Kata Containers Version 2.0 Ships with Rust Agent for Improved Security, Performance With 10x Footprint Reduction

Kata Containers 2.0 delivers significant improvements in observability and manageability for building secure container infrastructure

Open Infrastructure Summit — Today, the open source project Kata Containers™ issued version 2.0 of the software. Kata Containers provides a way of isolating containerized workloads with security comparable to virtual machines (VMs) without the performance burden of full VMs. This solution offers a fast and secure deployment option for anything from highly regulated workloads to untrusted code, spanning public and private cloud, containers-as-a-service and edge computing use cases.

Kata Containers 2.0 delivers improved performance and observability enhancements as the community continues to address the challenge of providing secure, light, fast and agile container management technology across stacks and platforms:

  • One of the most fundamental changes is a rewrite of the Kata Containers agent. To help reduce the attack surface and reduce overhead, the agent was rewritten in Rust. The main benefit users will see is a 10-fold reduction in size, from 11MB to 300KB. The rewrite and refactoring also adopts ttRPC for agent communication, further reducing the user's footprint.
  • Kata Containers 2.0 offers significant improvements around observability and manageability. Kata Containers now provides metrics about the runtime itself, the VMM, as well as the guest kernel, all in Prometheus format. This will help administrators with understanding the infrastructure impact of running Kata Containers and will help users and developers better understand workload performance.
  • This release added support for the Cloud Hypervisor VMM, up to the same level of support as QEMU. The Cloud Hypervisor VMM gives users a choice of virtualization stack that is designed with only cloud workloads in mind (i.e. cloud-native and serverless) as opposed to more generic solutions.
  • Kata-agent-ctl, a tool for agent API debugging, was added to the 2.0 release.

“Kata Containers 2.0 is an exciting release for the community,” said Xu Wang, senior staff engineer at Ant Group. “In the 2.0 development cycle, we kept working on weaving Kata into the cloud native infrastructure fabric invisibly by reducing the overhead and improving operability and debuggability. At Ant Group, Kata Containers is running on thousands of nodes and over 10,000 CPU cores, and part of our deployment has been upgraded to a 2.0 pre-release version. We believe the isolation provided by Kata Containers will be the cornerstone of our financial-grade infrastructure architecture.”

Kata Containers 2.0 will be available during the Open Infrastructure Summit this week. Check https://katacontainers.io/software/ for download availability.

Upcoming on the software roadmap, the community is developing features to allow users to pull container images inside a sandbox for advanced security and isolation as well as better IO stream handling.

Kata Containers Community Continues to Expand
Over the Kata Containers 2.0 development timeframe, the Kata Containers community added almost 4,000 changes from 167 contributors and 26 organizations including Adobe, Alibaba, ARM, Atlassian, Baidu, Cray, Google, Microsoft, NVIDIA, and Orange. The Architecture Committee just completed an election last month and includes members from Ant Group, Apple, Intel and Red Hat. Current infrastructure donors include AWS, Google Cloud, Microsoft, PackageCloud, Packet and Vexxhost.

The Kata Containers community has grown since it was announced at KubeCon in December 2017, and open source contributors passionate about container security are invited to get involved. Contributors can expect to work upstream across multiple infrastructure and container orchestration communities, including Kubernetes, containerd / CRI-O, Docker, OCI, CNI, QEMU, rust-vmm, cloud-hypervisor, KVM and OpenStack. Get started by connecting with the Kata Containers community.

Meet the Kata Containers Team at Open Infrastructure Summit This Week, October 19-21
Members of the Kata Containers community are presenting on the project and use cases at the Open Infrastructure Summit, being held virtually this week. Sessions include:

  • Changpeng Liu and Xiaodong Liu: Building High Efficient Storage Infrastructure for Secure Container on Top of SPDK
  • Kailun Qin: Kata * TEE = A Lego-Like Two-way Sandbox for Seamless Security and Privacy
  • Bin Liu: Observability in Kata Containers 2.0
  • Fupan Li and Wei Yang: The Practice and Landing of Kata Containers in Ant Group and Alibaba Group
  • Yi Wang: Time-Sensitive Networking (TSN) Enabling on StarlingX
  • Yan Song: Toward Next Generation Container Image
  • Hongliang Tian, Tianjia Zhang and Yutong Jin: Towards Enclave-as-a-Container with Inclavare Containers and Occlum
  • Jose Carlos Venegas Munoz: Cloud Hypervisor and Kata Containers: A Path Towards Modernization

About Kata Containers
Kata Containers is an open infrastructure project of the Open Infrastructure Foundation. Delivering the speed and performance of containers with the security of virtual machines, Kata Containers is designed to be architecture agnostic and is compatible with Open Container Initiative (OCI) images as well as the container runtime interface (CRI) for Kubernetes. Kata Containers is hosted on GitHub under the Apache 2 license. Connect with the Kata Containers community.

About the Open Infrastructure Foundation
The Open Infrastructure Foundation (OIF) builds communities that write open source infrastructure software that runs in production. With the support of over 100,000 individuals in 187 countries, the OIF hosts open source projects and communities of practice, including infrastructure for AI, container native apps, edge computing and datacenter clouds.

Contact Author

Robert Cathey

Allison Price