Network Reliability Engineering Community

Lab sandboxing?

Is there any kind of sandboxing of the labs, or are containers just run in regular k8s pods alongside?

I fear some labs could lead to users trying to mess around…

I’ve been investigating kubevirt or kata-containers for doing os (k8s on premises?)… have you investigated such paths?

Responding to myself: I’ve found the utility-vm image that might be useful in that respect, but couldn’t find an example, so I’m thankful in advance for some advice.

Kubevirt is interesting. We do have the image you mentioned but the lesson it was built for hasn’t been contributed yet, so it sits on its own for now.

Each of the lessons is namespaced in Kubernetes, but we don’t stress out too much about true isolation, since it is just a learning tool. Most of the time when we leverage virtual machines, it’s less about security and more about technical requirements (i.e. running network devices, or when we are trying to teach something that requires dedicated kernel resources like learning Docker).

I fear there may be issues with KataContainers or KubeVirt if running on selfmedicate inside VirtualBox, btw. As exhibited here: https://github.com/olberger/vagrant-kata-containerd/issues/1, I’m not so sure VirtualBox will support the nested virtualization required by qemu/kvm for running KataContainers (AFAIU)…

Of course on bare metal, that’s another story :wink: