►
From YouTube: Rust-based, Secure and Lightweight Container Runtime for Embedded Systems - Manabu Sugimoto, Sony
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon North America 2021 in Los Angeles, CA from October 12-15. Learn more at https://kubecon.io The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Rust-based, Secure and Lightweight Container Runtime for Embedded Systems - Manabu Sugimoto, Sony Group Corporation
Linux container is a lightweight virtualization technology that provides isolation and containment for applications. Recently, the container has been adopted by embedded systems because the mechanism is attractive to resource-constrained systems. Unfortunately, the existing container runtimes such as runc do not provide sufficient security and performance for mission-critical embedded systems. This talk presents a rust-based container runtime for embedded systems that enables the container to run at high speed while reducing the runtime memory usage. The runtime has an original fast-startup mechanism that starts the container by leveraging the pre-created container. Furthermore, the runtime offers a fine-grained access control using the new seccomp notify feature. The evaluation shows that the runtime launches the container 7.4x faster with 4.4x less memory usage than runc.
A
My
name
is
manuel
sigmotor,
I'm
a
system
software
engineer
at
sony
id
center.
My
research
interests
are
container
virtualization,
unicornos
and
linux.
Kernel
here
is
the
ultra
outline
of
my
presentation.
First
I'd
like
to
start
by
talking
about
linux,
container,
virtualization
and
container
runtime
software.
A
A
A
A
A
A
A
A
A
A
First
I'll
talk
about
the
requirements
of
embedded
systems.
The
main
difference
between
general
purpose
systems
and
embedded
systems
is
that
embedded
systems
have
more
restrictions
than
server
systems
in
resource
constraining
the
systems
the
memory
size
is
small
stretch,
capacity
is
lower
and
the
cpu
is
not
high.
A
A
How
we
land
continue
runtime
on
such
embedded
systems.
It
is
difficult
to
use
kubernetes
or
docker
on
embedded
systems,
because
those
software
includes
performance,
overhead
and
high
resource
usage
to
manage
containers,
for
example,
kubernetes
and
the
docker
includes
a
high
level
runtime
that
manages
container
images.
A
In
addition,
the
right
operations
shot
in
the
live
span
or
emmc
that
stands
for
embedded
multimedia
card.
That
is
a
standard
specification
of
embedded
memory.
Please
look
at
the
figure
on
the
left.
A
demo
sub
such
as
darkerly
always
writes
up
rights
to
metadata
files
in
mounts
on
emmc
of
embedded
systems.
A
We
want
to
avoid
the
right
applications
as
much
as
possible
to
extend
the
lifespan
of
the
emmc
to
solve
these
problems.
We
learned
a
lot
about
content
among
time
along
on
the
systems
in
the
figure
on
the
right
container,
on
timelines
without
any
services.
In
this
way,
we
can
manage
containers
effectively
on
the
systems.
A
A
When
a
user
wants
to
use
a
ping
command,
the
user
needs
to
have
a
cab
network
capability.
However,
cabinet
role
also
allows
users
to
run
up
spoofing
attacks.
Second,
the
looters
container
by
username
spaces
is
very
strict
for
the
systems.
The
username
space
allows
the
containers
that
are
pre
privileged
outside
the
name
space
to
have
root
privileges,
but
at
the
same
time
limiting
their
scope
of
that
privilege
to
the
name
space.
A
In
the
case
of
the
embedded
systems,
it
is
not
good
because
some
embedded
system
embedded
applications
needed
to
access
devices
via
such
mount
system
core.
Second,
in
terms
of
lightweight
container
setup
time,
is
not
fast
enough
for
real
time
system.
Most
container
long
time,
such
as
ranci,
are
written
in
guru,
language,
the
language
is
very
good,
but
unfortunately,
the
application
binary
size
is
big
for
the
embedded
systems
and
the
garbage
collection
by
go
run.
Time
increase
high
cpu
utilization,
so
we
have
to
solve
the
problems
in
embedded
systems.
A
Okay,
now
I'll
talk
proposal
to
solve
these
problems
here
I
propose
sl
run
time
that
is
rust
based
secure
and
the
light
which
could
turn
on
on
timing
for
embedded
systems.
Sm
runtime
is
implemented
freely
in
rust,
with
modern
flights
and
lca
compatible
minimal
container
on
time
for
embedded
systems.
A
Isolation
by
container
for
high
dependability,
the
essential
runtime
has
a
fine
landing
access
control
and
the
memory
safety
by
rust,
forcibility
in
the
lightweight
mechanism,
raw
memory
usage
and
the
smaller
binary
sizes,
from
the
benefits
for
the
rest
and
the
first
setup.
