Any discussion about Linux containers invariably goes to the differences between container technology and virtualization. Now, the open-source Kata Containers project, governed by the OpenStack Foundation, is leveraging those differences to make Linux container implementations more secure.
The goal of the Kata Containers open-source project and community is to build a standard implementation of lightweight virtual machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. In doing so, Kata may ease some of the concerns about containers, especially at scale. Here are 10 things you need to know about the project.
1. Why Kata? Why now?
There is a reason why the Linux container model has taken off like it has: Containers are light, fast and easy to integrate into many different application workflows. However, there are some potential security issues when you run containers, especially multitenant containers in a single operating system: Ultimately, the containers are sharing one kernel, one path for the I/O, the network, the memory, and so on. Therefore, a compromise of one container is a potential compromise of many. Kata is designed to mitigate this security issue with the hypervisor—creating a virtual machine that looks and feels like a container.
2. How it’s managed
The Kata Containers project is managed by OpenStack Foundation. OpenStack has announced its intention to take a wider role in the open source movement, and Kata is its first foray. Kata Containers is not part of “OpenStack the project”, but rather an independent project with its own technical governance and contributor base. The Kata Containers roadmap has support for multiple popular infrastructure providers and container orchestration frameworks, in addition to OpenStack-powered clouds, and the Kata Architecture Committee has representation from companies like Google and Microsoft.
3. What its origins are
Kata is based on Intel Clear Containers and Hyper runV technology. Intel and Hyper each had been running its own container project, utilising different strengths: Intel focused on performance, while Hyper was platform-agnostic. Intel’s and Hyper’s separate projects addressed the container security issue in parallel, but the two were not completely isolated and their results were somewhat similar. Both addressed a critical issue in containerized environments: the layering of environments, such as Kubernetes on OpenStack, or OpenStack on Kubernetes, or even Kubernetes on OpenStack on Kubernetes. Container orchestration is a layer in the stack, and Kata simplifies how these layers integrate while maintaining security.
4. How it’s licensed
Kata Containers is hosted on Github under the Apache 2 license. For more information and to get involved, go to www.katacontainers.io.
5. How the Kata architecture is designed
The Kata Containers project will initially comprise six components: the Agent, Runtime, Proxy, Shim, Kernel and packaging of QEMU 2.9. It is designed to be architecture-agnostic, run on multiple hypervisors, and be compatible with the OCI specification for Docker containers and CRI for Kubernetes.
What operating systems it runs on
For now, Kata Containers is a Linux-only play. On the host side, installation instructions for several popular distributions are available. There is also out-of-the-box support for Clear Linux, Fedora, and CentOS 7 rootfs images through the OSBuilder, which can also be used to roll your own guest images.
7. How Kata integrates with existing container platforms
By combining two well-integrated virtualised container open source code bases and moving the project to open governance, the Kata Containers community supports diverse architectures and drives technology adoption across multiple infrastructures and container orchestration communities, including Kubernetes, Docker, OCI, CRI, CNI, QEMU, KVM and OpenStack. For example, OCI compliance enables Docker images to be picked up and used without the need for re-tooling. In addition, because Kubernetes already runs on public cloud and orchestrates containers, Kata is already making headway with Kubernetes and how it integrates with new technology.
8. Examples of use cases
Kata works well in an environment where you need the efficiency of a container stack with a higher level of security than running containers side by side in a single kernel. This might include continuous integration/continuous delivery, network functions virtualisation, edge computing, development and testing, and containers as a service. In addition, Kata’s small footprint and high level of security will make it well suited to edge deployments where resources are limited. Kata Containers is still in the nascent stage, but the technical foundation of the project–Clear Containers and runV–are used globally at enterprise scale by organisations like JD.com, China’s largest ecommerce company (by revenue).
9. Who’s thrown in their support
At launch, Kata has the support of more than 20 companies, including 99cloud, AWcloud, Canonical, China Mobile, City Network, CoreOS, Dell/EMC, EasyStack, Fiberhome, Google, Huawei, JD.com, Mirantis, NetApp, Red Hat, SUSE, Tencent, Ucloud, UnitedStack and ZTE.
10. What does “kata” mean?
The word Kata comes from the Greek word, Καταπίστευμα (“ka-ta-PI-stev-ma”), which means “trust something to someone.”
Kata Containers is working to gain the trust of organisations looking to start or expand their use of Linux containers.