Kata Containers

From ArchWiki

Related articles

Kata Containers (previously Clear Containers) is an OCI-compatible application container runtime meant to provide isolation of potentially untrusted processes from the host system and other processes by leveraging virtualization. Currently upstream-supported hypervisors are qemu-desktop, firecracker and cloud-hypervisorAUR.

Architecture

  • kata-agent - supervisor process running on the hypervised guest sandbox, tasked with managing its lifetime
  • kata-runtime - container runtime component responsible for handling commands specified by the OCI runtime specification and tasked with launching shims
  • kata-proxy (before 2.0) - routes I/O streams and signals between on-guest agent and host-side processes associated with running a given sandbox using gRPC
  • kata-shim (before 2.0) - container process monitor and reaper
  • kata-ksm-throttler (optional, before 2.0) -
  • kata-linux-container - patched kernel used to launch VMs serving as container/pod sandboxes
  • kata-containers-image - initramfs and rootfs images used for spawning VM sandboxes

Usage

Kata, by default, picks up its configuration from /etc/kata-containers/configuration.toml, but that can be overridden by providing a path to configuration through the KATA_CONF_FILE environment variable. Be sure to initialize configuration from /usr/share/defaults/kata-containers/configuration-qemu.toml.

v1

This article or section is out of date.

Reason: The v1 packages were dropped from AUR since they were legacy and not maintained. (Discuss in Talk:Kata Containers)

Docker

In order to use Kata Containers with Docker, the user needs to add it to supported runtimes in /etc/docker/daemon.json: 

 {
   "runtimes": {
     "kata": {
       "path": "/usr/bin/kata-runtime"
     }
   }
 }

To use it as the default runtime for Docker: {"default-runtime": "kata"} .

To use it with the Firecracker hypervisor, due to its limitations, the devicemapper storage driver [1] has to be used: {"storage-driver": "devicemapper"} .

Afterward you can use the runtime key: docker run --runtime kata --rm -ti archlinux/base /bin/bash.

Podman

Running a container: podman --runtime /usr/bin/kata-runtime run --rm -ti archlinux/base /bin/bash.

Keep in mind that a Kata VM sandbox conceptually maps to Kubernetes pods or a shared netns, not just individual containers.

v2

This article or section is out of date.

Reason: The v2 packages are all out of date. (Discuss in Talk:Kata Containers)

Install the runtime kata-runtime-binAUR, kernel linux-kata-binAUR and set of initrd and rootfs kata-containers-image-binAUR.

Docker has added support for OCI-compatible runtimes in Docker Engine 23.0 [2]. To run a Docker container using Kata: docker run --runtime io.containerd.kata.v2

Containerd CLI

# ctr image pull docker.io/library/archlinux:latest
# ctr run --rm -t --runtime io.containerd.kata.v2 docker.io/archlinux/base:latest example-container-name date

See also