That
is
our
original
features
and
their
real-time
support
for
embedded
I'll,
explain
these
mechanisms
in
detail
later
slide
here
you
can
see
the
compiling
table
of
srn
time
and
existing
container
on
times
its
runtime
is
more
lightweight
and
secure
than
their
existing
controller
on
time.
A
A
Why
did
we
choose
ras
over
golang
or
cc
practice
to
develop
content
around
time?
The
answer
is
that
rust
is
a
great
fit
for
embedded
systems.
First,
the
performance
is
equivalent
to
cc
press
press.
Second
last
guarantees
memory
safety
without
garbage
collection.
Third,
the
rust
community
has
awesome
place
for
developing
the
content
on
time.
A
I'll
introduce
this
phrase
in
the
next
slide.
Lastly,
ras
ffizer
stands
for
following
function.
Interface
is
very
helpful
to
bind
linux
api
go
rank
adapted
by
many
existing
container.
Runtimes
is
also
good,
but
has
some
limitations
in
embedded
systems.
The
goal
has
a
problem
interacting
with
name
spaces
by
go
run
time.
In
addition,
the
application
finally
says
is
big
compared
to
rust
and
they
go
based
around
time
include
performance
overhead
by
garbage
collection.
A
Here,
I'd
like
to
share
the
clients
for
developing
the
container
on
time,
rust
has
already
a
useful
class
for
creating
containers
such
as
capability
remit,
c
group.
Second,
and
things
like
that
passively
phrase
is
used
for
the
fine
grained
access
control
of
the
slr
on
time
and
the
co-affinity
is
used
for
the
excel
on
time.
Real
time
support,
as
you
already
know,
we
can
develop
the
software
easily
using
crafts
or
json
bitmaps
or
ci
of
json
format
to
interrupt
data
structures.
A
A
I
will
explain
the
first
setup
feature
the
process
up
around
choose
a
container
speedly
by
leveraging
a
pre-created
container
by
using
the
first
setup.
Sron
time
can
omit
time
before
initializing
the
runtime
and
creating
the
container
faster
setup
replaces
only
the
execution
process
inside
the
container
at
a
setup,
so
the
runtime
can
be
used
as
a
configuration,
except
for
the
execution
process.
A
A
These
containers
do
not
align
yet
after
that,
when
you
need
to
run
a
real-time
application,
srn
term
replaces
the
dummy
process
with
real-time
application.
You
want
to
run.
Please
look
at
the
figure
on
the
right.
The
normal
run
has
initializing
runtime,
creating
a
container
and
starting
the
container
phase.
In
the
case
of
the
first
setup,
you
can
reduce
the
time
of
initializing
return
time
and
creating
the
container,
so
it
is
possible
to
run
the
container
faster
than
normal
run.
A
A
A
At
this
point,
the
container
goes
into
a
clay,
create
status
and
slam
time
and
monitors
are
a
file
descriptor.
Then,
when
the
user
wants
to
run
the
container
using
process
setup,
the
user
creates.
The
processor
json
describes
the
real-time
process
to
be
executed
inside
the
container
and
the
cpu
core.
That
is
due
the
process.
A
Then
the
user
runs
the
first
setup
and
the
slr
runtime
writes
the
contents
of
the
first
startup
configuration
at
the
moment,
since
the
container
that
is
waiting
can
read,
file
descriptor
just
run.
Runtime
causes
the
container
to
resume
execution.
So
as
long
time
sets,
the
process
under
the
container
runs
execution
process.
A
It's
a
runtime.
The
fine
line
access
control
enables
the
routers
containers
to
execute
the
system
code
safely.
By
using
this
fine
blend
access
control
feature,
the
looters
container
can
emulate
even
system
course
that
changes
gravel
resources,
because
the
final
and
access
control
server,
emulates
assessment
core
in
user
space.
On
the
behalf
of
the
container,
based
on
the
security
policy
that
is
set
in
advanced
by
the
administrator,
please
look
at
the
figure.
A
If
container
a
does
mount
temperatures,
the
server
catches,
the
mount
system
call
before
executing
it
checks,
whether
the
destination
of
the
amount
is
temperature
under
the
performance,
a
performance
amount
on
behalf
of
the
container,
a
thanks
to
this
mechanism.
The
router's
containers
can
issue
the
mount
system
call
safely.
A
If
container
b
does
not
does
mount
tempest,
the
server
denies
amount
because
of
the
security
policy.
This
fine
land
access
control
mechanism
is
achieved
using
the
new
sitcom
notify
feature
here.
I'll
explain
the
second
notified
feature
that
is
introduced
in
linux
5.0.
