kata containers
play

Kata Containers Story of a container runtime Sbastien Boeuf, - PowerPoint PPT Presentation

Mar 25, 2024 •454 likes •958 views

Kata Containers Story of a container runtime Sbastien Boeuf, Software Engineer Intel Corporation Agenda Why Kata Containers? Acceptance Community growth Ecosystem influence Hypervisor flexible

  1. Kata Containers Story of a container runtime Sébastien Boeuf, Software Engineer Intel Corporation

  2. Agenda ● Why Kata Containers? ● Acceptance ● Community growth ● Ecosystem influence ● Hypervisor flexible

  3. https://regmedia.co.uk/2017/09/11/shutterstock_containers_in_port.jpg

  4. Containers Container Container Container Host OS

  5. Security threat Container Container Container Host OS

  6. https://cdn-images-1.medium.com/max/800/1*zPiik9vlW_G7GU9bTjxhJQ.jpeg

  7. Manual isolation Container Container Container Container Container Container Host OS Host OS VM VM Baremetal server

  8. https://s3.amazonaws.com/wordpress-production/wp-content/uploads/2015/12/collaborative-problem-solving.jpg

  9. Legacy Clear Containers

  10. Kata Containers Container Container Container Guest OS Guest OS Guest OS VM VM VM HW HW HW virtualization virtualization virtualization Host OS

  11. https://marketingweek.imgix.net/content/uploads/2017/06/30121536/Ecosystem-body-image.jpg

  12. Container ecosystem Docker OCI runc Container

  13. Container ecosystem Kubernetes CRI OCI runc Container

  14. Container ecosystem Kubernetes Docker CRI OCI runc Container

  15. Seamless integration Kubernetes Docker CRI Container OCI kata-runtime Guest OS VM

  17. OCI compatible OCI create start state kill delete

  18. OCI compatible runc OCI exec list create start pause resume state run update kill delete

  19. OCI compatible host monitoring Container I/O

  20. OCI compatible host Container ? monitoring I/O Guest OS VM

  21. OCI compatible host Container monitoring I/O Guest OS kata-shim VM

  22. https://www.incimages.com/uploaded_files/image/1940x900/getty_524541622_2000133320009280310_370635.jpg

  23. Community growth Additional architectures ● aarch64 ( ARM ) ● ppc64 and s390 ( IBM ) Enhanced stability and production ready ● Huawei ● Baidu ● Alibaba

  24. Community growth CI resources ● Vexxhost ( Vexxhost ) ● Azure ( Microsoft ) ● AWS ( Amazon ) ● GCE ( Google )

  25. Community growth 2000 pull requests / 100 contributors

  26. https://hbr.org/resources/images/article_assets/2015/05/MAY15_19_686097-001.jpg

  27. Extend OCI

  28. RuntimeClass

  29. RuntimeClass node 1 pod1.yaml Pod 1 Pod 2 pod2.yaml runc kata pod3.yaml pod4.yaml node 2 Pod 3 Pod 4 runc kata

  30. Pod overhead

  31. Pod overhead pod1.yaml node cpus: 2 mem: 256M Pod 1 Pod 2 Container pod2.yaml Container Guest OS cpus: 2 mem: 256M VM Overhead: - cpus: 1 - mem: 128M

  32. Shim v2 CRI containerd or CRI-O

  33. Shim v2 CRI containerd-shim or containerd conmon or CRI-O

  34. Shim v2 CRI OCI runc containerd-shim or containerd conmon + or kata-runtime kata-shim CRI-O

  35. Shim v2 Shim CRI OCI v2 runc containerd-shim or containerd conmon + or kata-runtime kata-shim CRI-O kata-v2

  36. Shim v2 wait stats resizePty No host PID assumption! k8s pod scaling!

  37. Shared filesystem Virtio-9p ● Not fully POSIX compliant ⇒ Workload functional issues ● Not performant ● Production should use virtio-blk ⇒ devicemapper

  38. Shared filesystem Redhat developed replacement for virtio-9p ⇒ virtio-fs ● Fully POSIX compliant ⇒ Solve workload functional issues ● As performant as virtio-blk (with DAX optimization) ● Overlay back into the picture for production

  39. Shared filesystem virtio-9p Mounted FS Shared FS VM

  40. Shared filesystem virtio-fs Mounted FS virtiofsd Shared FS VM

  41. Shared filesystem virtio-fs Mounted FS virtiofsd Shared FS VM

  43. QEMU/NEMU ● Swiss army knife hypervisor ⇒ Default for Kata ○ Type 2 (KVM) ○ Multi-purpose ○ Extensive device model (virtio-gpu, virtio-crypto, ...) ○ Direct Device Assignment (VFIO) ● Wide codebase in C ⇒ Potential attack surface ● NEMU reduces the attack surface

  44. Firecracker ● Lightweight hypervisor ○ Type 2 (KVM) ○ Narrow focus: container workloads and FaaS ○ Reduced device model ● Small codebase in Rust ⇒ Highly secure

  45. ACRN (in progress) ● Lightweight hypervisor ○ Type 1 ○ Focus on Automotive and IoT ○ Industry standard FuSa (Functional Safety) ● Small codebase in C ⇒ Highly secure

  46. http://www.lifeafterlondon.com/wp-content/uploads/2014/07/pick-your-own.jpg

  47. Takeaways INFLUENCE INTEGRATE

  48. Join the fun! Sources: https://github.com/kata-containers/runtime Get started: https://github.com/kata-containers/documentation/blob/master/Deve loper-Guide.md Slack: katacontainers.slack.com IRC: #kata-dev@freenode Mailing list: kata-dev@lists.katacontainers.io

  49. Thank you

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kata-Containers on openSUSE Ralf Haferkamp, Container Software Engineer, SUSE Dario Faggioli,

Kata-Containers on openSUSE Ralf Haferkamp, Container Software Engineer, SUSE Dario Faggioli,

Kata-Containers on openSUSE Ralf Haferkamp, Container Software Engineer, SUSE Dario Faggioli, Virtualization Software Engineer, SUSE What is Kata Containers A container runtime providing stronger isolation by using hardware virtualization

528 views • 15 slides
Improvement Kata IK Makes the Impossible Discussable 1 Kata and Continuous Improvement at The

Improvement Kata IK Makes the Impossible Discussable 1 Kata and Continuous Improvement at The

Improvement Kata IK Makes the Impossible Discussable 1 Kata and Continuous Improvement at The Andersons Who we are Our approach to CI Training (100 attendees so far) Applied Learning Why Kata? Next Steps 2 THE FOUR

348 views • 18 slides
ORCHIDACEA RESORT Kata Beach, Phuket w w w . o r c h i d a c e a r e s o r t . c o m About Us

ORCHIDACEA RESORT Kata Beach, Phuket w w w . o r c h i d a c e a r e s o r t . c o m About Us

ORCHIDACEA RESORT Kata Beach, Phuket w w w . o r c h i d a c e a r e s o r t . c o m About Us Orchidacea Resort is located on the gently sloping hills of Kata, Phuket -Thailand, overlooking the crystal clear Andaman Sea and the immaculate

422 views • 18 slides
CHEESE WASTE KATA PROJECT Lisa Roberts, Tara Stow, Diego Aliste CHEESE WASTE KATA PROJECT The

CHEESE WASTE KATA PROJECT Lisa Roberts, Tara Stow, Diego Aliste CHEESE WASTE KATA PROJECT The

ZINGERMANS MAIL ORDER: Arjun Bhalla, Eric Lam, Shivani Palekar, Ting-Yi Li CHEESE WASTE KATA PROJECT Lisa Roberts, Tara Stow, Diego Aliste CHEESE WASTE KATA PROJECT The online shop for Zingermans food and sends food, such as breads,

184 views • 14 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

807 views • 57 slides
Refactoring Fundamentals The Gilded Rose Refactoring Kata Steve Smith Ardalis.com @ardalis The

Refactoring Fundamentals The Gilded Rose Refactoring Kata Steve Smith Ardalis.com @ardalis The

Refactoring Fundamentals The Gilded Rose Refactoring Kata Steve Smith Ardalis.com @ardalis The Gilded Rose Kata Introduction The Gilded Rose is a small inn with a prime location in a prominent city run by a friendly innkeeper named Allison.

420 views • 7 slides
SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54

SUSE Containers as a Service Platform 53 53 Why Do You Want to Invest in Containers? 54 54 What are Containers? A package/image that can be deployed anywhere (thats running a Linux Kernel) Developers create a layered image of their

996 views • 53 slides
Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at

Herd of Containers Sad DIF Database Engineer Herd of Containers: PostgreSQL in containers at BlaBlaCar pgDay Paris, Mar 15, 2018 BlaBlaCar Overview Todays agenda PostgreSQL usage at BlaBlaCar Switching to a new implementation

844 views • 40 slides
Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have

Persistent storage for Containers Anil Degwekar What are we talking about? Containers have become popular replacing many Physical / Virtual Machine use cases But: The persistent storage problem for containers is still not fully solved

1.01k views • 17 slides
Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change

Containers in the Enterprise Avoiding the Kobayashi Maru Agenda Containers Bring Change An Approach Required Software Processes Cultural Changes Additional Concerns Lessons Learned Why This Talk? Containers are

678 views • 49 slides
IJF KATA COMMISSION ANALYSIS OF OFFICIAL KODOKAN VIDEO In the meeting held in Paris the 5 th and

IJF KATA COMMISSION ANALYSIS OF OFFICIAL KODOKAN VIDEO In the meeting held in Paris the 5 th and

IJF KATA COMMISSION ANALYSIS OF OFFICIAL KODOKAN VIDEO In the meeting held in Paris the 5 th and 6 th of January 2008, the IJF Kata Commission, after the analysis of the official Kodokan video, decided that the following actions, even if

208 views • 17 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can

our container journey @beshippable shippable.com our container journey containers can make us way more efficient containers can save us money on hosting containers sound interesting company founded in 2013

848 views • 30 slides
COACHING TEAM PERFORMANCE KATA INCLUSION Steve MEN Ken Thorne WOMEN Chappell Terry

COACHING TEAM PERFORMANCE KATA INCLUSION Steve MEN Ken Thorne WOMEN Chappell Terry

COACHING TEAM PERFORMANCE KATA INCLUSION Steve MEN Ken Thorne WOMEN Chappell Terry Atkinson Steve Withers Jason Parsons Simon Ward Judy Maslen Pete Douglas DEVELOPMENT STRUCTURE GBR PROGRAM -Juniors u20 -- Seniors ENGLAND

618 views • 9 slides
Scheduling-Independence in SHIM Olivier Tardieu Columbia University, New York joint work with

Scheduling-Independence in SHIM Olivier Tardieu Columbia University, New York joint work with

Scheduling-Independence in SHIM Olivier Tardieu Columbia University, New York joint work with Prof. Stephen A. Edwards Software/Hardware Integration Medium SHIM is a concurrent programming language C/Java-like syntax and semantics for

478 views • 24 slides
uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary

uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary

uf: Minimizing the Coq Extraction TCB Eric Mullen , Stuart Pernsteiner, James Wilcox, Zachary Tatlock, Dan Grossman 1 Extraction 2 Extraction K coq 2 Extraction K coq 2 Extraction K coq Extraction 2 Extraction K coq Extraction K

1.3k views • 106 slides
Propagating ECN across IP tunnel Headers Separated by a Shim

Propagating ECN across IP tunnel Headers Separated by a Shim

Propagating ECN across IP tunnel Headers Separated by a Shim draft-ietf-tsvwg-rfc6040update-shim-04 Bob Briscoe bobbriscoe.net IETF-99, Jul 2017 draft-ietf-tsvwg-rfc6040update-shim-04 Problem #1 RFC6040 Tunnelling of ECN; scope was

187 views • 7 slides
AdL SUS/US Quad Controls Conceptual Design J. Heefner 7/12/2005 LIGO-G050318-00-C AdL SUS

AdL SUS/US Quad Controls Conceptual Design J. Heefner 7/12/2005 LIGO-G050318-00-C AdL SUS

AdL SUS/US Quad Controls Conceptual Design J. Heefner 7/12/2005 LIGO-G050318-00-C AdL SUS Controls Conceptual Design Design Considerations AdL Controls Architecture has yet to be determined Controls block diagram based on scaling

180 views • 17 slides
6.888 Lecture 6: Network Performance Isola8on Mohammad Alizadeh Spring 2016 1 Mul8-tenant

6.888 Lecture 6: Network Performance Isola8on Mohammad Alizadeh Spring 2016 1 Mul8-tenant

6.888 Lecture 6: Network Performance Isola8on Mohammad Alizadeh Spring 2016 1 Mul8-tenant Cloud Data Centers Shared infrastructure between mul8ple tenants/apps Lack of Performance Predictability GAE memcache read 100 values Unpredictable

730 views • 31 slides
Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the

Securing Linux VMs in a Hosted Environment mikbras@microsoft.com Goal attacks from the outside To protect Linux VMs from outside attacks (from processes running on the host). Injecting code into the boot chain. Stealing data from

559 views • 18 slides
WIDEX Working Group IETF 65 Chairs: David Bryan, Eunsoo Shim, Dean Willis Note Well Any

WIDEX Working Group IETF 65 Chairs: David Bryan, Eunsoo Shim, Dean Willis Note Well Any

WIDEX Working Group IETF 65 Chairs: David Bryan, Eunsoo Shim, Dean Willis Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any statement made within the

779 views • 3 slides
A preliminary result on synchronization of heterogeneous agents via funnel control Stephan Trenn

A preliminary result on synchronization of heterogeneous agents via funnel control Stephan Trenn

A preliminary result on synchronization of heterogeneous agents via funnel control Stephan Trenn Technomathematics group, University of Kaiserslautern, Germany joint work with Hyungbo Shim (Seoul National University, Korea) 54th IEEE Conference

381 views • 21 slides

More recommend