Kata Container Architecture: First Steps with ACRN
03/06/2019
vijay.dhanraj@intel.com
Agenda
 Why Kata?
 Container eco-system
 Kata architecture Overview
 Kata adaptations to support ACRN
 ACRN-DM features to support Kata
 Current Results & Next Steps
Why Kata?
[Diagram: a host Linux kernel running several processes, each isolated only by namespaces/cgroups, all sharing the same CPU, memory, network and storage]
Software is not enough!
Why Kata?
[Diagram: three deployment models side by side. Left: containers and their processes sharing a single Linux kernel. Middle: containers placed inside full VMs, each VM with its own guest Linux kernel on the host Linux kernel. Right, Kata Containers: every container runs in its own VM with its own guest Linux kernel on top of HW virtualization]
"trust something to someone"
To achieve more security and avoid noisy-neighbor issues, cloud providers spun up containers inside a VM. Maintaining each individual VM becomes a pain!
Container eco-system
[Diagram: OpenStack, Docker and Kubernetes sit above the CRI and OCI interfaces. Below OCI, runc starts the process in a container directly on the Linux kernel, while Kata-Runtime starts it in a container inside a VM with its own guest Linux kernel on HW virtualization]
Since Kata is OCI compliant, it easily fits into the existing container eco-system!
Container eco-system: Kubernetes
o Kubelet: Primary "node agent" that runs on each node. It has one job: given a set of containers to run, make sure they are all running.
o CRI-O: An implementation of the Kubernetes CRI (Container Runtime Interface) to enable using OCI (Open Container Initiative) compatible runtimes.
o Pod: A group of one or more containers, with shared storage/network, and a specification for how to run the containers.
o Pause Container: Part of each pod that is responsible for creating the shared network, assigning the IP address and sharing volumes for all containers inside a pod.
o Regular containers vs VM-based containers: which runtime CRI-O picks depends on its default trust level and on the pod annotation io.kubernetes.cri-o.TrustedSandbox:

  Default CRI-O trust level | annotation not set | annotation = true | annotation = false
  trusted                   | runc               | runc              | Kata containers
  untrusted                 | Kata containers    | Kata containers   | Kata containers

[Diagram: Kubelet -> CRI-O -> (OCI) runc, which runs the pod's container directly, or (OCI) Kata-runtime, which runs the pod's container inside a VM]
Kata Architecture Overview
[Diagram: Kata-Runtime receives the OCI command; one Kata-Shim per container process carries its I/O. Both talk gRPC to Kata-Proxy on the host, which forwards gRPC over Yamux to Kata-Agent inside the VM (guest Linux kernel on the hypervisor), where the agent runs the containers and their processes]
o Kata-Runtime: An OCI compatible container runtime, responsible for handling all commands specified by the OCI runtime specification.
o Kata-Agent: A process running in the guest as a supervisor for managing containers and processes running within those containers.
o Kata-Shim: A container process reaper, such as Docker's containerd-shim or CRI-O's conmon.
o Kata-Proxy: A process offering access to the VM's kata-agent to multiple kata-runtime and kata-shim clients associated with the VM.
Kata Architecture Overview: OCI lifecycle - Create
[Sequence diagram: Kata-Runtime receives the OCI create command. It starts the VM through the hypervisor and starts Kata-Proxy, which opens a socket connection, connects to the VM and listens on the serial connection until it is established. Kata-Runtime then asks Kata-Agent (through the proxy) to create the container, and Kata-Shim attaches to carry the process I/O. Container is created and running!]
Kata Architecture Overview: Container infrastructure
[Diagram: Kata-Runtime passes the OCI Spec to Kata-Agent in the VM, which uses libcontainer on the guest Linux kernel to create the container and its process]
o All namespaces (PID, UTS, IPC, ...) are created by kata-agent running inside the VM, except the network namespace and the shared PID namespace.
o Resource constraints:
   Inside the VM: achieved by passing values through the kernel command line used to boot the guest (configuration.toml).
   Inside the container: the container orchestrator, be it Kubernetes or Docker, needs to specify the resources via the OCI spec.
  • E.g. "docker run -it --cpus=".5" ubuntu /bin/bash" would ensure that the container can use at most 50% of the CPU.
o Since ACRN-DM doesn't support 9pfs, the device-mapper storage driver is used.
   Benefits: device-mapper is POSIX compliant and more performant than 9pfs.
o The container rootfs is provided as a block device and is hot-plugged directly into the container.
[Diagram: a block device on the host is exposed through virtio-blk to the guest Linux kernel and becomes the container's rootfs and volumes inside the VM]
Kata Architecture Overview: Host Namespaces
[Diagram: in the host network namespace sits the Docker bridge. A pre-start hook (CNI/CNM plugin) creates a veth pair from the host into a new network namespace, where a bridge connects the veth end to a TAP device used by the VM]
The network namespace is run in the host, as network plugins expect to create an interface between the container namespace and the host network namespace.
Kata Architecture Overview: Sum-up
1. Create the network namespace where we will spawn the VM and shim processes.
2. Call into the pre-start hooks for creating the veth network pair between the host network namespace and the freshly created network namespace.
3. Scan the network from the new network namespace, and create a bridge connecting the veth interface to a tap.
4. Start the VM inside the network namespace.
5. Wait for the VM to be ready.
6. Start kata-proxy, which will connect to the created VM (single proxy per VM).
7. Communicate with kata-agent (through the proxy) to configure the sandbox inside the VM.
8. Communicate with kata-agent to create the container, relying on the OCI configuration file config.json initially provided to kata-runtime.
9. Start kata-shim, which will connect to the gRPC server socket provided by the kata-proxy. kata-shim will spawn a few Go routines to parallelize the blocking calls ReadStdout() and ReadStderr().
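Steps 1 to 4 of the sum-up, and the veth/bridge/tap topology of the Host Namespaces slide, as an added shell example; it is not part of the deck and not code from the Kata or ACRN projects. It assumes iproute2 (`ip`) with `-n`/`-netns` support, a host-side CNI/Docker bridge named docker0, and the constructed interface names tap0, br0 and veth-<ns>-h / veth-<ns>-g. With DRY_RUN=1 the functions print the commands instead of executing them, which is how the block can be tried without root; real execution needs CAP_NET_ADMIN.

```shell
#!/bin/sh
# Added example: host-side network plumbing for one Kata sandbox, as plain
# iproute2 commands. Interface and bridge names are constructed for the example.
set -eu

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: the sandbox network namespace in which the VM and the shims will run.
create_sandbox_netns() {
    ns=$1
    run ip netns add "$ns"
    run ip -n "$ns" link set lo up
}

# Step 2: what the CNI/CNM pre-start hook does: a veth pair whose host end is
# enslaved to the host bridge and whose other end is moved into the sandbox
# namespace. Interface names must stay within the kernel's 15-character limit.
create_veth_pair() {
    ns=$1 host_if=$2 guest_if=$3 host_bridge=$4
    run ip link add "$host_if" type veth peer name "$guest_if"
    run ip link set "$guest_if" netns "$ns"
    run ip link set "$host_if" master "$host_bridge"
    run ip link set "$host_if" up
}

# Step 3: inside the new namespace, bridge the veth end to a TAP device that
# the VM's virtio-net backend attaches to.
bridge_veth_to_tap() {
    ns=$1 guest_if=$2 tap_if=$3 br_if=$4
    run ip -n "$ns" tuntap add "$tap_if" mode tap
    run ip -n "$ns" link add "$br_if" type bridge
    run ip -n "$ns" link set "$guest_if" master "$br_if"
    run ip -n "$ns" link set "$tap_if" master "$br_if"
    run ip -n "$ns" link set "$guest_if" up
    run ip -n "$ns" link set "$tap_if" up
    run ip -n "$ns" link set "$br_if" up
}

# Step 4: start the VM inside the namespace so its TAP backend sees the bridge
# built above. The acrn-dm argument list itself comes from kata-runtime's
# configuration.toml and is deliberately not reproduced here.
start_vm_in_netns() {
    ns=$1; shift
    run ip netns exec "$ns" "$@"
}

# Build the whole topology for sandbox $1 (host bridge assumed to be docker0).
setup_kata_sandbox_network() {
    ns=$1
    create_sandbox_netns "$ns"
    create_veth_pair "$ns" "veth-${ns}-h" "veth-${ns}-g" docker0
    bridge_veth_to_tap "$ns" "veth-${ns}-g" tap0 br0
}

# Tear down: deleting the namespace removes the tap, the bridge and the guest
# end of the veth pair, which also destroys its host-side peer.
teardown_kata_sandbox_network() {
    ns=$1
    run ip netns delete "$ns"
}
```

Running `DRY_RUN=1; setup_kata_sandbox_network kata1` lists the thirteen commands that produce the slide's topology; without DRY_RUN, run the same call as root and then `start_vm_in_netns kata1 <vm command>` for step 4.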
Kata adaptations to support ACRN
o Kata-runtime:
   Added ACRN hypervisor as a supported hypervisor, so that the kata config can pick ACRN instead of QEMU when launching the VM:
    [hypervisor.acrn]
    path = "/usr/bin/acrn-dm"
    kernel = "/usr/share/kata-containers/vmlinuz.container"
    # initrd = "/usr/share/kata-containers/kata-containers-initrd.img"
    image = "/usr/share/kata-containers/kata-containers.img"
   Implemented Sandbox Management APIs such as CreateSandbox, FetchSandbox, ...
  • https://github.com/kata-containers/documentation/blob/master/design/kata-api-design.md#sandbox-management-api
   Implemented Sandbox Operation APIs such as StartSandbox, StopSandbox, PauseSandbox, ...
  • https://github.com/kata-containers/documentation/blob/master/design/kata-api-design.md#sandbox-operation-api
   Implemented the hot-plug API (currently a workaround; working on adding PCI device hot-plug support in ACRN-DM).
  • https://github.com/kata-containers/documentation/blob/master/design/kata-api-design.md#sandbox-hotplug-api
   Prime the devices, image and kernel as parameters for ACRN-DM when launching the VM.
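A preflight check for the [hypervisor.acrn] section above, as an added shell example; it is not from the deck and not part of kata-runtime. It reads the section with a minimal awk reader (enough for `key = "value"` lines and `#` comments, not a general TOML parser, which is an assumption of this example), verifies that acrn-dm is executable and that the kernel and guest image exist, and flags a section that sets both image and initrd, since kata-runtime boots the guest from exactly one of the two; that is why the slide's configuration comments initrd out. File locations are whatever the configuration names; the test below constructs its own.

```shell
#!/bin/sh
# Added example: validate the [hypervisor.acrn] section of a Kata
# configuration.toml before kata-runtime is pointed at it.
set -eu

# Print the value of key $2 in section $1 of file $3 (empty if absent).
# Minimal reader: `key = "value"` lines only; commented lines are skipped.
toml_get() {
    section=$1 key=$2 file=$3
    awk -v want="[$section]" -v key="$key" '
        /^[ \t]*#/ { next }                                    # comment line
        /^[ \t]*\[/ {                                          # section header
            line = $0; gsub(/[ \t]+$/, "", line)
            in_sec = (line == want); next
        }
        in_sec && index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]*"|"[ \t]*$/, "", v)               # strip quotes
                print v
                exit
            }
        }' "$file"
}

# Return 0 when the ACRN hypervisor section is usable, 1 otherwise,
# printing one line per problem found.
check_acrn_hypervisor_config() {
    cfg=$1 rc=0
    dm=$(toml_get hypervisor.acrn path "$cfg")
    kernel=$(toml_get hypervisor.acrn kernel "$cfg")
    image=$(toml_get hypervisor.acrn image "$cfg")
    initrd=$(toml_get hypervisor.acrn initrd "$cfg")

    [ -n "$dm" ] && [ -x "$dm" ] || { echo "path: acrn-dm not executable: '$dm'"; rc=1; }
    [ -n "$kernel" ] && [ -f "$kernel" ] || { echo "kernel: not found: '$kernel'"; rc=1; }

    # The guest boots from either a rootfs image or an initrd, never both.
    if [ -n "$image" ] && [ -n "$initrd" ]; then
        echo "image and initrd are both set; kata-runtime accepts only one"; rc=1
    elif [ -n "$image" ]; then
        [ -f "$image" ] || { echo "image: not found: '$image'"; rc=1; }
    elif [ -n "$initrd" ]; then
        [ -f "$initrd" ] || { echo "initrd: not found: '$initrd'"; rc=1; }
    else
        echo "neither image nor initrd is set"; rc=1
    fi
    return $rc
}
```

Call `check_acrn_hypervisor_config /path/to/configuration.toml` after editing the file; a non-zero exit with the printed reasons is cheaper to read than a failed VM launch from the runtime.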
ACRN-DM features to support Kata
o Socket backend support:
   Kata uses socket communication to talk between kata-runtime <-> kata-proxy, kata-shim <-> kata-proxy and kata-proxy <-> kata-agent running inside the VM.
   Implemented a socket backend for the virtio-console device in acrn-dm (this feature is already merged upstream):
  • -s x,virtio-console,socket:"socket name"="socket path"   where x is the PCI slot number.
o PCI device hot-plug support:
   Kata Containers hot-plugs the container rootfs for both Docker and Kubernetes.
  • When Kubernetes creates a pod, it first creates a pause container and subsequently creates the application container(s). The rootfs of the application container is not known when the VM is launched, so it needs to be hot-plugged.
   Looking at both ACPI-based hot-plug and PCI/PCIe hot-plug support for the PCI device (the container rootfs is passed as a virtio-blk device). Scoped out the initial design and code changes that would be needed in acrn-dm. (WIP)
o Graceful shutdown of VMs:
   When a Kata container finishes its job, the expectation is that the VM associated with the container will be shut down gracefully. (WIP)
Current Result
Next Steps
o Complete PCI device hot-plug support in ACRN-DM.
o Complete support for graceful shutdown of VMs.
o Complete validation with Kubernetes/Docker and identify limitations.
   For example, Docker privileged mode cannot be supported, as there is no simple way to grant the VM access to all of the host devices, which is what this mode expects.
o Create a PR for the Kata changes and upstream them.
   The Kata team wants all the ACRN-DM related changes to be complete.
o Performance optimizations to exceed or at least match qemu/firecracker.
Thank You!
