Kata Containers: The way to run virtualized containers
Sebastien Boeuf, Linux Software Engineer, Intel Corporation
Slide deck transcript
Slide 3: Containers 101
Diagram: a host Linux kernel running three processes, each confined by its own namespaces; the shared resources shown are CPU, memory, network and storage.
Slide 4: Software is not enough!
Diagram: the same picture, one host Linux kernel shared by all three namespaced processes; the isolation between them is purely software (namespaces), with CPU, memory, network and storage all served by that single kernel.
Slide 6: Manual isolation
Diagram: a bare-metal server hosting two VMs; each VM runs its own Linux kernel with three namespaced processes, so the VM boundary is added by hand on top of namespace isolation.
Slide 8: Kata Containers legacy
Timeline: Intel® Clear Containers (May 2015) leading to Kata Containers (Dec 2017).
*Other names and brands may be claimed as the property of others.
Slide 9: Kata Containers 101
Diagram: one host Linux kernel running three VMs; each VM has its own guest Linux kernel and runs its process inside namespaces, with hardware virtualization separating each VM from the host.
Slide 11: Container ecosystem
Diagram: Docker and OpenStack drive runc through the OCI interface; runc creates the container and its process.
Slide 12: Container ecosystem
Diagram: Kubernetes reaches runc through the CRI and then the OCI interface; runc creates the container and its process.
Slide 13: Container ecosystem
Diagram: Kubernetes (via the CRI), Docker and OpenStack all end at the same place: runc invoked through the OCI interface to create the container and its process.
Slide 14: Seamless integration
Diagram: the same stack (Kubernetes via the CRI, Docker, OpenStack) now drives kata-runtime through the OCI interface; the container and its process run inside a VM with its own guest Linux kernel.
Slide 15: Architecture
Diagram: the runtime receives the OCI command and talks gRPC to the proxy; the proxy multiplexes gRPC over Yamux across the hypervisor's serial interface to the agent inside the VM (guest Linux kernel); the agent runs each container process in its namespaces (ns, proc); one shim per process sits on the host and relays that process's I/O through the proxy.
Slide 17: Architecture over VSOCK
Diagram: the same architecture without the proxy: the runtime and the shims speak gRPC directly to the agent across the hypervisor's VSOCK interface, which removes the serial-port multiplexing layer.
Slide 18: OCI lifecycle
Slide 19: OCI Lifecycle - run
Diagram: the runtime is invoked with kata-runtime run.
Slide 20: OCI Lifecycle - run
Diagram: the runtime starts the VM through the hypervisor; the guest Linux kernel boots.
Slide 21: OCI Lifecycle - run
Diagram: the agent inside the guest listens on the serial interface.
Slide 22: OCI Lifecycle - run
Diagram: the runtime starts the proxy.
Slide 23: OCI Lifecycle - run
Diagram: the proxy connects to the VM.
Slide 24: OCI Lifecycle - run
Diagram: the connection between runtime, proxy and agent is established.
Slide 25: OCI Lifecycle - run
Diagram: the runtime asks the agent to run the container; the agent creates the process inside its namespaces (ns, proc).
Slide 26: OCI Lifecycle - run
Diagram: the runtime starts the shim for that process.
Slide 27: OCI Lifecycle - run
Diagram: the shim takes over from the runtime, relaying I/O and signals for the container process through the proxy to the agent.
Slide 28: OCI Lifecycle - exec
Diagram: with the container running (agent, process in its namespaces, shim handling I/O and signals), the runtime is invoked with kata-runtime exec.
Slide 29: OCI Lifecycle - exec
Diagram: the runtime asks the agent to exec a new process; the agent starts it inside the existing container's namespaces.
Slide 30: OCI Lifecycle - exec
Diagram: the runtime starts a second shim for the new process.
Slide 31: OCI Lifecycle - exec
Diagram: the runtime exits; each shim now relays I/O for its own process through the proxy.
