Support Firecracker #71
Comments
|
@jackevans43 Firecracker is very focused on serverless use-cases, while that might be something we could support in the future on the operator (with QEMU), it is not our only use-case. In our case, we are using a minimal version of QEMU, which covers most of the use-cases. I would like to point out that both Firecracker and QEMU are meant to isolate via virtualization. In fact, Firecracker might suffer in-terms of networking performance (e.g., does not use vhost networking), it also only supports block storage and lacks support for host-guest file-sharing which is crucial to the functionality of Kubernetes / OpenShift [1][2]. With this operator, we are only supporting QEMU as the VMM atm. [1] kata-containers/runtime#1071 |
Previous discussed elsewhere, @fidencio suggested raising an issue here.
Can/should the OpenShift implementation of Kata containers support Firecracker? AWS trust Firecracker to isolate lambda functions from different users running on the same physical machine - that is an exceptionally high security bar. QEMU is great, but I'd argue Firecracker provides a higher level of isolation due to not being a general purpose implementation and being focused on simplicity and security, uses Rust etc.
Why would you want the option of a higher level of isolation?
The text was updated successfully, but these errors were encountered: