Removing the Lid on Kata Containers


To find out more about the Kata Containers project, including how they compare to other solutions, and recent developments, I spoke with the team.


Have you heard of Kata Containers? If not, chances are you probably will soon.

Kata Containers aims to combine the ease, lightness, and speed of containers with the workload isolation and security of VMs.

Even though the Kata Containers project is in its formational stages, its technical basis, Intel Clear Containers and Hyper.sh runV, is already used at enterprise scale by global organizations like JD.com, China's largest eCommerce company (by revenue).


What Is Kata Containers at a High Level?

Kata Containers is an open source container application runtime engine. It’s a sandbox environment that allows you to run a container application isolated from the rest of the guest operating system. It provides that environment by launching the application inside of a lightweight virtual machine.

How Does the Project Compare to Docker, Rkt, etc. and Why Should a Developer Use Kata Instead?

Container application frameworks are built on layers of abstractions. At the lowest level, you have the container runtime engines. These engines conform to standard APIs and allow you to swap one out for another. The most common of these is runc, the engine developed by Docker.

Rkt, gVisor, and Kata Containers are all container runtime engines, which can replace runc, and that use different underlying tech for creating an application sandbox. Container application engines, like Docker, are built on these runtime engines, and container orchestration engines, like Kubernetes, are built on top of those.

Runtimes like runc and rkt use a collection of Linux security primitives to build the sandbox environment. These include things like namespaces, control groups, and AppArmor, which are pieced together to create the isolation and security model.

Kata takes a different approach, one that uses virtualization as a complete solution for container security. Rather than run an application on a shared host kernel, applications are launched inside of virtual machines with their own strongly isolated process space and virtual hardware. This approach takes advantage of decades of testing and hardening of production virtualization architectures.

What Are the Advantages and Disadvantages of Kata?

The primary advantage of Kata is strong process isolation. Kata uses standard runc containers for each container application, utilizing standard isolation techniques. Kata adds a security layer by launching that environment inside of a lightweight virtual machine. This guarantees that the application only sees the kernel process space and hardware associated with that virtual machine while retaining standard runc behavior.

Even if a malicious application were to break out of its own process space, it would be contained to a strongly limited environment with no other processes visible to it. Kata's security model is about defense in depth.

You Have a Lot of Corporate Backers. Is Kata Mostly an Enterprise Play, or Will Smaller Hobby Developers Also Find It Useful?

Kata was designed to meet the real world security needs of enterprise customers. Its model of application isolation through virtualization is used widely throughout the industry and has decades of development, hardware acceleration, security research, and hardening behind it.

However, being enterprise grade doesn't mean it's inaccessible. Kata is easy to install on any major Linux distribution, and is easily adopted by organizations of any size, from a hobbyist trying things out, to a security researcher testing against the latest exploits, to large enterprises running large orchestration engines.

The Kata Claim Is “to Seamlessly Plug Into the Container Ecosystem.” What Does This Mean, and What Container Orchestration and Tooling Does Kata Support?

Because Kata conforms to container runtime standards - Kata Containers and the OpenStack Foundation are members of the Open Container Initiative that defines the standards - it is a drop-in replacement for any other container runtime engine.

With Kata installed, you only need to change a simple configuration variable to launch an application inside of Kata using container application interfaces like Docker, or container orchestration engines like Kubernetes.

The Kata Containers project automatically tests the runtime against the 1000 most popular container applications on Docker Hub, demonstrating conformance and compatibility.
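As an added example (not code from the article or from the Kata project), here is what that "simple configuration variable" looks like for each of the three entry points the answer names, together with the check a practitioner wants before trusting the swap: a container started under runc reports the host kernel from `uname -r`, while one started under Kata reports the guest VM's kernel. The binary path `/usr/bin/kata-runtime`, the Docker runtime name `kata-runtime`, the RuntimeClass name `kata`, the `KATA_LIVE_CHECK` switch and the `kernel_is_isolated` helper are assumptions made for this example; the RuntimeClass API version is the one current at the time of the article (`node.k8s.io/v1beta1`).

```shell
#!/bin/sh
# Added example, not from the article or the Kata project: register Kata as an
# alternative OCI runtime next to runc and verify that a container launched
# with it really runs on its own guest kernel.
# Assumptions: /usr/bin/kata-runtime is where the binary was installed,
# "kata-runtime" is the Docker runtime name, "kata" is the RuntimeClass name.
set -eu

# 1. Docker: register the runtime in /etc/docker/daemon.json. runc stays the
#    default, so existing workloads are untouched and Kata is opted into per
#    container with `docker run --runtime kata-runtime ...`.
docker_daemon_json() {
  cat <<'EOF'
{
  "runtimes": {
    "kata-runtime": {
      "path": "/usr/bin/kata-runtime"
    }
  }
}
EOF
}

# 2. containerd (the shim v2 integration the 1.5 release added): one runtime
#    entry in /etc/containerd/config.toml pointing the CRI plugin at the kata
#    v2 shim. The table name "kata" is the handler Kubernetes refers to.
containerd_config_toml() {
  cat <<'EOF'
[plugins.cri.containerd.runtimes.kata]
  runtime_type = "io.containerd.kata.v2"
EOF
}

# 3. Kubernetes: a RuntimeClass whose handler matches the containerd entry,
#    plus the single line in a Pod spec that selects it. node.k8s.io/v1beta1
#    was the RuntimeClass API version in Kubernetes 1.14 (2019).
kubernetes_runtimeclass_yaml() {
  cat <<'EOF'
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
apiVersion: v1
kind: Pod
metadata:
  name: kata-kernel-check
spec:
  runtimeClassName: kata
  containers:
  - name: shell
    image: busybox
    command: ["uname", "-r"]
EOF
}

# Isolation check (hypothetical helper): under runc the container reports the
# host kernel; under Kata it reports the guest VM kernel. A matching or empty
# version means the workload is NOT inside a VM (wrong runtime name, daemon
# not restarted, or the run failed) and the config change did nothing.
kernel_is_isolated() {
  host_kernel="$1"
  container_kernel="$2"
  [ -n "$container_kernel" ] && [ "$host_kernel" != "$container_kernel" ]
}

# Live check against a real daemon; only meaningful where Docker and
# kata-runtime are installed, so it is opt-in via KATA_LIVE_CHECK=1.
live_check() {
  if ! command -v docker >/dev/null 2>&1; then
    echo "docker not found; skipping live check"
    return 0
  fi
  host=$(uname -r)
  runc_k=$(docker run --rm --runtime runc busybox uname -r)
  kata_k=$(docker run --rm --runtime kata-runtime busybox uname -r)
  echo "host=$host runc=$runc_k kata=$kata_k"
  if kernel_is_isolated "$host" "$kata_k"; then
    echo "kata: container runs on a separate guest kernel"
  else
    echo "kata: container is on the HOST kernel; runtime not in effect" >&2
    return 1
  fi
}

if [ "${KATA_LIVE_CHECK:-0}" = "1" ]; then
  live_check
fi
```

Run it with `KATA_LIVE_CHECK=1` on a host where Docker and kata-runtime are installed (and the daemon has been restarted after editing daemon.json). The kernel version printed for the Kata container is the guest kernel shipped with Kata (4.19.x as of the 1.6 release mentioned below), not the host's; that difference is the observable proof that the application is inside a VM, and a matching version is the sign that the container silently fell back to the shared host kernel.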

How Old Is the Project? You're at 1.5 Already; What's the Development Origin and History of the Project, and Why Did the Team Create It in the First Place?

Kata Containers was officially launched in December of 2017 at KubeCon Austin. Then, at the May 2018 OpenStack Summit in Vancouver, Kata Containers 1.0 was released. The project came about through collaboration between the Clear Containers project from Intel and the runV project from Hyper.sh.

What’s New in v1.5?

The 1.5 release included new support for the Firecracker hypervisor and the s390x architecture, as well as a new method for integrating with the containerd project.

What’s Next for Kata?

The Kata Containers community recently announced its 1.6.0 release. Features include OpenTracing support; changes to enable virtio-fs, so the agent can mount virtio-fs shared directories; NVDIMM support on arm64; and CPU cgroups in the sandbox being honored, including user-defined paths and limiting the number of hypervisor vCPU threads. The project also updated to the Linux kernel 4.19.x as its preferred kernel version.

Join us at the next Open Infrastructure Summit in Denver from April 29 to May 1, 2019. The Kata team has several presentations at the Summit, as well as collaborative working sessions where we will discuss roadmap, planning, and hands-on hacking to improve the project.

Kata sessions include:

  • Kata Containers on Edge Cloud (Yuntong Jin, Yu Bai, Zhiming Hu)
  • Kata Containers, story of a container runtime (Sebastien Boeuf)
  • Kata Containers on Arm: Let’s talk about our progress! (Penny Zheng, Jia He)
  • Tracing the life of a packet with Kata Containers (Purnendu Ghosh)
  • Tailor-made security: Building a container specific hypervisor (Samuel Ortiz, Andreea Florescu)
  • Kubernetes Bedtime Stories: Taking the “scary” out of production workloads (panel)
  • Kata Containers Project Update (Eric Ernst, Manohar Castelino)
  • Kata Containers Project Onboarding (Xu Wang)

In the meantime, explore Kata on GitHub, KataContainers.io and get involved! Kata Containers is an independent open source community collaboratively developing code under the Apache 2 license.

You can connect with the community via these channels:

