
Feature/lab12 #16

Open
Uiyrte wants to merge 3 commits into main from feature/lab12

Conversation


@Uiyrte Uiyrte commented Nov 15, 2025

Goal

Implement and demonstrate VM-backed container isolation using Kata Containers. Compare the security and performance characteristics of the default runc runtime and Kata's hardware-virtualized sandboxing approach.

Changes

  • Built and installed Kata Containers shim v3.22.0 (Rust implementation)
  • Configured containerd with io.containerd.kata.v2 runtime
  • Installed Kata guest kernel (6.12.47) and rootfs images
  • Updated containerd configuration and restarted service
  • Deployed OWASP Juice Shop with runc runtime (port 3012)
  • Executed Alpine-based Kata containers for comparison tests
  • Created isolation test suite (dmesg, /proc, network, kernel modules)
  • Performed startup time and HTTP latency benchmarking
  • Added submission12.md with complete lab report covering all 4 tasks
  • Organized all artifacts under labs/lab12/ by category

Testing

Hardware virtualization enabled (16 cores with VT-x). Kata shim installed and operational (version 3.22.0). runc container (Juice Shop) health check returned HTTP 200. Kata containers running with isolated guest kernel (6.12.47 vs host 6.14.0-35-generic). Completed isolation tests for dmesg, /proc, network interfaces, and kernel modules. Performance benchmarks show Kata startup overhead of +1s (1.74s vs 0.73s) due to VM initialization. HTTP latency baseline for runc: 5.4ms avg. /proc visibility demonstrates isolation: Host 193 entries vs Kata VM 52. Kernel modules comparison shows reduced attack surface: Host 243 vs Kata 58.

Artifacts & Screenshots

  • labs/lab12/setup/kata-built-version.txt: Kata shim version 3.22.0
  • labs/lab12/kata/test1.txt: Successful Kata test with kernel 6.12.47
  • labs/lab12/runc/health.txt: Juice Shop HTTP 200 response
  • labs/lab12/kata/kernel.txt: Kata guest kernel version
  • labs/lab12/kata/cpu.txt: CPU model information
  • labs/lab12/analysis/kernel-comparison.txt: Host vs guest kernel comparison
  • labs/lab12/analysis/cpu-comparison.txt: CPU passthrough verification
  • labs/lab12/isolation/dmesg.txt: VM boot logs proving separate kernel
  • labs/lab12/isolation/proc.txt: Process namespace isolation (193 vs 52 entries)
  • labs/lab12/isolation/network.txt: Network interface isolation
  • labs/lab12/isolation/modules.txt: Kernel module comparison (243 vs 58)
  • labs/lab12/bench/startup.txt: Startup time comparison (runc 0.73s, Kata 1.74s)
  • labs/lab12/bench/http-latency.txt: HTTP latency summary (5.4ms avg)
  • labs/lab12/bench/curl-3012.txt: Raw latency measurements (50 samples)

Checklist

  • Clear title
  • Docs updated if needed
  • No secrets/large temp files
  • Task 1 — Kata install + runtime config
  • Task 2 — runc vs kata runtime comparison
  • Task 3 — Isolation tests
  • Task 4 — Basic performance snapshot
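One way to script the runc-vs-Kata isolation comparison described in this PR, added here as an example and not part of the PR's own lab artifacts. It assumes containerd's ctr CLI, an already pulled alpine image and the io.containerd.kata.v2 runtime name from the PR; the probe, function names and report format are this example's own.

```shell
#!/bin/sh
# Run the same isolation probe under runc and under Kata, then compare the
# two reports. A different guest kernel is the property Kata is meant to add.
set -eu

IMAGE="${IMAGE:-docker.io/library/alpine:latest}"

# Shell fragment executed inside the container; prints key=value lines.
# /proc/modules is what lsmod reads, so counting its lines avoids the
# busybox-vs-GNU lsmod header difference.
PROBE='
echo "kernel=$(uname -r)"
echo "proc_entries=$(ls /proc | wc -l)"
echo "modules=$(wc -l < /proc/modules)"
echo "ifaces=$(ls /sys/class/net | wc -l)"
if dmesg >/dev/null 2>&1; then echo "dmesg=readable"; else echo "dmesg=denied"; fi
'

# run_probe RUNTIME OUTFILE: execute PROBE under the given containerd runtime
# (hypothetical helper; ctr run syntax is IMAGE ID COMMAND...).
run_probe() {
  ctr run --rm --runtime "$1" "$IMAGE" "probe-$$" sh -c "$PROBE" > "$2"
}

# field KEY FILE: value of one key=value line in a report.
field() { sed -n "s/^$1=//p" "$2"; }

# compare RUNCFILE KATAFILE: print each metric side by side; succeed only if
# the Kata guest reports a kernel different from the runc (host) kernel.
compare() {
  for k in kernel proc_entries modules ifaces dmesg; do
    printf '%-13s runc=%-22s kata=%s\n' "$k" "$(field "$k" "$1")" "$(field "$k" "$2")"
  done
  [ "$(field kernel "$1")" != "$(field kernel "$2")" ]
}

# Uncomment on a host with containerd and Kata installed:
# run_probe io.containerd.runc.v2 runc.txt
# run_probe io.containerd.kata.v2 kata.txt
# compare runc.txt kata.txt && echo "guest kernel differs: VM isolation confirmed"
```

With the PR's numbers the comparison prints 193 vs 52 /proc entries and 243 vs 58 modules, and succeeds because 6.12.47 differs from the host's 6.14.0-35-generic.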
