Story of a container runtime Kata Containers · 2019-05-13 · Story of a container runtime...

Kata ContainersStory of a container runtime

Sébastien Boeuf, Software EngineerIntel Corporation

Agenda

● Why Kata Containers?● Acceptance● Community growth● Ecosystem influence● Hypervisor flexible

https://regmedia.co.uk/2017/09/11/shutterstock_containers_in_port.jpg

Containers

Host OS

Container Container Container

Security threat

Host OS

https://cdn-images-1.medium.com/max/800/1*zPiik9vlW_G7GU9bTjxhJQ.jpeg

Manual isolation

Baremetal server

Host OS

https://s3.amazonaws.com/wordpress-production/wp-content/uploads/2015/12/collaborative-problem-solving.jpg

Legacy

Clear Containers

Host OS

Guest OS

HWvirtualization

Kata Containers

Container

Guest OS

HWvirtualization

Container

Guest OS

HWvirtualization

Container

https://marketingweek.imgix.net/content/uploads/2017/06/30121536/Ecosystem-body-image.jpg

Container ecosystem

Docker

Containerrunc

Container ecosystem

Kubernetes

Container

Container ecosystem

Kubernetes

Docker CRI

Container

Guest OS

Seamless integration

Kubernetes

Docker CRI

Container

kata-runtime

OCI compatible

OCIcreate start

delete

OCI compatible

runc OCIcreate start

delete

exec list

resumepause

updaterun

OCI compatible

Containermonitoring

OCI compatible

Guest OS

Container

?monitoring

OCI compatible

Guest OS

Container

kata-shim

monitoringI/O

https://www.incimages.com/uploaded_files/image/1940x900/getty_524541622_2000133320009280310_370635.jpg

Community growth

Additional architectures

● aarch64 (ARM)● ppc64 and s390 (IBM)

Enhanced stability and production ready

● Huawei● Baidu● Alibaba

Community growth

CI resources

● Vexxhost (Vexxhost)● Azure (Microsoft)● AWS (Amazon)● GCE (Google)

Community growth

2000 pull requests / 100 contributors

https://hbr.org/resources/images/article_assets/2015/05/MAY15_19_686097-001.jpg

Extend OCI

RuntimeClass

node 1

RuntimeClass

node 2

Pod 3 Pod 4

pod1.yaml

pod2.yaml

pod3.yaml

pod4.yaml

kata runc

Pod overhead

pod1.yaml

cpus: 2mem: 256M

Guest OS

Container

pod2.yaml

cpus: 2mem: 256M

Overhead:- cpus: 1- mem: 128M

Shim v2

containerd

Shim v2

containerd

containerd-shim

conmon

Shim v2

containerd

CRI-Okata-runtime

kata-shim+

CRI OCI

containerd-shim

conmon

Shim v2

containerd

CRI-Okata-runtime

kata-shim+

kata-v2

CRI Shim v2 OCI

containerd-shim

conmon

Shim v2

resizePty

No host PID assumption!k8s pod scaling!

Shared filesystem

Virtio-9p

● Not fully POSIX compliant ⇒ Workload functional issues

● Not performant

● Production should use virtio-blk ⇒ devicemapper

Shared filesystem

Redhat developed replacement for virtio-9p ⇒ virtio-fs

● Fully POSIX compliant ⇒ Solve workload functional issues

● As performant as virtio-blk (with DAX optimization)

● Overlay back into the picture for production

Shared filesystem

Shared FS

MountedFSvirtio-9p

Shared filesystem

VMShared FS

MountedFSvirtio-fs

virtiofsd

virtio-fs

Shared filesystem

VMShared FS

MountedFS

virtiofsd

QEMU/NEMU

● Swiss army knife hypervisor ⇒ Default for Kata

○ Type 2 (KVM)

○ Multi-purpose

○ Extensive device model (virtio-gpu, virtio-crypto, ...)

○ Direct Device Assignment (VFIO)

● Wide codebase in C ⇒ Potential attack surface

● NEMU reduces the attack surface

Firecracker

● Lightweight hypervisor

○ Type 2 (KVM)

○ Narrow focus: container workloads and FaaS

○ Reduced device model

● Small codebase in Rust ⇒ Highly secure

ACRN (in progress)

● Lightweight hypervisor

○ Type 1

○ Focus on Automotive and IoT

○ Industry standard FuSa (Functional Safety)

● Small codebase in C ⇒ Highly secure

http://www.lifeafterlondon.com/wp-content/uploads/2014/07/pick-your-own.jpg

Takeaways

INFLUENCE

INTEGRATE

Join the fun!

Sources: https://github.com/kata-containers/runtime

Get started: https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md

Slack: katacontainers.slack.com

IRC: #kata-dev@freenode

Mailing list: kata-dev@lists.katacontainers.io

Thank you

Story of a container runtime Kata Containers · 2019-05-13 · Story of a container runtime...

Documents

Transcript of Story of a container runtime Kata Containers · 2019-05-13 · Story of a container runtime...

Java in a world of containers - FOSDEM · Java in a World of Containers •Managed language/runtime •Hardware and operating system agnostic •Safety and security enforced by JVM

The State of Linux Containers - HPC Advisory Council...low-level runtime, reference implementation of OCI 2. rkt (CoreOS) Runtime to download,verify and start App Containers 3. Singularity

KATA-KATA PERANSANG BILIK GURU PG 1.ppt

2016 Kata Summit: Kata in Office/Service Presentation

Kata Containers: Design, Architecture and Impactfiles.informatandm.com/uploads/2019/4/13.00_Panel_-_Jean_Bozman_Panel.pdf · Kata： • Better compatibility • Use qcow2 as graph

Proses Pemendekan dalam Pembentukan Kata Submorfologi ... · perkataan-perkataan di dalam rangkai kata. Suku kata yang menjadi unsur kata cantuman dipilih sembarangan dan kata cantuman

Unified Kubernetes CRI runtimes based on Kata …...Unified Kubernetes CRI runtimes based on Kata Containers Xu Wang (@gnawux) hyper.sh Agenda •Kubernetes CRI Deep Dive •The Current

Containers 101 - Fedora · 29 Containers 101 with Podman Docker, Red Hat et al. June 2015 Two Specifications Runtime How to run a “filesystem bundle” that is unpacked on disk

Secure Containers for Embedded and IoT ViryaOS RFC...A Secure Xen based runtime Containers supported natively A turnkey solution A Flexible build system Supports aarch64 and x86_64

Kata-Containers on openSUSE - FOSDEM€¦ · 5 Why Virtualization Threat Model: untrusted code in a (Kata) Container attacks the host Attack surface-- – Containers: the shared host

Kata Containers on Edge Cloud...kata containers Pre-warm Container Startup Time (ms) Startup Speed Optimization • Edge computing should respond in a short time, the delay is expected

Title Perkembangan ejaan rumi bahasa Melayu Author(s) · PDF filesegi kata-kata pinjaman. ... Penggunaan lambang-Iambang yang berdasarkan suku kata huruf Wenggi ... senarai kata-kata

Introduction to Containers · 2020. 10. 22. · •Images become containers once launched with a Container runtime (e.g. Docker Engine, Singularity, Podman, Sarus etc.) •Multiple

Spice Up Your Workloads @raravena80 With Kata Containers … · @raravena80 Spice Up Your Workloads With Kata Containers Ricardo Aravena branch.io @raravena80

Kata Beach - thompsons.co.za · hotel description contact point of interest services / facilities location ... phuket kata beach kata noibeach noi harn noibeach resort & spa kata

Modern Development: How Containers Are Changing Everything · 2019-11-18 · How Containers Are Changing Everything Steve Poole @spoole167. About me ... CI/CD system Runtime levels

Workshop: Introduction Toyota Kataspecials.han.nl/.../Workshops-Toyota-Kata-ELEC-2017_V28062017.pdf · Workshop: Introduction Toyota Kata Introduction to Toyota Kata Toyota Kata is

Kata Beach - · PDF filekaron beach koh bon phuket kata beach kata noibeach noi harn noibeach resort & spa kata beach. beach wedding

5 Minutes to Enterprise JavaScript - Lance Ball...RHOAR - Red Hat OpenShift Application Runtime for Node.js 8.x LTS Supported Node.js RPMs and Runtime containers for Node.js 8.x LTS

Replacing Docker With Podman · runc default implementation of OCI Runtime Spec (Same tool Docker uses to run containers) Standard Way to setup networking for containers Container