kata containers: design, architecture and...

Information Classification: General

Kata Containers:

Design, Architecture and Impact

Panel Chairperson:

Jean S. Bozman

VP/Principal Analyst, Hurwitz & Associates

1


Agenda

• Introduction

• Panel Presentations

• Panel Discussion

• Question & Answer Session

2


Kata Containers: Brief History

• Kata Containers project launched in December, 2017

• Goal: Improve security and performance for micro-

services delivery in hybrid clouds

• Team from the Open Stack open-source community

• Sources: Intel Clear Containers and Hyper.sh RunV

• Using thin VMs to provide secure, light, fast and agile

container management across stacks and platforms

3


Kata Containers: The Panel

NVMe Developer Days 2018

San Diego, CA 4

Manohar Castelino

Intel, virty container wizard

Eric Ernst

Intel, Kata Architecture

Committee

Lei (Harry) Zhang

Alibaba


San Diego, CA

December 2018 5



San Diego, CA 6


Features

Multi

HypervisorQEMU*/KVM,

NEMU/KVM,

Firecracker*

Works seamlessly

with Kubernetes*

and Docker*and is a drop in

replacement for runc

Open SourceOpen governance

project under the

OpenStack*

Foundation umbrella

Multi

Architecturex86, Arm*, PowerPC*,

s390x

OCI* compatible runtime that enhances security of container workloads in a lightweight virtual machines.

* Other names and brands may be claimed as the property of others.



San Diego, CA 4


Where to run Kata

Distro packagesCentOS*

Clear Linux*

Debian*

Fedora*

OpenSUSE*

SUSE Linux* Enterprise Server*

Red Hat* Enterprise Linux*

Ubuntu*

CloudAmazon Web Services* (AWS)

Microsoft Azure*

Google Compute Engine* (GCE)

VEXXHOST* OpenStack Cloud

Packet.IO

Hardware Supportx86_64

arm64

ppc64le

s390x


Lei (Harry) ZhangStaff Software Engineer, Alibaba


Bio

• Lei (Harry) Zhang

• Staff Software Engineer of Alibaba (and Cloud)

• Previously: hyper.sh

• Now: co-maintainer of Kubernetes, co-leading engineering effort on Alibaba’s Kubernetes upstream and large-scale cluster management system as well


Sandboxed Container Runtime In Alibaba

各种运行时的比较

Kata：• Better compatibility• Use qcow2 as graph driver• Long running service• Supporting Serverless product of Alibaba

gVisor：• Quicker start time，lower overhead• Used to run batch job and other restricted

runtime platforms

Focus on sandboxed container lifecycle & Kubernetes, including both Kata & gVisor

Apps

Emulationkernel

Apps

Network

stack

Apps

Emulationkernel

Apps

Network

stack

kvm

hardware


YarnFUXI Mesos

Kubernetes

“Elf” Container APIServerless infra

Legacy Batch Job User (also Alibaba tenants)Alibaba tenants

LRSFor

Spark

For Flink

For PAI

For …

Pouch Containerd

runc runtime kata runtime

LRS Batch Job

agile

Legacy BatchJob

UntrustedCode

Legacy Batch Job

secure

hypervisor

kata agent

guest kernel

container

rootfs

hypervisor

kata agent

guest kernel

container(batch job)

Rootfs/initrd

Standard Mode

Advanced Mode

Agent of tenants

Sandboxed Runtime in Multi-tenant Kubernetes of Alibaba


Next:

Panel Discussion and Q/A Session

19


Kata Containers: The Panel


San Diego, CA 20

Manohar Castelino

Intel, virty container wizard

Eric Ernst

Intel, Kata Architecture

Committee

Lei (Harry) Zhang

Alibaba

kata containers: design, architecture and...

Documents