Kata Containers Demo: A Container Experience with VM Security
The New Stack’s Alex Williams sat down with Eric Ernst, principal systems software engineer for Ampere, and Bharat Kunwar, software engineer for StackHPC. In the “Kata Containers Demo: A Container Experience with VM Security”, the group discusses how Kata Containers works, its performance, security advantages, use-case scenarios, and new research.
The trio discusses how Kata Containers bridges the gap between the hardware isolation of traditional virtual machines (VMs) and the speed and relatively smaller footprint of containers.
The reason why people care about containers is that “it’s just a nice little packaging vehicle,” Ernst said. “It’s a slick UI. It’s really easy to just start a container, kill a container, scale up, scale down, and everything else.” Kata Containers behave just like traditional containers but provide stronger workload isolation by using a separate guest kernel as a second layer of defense, while retaining performance through nested virtualization technology.
In May 2019, Kunwar began a performance benchmark study on Kata Containers. In the demo, Bharat shares his perspective on disk I/O performance. Kunwar compared read and write bandwidth for high-performance computing (HPC) workloads when the underlying configuration is bare metal (bare), runC containers (runc), Kata with 9pfs (kata-9p), Kata with virtiofs (kata-virtio), and Kata with virtiofs and direct memory access (kata-virtio-dax). The following charts demonstrate the tradeoff of using Kata Containers vs. traditional runC containers vs. bare metal.
The discussion also notes that compatibility with Kubernetes is maintained via the CRI (Container Runtime Interface) runtime class API, which projects like containerd and CRI-O expose and which Kata Containers can bind into.
Looking forward, Kunwar is excited to see that “Kata is gaining widespread momentum and especially with improvements to the disk I/O performance”.
You can listen to Alex Williams, Eric Ernst, and Bharat Kunwar discussing the container experience with VM security on The New Stack’s YouTube channel. Check out this Kata Containers demo here!