The speed of containers, the security of VMs. KataContainers.io

Similar documents
The speed of containers, the security of VMs

Kata Containers The way to run virtualized containers. Sebastien Boeuf, Linux Software Engineer Intel Corporation

Unified Kubernetes CRI runtimes based on Kata Containers. Xu Wang hyper.sh

How Container Runtimes matter in Kubernetes?

Multitenancy Deep Dive

Launching StarlingX. The Journey to Drive Compute to the Edge Pilot Project Supported by the OpenStack

Intel Clear Containers. Amy Leeland Program Manager Clear Linux, Clear Containers And Ciao

Bringing Security and Multitenancy. Lei (Harry) Zhang

OPENSTACK + KUBERNETES + HYPERCONTAINER. The Container Platform for NFV

A Big Little Hypervisor for IoT Development February 2018

Kubernetes 101. Doug Davis, STSM September, 2017

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Secure Kubernetes Container Workloads

Managing and Protecting Persistent Volumes for Kubernetes. Xing Yang, Huawei and Jay Bryant, Lenovo

Simple custom Linux distributions with LinuxKit. Justin Cormack

Docker All The Things

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

1. What is Cloud Computing (CC)? What are the Pros and Cons of CC? Technologies of CC 27

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

Full Scalable Media Cloud Solution with Kubernetes Orchestration. Zhenyu Wang, Xin(Owen)Zhang

Stackube Documentation

Container Security and new container technologies. Dan

Next Generation Tools for container technology. Dan

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

Datacenter Network Solutions Group

Dan Williams Networking Services, Red Hat

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

Kubernetes 1.9 Features and Future

Onto Petaflops with Kubernetes

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Buenos Aires 31 de Octubre de 2018

Project Calico v3.2. Overview. Architecture and Key Components. Project Calico provides network security for containers and virtual machine workloads.

Reimagining OpenStack*

Kuber-what?! Learn about Kubernetes

Project Kuryr. Here comes advanced services for containers networking. Antoni Segura

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

Introduction to Virtualization and Containers Phil Hopkins

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

NET1821BU THE FUTURE OF NETWORKING AND SECURITY WITH NSX-T Bruce Davie CTO, APJ 2

Code: Slides:

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Making Immutable Infrastructure simpler with LinuxKit. Justin Cormack

Akraino & Starlingx: a technical overview

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Cloud I - Introduction

Red Hat Roadmap for Containers and DevOps

THE STATE OF CONTAINERS

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

Container Orchestration on Amazon Web Services. Arun

Project Calico v3.1. Overview. Architecture and Key Components

Part2: Let s pick one cloud IaaS middleware: OpenStack. Sergio Maffioletti

Dataplane Networking journey in Containers

Using DC/OS for Continuous Delivery

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Kubernetes on Azure. Daniel Neumann Technology Solutions Professional Microsoft. Build, run and monitor your container applications

Container Networking and Openstack. Fernando Sanchez Fawad Khaliq March, 2016

TEN LAYERS OF CONTAINER SECURITY

Kubernetes on Openstack

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

Cisco Cloud Strategy. Uwe Müller. Leader PreSales Cloud & Datacenter Germany

Kubernetes - Networking. Konstantinos Tsakalozos

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

IT S COMPLICATED: THE ENTERPRISE OPEN SOURCE VENDOR RELATIONSHIP. Red Hat s POV

Contrail Networking: Evolve your cloud with Containers

[Docker] Containerization

More Containers, More Problems

OpenStack and OVN What s New with OVS 2.7 OpenStack Summit -- Boston 2017

Project Kuryr. Antoni Segura Puimedon (apuimedo) Gal Sagie (gsagie)

Delivering Red Hat OpenShift at Ease on Red Hat OpenStack and RHV

Continuous delivery while migrating to Kubernetes

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Multiple Networks and Isolation in Kubernetes. Haibin Michael Xie / Principal Architect Huawei

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift

Kuberiter White Paper. Kubernetes. Cloud Provider Comparison Chart. Lawrence Manickam Kuberiter Inc

So, I have all these containers! Now what?

Kontejneri u Azureu uz pomoć Kubernetesa što i kako? Tomislav Tipurić Partner Technology Strategist Microsoft

Safe Harbor Statement

CS-580K/480K Advanced Topics in Cloud Computing. OpenStack

Define Your Future with SUSE

Kubernetes: Integration vs Native Solution

OCI Runtime Tools for Container Standardization

Introduction to Kubernetes

Replacing Docker With Podman. By Dan

How to build scalable, reliable and stable Kubernetes cluster atop OpenStack.

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

A REFERENCE ARCHITECTURE FOR DEPLOYING WSO2 MIDDLEWARE ON KUBERNETES

An Introduction to Kubernetes

NephOS. A Single Turn-key Solution for Public, Private, and Hybrid Clouds

ACCELERATE APPLICATION DELIVERY WITH OPENSHIFT. Siamak Sadeghianfar Sr Technical Marketing Manager, April 2016

Application Centric Microservices Ken Owens, CTO Cisco Intercloud Services. Redhat Summit 2015

This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and

Implementing SaaS on Kubernetes

Kubernetes: Twelve KeyFeatures

Introduction to OpenDaylight: An Open Source Community around Software-Defined Networking

KVM Weather Report. Amit Shah SCALE 14x

NVMe over Fabrics (NVMe-oF) For Containers

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Transcription:

* The speed of containers, the security of VMs KataContainers.io

Contents Project Overview Technical Details Governance Get Involved

History Intel Clear Containers * May 2015 Dec 2017 *Other names and brands may be claimed as the property of others.

Technical Vision Light and fast VM-based containers Merge Intel Clear Containers and Hyper runv technologies Seamless integration with Kubernetes (CRI), Docker and Openstack Support multiple architectures (x86 today; others to come in the future) Support multiple hypervisors (KVM today; others to come in the future)

Intel Clear Containers Multi Architecture Multi Hypervisor Full Hotplug K8s Multi Tenancy VM templating Frakti native support Traffic Controller net Direct Device Assignment SRIOV NVDIMM Multi-OS KSM throttling CRI-O native support MacVTap, multi-queue net

Non-Technical Goals Open and vendor-neutral project All VM based containers, users and consumers under the same project Managed at the OpenStack Foundation* Independent from the OpenStack* software project

Containers in Cloud Container A Container B Container C App A App B App C Middleware A Middleware B Middleware C Linux* Kernel Virtual Machine Linux Kernel Server Hardware

Hypervisor Based Containers Container A Container B Container C App A App B App C Middleware A Middleware B Middleware C Linux Kernel A Linux Kernel B Linux Kernel C Virtual Machine Virtual Machine Virtual Machine Linux* Kernel Server Hardware Each container/pod is hypervisor isolated As secure as a VM As fast as a container Seamless integration with the container ecosystem and management layers

Isolation Speed

Technical Details

Virtual Machine I/O OCI cmd/spec Container Command Container Exec Shim Shim grpc Proxy Hypervisor serial interface Runtime grpc grpc over Yamux Container namespaces Agent Kernel Hypervisor

Virtual Machine I/O OCI cmd/spec Container Command Container Exec Container namespaces Shim Shim Runtime grpc Agent Kernel grpc Hypervisor Hypervisor VSOCK socket

Fast as a Container Create Start $ kubectl apply -f nginx.yml VM Boot Kernel Agent Start Pod Prepare container Image Prepare Volumes hotplug

Small as a Container Minimize memory footprint Minimal rootfs Minimal kernel VM Template DAX/nvdimm De-duplicate memory across VMs KSM (with throttling)

Networking Kubernetes* Overlay Network veth pair MacVTAP Tap Pod Virtual Machine Container networking namespace

Networking Kubernetes* Overlay Network veth pair tc mirror Tap Pod Virtual Machine Container networking namespace

Storage 9pfs/virtio-blk 9pfs/virtio-blk Container 1 Rootfs Overlay Volume Container 2 Rootfs Overlay 9pfs/virtio-b lk Virtual Machine 9pfs/virtio-blk Volume

Multi-tenant Kubernetes* k8s k8s k8s Pod Pod Pod Pod container container Pod container container Pod container container Pod container container Pod VM Pod VM Pod VM Pod VM Pod VM VM VM VM VM VM VM VM IaaS CaaS

Demo: Stackube - K8S with Hard Multi-tenancy kubectl k8s Node k8s Master kube-apiserver Tenant (CRD) Network (CRD) Keystone (Tenant mgmt) Cinder (Persistent Volume) Neutron (L2 Isolated Network) kubelet frakti (runtime shim) CNI

