Launched at the end of 2017, the Kata Containers open source project aims to combine the security advantages of virtual machines (VMs) with the speed and manageability of containers, bringing a stronger container solution to users. What progress has the project made in the past two years? What features will the next version on the roadmap contain? Let's start with a quick review of the Kata Containers project's progress.
Origin: Kata Containers
When Docker came out in 2013, containers became the hot new thing, and developers around the world embraced them. Containers package an application together with its operating system environment in a standard format, making it possible to move quickly and reliably from one computing environment to another, which is crucial for developers who want to build, test, and deploy software fast. Containers are lightweight, low overhead, can be scheduled and started almost immediately, run in any environment, suit microservices, scale resources, and so on (to name just a few popular advantages). Despite their many technical advantages, containers have a disadvantage: they share a kernel with the host, which can lead to serious security vulnerabilities. In theory, if multiple containers are deployed on a single host and one of them is compromised by malicious code, all the other containers on that host are also exposed because they share the same kernel, which poses a serious security threat to the cloud infrastructure as a whole. If you are a cloud provider, that threat extends to cloud customers' data and business, which is absolutely something to avoid.
Figure 1. Traditional containers: Container isolation and resource constraints are achieved primarily through cgroups and namespaces that share the kernel
Therefore, many operations and maintenance (O&M) teams responsible for large-scale container deployments "nest" containers inside virtual machines, logically isolating them from other processes running on the same host, but running containers in virtual machines loses the speed and agility benefits of containers. Developers at Intel and Hyper.sh (now part of Ant) recognized this problem and began working independently on a solution. Both companies wanted containers to be free of the burden of traditional virtual machines, in other words, to develop "cloud-native virtualization" technology:
- Engineers at Intel started Clear Containers, using Intel Virtualization Technology (Intel VT) to improve performance and security isolation;
- At the same time, the engineers at Hyper.sh started the open source project runV with a similar strategy, placing containers in a secure "sandbox" and focusing on a technology-neutral solution by supporting multiple CPU architectures and hypervisors;
In 2017, the two companies merged their projects to complement each other, creating the Kata Containers open source project. Intel and Hyper.sh, in collaboration with the developer community, hope to accelerate the development of new features to meet the needs of emerging use cases, while providing an excellent application experience for end users in terms of performance and compatibility through the joint efforts of all parties. Kata Containers became the OpenStack Foundation's (OSF) first hosted project outside of OpenStack, officially debuting at KubeCon North America in December 2017 under the community motto "Fast as a container, stable as a virtual machine". In essence, Kata Containers gives each container/pod its own separate kernel, running in a lightweight virtual machine. Because each container/pod now runs in a dedicated virtual machine, malicious code cannot reuse a shared kernel to reach adjacent containers, so Container as a Service (CaaS) vendors can more safely run containers on bare metal. Because of the hardware isolation between containers, Kata Containers allows untrusted tenants, even production applications and uncertified applications, to operate safely in the same cluster.
Figure 2. Kata Containers: Each container/POD is isolated in its own lightweight virtual machine
As a result, Kata Containers are as light and fast as containers, and integrate seamlessly with the container ecosystem (including popular orchestration tools such as Docker and Kubernetes), while still having the security advantages of a virtual machine.
Community development
During the first year of the Kata Containers project, the community focused on merging the Intel and Hyper.sh code bases, presenting the project's hardware isolation solution (a feature other container runtimes lacked) at industry events around the world, and inviting a large number of community developers to work on the project. The Kata Containers community now has many contributors and supporters, including 99Cloud, Alibaba, AMD, AWS, Baidu, Canonical, China Mobile, City Network, Dell EMC, EJet Cloud, Homehome, Google, Huawei, IBM, Microsoft, Red Hat, SUSE, Tencent, Tongfang Youyun, ZTE, Nvidia, Mirantis, NetApp, PackageCloud, Packet, Vexxhost, and many other influential companies. The project is growing steadily as the community grows. Community achievements include:
- Compliance with the Open Container Initiative (OCI) specification: the Kata Containers community continues to work closely with OCI and the Kubernetes community, and periodically tests Kata Containers in the AWS, Azure, GCP and OpenStack public cloud environments, as well as on all major Linux distributions;
- Added support for major architectures, including AMD64, ARM, IBM P-Series and IBM Z-Series, in addition to x86_64;
- Seamless integration with the upstream Kubernetes ecosystem: Kata Containers can now connect immediately to most out-of-the-box Kubernetes networks;
- Removal of unnecessary layers of indirection: the community removed the kata-proxy component and introduced shim-v2 with the help of the Kubernetes SIG-Node developers and the containerd community, reducing the number of Kata Containers helper processes;
- Lower overhead and higher speed: the community is working to increase startup speed, reduce memory consumption, and move toward (almost) "zero overhead" sandbox technology. For this purpose, several virtual machine monitors (VMMs) are supported, including QEMU, QEMU-Lite, NEMU and AWS Firecracker. Integration with the containerd project led to the establishment of the rust-vmm project, and in 2019 the community rewrote the in-sandbox agent in Rust, significantly reducing its number of anonymous pages. In short, the community is minimizing overhead through a series of improvements, such as the introduction of the Firecracker VMM to reduce memory overhead to 10 MB, and the Rust agent to reduce the agent's anonymous pages from 10 MB to 1.1 MB.
- "Cloud-native virtualization": unlike the virtual machine domain, the container domain is application-centered. To bridge this difference, the community introduced virtio-vsock and virtio-fs. virtio-mem, a more flexible memory elasticity technology, will be introduced later.
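The two community achievements above that matter most to an operator are the shim-v2 integration with containerd and the claim that untrusted tenants can share a cluster. Both reduce, in practice, to one question: is a given pod actually running under a RuntimeClass whose handler is the Kata shim-v2 runtime, rather than falling back to the default runtime that shares the host kernel? The following is an added example (not code from the Kata Containers project or from this article) that audits that. The containerd config fragment, RuntimeClass, namespace and pod objects are constructed sample data in the shape `kubectl ... -o json` produces, and the namespace label `tenant-trust=untrusted` is an assumed site convention, not a Kata or Kubernetes default. The section header form `[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.<name>]` and the runtime type `io.containerd.kata.v2` are the ones containerd uses to register the Kata shim-v2.

```python
"""Audit: do all pods in untrusted-tenant namespaces run under a Kata RuntimeClass?

Every manifest and config fragment in this file is constructed sample data.
The `tenant-trust` namespace label is an assumed convention (not a default).
"""
import re

# Constructed containerd CRI config fragment registering two runtimes.
CONTAINERD_CONFIG = """
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
  runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
  runtime_type = "io.containerd.kata.v2"
"""

# Constructed: what `kubectl get runtimeclass -o json` would return.
# `handler` must equal the runtime name in a containerd section above.
RUNTIME_CLASSES = {"items": [
    {"kind": "RuntimeClass", "metadata": {"name": "kata"}, "handler": "kata"},
    {"kind": "RuntimeClass", "metadata": {"name": "runc"}, "handler": "runc"},
]}

# Constructed namespaces; the tenant-trust label is an assumed convention.
NAMESPACES = {"items": [
    {"metadata": {"name": "platform", "labels": {"tenant-trust": "trusted"}}},
    {"metadata": {"name": "tenant-b", "labels": {"tenant-trust": "untrusted"}}},
]}

# Constructed pods as `kubectl get pods -A -o json` would list them.
PODS = {"items": [
    {"metadata": {"name": "ingress", "namespace": "platform"},
     "spec": {"runtimeClassName": "runc"}},
    {"metadata": {"name": "tenant-fn-1", "namespace": "tenant-b"},
     "spec": {"runtimeClassName": "kata"}},
    # No runtimeClassName: this pod silently gets the default (host-kernel) runtime.
    {"metadata": {"name": "tenant-fn-2", "namespace": "tenant-b"}, "spec": {}},
]}

SECTION = re.compile(
    r'^\[plugins\."io\.containerd\.grpc\.v1\.cri"\.containerd\.runtimes\.([\w-]+)\]$')
RUNTIME_TYPE = re.compile(r'^runtime_type\s*=\s*"([^"]+)"$')


def registered_runtimes(config_text):
    """Map runtime name -> runtime_type from a containerd CRI config fragment."""
    runtimes, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            runtimes.setdefault(current, None)
            continue
        m = RUNTIME_TYPE.match(line)
        if m and current:
            runtimes[current] = m.group(1)
    return runtimes


def kata_runtime_classes(runtime_classes, runtimes):
    """Names of RuntimeClasses whose handler is registered as the Kata shim-v2."""
    return {rc["metadata"]["name"] for rc in runtime_classes["items"]
            if runtimes.get(rc.get("handler")) == "io.containerd.kata.v2"}


def untrusted_namespaces(namespaces, label="tenant-trust", value="untrusted"):
    """Namespaces carrying the (assumed) untrusted-tenant label."""
    return {ns["metadata"]["name"] for ns in namespaces["items"]
            if ns["metadata"].get("labels", {}).get(label) == value}


def find_violations(pods, untrusted, kata_classes):
    """(namespace, pod, runtimeClassName) for untrusted pods not under Kata."""
    out = []
    for pod in pods["items"]:
        meta = pod["metadata"]
        if meta["namespace"] not in untrusted:
            continue
        rc = pod["spec"].get("runtimeClassName")
        if rc not in kata_classes:
            out.append((meta["namespace"], meta["name"], rc))
    return out


if __name__ == "__main__":
    runtimes = registered_runtimes(CONTAINERD_CONFIG)
    kata = kata_runtime_classes(RUNTIME_CLASSES, runtimes)
    for ns, name, rc in find_violations(PODS, untrusted_namespaces(NAMESPACES), kata):
        print(f"{ns}/{name}: runtimeClassName={rc!r} shares the host kernel")
```

On the sample data the audit reports `tenant-b/tenant-fn-2`, the pod that omitted `runtimeClassName` and therefore runs on the shared host kernel despite living in an untrusted namespace. The check resolves RuntimeClass through the containerd registration rather than trusting the class name, because a RuntimeClass called `kata` whose handler points at `runc` gives no isolation at all; in a real cluster the same logic belongs in an admission policy so the pod is rejected rather than found afterwards.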
For more details on the project, see Wang Xu's blog series: Kata Containers: Two Years in the Making
Kata Containers application practice of Baidu Intelligent Cloud
Baidu, China's leading search engine operator, the world's largest Chinese-language website host, and a leading AI company, runs Kata Containers at massive scale (over 43K CPU cores!) in Baidu Intelligent Cloud, in scenarios including Baidu Intelligent Cloud Function Computing (CFC), Baidu Intelligent Cloud Container Instance (BCI), and Baidu edge computing. Baidu Intelligent Cloud is Baidu's cloud computing platform for enterprises and developers, committed to providing integrated artificial intelligence, big data and cloud computing services to enterprises from all walks of life. According to Synergy Research Group's Asia Pacific Public Cloud Market Report for the first quarter of 2019, Baidu has become one of the top four players in China's public cloud market. Baidu Intelligent Cloud is a complex network with large traffic volumes and complex deployment scenarios, such as a single cluster with 1 billion+ peak daily page views and a single tenant with a container scale of 50,000+. After extensive research on secure container technology, the Baidu team concluded that Kata Containers is a secure container technology with high security and practicality, and chose Kata Containers for its technology development and deployment. In the white paper "Application practice of Kata Containers in Baidu Intelligent Cloud", Baidu explained its reasons for selecting Kata Containers, recorded and shared its Kata Containers use cases, the technical challenges encountered in applying the technology, and the innovative ways Baidu engineers solved them. Zhang Yu, senior architect at Baidu and author of the white paper, said:
- Baidu must find out how to make full use of container lightweight and agility, while improving its container isolation to ensure the security of resource sharing, so as to ensure the security of the entire cloud infrastructure and tenant business and data.
- The virtual machine isolation mode of Kata Containers not only ensures safe isolation of Containers in a multi-tenant environment, but also realizes invisibility to applications and users.
- Kata Containers, as a secure container solution, plays an important role in Baidu’s container services and meets the diversified needs of customers by replacing Virtual Machine Monitor (VMM) in different scenarios.
In its successful application to become a power user, Baidu laid out how Kata Containers has changed its business:
In 2019, our Kata Containers-based products achieved market success in FaaS (Function as a Service), CaaS (Container as a Service) and edge computing. Baidu Intelligent Cloud Function Computing Service (CFC) is based on Kata Containers to provide a deployment platform for technology developers of intelligent hardware for small assistants (DuerOS, a conversational artificial intelligence operating system with 100 million installations), providing computing power for more than 3,000 developers with nearly 20,000 skills. Baidu Container Instance Service (BCI) provides powerful infrastructure support for Baidu's internal big data business and helps the big data department build a multi-tenant Serverless data processing platform. Baidu Intelligent Cloud Edge Computing Node (BEC) provides an open service for all customers, isolating multiple users from each other so that they do not affect each other, based on the characteristics of Kata Containers.
In a speech at the Open Source Infrastructure Summit in Shanghai in November 2019, Zhang said Baidu already has 17 significant online businesses migrated to Kata Containers. Kata Containers provides container-level virtual machine-like security mechanisms that give customers great confidence and reduce their concerns when moving their business to a container environment.
Kata Containers 2.0 technology roadmap
Over the past two years, the Kata Containers community has increased container isolation at the cost of some overhead, while pushing virtualization to become more lightweight and "container friendly." The future vision of the Kata Containers project is to keep improving sandbox isolation, further reduce overhead, and develop cloud-native virtualization technology that isolates cloud-native applications transparently at minimal cost. Kata Containers version 2.0 is expected to be released later this year with the following key objectives:
- Maintain compatibility with the existing Kubernetes ecosystem;
- Allow all applications to be sandboxed, including runtime processes, images/root filesystems, etc.;
- Remove unnecessary functions from the agent and reduce the number of Kata Containers helper processes by rewriting key components in Rust and improving other parts of the architecture;
- Improve security, for example by adjusting the architecture to keep host-side functions in user space as much as possible, and by allowing long-lived processes to run without root permissions;
- Add support for virtio-mem, a new memory scaling technology that allows page-by-page memory scaling without breaking security isolation, and removes the need to model hardware limitations such as memory DIMMs that do not physically exist;
- Cloud Hypervisor support, configured and customized for Kata Containers scenarios;
To learn more about the community's plans for version 2.0, please see Wang Xu's blog series:
- Kata Containers: Cloud native virtualization
- Kata Containers: Blueprints for 2.0
Baidu is a good example of active participation and success in open source projects and communities. The Kata Containers community welcomes other individuals and organizations to contribute code, documentation and use cases to the development, optimization and growth of the project.
To learn more about the Kata Containers project, visit the community website: katacontainers.io
About the author
Horace Li: Community Manager of the OpenStack Foundation in China, mainly responsible for promoting the development of the OpenStack ecosystem in China and increasing the activity and participation of open source infrastructure projects (including Kata Containers) and their communities. Prior to joining the OpenStack Foundation, he worked at the Intel Open Source Technology Center for 13 years as a Technical Account Manager supporting open source community projects in China.