Story of a container runtime (Kata Containers) · 2019-05-13
Page 1
Kata Containers: Story of a container runtime
Sébastien Boeuf, Software Engineer, Intel Corporation
Page 2
Agenda
● Why Kata Containers?
● Acceptance
● Community growth
● Ecosystem influence
● Hypervisor flexible
Page 4
Containers
Diagram: one Host OS running Container, Container, Container
Page 5
Security threat
Diagram: the same Host OS shared by Container, Container, Container
Page 7
Manual isolation
Diagram: a Baremetal server hosting two VMs; each VM runs its own Host OS with Container, Container, Container
Page 9
Legacy
Clear Containers
Page 10
Kata Containers
Diagram: a Host OS hosting three VMs; each VM (HW virtualization) runs a Guest OS with a single Container
Page 12
Container ecosystem
Diagram: Docker → runc (OCI) → Container
Page 13
Container ecosystem
Diagram: Kubernetes → (CRI) → runc (OCI) → Container
Page 14
Container ecosystem
Diagram: Kubernetes → Docker (CRI) → runc (OCI) → Container
Page 15
Seamless integration
Diagram: Kubernetes → Docker (CRI) → kata-runtime (OCI) → VM → Guest OS → Container
Page 17
OCI compatible
OCI commands: create, start, kill, state, delete
Page 18
OCI compatible
OCI commands: create, start, kill, state, delete
runc additionally: exec, list, pause, resume, update, run
Page 19
OCI compatible
Diagram: on the host, the Container with its monitoring and I/O
Page 20
OCI compatible
Diagram: on the host, a VM with a Guest OS and the Container inside; monitoring and I/O marked "?" (how to reach the container across the VM boundary)
Page 21
OCI compatible
Diagram: on the host, kata-shim provides monitoring and I/O for the Container running inside the VM's Guest OS
Page 23
Community growth
Additional architectures
● aarch64 (ARM)
● ppc64 and s390 (IBM)
Enhanced stability and production ready
● Huawei
● Baidu
● Alibaba
Page 24
Community growth
CI resources
● Vexxhost (Vexxhost)
● Azure (Microsoft)
● AWS (Amazon)
● GCE (Google)
Page 25
Community growth
2000 pull requests / 100 contributors
Page 27
Extend OCI
Page 28
RuntimeClass
Page 29
RuntimeClass
Diagram: pod1.yaml, pod2.yaml, pod3.yaml and pod4.yaml each pick a RuntimeClass (runc or kata); Pod 1 (runc), Pod 2 (kata), Pod 3 and Pod 4 are placed across node 1 and node 2, with both kata and runc available on the nodes
Page 30
Pod overhead
Page 31
Pod overhead
Diagram: one node running Pod 1 and Pod 2
Pod 1 (pod1.yaml): cpus: 2, mem: 256M
Pod 2 (pod2.yaml): cpus: 2, mem: 256M, running inside a VM (Guest OS, Container, Container)
Overhead for Pod 2:
- cpus: 1
- mem: 128M
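Worked manifests for the RuntimeClass and pod overhead slides above, written as an added example (not from the deck or the Kata project's own files): a RuntimeClass carrying the slide's overhead of 1 CPU and 128M, and the two pods from the slide. The handler name `kata` and the image names are assumptions; the handler must match the runtime registered in containerd or CRI-O on the nodes. Because the scheduler adds `overhead.podFixed` to a pod's container requests, Pod 2 is accounted as 3 CPUs and 384M on the node while Pod 1 stays at 2 CPUs and 256M.

```yaml
# RuntimeClass for Kata pods. "kata" as the handler name is an assumption:
# it must match the runtime name configured in containerd or CRI-O.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
# Per-pod cost of the VM and guest OS (values from the slide). The scheduler
# and ResourceQuota add this on top of the pod's own container requests.
overhead:
  podFixed:
    cpu: "1"
    memory: 128M
---
# Pod 1: no runtimeClassName, so the cluster default (runc) is used.
# Accounted on the node as 2 CPUs and 256M.
apiVersion: v1
kind: Pod
metadata:
  name: pod1
spec:
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image
    resources:
      requests:
        cpu: "2"
        memory: 256M
---
# Pod 2: same total requests (two containers of 1 CPU / 128M each), but it
# runs inside a Kata VM, so the node must also fit the RuntimeClass overhead.
# Accounted on the node as 3 CPUs and 384M.
apiVersion: v1
kind: Pod
metadata:
  name: pod2
spec:
  runtimeClassName: kata
  containers:
  - name: web
    image: registry.example.com/web:1.0   # placeholder image
    resources:
      requests:
        cpu: "1"
        memory: 128M
  - name: sidecar
    image: registry.example.com/sidecar:1.0   # placeholder image
    resources:
      requests:
        cpu: "1"
        memory: 128M
```

After applying these, `kubectl describe node` lists Pod 2 with the overhead folded into its requests, which is what keeps the VM's own CPU and memory from being overcommitted on the node.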
Page 32
Shim v2
Diagram: containerd or CRI-O, speaking CRI
Page 33
Shim v2
Diagram: (CRI) → containerd or CRI-O → containerd-shim or conmon
Page 34
Shim v2
Diagram: (CRI) → containerd or CRI-O → containerd-shim or conmon → (OCI) → runc, or kata-runtime + kata-shim
Page 35
Shim v2
Diagram: (CRI) → containerd or CRI-O, then either the Shim v2 path straight to kata-v2, or the legacy path containerd-shim or conmon → (OCI) → runc, or kata-runtime + kata-shim
Page 36
Shim v2
Shim v2 API calls: wait, stats, resizePty
No host PID assumption!
k8s pod scaling!
Page 37
Shared filesystem
Virtio-9p
● Not fully POSIX compliant ⇒ Workload functional issues
● Not performant
● Production should use virtio-blk ⇒ devicemapper
Page 38
Shared filesystem
Red Hat developed a replacement for virtio-9p ⇒ virtio-fs
● Fully POSIX compliant ⇒ Solves the workload functional issues
● As performant as virtio-blk (with DAX optimization)
● Overlay back into the picture for production
Page 39
Shared filesystem
Diagram: the host Shared FS is exposed to the VM as a Mounted FS over virtio-9p
Page 40
Shared filesystem
Diagram: the host Shared FS is served by virtiofsd and exposed to the VM as a Mounted FS over virtio-fs
Page 41
Shared filesystem
Diagram: virtio-fs path again, with virtiofsd serving the host Shared FS into the VM's Mounted FS
Page 43
QEMU/NEMU
● Swiss army knife hypervisor ⇒ Default for Kata
○ Type 2 (KVM)
○ Multi-purpose
○ Extensive device model (virtio-gpu, virtio-crypto, ...)
○ Direct Device Assignment (VFIO)
● Wide codebase in C ⇒ Potential attack surface
● NEMU reduces the attack surface
Page 44
Firecracker
● Lightweight hypervisor
○ Type 2 (KVM)
○ Narrow focus: container workloads and FaaS
○ Reduced device model
● Small codebase in Rust ⇒ Highly secure
Page 45
ACRN (in progress)
● Lightweight hypervisor
○ Type 1
○ Focus on Automotive and IoT
○ Industry standard FuSa (Functional Safety)
● Small codebase in C ⇒ Highly secure
Page 47
Takeaways
INFLUENCE
INTEGRATE
Page 48
Join the fun!
Sources: https://github.com/kata-containers/runtime
Get started: https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md
Slack: katacontainers.slack.com
IRC: #kata-dev@freenode
Mailing list: [email protected]
Page 49
Thank you