ZeroVM is a secure execution environment that runs a single application in isolation. It is based on Google's Native Client (NaCl) and ships a runtime environment, ZRT, that provides a subset of the POSIX API. ZeroVM has very low overhead and far faster startup than traditional VMs and containers. The deck discusses embedding ZeroVM in OpenStack Swift so that computation such as video transcoding, log searching and distributed SQL can run directly on the Swift storage nodes, next to the data.
3. RACKSPACE® HOSTING | WWW.RACKSPACE.COM
Google Native Client (NaCl)
• Created to allow safe client-side execution of native code in Chromium
• Combines memory segmentation (hardware-enforced bounds on the sandbox's code and data) with disassembly-based validation of the loaded binary, a static check that runs before any of the untrusted code executes
• Near-native run speeds – much faster than inline instruction checking (instrumenting every instruction at run time)
The (sort of) Plain English Description
ZeroVM creates a secure, isolated execution environment that runs a single application or program.
Service providers can use ZeroVM to let their users run applications inside multi-tenant systems.
Some Technical Details
• Based on the Chromium Native Client (NaCl) project
• Leverages ZeroMQ ZBroker (networked named pipes)
• Includes a full compiler toolchain
• ZRT provides a subset of the POSIX API
• ZRT also includes a port of the CPython interpreter
NaCl vs ZeroVM
• ZeroVM retains the same restrictions on untrusted code as NaCl
• ZeroVM retains NaCl's disassembly-based validation of the binary before it runs
• ZeroVM comes with its own runtime environment: ZRT
• Files represent input and output in true UNIX fashion (a program reads its inputs and writes its results through file descriptors)
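The disassembly-based validation that the NaCl slide describes and that ZeroVM retains is easy to misread as "the sandbox disassembles code while it runs". It is a static check over the whole text segment before execution: a linear sweep must decode every byte, no instruction may cross a 32-byte bundle boundary, privileged instructions are rejected, indirect jumps must be immediately preceded by a mask that clamps the target to a bundle start, and direct jumps may only land on instruction starts (and never on the jump half of a mask+jump pair). The validator below is an added example written for this page, not NaCl's or ZeroVM's code. It applies those rules to a constructed toy instruction set (the opcodes, the 64 KiB text-segment limit and the sample programs are invented for illustration); NaCl's real validator applies the same rules to x86 encodings.

```python
from dataclasses import dataclass
from typing import List, Tuple

BUNDLE = 32           # NaCl groups code into 32-byte bundles
CODE_LIMIT = 1 << 16  # text-segment size for this example (an assumption)

# Constructed toy ISA, invented for this example: opcode -> (mnemonic, length in bytes)
ISA = {
    0x00: ("nop", 1),
    0x01: ("add", 2),      # add imm8
    0x02: ("jmp", 3),      # jmp abs16 (little-endian target)
    0x03: ("andmask", 1),  # clamp a register to a bundle start inside the sandbox
    0x04: ("jmpind", 1),   # indirect jump through that register
    0x05: ("mov", 2),      # mov imm8
    0x06: ("hlt", 1),
    0x0F: ("syscall", 1),  # direct kernel entry: never allowed in untrusted code
}
OPCODE = {v[0]: k for k, v in ISA.items()}
FORBIDDEN = {"syscall"}


@dataclass
class Insn:
    offset: int
    mnemonic: str
    length: int
    operand: int = 0


def decode(code: bytes) -> List[Insn]:
    """Linear sweep from offset 0: every byte must belong to a known, complete instruction."""
    insns, pc = [], 0
    while pc < len(code):
        op = code[pc]
        if op not in ISA:
            raise ValueError(f"unknown opcode {op:#04x} at {pc:#x}")
        mnemonic, length = ISA[op]
        if pc + length > len(code):
            raise ValueError(f"truncated {mnemonic} at {pc:#x}")
        operand = 0
        if mnemonic == "jmp":
            operand = int.from_bytes(code[pc + 1:pc + 3], "little")
        elif length == 2:
            operand = code[pc + 1]
        insns.append(Insn(pc, mnemonic, length, operand))
        pc += length
    return insns


def validate(code: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). Same shape of rules as NaCl's static validator."""
    if not code or len(code) % BUNDLE or len(code) > CODE_LIMIT:
        return False, "text segment must be non-empty, bundle-padded and within the sandbox"
    try:
        insns = decode(code)
    except ValueError as exc:
        return False, str(exc)

    starts = {i.offset for i in insns}
    prev = None
    for ins in insns:
        if ins.mnemonic in FORBIDDEN:
            return False, f"forbidden {ins.mnemonic} at {ins.offset:#x}"
        if ins.offset // BUNDLE != (ins.offset + ins.length - 1) // BUNDLE:
            return False, f"{ins.mnemonic} at {ins.offset:#x} straddles a bundle boundary"
        if ins.mnemonic == "jmpind":
            # Mask and jump must be adjacent and inside one bundle, so no masked
            # (bundle-aligned) target can land between them and jump unmasked.
            masked = (prev is not None and prev.mnemonic == "andmask"
                      and prev.offset // BUNDLE == ins.offset // BUNDLE)
            if not masked:
                return False, f"unmasked indirect jump at {ins.offset:#x}"
        prev = ins

    # The jump half of a mask+jump pseudo-instruction is never a legal direct target.
    guarded = {i.offset for i in insns if i.mnemonic == "jmpind"}
    for ins in insns:
        if ins.mnemonic == "jmp" and (ins.operand not in starts or ins.operand in guarded):
            return False, f"jmp at {ins.offset:#x} targets {ins.operand:#x}, not a valid instruction start"
    return True, "ok"


def assemble(program) -> bytes:
    """Tiny assembler for the toy ISA; pads the text with hlt to a bundle multiple."""
    out = bytearray()
    for name, *args in program:
        out.append(OPCODE[name])
        if name == "jmp":
            out += args[0].to_bytes(2, "little")
        elif ISA[OPCODE[name]][1] == 2:
            out.append(args[0] & 0xFF)
    out += bytes([OPCODE["hlt"]]) * ((-len(out)) % BUNDLE)
    return bytes(out)


# Constructed sample programs, one per rule
GOOD = assemble([("mov", 1), ("add", 2), ("andmask",), ("jmpind",), ("hlt",)])
UNMASKED = assemble([("mov", 1), ("jmpind",)])
SYSCALL = assemble([("syscall",)])
STRADDLE = assemble([("nop",)] * 31 + [("add", 7)])  # add occupies bytes 31..32
INTO_PSEUDO = assemble([("jmp", 6), ("nop",), ("nop",), ("andmask",), ("jmpind",)])
OUT_OF_TEXT = assemble([("jmp", 0x1000)])
UNKNOWN_OP = bytes([0x07]) + bytes([OPCODE["hlt"]]) * (BUNDLE - 1)

if __name__ == "__main__":
    for name in ("GOOD", "UNMASKED", "SYSCALL", "STRADDLE", "INTO_PSEUDO", "OUT_OF_TEXT", "UNKNOWN_OP"):
        print(f"{name:12s} {validate(globals()[name])}")
```

The point to take from the example is that nothing here executes the untrusted code: acceptance is decided once, from the bytes alone, which is why the sandbox can then run at near-native speed with only the segment bounds (and the mask before each indirect jump) enforced at run time.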
VM vs. Container vs. ZeroVM

                  Traditional VM       Container          ZeroVM
Hardware          Shared               Shared             Shared
Kernel/OS         Dedicated            Shared             None (no guest kernel/OS)
Overhead          High                 Low                Very low
Startup           Slow (minutes)       Fast (seconds)     Very fast (microseconds)
Security model    [per-column cells not captured in this text]