Kata Containers is an open source project designed to address the main security concern associated with containers, namely that they share the host kernel, and to isolate different workloads or environments from one another. Kata Containers combines technology from Intel Clear Containers and Hyper runV. The code is hosted on GitHub under the Apache 2 license and the project is managed by the OpenStack Foundation. Ovum believes that interest in Kata Containers will accelerate as the ability to isolate container workloads to the same degree that virtual machines (VMs) can be isolated becomes an issue for some market segments.
Providing isolation of containers beyond just the namespace approach is a key security requirement
Kata Containers consists of six components: Agent, Runtime, Proxy, Shim, Kernel, and QEMU.
Agent: The Agent runs inside the VM and interfaces with the Runtime; it spawns the processes and containers inside the VM.
Runtime: The Runtime is the command-line interface to Kata Containers and manages the host environment. It is OCI-compatible, allowing it to work seamlessly with both Docker and Kubernetes.
Proxy: One Kata Proxy instance is launched per VM to multiplex and de-multiplex the commands and I/O streams exchanged with that VM.
Shim: The Shim manages the communications between the container and the Agent. It uses Google's Remote Procedure Call framework (gRPC) to call into the Agent as if it were a local object, even though the Agent runs on a different machine (the VM). The Shim is needed because the host operating system cannot monitor the container process directly, since that process runs inside the VM; the Shim therefore stands in for the container process on the host, and the container process reaper monitors the Shim instead.
Kernel: The lightweight VM created by Kata Containers requires a guest kernel and a guest operating system; the container is created and booted inside that guest operating system.
QEMU: QEMU is an open source full-virtualization solution for Linux; it runs the lightweight VM.
The concept behind Kata Containers is to build an OCI-compliant, lightweight VM that operates and behaves like a container. Using this approach, Kata Containers can offer a higher level of workload isolation than the namespace-based isolation that current OCI-compliant containers rely on. The level at which this isolation applies depends on the technology in use: for Docker environments the VM isolation is at the container level, whereas for Kubernetes the VM isolation is provided at the pod level.
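To make the pod-level granularity concrete, the following is an added example (not from this note or the Kata project) of a Kubernetes RuntimeClass that selects Kata and a Pod that opts into it; it assumes the node's CRI runtime (containerd or CRI-O) already registers a Kata runtime handler named `kata`.

```yaml
# RuntimeClass mapping a Kubernetes handler name to the Kata runtime.
# Assumption: the node's CRI is already configured with a runtime handler
# called "kata" that invokes kata-runtime.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# A Pod that opts into Kata. Both containers below share one lightweight VM
# (isolation is per pod, not per container), but that VM has its own guest
# kernel, so neither container runs directly on the host kernel.
apiVersion: v1
kind: Pod
metadata:
  name: kata-demo
spec:
  runtimeClassName: kata   # without this line the pod runs on the default, namespace-only runtime
  containers:
  - name: app
    image: nginx:1.25
  - name: sidecar
    image: busybox:1.36
    command: ["sh", "-c", "uname -r; sleep 3600"]
```

After `kubectl apply`, `kubectl logs kata-demo -c sidecar` prints the kernel version seen inside the pod; when the pod really runs in a Kata VM this is the guest kernel and differs from the host's `uname -r`, which is a quick way to confirm the isolation is in effect.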
Roy Illsley, Principal Analyst, Infrastructure Solutions