Kata Containers is a free and open source project aimed at building standard lightweight virtual machines (VMs). These VMs have the feel of containers and work like them, but have the security isolation of VMs. Kata Containers has community support but is looking for more contributors with varied expertise and skills.
During the latest OpenStack Summit at Vancouver in May 2018, the OpenStack Foundation announced the Kata Containers 1.0 release, which is designed to bolster container security. The Kata Containers project provides a virtualisation isolation layer to help run multi-tenant container deployments in a more secure manner than running containers natively on bare metal. The effort provides a micro-virtual machine (VM) layer that can run container workloads.
The 1.0 release delivers fully integrated code for the two contributing technologies that form the foundation of the project: Intel Clear Containers from Intel Corporation and runV technology from Hyper.sh. It also delivers an OCI-compatible runtime with seamless integration for the container ecosystem technologies like Docker and Kubernetes. By combining two of the leading virtualised, open source container code bases, Kata Containers is well positioned to solve the challenge of providing secure, light, fast and agile container management technology across stacks and platforms.
The components of release 1.0
The command line interface (CLI) part of the Kata Containers runtime component is kata-runtime, also referred to as the ‘runtime’. It leverages the virtcontainers package to provide a high-performance, standards-compliant runtime that creates hardware-virtualised containers. The runtime is OCI-compatible, CRI-O-compatible and Containerd-compatible, allowing it to work seamlessly with both Docker and Kubernetes. Kata Containers currently works on systems supporting the following technologies:
- Intel’s VT-x technology
- ARM’s Hyp mode (virtualisation extension)
- IBM’s Power Systems
The other components of the 1.0 release are:
- The kata-shim is a process that runs on the host. It acts as though it is the workload (which actually runs inside the virtual machine). This shim is required to be compliant with the OCI runtime specification.
- The kata-proxy is a process that runs on the host and co-ordinates access to the agent running inside the virtual machine.
- The kata-ksm-throttler is an optional utility that monitors containers and de-duplicates memory to maximise container density on a host.
- The kata-agent runs inside the virtual machine and sets up the container environment.
- The osbuilder tool can create a rootfs and a ‘mini O/S’ image. This image is used by the hypervisor to set up the environment before switching to the workload.
Call for contributions
Kata Containers is working to build a global, diverse and collaborative community. If you are interested in supporting the technology, you are welcome to participate. Contributors with a range of expertise and skills are needed, covering development, operations, documentation, marketing, community organisation and product management. You can learn more about the project at katacontainers.io, or see the code repositories on GitHub to contribute to the project. You could also talk to fellow contributors on the Freenode IRC channel (#kata-dev) or on Kata Containers Slack, or subscribe to the kata-dev mailing list. The links to all of these are given in the ‘References’ below.