ZeroVM is an open source light-weight virtualization and sandboxing technology. It virtualizes a single process using the Google Native Client platform. Since only a single process is virtualized (instead of a full operating system), the startup overhead is in the order of 5 ms.


Sandboxing

ZeroVM creates a sandbox around a single process, using technology based on Google Native Client (NaCl). The sandbox ensures that the application executed cannot access data in the host operating system, so it is safe to execute untrusted code. The programs executed in ZeroVM must first be cross-compiled to the NaCl platform. ZeroVM can only execute NaCl code compiled for the x86-64 platform, not the portable Native Client (PNaCl) format. Code executed in ZeroVM cannot call normal system calls and initially cannot interact with the host environment. All communication with the outside world takes place over ''channels'', which must be declared before the program starts. Outside the sandbox, a channel can be connected to a local file, to a pipe, or to another ZeroVM instance. Inside the sandbox, the program sees the channel as a file descriptor. The sandboxed program can read/write data from/to the channel, but does not know where the channel is connected in the host.

Programs compiled for ZeroVM can optionally use the ZeroVM Runtime library, called ZRT. This library aims to provide the program with a POSIX environment. It does this by replacing parts of the C standard library. In particular, ZRT replaces C file input/output functions such as fopen and opendir with versions that operate on an in-memory filesystem. The root filesystem is provided as a tarball. This allows a program to "see" a normal Unix environment. ZRT also replaces C date and time functions such as time to give programs a fixed and ''deterministic'' environment. With fixed inputs, every execution is guaranteed to give the same result. Even programs that are not written in a purely functional style become deterministic in this restricted environment. This makes programs easier to debug since their behavior is fixed.
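The programming model described above, as an added example that is not ZeroVM or ZRT project code: a C program whose only I/O is read(2)/write(2) on two descriptors the host is assumed to have wired to channels before start (the descriptor numbers 0 and 1 are an assumption), with no host paths and no clock, so its output is a pure function of the input bytes. It would be cross-compiled for NaCl to run under ZeroVM; as plain C it also runs natively with stdin/stdout standing in for the channels.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#define IN_CHANNEL  0   /* assumption: host wired this descriptor to the input channel */
#define OUT_CHANNEL 1   /* assumption: host wired this descriptor to the output channel */

struct summary { size_t bytes; size_t lines; uint64_t fnv1a64; };

/* Pure function of the bytes seen: no clock, no host paths, so the result is
 * identical on every run with the same input. FNV-1a (64-bit) serves as a
 * cheap fingerprint that a caller can compare across runs. */
struct summary summarize(const unsigned char *buf, size_t len) {
    struct summary s = { len, 0, UINT64_C(0xcbf29ce484222325) };
    for (size_t i = 0; i < len; i++) {
        if (buf[i] == '\n') s.lines++;
        s.fnv1a64 = (s.fnv1a64 ^ buf[i]) * UINT64_C(0x100000001b3);
    }
    return s;
}

/* Drain a channel with read(2) until EOF; this is the only way data enters.
 * Returns the number of bytes read, or -1 on a channel error. */
ssize_t read_channel(int fd, unsigned char *buf, size_t cap) {
    size_t total = 0;
    while (total < cap) {
        ssize_t n = read(fd, buf + total, cap - total);
        if (n < 0) return -1;   /* channel error */
        if (n == 0) break;      /* EOF: the host closed the far side */
        total += (size_t)n;
    }
    return (ssize_t)total;
}

int main(void) {
    static unsigned char buf[1u << 20];   /* 1 MiB input cap for this example */
    ssize_t n = read_channel(IN_CHANNEL, buf, sizeof buf);
    if (n < 0) return 1;
    struct summary s = summarize(buf, (size_t)n);
    char out[96];
    int len = snprintf(out, sizeof out, "bytes=%zu lines=%zu fnv1a64=%016llx\n",
                       s.bytes, s.lines, (unsigned long long)s.fnv1a64);
    return (len > 0 && write(OUT_CHANNEL, out, (size_t)len) == len) ? 0 : 1;
}
```

Running it twice on the same input channel yields byte-identical output, which is the property the ZRT determinism guarantee is meant to preserve even for programs that do consult the clock.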


Integration with Swift

ZeroVM has been integrated with Swift, the distributed object storage component of OpenStack. When the ZeroCloud middleware is installed into Swift, a client can make a request to Swift containing a ZeroVM program. The program is then executed directly on the storage nodes. This means that the program has direct access to the data.


History

ZeroVM was developed by LiteStack, an Israeli startup. The first commit in the zerovm Git repository was added in November 2011. LiteStack was bought by Rackspace in October 2013. ZeroVM participated in the Techstars Cloud 2013 incubator program and got $500,000 in seed funding. The first ZeroVM Design Summit was held in January 2014 at the University of Texas at San Antonio.


See also

* Google Native Client
* LXC (LinuX Containers)
* seccomp
* Docker (software)



External links

* Stable Ubuntu packages
* Latest Ubuntu packages