Nothing wrong with a full VM, but I don't think it's a panacea (and you probably shouldn't guarantee security). You may have taken the UML comparison to heart: did you look at the KVM platform? I'm not clear on the distinctions you're making in that case -- a kernel escape would look a lot like a user-space VMM code execution vulnerability (which also sits on top of an exploitable kernel).
Well, I wasn’t arguing for a VM being a panacea, but in the context of not being satisfied with the Linux primitives for sandboxing, I think it is the next logical step up in security.
From my perspective this project seems like an intermediate jump between Linux containerization primitives and a full-blown VM, and I was wondering out loud who fits that use case?
Finally, I didn’t mention KVM, but my understanding of KVM is that its isolation primitive was the hardware virtualization instructions (or at least could be, I’m not sure if it has a PV mode or not).
I guess my question for you would be:
In what context would I want to use this over something like Kata containers?
KVM is the kernel interface for virtualization features, but the model created (i.e. the emulated hardware or lack thereof) is up to the user space component (normally QEMU). I think your understanding of KVM is tied with a specific implementation.
FWIW, I don't disagree that it's an intermediate step in some regards. The use cases follow (also from trade-offs discussed in the README). I can't speculate on a stranger's needs, it's great if Kata works for yours. I also think that approach is valuable (as an aside, I authored an experimental project with a similar approach years ago [1]).
Is there a comparison of Kata and gVisor based on how they act functionally rather than how they are implemented under-the-hood? Like the OP, I'm curious when you'd use this over Kata.
Not a direct comparison of these projects specifically but here is the write-up that was presented in the context of the Kubernetes SIG Node discussions about this topic: