docs(lab12): add lab12 - kata containers VM-backed sandboxing #614
Open
3llimi wants to merge 44 commits into inno-devops-labs:main from
Create pull_request_template.md
docs(lab1): OWASP Juice Shop deployment and security triage
docs(lab2): complete lab2 threat modeling with Threagile analysis
feat: Lab 3 - SSH commit signing and pre-commit secret scanning
docs: Lab4 submission - SBOM generation and SCA comparison
Main PR
docs: add lab5 submission - SAST/multi-approach DAST security analysis (Post Zap Fix)
docs: lab6 IaC security scanning
docs: add lab7 submission - container security analysis
docs(lab8): add lab8 submission - signing + attestations
docs(lab9): add lab9 - falco runtime + conftest policies
docs(lab10): lab10 - DefectDojo vulnerability management & metrics package
docs(lab11): add lab11 - nginx reverse proxy hardening
Goal
Install and configure Kata Containers as a VM-backed container runtime on WSL2 (Ubuntu 24.04 / KVM), run OWASP Juice Shop under runc and compare it against Kata isolation, execute isolation tests proving the VM boundary, and document performance trade-offs between the two runtimes.
Changes
- labs/submission12.md - full lab writeup covering all 4 tasks with commands, outputs, and analysis
- labs/lab12/setup/kata-built-version.txt - containerd-shim-kata-v2 --version output (Kata 3.28.0 runtime-rs)
- labs/lab12/runc/health.txt - HTTP 200 health check for juice-runc on port 3012
- labs/lab12/kata/test1.txt - uname -a inside Kata container (guest kernel 6.12.47)
- labs/lab12/kata/kernel.txt - uname -r inside Kata container
- labs/lab12/isolation/dmesg.txt - Kata VM boot log proving separate guest kernel
- labs/lab12/isolation/proc.txt - /proc entry counts (host: 119 vs Kata VM: 52)
- labs/lab12/isolation/network.txt - Kata VM dedicated virtual NIC (10.4.0.10/24)
- labs/lab12/isolation/modules.txt - kernel module counts (host: 114 vs Kata VM: 72)
- labs/lab12/bench/startup.txt - startup time comparison (runc: 1.148s, Kata: 2.664s)
- labs/lab12/bench/http-latency.txt - 50-request HTTP latency baseline (avg: 0.0030s)
- labs/lab12/analysis/kernel-comparison.txt - host vs guest kernel versions
- labs/lab12/analysis/cpu-comparison.txt - real i5-12450H vs virtualized Intel Xeon
Testing
- egrep -c '(vmx|svm)' /proc/cpuinfo -> 24, /dev/kvm present
- containerd-shim-kata-v2 --version -> 3.28.0 (runtime-rs / Rust)
- sudo nerdctl run --rm --runtime io.containerd.kata.v2 alpine:3.19 uname -r -> 6.12.47
- curl http://localhost:3012 -> HTTP 200
- time for both runtimes
Artifacts & Screenshots
- labs/lab12/setup/kata-built-version.txt - shim version evidence
- labs/lab12/kata/test1.txt - Kata container running with guest kernel 6.12.47
- labs/lab12/isolation/dmesg.txt - VM boot log proving kernel isolation
- labs/lab12/bench/startup.txt - runc vs Kata startup time comparison
- labs/lab12/bench/http-latency.txt - HTTP latency results for juice-runc

WSL2-specific note: the default Kata QEMU config requires vhost_vsock, which the Microsoft WSL2 kernel does not include. Resolved by switching to runtime-rs + the Dragonball hypervisor (configuration-dragonball.toml), which uses virtio-mmio and is fully compatible with WSL2 KVM.
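The isolation test and startup timing described under Changes and Testing, as one added example script that is not part of the PR or the lab repository. It assumes nerdctl run via sudo, the alpine:3.19 image, and the containerd runtime names io.containerd.runc.v2 and io.containerd.kata.v2; the live run is only started when RUN_LIVE=1 is set.

```shell
#!/bin/sh
# Added example, not part of the PR: collect kernel release, /proc entry count and
# loaded-module count on the host and inside the same image under runc and under Kata,
# judge whether each container runs a separate guest kernel (the VM boundary), and
# time one cold start per runtime. Assumes nerdctl via sudo and the names below.
set -eu
IMAGE="${IMAGE:-alpine:3.19}"
RUNC_RUNTIME="${RUNC_RUNTIME:-io.containerd.runc.v2}"
KATA_RUNTIME="${KATA_RUNTIME:-io.containerd.kata.v2}"

# Shell fragment that prints facts as key=value lines wherever it runs.
FACTS='echo kernel=$(uname -r); echo proc=$(ls /proc | wc -l); echo modules=$(grep -c . /proc/modules)'
collect_host() { sh -c "$FACTS"; }
collect_in() { sudo nerdctl run --rm --runtime "$1" "$IMAGE" sh -c "$FACTS"; }  # $1 = runtime

# Read one key from a facts blob, e.g. fact "$blob" kernel
fact() { printf '%s\n' "$1" | sed -n "s/^$2=//p"; }

# A kernel release different from the host's means a guest kernel is running (VM boundary);
# the same release means the container shares the host kernel (namespaces only).
verdict() {  # $1 = host facts, $2 = container facts
  hk=$(fact "$1" kernel); ck=$(fact "$2" kernel)
  if [ -z "$ck" ]; then echo unknown
  elif [ "$hk" != "$ck" ]; then echo vm-isolated
  else echo shared-kernel; fi
}

# Wall-clock seconds for one cold container start under a runtime (GNU date + awk).
start_seconds() {
  t0=$(date +%s.%N)
  sudo nerdctl run --rm --runtime "$1" "$IMAGE" true >/dev/null
  t1=$(date +%s.%N)
  awk -v a="$t0" -v b="$t1" 'BEGIN { printf "%.3f", b - a }'
}

report() {  # $1 = label, $2 = host facts, $3 = container facts
  printf '%-5s kernel=%s proc=%s modules=%s -> %s\n' "$1" \
    "$(fact "$3" kernel)" "$(fact "$3" proc)" "$(fact "$3" modules)" "$(verdict "$2" "$3")"
}

main() {
  host=$(collect_host)
  report host "$host" "$host"   # host against itself: shared-kernel by construction
  report runc "$host" "$(collect_in "$RUNC_RUNTIME")"
  report kata "$host" "$(collect_in "$KATA_RUNTIME")"
  printf 'startup runc=%ss kata=%ss\n' "$(start_seconds "$RUNC_RUNTIME")" "$(start_seconds "$KATA_RUNTIME")"
}

# Live run only when requested, so the functions stay usable offline.
if [ "${RUN_LIVE:-0}" = 1 ]; then main; fi
```

Under runc the report line should show the host kernel release and verdict shared-kernel; under Kata it should show the guest release (6.12.47 in the PR's run) and vm-isolated, with clearly smaller proc and modules counts.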