How Kuasar Multi‑Sandbox Runtime Boosts Cloud‑Native Security and Performance
This article introduces Huawei Cloud's open‑source Kuasar multi‑sandbox container runtime, explains sandbox container types, outlines Kuasar's architecture and benefits, and presents performance benchmarks and quick installation steps for developers seeking secure and efficient cloud‑native workloads.
Multi‑Sandbox Container Runtime Kuasar: Overview and Benefits
In this live session, Huawei Cloud DTSE evangelist Zhang Tianyang introduced the evolution of sandbox containers, the advantages of the open‑source Kuasar runtime, and demonstrated installation and usage.
Background of Sandbox Containers
Docker (2013) introduced containers that share the host kernel, isolated only by namespaces and cgroups. Kubernetes (2014) added the pause container so that the containers of a pod share network and storage namespaces. Because every container shares the host kernel, a kernel vulnerability reachable from one container threatens the host and all other containers; this risk led to the emergence of sandbox containers in 2017, which isolate container processes in a closed sandbox.
Types of Sandbox Containers
MicroVM Sandbox (Lightweight VM sandbox) – runs containers inside a full virtual machine, providing strong isolation.
Application Kernel Sandbox (App Kernel) – uses a custom kernel (QKernel) and hypervisor (QVisor) to intercept syscalls.
WebAssembly Sandbox (Wasm) – runs containers in a Wasm runtime, requiring programs to be compiled to Wasm.
Each sandbox has its own strengths in elasticity, security, and standardization, and all are managed by containerd Shim v2.
Kuasar Architecture
Kuasar is a low‑level container runtime that interacts with a high‑level runtime such as containerd. It consists of two main modules:
Kuasar‑Sandboxer – implements the Sandbox API and manages sandbox lifecycle and resources; interacts with containerd as a plugin.
Kuasar‑Task – implements the Task API and manages container lifecycle and resources.
Benefits of Kuasar
Clear separation of sandbox and container management logic.
A resident sandboxer process reduces cold‑start overhead, and the 1:N management model (one sandboxer process managing many sandboxes, instead of one shim process per pod) lowers the process count and memory usage.
Simplified call chain by removing the pause container.
Performance Evaluation
End‑to‑end container start‑up time and memory consumption were measured against competing solutions. Kuasar achieved up to 100 % faster start‑up by eliminating the pause container and using a resident sandboxer, and reduced memory usage by nearly 99 % thanks to the 1:N model and Rust implementation.
Getting Started
Installation can be done via pre‑built binaries for Ubuntu 22.04 (GitHub release) or by building from source. Required components include a supported OS, a sandbox implementation (MicroVM – Cloud Hypervisor, App Kernel – Quark, Wasm – WasmEdge), containerd 1.7.0, and debugging tools such as crictl.
For a hands‑on experience, a video demonstration is provided.
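Before installing, it is worth confirming that the host actually meets the prerequisites the article lists. The script below is an added example written for this page, not Kuasar's own tooling: it checks the OS release (Ubuntu 22.04 is where pre‑built binaries apply), that containerd is at least 1.7.0, and that crictl is available. It assumes the standard `containerd --version` output format (`containerd github.com/containerd/containerd vX.Y.Z <commit>`) and the standard `ID=`/`VERSION_ID=` keys in `/etc/os-release`; by default it runs against a constructed sample line so it works offline, and `KUASAR_PREREQ_LIVE=1` switches it to the current machine.

```shell
#!/bin/sh
# Added example (not Kuasar's own tooling): verify the prerequisites the
# article names before installing a sandbox runtime.
# Assumes `containerd --version` prints
#   "containerd github.com/containerd/containerd v1.7.0 <commit>"
# and that /etc/os-release carries ID= and VERSION_ID=.

# version_ge A B: succeed if dotted version A >= B. Compares up to three
# numeric fields; a leading "v" and pre-release suffixes ("2.0.0-beta.1")
# are ignored.
version_ge() {
    a=${1#v}; b=${2#v}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# containerd_version LINE: extract "1.7.0" from a `containerd --version` line
# (empty output when the line is empty, i.e. containerd is not installed).
containerd_version() {
    printf '%s' "$1" | awk '{ sub(/^v/, "", $3); print $3 }'
}

# check_prereqs OS_ID OS_VERSION_ID CONTAINERD_LINE HAVE_CRICTL(0|1)
# Prints one line per check; returns 0 only when the hard requirements
# (containerd >= 1.7.0 and crictl) hold. A non-Ubuntu-22.04 host is only a
# warning, because the article allows building from source there.
check_prereqs() {
    failed=0
    if [ "$1" = "ubuntu" ] && [ "$2" = "22.04" ]; then
        echo "ok   $1 $2: pre-built GitHub release binaries can be used"
    else
        echo "warn $1 $2: not Ubuntu 22.04, build Kuasar from source"
    fi
    cv=$(containerd_version "$3")
    if [ -n "$cv" ] && version_ge "$cv" 1.7.0; then
        echo "ok   containerd $cv"
    else
        echo "FAIL containerd ${cv:-missing}: 1.7.0 or newer is required"
        failed=1
    fi
    if [ "$4" = 1 ]; then
        echo "ok   crictl available for debugging"
    else
        echo "FAIL crictl not found"
        failed=1
    fi
    return "$failed"
}

if [ "${KUASAR_PREREQ_LIVE:-0}" = 1 ]; then
    # Inspect the current host.
    os_id=$(. /etc/os-release && echo "$ID")
    os_ver=$(. /etc/os-release && echo "$VERSION_ID")
    cd_line=$(containerd --version 2>/dev/null || true)
    have_crictl=0
    if command -v crictl >/dev/null 2>&1; then have_crictl=1; fi
    check_prereqs "$os_id" "$os_ver" "$cd_line" "$have_crictl" \
        || echo "prerequisites incomplete"
else
    # Constructed sample input (commit hash is a placeholder, not a real
    # containerd build): an Ubuntu 22.04 host whose containerd is too old.
    check_prereqs ubuntu 22.04 \
        "containerd github.com/containerd/containerd v1.6.21 000000000000" 1 \
        || echo "prerequisites incomplete (sample host: containerd too old)"
fi
```

The version comparison deliberately ignores pre-release suffixes so a `1.7.0-rc.1` reads as 1.7.0; if you need to reject release candidates, tighten `version_ge` rather than the caller.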
Future Directions
Future directions include support for Dynamic Resource Allocation (DRA) and Container Device Interface (CDI) to further enhance security and efficiency in cloud‑native environments.
Huawei Cloud Developer Alliance
The Huawei Cloud Developer Alliance creates a tech sharing platform for developers and partners, gathering Huawei Cloud product knowledge, event updates, expert talks, and more. Together we continuously innovate to build the cloud foundation of an intelligent world.