------------------------------------
 1 | # Nabla containers
 2 | 
 3 | ## Pointers
 4 | 
 5 | - [Nabla containers: a new approach to container isolation · Nabla Containers](https://nabla-containers.github.io/)
 6 | - [Nabla Containers](https://github.com/nabla-containers)
 7 | - [nabla-containers/nabla-measurements: Measurements and comparisons of nabla containers](https://github.com/nabla-containers/nabla-measurements)
 8 | - [Running a Nabla Container · Nabla Containers](https://nabla-containers.github.io/2018/06/28/nabla-setup/)
 9 | 
10 | ## Running a Nabla Container
11 | 
12 | ### Build and install runnc
13 | 
14 | ```sh
15 | mkdir -p ~/go
16 | go get github.com/nabla-containers/runnc
17 | ```
18 | 
19 | I saw this error, but ignored.
20 | 
21 | ```
22 | package github.com/opencontainers/runc/libcontainer/label: cannot find package "github.com/opencontainers/runc/libcontainer/label" in any of:
23 |         /usr/local/go/src/github.com/opencontainers/runc/libcontainer/label (from $GOROOT)
24 |         /home/vagrant/go/src/github.com/opencontainers/runc/libcontainer/label (from $GOPATH)
25 | ```
26 | 
27 | ```sh
28 | cd go/src/github.com/nabla-containers/runnc
29 | make container-build
30 | make container-install
31 | ```
32 | 
33 | 
34 | ### Installing the runtime for docker
35 | 
36 | ```sh
37 | sudo apt install -y genisoimage
38 | ```
39 | 
40 | 
41 | /etc/docker/daemon.json
42 | 
43 | 
44 | ```json
45 | {
46 |     "runtimes": {
47 |         "runnc": {
48 |                 "path": "/usr/local/bin/runnc"
49 |         }
50 |     }
51 | }
52 | ```
53 | 
54 | ```sh
55 | sudo systemctl restart docker
56 | ```
57 | 
58 | 
59 | ### Creating our first nabla container
60 | 
61 | ```sh
62 | sudo docker run --rm -p 8080:8080 --runtime=runnc nablact/node-express-nabla
63 | ```
64 | 
65 | 
66 | ```
67 | curl localhost:8080
68 | ```
69 | 
70 | 
71 | ```sh
72 | ps -ef|grep runnc
73 | root     16689  9703  0 04:19 pts/0    00:00:00 sudo docker run --rm -p 8080:8080 --runtime=runnc nablact/node-express-nabla
74 | root     16690 16689  0 04:19 pts/0    00:00:00 docker run --rm -p 8080:8080 --runtime=runnc nablact/node-express-nabla
75 | root     16759  8282  0 04:19 ?        00:00:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/f890dd474526621d7232f0f07d803ed7dd2dc82dfaf2411bf45a956352b2dc6a -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runnc
76 | root     16779 16759  1 04:19 ?        00:00:00 /opt/runnc/bin/nabla-run --mem=512 --net-mac=02:42:ac:11:00:02 --net=tapf890dd474526 --disk=/var/run/docker/runtime-runnc/moby/f890dd474526621d7232f0f07d803ed7dd2dc82dfaf2411bf45a956352b2dc6a/rootfs.iso /var/lib/docker/overlay2/dfc849b4eac55398ce9280f3edfae554db54d54a019cacd724bfb95fe687d211/merged/node.nabla {"env":"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","env":"HOSTNAME=f890dd474526","cmdline":"/var/lib/docker/overlay2/dfc849b4eac55398ce9280f3edfae554db54d54a019cacd724bfb95fe687d211/merged/node.nabla /home/node/app/app.js","net":{"if":"ukvmif0","cloner":"True","type":"inet","method":"static","addr":"172.17.0.2","mask":"16","gw":"172.17.0.1"},"blk":{"source":"etfs","path":"/dev/ld0a","fstype":"blk","mountpoint":"/"},"cwd":"/"}
77 | ```
78 | 


--------------------------------------------------------------------------------
/nabla-containers/Vagrantfile:
--------------------------------------------------------------------------------
1 | Vagrant.configure('2') do |config|
2 |   config.vm.box = 'ubuntu/bionic64'
3 |   config.vm.provision :shell, path: 'provision.sh'
4 | end
5 | 


--------------------------------------------------------------------------------
/nabla-containers/provision.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | apt-get update
 4 | apt-get -y install gcc make pkg-config libseccomp-dev
 5 | 
 6 | if [ ! -f go1.11.5.linux-amd64.tar.gz ]; then
 7 |     curl -s -O https://dl.google.com/go/go1.11.5.linux-amd64.tar.gz
 8 |     tar -C /usr/local -xzf go1.11.5.linux-amd64.tar.gz
 9 |     echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
10 | fi
11 | 
12 | GOPATH=/root/go
13 | if [ ! -d $GOPATH ]; then
14 |     mkdir -p $GOPATH/src/github.com/opencontainers
15 | fi
16 | 
17 | if [ ! -x /usr/bin/docker ]; then
18 |     apt-get remove docker docker-engine docker.io containerd runc
19 |     apt-get install \
20 |             apt-transport-https \
21 |             ca-certificates \
22 |             curl \
23 |             gnupg-agent \
24 |             software-properties-common
25 | 
26 |     curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
27 |         | apt-key add -
28 | 
29 |     add-apt-repository \
30 |         "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
31 |         $(lsb_release -cs) \
32 |         stable"
33 | 
34 |     apt-get update
35 | 
36 |     apt-get -y install docker-ce docker-ce-cli containerd.io
37 | fi
38 | 


--------------------------------------------------------------------------------
/runc/README.md:
--------------------------------------------------------------------------------
  1 | # runc
  2 | 
  3 | ## Overview
  4 | 
  5 | - [opencontainers/runc: CLI tool for spawning and running containers according to the OCI specification](https://github.com/opencontainers/runc)
  6 | 
  7 | 
  8 | ## Using runc
  9 | 
 10 | ### Creating an OCI Bundle
 11 | 
 12 | ```sh
 13 | mkdir mycontainer
 14 | cd mycontainer
 15 | mkdir rootfs
 16 | cid=`sudo docker create busybox`
 17 | sudo docker export $cid | tar -C rootfs -xvf -
 18 | runc spec
 19 | ```
 20 | 
 21 | ### Running Containers
 22 | 
 23 | Under `mycontainer` directory:
 24 | 
 25 | ```sh
 26 | sudo runc run mycontainerid
 27 | / #
 28 | / # uname -n
 29 | runc
 30 | / # id
 31 | uid=0(root) gid=0(root)
 32 | ```
 33 | 
 34 | 
 35 | On another terminal:
 36 | 
 37 | ```
 38 | sudo runc list
 39 | ID              PID         STATUS      BUNDLE                      CREATED                         OWNER
 40 | mycontainerid   18750       running     /home/vagrant/mycontainer   2019-02-07T01:06:08.41163043Z   root
 41 | 
 42 | sudo ps f
 43 |   PID TTY      STAT   TIME COMMAND
 44 | 18773 pts/1    S+     0:00 sudo ps f
 45 | 18774 pts/1    R+     0:00  \_ ps f
 46 | 18729 pts/0    S+     0:00 sudo runc run mycontainerid
 47 | 18730 pts/0    Sl+    0:00  \_ runc run mycontainerid
 48 | 18750 pts/0    Ss+    0:00      \_ sh
 49 | ```
 50 | ### Lifecycle Operations
 51 | 
 52 | Modify `config.json`.
 53 | 
 54 | ```diff
 55 | --- config.json.org     2019-02-07 01:12:49.023777804 +0000
 56 | +++ config.json 2019-02-07 01:13:18.715777804 +0000
 57 | @@ -1,13 +1,13 @@
 58 |  {
 59 |         "ociVersion": "1.0.1-dev",
 60 |         "process": {
 61 | -               "terminal": true,
 62 | +               "terminal": false,
 63 |                 "user": {
 64 |                         "uid": 0,
 65 |                         "gid": 0
 66 |                 },
 67 |                 "args": [
 68 | -                       "sh"
 69 | +                       "sleep", " 5"
 70 |                 ],
 71 |                 "env": [
 72 |                         "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 73 | @@ -175,4 +175,4 @@
 74 |                         "/proc/sysrq-trigger"
 75 |                 ]
 76 |         }
 77 | -}
 78 | \ No newline at end of file
 79 | +}
 80 | ```
 81 | 
 82 | ```sh
 83 | sudo runc create mycontainerid
 84 | sudo runc list
 85 | ID              PID         STATUS      BUNDLE                      CREATED                          OWNER
 86 | mycontainerid   18972       created     /home/vagrant/mycontainer   2019-02-07T01:56:52.337417123Z   root
 87 | sudo runc start mycontainerid
 88 | sudo runc list
 89 | ID              PID         STATUS      BUNDLE                      CREATED                          OWNER
 90 | mycontainerid   18972       running     /home/vagrant/mycontainer   2019-02-07T01:56:52.337417123Z   root
 91 | # After 5 seconds
 92 | sudo runc list
 93 | ID              PID         STATUS      BUNDLE                      CREATED                          OWNER
 94 | mycontainerid   0           stopped     /home/vagrant/mycontainer   2019-02-07T01:56:52.337417123Z   root
 95 | sudo runc delete mycontainerid
 96 | ```
 97 | 
 98 | ### Rootless containers
 99 | 
100 | 
101 | ```sh
102 | mkdir mycontainer
103 | cd mycontainer
104 | mkdir rootfs
105 | cid=`sudo docker create busybox`
106 | sudo docker export $cid | tar -C rootfs -xvf -
107 | runc spec --rootless
108 | runc --root /tmp/runc run mycontainerid
109 | ```
110 | 


