From: Bakul Shah <bakul@bitblocks.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] gVisor - user space kernel in Go
Date: Thu, 3 May 2018 14:26:32 -0700 [thread overview]
Message-ID: <20180503212639.3A801156E510@mail.bitblocks.com> (raw)
In-Reply-To: Your message of "Wed, 02 May 2018 19:19:43 -0000." <CAJSxfmKhMAHOA4o=Wb6D-ra19ujDgXE0wWqP3BRTrPJiCsQs1g@mail.gmail.com>
On Wed, 02 May 2018 19:19:43 -0000 Skip Tavakkolian <skip.tavakkolian@gmail.com> wrote:
>
> Just saw this today; might be of interest to some 9fans. Apache open source
> from Google:
>
> https://github.com/google/gvisor
Unix emulation on microkernels looks a bit like this.
Quick comparison:
  jails    each jail has its own kernel context. The host kernel
           needs support for this. Apps run unchanged.
           containers & zones are variations on this.

  VMs      a proxy emulates a processor and assorted IO devices.
           very fast if the host and guest instruction sets are
           very similar. The host doesn't know about emulation
           or care. Apps run unchanged.

  gvisor   a proxy emulates an OS API by intercepting all
           syscalls. Very few host facilities are needed.
           Apps may have to be linked with the right library.
In a capabilities based system you don't need most of this and
can still achieve better security and isolation. What a
process can access is constrained by the capabilities it holds
or can gain via calls on existing caps. API interception as
with gvisor can be done naturally: a process would be given
proxy caps to start with.
plan9 more or less used file descriptors in this fashion. It
also provided better higher level composition by attempting to
cast many things as files/dirs/filesystems. Even here I think
a cap system can be used to build better &/or more convenient
abstractions.
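The capability model sketched above (a process holds caps, can derive narrower ones from them, and can reach nothing it was not handed) as an added Go example; it is not code from this mail or from gVisor, and the DirCap type, its methods and the /sandbox path are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrDenied: the holder's capability does not authorize the requested access.
var ErrDenied = errors.New("capability does not authorize this access")

// DirCap is an unforgeable handle to a directory subtree. Authority travels
// with the handle: a holder can only name files beneath root, with these rights.
type DirCap struct {
	root  string
	write bool
}

// NewRootCap is what the supervising proxy hands a process when it starts.
func NewRootCap(root string, write bool) *DirCap {
	return &DirCap{root: path.Clean(root), write: write}
}

// CanWrite reports the rights carried by this capability.
func (c *DirCap) CanWrite() bool { return c.write }

// resolve maps a relative name under root and refuses any escape from the subtree.
func (c *DirCap) resolve(rel string) (string, error) {
	if path.IsAbs(rel) {
		return "", ErrDenied // no ambient authority: absolute names mean nothing here
	}
	p := path.Join(c.root, rel) // Join also collapses ".." components
	prefix := strings.TrimSuffix(c.root, "/") + "/"
	if p != c.root && !strings.HasPrefix(p, prefix) {
		return "", ErrDenied
	}
	return p, nil
}

// Subdir derives an attenuated capability: a narrower subtree, never more rights.
func (c *DirCap) Subdir(rel string, write bool) (*DirCap, error) {
	p, err := c.resolve(rel)
	if err != nil {
		return nil, err
	}
	return &DirCap{root: p, write: write && c.write}, nil
}

// Open checks rights and resolves the path; a real proxy would then open it on the host.
func (c *DirCap) Open(rel string, forWrite bool) (string, error) {
	if forWrite && !c.write {
		return "", ErrDenied
	}
	return c.resolve(rel)
}

func main() {
	root := NewRootCap("/sandbox", true)
	logs, _ := root.Subdir("data", false) // read-only view of one subtree
	fmt.Println(logs.Open("log.txt", false))
	fmt.Println(logs.Open("../../etc/passwd", false))
}
```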