We use containers all the time, but we're not ready to give up on Virtual Machines (VM) yet. Both have their uses. But, what if we could use the flexibility and ease of deployment of containers with the security and manageability of VMs? That's the idea behind the OpenInfra Foundation's Kata Containers, and it's been fine-tuned in the latest release, Kata Containers 3.0.0.
It started with the marriage of two different programs. The first was the Hyper.sh container platform, which enabled containers to run in the runV container runtime. It was then married to Intel Clear Containers, and their child is Kata Containers. Although it's only five years old, Kata Containers has seen a lot of changes. The most important came with Kata 2.0.0, which migrated Kata to the Rust language.
The basic concept, however, remains the same.
That is, Kata Containers provides a secure container runtime with lightweight VMs. These feel and act like containers but come with VM's stronger workload isolation. It relies on AMD SVM and Intel VT-x CPU-based virtualization technology for this extra level of protection.
Kata Containers 3 also now has support for GPUs. This includes support for Virtual Function I/O (VFIO), which allows safe, non-privileged, user-space device drivers and passthrough of PCIe devices such as GPUs into the container's VM.
This version of Kata Containers also features a newly written Rust runtime implementation and an optional integrated Rust hypervisor. This makes the program even lighter and easier to manage.
It all supports Kubernetes, the CRI-O and containerd container runtimes, cgroup v2, and the OCI runtime specification v1.0.0-rc5.
Underneath all this, Kata Containers has its own Linux kernel. The kernel in Kata Containers 3.0.0 is v5.19.2.
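As an added illustration that is not from the article or from the Kata project itself, this is how a cluster operator hands a pod to the Kata runtime through a Kubernetes RuntimeClass. The handler name `kata` is assumed to match a runtime entry configured in containerd or CRI-O, and the node label is an assumed one that your node-provisioning tooling would set on nodes where Kata is installed:

```yaml
# RuntimeClass: maps a name pods can reference to the CRI runtime handler.
# The handler "kata" is an assumption; it must match the runtime configured
# in containerd (runtime_type io.containerd.kata.v2) or in CRI-O.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
# Each Kata pod boots its own guest kernel and VM, so reserve that fixed
# overhead for the scheduler (values are illustrative, not measured).
overhead:
  podFixed:
    memory: "160Mi"
    cpu: "250m"
# Only schedule onto nodes that actually have the Kata runtime installed.
# The label name is an assumption for this example.
scheduling:
  nodeSelector:
    example.com/kata-runtime: "true"
---
# A pod that asks for VM isolation. Everything else is an ordinary pod spec;
# the only change from a plain container pod is runtimeClassName.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-worker
spec:
  runtimeClassName: kata
  containers:
    - name: worker
      image: docker.io/library/busybox:1.36   # sample image for the example
      command: ["sh", "-c", "uname -r; sleep 3600"]
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        runAsUser: 65534
```

Once the pod is running, `kubectl logs untrusted-worker` (or `uname -r` via `kubectl exec`) should report the guest kernel (5.19.2 in this release) rather than the node's kernel, which is a quick check that the VM boundary is actually in place for that workload.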
Users are already happy with these new developments. As Treva Williams, OpenInfra's technical community manager, said, "There's a lot of excitement in the Kata Containers community around how the improved hypervisor support in Kata Containers 3.0.0 expands compatibility with a number of popular environment configurations and hardware technologies, such as GPUs."
In addition, a new project has sprung from Kata Containers. This is Confidential Containers, an open-source Cloud Native Computing Foundation (CNCF) sandbox project. This outgrowth of Kata Containers' container isolation integrates Trusted Execution Environment (TEE) infrastructure.
A TEE is a hardware-based, isolated execution environment: with it, your application and data run in a secure environment that is protected from the rest of the system. The alpha Confidential Containers 0.10 release can work with Kata 3.0.0. For more on this new project, see its GitHub Quickstart guide.