--------------------------------------------------------------------------------
/runc/Vagrantfile:
--------------------------------------------------------------------------------
1 | Vagrant.configure('2') do |config|
2 |   config.vm.box = 'ubuntu/bionic64'
3 |   config.vm.provision :shell, path: 'provision.sh'
4 | end
5 | 


--------------------------------------------------------------------------------
/runc/provision.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/sh
 2 | 
 3 | apt-get update
 4 | apt-get -y install gcc make pkg-config libseccomp-dev
 5 | 
 6 | if [ ! -f go1.11.5.linux-amd64.tar.gz ]; then
 7 |     curl -s -O https://dl.google.com/go/go1.11.5.linux-amd64.tar.gz
 8 |     tar -C /usr/local -xzf go1.11.5.linux-amd64.tar.gz
 9 |     echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
10 | fi
11 | 
12 | GOPATH=/root/go
13 | if [ ! -d $GOPATH ]; then
14 |     mkdir -p $GOPATH/src/github.com/opencontainers
15 | fi
16 | 
17 | if [ ! -f /usr/local/sbin/runc ]; then
18 |     go get github.com/opencontainers/runc
19 |     cd $GOPATH/src/github.com/opencontainers/runc
20 |     make
21 |     make install
22 | fi
23 | 
24 | if [ ! -x /usr/bin/docker ]; then
25 |     apt-get remove docker docker-engine docker.io containerd runc
26 |     apt-get install \
27 |             apt-transport-https \
28 |             ca-certificates \
29 |             curl \
30 |             gnupg-agent \
31 |             software-properties-common
32 | 
33 |     curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
34 |         | apt-key add -
35 | 
36 |     add-apt-repository \
37 |         "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
38 |         $(lsb_release -cs) \
39 |         stable"
40 | 
41 |     apt-get update
42 | 
43 |     apt-get -y install docker-ce docker-ce-cli containerd.io
44 | fi
45 | 


--------------------------------------------------------------------------------