Quark – A secure container runtime with CRI/OCI interface
github.comIs there any real point to this?
Is this effectively anything more than a syscall filtered container?
To me, relaying syscalls from a guest in a VM to a host sounds like it is defeating the whole point of the VM!
At least normally a VM doesn’t have direct access to host syscalls — it is confirmed to the emulated block and network devices which (should) provide a constrained means of access.
Container escapes often happen because of exposure to host kernel interfaces (via syscalls!), and kernel file systems such as /sys and /proc (especially /proc/self shenanigans).
I fear they have reinvented a container, much less efficiently.
Very cool! Curious to know the use cases for this tech?