Project Status - Code Status Current Work Shim Initial implementation merged Terminal size, code coverage Proxy Initial implementation merged Code coverage, functional testing Agent Initial implementation merged Shared PID ns, sub-reaping (agent is PID 1) QEMU Vanilla 2.9 QEMU build config Linux Kernel 4.13.13 + one 9pfs patch Minimal kernel config definition OS builder Initial implementation merged Initrd/initramfs support Agent Protocol V0.0.1 merged (pre-alpha) More declarative APIs, network APIs improved

Project Status - Code - Runtime No runtime code at the moment Step 1: Add both Clear Containers and runv Adapted to Kata Containers architecture (grpc, new components) Both runtimes will work seamlessly with all the Kata Containers components Users can switch runtime implementations transparently Step 2: Merge runtimes into one single implementation Step 3: Deprecate Clear Containers and runv

Project Status - Documentation and CI Documentation CI Missing at the moment Clear Containers and runv documentation as a backup Travis based for now: Unit testing only Will move to a nested virtualization enabled and/or bare metal public cloud Functional and integration test From unit testing up to the higher levels of the stack (Kubernetes, OpenShift)

What s Next? 1H 2018 Horizon 1.0 Release (parity with RunV and CC 3.0 with upgrade path) CRI integration: Frakti, CRI-O, containerd-cri OCI runtime spec support for hypervisor based containers OSV support Documented case studies

Governance

Governance The Kata Containers project is governed according to the four opens, open source open design open development open community Technical decisions will be made by technical contributors and a representative Architecture Committee. The community is committed to diversity, openness, encouraging new contributors and leaders to rise up.

Governance Contributors At least one github contribution for the past 12 months Maintainers Active contributor, nominated by fellow maintainers Can merge code Architecture Committee Take high level architecture and roadmap decisions 5 seats, elected by contributors

Governance Architecture Committee The Architecture Committee is responsible for architectural decisions, including standardization, and making final decisions if Maintainers disagree. It will be comprised of 5 members, who are appointed by the Maintainers at launch but fully elected by Contributors within the first year. The initial Architecture committee members are Samuel Otiz (Intel), Xu Wang (Hyper), Zhang Wei (Huawei) and Tim AllClair (Google).

Governance Working Committee The Working Committee is intended to make non-technical decisions and help influence the project strategy, including marketing and communications, product management and ecosystem support. Representatives are expected to be active contributors who are committed to the health and success of the project. Recognizing the project will grow and change quickly in the first six months, and in order to encourage diversity and participation, the Working Committee will be forming up and finalizing it s structure after the project launch. Initial appointed members include Amy Leeland (Intel) and James Kulina (Hyper). During this initial period, the participants will appoint a leader to help organize and run regular meetings, coordinate the various work streams and help define the long-term structure. The initial task will be to determine 2018 plans and appropriate work streams, working groups and funding to execute on those plans. Anyone can join! Get involved in the #working-committee channel on Slack: bit.ly/kataslack (case sensitive)

Get Involved

Contribute Code and documentation hosted on https://github.com/kata-containers/ Major releases managed through Github* Projects Intel (Intel Clear Containers) & Hyper (runv) contributing initial IP Apache 2 license Slack: katacontainers.slack.com IRC: #kata-dev@freenode Mailing-list: kata-dev@lists.katacontainers.io

Where To Contribute? Code Unit tests for agent, shim and proxy PR reviews (agent, shim) Osbuilder support for more distros Documentation Getting Started guides Code documentation Features Requests grpc Input needed: Do we cover it all? API documentation Open issues and PRs for any feature that you d like to get from Kata Containers

Community You do not need to be an Individual Member of the OpenStack Foundation in order to contribute, but if you want to vote in the annual OpenStack Foundation Board of Directors election, you may join: openstack.org/join If you are contributing on behalf of an employer, they will need to sign a corporate contributor license agreement, which now covers all projects hosted by the OpenStack Foundation (same model as Apache and CNCF) Independent contributors may be submitted with a sign off header under the DCO

Communication KataContainers Slack bit.ly/kataslack (case sensitive) #kata-dev IRC freenode (Slack and IRC have a gateway to share messages) Mailing Lists: lists.katacontainers.io Twitter: @KataContainers Email: info@katacontainers.io

Thank you! KataContainers.io

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback