Pedro Henrique Penna

I am a Senior Research Software Engineer at Microsoft Research – Systems Research Group.

I am currently working on Nanvix – A Microkernel-Based Research Operating System.

I earned my PhD Degree in Computer Science from Université Grenoble Alpes (UGA) and from Pontifícia Universidade Católica de Minas Gerais (PUC Minas) in 2021. During my thesis, I devised a distributed operating system for lightweight manycore processors.

In 2017, I received my MSc Degree in Computer Science from Universidade Federal de Santa Catarina (UFSC). In 2015, I earned my BSc Degree in Computer Science from Pontifícia Universidade Católica de Minas Gerais (PUC Minas) with Summa Cum Laude honors and the Featured Computer Science Student Award by the Brazilian Computer Society (SBC).

I have over 15 years of experience in research, design and development of computing systems. I have expertise in Operating Systems, Distributed Systems, Embedded Systems, Parallel Programming and High-Performance Computing.


Session

11-08
16:00
30min
VM-Class Secure, Millisecond-Fast Cloud-Native Apps With Hyperlight + Nanvix
Danilo (Dan) Chiarlone, Pedro Henrique Penna

Kubernetes enables teams to deploy almost any workload without modification, but its boundaries are still defined by namespaces and cgroups. The presence of seven container-escape CVEs from 2022 to 2024 shows these boundaries can be breached. Full VMs or Kata Containers can restore security but suffer from multi-second cold starts and high memory usage, impacting latency-sensitive or densely packed clusters.
In this talk, we will explore a middle ground with Hyperlight, a CNCF virtual-machine monitor that boots micro-VMs, and Nanvix, an open-source Rust microkernel designed to keep guests small yet compatible. This combination allows unmodified Rust, Python, and Wasm services to start up in tens of milliseconds while maintaining VM-class isolation.
We will delve into the architecture, present head-to-head benchmarks, and conduct a live demo. By the end of the session, you will have a clear understanding of the trade-offs and a checklist for implementing micro-VM isolation.

Crystal Dining Room