Awesome
libkrun
libkrun
is a dynamic library that allows programs to easily acquire the ability to run processes in a partially isolated environment using KVM Virtualization on Linux and HVF on macOS/ARM64.
It integrates a VMM (Virtual Machine Monitor, the userspace side of an Hypervisor) with the minimum amount of emulated devices required to its purpose, abstracting most of the complexity that comes from Virtual Machine management, offering users a simple C API.
Use cases
- crun: Adding Virtualization-based isolation to container and confidential workloads.
- kunkit: Running GPU-enabled (via venus) lightweight VMs on macOS.
- muvm: Launching a microVM with GPU acceleration (via native context) for running games that require 4k pages.
Goals and non-goals
Goals
- Enable other projects to easily gain KVM-based process isolation capabilities.
- Be self-sufficient (no need for calling to an external VMM) and very simple to use.
- Be as small as possible, implementing only the features required to achieve its goals.
- Have the smallest possible footprint in every aspect (RAM consumption, CPU usage and boot time).
- Be compatible with a reasonable amount of workloads.
Non-goals
- Become a generic VMM.
- Be compatible with all kinds of workloads.
Variants
This project provides two different variants of the library:
- libkrun: Generic variant compatible with all Virtualization-capable systems.
- libkrun-sev: Variant including support for AMD SEV (SEV, SEV-ES and SEV-SNP) memory encryption and remote attestation. Requires an SEV-capable CPU.
- libkrun-efi: Variant that bundles OVMF/EDK2 for booting a distribution-provided kernel (only available on macOS).
Each variant generates a dynamic library with a different name (and soname
), so both can be installed at the same time in the same system.
Virtio device support
All variants
- virtio-console
- virtio-block
- virtio-fs
- virtio-gpu (venus and native-context)
- virtio-net
- virtio-vsock (for TSI and socket redirection)
- virtio-balloon (only free-page reporting)
- virtio-rng
- virtio-snd
Networking
In libkrun
, networking is provided by two different, mutually exclusive techniques:
-
virtio-vsock + TSI: A novel technique called Transparent Socket Impersonation which allows the VM to have network connectivity without a virtual interface. This technique supports both outgoing and incoming connections. It's possible for userspace applications running in the VM to transparently connect to endpoints outside the VM and receive connections from the outside to ports listening inside the VM. Requires a custom kernel (like the one bundled in libkrunfw) and it's limited to AF_INET SOCK_DGRAM and SOCK_STREAM sockets.
-
virtio-net + passt/gvproxy: A conventional virtual interface that allows the guest to communicate with the outside through the VMM using a supporting application like passt or gvproxy.
Building and installing
Linux (generic variant)
Requirements
- libkrunfw
- A working Rust toolchain
- C Library static libraries, as the init binary is statically linked (package
glibc-static
in Fedora) - patchelf
Optional features
- GPU=1: Enables virtio-gpu. Requires virglrenderer-devel.
- VIRGL_RESOURCE_MAP2=1: Uses virgl_resource_map2 function. Requires a virglrenderer-devel patched with 1374
- BLK=1: Enables virtio-block.
- NET=1: Enables virtio-net.
- SND=1: Enables virtio-snd.
Compiling
make [FEATURE_OPTIONS]
Installing
sudo make [FEATURE_OPTIONS] install
Linux (SEV variant)
Requirements
- The SEV variant of libkrunfw, which provides a
libkrunfw-sev.so
library. - A working Rust toolchain
- C Library static libraries, as the init binary is statically linked (package
glibc-static
in Fedora) - patchelf
- OpenSSL headers and libraries (package
openssl-devel
in Fedora).
Compiling
make SEV=1
Installing
sudo make SEV=1 install
macOS (EFI variant)
Requirements
- A working Rust toolchain
Compiling
make EFI=1
Installing
sudo make EFI=1 install
Using the library
Despite being written in Rust, this library provides a simple C API defined in include/libkrun.h
Examples
chroot_vm
This is a simple example providing chroot
-like functionality using libkrun
.
Building chroot_vm
cd examples
make
Running chroot_vm
To be able to chroot_vm
, you need first a directory to act as the root filesystem for your isolated program.
Use the rootfs
target to get a rootfs prepared from the Fedora container image (note: you must have podman installed):
make rootfs
Now you can use chroot_vm
to run a process within this new root filesystem:
./chroot_vm ./rootfs_fedora /bin/sh
If the libkrun
and/or libkrunfw
libraries were installed on a path that's not included in your /etc/ld.so.conf
configuration, you may get an error like this one:
./chroot_vm: error while loading shared libraries: libkrun.so: cannot open shared object file: No such file or directory
To avoid this problem, use the LD_LIBRARY_PATH
environment variable to point to the location where the libraries were installed. For example, if the libraries were installed in /usr/local/lib64
, use something like this:
LD_LIBRARY_PATH=/usr/local/lib64 ./chroot_vm rootfs/ /bin/sh
Status
libkrun
has achieved maturity and starting version 1.0.0
the public API is guaranteed to be stable, following SemVer.
Getting in contact
The main communication channel is the libkrun Matrix channel.
Acknowledgments
libkrun
incorporates code from Firecracker, rust-vmm and Cloud-Hypervisor.