Re: [9fans] gVisor - user space kernel in Go

9fans - fans of the OS Plan 9 from Bell Labs
 help / color / mirror / Atom feed

From: Bakul Shah <bakul@bitblocks.com>
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Subject: Re: [9fans] gVisor - user space kernel in Go
Date: Thu,  3 May 2018 14:26:32 -0700	[thread overview]
Message-ID: <20180503212639.3A801156E510@mail.bitblocks.com> (raw)
In-Reply-To: Your message of "Wed, 02 May 2018 19:19:43 -0000." <CAJSxfmKhMAHOA4o=Wb6D-ra19ujDgXE0wWqP3BRTrPJiCsQs1g@mail.gmail.com>

On Wed, 02 May 2018 19:19:43 -0000 Skip Tavakkolian <skip.tavakkolian@gmail.com> wrote:
> 
> Just saw this today; might be of interest to some 9fans. Apache open source
> from Google:
> 
> https://github.com/google/gvisor

Unix emulation on microkernels looks a bit like this.

Quick comparison:

jails   each jail has its own kernel context.  The host kernel
	needs support for this. Apps run unchanged.

	containers & zones are variations on this.

VMs	a proxy emulates a processor and assorted IO devices.
	very fast if the host and guest instruction sets are
	very similar. The host doesn't know about emulation
	or care. Apps run unchanged.

gvisor  a proxy emulates an OS API by intercepting all
	syscalls.  Very few host facilities are needed.
	Apps may have to be linked with the right library.

In a capabilities based system you don't need most of this and
can still achieve better security and isolation.  What a
process can access is constrained by the capabilities it holds
or can gain via calls on existing caps. API interception as
with gvisor can be done naturally: a process would be given
proxy caps to start with.

plan9 more or less used file descriptors in this fashion.  It
also provided better higher level composition by attempting to
cast many things as files/dirs/filesystems.  Even here I think
a cap system can be used to build better &/or more convenient
abstractions.

     prev parent reply	other threads:[~2018-05-03 21:26 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-02 19:19 Skip Tavakkolian
2018-05-03 11:41 ` yy
2018-05-03 16:01   ` hiro
2018-05-03 17:55     ` Aram Hăvărneanu
2018-05-03 18:55       ` Skip Tavakkolian
2018-05-03 21:26 ` Bakul Shah [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180503212639.3A801156E510@mail.bitblocks.com \
    --to=bakul@bitblocks.com \
    --cc=9fans@9fans.net \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).