Slide 32: virtcontainers - More than just OCI
Diagram: virtcontainers, the library kata-runtime is built on, is consumed by the OCI runtime (kata-runtime) and, through the Kata API, by a native CRI implementation (frakti).
Back-ends by category: Hypervisor: QEMU/KVM, Xen. Network: CNM, CNI, MACVTAP, TC mirror, SR-IOV. Device: block, vfio. Storage: block, 9p.
Slide 34: OCI compatibility
Diagram: kata-runtime passes the OCI spec to the agent in the VM; the agent applies it with libcontainer, so the container inside the VM is configured from the same OCI spec a runc container would be.
Slide 35: Lightweight VM - NVDIMM/DAX
Diagram: the host exposes one shared, read-only root filesystem as an NVDIMM to each VM (VM 1, VM 2); each guest kernel maps it with DAX, so the rootfs is not copied into guest memory per VM.
Slide 36: Lightweight VM - KSM
Diagram: with KSM (kernel same-page merging) enabled on the host, identical memory pages of VM 1 and VM 2 are merged into shared pages underneath the hypervisor.
Slide 37: Fast VM - Templating
Diagram: a pool of pre-created VM templates; the runtime takes a VM from the pool, already booted with a guest kernel, 1 vCPU and 128 MiB of RAM.
Slide 38: Fast VM - Hotplug
Diagram: the runtime boots a minimal VM: guest kernel, 1 vCPU, 128 MiB RAM.
Slide 39: Fast VM - Hotplug
Diagram: after boot, the runtime hotplugs what the container needs; the VM grows to 3 vCPUs, 1024 MiB RAM and the required PCI devices.
Slide 40: Devices - virtio
Diagram (storage): on the host Linux kernel, QEMU emulates a block device with a virtio-scsi back-end; the guest kernel's virtio-scsi front-end exposes it to the container as /dev/sda.
Slide 41: Devices - virtio
Diagram (network): the host kernel's vhost-net back-end serves the emulated virtio-net front-end in the guest kernel; the container sees it as eth0.
Slide 42: Devices - HW passthrough
Diagram: the physical NIC is bound to vfio-pci on the host kernel and passed through to the VM; the guest kernel drives it natively with the ixgbe driver, and the container sees eth0.
Slide 43: Devices - SR-IOV bonus
Diagram: the NIC's physical function (PF) exposes virtual functions VF1, VF2 ... VFN; each VF is bound to vfio-pci on the host and passed to a different VM (VM 1, VM 2), where the guest kernel's ixgbe driver presents it to that VM's container as eth0.
Slide 44: Network - Macvtap
Diagram: inside the container network namespace, the container's veth pair is attached to a MACVTAP device that feeds vhost-net for the VM.
Slide 45: Network - Traffic control
Diagram: alternatively, traffic on the veth pair in the container network namespace is mirrored with TC (traffic control) onto a TAP device that vhost-net attaches to the VM.
Slide 46: Storage - 9p
Diagram: the host filesystem holding the container rootfs and volumes is shared into the VM over virtio-9p; the share is coldplugged (attached when the VM starts) and mounted by the guest kernel for the container.
Slide 47: Storage - blk
Diagram: when the rootfs or a volume is backed by a block device, the device is hotplugged into the VM over virtio-blk or virtio-scsi and mounted by the guest kernel for the container.
Slide 48: Host namespaces
Diagram: on the host side, each shim is placed in the container's PID and network namespaces; the actual container processes live inside the VM (guest Linux kernel), where the agent puts them in guest namespaces.
Slide 50: Multi OS
Diagram: one host Linux kernel running three VMs with different guest kernels (linux-4.16, linux-3.14, and linux-4.8 with a GPU module), each with its own container; the GPU is attached to the third VM.
Slides 51-53: Time to wrap up!
(image build-up only)
Slide 54: Play & contribute!
Sources: https://github.com/kata-containers/runtime
Get started: https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md
Slack: katacontainers.slack.com
IRC: #kata-dev@freenode
Mailing list: [email protected]