What is the Kata Container?

이민석
Mar 06, 2024

Introduction

Thank you for clicking through to my article. I have been a DevOps engineer for 2 years on a dev team of 7 engineers.

My name is MINSEOK, LEE, but I use Unchaptered as an alias on the internet, so you can call me either "MINSEOK, LEE" or "Unchaptered" if you want to ask something.

Topic

In this article, I'll cover the following:

  1. What is the Kata Container?

VM vs Container

Atlassian (Blog) | Containers vs. virtual machines

Before we dive into Kata Containers, let's review the traditional VM (virtual machine) and the Docker container.

VMs and containers are similar resource virtualization technologies.
Virtualization is the process by which a single system resource, such as RAM, CPU, disk or networking, is "virtualized" and presented as multiple resources.
The key differentiator between VMs and containers is that virtual machines virtualize an entire machine down to the hardware layer, while containers only virtualize the software layers above the operating system level.

Generally, a VM is heavier than a container.
But every container carries a kernel-related exposure, because all containers on a host share the same OS and kernel.

What is the Kata Container?

A Kata Container is a lightweight VM that feels like a container.
It provides a stable container by isolating workloads with hardware virtualization.

It has the following features:

  1. Security
    → separate dedicated kernel

  2. Separate networking
    → provides isolation of network, I/O and memory
    → provides an isolated environment without the performance drain of VMs

  3. Conformance
    → Compatible with OCI and CRI

    OCI (Open Container Initiative)
    Defines standards for creating and running containerized applications within the open container ecosystem

    CRI (Container Runtime Interface)
    Standardized interface between container runtimes and container orchestrators, enabling systems like Kubernetes to support various container runtimes

  4. Simplicity
    → Easily launch containers without running them on top of existing VMs that carry all of the OS functionality.

Kata Containers Hypervisor and VMM support

Kata Containers (GitHub) / Design - Virtualization # Kata Containers Hypervisor and VMM support

Advanced Parts | Kata Container and OpenStack

OSKG (Youtube) | [2020.09 Seminar] Kata Container using zun, OpenStack

In this advanced part, we dig deeper into Kata Containers.

Adv | Traditional Container vs Kata Container

  • Traditional Container

    • A container is a process running on the host

    • Isolation via cgroups and namespaces (kernel features)

    • Uses the shared kernel

Adv | Shared kernel issue

  1. A malicious user can use the shared kernel from inside their container to gain access to other containers.

  2. Security issues

    1. Insecure container image

    2. Containers running with root privileges

    3. Containers not fully isolated from the host

  3. Problem

    1. Eventually a container escape occurs.
      The malicious user can then access the application, the host OS and the kernel, so this issue can potentially cause many problems.

  4. Solution

    1. We need to create a layer of separation between the container and the host.

Adv | The solution of shared kernel issue

Ways to reinforce security:

  • Use a seccomp profile

  • Use SELinux or AppArmor profiles

  • Use specific (Linux) user permissions, not root permission

  • Use a traditional VM

  • Use Kata Containers
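A quick way to check whether a traditional container actually applies the first three points above, as an added example that is not from the original post: it audits an OCI runtime-spec config.json (the bundle format runc consumes, the same OCI spec named in the Conformance section) and lists the gaps. The two sample configs are constructed for the demonstration; field names follow the OCI runtime spec.

```python
import json

# Capabilities that effectively hand the shared kernel to the container.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE"}
# Namespaces a container must not share with the host to count as isolated.
REQUIRED_NAMESPACES = ("pid", "mount", "network", "ipc")


def audit_oci_config(config: dict) -> list:
    """Return the hardening gaps found in an OCI runtime-spec config.json."""
    findings = []
    process = config.get("process", {})
    linux = config.get("linux", {})
    # "Use specific user permissions, not root permission"
    if process.get("user", {}).get("uid", 0) == 0:
        findings.append("runs as root (process.user.uid == 0)")
    bounding = set(process.get("capabilities", {}).get("bounding", []))
    for cap in sorted(bounding & DANGEROUS_CAPS):
        findings.append(f"dangerous capability in bounding set: {cap}")
    # "Use a seccomp profile"
    if "seccomp" not in linux:
        findings.append("no seccomp profile (linux.seccomp missing)")
    # "Use SELinux or AppArmor profiles"
    if not process.get("apparmorProfile") and not process.get("selinuxLabel"):
        findings.append("no AppArmor profile or SELinux label on the process")
    # "Containers not fully isolated from the host": a missing namespace is shared
    present = {ns.get("type") for ns in linux.get("namespaces", [])}
    for ns in REQUIRED_NAMESPACES:
        if ns not in present:
            findings.append(f"shares the host {ns} namespace")
    return findings


def audit_oci_file(path: str) -> list:
    """Audit the config.json of an OCI bundle directory on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_oci_config(json.load(fh))


# Constructed sample configs, not taken from a real bundle.
WEAK_CONFIG = {"process": {"user": {"uid": 0, "gid": 0},
                           "capabilities": {"bounding": ["CAP_SYS_ADMIN", "CAP_NET_RAW"]}},
               "linux": {"namespaces": [{"type": "mount"}, {"type": "network"}]}}
HARDENED_CONFIG = {"process": {"user": {"uid": 1000, "gid": 1000},
                               "apparmorProfile": "docker-default",
                               "capabilities": {"bounding": ["CAP_NET_BIND_SERVICE"]}},
                   "linux": {"seccomp": {"defaultAction": "SCMP_ACT_ERRNO"},
                             "namespaces": [{"type": t} for t in REQUIRED_NAMESPACES]}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_oci_config(cfg) or ["no findings"])
```

The last two bullets, a VM or Kata Containers, do not show up in config.json at all: they change which kernel the process runs on rather than how the shared one is restricted.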

Adv | Purpose of kata container

  • Get VM-like isolation

  • Get container-like performance

Adv | History of kata container

Adv | A deeper look at the traditional container and the Kata Container at the 'runtime' level

  1. CLI etc. | calls the container CLI

  2. High-level runtime | pulls the container image from the registry

  3. Low-level runtime | runc, runv (OCI-spec compatible)

  4. OCI

  5. Container

[Docker Container Process]

[Kata Container Process]

[Diff]

Adv | The inside (kernel) view of the Kata Container

  1. The hypervisor boots a mini-OS image with a guest kernel.

    1. The only services running on the mini-OS are systemd and kata-agent.

    2. kata-agent uses libcontainer to create the OS (e.g., Ubuntu) container context.

  2. Inside the mini-OS, systemd runs, and kata-agent runs alongside it.

  3. kata-agent, using libcontainer, controls the containers inside the VM.

Adv | Kata container in Platform(OpenStack, Kubernetes)

  • [Version 1.x]

  • [Version 2.x]

Adv | Why/when should you use Kata Containers?

What is RDMA?

To use RDMA with a Docker container, there are several ways to do this:

  1. Use the root account for RDMA

  2. Build a custom Docker binary against Docker itself.

This is not impossible, but it can lead to security issues.

Should we use the secure way with Kata Containers?

When we use Kata Containers, we get these advantages.

  1. Multi-OS

    1. You can use a different OS and configuration in each Kata Container

      1. Linux 4.8 + GPU

      2. Linux 4.6

      3. Linux 3.14

  2. Separate workloads

    1. Trusted: run with runC or in an OpenStack VM

    2. Untrusted: run with Kata Containers

  3. Edge computing

    1. Ideal for edge deployments with limited resources.
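How the CRI conformance mentioned earlier lets Kubernetes send only the "untrusted" workloads to Kata while "trusted" ones stay on runc, as an added example that is not from the original post or the seminar. It assumes the node's CRI runtime (for example containerd) has a runtime named `kata` registered for the Kata shim; the Pod name and image are placeholders.

```yaml
# RuntimeClass: the cluster-level name for "run this Pod under Kata".
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
# CRI handler name; the node's container runtime (containerd here, assumed)
# must map this handler to the Kata runtime, otherwise Pods fail to start.
handler: kata
---
# Only Pods that reference the RuntimeClass get a dedicated guest kernel;
# Pods without it keep running on the shared host kernel via runc.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-job            # placeholder name
spec:
  runtimeClassName: kata
  containers:
    - name: worker
      image: registry.example.com/untrusted-worker:1.0   # placeholder image
      # Defence in depth: still drop root even inside the Kata VM.
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        allowPrivilegeEscalation: false
```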

Conclusion

As I learned Kata Container, I also gained a better understanding of VMs and Containers. It also increased my awareness of several security vulnerabilities.
