Posted: 03-Mar-2019 (54 slides)
Kata Containers: The way to run virtualized containers
Sebastien Boeuf, Linux Software Engineer, Intel Corporation

Transcript

Page 1: Title slide (Kata Containers: The way to run virtualized containers; Sebastien Boeuf, Linux Software Engineer, Intel Corporation)

Page 2: [Image slide: https://regmedia.co.uk/2017/09/11/shutterstock_containers_in_port.jpg]

Page 3: Containers 101
[Diagram: Host Linux kernel; three Process boxes, each wrapped in namespaces; CPU, Memory, Network, Storage]

Page 4: Software is not enough!
[Diagram: same layout as page 3 - Host Linux kernel; three Process boxes, each wrapped in namespaces; CPU, Memory, Network, Storage]

Page 5: [Image slide: https://cdn-images-1.medium.com/max/800/1*zPiik9vlW_G7GU9bTjxhJQ.jpeg]

Page 6: Manual isolation
[Diagram: Baremetal server hosting two VMs; each VM has its own Linux kernel and three Process boxes, each wrapped in namespaces]

Page 7: [Image slide: https://s3.amazonaws.com/wordpress-production/wp-content/uploads/2015/12/collaborative-problem-solving.jpg]

Page 8: Kata Containers legacy
[Timeline: Intel® Clear Containers (May 2015) to Kata Containers (Dec 2017)]
*Other names and brands may be claimed as the property of others.

Page 9: Kata Containers 101
[Diagram: Host Linux kernel; three VMs, each with its own Guest Linux kernel and a Process wrapped in namespaces; HW virtualization between each VM and the host]

Page 10: [Image slide: https://marketingweek.imgix.net/content/uploads/2017/06/30121536/Ecosystem-body-image.jpg]

Page 11: Container ecosystem
[Diagram: Docker, OpenStack -> OCI -> runc -> Container (Process)]

Page 12: Container ecosystem
[Diagram: Kubernetes -> CRI -> OCI -> runc -> Container (Process)]

Page 13: Container ecosystem
[Diagram: Kubernetes -> CRI -> Docker; OpenStack -> Docker; Docker -> OCI -> runc -> Container (Process)]

Page 14: Seamless integration
[Diagram: Kubernetes (via CRI), Docker and OpenStack -> OCI -> kata-runtime -> VM (Guest Linux kernel) -> Container (Process); kata-runtime takes the place runc held behind the same OCI interface]

Page 15: Architecture
[Diagram: Runtime receives the OCI command; Runtime and the Shims talk gRPC to the Proxy; the Proxy carries gRPC over Yamux to the Agent through the hypervisor serial interface; the Agent runs on the Guest Linux kernel inside the VM and manages the container processes (proc) in their namespaces (ns); the Shims relay I/O]

Page 16: [Image slide: https://cdn.tinybuddha.com/wp-content/uploads/2015/07/Simplify.png]

Page 17: Architecture over VSOCK
[Diagram: same as page 15 without the Proxy - Runtime and the Shims talk gRPC directly to the Agent through the hypervisor VSOCK interface; the Agent manages the container processes (proc) in their namespaces (ns); the Shims relay I/O]

Page 18: OCI lifecycle
[Image slide: https://www.connection.com/~/media/images/solutions/new-pages/3-box-icons/606772-it-lifecycle-services.png]

Page 19: OCI Lifecycle - run
[Diagram: Runtime receives "kata-runtime run"]

Page 20: OCI Lifecycle - run
[Diagram: Runtime starts the VM (Hypervisor, VM, Guest Linux kernel)]

Page 21: OCI Lifecycle - run
[Diagram: Agent inside the guest listens on the serial interface]

Page 22: OCI Lifecycle - run
[Diagram: Runtime starts the Proxy]

Page 23: OCI Lifecycle - run
[Diagram: Proxy connects to the VM]

Page 24: OCI Lifecycle - run
[Diagram: connection established between Runtime, Proxy and Agent]

Page 25: OCI Lifecycle - run
[Diagram: Agent runs the container (proc in ns)]

Page 26: OCI Lifecycle - run
[Diagram: Runtime starts the Shim]

Page 27: OCI Lifecycle - run
[Diagram: Shim relays I/O and signals for the container process (proc in ns) through the Proxy to the Agent]

Page 28: OCI Lifecycle - exec
[Diagram: existing Shim relays I/O and signals for the running process (proc in ns); Runtime receives "kata-runtime exec"]

Page 29: OCI Lifecycle - exec
[Diagram: Runtime asks the Agent to exec a new process; a second proc appears in the container namespaces (ns)]

Page 30: OCI Lifecycle - exec
[Diagram: Runtime starts a second Shim for the new process]

Page 31: OCI Lifecycle - exec
[Diagram: each Shim relays I/O for its own proc through the Proxy to the Agent]

Page 32: virtcontainers - More than just OCI
[Diagram: the Kata API is consumed by the OCI runtime (kata-runtime) and by a native CRI implementation (frakti); back-ends: Hypervisor (QEMU/KVM, Xen), Network (CNM, CNI, MACVTAP, TC mirror, SR-IOV), Device (block, vfio), Storage (block, 9p)]

Page 33: [Image slide: http://www.breadalbane.pkc.sch.uk/BA/wp-content/uploads/2014/05/Technical-Drawings2.jpg]

Page 34: OCI compatibility
[Diagram: kata-runtime passes the OCI spec to the Agent inside the VM; the Agent uses libcontainer]

Page 35: Lightweight VM - NVDIMM/DAX
[Diagram: Host exposes a shared, read-only ROOTFS to VM 1 and VM 2 as an NVDIMM; each Guest kernel maps it through DAX]

Page 36: Lightweight VM - KSM
[Diagram: on the Host, KSM merges identical pages of VM 1 and VM 2 (managed by the Hypervisor) into merged pages]

Page 37: Fast VM - Templating
[Diagram: a Pool of pre-created VM templates; the Runtime takes a VM from the pool (Guest kernel, 1 vCPU, 128 MiB RAM)]

Page 38: Fast VM - Hotplug
[Diagram: Runtime boots a VM with a Guest kernel, 1 vCPU and 128 MiB RAM]

Page 39: Fast VM - Hotplug
[Diagram: Runtime hotplugs resources into the running VM: 3 vCPU, 1024 MiB RAM, PCI devices]

Page 40: Devices - virtio
[Diagram: the container inside the VM sees /dev/sda through the virtio-scsi front-end in the Guest kernel; QEMU provides the virtio-scsi back-end and block device emulation on the Host Linux kernel]

Page 41: Devices - virtio
[Diagram: the container inside the VM sees eth0 through the virtio-net front-end in the Guest kernel; the vhost-net back-end in the Host Linux kernel does the emulation]

Page 42: Devices - HW passthrough
[Diagram: the NIC is bound to vfio-pci on the Host Linux kernel and passed through to the VM; the Guest kernel drives it with the ixgbe driver and the container sees eth0]

Page 43: Devices - SR-IOV bonus
[Diagram: the NIC exposes a PF and VF1..VFN; the Host Linux kernel passes VFs through vfio-pci to VM 1 and VM 2; each Guest kernel runs the ixgbe driver and each container sees its own eth0]

Page 44: Network - Macvtap
[Diagram: Container netns with a veth pair; a MACVTAP device on the veth end feeds the VM through vhost-net]

Page 45: Network - Traffic control
[Diagram: Container netns with a veth pair; TC mirroring between the veth end and a TAP device that feeds the VM through vhost-net]

Page 46: Storage - 9p
[Diagram: Host filesystem shared into the VM over virtio-9p (coldplug); the Guest kernel exposes it to the container as rootfs and volumes]

Page 47: Storage - blk
[Diagram: a host block device is hotplugged into the VM over virtio-blk or virtio-scsi; the Guest kernel exposes it to the container as rootfs and volumes]

Page 48: Namespaces
[Diagram: Host namespaces (PID ns, Network ns) contain the shims; inside the VM, the Guest Linux kernel runs the Agent and the container processes (proc, proc) live in guest namespaces (ns)]

Page 49: [Image slide: https://img.taste.com.au/ZATA4qbZ/taste/2017/03/double-choc-easter-cheesecake-1980x1320-124941-1.jpg]

Page 50: Multi OS
[Diagram: Host Linux kernel running three VMs with different guest kernels (linux-4.16, linux-3.14, linux-4.8 + GPU module), one container in each; the GPU is attached to the VM with the GPU module]

Page 51: Time to wrap up!
[Image slide: https://www.huddle.com/sites/default/files/image/security-01.png]

Page 52: Time to wrap up!
[Image slide: previous image plus http://www.theiskandarian.com/web/wp-content/uploads/2015/10/high-speed-rail-attracts-interest.jpg]

Page 53: Time to wrap up!
[Image slide: previous two images plus https://i.pinimg.com/originals/90/69/f7/9069f7abb8d91fbfd2353d62b6dc6053.jpg]

Page 54: Play & contribute!

Sources: https://github.com/kata-containers/runtime

Get started: https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md

Slack: katacontainers.slack.com

IRC: #kata-dev@freenode

Mailing list: [email protected]

