VIRTUALIZED CONTAINERS
Ananth, Himanshu, Rajaram, Sandeep, Siva, Sanjay
AGENDA
• VMs vs containers
• Virtualized containers
• Kata containers
• Container security
• Kata containers & Docker
• Kata containers & K8s
• Summary
VM VS CONTAINERS
Ref: https://katacontainers.io
VM VS CONTAINERS
• VMs are an abstraction of the hardware, allowing multiple servers to run
on the same hardware
• Containers are an abstraction at the application layer that packages
app code and dependencies together
• Each VM has its own operating system and all necessary binaries and
libraries, making it heavy
• Containers share the host OS kernel and carry only those packages
necessary to run the application, and are therefore very light
• VMs take time to boot up and their images are large in size
• The USP of containers is speed and portability
VIRTUALIZED CONTAINERS
• Speed of containers
• Security of VMs
• Otherwise called hypervisor based containers
VIRTUALIZED CONTAINERS CONTD…
Figure: traditional containers such as Docker (shared kernel) versus virtualized containers (dedicated kernel)
Ref: http://katacontainers.io
VIRTUALIZED CONTAINERS CONTD…
• Traditional containers share the underlying OS kernel.
• We run a lot of unknown, untrusted applications in
containers in our datacenter.
• If a malicious user gains access to the host OS kernel,
the rest of the containers and the entire system can be
compromised.
• Kata-runtime boots each container as a lightweight
VM, using hardware virtualization.
• Provides double isolation (container plus VM) without compromising on
performance
• Reduces the attack surface, thereby improving
security
CONTAINER SECURITY
• Docker itself is built with security and isolation
in mind. It provides a lot of inherent features and
hooks to make your system more secure.
• However, it does not prevent you from “Running
random code downloaded from the Internet
and running it as root”
• Provided proper security measures are taken and
best practices are adhered to, this need not be a concern
CONTAINER SECURITY CONTD…
• Host and kernel security
• Denial-of-service attacks
• Container breakout
• Credentials and secrets
• Authenticity of images
• Static image vulnerabilities
• Runtime security
KATA CONTAINERS
Ref: http://Katacontainers.io
KATA CONTAINERS WITH DOCKER
Ref: http://katacontainers.io
CONFIGURATION STEPS
• Enable virtualization (Intel VT / AMD-V) on the Docker host
• Create a drop-in config file inside docker.service.d
• Reload systemd and restart Docker
• Spin up Kata containers with the usual docker run command and docker images
[root@tt2aio docker-host]# cd /etc/systemd/system/docker.service.d
[root@tt2aio docker-host]# cat <<EOF | sudo tee kata-containers.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -D --add-runtime kata-runtime=/usr/bin/kata-runtime --default-runtime=kata-runtime
EOF
[root@tt2aio docker-host]# systemctl daemon-reload
[root@tt2aio docker-host]# systemctl restart docker
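The same drop-in as an added POSIX shell example (not from the slides or the Kata project): it renders the override into any directory, checks that it is well-formed before it is installed, and shows the post-restart checks; the function names and the DIR argument are this example's own, and the slide's dockerd -D (debug logging) flag is left out because it plays no part in switching the runtime.

```shell
#!/bin/sh
# Added example: render and validate the systemd drop-in that makes
# kata-runtime the default Docker runtime (paths as on the slide).
KATA_RUNTIME=/usr/bin/kata-runtime
DROPIN_NAME=kata-containers.conf

# render_dropin DIR: write the drop-in into DIR (normally
# /etc/systemd/system/docker.service.d) and print its path.
render_dropin() {
    dir="$1"
    mkdir -p "$dir"
    # The empty "ExecStart=" line is required: systemd appends ExecStart
    # entries and docker.service already has one, so the list must be
    # reset or the unit will fail to start after daemon-reload.
    cat > "$dir/$DROPIN_NAME" <<EOF
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --add-runtime kata-runtime=$KATA_RUNTIME --default-runtime=kata-runtime
EOF
    printf '%s\n' "$dir/$DROPIN_NAME"
}

# validate_dropin FILE: succeed only if the override resets ExecStart
# exactly once, sets it exactly once, registers kata-runtime and makes
# it the default. Purely textual, so it runs anywhere.
validate_dropin() {
    f="$1"
    [ "$(grep -c '^ExecStart=$' "$f")" -eq 1 ] || return 1
    [ "$(grep -c '^ExecStart=/' "$f")" -eq 1 ] || return 1
    grep -q -- '--add-runtime kata-runtime=' "$f" || return 1
    grep -q -- '--default-runtime=kata-runtime' "$f" || return 1
    return 0
}

# verify_live: run on the configured host after "systemctl restart docker".
# A Kata container boots its own guest kernel, so its uname -r must differ
# from the host's; a shared-kernel runtime would report the same string.
verify_live() {
    [ -x "$KATA_RUNTIME" ] || { echo "missing $KATA_RUNTIME"; return 1; }
    docker info --format '{{.DefaultRuntime}}' | grep -qx kata-runtime || return 1
    host_k=$(uname -r)
    guest_k=$(docker run --rm busybox uname -r)
    [ "$host_k" != "$guest_k" ]
}
```

Run `render_dropin /etc/systemd/system/docker.service.d`, then `validate_dropin` on the printed path before `systemctl daemon-reload`, and `verify_live` after the restart.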
K8S – CRI - OCI
Ref: https://katacontainers.io/posts/why-kata-containers-doesnt-replace-kubernetes
KATA CONTAINERS AND KUBERNETES
Figure: Kubelet speaks CRI to cri-containerd or cri-o, which invoke the Kata Runtime through OCI; the result is a VM that holds the Pod and its Container
SUMMARY
• Kata-containers are new, exciting and evolving
• More secure by design without much impact on
performance
• Have limited support for various hypervisors to
begin with
• Do not replace Docker and Kubernetes;
rather, they complement them.
WHAT’S IN STORE
• Support for the hypervisor-based runtime called frakti.
• Frakti can schedule pods and containers
directly inside a hypervisor via runV.
• Enable runV to kata-runtime migrations
• Provide “official” support for Kubernetes
Contribute to https://github.com/kata-containers
REFERENCES
• https://docs.docker.com/
• https://katacontainers.io/
• Docker runtime execution options
• Why Kata containers cannot replace K8s
• Container security vulnerabilities and threats
• Securing containers
• Running Kata with Docker
• Running Kata with K8s

Virtualized Containers - How Good is it - Ananth - Siemens - CC18