Moving to unikernel [0] is the best way to get strong isolation and high performance

[0] - https://unikraft.org

Absolutely, that reduces your surface area more than anything else, but at an enormous cost to ergonomics.

Some of us are still fighting for Docker images to not include a vim install ("but it's so handy!"), and here we've got madlads building their app as its own bootable machine image.

It’s not the best way to get low per-privilege domain overhead and fungible resource allocation. You’re ultimately limited by your hypervisor on those fronts. gVisor containers are ultimately a few Linux processes and mostly behave like one from a CPU and memory allocation perspective.

The last solution I looked at to do something like this was using tap/tun devices for networking. How does Unikraft handle network isolation and virtualization?

From my limited understanding, it has the same isolation advantages as a VM, and therefore it's as strong as the hypervisor you use.

So does Unikraft contain a "driver" for virtio networking?

It relies on your hypervisor and/or network hardware to provide that. In an ideal circumstance (e.g. running on a multiqueue NIC with VFIO or virtio acceleration), your VM can talk directly to the network hardware. Major clouds will provide something morally equivalent via their newer network interfaces (gVNIC etc.).

Not really, it's just attack surface reduction.

These people definitely do not understand security at all:

https://github.com/unikraft/unikraft/issues/414

Also, one needs to be careful because many of the workloads they advertise on their site do not actually run under their kernel; they run under Linux, which breaks a completely different type of trust barrier.

As for trust/full disclosure: I'm with nanovms.com.

They acknowledged the issue and the fix was merged in 2022. What exactly is the criticism here?

No, it wasn't; you can still easily replicate it. I just did.

My point is that you shouldn't go around talking about how "secure" you are when you have large gaping things like this. This, by the way, is not the only major security issue they have.

Big fan of NanoVMs! I should have linked that instead, sorry.