*

The speed of containers, the security of VMs

KataContainers.io
Contents
Project Overview

Technical Details

Governance

Get Involved
History

Intel® Clear Containers

May 2015 Dec 2017

*Other names and brands may be claimed as the property of others.
Technical Vision

● Light and fast VM-based containers

● Merge Intel® Clear Containers and Hyper runV technologies
● Seamless integration with Kubernetes (CRI), Docker and Openstack
● Support multiple architectures (x86 today; others to come in the future)
● Support multiple hypervisors (KVM today; others to come in the future)
 Intel® Clear Containers
Multi Architecture Direct Device Assignment
Multi Hypervisor SRIOV
Full Hotplug NVDIMM
K8s Multi Tenancy Multi-OS
VM templating KSM throttling
Frakti native support CRI-O native support
Traffic Controller net MacVTap, multi-queue net
Non-Technical Goals

● Open and vendor-neutral project

● All VM based containers, users and consumers under the same project
● Managed at the OpenStack Foundation*
● Independent from the OpenStack* software project
Containers in Cloud
Container A Container B Container C

App A App B App C

Middleware A Middleware B Middleware C

Linux* Kernel
Virtual Machine
Linux Kernel
Server Hardware
 Hypervisor Based Containers
Container A Container B Container C
● Each container/pod is
App A App B App C hypervisor isolated
● As secure as a VM
Middleware A Middleware B Middleware C ● As fast as a container
● Seamless integration
Linux Kernel A Linux Kernel B Linux Kernel C with the container
ecosystem and
Virtual Machine Virtual Machine Virtual Machine
management layers
Linux* Kernel
Server Hardware
Isolation

Speed
Technical Details
 Virtual Machine

Container Container
I/O OCI cmd/spec Command Exec

Container namespaces
Shim
Runtime
Shim
Agent
gRPC gRPC
Kernel
Proxy
gRPC over Yamux Hypervisor
Hypervisor serial interface
 Virtual Machine

Container Container
Command Exec

I/O OCI cmd/spec

Container namespaces

Shim Agent
Shim Runtime
gRPC
Kernel
gRPC
Hypervisor
Hypervisor VSOCK socket
 Fast as a Container

Create Start
$ kubectl apply -f nginx.yml

VM
Kernel Agent Start Pod
Boot

hotplug
Prepare Prepare
container Image Volumes
 Small as a Container

● Minimize memory footprint

○ Minimal rootfs
○ Minimal kernel
○ VM Template
○ DAX/nvdimm

● De-duplicate memory across VMs

○ KSM (with throttling)
Networking

MacVTAP
Pod
Kubernetes* veth pair Tap
Overlay
Network

Virtual Machine
Container networking namespace
Networking

tc
Pod
Kubernetes* veth pair Tap
Overlay mirror
Network

Virtual Machine
Container networking namespace
Storage

9pfs/virtio-blk
9pfs/virtio-blk

Container 1
Rootfs Volume
Overlay

Container 2
Rootfs Volume
9pfs/virtio-b 9pfs/virtio-blk
Overlay
lk
Virtual Machine
 Multi-tenant Kubernetes*

k8s k8s k8s

Pod Pod Pod Pod

VM VM VM VM
container
container container
container container
container container
container
Pod Pod Pod Pod
Pod Pod Pod Pod

VM VM VM VM VM VM VM VM

IaaS CaaS
Demo: Stackube - K8S with Hard Multi-tenancy

kubectl
k8s Node

k8s Master kubelet

Keystone
kube-apiserver (Tenant mgmt)
frakti (runtime shim)
Cinder
Tenant (CRD) (Persistent Volume)
Neutron
Network (CRD) (L2 Isolated Network)
CNI
Project Status - Code

Status Current Work

Shim Initial implementation merged Terminal size, code coverage

Proxy Initial implementation merged Code coverage, functional testing

Agent Initial implementation merged Shared PID ns, sub-reaping (agent is PID 1)

QEMU Vanilla 2.9 QEMU build config

Linux Kernel 4.13.13 + one 9pfs patch Minimal kernel config definition

OS builder Initial implementation merged Initrd/initramfs support

Agent Protocol V0.0.1 merged (pre-alpha) More declarative APIs, network APIs improved
Project Status - Code - Runtime

● No runtime code at the moment

● Step 1: Add both Clear Containers and runV
○ Adapted to Kata Containers architecture (gRPC, new components)
○ Both runtimes will work seamlessly with all the Kata Containers components
○ Users can switch runtime implementations transparently
● Step 2: Merge runtimes into one single implementation
● Step 3: Deprecate Clear Containers and runV
Project Status - Documentation and CI

● Documentation
○ Missing at the moment
○ Clear Containers and runV documentation as a backup
● CI
○ Travis based for now: Unit testing only
○ Will move to a nested virtualization enabled and/or bare metal public cloud
■ Functional and integration test
■ From unit testing up to the higher levels of the stack (Kubernetes, OpenShift)
What’s Next?

1H’2018 Horizon

● 1.0 Release (parity with RunV and CC 3.0 with upgrade path)
● CRI integration: Frakti, CRI-O, containerd-cri
● OCI runtime spec support for hypervisor based containers
● OSV support
● Documented case studies
Governance
Governance

The Kata Containers project is governed according to the “four opens,”

● open source
● open design
● open development
● open community

Technical decisions will be made by technical contributors and a representative

Architecture Committee. The community is committed to diversity, openness,
encouraging new contributors and leaders to rise up.
Governance

● Contributors
○ At least one github contribution for the past 12 months
● Maintainers
○ Active contributor, nominated by fellow maintainers
○ Can merge code
● Architecture Committee
○ Take high level architecture and roadmap decisions
○ 5 seats, elected by contributors
Governance

Architecture Committee
● The Architecture Committee is responsible for architectural decisions, including
standardization, and making final decisions if Maintainers disagree.
● It will be comprised of 5 members, who are appointed by the Maintainers at launch
but fully elected by Contributors within the first year.
● The initial Architecture committee members are Samuel Otiz (Intel), Xu Wang
(Hyper), Zhang Wei (Huawei) and Tim AllClair (Google).
 Governance

Working Committee
● The Working Committee is intended to make non-technical decisions and help influence the project strategy,
including marketing and communications, product management and ecosystem support.
● Representatives are expected to be active contributors who are committed to the health and success of the
project.
● Recognizing the project will grow and change quickly in the first six months, and in order to encourage diversity
and participation, the Working Committee will be forming up and finalizing it’s structure after the project launch.
● Initial appointed members include Amy Leeland (Intel) and James Kulina (Hyper). During this initial period, the
participants will appoint a leader to help organize and run regular meetings, coordinate the various work streams
and help define the long-term structure.
● The initial task will be to determine 2018 plans and appropriate work streams, working groups and funding to
execute on those plans.
● Anyone can join! Get involved in the #working-committee channel on Slack: bit.ly/KataSlack (case sensitive)
Get Involved
Contribute

● Code and documentation hosted on https://github.com/kata-containers/

● Major releases managed through Github* Projects
● Intel (Intel® Clear Containers) & Hyper (runV) contributing initial IP
● Apache 2 license
● Slack: katacontainers.slack.com
● IRC: #kata-dev@freenode
● Mailing-list: [email protected]
Where To Contribute?

● Code ● Documentation
○ Unit tests for agent, shim and proxy ○ Getting Started guides
○ PR reviews (agent, shim) ○ Code documentation
○ Osbuilder support for more distros

● Features Requests
● gRPC ○ Open issues and PRs for any feature
○ Input needed: Do we cover it all? that you’d like to get from Kata
○ API documentation Containers
Community

● You do not need to be an Individual Member of the OpenStack Foundation in

order to contribute, but if you want to vote in the annual OpenStack
Foundation Board of Directors election, you may join: openstack.org/join
● If you are contributing on behalf of an employer, they will need to sign a
corporate contributor license agreement, which now covers all projects
hosted by the OpenStack Foundation (same model as Apache and CNCF)
● Independent contributors may be submitted with a sign off header under the
DCO
Communication

● KataContainers Slack bit.ly/KataSlack (case sensitive)

● #kata-dev IRC freenode (Slack and IRC have a gateway to share messages)
● Mailing Lists: lists.katacontainers.io
● Twitter: @KataContainers
● Email: [email protected]
Thank you!
KataContainers.io