Lab12 Submission Nikita Timofeev

[MoriSummerz]

Goal

Submit Lab 12 — exercise VM-backed container sandboxing with Kata Containers,
compare it against the default runc runtime, and capture the
isolation / performance trade-offs as evidence under labs/lab12/.

Changes

• labs/submission12.md — full write-up: install evidence, runc vs Kata
  comparison, isolation tests (dmesg / proc / network / kernel modules),
  performance snapshot, recommendations.
• labs/lab12/setup/ — kata-shim-version.txt, kata-runtime-version.txt,
  kata-check.txt, containerd config wiring log, install log,
  alpine sanity runs.
• labs/lab12/runc/ — Juice Shop on runc (HTTP 200 on port 3013) and
  nerdctl ps snapshot.
• labs/lab12/kata/ — uname / /proc/cpuinfo references, kata run trace.
• labs/lab12/isolation/ — dmesg.txt, proc.txt, network.txt,
  modules.txt.
• labs/lab12/bench/ — startup.txt (5 trials), http-latency.txt
  (50 requests), raw curl-3013.txt timings.
• labs/lab12/analysis/ — kernel-comparison.txt, cpu-comparison.txt.
• .gitignore — minor housekeeping carried over from the branch.

Testing

Executed on Ubuntu 22.04 aarch64 (Neoverse-N1, kernel 5.15.0-1027-oracle)
with containerd 1.6.33 + nerdctl 2.2.0 + Kata 3.29.0:

# Task 1
containerd-shim-kata-v2 --version    # → 3.29.0
sudo bash labs/lab12/scripts/configure-containerd-kata.sh
sudo systemctl restart containerd
sudo kata-runtime kata-check

# Task 2
sudo nerdctl run -d --name juice-runc -p 3013:3000 bkimminich/juice-shop:v19.0.0
curl -s -o /dev/null -w "HTTP %{http_code}\n" http://localhost:3013   # → 200
sudo nerdctl run --rm alpine:3.19 uname -a

# Task 3
sudo nerdctl run --rm --privileged alpine:3.19 sh -c "dmesg | head -5"
sudo nerdctl run --rm alpine:3.19 sh -c "ls /proc | wc -l"
sudo nerdctl run --rm alpine:3.19 ip addr show
sudo nerdctl run --rm alpine:3.19 sh -c "ls /sys/module | wc -l"

# Task 4
for i in 1 2 3 4 5; do /usr/bin/time -f "real=%e" \
    sudo nerdctl run --rm alpine:3.19 echo test; done
for i in $(seq 1 50); do \
    curl -s -o /dev/null -w "%{time_total}\n" http://localhost:3013/; done

Artifacts & Screenshots

Key evidence (full directory under labs/lab12/):

• setup/kata-shim-version.txt — Kata containerd shim 3.29.0 verified
• setup/kata-runtime-version.txt — kata-runtime 3.29.0
• setup/kata-check.txt — kata-runtime kata-check output
• runc/health.txt — juice-runc on port 3013: HTTP 200
• analysis/kernel-comparison.txt — host vs container kernel
• analysis/cpu-comparison.txt — Neoverse-N1 host CPU vs container
• isolation/dmesg.txt — privileged runc reads host kernel ring buffer
• isolation/proc.txt — host=416 entries, runc=62
• isolation/network.txt — runc CNI veth, single eth0 in netns
• isolation/modules.txt — runc shares host's 235 kernel modules
• bench/startup.txt — runc startup avg ≈ 0.44 s (5 trials)
• bench/http-latency.txt — juice-runc avg = 0.0020 s (50 requests)

---

Checklist

• PR title is clear and descriptive
• Documentation updated if needed
• No secrets or large temporary files committed
• Task 1 — Kata install + runtime config
• Task 2 — runc vs kata runtime comparison
• Task 3 — Isolation tests
• Task 4 — Basic performance snapshot