The speed of containers, the security of VMs

Similar documents
The speed of containers, the security of VMs. KataContainers.io

Kata Containers The way to run virtualized containers. Sebastien Boeuf, Linux Software Engineer Intel Corporation

Unified Kubernetes CRI runtimes based on Kata Containers. Xu Wang hyper.sh

How Container Runtimes matter in Kubernetes?

Intel Clear Containers. Amy Leeland Program Manager Clear Linux, Clear Containers And Ciao

OPENSTACK + KUBERNETES + HYPERCONTAINER. The Container Platform for NFV

Bringing Security and Multitenancy. Lei (Harry) Zhang

Multitenancy Deep Dive

Full Scalable Media Cloud Solution with Kubernetes Orchestration. Zhenyu Wang, Xin(Owen)Zhang

Launching StarlingX. The Journey to Drive Compute to the Edge Pilot Project Supported by the OpenStack

Secure Kubernetes Container Workloads

Datacenter Network Solutions Group

1. What is Cloud Computing (CC)? What are the Pros and Cons of CC? Technologies of CC 27

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Reimagining OpenStack*

Stackube Documentation

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

A Big Little Hypervisor for IoT Development February 2018

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Managing and Protecting Persistent Volumes for Kubernetes. Xing Yang, Huawei and Jay Bryant, Lenovo

[Docker] Containerization

Simple custom Linux distributions with LinuxKit. Justin Cormack

Code: Slides:

Docker All The Things

Akraino & Starlingx: a technical overview

How to build scalable, reliable and stable Kubernetes cluster atop OpenStack.

Kubernetes 101. Doug Davis, STSM September, 2017

Buenos Aires 31 de Octubre de 2018

Part2: Let s pick one cloud IaaS middleware: OpenStack. Sergio Maffioletti

Project Calico v3.2. Overview. Architecture and Key Components. Project Calico provides network security for containers and virtual machine workloads.

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

Red Hat Enterprise Virtualization Hypervisor Roadmap. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Achieve Low Latency NFV with Openstack*

Kuber-what?! Learn about Kubernetes

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

NVMe over Fabrics (NVMe-oF) For Containers

Kubernetes 1.9 Features and Future

Introduction to Software Defined Infrastructure SUSE OpenStack Cloud SUSE CaaS Platform

Contrail Networking: Evolve your cloud with Containers

Container Security and new container technologies. Dan

Dan Williams Networking Services, Red Hat

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

CS-580K/480K Advanced Topics in Cloud Computing. OpenStack

Introduction to Virtualization and Containers Phil Hopkins

rkt and Kubernetes What's new (and coming) with Container Runtimes and Orchestration

Multiple Networks and Isolation in Kubernetes. Haibin Michael Xie / Principal Architect Huawei

Secure Containers with EPT Isolation

Runtime VM Protection By Intel Multi-Key Total Memory Encryption (MKTME)

Dataplane Networking journey in Containers

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Baremetal with Apache CloudStack

Overview. SUSE OpenStack Cloud Monitoring

Project Calico v3.1. Overview. Architecture and Key Components

OpenStack and OVN What s New with OVS 2.7 OpenStack Summit -- Boston 2017

Project Kuryr. Here comes advanced services for containers networking. Antoni Segura

Microservices. Chaos Kontrolle mit Kubernetes. Robert Kubis - Developer Advocate,

IT S COMPLICATED: THE ENTERPRISE OPEN SOURCE VENDOR RELATIONSHIP. Red Hat s POV

Next Generation Tools for container technology. Dan

Kubernetes on Openstack

So, I have all these containers! Now what?

How to build and run OCI containers

Merging Enterprise Applications with Docker* Container Technology

NET1821BU THE FUTURE OF NETWORKING AND SECURITY WITH NSX-T Bruce Davie CTO, APJ 2

What s Up Docker. Presented by Robert Sordillo Avada Software

THE STATE OF CONTAINERS

The Post-Cloud. Where Google, DevOps, and Docker Converge

Singularity CRI User Documentation

Define Your Future with SUSE

SUBSCRIPTION OVERVIEW

SUSE OpenStack Cloud. Enabling your SoftwareDefined Data Center. SUSE Expert Days. Nyers Gábor Trainer &

MesosCon Qian Zhang (IBM China), Jie Yu (Mesosphere) OCI Support in Mesos Mesosphere, Inc. All Rights Reserved. 1

Docker Networking In OpenStack What you need to know now. Fawad Khaliq

Onto Petaflops with Kubernetes

FUJITSU Software ServerView Cloud Monitoring Manager V1.0. Overview

DPDK Summit China 2017

KVM 在 OpenStack 中的应用. Dexin(Mark) Wu

Painless switch from proprietary hypervisor to QEMU/KVM. Denis V. Lunev

BRKDCT-1253: Introduction to OpenStack Daneyon Hansen, Software Engineer

, )!"#$%#$&! " # # # $!!" S ÔÕµaz`]^

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

Cloud I - Introduction

Build Cloud like Rackspace with OpenStack Ansible

Case Study on Enterprise Private Cloud

Kubernetes - Networking. Konstantinos Tsakalozos

Deployment Patterns using Docker and Chef

ovirt and Docker Integration

DEEP DIVE: OPENSTACK COMPUTE

What You Need to Know About OpenStack + VMware

SR-IOV support in Xen. Yaozu (Eddie) Dong Yunhong Jiang Kun (Kevin) Tian

INTRODUCING CONTAINER-NATIVE VIRTUALIZATION

Project Kuryr. Antoni Segura Puimedon (apuimedo) Gal Sagie (gsagie)

S Implementing DevOps and Hybrid Cloud

NephOS. A Single Turn-key Solution for Public, Private, and Hybrid Clouds

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

Making Immutable Infrastructure simpler with LinuxKit. Justin Cormack

Datasheet FUJITSU Software ServerView Cloud Monitoring Manager V1.1

DEPLOYING NFV: BEST PRACTICES

Transcription:

* The speed of containers, the security of VMs Xu Wang, Hyper <xu@hyper.sh> Samuel Ortiz, Intel <samuel.ortiz@intel.com> *Other names and brands may be claimed as the property of others.

