The open source project Kata Containers™ issued version 2.0 of the software. Kata Containers provides a way of isolating containerized workloads with security comparable to virtual machines (VMs) without the performance burden of full VMs. This solution offers a fast and secure deployment option for anything from highly regulated workloads to untrusted code, spanning public and private cloud, containers-as-a-service and edge computing use cases.
Kata Containers 2.0 delivers improved performance and observability enhancements as the community continues to address the challenge of providing secure, light, fast and agile container management technology across stacks and platforms:
- One of the most fundamental changes is a rewrite of the Kata Containers agent, the component that runs inside the guest VM and manages the workload. To reduce both attack surface and overhead, the agent was rewritten in Rust. The most visible benefit is the drop in binary size, from about 11MB to roughly 300KB (more than a 30-fold reduction). The rewrite also adopts ttRPC, a lightweight RPC protocol, for the agent API, further shrinking the agent's footprint.
- Kata Containers 2.0 offers significant improvements around observability and manageability. Kata Containers now provides metrics about the runtime itself, the VMM, as well as the guest kernel, all in Prometheus format. This will help administrators with understanding the infrastructure impact of running Kata Containers and will help users and developers better understand workload performance.
- This release adds support for the Cloud Hypervisor VMM, bringing it to the same level of support as QEMU. Cloud Hypervisor gives users a choice of a virtualization stack designed specifically for cloud workloads (cloud-native and serverless) rather than a more general-purpose hypervisor.
- kata-agent-ctl, a tool for debugging the agent API, was added in the 2.0 release.
“Kata Containers 2.0 is an exciting release for the community. In the 2.0 development cycle, we kept working on weaving Kata into the cloud native infrastructure fabric invisibly by reducing the overhead and improving operability and debuggability,” said Xu Wang, senior staff engineer at Ant Group. “At Ant Group, Kata Containers is running on thousands of nodes and over 10,000 CPU cores, and part of our deployment has been upgraded to a 2.0 pre-release version. We believe the isolation provided by Kata Containers will be the cornerstone of our financial-grade infrastructure architecture.”
Kata Containers 2.0 will be available during the Open Infrastructure Summit next week. Check https://katacontainers.io/software/ for download availability.
Upcoming on the software roadmap, the community is developing features that allow users to pull container images inside the sandbox, for stronger security and isolation, as well as better I/O stream handling.
Kata Containers Community Continues to Expand
Over the Kata 2.0 development timeframe, the Kata Containers community added almost 4,000 changes from 167 contributors and 26 organizations including Adobe, Alibaba, ARM, Atlassian, Baidu, Cray, Google, Microsoft, NVIDIA, and Orange. The Architecture Committee completed an election last month and includes members from Ant Group, Apple, Intel and Red Hat. Current infrastructure donors include AWS, Google Cloud, Microsoft, PackageCloud, Packet and Vexxhost.
The Kata Containers community has grown since the project was announced at KubeCon in December 2017, and open source contributors passionate about container security are invited to get involved. Contributors can expect to work upstream across multiple infrastructure and container orchestration communities, including Kubernetes, containerd / CRI-O, Docker, OCI, CNI, QEMU, rust-vmm, Cloud Hypervisor, KVM and OpenStack. Get started by connecting with the Kata Containers community.
Meet the Kata Containers Team at Open Infrastructure Summit Next Week, October 19-21
Members of the Kata Containers community will be presenting on the project and use cases at the Open Infrastructure Summit, held virtually next week. Sessions include:
- Changpeng Liu and Xiaodong Liu: Building High Efficient Storage Infrastructure for Secure Container on Top of SPDK
- Kailun Qin: Kata * TEE = A Lego-Like Two-way Sandbox for Seamless Security and Privacy
- Bin Liu: Observability in Kata Containers 2.0
- Fupan Li and Wei Yang: The Practice and Landing of Kata Containers in Ant Group and Alibaba Group
- Yi Wang: Time-Sensitive Networking (TSN) Enabling on StarlingX
- Yan Song: Toward Next Generation Container Image
- Hongliang Tian, Tianjia Zhang and Yutong Jin: Towards Enclave-as-a-Container with Inclavare Containers and Occlum
- Jose Carlos Venegas Munoz: Cloud Hypervisor and Kata Containers: A Path Towards Modernization
About Kata Containers
Kata Containers is an open infrastructure project of the OpenStack Foundation. Delivering the speed and performance of containers with the security of virtual machines, Kata Containers is designed to be architecture agnostic and is compatible with Open Container Initiative (OCI) images as well as the Container Runtime Interface (CRI) for Kubernetes. Kata Containers is hosted on GitHub under the Apache 2 license. Connect with the Kata Containers community:
- Freenode IRC: #kata-dev
- Slack: KataContainers.slack.com (Request invite.) (bridged to IRC)
- Website: katacontainers.io
- Developer Mailing List: lists.katacontainers.io
- Twitter: @KataContainers