Release of Kata Containers 3.0 with virtualization-based isolation

After two years of development, the Kata Containers 3.0 release has been published. The project develops a stack for running containers with isolation based on full virtualization mechanisms. It was created by Intel and Hyper by combining the Clear Containers and runV technologies. The project code is written in Go and Rust and distributed under the Apache 2.0 license. Development is overseen by a working group created under the auspices of the independent OpenStack Foundation, which includes companies such as Canonical, China Mobile, Dell/EMC, EasyStack, Google, Huawei, NetApp, Red Hat, SUSE and ZTE.

At the heart of Kata is the runtime, which creates compact virtual machines that run under a full hypervisor, instead of using traditional containers that share the host Linux kernel and are isolated only with namespaces and cgroups. Using virtual machines provides a higher level of security, protecting the host against attacks that exploit vulnerabilities in the Linux kernel.

Kata Containers is focused on integrating into existing container isolation infrastructures with the ability to use such virtual machines to enhance the protection of traditional containers. The project provides mechanisms to make lightweight virtual machines compatible with various container isolation frameworks, container orchestration platforms, and specifications such as OCI (Open Container Initiative), CRI (Container Runtime Interface), and CNI (Container Networking Interface). Integrations with Docker, Kubernetes, QEMU, and OpenStack are available.


Integration with container management systems is achieved through a layer that emulates container management and, via a gRPC interface and a special proxy, talks to the control agent inside the virtual machine. Inside the virtual environment launched by the hypervisor, a specially optimized Linux kernel is used, containing only the minimum set of necessary features.

As the hypervisor, Dragonball Sandbox (a KVM-based edition optimized for containers) together with the QEMU toolkit is supported, as well as Firecracker and Cloud Hypervisor. The system environment includes an initialization daemon and the agent. The agent runs user-defined container images in OCI format for Docker and via CRI for Kubernetes. When used with Docker, a separate virtual machine is created for each container, i.e. the hypervisor-launched environment is used to nest containers.


To reduce memory consumption, the DAX mechanism is used (direct access to the file system, bypassing the page cache and the block device layer), and KSM (Kernel Samepage Merging) is used to deduplicate identical memory areas, which allows host system resources to be shared and a common system-environment template to be attached to different guest systems.

In the new version:

  • An alternative runtime (runtime-rs), which builds the contents of containers, has been proposed, written in the Rust language (the previously supplied runtime is written in Go). The runtime is compatible with OCI, CRI-O and Containerd, making it compatible with Docker and Kubernetes.
  • A new dragonball hypervisor based on KVM and rust-vmm has been proposed.
  • Added support for GPU access forwarding using VFIO.
  • Added support for cgroup v2.
  • Implemented support for changing settings without changing the main configuration file by replacing blocks in separate files located in the "config.d/" directory.
  • Rust components use a new library for safely working with file paths.
  • The virtiofsd component (written in C) has been replaced with virtiofsd-rs (written in Rust).
  • Added support for sandbox isolation of QEMU components.
  • QEMU uses the io_uring API for asynchronous I/O.
  • Support for Intel TDX (Trust Domain Extensions) has been implemented for QEMU and Cloud Hypervisor.
  • Updated components: QEMU 6.2.0, Cloud-hypervisor 26.0, Firecracker 1.1.0, Linux kernel 5.19.2.
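The config.d/ override mechanism listed above lets an operator change settings without editing the main configuration file, which also means the effective configuration is no longer visible in one place. The following added example (not Kata's own code) shows how such drop-in fragments are typically merged and how to audit which keys they changed. It assumes, as Kata's configuration files are TOML, that the base file and the fragments are TOML, that fragments are applied in sorted filename order, and that a later fragment's keys override earlier ones recursively; the file contents and key names are constructed for the example, in the style of Kata's configuration.toml.

```python
"""Drop-in configuration merge with an override audit (added example, not Kata code).

Assumptions (not taken from the Kata project): fragments in config.d/ are TOML,
are applied in sorted filename order, and override the base file recursively.
"""
import re
from typing import Any


def parse_toml_subset(text: str) -> dict:
    """Parse the TOML subset used here: [dotted.tables], strings, ints, bools.

    Comments start with '#'; values containing '#' are not supported here.
    """
    root: dict = {}
    current = root
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            # Open (or reopen) a nested table such as [hypervisor.qemu]
            current = root
            for part in line[1:-1].split("."):
                current = current.setdefault(part.strip(), {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = _parse_value(value.strip())
    return root


def _parse_value(v: str) -> Any:
    if v.startswith('"') and v.endswith('"'):
        return v[1:-1]
    if v in ("true", "false"):
        return v == "true"
    if re.fullmatch(r"-?\d+", v):
        return int(v)
    raise ValueError(f"unsupported value: {v!r}")


def merge_into(base: dict, override: dict, path: str, changes: list) -> None:
    """Recursively apply override onto base, recording every key it sets.

    Each change is (dotted.key, old_value_or_None, new_value).
    """
    for key, value in override.items():
        full = f"{path}.{key}" if path else key
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            merge_into(base[key], value, full, changes)
            continue
        old = base.get(key)
        if key not in base or old != value:
            changes.append((full, old, value))
        base[key] = value


def load_with_dropins(base_text: str, dropins: dict) -> tuple:
    """Return (effective_config, changes) for a base file plus config.d/ fragments."""
    config = parse_toml_subset(base_text)
    changes: list = []
    for name in sorted(dropins):  # assumed: lexicographic application order
        merge_into(config, parse_toml_subset(dropins[name]), "", changes)
    return config, changes


# Constructed sample input in the style of a Kata configuration.toml
BASE_CONFIG = """
[hypervisor.qemu]
path = "/usr/bin/qemu-system-x86_64"
default_vcpus = 1
default_memory = 2048

[runtime]
enable_debug = false
"""

# Constructed config.d/ fragments keyed by filename
DROPINS = {
    "20-memory.toml": """
[hypervisor.qemu]
default_memory = 4096
""",
    "10-debug.toml": """
[runtime]
enable_debug = true
""",
}


if __name__ == "__main__":
    effective, overrides = load_with_dropins(BASE_CONFIG, DROPINS)
    print("effective configuration:", effective)
    for key, old, new in overrides:
        print(f"config.d changed {key}: {old!r} -> {new!r}")
```

Running the script prints the merged configuration and one line per key that a fragment changed, which is the list an operator would review to confirm that drop-ins only adjust what was intended.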

Source: opennet.ru
