LinuxCommandLibrary

krunvm

Run OCI images as microVMs

TLDR

Create a micro-VM based on Fedora
$ krunvm create [docker.io/fedora] --cpus [number_of_vcpus] --mem [memory_in_megabytes] --name "[name]"

Start a specific image
$ krunvm start "[image_name]"

List images
$ krunvm list

Change a specific image
$ krunvm changevm --cpus [number_of_vcpus] --mem [memory_in_megabytes] --name "[new_vm_name]" "[current_vm_name]"

Delete a specific image
$ krunvm delete "[image_name]"
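The five TLDR commands above form one lifecycle (create, start, change, list, delete). The script below is an added example, not part of the krunvm project, that wraps those exact command forms in small shell functions. Each numeric limit and each name or image reference is validated before krunvm is called, so a typo cannot quietly produce a VM with a different CPU or memory budget or pass stray characters through to the CLI. The function names (vm_create, vm_start, vm_changevm, vm_list, vm_delete, run_cmd) and the KRUNVM_DRY_RUN variable are assumptions of this example; with KRUNVM_DRY_RUN=1, or whenever krunvm is not on PATH, the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example (not krunvm's own code): validated wrapper around the
# create / start / changevm / list / delete forms shown in the TLDR.
set -eu

# is_uint VALUE: true only for a positive decimal integer without a leading
# zero, e.g. "2" or "1024"; rejects "", "0", "2x", "1.5".
is_uint() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# is_safe_ref VALUE: conservative character set for VM names and image
# references (letters, digits, . _ - / : @), so nothing shell-significant
# or whitespace reaches the krunvm command line.
is_safe_ref() {
    case "$1" in
        ''|*[!A-Za-z0-9_./:@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_cmd CMD ARGS...: execute, or echo the command when dry-running.
run_cmd() {
    if [ "${KRUNVM_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# vm_create IMAGE CPUS MEM_MB NAME  ->  krunvm create IMAGE --cpus N --mem M --name NAME
vm_create() {
    is_safe_ref "$1" || { echo "bad image reference: $1" >&2; return 1; }
    is_uint "$2"     || { echo "--cpus must be a positive integer: $2" >&2; return 1; }
    is_uint "$3"     || { echo "--mem must be a positive integer (megabytes): $3" >&2; return 1; }
    is_safe_ref "$4" || { echo "bad VM name: $4" >&2; return 1; }
    run_cmd krunvm create "$1" --cpus "$2" --mem "$3" --name "$4"
}

# vm_changevm CURRENT_NAME CPUS MEM_MB NEW_NAME
#   ->  krunvm changevm --cpus N --mem M --name NEW_NAME CURRENT_NAME
vm_changevm() {
    is_safe_ref "$1" || { echo "bad VM name: $1" >&2; return 1; }
    is_uint "$2"     || { echo "--cpus must be a positive integer: $2" >&2; return 1; }
    is_uint "$3"     || { echo "--mem must be a positive integer (megabytes): $3" >&2; return 1; }
    is_safe_ref "$4" || { echo "bad new VM name: $4" >&2; return 1; }
    run_cmd krunvm changevm --cpus "$2" --mem "$3" --name "$4" "$1"
}

# vm_start NAME / vm_delete NAME / vm_list
vm_start() {
    is_safe_ref "$1" || { echo "bad VM name: $1" >&2; return 1; }
    run_cmd krunvm start "$1"
}
vm_delete() {
    is_safe_ref "$1" || { echo "bad VM name: $1" >&2; return 1; }
    run_cmd krunvm delete "$1"
}
vm_list() {
    run_cmd krunvm list
}

# Fall back to dry-run when krunvm is not installed on this host.
command -v krunvm >/dev/null 2>&1 || KRUNVM_DRY_RUN=1
export KRUNVM_DRY_RUN

# demo_lifecycle: the TLDR sequence with a small, explicit resource budget.
# vm_start is left out because it attaches to the VM interactively.
demo_lifecycle() {
    vm_create docker.io/fedora 2 1024 fedora-sandbox
    vm_changevm fedora-sandbox 1 512 fedora-small
    vm_list
    vm_delete fedora-small
}

# Run the demo only when invoked as:  sh krunvm-wrapper.sh demo
if [ "${1:-}" = "demo" ]; then
    demo_lifecycle
fi
```

Running the script with the `demo` argument on a host without krunvm prints the four command lines that would be executed; with krunvm installed it creates, resizes, lists and deletes the VM for real. Keeping memory in whole megabytes and CPUs as a plain integer mirrors the TLDR placeholders `[memory_in_megabytes]` and `[number_of_vcpus]`.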

SYNOPSIS

krunvm [GLOBAL_OPTIONS] [SUBCOMMAND_OPTIONS] [ARGUMENTS]

Common Subcommands:
krunvm run [OPTIONS] <IMAGE_REFERENCE> [COMMAND] [ARGUMENTS]
krunvm create [OPTIONS] <CONTAINER_ID> <BUNDLE_PATH>
krunvm start <CONTAINER_ID>
krunvm delete <CONTAINER_ID>
krunvm ps
krunvm info

PARAMETERS

--help
    Display help information for krunvm or a specific subcommand.

--version
    Display the krunvm version.

--log-level <LEVEL>
    Set the logging level (e.g., debug, info, warn, error).

--root <PATH>
    Specify the root directory for krunvm state (default: /var/lib/krunvm).

--config <PATH>
    Specify a custom configuration file for krunvm.

--net <MODE>
    Configure networking for the micro-VM (e.g., none, bridge, tap). Specific modes may require additional arguments.

--memory <SIZE>
    Set the amount of memory allocated to the micro-VM (e.g., 256M, 1G).

--cpus <COUNT>
    Set the number of virtual CPUs allocated to the micro-VM.

--kernel <PATH>
    Specify the path to the kernel image to use for the micro-VM. Defaults to a bundled krun-kernel.

--disk <PATH>
    Attach a disk image to the micro-VM, specified by path.

--publish <HOST_PORT:CONTAINER_PORT>
    Publish a container port to a host port (e.g., 8080:80).

DESCRIPTION

krunvm is a command-line interface tool that enables running OCI (Open Container Initiative)-compatible container images as lightweight, isolated micro-VMs. It is a key component of the krun project, which aims to provide a secure and fast execution environment for containers by leveraging modern virtualization technologies like Firecracker or Cloud Hypervisor.

Unlike traditional container runtimes that share the host kernel, krunvm provides strong isolation by encapsulating each container within its own minimal virtual machine, drastically reducing the attack surface. This approach combines the security benefits of full virtualization with the efficiency and rapid boot times expected from containers. krunvm acts as a containerd shim, allowing seamless integration into container ecosystems like Kubernetes, providing a secure alternative for sensitive workloads. Its design prioritizes low resource consumption and rapid startup, making it suitable for serverless functions and other ephemeral workloads.

CAVEATS

krunvm is part of the actively developed krun project. While it offers significant security and performance benefits for specific workloads, it may not be as feature-rich or mature as established container runtimes for all scenarios. It relies on a specific Virtual Machine Monitor (VMM) like Firecracker or Cloud Hypervisor and a compatible host kernel. Full integration with container orchestrators typically requires its containerd shim.

ARCHITECTURE OVERVIEW

krunvm operates by launching a minimal Linux kernel within a VMM (such as Firecracker or Cloud Hypervisor) dedicated to running a single OCI image. This guest kernel is highly optimized and often called the 'krun-kernel'. Instead of traditional block devices, krunvm uses vhost-user based virtio devices for efficient I/O, allowing direct communication between the guest and the host for file system access, networking, and other resources. This architecture minimizes overhead while maximizing isolation.

INTEGRATION WITH CONTAINERD

One of krunvm's key features is its implementation of the containerd runtime shim API. This means that containerd, a core component of many container orchestration systems like Kubernetes, can use krunvm as an alternative to runc. When configured as a containerd runtime, krunvm intercepts container creation requests and launches the OCI image within a micro-VM, providing an enhanced security boundary without requiring significant changes to existing container workflows.

HISTORY

The krun project emerged from the need for stronger isolation and faster boot times for containerized applications, particularly in serverless and edge computing environments. It aimed to overcome the limitations of traditional container runtimes (like runc) which share the host kernel, by leveraging lightweight virtualization. krunvm was developed as the command-line interface and containerd shim for the krun runtime, providing a user-friendly way to interact with and manage these secure micro-VMs. Its development focuses on Rust for performance and security, integrating with existing virtualization technologies to offer a new paradigm for container execution.

SEE ALSO

containerd(1), runc(1), crictl(1), firecracker(8), cloud-hypervisor(8)
