Kata Containers
The speed of containers, the security of VMs
Jin, Yuntong
Intel Open Technology Center
Agenda
 Linux Containers Overview
 Container VS VM
 Kata Container Project Overview
 Kata Container Architecture and Design
 Kata Container Use Case
Linux* Containers Definition(s)
● LXC (Linux* Containers) is an operating-system-level virtualization method for running multiple
isolated Linux systems (containers) on a control host using a single Linux kernel. – Wikipedia
(https://en.wikipedia.org/wiki/LXC)
● Linux containers keep applications and their runtime components together by combining
lightweight application isolation with an image-based deployment method. Containers package
applications with the files on which they depend. This reduces the friction between development
and operations, simplifies application deployment, and accelerates delivery cycles--allowing you
to deliver value to customers faster. – Red Hat* (https://www.redhat.com/en/insights/containers)
Containers Use Linux* Kernel Technologies
(Slide diagram: a Container Engine in User Space runs many Containers side by side; all of them rely on three Kernel Space technologies.)
● Namespaces (MNT, IPC, NET, PID, UTS): isolated networking namespace for each container instance
● Control Groups (blkio, Devices, Memory, CPU): assign, limit and monitor system resources for each container instance
● Advanced File Systems (btrfs, AUFS, Device Mapper, UnionFS): fast root file system creation and layered changes
*Other names and brands may be claimed as the property of others
Containers and Virtual Machines
Source: http://www.rightscale.com/blog/cloud-management-best-practices/docker-vs-vms-combining-both-cloud-portability-nirvana
Containers Compared to Virtual Machines
Source: http://searchnetworking.techtarget.com/feature/Container-networking-offers-opportunity-to-simplify-networks
Containers and Virtual Machines
 Containers and Virtual Machines are not Mutually Exclusive
 Containers in Virtual Machines
The containers can be created/destroyed on multiple VMs and the VMs can migrate between physical
servers using existing VM infrastructure (e.g., OpenStack*)
 Virtual Machines in Containers
Make use of resource management technologies (kernel: cgroups, namespaces)
Make use of build and deployment tools (simple Container creation syntax, Container infrastructure)
Container Concerns
● Security
Isolation from malicious neighbors
● Compatibility
Application compatibility with kernel versions
● Networking
Support for massive interconnectivity
● Maturity
Completeness of infrastructure, compatibility and interoperability in the ecosystem
Traditional Containers
(Slide diagram: Container A, Container B and Container C, each holding an App and its Middleware, all share one Linux* Kernel running on the Server Hardware.)
Kata Container - Hypervisor Based Containers
(Slide diagram: Container A, B and C each run their App and Middleware on their own guest kernel, Linux Kernel A, B and C, inside a separate Virtual Machine; the VMs run on the host Linux* Kernel and the Server Hardware.)
● Each container/pod is hypervisor isolated
● As secure as a VM
● As fast as a container
● OCI spec compatible
● Seamless integration with the container ecosystem and management layers
● No changes needed to container images
CRI-O and Kata Containers
(Slide diagram: the Kubelet talks to CRI-O over the Container Runtime Interface (CRI); CRI-O starts a Pod either with runc, or with kata-runtime, in which case the Pod runs inside a VM.)
History
(Slide timeline: Intel® Clear Containers, May 2015; Dec 2017.)
Technical Vision
 Light and fast VM-based containers
 OCI compatible container runtime
 No changes needed to container images
 Seamless integration with Kubernetes (CRI), Docker and OpenStack
 Seamless integration with all major networking plugins
 Support multiple architectures (x86, ARM, System Z, Power)
 Support multiple hypervisors (KVM/QEMU, Firecracker, ACRN)
Non-Technical Goals
 Open and vendor-neutral project
 All VM based containers, users and consumers under the same project
 Managed at the OpenStack Foundation*
 Independent from the OpenStack* software project
Kata Containers
Architecture and Design
(Slide diagram, original design: the Runtime receives the OCI cmd/spec and the I/O and starts the Hypervisor; inside the Virtual Machine a guest Kernel runs the Agent. The Runtime and a per-container Shim, which holds the container namespaces and carries the Container Command and Container Exec, each speak gRPC to a Proxy, and the Proxy carries that traffic as gRPC over Yamux across the hypervisor serial interface to the Agent.)
(Slide diagram, VSOCK design: the same components without the Proxy; the Runtime and the Shim speak gRPC directly to the Agent over the hypervisor VSOCK socket.)
Kata Container Networking
(Slide diagram: the Pod's container networking namespace holds the veth pair that connects it to the Kubernetes* Overlay Network; inside that namespace a Tap device is attached to the Virtual Machine and is joined to the veth end by a Linux Bridge, by a tc mirror rule, or by MacVTAP.)
Kata Container Storage
(Slide diagram: inside the Virtual Machine, Container 1 and Container 2 each see a Rootfs Overlay and a Volume; each of the four is shared from the host into the VM over 9pfs, virtio-blk or virtio-fs. The numbered callouts of the graphic are not reproduced.)
More Security + Flexibility
● Regulated and sensitive production environments
● Mixed workloads production environments
● Multi-tenant container clusters
● Bare metal infrastructure
● Legacy and cutting edge workloads with kernel-dependent features
Multi-tenant Kubernetes*
(Slide diagram: on the IaaS layer, each tenant has its own k8s cluster whose Pods, each holding several containers, run inside VMs; on the CaaS layer, one shared k8s cluster places every Pod in its own VM.)
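As an added example that is not from the deck or the Kata Containers project: a small Python audit over pod manifests that checks, for namespaces hosting untrusted tenants, that each pod names the RuntimeClass routing it to kata-runtime instead of silently taking the default runc path shown on the CRI-O slide. The RuntimeClass name "kata", the namespace label and the sample manifests are constructed assumptions.

```python
"""Audit pod manifests in a multi-tenant Kubernetes cluster for VM isolation.

Added example, not code from the Kata Containers project.  With CRI-O, a pod
is started by kata-runtime only when it names a RuntimeClass whose handler
matches a runtime configured in CRI-O; a pod without runtimeClassName falls
back to the cluster default (runc, namespace isolation only).  The RuntimeClass
name, the namespace label and the sample objects below are assumptions.
"""
import json

# Assumed name of the RuntimeClass operators registered for kata-runtime.
KATA_RUNTIME_CLASS = "kata"
# Assumed namespace label marking namespaces that host untrusted tenants.
ISOLATION_LABEL = "tenancy.example.com/isolation"
ISOLATION_VALUE = "vm"


def runtime_class_manifest(name=KATA_RUNTIME_CLASS, handler="kata"):
    """Build the RuntimeClass object a pod must reference to reach kata-runtime.

    'handler' must equal the runtime name configured in CRI-O (its
    [crio.runtime.runtimes.<handler>] table); "kata" is an assumed value.
    """
    return {
        "apiVersion": "node.k8s.io/v1",
        "kind": "RuntimeClass",
        "metadata": {"name": name},
        "handler": handler,
    }


def pod_runtime_class(pod):
    """RuntimeClass a pod requests, or None when it gets the cluster default."""
    return pod.get("spec", {}).get("runtimeClassName")


def namespace_requires_vm_isolation(namespace):
    """True when the namespace is labelled as hosting untrusted tenants."""
    labels = namespace.get("metadata", {}).get("labels") or {}
    return labels.get(ISOLATION_LABEL) == ISOLATION_VALUE


def audit(namespaces, pods):
    """Return (namespace, pod, reason) for every pod in a VM-isolation
    namespace that would not be started by kata-runtime."""
    ns_by_name = {ns["metadata"]["name"]: ns for ns in namespaces}
    findings = []
    for pod in pods:
        meta = pod.get("metadata", {})
        ns_name = meta.get("namespace", "default")
        namespace = ns_by_name.get(ns_name)
        if namespace is None or not namespace_requires_vm_isolation(namespace):
            continue
        requested = pod_runtime_class(pod)
        if requested is None:
            findings.append((ns_name, meta.get("name"),
                             "no runtimeClassName: falls back to the default runtime (runc)"))
        elif requested != KATA_RUNTIME_CLASS:
            findings.append((ns_name, meta.get("name"),
                             f"runtimeClassName {requested!r} is not {KATA_RUNTIME_CLASS!r}"))
    return findings


# Constructed sample objects, not taken from any real cluster.
SAMPLE_NAMESPACES = [
    {"metadata": {"name": "tenant-a", "labels": {ISOLATION_LABEL: ISOLATION_VALUE}}},
    {"metadata": {"name": "platform", "labels": {}}},
]
SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "tenant-a"},
     "spec": {"runtimeClassName": "kata", "containers": [{"name": "web", "image": "nginx"}]}},
    {"metadata": {"name": "batch", "namespace": "tenant-a"},
     "spec": {"containers": [{"name": "job", "image": "busybox"}]}},
    {"metadata": {"name": "cache", "namespace": "tenant-a"},
     "spec": {"runtimeClassName": "runc-fast", "containers": [{"name": "redis", "image": "redis"}]}},
    {"metadata": {"name": "ci", "namespace": "platform"},
     "spec": {"containers": [{"name": "runner", "image": "alpine"}]}},
]


if __name__ == "__main__":
    print(json.dumps(runtime_class_manifest(), indent=2))
    for ns_name, pod_name, reason in audit(SAMPLE_NAMESPACES, SAMPLE_PODS):
        print(f"{ns_name}/{pod_name}: {reason}")
```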
Key Points
 Kata Containers is a secure container runtime with VM isolation.
 Seamless integration with Docker and Kubernetes.
 Open source project under the OpenStack Foundation, vendor-neutral.
 Supports multiple virtualization technologies and platforms; active community.
 Mature, production ready, widely deployed.
More information about Kata
 Source code:
Kata Containers: https://github.com/kata-containers
 Documentation:
Kata getting started: https://github.com/kata-containers/documentation/wiki/Developer-Guide
Kata Design requirements: https://github.com/kata-containers/documentation/blob/master/design/kata-design-requirements.md
Clear containers architecture: https://github.com/clearcontainers/runtime/blob/master/docs/architecture/architecture.md
 White papers and blogs:
Clear Containers custom kernel per pod: https://asciinema.org/a/146888
Clear Containers and Kubernetes: https://medium.com/cri-o/intel-clear-containers-and-cri-o-70824fb5181
More coming from katacontainers.io
Get involved in Kata community
 Code and documentation hosted on https://github.com/kata-containers/
 Major releases managed through Github* Projects
 Apache 2 license
 Slack: katacontainers.slack.com
 IRC: #kata-dev@freenode
 Mailing-list: kata-dev@lists.katacontainers.io
Thank you!
Notices and Disclaimers
● No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this
document.
● Intel disclaims all express and implied warranties, including without limitation, the implied warranties of
merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from
course of performance, course of dealing, or usage in trade.
● Intel technologies’ features and benefits depend on system configuration and may require enabled hardware,
software or service activation. Performance varies depending on system configuration. No computer system can
be absolutely secure. Check with your system manufacturer or retailer or learn more.
● The products described may contain design defects or errors known as errata which may cause the product to
deviate from published specifications. Current characterized errata are available on request.
● Intel, the Intel logo are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries.
● *Other names and brands may be claimed as the property of others.
● ©2019 Intel Corporation

More Related Content

What's hot

What's hot (20)

Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
OpenShift Introduction
OpenShift IntroductionOpenShift Introduction
OpenShift Introduction
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
Red Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform OverviewRed Hat OpenShift Container Platform Overview
Red Hat OpenShift Container Platform Overview
 
How to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratchHow to build a Kubernetes networking solution from scratch
How to build a Kubernetes networking solution from scratch
 
Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)Kubernetes: A Short Introduction (2019)
Kubernetes: A Short Introduction (2019)
 
Room 2 - 1 - Phạm Quang Minh - A real DevOps culture in practice
Room 2 - 1 - Phạm Quang Minh - A real DevOps culture in practiceRoom 2 - 1 - Phạm Quang Minh - A real DevOps culture in practice
Room 2 - 1 - Phạm Quang Minh - A real DevOps culture in practice
 
Kubernetes Introduction
Kubernetes IntroductionKubernetes Introduction
Kubernetes Introduction
 
OpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdfOpenShift-Technical-Overview.pdf
OpenShift-Technical-Overview.pdf
 
Ceph Introduction 2017
Ceph Introduction 2017  Ceph Introduction 2017
Ceph Introduction 2017
 
Kubernetes PPT.pptx
Kubernetes PPT.pptxKubernetes PPT.pptx
Kubernetes PPT.pptx
 
An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
 
Introduction and Deep Dive Into Containerd
Introduction and Deep Dive Into ContainerdIntroduction and Deep Dive Into Containerd
Introduction and Deep Dive Into Containerd
 
Kubernetes Networking
Kubernetes NetworkingKubernetes Networking
Kubernetes Networking
 
Introduction to Kubernetes Workshop
Introduction to Kubernetes WorkshopIntroduction to Kubernetes Workshop
Introduction to Kubernetes Workshop
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
 
DevOps with Kubernetes
DevOps with KubernetesDevOps with Kubernetes
DevOps with Kubernetes
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
 
OpenShift Virtualization - VM and OS Image Lifecycle
OpenShift Virtualization - VM and OS Image LifecycleOpenShift Virtualization - VM and OS Image Lifecycle
OpenShift Virtualization - VM and OS Image Lifecycle
 
Kubernetes
KubernetesKubernetes
Kubernetes
 

Similar to Kata Container - The Security of VM and The Speed of Container | Yuntong Jin

kata-containers-onboarding-deck.pptx
kata-containers-onboarding-deck.pptxkata-containers-onboarding-deck.pptx
kata-containers-onboarding-deck.pptx
QforQA
 

Similar to Kata Container - The Security of VM and The Speed of Container | Yuntong Jin (20)

Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017
 
Dev opsec dockerimage_patch_n_lifecyclemanagement_
Dev opsec dockerimage_patch_n_lifecyclemanagement_Dev opsec dockerimage_patch_n_lifecyclemanagement_
Dev opsec dockerimage_patch_n_lifecyclemanagement_
 
Oscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby projectOscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby project
 
Docker Application to Scientific Computing
Docker Application to Scientific ComputingDocker Application to Scientific Computing
Docker Application to Scientific Computing
 
Kubernetes
KubernetesKubernetes
Kubernetes
 
WSO2Con USA 2015: Revolutionizing WSO2 PaaS with Kubernetes & App Factory
WSO2Con USA 2015: Revolutionizing WSO2 PaaS with Kubernetes & App FactoryWSO2Con USA 2015: Revolutionizing WSO2 PaaS with Kubernetes & App Factory
WSO2Con USA 2015: Revolutionizing WSO2 PaaS with Kubernetes & App Factory
 
kata-containers-onboarding-deck.pptx
kata-containers-onboarding-deck.pptxkata-containers-onboarding-deck.pptx
kata-containers-onboarding-deck.pptx
 
給 RD 的 Kubernetes 初體驗
給 RD 的 Kubernetes 初體驗給 RD 的 Kubernetes 初體驗
給 RD 的 Kubernetes 初體驗
 
Diving Through The Layers: Investigating runc, containerd, and the Docker eng...
Diving Through The Layers: Investigating runc, containerd, and the Docker eng...Diving Through The Layers: Investigating runc, containerd, and the Docker eng...
Diving Through The Layers: Investigating runc, containerd, and the Docker eng...
 
Container Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's EnginesContainer Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's Engines
 
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise KubernetesMongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
MongoDB World 2018: Partner Talk - Red Hat: Deploying to Enterprise Kubernetes
 
Kata containers workshop_openinfrasummit_denver_may2019
Kata containers workshop_openinfrasummit_denver_may2019Kata containers workshop_openinfrasummit_denver_may2019
Kata containers workshop_openinfrasummit_denver_may2019
 
Revolutionizing WSO2 PaaS with Kubernetes & App Factory
Revolutionizing WSO2 PaaS with Kubernetes & App FactoryRevolutionizing WSO2 PaaS with Kubernetes & App Factory
Revolutionizing WSO2 PaaS with Kubernetes & App Factory
 
Webinar container management in OpenStack
Webinar container management in OpenStackWebinar container management in OpenStack
Webinar container management in OpenStack
 
Cloud Native Landscape (CNCF and OCI)
Cloud Native Landscape (CNCF and OCI)Cloud Native Landscape (CNCF and OCI)
Cloud Native Landscape (CNCF and OCI)
 
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + KubernetesDocker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
Docker Dublin Meetup | 22 Feb 2018 | Docker + Kubernetes
 
Moby KubeCon 2017
Moby KubeCon 2017Moby KubeCon 2017
Moby KubeCon 2017
 
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
Building Distributed Systems without Docker, Using Docker Plumbing Projects -...
 
Demystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data ScientistsDemystifying Containerization Principles for Data Scientists
Demystifying Containerization Principles for Data Scientists
 
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
Microservices , Docker , CI/CD , Kubernetes Seminar - Sri Lanka
 

More from Vietnam Open Infrastructure User Group

More from Vietnam Open Infrastructure User Group (20)

Room 3 - 5 - Nguyễn Văn Hoàn - 101 Bugs, issues when I work with Ceph
Room 3 - 5 - Nguyễn Văn Hoàn - 101 Bugs, issues when I work with CephRoom 3 - 5 - Nguyễn Văn Hoàn - 101 Bugs, issues when I work with Ceph
Room 3 - 5 - Nguyễn Văn Hoàn - 101 Bugs, issues when I work with Ceph
 
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
Room 2 - 3 - Nguyễn Hoài Nam & Nguyễn Việt Hùng - Terraform & Pulumi Comparin...
 
Room 3 - 6 - Nguyễn Văn Thắng & Dzung Nguyen - Ứng dụng openzfs làm lưu trữ t...
Room 3 - 6 - Nguyễn Văn Thắng & Dzung Nguyen - Ứng dụng openzfs làm lưu trữ t...Room 3 - 6 - Nguyễn Văn Thắng & Dzung Nguyen - Ứng dụng openzfs làm lưu trữ t...
Room 3 - 6 - Nguyễn Văn Thắng & Dzung Nguyen - Ứng dụng openzfs làm lưu trữ t...
 
Room 3 - 4 - Lê Quang Hiếu - How to be a cool dad: Leverage DIY Home Automati...
Room 3 - 4 - Lê Quang Hiếu - How to be a cool dad: Leverage DIY Home Automati...Room 3 - 4 - Lê Quang Hiếu - How to be a cool dad: Leverage DIY Home Automati...
Room 3 - 4 - Lê Quang Hiếu - How to be a cool dad: Leverage DIY Home Automati...
 
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
Room 3 - 2 - Trần Tuấn Anh - Defending Software Supply Chain Security in Bank...
 
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
Room 3 - 1 - Nguyễn Xuân Trường Lâm - Zero touch on-premise storage infrastru...
 
Room 2 - 2 - Giang Thiên Phú - Kinh nghiệm tối ưu mongodb với database hơn 10...
Room 2 - 2 - Giang Thiên Phú - Kinh nghiệm tối ưu mongodb với database hơn 10...Room 2 - 2 - Giang Thiên Phú - Kinh nghiệm tối ưu mongodb với database hơn 10...
Room 2 - 2 - Giang Thiên Phú - Kinh nghiệm tối ưu mongodb với database hơn 10...
 
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
Room 2 - 4 - Juncheng Anthony Lin - Redhat - A Practical Approach to Traditio...
 
Room 2 - 7 - Lã Mạnh Hà - Agile + DevOps = A great combination
Room 2 - 7 - Lã Mạnh Hà - Agile + DevOps = A great combinationRoom 2 - 7 - Lã Mạnh Hà - Agile + DevOps = A great combination
Room 2 - 7 - Lã Mạnh Hà - Agile + DevOps = A great combination
 
Room 2 - 5 - Seong Soo - NHN Cloud - Upstream contribution mentoring program ...
Room 2 - 5 - Seong Soo - NHN Cloud - Upstream contribution mentoring program ...Room 2 - 5 - Seong Soo - NHN Cloud - Upstream contribution mentoring program ...
Room 2 - 5 - Seong Soo - NHN Cloud - Upstream contribution mentoring program ...
 
Room 1 - 2 - Nguyễn Văn Thắng & Dzung Nguyen - Proxmox VE và ZFS over iscsi
Room 1 - 2 - Nguyễn Văn Thắng & Dzung Nguyen - Proxmox VE và ZFS over iscsiRoom 1 - 2 - Nguyễn Văn Thắng & Dzung Nguyen - Proxmox VE và ZFS over iscsi
Room 1 - 2 - Nguyễn Văn Thắng & Dzung Nguyen - Proxmox VE và ZFS over iscsi
 
Room 1 - 6 - Trần Quốc Sang - Autoscaling for multi cloud platform based on S...
Room 1 - 6 - Trần Quốc Sang - Autoscaling for multi cloud platform based on S...Room 1 - 6 - Trần Quốc Sang - Autoscaling for multi cloud platform based on S...
Room 1 - 6 - Trần Quốc Sang - Autoscaling for multi cloud platform based on S...
 
Room 1 - 3 - Lê Anh Tuấn - Build a High Performance Identification at GHTK wi...
Room 1 - 3 - Lê Anh Tuấn - Build a High Performance Identification at GHTK wi...Room 1 - 3 - Lê Anh Tuấn - Build a High Performance Identification at GHTK wi...
Room 1 - 3 - Lê Anh Tuấn - Build a High Performance Identification at GHTK wi...
 
Room 1 - 5 - Thủy Đặng - Load balancing k8s services on baremetal with Cilium...
Room 1 - 5 - Thủy Đặng - Load balancing k8s services on baremetal with Cilium...Room 1 - 5 - Thủy Đặng - Load balancing k8s services on baremetal with Cilium...
Room 1 - 5 - Thủy Đặng - Load balancing k8s services on baremetal with Cilium...
 
Room 1 - 1 - Benoit TELLIER - On premise email inbound service with Apache James
Room 1 - 1 - Benoit TELLIER - On premise email inbound service with Apache JamesRoom 1 - 1 - Benoit TELLIER - On premise email inbound service with Apache James
Room 1 - 1 - Benoit TELLIER - On premise email inbound service with Apache James
 
Phiên sáng - 05 - Chia sẻ về Open Infrastructure trên thế giới
Phiên sáng - 05 - Chia sẻ về Open Infrastructure trên thế giớiPhiên sáng - 05 - Chia sẻ về Open Infrastructure trên thế giới
Phiên sáng - 05 - Chia sẻ về Open Infrastructure trên thế giới
 
Phiên sáng - 06 - Thúc đẩy phát triển với Hệ sinh thái Cloud mở
Phiên sáng - 06 - Thúc đẩy phát triển với Hệ sinh thái Cloud mởPhiên sáng - 06 - Thúc đẩy phát triển với Hệ sinh thái Cloud mở
Phiên sáng - 06 - Thúc đẩy phát triển với Hệ sinh thái Cloud mở
 
Phiên sáng - 02 - Khai mạc và phát biểu của VIA và VietOpenInfra
Phiên sáng - 02 - Khai mạc và phát biểu của VIA và VietOpenInfraPhiên sáng - 02 - Khai mạc và phát biểu của VIA và VietOpenInfra
Phiên sáng - 02 - Khai mạc và phát biểu của VIA và VietOpenInfra
 
Packaging Strategy for Community Openstack and Implementation Reference | Hoj...
Packaging Strategy for Community Openstack and Implementation Reference | Hoj...Packaging Strategy for Community Openstack and Implementation Reference | Hoj...
Packaging Strategy for Community Openstack and Implementation Reference | Hoj...
 
Unrevealed Story Behind Viettel Network Cloud Hotpot | Đặng Văn Đại, Hà Mạnh ...
Unrevealed Story Behind Viettel Network Cloud Hotpot | Đặng Văn Đại, Hà Mạnh ...Unrevealed Story Behind Viettel Network Cloud Hotpot | Đặng Văn Đại, Hà Mạnh ...
Unrevealed Story Behind Viettel Network Cloud Hotpot | Đặng Văn Đại, Hà Mạnh ...
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 

Recently uploaded (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 

Kata Container - The Security of VM and The Speed of Container | Yuntong Jin

  • 1. Kata Containers The speed of containers, the security of VMs Jin, Yuntong Intel Open Technology Center
  • 2. Agenda  Linux Containers Overview  Container VS VM  Kata Container Project Overview  Kata Container Architecture and Design  Kata Container Use Case
  • 3.
  • 4. Linux* Containers Definition(s) ● LXC (Linux* Containers) is an operating-system-level virtualization method for running multiple isolated Linux systems (containers) on a control host using a single Linux kernel. – Wikipedia (https://en.wikipedia.org/wiki/LXC) ● Linux containers keep applications and their runtime components together by combining lightweight application isolation with an image-based deployment method. Containers package applications with the files on which they depend. This reduces the friction between development and operations, simplifies application deployment, and accelerates delivery cycles--allowing you to deliver value to customers faster. – Red Hat* (https://www.redhat.com/en/insights/containers)
  • 5. Containers Use Linux* Kernel Technologies Namespaces MN T IPC NET PID UTS Isolated networking namespace for each container instance Control Groups blkio Device s Memory CP U Assign, limit and monitor system resources for each container instance Advanced File Systems Fast root files system creation and layered changes btrfs AUFS Device Mapper UnionFS User Space Kernel Space Container Engine Container Container Container Container Container Container Container *Other names and brands may be claimed as the property of others
  • 6.
  • 7. Containers and Virtual Machines Source: http://www.rightscale.com/blog/cloud-management-best-practices/docker-vs-vms-combining-both-cloud-portability-nirvana
  • 8. Containers Compared to Virtual Machines Source: http://searchnetworking.techtarget.com/feature/Container-networking-offers-opportunity-to-simplify-networks
  • 9. Containers and Virtual Machines  Containers and Virtual Machines are not Mutually Exclusive  Containers in Virtual Machines The containers can be created/destroyed on multiple VMs and the VMs can migrate between physical servers using existing VM infrastructure (e.g., OpenStack*)  Virtual Machines in Containers Make use of resource management technologies (kernel: c groups, namespaces) Make use of build and deployment tools (simple Container creation syntax, Container infrastructure) *Other names and brands may be claimed as the property of others
  • 10. Container Concerns ● Security Isolation from malicious neighbors ● Compatibility Application compatibility with kernel versions ● Networking Support for massive interconnectivity ● Maturity Completeness of infrastructure, Compatibility and Interoperability in ecosystem
  • 11.
  • 12. Tradition Containers App A Middleware A App B Middleware B App C Middleware C Server Hardware Container A Container B Container C Linux * Kernel
  • 13. Kata Container - Hypervisor Based Containers App A Middleware A Linux* Kernel Server Hardware Container A Container B Container C Linux Kernel A Virtual Machine App B Middleware B Linux Kernel B Virtual Machine App C Middleware C Linux Kernel C Virtual Machine ● Each container/pod is hypervisor isolated ● As secure as a VM ● As fast as a container ● OCI spec compatible ● Seamless integration with the container ecosystem and management layers ● No need any changes for container images
  • 14. Kubelet Container Runtime Interface (CRI) CRI-O runc kata-runtime Pod VM Pod CRI-O and Kata Containers
  • 15. History Intel® Clear Containers May 2015 Dec 2017 *Other names and brands may be claimed as the property of others. *
  • 16. Technical Vision  Light and fast VM-based containers  OCI compatible container runtime  No need container images changes  Seamless integration with Kubernetes (CRI), Docker and OpenStack  Seamless integration with all major networking plugins  Support multiple architectures (x86, ARM, System Z, Power)  Support multiple hypervisors (KVM/QEMU, Firecracker, ACRN)
  • 17. Non-Technical Goals *Other names and brands may be claimed as the property of others.  Open and vendor-neutral project  All VM based containers, users and consumers under the same project  Managed at the OpenStack Foundation*  Independent from the OpenStack* software project
  • 19.
  • 20. Hypervisor Shim Proxy Agent Kernel Virtual Machine Runtime I/O OCI cmd/spec gRPC over Yamux gRPC gRPC Shim Container namespaces Container Command Container Exec Hypervisor serial interface
  • 21. Hypervisor Shim Agent Kernel Virtual Machine Runtime I/O OCI cmd/spec gRPC gRPC Shim Container namespaces Container Command Container Exec Hypervisor VSOCK socket *Other names and brands may be claimed as the property of others.
  • 22. Linux Bridge Kata Container Networking Virtual Machine Pod Tap Container networking namespace Kubernetes* Overlay Network veth pair tc mirror *Other names and brands may be claimed as the property of others. MacVTAP
  • 23. Kata Container Storage Virtual Machine Container 1 Rootfs Overlay Container 2 Rootfs Overlay 9pfs/virtio-blk/virtio-fs 9pfs/virtio-blk/virtio-fs 9pfs/virtio- blk/virtio-fs 9pfs/virtio- blk/virtio-fs Container 1 Volume Container 2 Volume
  • 25.
  • 26. More Security + Flexibility Regulated and sensitive production environments Mixed workloads production environments Multi-tenant container clusters Bare metal infrastructure Legacy and cutting edge workloads with kernel-dependent features
  • 29. Key Points
     Kata Containers is a secure container runtime with VM isolation.
     Seamless integration with Docker and Kubernetes.
     Open source project under the OpenStack Foundation, vendor-neutral.
     Supports multiple virtualization technologies and platforms; active community.
     Mature, production ready, widely deployed.
  • 30. More information about Kata
     Source code: Kata Containers: https://github.com/kata-containers
     Documentation: Kata getting started: https://github.com/kata-containers/documentation/wiki/Developer-Guide ; Kata design requirements: https://github.com/kata-containers/documentation/blob/master/design/kata-design-requirements.md ; Clear Containers architecture: https://github.com/clearcontainers/runtime/blob/master/docs/architecture/architecture.md
     White papers and blogs: Clear Containers custom kernel per pod: https://asciinema.org/a/146888 ; Clear Containers and Kubernetes: https://medium.com/cri-o/intel-clear-containers-and-cri-o-70824fb5181 ; more coming from katacontainers.io
  • 31. Get involved in the Kata community
     Code and documentation hosted on https://github.com/kata-containers/
     Major releases managed through GitHub* Projects
     Apache 2 license
     Slack: katacontainers.slack.com
     IRC: #kata-dev@freenode
     Mailing list: kata-dev@lists.katacontainers.io
  • 33. Notices and Disclaimers ● No license (express or implied, by estoppel or otherwise) to any intellectual property rights is granted by this document. ● Intel disclaims all express and implied warranties, including without limitation, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement, as well as any warranty arising from course of performance, course of dealing, or usage in trade. ● Intel technologies’ features and benefits depend on system configuration and may require enabled hardware, software or service activation. Performance varies depending on system configuration. No computer system can be absolutely secure. Check with your system manufacturer or retailer or learn more. ● The products described may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. ● Intel, the Intel logo are trademarks of Intel Corporation or its subsidiaries in the U.S. and/or other countries. ● *Other names and brands may be claimed as the property of others. ● ©2019 Intel Corporation

Editor's Notes

  1. Key Points: operating-system-level virtualization; a single Linux kernel shared by all containers; applications are packaged with the files on which they depend (pre-configured config files, or dependencies such as other libraries); image-based deployment.
  2. Key Points: containers make use of kernel technologies (namespaces, cgroups and advanced file systems); these technologies are used for other things, not just containers; there is a lot of grey area: a container could run without certain namespaces, without certain cgroups or without an advanced FS.
  3. Key Points: hardware emulation via a hypervisor and a full guest kernel with VMs; shared kernel resources with containers; note the duplicated bins/libs with VMs; images, as described earlier, allow you to share bins/libs as base images (layers) that multiple apps can use. Transition: let’s compare containers and VMs a bit more closely.
  4. Key Points: as discussed before, kernel virtualization, not hardware emulation; can share bins/libs; minimal system footprint = hyperdensity; fast boot, shutdown and reboot times; maturity: VM infrastructure has been developed over a decade. Transition: let’s take a look at some container concerns or gaps.
  5. Key Points: containers in VMs (there is already a lot of tooling/infrastructure for VMs); VMs in containers; a lot of innovation happening. Transition: hopefully everyone now has a good basic concept of what a container is.
  6. Key Points: security: because you’re not using HW features for isolation, you’re sharing kernel resources; networking: because you now have massive scale and a lot of moving (create/destroy) parts; maturity: not a well-known technology, and not all infrastructure projects are mature; compatibility: if applications have kernel dependencies you may have a problem.
  7. Kata Containers is an alternative container runtime implementation to runc; both runc and the Kata runtime can be deployed in the same Kubernetes cluster.
  8. The Clear Containers project started in 2015; the project goal was to address security concerns within containers through Intel® Virtualization Technology (VT). "Kata" means trust in Greek.
  9. Kata Containers are as light and fast as containers and integrate with the container management layers, while also delivering the security advantages of VMs. The technology is designed to be architecture agnostic and compatible with the Container Runtime Interface (CRI), and integrates with multiple software stacks (OpenStack, Kubernetes, Docker, etc.).
  10. QEMU supports hundreds of virtualized devices and legacy platform architectures and systems; BIOS optimization with a limited set of virtualized devices. The guest OS is where the container actually runs; Clear Linux provides fast boot.
  11. Two types of storage in a container: the container image and the container volume.
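Slide 14 and editor's note 7 state that runc and kata-runtime can be deployed side by side in one Kubernetes cluster behind CRI-O; the Kubernetes mechanism that selects the runtime per pod is RuntimeClass. The manifests below are an added example and are not part of the deck or of the Kata project's own code. They assume the CRI runtime (CRI-O in the slide) has a runtime handler named `kata` that points at kata-runtime, and that nodes with Kata installed carry the label `katacontainers.io/kata-runtime=true`; both the handler name and the label are assumptions that must match your deployment.

```yaml
# Added example (not from the slides): register kata-runtime as a Kubernetes
# RuntimeClass and run one pod in a VM while another pod keeps using runc.
# Assumed: the CRI runtime exposes a handler named "kata", and Kata-capable
# nodes are labelled katacontainers.io/kata-runtime=true (label name assumed).
apiVersion: node.k8s.io/v1         # use node.k8s.io/v1beta1 on clusters older than 1.20
kind: RuntimeClass
metadata:
  name: kata
handler: kata                      # must equal the runtime name configured in CRI-O/containerd
scheduling:
  nodeSelector:                    # keep Kata pods off nodes that cannot boot the VM
    katacontainers.io/kata-runtime: "true"
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-web              # sample workload name
spec:
  runtimeClassName: kata           # this pod gets its own VM and guest kernel
  containers:
    - name: web
      image: nginx:1.25            # unchanged OCI image: Kata needs no image changes
      ports:
        - containerPort: 80
---
apiVersion: v1
kind: Pod
metadata:
  name: trusted-batch              # sample workload name
spec:                              # no runtimeClassName: default handler (runc) applies
  containers:
    - name: job
      image: busybox:1.36
      command: ["sh", "-c", "echo running on the shared host kernel; sleep 3600"]
```

Apply with `kubectl apply -f` and verify the isolation boundary rather than trusting the label: `kubectl exec untrusted-web -- uname -r` should report the guest kernel shipped with Kata, which differs from the node's kernel, while the same command in `trusted-batch` returns the node's kernel version because runc shares it. The `scheduling.nodeSelector` is what stops a Kata pod from being scheduled, and then failing, on a node where only runc is present.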