The
second
nullify
provides
a
way
to
handle
a
particular
system
call
in
user
space.
A
Now,
in
this
example,
we
have
a
container
and
a
second
agent
which
handles
the
system
course
on
behalf
of
the
container.
First,
the
container
will
issue
a
system
call
second,
second
catches,
a
cisco
call
and
executes
a
ppf
program,
and
the
bpf
returns
notify
after
that.
Sitcom
asks
the
circum
agent
to
want
to
run
the
system
call,
and
the
agent
makes
a
decision
on
whether
the
container
performs
the
seismical
to
make
the
decision
to
set
compensation
to
read
the
seismic
or
arguments
and
validate
the
system
goal.
A
If
okay,
the
agent
performs
the
system
goal
on
behalf
of
the
behalf
of
the
process
and
otherwise
rejects
the
systemic
goal,
when
the
agent
can
successfully
successfully
execute
a
multi-system
call
agent
sets
the
return,
value
and
return
it
to
the
container
here.
This
slide
shows
how
their
experimental
implements
find.
Glenda
access
control
using
the
cell
comp
notify
first,
a
system
administrator
launches
a
final
and
access
control.
Server,
resolute
before
starting
a
container
second
user,
runs
a
container
using
config.json
that
describes
the
set
combinatory
a
few
months
ago,
ocl
on
time
specification
added.
A
A
A
Our
config.json
describes
that
execution
process
is
shell
and
the
username
space
setting
and
there's
a
comp
notify
configuration
in
this
demo
a
limits
mount
seismic
call.
Please
look
at
the
top
right.
First,
I
want
to
find
land
access
control
server
that
allows
the
container
to
the
mount
only
when
the
destination
is
flew
directly.
A
Second
runs
in
routers
container
buyers
along
time.
The
user
id
is
not
root
is
root
inside
the
container,
but
on
the
host
messenger
user
is
non-loot.
Now,
if
he
is
not
mounted
when
I
try
to
mount
bar
the
mount
fed
to
because
destination
buys
not
allowed
suburb,
you
can
see
the
error
message
in
the
server.
A
Now
let
me
move
on
the
evaluation
of
esl
on
time.
The
aberration
goals
are
measuring
two
types
of
start
time,
normal
run
and
faster
setup
and
the
memory
consumption
of
the
container
on
times
the
existing
runtimes
that
we
use
in
this
evaluation
runs
to
see
singularity,
run
c
series
and
right
curve.
In
the
experimental
setup
original
runtimes
uses
the
same
config.json
remove
the
c
grip's
configuration
because
s
runtime
does
not
support
it.
Yet
then
we
learn
the
container
runtimes
alone
without
any
client
tools.
The
container
executes
to
execute
true
commands
inside
the
containers.
A
The
result
of
a
startup
time
shows
that
sron
time
is
the
fastest
among
the
existing
continental
run
times,
because
the
runtime
is
minimal.
Please
look
at
the
graph
on
the
left
side.
The
normal
round
of
srn
time
achieves
7.4
times
speed
up
compared
to
run
c.
The
radical
is
also
rust
based
container
on
time,
but
restaurant
time
is
much
faster
than
regular.
Please
look
at
the
graph
on
the
right
side
process.
Setup
time
is
a
5.1
millisecond
and
first
up
start
up
achieves
1.5
times
speed
up
compared
to
the
normal
run
here.
A
This
slide
shows
the
memory
usage
of
the
container
runtimes.
The
result
of
the
memory
usage
shows
that
sron
time
is
3.824
and
it
is
small
compared
to
go
based
or
controller
end
times.
The
important
point
here
is
that
srn
times
memory
usage
is
equivalent
to
serum
written
in
c.
Language
c
is
the
most
preferred
language
for
embedded
systems.
Paragraphs
is
also
a
great
fit
for
the
systems.
A
A
Currently
sr
antenna
does
not
support
some
features
such
as
c
groups
or
ci,
and
things
like
that,
because
serrante
is
a
research
prototype.
Second,
we
need
to
enable
kubernetes
to
use
excel
on
time.
Lastly,
we
plan
to
integrate
slr
on
time
into
cate
containers,
because
cadet
community
has
already
developed
their
container
runtime
in
rust
conclusion.
A
First
rash
language
is
a
great
fit
for
america's
system
due
to
the
small
manually
fit
plant
and
binary
size.
In
addition,
rust
guarantees
memory
safety
without
any
overhead,
so
we
developed
rust-based
container
on-time
information
embedded
systems.
Our
runtime
has
the
first
asylum
mechanism
they're
fine,
grand
access,
control
for
embedded
systems.