Kata Container - The Security of VM and The Speed of Container | Yuntong Jin
1. Kata Containers
The speed of containers, the security of VMs
Jin, Yuntong
Intel Open Technology Center
2. Agenda
Linux Containers Overview
Container VS VM
Kata Container Project Overview
Kata Container Architecture and Design
Kata Container Use Case
4. Linux* Containers Definition(s)
● LXC (Linux* Containers) is an operating-system-level virtualization method for running multiple
isolated Linux systems (containers) on a control host using a single Linux kernel. – Wikipedia
(https://en.wikipedia.org/wiki/LXC)
● Linux containers keep applications and their runtime components together by combining
lightweight application isolation with an image-based deployment method. Containers package
applications with the files on which they depend. This reduces the friction between development
and operations, simplifies application deployment, and accelerates delivery cycles--allowing you
to deliver value to customers faster. – Red Hat* (https://www.redhat.com/en/insights/containers)
5. Containers Use Linux* Kernel Technologies
[Diagram: in user space a Container Engine runs many Containers; in kernel space the single shared kernel supplies three building blocks]
● Namespaces: MNT, IPC, NET, PID, UTS – isolated networking namespace (and the other namespaces) for each container instance
● Control Groups: blkio, Devices, Memory, CPU – assign, limit and monitor system resources for each container instance
● Advanced File Systems: btrfs, AUFS, Device Mapper, UnionFS – fast root file system creation and layered changes
*Other names and brands may be claimed as the property of others
7. Containers and Virtual Machines
Source: http://www.rightscale.com/blog/cloud-management-best-practices/docker-vs-vms-combining-both-cloud-portability-nirvana
8. Containers Compared to Virtual Machines
Source: http://searchnetworking.techtarget.com/feature/Container-networking-offers-opportunity-to-simplify-networks
9. Containers and Virtual Machines
Containers and Virtual Machines are not Mutually Exclusive
Containers in Virtual Machines
The containers can be created/destroyed on multiple VMs and the VMs can migrate between physical
servers using existing VM infrastructure (e.g., OpenStack*)
Virtual Machines in Containers
Make use of resource management technologies (kernel: cgroups, namespaces)
Make use of build and deployment tools (simple Container creation syntax, Container infrastructure)
*Other names and brands may be claimed as the property of others
10. Container Concerns
● Security
Isolation from malicious neighbors
● Compatibility
Application compatibility with kernel versions
● Networking
Support for massive interconnectivity
● Maturity
Completeness of infrastructure, Compatibility and Interoperability in ecosystem
13. Kata Container - Hypervisor Based Containers
[Diagram: on Server Hardware with a host Linux* Kernel, Container A, Container B and Container C each run inside their own Virtual Machine with a separate guest Linux Kernel (A, B, C), Middleware and App]
● Each container/pod is hypervisor isolated
● As secure as a VM
● As fast as a container
● OCI spec compatible
● Seamless integration with the container ecosystem and management layers
● No changes needed to container images
16. Technical Vision
Light and fast VM-based containers
OCI compatible container runtime
No container image changes needed
Seamless integration with Kubernetes (CRI), Docker and OpenStack
Seamless integration with all major networking plugins
Support multiple architectures (x86, ARM, System Z, Power)
Support multiple hypervisors (KVM/QEMU, Firecracker, ACRN)
17. Non-Technical Goals
Open and vendor-neutral project
All VM based containers, users and consumers under the same project
Managed at the OpenStack Foundation*
Independent from the OpenStack* software project
*Other names and brands may be claimed as the property of others.
21. Kata Container Architecture and Design
[Architecture diagram: the Runtime receives the OCI cmd/spec and talks gRPC to one Shim per Container Command and per Container Exec; the Shims relay the container's I/O. The Runtime reaches the Agent inside the Virtual Machine over a Hypervisor VSOCK socket (gRPC); the Agent runs next to the guest Kernel and creates the Container namespaces inside the VM.]
*Other names and brands may be claimed as the property of others.
22. Kata Container Networking
[Networking diagram: the Kubernetes* Overlay Network reaches the Pod through a veth pair whose pod-side endpoint sits in the Container networking namespace; inside that namespace a Linux Bridge, tc mirror or MacVTAP connects the veth to a Tap device, and the Tap is the Virtual Machine's network interface.]
*Other names and brands may be claimed as the property of others.
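The "tc mirror" path on the networking slide links the pod's veth endpoint to the tap device that backs the VM with two tc mirred redirects, one per direction. The script below is an added example and not Kata's own code: interface names veth0 and tap0 are placeholders, and the DRY_RUN switch is ours so the commands can be reviewed before they are run (running them needs root inside the container network namespace).

```shell
#!/bin/sh
# Added example (not from the slides): wire a pod's veth endpoint to the tap
# device backing the VM with tc mirred redirects and list the resulting filters.
# veth0 / tap0 are assumed placeholder names. DRY_RUN=1 prints the commands
# instead of executing them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Redirect every frame arriving on SRC to DST. The ingress qdisc has the fixed
# handle ffff:, and the u32 rule "match u8 0 0" matches all packets.
redirect_ingress() {
    src=$1; dst=$2
    run tc qdisc add dev "$src" handle ffff: ingress
    run tc filter add dev "$src" parent ffff: protocol all u32 match u8 0 0 \
        action mirred egress redirect dev "$dst"
}

# Both directions: frames from the overlay (veth) go into the VM (tap) and
# frames leaving the VM go back out through the veth.
mirror_veth_to_tap() {
    redirect_ingress "$1" "$2"
    redirect_ingress "$2" "$1"
}

# Inspection: a correct setup shows exactly one mirred redirect filter on the
# ingress side of each interface, pointing at its peer.
show_redirects() {
    run tc filter show dev "$1" ingress
}
```

Typical use is `mirror_veth_to_tap veth0 tap0` inside the pod's network namespace, followed by `show_redirects veth0` and `show_redirects tap0` to confirm that each interface redirects only to its intended peer.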
26. More Security + Flexibility
● Regulated and sensitive production environments
● Mixed workloads production environments
● Multi-tenant container clusters
● Bare metal infrastructure
● Legacy and cutting edge workloads with kernel-dependent features
29. Key Points
Kata Containers is a secure container runtime with VM isolation.
Seamless integration with Docker and Kubernetes.
Open source project under the OpenStack Foundation, vendor-neutral.
Supports multiple virtualization technologies and platforms; active community.
Mature, production ready, widely deployed.
30. More information about Kata
Source code:
Kata Containers: https://github.com/kata-containers
Documentation:
Kata getting started: https://github.com/kata-containers/documentation/wiki/Developer-Guide
Kata Design requirements: https://github.com/kata-containers/documentation/blob/master/design/kata-design-requirements.md
Clear containers architecture: https://github.com/clearcontainers/runtime/blob/master/docs/architecture/architecture.md
White papers and blogs:
Clear Containers custom kernel per pod: https://asciinema.org/a/146888
Clear Containers and Kubernetes: https://medium.com/cri-o/intel-clear-containers-and-cri-o-70824fb5181
More coming from katacontainers.io
31. Get involved in Kata community
Code and documentation hosted on https://github.com/kata-containers/
Major releases managed through Github* Projects
Apache 2 license
Slack: katacontainers.slack.com
IRC: #kata-dev@freenode
Mailing-list: kata-dev@lists.katacontainers.io
Key Points:
Operating-system-level virtualization
Single Linux Kernel (shared by all containers)
Package applications with the files on which they depend (pre-configured config files, or dependencies like other libraries)
Image-based deployment
Key Points:
Containers make use of kernel technologies – namespaces, cgroups, and advanced file systems
These technologies are used for other things, not just containers
A lot of grey area; a container could run without certain namespaces, without certain cgroups or without an advanced FS
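Slide 5 and the notes above make the point that a container is whatever subset of namespaces and cgroups the engine chose to apply, all on the one shared kernel. The script below is an added example, not part of the slides: it reads /proc on a Linux host to show which namespaces a given process still shares with PID 1 and which cgroup hierarchy it sits in. Under runC every container process appears in the host's /proc and any namespace that was not unshared has the same inode as the host's; under Kata the container processes live inside the guest kernel and never appear in the host's /proc, so there is nothing to compare. The PIDs are supplied by the caller; the cgroup sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the slides): audit which kernel namespaces a process
# shares with PID 1 and read its cgroup path from /proc on Linux.

NS_NAMES="mnt uts ipc net pid user cgroup"

# ns_inode "pid:[4026531836]" -> 4026531836 (the readlink format of /proc/PID/ns/*)
ns_inode() {
    printf '%s\n' "$1" | sed -n 's/^[a-z_]*:\[\([0-9]*\)]$/\1/p'
}

# ns_link PID NAME -> link target of /proc/PID/ns/NAME, empty if not readable
ns_link() {
    readlink "/proc/$1/ns/$2" 2>/dev/null
}

# shared_namespaces PID_A PID_B -> one line per namespace both processes share
shared_namespaces() {
    for ns in $NS_NAMES; do
        a=$(ns_link "$1" "$ns")
        b=$(ns_link "$2" "$ns")
        if [ -n "$a" ] && [ "$a" = "$b" ]; then
            printf '%s\n' "$ns"
        fi
    done
}

# cgroup_path LINE -> the hierarchy path from one /proc/PID/cgroup line, e.g.
# constructed samples "0::/kubepods/burstable/pod1/abc" (cgroup v2) or
# "12:memory:/docker/abc" (cgroup v1)
cgroup_path() {
    printf '%s\n' "$1" | cut -d: -f3-
}

# in_kubepods LINE -> true when the path is under the kubelet's pod hierarchy
in_kubepods() {
    case "$(cgroup_path "$1")" in
        /kubepods*) return 0 ;;
        *) return 1 ;;
    esac
}

# report PID: namespaces shared with PID 1 (host init) and the cgroup paths.
# A container process that still shares net or pid with init is not isolated
# in that dimension, whatever the engine calls it.
report() {
    pid=$1
    printf 'namespaces shared with pid 1:\n'
    shared_namespaces 1 "$pid" | sed 's/^/  /'
    printf 'cgroups:\n'
    while IFS= read -r line; do
        printf '  %s\n' "$(cgroup_path "$line")"
    done < "/proc/$pid/cgroup"
}

[ $# -gt 0 ] && report "$1"
```

Run it as `sh audit_ns.sh <pid>` on the host; for a runC container process the output typically lists `user` and `cgroup` (and anything started with `--net=host` or `--pid=host`), while a Kata container's workload PIDs are not visible on the host at all.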
Key Points:
Hardware emulation via hypervisor and full guest kernel with VMs
Shared kernel resources with Containers
Note the duplicated bins/libs with VMs
Images, as described earlier, allow you to share bins/libs as base-images (layers) that multiple apps can use
Transition:
Let’s compare Containers and VMs a bit more closely
Key Points:
As discussed before; kernel virtualization, not hardware emulation
Can share bin/libs
Minimal system footprint = Hyperdensity
Fast boot, shutdown and reboot times
Maturity: VMs infrastructure has been developed over a decade
Transition:
Let’s take a look at some container concerns or gaps
Key Points:
Containers in VMs – already a lot of tooling/infrastructure for VMs
VMs in Containers
A lot of innovation happening
Transition:
Hopefully now everyone has a good basic concept of what a container is
Key Points:
Security: because you’re not using HW features for isolation, you’re sharing kernel resources
Networking: because now you have massive scale and a lot of moving (create/destroy) parts
Maturity: Not a well known technology; not all infrastructure projects are mature
Compatibility: If applications have kernel dependencies you may have a problem
Kata Containers is an alternative container runtime implementation alongside runC;
both runC and the Kata runtime can be deployed in the same Kubernetes cluster
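Running runC and Kata side by side in one cluster, as the note above and the "Seamless integration with Kubernetes (CRI)" slide describe, is done with a RuntimeClass: pods that name it are handed to the Kata handler, everything else keeps the default runtime. The script below is an added example, not Kata's or Kubernetes' own code. It assumes the node's CRI (containerd or CRI-O) already has a runtime handler named "kata" configured; the RuntimeClass name, pod name and image are ours.

```shell
#!/bin/sh
# Added example (not from the slides): register Kata as a second runtime next
# to runC, run one pod under it, and check that the pod really sees its own
# guest kernel. Assumes a CRI runtime handler called "kata" exists on the node.

# RuntimeClass manifest: pods with runtimeClassName "kata" go to the CRI
# handler "kata"; pods that select nothing keep the default (runC).
kata_runtimeclass_manifest() {
    cat <<'EOF'
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
EOF
}

# Pod manifest for NAME running IMAGE under the kata RuntimeClass. The image
# and command are the same as for a runC pod; only runtimeClassName differs,
# which is the "no container image changes" point from the slides.
kata_pod_manifest() {
    name=$1; image=$2
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $name
spec:
  runtimeClassName: kata
  containers:
  - name: app
    image: $image
    command: ["sleep", "3600"]
EOF
}

# Apply both manifests (needs kubectl and cluster access).
apply_kata_pod() {
    kata_runtimeclass_manifest | kubectl apply -f -
    kata_pod_manifest "$1" "$2" | kubectl apply -f -
}

# Compare the kernel reported inside the pod with the kernel of the node that
# runs it. Under runC both strings are identical (shared kernel); under Kata
# the pod reports the guest kernel. Returns success when they differ.
pod_kernel_differs_from_node() {
    pod=$1
    node=$(kubectl get pod "$pod" -o jsonpath='{.spec.nodeName}')
    node_kernel=$(kubectl get node "$node" -o jsonpath='{.status.nodeInfo.kernelVersion}')
    pod_kernel=$(kubectl exec "$pod" -- uname -r)
    printf 'node kernel: %s\npod kernel:  %s\n' "$node_kernel" "$pod_kernel"
    [ "$node_kernel" != "$pod_kernel" ]
}
```

Usage: `apply_kata_pod demo busybox` followed by `pod_kernel_differs_from_node demo` once the pod is Running; a pod that shows the node's kernel string was not started under Kata, usually because the RuntimeClass handler name does not match the CRI configuration on that node. The same selection with Docker (Kata 1.x naming) is `docker run --runtime kata-runtime ...` after the runtime is registered in daemon.json.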
The Clear Containers project started in 2015; its goal was to address security concerns within containers through Intel® Virtualization Technology (VT)
Kata means trust in Greek
Kata Containers are as light and fast as containers and integrate with the container management layers, while also delivering the security advantages of VMs.
The technology is designed to be architecture agnostic and compatible with the Container Runtime Interface (CRI), and integrates with multiple software stacks (OpenStack, Kubernetes, Docker etc.).
QEMU supports many virtualized devices and legacy platform architectures and systems.
BIOS optimization with a limited set of virtualized devices.
The guest OS is where the container actually runs.
Clear Linux fast boot.
Two types of storage in a container: the container image and container volumes.