Containers
Kata Containers on openSUSE
Kata Containers provide a secure container runtime offering an experience close to that of native containers, while providing stronger workload isolation and host infrastructure security by using hardware virtualization technology. This is particularly useful when containers are used to host and run third-party applications. In this presentation, after a short intro to Kata, we will demonstrate how easy it is to install and use on openSUSE. We will show it in action both as part of a podman setup as well as within a full-featured Kubernetes environment.
With containers becoming not only the preferred way of deploying applications, but also the building blocks of microservice architectures, infrastructure security and workload isolation concerns are being raised. The Kata Containers Open Source project addresses these concerns by using virtualization technology, in compliance with the "defense in depth" design principles. It is also a very flexible, dynamic and fast-moving project, with many components that need to be integrated among each others.
This presentation will illustrate how easy it can already be to use Kata as a container runtime on top of the openSUSE distribution. In fact, after giving a short introduction of Kata Containers and its architecture, we will provide a DEMO of how we have integrated Kata into openSUSE and how it can be used with podman to run containers in a secure and isolated fashion. As Kata is compatible with the OCI (Open Container Initiative) runtime specification, it can be used to seamlessly replace or coexist with other runtimes (e.g. runc) in existing Container Engines (podman, CRI-O, docker, ...), even inside a Kubernetes cluster. We will therefore be able to show how native containers and strongly isolated Kata containers can run together on the same platform. Finally, we will also demonstrate how to set Kata Containers up as an alternative runtime inside of a Kubernetes Cluster.
Additional information
| Type | devroom |
|---|
More sessions
| 2/1/20 |
Podman is the container management tool of your choice when it comes to boosting day-to-day development tasks around containers. The journey of Podman started as a drop-in replacement for docker, but nowadays it’s even more than just that. For example, Podman is capable of managing pods, running containers without being root and supports fine granular configuration possibilities.
|
| 2/1/20 |
The biggest problem of the OCI Image Spec is that a container cannot be started until all the tarball layers are downloaded, even though more than 90% of the tarball contents are often unneeded for the actual workload. This session will show state-of-the-art alternative image formats, which allow runtime implementations to start a container without waiting for all its image contents to be locally available. Especially, this session will put focus on CRFS/stargz and its implementation status in ...
|
| 2/1/20 |
BPF as a foundational technology in the Linux kernel provides a powerful tool for systems developers and users to dynamically reprogram and customize the kernel to meet their needs in order to solve real-world problems and without having to be a kernel expert. Thanks to BPF we have come to the point to overcome having to carry legacy accumulated over decades of development grounded in a more traditional networking environment that is typically far more static than your average Kubernetes ...
|
| 2/1/20 |
Kube-proxy enables access to Kubernetes services (virtual IPs backed by pods) by configuring client-side load-balancing on nodes. The first implementation relied on a userspace proxy which was not very performant. The second implementation used iptables and is still the one used in most Kubernetes clusters. Recently, the community introduced an alternative based on IPVS. This talk will start with a description of the different modes and how they work. It will then focus on the IPVS ...
|
| 2/1/20 |
The difficult task to checkpoint and restore a process is used in many container runtimes to implement container live migration. This talk will give details how CRIU is able to checkpoint and restore processes, how it is integrated in different container runtimes and which optimizations CRIU offers to decrease the downtime during container migration. In this talk I want to provide details how CRIU checkpoints and restores a process. Starting from ptrace() to pause the process, how parasite code ...
|
| 2/1/20 |
Recently the kernel landed seccomp support for SECCOMPRETUSER_NOTIF which enables a process (supervisee) to retrieve a fd for its seccomp filter. This fd can then be handed to another (usually more privileged) process (supervisor). The supervisor will then be able to receive seccomp messages about the syscalls having been performed by the supervisee. We have integrated this feature into userspace and currently make heavy use of this to intercept mknod(), mount(), and other syscalls in user ...
|
| 2/1/20 |
Today, the task of running containers involves a lot of technologies and levels of abstraction, and it can be difficult to understand, or just to keep up. How do CRI-O and containerd overlap ? Does Kata containers compete with Firecracker ? Is there any relationship between OCI and CRI ? How many different meanings can "container runtime" have ? In this talk, we will navigate this treacherous sea of overlapping technologies and acronyms that take care of running container workloads, below ...
|
