One year after its launch, Kata Containers has grown into a global community delivering OCI-compliant secured containers. Its latest release, version 1.4, is optimized for cloud environments and protects against a single container using up host resources, which could otherwise lead to problems such as denial of service.
Kata Containers is an open source project and community working to build a standard implementation of lightweight VMs that feel and perform like containers, but provide the workload isolation and security advantages of adding a virtual machine layer.
In the last year, the project has added features to make Kata Containers easier to deploy in production, by request of the community’s CSP participants. It also has scaled to support more architectures including AMD64, ARM/ARM64 and IBM p-series in addition to Intel.
Version 1.4 of Kata Containers is now available and includes new features such as:
- Host cgroups support – The virtual machine is now constrained in a host-side CPU cgroup, so the requested CPU quota and period are better honored. This protects against a single container using up host resources, which could lead to problems such as denial of service.
- NEMU ‘virt’ machine type support – This new machine type is optimized for cloud environments. NEMU is a lighter-weight version of QEMU intended to reduce the VM attack surface, improving security. To learn more, see https://github.com/intel/nemu.
- New NetInterworkingModel ‘none’ – Works with tap endpoint types so that enlightened CNI plugins can add tap devices to a sandbox directly, bypassing host network namespaces and providing better performance with less network setup complexity.
- New NetInterworkingModel ‘tcfilter’ – Another method for Kata Containers to bridge the host netns veth and the guest tap device, using TC filter rules. It delivers more compatibility with different network endpoint types and CNI plugins.
- macvlan and ipvlan network support – These networking models provide lightweight, fast access to underlay or host interfaces without NAT.
- Guest rootfs image gets ‘guest_hook_path’ – This path stores prestart/poststart/prestop/poststop hook binaries, which are executed in the guest at the corresponding container life-cycle point. This helps with vendor-specific device pass-through to the Kata VM.
The 1.3.0 and 1.2.2 stable releases shipped in September 2018, with features such as network and memory hotplug to better support CSP customers running production environments. The community also continued its pursuit of cross-architecture design by adding more support for ARM64 as well as Intel(R) Graphics Virtualization Technology.
The Kata Containers community recently hosted a meetup in China for large cloud providers, including Alibaba, Baidu, Huawei and Tencent, to share adoption plans and feedback on the Kata Containers roadmap.
The Kata Containers community continues to work closely with the OCI and Kubernetes communities to ensure compatibility, and regularly tests Kata Containers across Azure, GCP and OpenStack public cloud environments. The Kata Containers project is supported by the OpenStack Foundation.