Containers more secured? Use Cri-o Kata with Oracle Linux on Oracle Cloud

Thanks to Simon Coter, Product Director Oracle Linux

Containers here, there and everywhere. Since the rise of Cloud, DevOps, Microservices, plus a lot of other new technologytrends, also infrastructure has made a major transition in how to build, provision and operate a live production, serving the needs of always on 24*7, high demands of new and better functionality, and higher demands in non functional requirement such as performance and scalability.

Transition an existing infrastructure to a container-based landscape is something which has to land and evolve within an organisation and it’s not that it’s an easy task. One has to think of implementing all the benefits of this new way of working, but also keep in mind of things such as security and maintainability, and not only productivity.

More Security using Kata based containers

Kata Containers are other than Docker Containers. They are a lightweight Virtual Machine (VMs) but still feel and perform like containers.
Kata containers have their own kernel but still have all the characteristics and beneftis of containers; one of the benefits is that they become more secure. They provides the workload isolation and security advantages of VMs. but at the same time maintain the speed of deployment and usability of using Kata containers, instead of a namespace, small virtual machines are created on the kernel and be strongly isolated.
The technology of Kata Containers is based on QEMU. That’s why the level of isolation is equivalent to typical hypervisors. Also KVM is based on QEMU.

QEMU can emulate a complete machine in software without any
need for hardware virtualization support.

See in this diagram the main differences between traditional docker containers and kata containers:

Container Engine

Docker containers use the docker container engine to implement their API’S and being accessible. Kubernetes will, by default use the docker engine layer. Now a container engine provides some sort of a virtualization layer between the kernel and the container. The eventual container is a running process within Linux making use of it.

To make containers run you need a container runtime. Docker provides it’s own, but can also run on others such as containerd

See here the different k8s nodes running different container engines

For this you need to tell the kubelet which container engine to use:

mkdir -p /etc/systemd/system/kubelet.service.d/

cat << EOF |tee /etc/systemd/system/kubelet.service.d/0-containerd.conf


Environment=”KUBELET_EXTRA_ARGS= — container-runtime=remote — runtime-request-timeout=15m — container-runtime-endpoint=unix:///run/containerd/containerd.sock”


And setup containerd to integrate with kubelet:

modprobe overlay

modprobe br_netfilter

Contents of /etc/sysctl.d/99-kubernetes-cri.conf :

Now containerd is compatible running kata-containers, by using the CRI plugin. You can also use CRI-O, another lightweighted container runtime interface, but for now I focussed on containerd

Components for building

The components I used for building a K8s cluster in the cloud were:

  • 3 VM Instances in the Oracle Cloud Infrastructure
  • These instances used the Oracle Linux 7.7 developer image because here a lot of the needed tools such as KVM utils were already installed:
  • Use oracle-olcne-release-el7.x86_64
  • enable ol7_kvm_utils
  • kata-runtime
  • Some Cloud storage, the basics for setting up VMs in the Oracle Cloud

I also wanted to let docker to make use of the kata-runtime bij creating a file


and to see which runtime Dockers uses, execute:

I won’t go through all the installation and setup details, you can find them here:

Use Kata in Kubernetes and run an Oracle Database

To use kata containers in the proper runtime, you need to create a config file, to be generated with containerd

Per k8s node, you specifiy the runtime. Because I used Kubernetes version 1.12, some of the sections looked like this

In higher versions you have to use the kata version 2

runtime_type = "io.containerd.kata.v2"

Do not forget to reload system daemons and restart the containerd service to apply changes.

To let K8s make use of kata, a few yamls need to be deployed to kube-system with kata-runtime.yaml, to implement runtime classes. These were introduced in v1.12, so the apiVersion hete should be v1alpha1:

For enabling deployment of kata containers, also needs ro be deployed to the k8s cluster.

And finally, some RBAC settings by using for labeling nodes as kata runtime nodes:

Deploy an Oracle Database

My endgoal is to deploy an entire WebLogic environment but first I installed the database using a yaml file. Here specified the kata runtime class and a node selector:

By applying the database, on k8s-worker2 the pod was scheduled and qemu was started to emulate a VM based container:


There is a lot going on in container landscape. There is also a lot of information, which is sometimes difficult tot get it all together in a understandable story. This is just a beginning and certainly a lot need to be adjusted to transition to a more secure container platform. I hope you will learn something of it and improve by doing ot yourself.

Next article I will deepdive into cri-o and how it will be used with WebLogic Cloud Native.

Michel Schildmeijer

Written by


Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade