Kata Containers: Story of a container runtime. Sébastien Boeuf (PowerPoint presentation)


SLIDE 1

Kata Containers

Story of a container runtime

Sébastien Boeuf, Software Engineer Intel Corporation

SLIDE 2

Agenda

  • Why Kata Containers?
  • Acceptance
  • Community growth
  • Ecosystem influence
  • Hypervisor flexibility

SLIDE 3

[Image only: https://regmedia.co.uk/2017/09/11/shutterstock_containers_in_port.jpg]

SLIDE 4

Containers

Diagram: a single Host OS running three Containers side by side.

SLIDE 5

Security threat

Diagram: the same layout, three Containers sharing one Host OS.

SLIDE 6

[Image only: https://cdn-images-1.medium.com/max/800/1*zPiik9vlW_G7GU9bTjxhJQ.jpeg]

SLIDE 7

Manual isolation

Diagram: a Baremetal server hosting two VMs; each VM runs its own Host OS with three Containers inside it.

SLIDE 8

[Image only: https://s3.amazonaws.com/wordpress-production/wp-content/uploads/2015/12/collaborative-problem-solving.jpg]

SLIDE 9

Legacy

Clear Containers

SLIDE 10

Kata Containers

Diagram: on the Host OS, each Container runs inside its own VM (Guest OS on HW virtualization); three such VMs side by side.

SLIDE 11

[Image only: https://marketingweek.imgix.net/content/uploads/2017/06/30121536/Ecosystem-body-image.jpg]

SLIDE 12

Container ecosystem

Diagram: Docker → runc (OCI) → Container

SLIDE 13

Container ecosystem

Diagram: Kubernetes → CRI → runc (OCI) → Container

SLIDE 14

Container ecosystem

Diagram: Kubernetes (via CRI) and Docker both drive runc through the OCI interface → Container

SLIDE 15

Seamless integration

Diagram: Kubernetes (via CRI) and Docker → kata-runtime (OCI) → VM Guest OS → Container; kata-runtime takes runc's place behind the OCI interface.

SLIDE 16

(no text on this slide)

SLIDE 17

OCI compatible

OCI commands: create, start, kill, state, delete

SLIDE 18

OCI compatible

runc (OCI) commands: create, start, kill, state, delete, exec, list, resume, pause, update, run

SLIDE 19

OCI compatible

Diagram: on the host, monitoring and I/O of the Container.

SLIDE 20

OCI compatible

Diagram: the Container now sits inside a VM Guest OS; how does the host still do monitoring and I/O? (?)

SLIDE 21

OCI compatible

Diagram: kata-shim on the host handles monitoring and I/O for the Container running in the VM Guest OS.

SLIDE 22

[Image only: https://www.incimages.com/uploaded_files/image/1940x900/getty_524541622_2000133320009280310_370635.jpg]

SLIDE 23

Community growth

Additional architectures

  • aarch64 (ARM)
  • ppc64 and s390 (IBM)

Enhanced stability and production ready

  • Huawei
  • Baidu
  • Alibaba

SLIDE 24

Community growth

CI resources

  • Vexxhost (Vexxhost)
  • Azure (Microsoft)
  • AWS (Amazon)
  • GCE (Google)

SLIDE 25

Community growth

2000 pull requests / 100 contributors

SLIDE 26

[Image only: https://hbr.org/resources/images/article_assets/2015/05/MAY15_19_686097-001.jpg]

SLIDE 27

Extend OCI

SLIDE 28

RuntimeClass

SLIDE 29

RuntimeClass

Diagram: two nodes (node 1, node 2) running Pod 1 through Pod 4, each defined by its own pod1.yaml … pod4.yaml; the RuntimeClass in each spec selects runc or kata (Pod 1: runc, Pod 2: kata).

SLIDE 30

Pod overhead

SLIDE 31

Pod overhead

Diagram: on one node, Pod 1 (pod1.yaml: cpus: 2, mem: 256M) runs directly, while Pod 2 (pod2.yaml: cpus: 2, mem: 256M) runs its two Containers inside a VM Guest OS and therefore carries an Overhead:

  • cpus: 1
  • mem: 128M
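As an added example (not from the slides), the RuntimeClass and Pod objects that express the scheme above in the Kubernetes API; the handler name "kata", the container names and the image are assumptions, while the overhead and request figures are taken from the slide.

```yaml
# RuntimeClass for Kata pods (added example; "kata" handler name assumed,
# overhead figures from the slide: 1 CPU and 128M per pod)
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata            # CRI handler name configured in containerd / CRI-O
overhead:
  podFixed:
    cpu: "1"
    memory: "128M"
---
# pod2.yaml: two containers totalling cpus: 2, mem: 256M, run under kata.
# With the overhead above, the scheduler and kubelet account 3 CPUs and 384M
# for this pod, whereas pod1.yaml (runc, no RuntimeClass) is charged 2 / 256M.
apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  runtimeClassName: kata
  containers:
  - name: app-a                      # assumed name
    image: example.com/app:1.0       # placeholder image
    resources:
      requests: { cpu: "1", memory: "128M" }
      limits:   { cpu: "1", memory: "128M" }
  - name: app-b                      # assumed name
    image: example.com/app:1.0       # placeholder image
    resources:
      requests: { cpu: "1", memory: "128M" }
      limits:   { cpu: "1", memory: "128M" }
```

A pod that names a RuntimeClass whose handler the node's CRI does not provide fails to start on that node, so the handler value must match the runtime configured in containerd or CRI-O.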

SLIDE 32

Shim v2

Diagram: containerd and CRI-O, both implementing the CRI.

SLIDE 33

Shim v2

Diagram: containerd (CRI) launches containerd-shim; CRI-O (CRI) launches conmon.

SLIDE 34

Shim v2

Diagram: containerd-shim and conmon each drive an OCI runtime, runc or kata-runtime; the kata-runtime path adds kata-shim (kata-runtime + kata-shim).

SLIDE 35

Shim v2

Diagram: the same layout plus kata-v2, which implements the Shim v2 interface towards containerd, next to the OCI path (kata-runtime + kata-shim) used by containerd-shim and conmon.

SLIDE 36

Shim v2

Shim v2 calls: wait, stats, resizePty

No host PID assumption! k8s pod scaling!

SLIDE 37

Shared filesystem

Virtio-9p

  • Not fully POSIX compliant ⇒ Workload functional issues
  • Not performant
  • Production should use virtio-blk ⇒ devicemapper

SLIDE 38

Shared filesystem

Red Hat developed a replacement for virtio-9p ⇒ virtio-fs

  • Fully POSIX compliant ⇒ Solves the workload functional issues
  • As performant as virtio-blk (with DAX optimization)
  • Overlay back into the picture for production

SLIDE 39

Shared filesystem

Diagram: a VM with the host's Shared FS exposed as a Mounted FS over virtio-9p.

SLIDE 40

Shared filesystem

Diagram: a VM with the host's Shared FS exposed as a Mounted FS over virtio-fs, served by virtiofsd.

SLIDE 41

Shared filesystem

Diagram: virtio-fs in detail; virtiofsd on the host serves the Shared FS, which appears as the Mounted FS inside the VM.

SLIDE 42

(no text on this slide)

SLIDE 43

QEMU/NEMU

  • Swiss army knife hypervisor ⇒ Default for Kata
    ○ Type 2 (KVM)
    ○ Multi-purpose
    ○ Extensive device model (virtio-gpu, virtio-crypto, ...)
    ○ Direct Device Assignment (VFIO)
  • Wide codebase in C ⇒ Potential attack surface
  • NEMU reduces the attack surface

SLIDE 44

Firecracker

  • Lightweight hypervisor
    ○ Type 2 (KVM)
    ○ Narrow focus: container workloads and FaaS
    ○ Reduced device model
  • Small codebase in Rust ⇒ Highly secure

SLIDE 45

ACRN (in progress)

  • Lightweight hypervisor
    ○ Type 1
    ○ Focus on Automotive and IoT
    ○ Industry standard FuSa (Functional Safety)
  • Small codebase in C ⇒ Highly secure

SLIDE 46

[Image only: http://www.lifeafterlondon.com/wp-content/uploads/2014/07/pick-your-own.jpg]

SLIDE 47

Takeaways

  • INFLUENCE
  • INTEGRATE

SLIDE 48

Join the fun!

  • Sources: https://github.com/kata-containers/runtime
  • Get started: https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md
  • Slack: katacontainers.slack.com
  • IRC: #kata-dev@freenode
  • Mailing list: kata-dev@lists.katacontainers.io

SLIDE 49

Thank you