Contents Project Overview Technical Details Get Involved

History Intel Clear Containers * May 2015 Dec 2017 *Other names and brands may be claimed as the property of others.

Technical Vision Light and fast VM-based containers Merge Intel Clear Containers and Hyper runv technologies Seamless integration with Kubernetes (CRI), Docker and Openstack Support multiple architectures (x86 today; others to come in the future) Support multiple hypervisors (KVM today; others to come in the future)

Intel Clear Containers Multi Architecture Multi Hypervisor Full Hotplug K8s Multi Tenancy VM templating Frakti native support Traffic Controller net Direct Device Assignment SRIOV NVDIMM Multi-OS KSM throttling CRI-O native support MacVTap, multi-queue net

Non-Technical Goals Open and vendor-neutral project All VM based containers, users and consumers under the same project Managed at the OpenStack Foundation* Independent from the OpenStack* software project *Other names and brands may be claimed as the property of others.

Containers in Cloud Container A Container B Container C App A App B App C Middleware A Middleware B Middleware C *Other names and brands may be claimed as the property of others. Linux* Kernel Virtual Machine Linux Kernel Server Hardware

Hypervisor Based Containers Container A Container B Container C App A App B App C Middleware A Middleware B Middleware C Linux Kernel A Linux Kernel B Linux Kernel C Virtual Machine Virtual Machine Virtual Machine Linux* Kernel Server Hardware Each container/pod is hypervisor isolated As secure as a VM As fast as a container Seamless integration with the container ecosystem and management layers *Other names and brands may be claimed as the property of others.

Isolation Speed

Technical Details

Virtual Machine I/O OCI cmd/spec Container Command Container Exec Shim Shim Runtime Container namespaces Agent grpc Proxy Hypervisor serial interface grpc grpc over Yamux *Other names and brands may be claimed as the property of others. Kernel Hypervisor

Virtual Machine I/O OCI cmd/spec Container Command Container Exec Container namespaces Shim Shim Runtime grpc Agent Kernel grpc Hypervisor Hypervisor VSOCK socket *Other names and brands may be claimed as the property of others.

Fast as a Container Create Start $ kubectl apply -f nginx.yml VM Boot Kernel Agent Start Prepare container Image Prepare Volumes hotplug

Small as a Container Minimize memory footprint Minimal rootfs Minimal kernel VM Template DAX/nvdimm De-duplicate memory across VMs KSM (with throttling)

Networking Kubernetes* Overlay Network veth pair MacVTAP Tap *Other names and brands may be claimed as the property of others. Virtual Machine Container networking namespace

Networking Kubernetes* Overlay Network veth pair tc mirror Tap *Other names and brands may be claimed as the property of others. Virtual Machine Container networking namespace

Storage 9pfs/virtio-blk 9pfs/virtio-blk Container 1 Rootfs Overlay Volume Container 2 Rootfs Overlay 9pfs/virtio-b lk Virtual Machine 9pfs/virtio-blk Volume

Multi-tenant Kubernetes* k8s k8s k8s container container container container container container container container VM VM VM VM VM VM VM VM VM VM VM VM IaaS *Other names and brands may be claimed as the property of others. CaaS

Demo: Stackube - K8S with Hard Multi-tenancy kubectl k8s Node k8s Master kube-apiserver Tenant (CRD) Network (CRD) Keystone (Tenant mgmt) Cinder (Persistent Volume) Neutron (L2 Isolated Network) kubelet frakti (runtime shim) CNI

What s Next? 1H 2018 Horizon 1.0 Release (parity with RunV and CC 3.0 with upgrade path) CRI integration: Frakti, CRI-O, containerd-cri OCI runtime spec support for hypervisor based containers OSV support Documented case studies

Get Involved

Contribute Code and documentation hosted on https://github.com/kata-containers/ Major releases managed through Github* Projects Intel (Intel Clear Containers) & Hyper (runv) contributing initial IP Apache 2 license Slack: katacontainers.slack.com IRC: #kata-dev@freenode Mailing-list: kata-dev@lists.katacontainers.io *Other names and brands may be claimed as the property of others.

Where To Contribute? Role Language Upstream version Host/Guest Shim I/O and signal handling between the host and the VM Go N/A Host Proxy I/O and signal multiplexing (optional, serial connection) Go N/A Host Runtime OCI commands handling. VM, shim, and proxy startup Go N/A Host QEMU Hypervisor C 2.9 Host Agent Guest containers manager Go N/A Guest Guest Kernel Boot to systemd/boot initrd C 4.13.13 Guest Guest image Minimal Linux root filesystem that starts the agent N/A Pick your image Guest

Open Governance Contributors At least one github contribution for the past 12 months Maintainers Active contributor, nominated by fellow maintainers Can merge code Architecture Committee Take high level architecture and roadmap decisions 5 seats, elected by contributors

Thank you!

Disclaimer Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and/or other countries. *Other names and brands may be claimed as the property of others. Intel Corporation

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback