
feat(lab12): kata vs runc isolation + perf + escape PoC #12

Open

RII6 wants to merge 1 commit into main from feature/lab12

Conversation

@RII6 (Owner) commented Jun 30, 2026

Goal

This PR compares Kata Containers against runc in terms of isolation and performance overhead, and demonstrates a container escape PoC that succeeds on runc but is blocked by Kata's micro-VM isolation.

Changes

  • Documented Kata vs runc environment details, including kernel diffs (Kata's 6.6.22 guest kernel vs the host kernel).
  • Captured isolation evidence (diffing /dev and capabilities) and measured performance overhead (~5.3x cold start latency, significant I/O drop).
  • Executed and documented a real privileged container-escape PoC (host write via bind mounts) demonstrating runc's vulnerability and Kata's successful mitigation.

Testing

  • Verified isolation differences on the Linux host by executing nerdctl run with and without --runtime=io.containerd.kata.v2.
  • Benchmarked startup time using date and bc over 5 iterations, and dd for I/O throughput.
  • Executed a privileged volume-mount escape attempt (echo ... > /host_tmp/lab12-target) and verified host filesystem integrity from outside the container.

Artifacts & Screenshots

  • Please refer to submissions/lab12.md for full command outputs, test evidence, and tradeoff analysis.

Checklist

  • Task 1 — Kata installed; both runtimes run; kernel diff documented
  • Task 2 — Isolation + 5-run startup + I/O benchmark with trade-off analysis
  • Bonus — Escape PoC succeeds on runc, fails on Kata (with host-side verification)
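The procedure the PR describes (5-run cold-start timing with `date`, an isolation diff of `/dev` and capabilities, and the privileged bind-mount write with host-side verification) as one runnable script. This is an added example, not code from the lab12 submission or from the Kata project. It assumes `nerdctl` is on PATH with the Kata shim registered as `io.containerd.kata.v2`, a GNU `date` that supports `%N`, a locally available `alpine:3.20` image, and `/tmp` as the host directory bound into the container; all of those names are assumptions, not taken from the PR. It uses shell integer arithmetic instead of `bc` so the helpers run anywhere.

```shell
#!/usr/bin/env bash
# Added example for this PR (not part of submissions/lab12.md): drive the
# runc-vs-Kata comparison described in the PR body. Assumed: nerdctl on PATH,
# Kata shim registered as io.containerd.kata.v2, GNU date, image pulled.
set -eu

IMAGE="${IMAGE:-alpine:3.20}"      # assumed image
KATA="io.containerd.kata.v2"       # runtime name used in the PR
RUNS="${RUNS:-5}"                  # 5 iterations, as in the PR
HOST_DIR="${HOST_DIR:-/tmp}"       # assumed host dir bound to /host_tmp
MARKER="lab12-target"              # file name from the PR

# Integer mean of space-separated integer samples (replaces the PR's bc step).
mean() {
  local sum=0 n=0 s
  for s in $1; do sum=$((sum + s)); n=$((n + 1)); done
  echo $((sum / n))
}

# a/b rounded to one decimal, e.g. `ratio 530 100` prints 5.3
ratio() {
  local t=$(( (10 * $1 + $2 / 2) / $2 ))
  echo "$((t / 10)).$((t % 10))"
}

# One cold start: create a fresh container, run `true`, remove it; wall clock in ms.
cold_start_ms() {
  local rt=$1 t0 t1
  t0=$(date +%s%N)
  nerdctl run --rm --runtime="$rt" "$IMAGE" true >/dev/null
  t1=$(date +%s%N)
  echo $(( (t1 - t0) / 1000000 ))
}

# Prints "<runtime>: <samples> mean=<ms>" over RUNS cold starts.
bench() {
  local rt=$1 samples="" i
  for i in $(seq "$RUNS"); do samples="$samples $(cold_start_ms "$rt")"; done
  echo "$rt:$samples mean=$(mean "$samples")"
}

# What a process inside the container sees: kernel, effective caps, device nodes.
# Diffing this between runtimes is the isolation evidence the PR refers to.
isolation_report() {
  nerdctl run --rm --runtime="$1" "$IMAGE" sh -c \
    'uname -r; grep CapEff /proc/self/status; ls /dev | sort'
}

# The PR's write through a privileged bind mount, then the check from the host
# side. Reports whether the host sees the file; it assumes no outcome.
bind_mount_write() {
  local rt=$1
  rm -f "$HOST_DIR/$MARKER"
  nerdctl run --rm --privileged --runtime="$rt" -v "$HOST_DIR:/host_tmp" "$IMAGE" \
    sh -c "echo written-under-$rt > /host_tmp/$MARKER"
  if [ -f "$HOST_DIR/$MARKER" ]; then
    echo "$rt: host sees $HOST_DIR/$MARKER ($(cat "$HOST_DIR/$MARKER"))"
  else
    echo "$rt: host does not see $HOST_DIR/$MARKER"
  fi
}

main() {
  local r k
  r=$(bench runc); k=$(bench "$KATA")
  echo "$r"; echo "$k"
  echo "cold-start overhead (kata/runc): $(ratio "${k##*mean=}" "${r##*mean=}")x"
  isolation_report runc   > "$HOST_DIR/lab12-runc.txt"
  isolation_report "$KATA" > "$HOST_DIR/lab12-kata.txt"
  diff "$HOST_DIR/lab12-runc.txt" "$HOST_DIR/lab12-kata.txt" || true
  bind_mount_write runc
  bind_mount_write "$KATA"
}

# Only run the lab when asked, so the helpers can be sourced and tested alone.
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sudo ./lab12.sh run` on the host. Two caveats worth keeping in mind when reading the output: the timing loop measures `nerdctl run` end to end, so image-layer setup is included in both numbers, which is what a cold-start comparison wants; and `bind_mount_write` only reports what the host sees, because Kata forwards an explicit `-v` volume into the guest through its shared filesystem, so the stronger per-runtime isolation signal is the `/dev` listing and `CapEff` diff, where a privileged runc container shows the host's device nodes and the Kata guest shows only its own.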
