Edera Adds Rust Library to Run Container Images on Hardened Runtime Faster
Edera this week revealed at the KubeCon + CloudNativeCon Europe conference that it has developed a Rust library, dubbed ocirender, that assembles container images based on the Open Container Image (OCI) format and converts them into squashfs, tar, or directory output formats that can be run faster in memory.
In addition, the company revealed that the hardened runtime it developed to run on Xen virtual machines will later this year be made available on Kernel-based virtual machines (KVMs).
At its core, Edera provides a primitive, known as a zone, that creates a single-tenant execution environment with its own kernel, address space, device namespace, and lifecycle. That approach prevents the shared-kernel failure modes that make multi-tenant container environments challenging to secure.
The difference between KVM and Xen is that the latter centralizes enforcement in the hypervisor itself. In contrast, KVM integrates virtualization into the Linux kernel, which means memory management is handled by the host kernel.
Edera CTO Alex Zenla said that means Edera can’t delegate enforcement to the substrate the same way it does on Xen. Instead, the Edera platform will assume responsibility for memory management, he added.
At the same time, Edera has also delved deeper into how OCI images are rendered. The ocirender library it has developed processes OCI image layers in reverse order using an in-memory overlay merge engine, which eliminates intermediate extraction to disk by streaming file data directly from compressed layer blobs to the output sink.
The library assembles a single squashfs image from the full set of OCI layers at pull time, then mounts it read-only as the base of the workload’s filesystem. A thin writable overlayfs layer on top lets the workload write to its filesystem without ever modifying the underlying squashfs.
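As an added example (not Edera's ocirender code, and not a description of its internals), the following Python models the reverse-order, in-memory layer merge the article describes: layers are walked from the top down, the first layer to claim a path wins, and the whiteout markers defined by the OCI image spec hide entries in the layers below. The sample layers are constructed, and the helper names are hypothetical.

```python
import io
import tarfile

# OCI image-spec whiteout markers (spec conventions, not Edera-specific).
WHITEOUT_PREFIX = ".wh."
OPAQUE_WHITEOUT = ".wh..wh..opq"


def build_layer(entries):
    """Constructed helper: pack (path, bytes) pairs into an uncompressed tar.
    A path ending in '/' becomes a directory entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for path, data in entries:
            info = tarfile.TarInfo(path.rstrip("/"))
            if path.endswith("/"):
                info.type = tarfile.DIRTYPE
                tf.addfile(info)
            else:
                info.size = len(data)
                tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _ancestors(path):
    """Yield each parent of path, nearest first, ending with '' for the root."""
    while path:
        path = path.rpartition("/")[0]
        yield path


def merge_layers_reverse(layer_blobs):
    """Merge OCI layers top-down. layer_blobs is in manifest order (base first).

    The first layer to claim a path wins, so lower copies are never extracted.
    Whiteouts and opaque markers found in a layer hide matching entries in the
    layers *below* it only, so they take effect after that layer is finished.
    Returns ({path: bytes, or None for a directory}, number of entries skipped).
    """
    merged = {}
    hidden = set()    # paths (and their subtrees) deleted by a higher layer
    opaque = set()    # directories whose lower-layer contents are hidden
    skipped = 0

    def is_hidden(path):
        return path in hidden or any(a in hidden or a in opaque for a in _ancestors(path))

    for blob in reversed(layer_blobs):
        layer_hidden, layer_opaque = set(), set()
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tf:
            for m in tf:
                parent, _, base = m.name.rpartition("/")
                if base == OPAQUE_WHITEOUT:
                    layer_opaque.add(parent)
                    continue
                if base.startswith(WHITEOUT_PREFIX):
                    target = base[len(WHITEOUT_PREFIX):]
                    layer_hidden.add(f"{parent}/{target}" if parent else target)
                    continue
                if m.name in merged or is_hidden(m.name):
                    skipped += 1  # a higher layer already owns or deleted this path
                    continue
                merged[m.name] = tf.extractfile(m).read() if m.isfile() else None
        hidden |= layer_hidden
        opaque |= layer_opaque
    return merged, skipped


# Constructed sample layers in manifest order (base layer first).
SAMPLE_LAYERS = [
    build_layer([("etc/", b""), ("etc/passwd", b"root:x:0:0\n"),
                 ("usr/bin/tool", b"v1"),
                 ("tmp/", b""), ("tmp/junk", b"old"),
                 ("cache/", b""), ("cache/stale", b"stale")]),
    build_layer([("usr/bin/tool", b"v2"),
                 ("tmp/.wh.junk", b""),          # deletes tmp/junk from the base
                 ("tmp/fresh", b"new"),
                 ("cache/.wh..wh..opq", b""),    # hides everything under cache/ below
                 ("cache/keep", b"keep")]),
    build_layer([("usr/bin/tool", b"v3"), ("app/config", b"prod")]),
]


def render_sample():
    return merge_layers_reverse(SAMPLE_LAYERS)


if __name__ == "__main__":
    fs, skipped = render_sample()
    for path in sorted(fs):
        print(path, fs[path])
    print("skipped lower-layer entries:", skipped)
```

Walking top-down is what makes the single pass cheap: the two older copies of usr/bin/tool and the whited-out files are recognised from their headers alone and never decompressed, which is exactly the intermediate extraction a streaming renderer avoids. Parent directories are left implicit here; a real renderer would create them in the output sink.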
The library also adds a CanonicalTarHeader, which pairs each USTAR header with the PAX extended-header key-value pairs generated by a pax utility. The library is designed to always prefer the PAX value, however, when processing any extended metadata.
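To make the USTAR/PAX pairing concrete, here is an added example (not ocirender's code) that builds a PAX-format tar with a path longer than the 100-byte ustar name field, then parses the raw 512-byte headers, verifies each header checksum, and folds every PAX extended header into a hypothetical CanonicalHeader that prefers the PAX value over the ustar field. The sample path and data are constructed.

```python
import io
import tarfile
from dataclasses import dataclass, field

BLOCK = 512


@dataclass
class CanonicalHeader:
    """Hypothetical stand-in for ocirender's CanonicalTarHeader: raw ustar
    fields plus the PAX records of the 'x' header that preceded the entry."""
    ustar_name: str
    ustar_prefix: str
    ustar_size: int
    typeflag: str
    pax: dict = field(default_factory=dict)

    @property
    def path(self):
        # The PAX 'path' record wins over the (possibly truncated) ustar fields.
        if "path" in self.pax:
            return self.pax["path"]
        return f"{self.ustar_prefix}/{self.ustar_name}" if self.ustar_prefix else self.ustar_name

    @property
    def size(self):
        return int(self.pax["size"]) if "size" in self.pax else self.ustar_size


def _octal(raw):
    text = raw.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0


def _cstr(raw):
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_pax_records(data):
    """Parse '<len> <key>=<value>\\n' records into a dict (values are UTF-8)."""
    records, pos = {}, 0
    while pos < len(data):
        space = data.index(b" ", pos)
        length = int(data[pos:space])
        key, _, value = data[space + 1:pos + length - 1].partition(b"=")
        records[key.decode()] = value.decode("utf-8")
        pos += length
    return records


def parse_headers(blob):
    """Walk 512-byte blocks, verify each header checksum, and attach each 'x'
    PAX header to the entry that follows it. Returns a list of CanonicalHeader."""
    entries, pending_pax, pos = [], {}, 0
    while pos + BLOCK <= len(blob):
        block = blob[pos:pos + BLOCK]
        pos += BLOCK
        if block == b"\0" * BLOCK:
            break  # end-of-archive marker
        # The checksum is the byte sum of the header with the checksum field read as 8 spaces.
        if _octal(block[148:156]) != sum(block[:148]) + 8 * 0x20 + sum(block[156:]):
            raise ValueError(f"bad header checksum at offset {pos - BLOCK}")
        typeflag = chr(block[156])
        size = _octal(block[124:136])
        if typeflag not in "xg" and "size" in pending_pax:
            size = int(pending_pax["size"])  # ustar size is 0 when PAX carries the real size
        data = blob[pos:pos + size]
        pos += (size + BLOCK - 1) // BLOCK * BLOCK
        if typeflag == "x":
            pending_pax = parse_pax_records(data)
            continue
        if typeflag == "g":
            continue  # global PAX header: not needed for this demonstration
        entries.append(CanonicalHeader(_cstr(block[0:100]), _cstr(block[345:500]),
                                       _octal(block[124:136]), typeflag, pending_pax))
        pending_pax = {}
    return entries


# Constructed sample: a path well beyond the 100-byte ustar name field.
SAMPLE_PATH = "usr/lib/" + "a" * 60 + "/" + "b" * 50 + "/binary"
SAMPLE_DATA = b"hello"


def build_sample_tar():
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        info = tarfile.TarInfo(SAMPLE_PATH)
        info.size = len(SAMPLE_DATA)
        tf.addfile(info, io.BytesIO(SAMPLE_DATA))
    return buf.getvalue()


def parse_sample():
    return parse_headers(build_sample_tar())


if __name__ == "__main__":
    for h in parse_sample():
        print("ustar name :", h.ustar_name)
        print("pax path   :", h.pax.get("path"))
        print("canonical  :", h.path, "size", h.size)
```

Two details matter for a renderer that streams straight from layer blobs: the checksum check rejects a corrupted or truncated header before any data is consumed, and the PAX size record has to be consulted before deciding how many data blocks to skip, since the ustar size field cannot represent large files.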
In tests shared by Edera spanning five graphical processor unit (GPU) and machine learning (ML) workloads tested on a 10GbE LAN-local registry, ocirender pulled images on average 31% faster than Docker despite performing additional CPU work to create a compressed squashfs image.
Ultimately, the Edera platform provides an agnostic runtime environment that can continue to be extended to other classes of processors and artificial intelligence (AI) accelerators, noted Zenla. The primary goal is to isolate workloads in a way that eliminates the root causes of privilege escalation, lateral movement, and data exfiltration because the host is sheltered from vulnerable system calls and kernel-level attack paths.
Each IT team will need to determine how best to employ a hardened runtime environment, but as the volume of cyberattacks launched in the age of artificial intelligence (AI) continues to grow, isolating workloads as much as possible has become a more pressing concern than ever. The challenge, as always, is achieving that goal without adding layers of management overhead that take too much time and effort to maintain.