Open Source Summit + ELC North America 2020

Container runtimes have been using virtualization as a way of improving isolation (e.g., Kata containers). And in order to make them feel like regular containers, the community has been trying to slim down their virtual machine (VM) monitors (e.g., Firecracker). In this talk we describe what happens when you slim down to the extreme: no monitor at all.

We implemented a Linux virtual machine that runs as a single unprivileged user-level process on top of only 11 syscalls. We achieve isolation equivalent to virtual machines, without using a monitor, by restricting the VM process to only these 11 system calls using seccomp (on already open file descriptors). The system was built on top of a combination of two well known Linux features: user mode linux (UML) and no-MMU support (used for embedded devices) both in the kernel and in userspace (musl and busybox).

Our initial experiments show that this Linux VM is capable of running multiple unmodified binaries from Alpine (like python, nginx, redis), and can boot in 6 milliseconds (to our knowledge, this is the fastest); albeit with some limitations: PIE executables only, and no forks (processes are emulated using vforks).