krata
krata is an isolation engine built for securing workloads
Some images need PaX markings in order to run in an OpenPaX environment, because they do certain memory-unsafe operations that we want to prevent by default, such as executing previously-writable...
At the moment, when CPU power management is unavailable, we are presented with a vague log message:
```
[2024-08-13T08:47:46Z INFO kratart::power] non-fatal error while setting scheduler policy: Kernel(EINVAL)
```
We...
This change introduces custom process spawning logic around libc::posix_spawn/p, as well as a custom set of stdio wrappers using the Tokio AsyncRead/AsyncWrite traits. Currently stdio is not working, though through...
`kmod` crate which provides bindings to `libkmod`: https://docs.rs/kmod/latest/kmod/ We should have kratad try to load all of the xen modules at startup if they are missing and the devices they...
SUID binaries can be used to escalate privilege (in fact that is the entire point of them) in unexpected ways, so it would be nice to optionally support mounting a...
Currently, krata does not define what happens when an OOM situation, general resource starvation, or even kernel panics occur. We should have a clearly defined system for determining this state, and...
There are multiple branches already associated with filesystem mounts, but this issue is to track the official implementation that is performant and secure. Prior art is https://github.com/azenla/krata/tree/mount and https://github.com/azenla/krata/tree/sandbox, however...
In conjunction with #273, this would greatly improve the UX of troubleshooting workloads and Krata itself.
`kratactl logs` should have an `--output ` flag to save the output without the need for shell piping.
This should cover logs and metrics. Some sources (e.g. syslog) should be automatic. Daemon should also use this for its own o11y as well as zones/etc. Everything should be tagged...