Improve workspace data isolation with micro VMs
Problem to solve
GitLab Workspaces are cloud-based development environments that run in the browser. Because they execute user-supplied code, their security and isolation are critical to protecting user data and host resources. MicroVM-style isolation technologies such as Kata Containers, Firecracker, gVisor, or sysbox can address these concerns by giving each Workspace its own secure, isolated environment.
A MicroVM is a small and lightweight virtual machine that can run a single process. Unlike traditional virtual machines, which run a complete operating system, MicroVMs only run the necessary components for the application to function. This reduces the attack surface, making it more difficult for malicious actors to penetrate the system. Additionally, MicroVMs are typically isolated from the host and other containers, reducing the risk of cross-contamination and data breaches.
By running each Workspace in its own MicroVM, GitLab could ensure that every environment is isolated from the host and from other Workspaces. This substantially reduces the risk of a security breach or data loss, making Workspaces a safer place for users to store and process sensitive data. It also gives developers a more stable and predictable environment to work in, which can increase productivity and reduce downtime.
MicroVM Pros
MicroVMs can solve several core problems for GitLab Workspaces, including:
- Root Access: MicroVMs are designed to run a single process, which means that the guest operating system does not have root access to the host system. This makes it more difficult for malicious actors to gain access to sensitive data or compromise the host system.
- Multi-Tenancy Data Security: By using a separate MicroVM for each user or tenant, data is isolated and kept separate from other tenants' data. This helps to prevent cross-tenant data breaches and ensures that data is only accessible to those who are authorized to access it.
- Sandboxing: MicroVMs use techniques like sandboxing and process isolation to prevent malicious code from accessing sensitive data or compromising the host system. For example, Kata Containers uses hardware virtualization to provide a lightweight and secure virtual environment for containers.
- Resource Control: MicroVMs also allow for more fine-grained control of resources, such as CPU, memory, and disk, which can help to prevent a single tenant from monopolizing resources and affecting the performance of other tenants.
Proposal
- Choose a MicroVM technology: Choose a MicroVM technology such as Kata Containers, Firecracker, gVisor, or sysbox.
- Configure the MicroVM environment: Set up and configure the MicroVM environment, including setting up the necessary software components, such as a hypervisor and the MicroVM software.
- Integrate with GitLab Workspaces: Integrate the MicroVM technology with GitLab Workspaces by modifying the existing Workspaces infrastructure to run a MicroVM for each user session. This will involve changes to the underlying infrastructure, e.g. network and storage configurations.
- Implement user authentication and authorization: Implement user authentication and authorization to ensure that only authorized users can access the MicroVM environment.
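As an added illustration of the "Configure" and "Integrate" steps above, and of the root-access, multi-tenancy and resource-control points from the Pros section, the following Kubernetes manifests show what a per-Workspace MicroVM pod could look like. This is example configuration written for this proposal, not GitLab's own Workspaces code. It assumes a Kubernetes cluster with Kata Containers installed on the nodes and registered under the handler name `kata`; the RuntimeClass name, namespace, pod name, image, PVC name, the `workspaces-proxy` label, and the internal CIDR are all placeholders.

```yaml
# Added example, not GitLab's own configuration.
# ASSUMPTION: Kata Containers is installed and its handler is named "kata".
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-workspace            # hypothetical RuntimeClass name
handler: kata                     # ASSUMPTION: handler name from the Kata install
overhead:
  podFixed:                       # guest kernel + VMM cost, accounted for by the scheduler
    cpu: 250m
    memory: 160Mi
---
apiVersion: v1
kind: Pod
metadata:
  name: workspace-example         # hypothetical workspace pod
  namespace: workspace-tenant-a   # hypothetical: one namespace per tenant
  labels:
    app: workspace
spec:
  runtimeClassName: kata-workspace     # run this pod inside its own MicroVM
  automountServiceAccountToken: false  # no cluster credentials inside the workspace
  securityContext:
    runAsNonRoot: true                 # root inside the guest is still not root on the host,
    runAsUser: 1000                    # but an unprivileged user narrows what a compromised
    runAsGroup: 1000                   # editor process can do inside the VM
  containers:
    - name: editor
      image: example.com/workspace-image:placeholder   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      resources:                       # resource control: caps one tenant's usage
        requests:
          cpu: "1"
          memory: 2Gi
        limits:
          cpu: "2"
          memory: 4Gi
          ephemeral-storage: 10Gi
      volumeMounts:
        - name: project
          mountPath: /projects
  volumes:
    - name: project
      persistentVolumeClaim:
        claimName: workspace-example-pvc   # hypothetical per-workspace volume
---
# Multi-tenancy: the workspace is reachable only from the workspace proxy and
# cannot talk to other tenants' pods or to internal address ranges.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: workspace-isolation
  namespace: workspace-tenant-a
spec:
  podSelector:
    matchLabels:
      app: workspace
  policyTypes: ["Ingress", "Egress"]
  ingress:
    - from:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              app: workspaces-proxy     # hypothetical label of the ingress proxy
  egress:
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns         # allow cluster DNS
      ports:
        - protocol: UDP
          port: 53
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8              # ASSUMPTION: cluster/internal range to block
```

A quick check that the isolation is actually in effect after `kubectl apply -f` is to compare `kubectl exec -n workspace-tenant-a workspace-example -- uname -r` with the kernel version reported by the node: with a MicroVM runtime the pod reports the guest kernel, whereas a plain runc pod reports the host's. The NetworkPolicy only takes effect if the cluster's CNI enforces network policies, so that should be verified as part of the environment setup as well.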
Links
Relevant blog posts: