Youki

Youki is a low-level container runtime written in Rust that creates and manages isolated containers according to Open Container Initiative specifications. It serves as an execution engine that can function as a rootless container manager or a pluggable Kubernetes CRI runtime to manage pods and containers within a cluster.

The project distinguishes itself by providing a Wasm container runtime capable of executing WebAssembly modules as isolated workloads compatible with standard orchestration tools. It further supports a rootless execution model, allowing isolated environments to start as non-root users to reduce security risks and remove the need for administrative privileges.

The runtime covers a broad range of system capabilities, including Linux sandbox provisioning, hardware resource limit configuration via cgroups, and security hardening through system call filtering. It also handles container network interface management, process execution control, and the full container lifecycle from creation to termination.

The project includes tooling for multi-architecture cross-compilation and automated provisioning of virtualized Linux environments for testing and development.

Features

OCI Container Engines - Implements the Open Container Initiative standards for building and running isolated containers.

OCI Runtime Implementations - Implements a low-level container runtime that adheres to Open Container Initiative specifications for image formats and execution.

Sandbox Process Execution - Runs containers and pods using compatible sandboxes to isolate processes and manage hardware resources.

Runtime Lifecycle Management - Manages the full container lifecycle from creation to termination by interfacing with host kernel features.

Container Runtime Integrations - Implements the Container Runtime Interface to allow Kubernetes to orchestrate pods and containers via the runtime.

Wasm Execution Engines - Provides a specialized execution environment for running WebAssembly modules as isolated containers.

Namespace-Based Isolation - Leverages Linux kernel namespaces to create isolated execution environments and partition system resources.

Linux Sandboxes - Implements Linux sandbox provisioning using kernel namespaces and cgroups to create isolated execution environments.

WebAssembly - Executes WebAssembly modules as isolated containers by assigning them to a dedicated runtime handler.

Containerized Workloads - Executes WebAssembly modules as isolated workloads that are compatible with standard container orchestration tools.

Wasm Sandboxes - Provides a dedicated handler to run WebAssembly modules as isolated workloads within a sandbox.

Rootless Container Runtimes - Provides a rootless execution model that allows containers to run without requiring administrative privileges on the host.

Container Security Hardening - Hardens the container environment by applying security profiles and filtering system calls.

Seccomp Profiles - Hardens the container sandbox by restricting available system calls through defined seccomp security profiles.

Kernel Resource Limiting - Uses Linux kernel control groups to enforce hardware resource limits like CPU and memory for containers.

Container Management Systems - Executes containerized processes by leveraging system primitives and adhering to industry-standard specifications.

Rust Systems Programming - Developed in Rust to ensure memory safety and performance when interfacing with low-level Linux kernel features.

Memory-Safe Systems Programming - Built with Rust to ensure memory safety while interfacing directly with low-level Linux kernel system calls.

Cgroup Resource Analyzers - Exports usage statistics and configures root paths for Linux control groups to monitor resource consumption.

DevOps & Infrastructure - Container runtime implementation.

Container Runtimes - Rust-based OCI-compliant container runtime.

youki-devyouki

Features

Star history