Kata Containers: A virtual machine take on running containers


First things first. Kata Containers aren’t containers. Kata is a virtual machine (VM) for running containers. That said, Kata promises to deliver workload isolation and security with lightweight VMs, while feeling and performing like containers.

Kata does this by combining the best of two earlier virtualized container open source code bases: Intel’s Clear Containers and Hyper.sh‘s runV. Kata was announced in December 2017. It’s the first non-OpenStack project to be hosted by the OpenStack Foundation. Underneath all this is the classic BSD Unix/Linux QEMU hypervisor.

The key difference between the Kata approach and other container engines is that Kata uses hardware-backed isolation as the boundary for each container or collection of containers in a Kubernetes container pod. As Sebastien Boeuf, an Intel Linux kernel engineer explained at OpenStack Summit in Vancouver, “instead of relying on software isolation provided by the kernel, instead we rely on hardware isolation, which is stronger.” Hardware isolation is provided at the chip level by Intel’s virtualization VT extensions.

This approach addresses the security concerns of a shared kernel in traditional container architecture. With Kata, each container gets its own kernel. Kata containers have a dedicated kernel and isolated network, I/O, and memory. Of course, the downside is each kernel makes the containerized application “heavier” in terms of memory and CPU usage.

But, as the OpenStack Foundation’s marketing manager, Anne Bertucio, pointed out, “People were wrapping full blown VMs around each container. Doing that, you take a big performance sting and you’re kind of back to where you started about the portability and performance issues that containers are solving. How to make a very lightweight VM that provides virtualization as an isolation boundary while not taking that ding on performance was a huge challenge.”

This says more about how people are deploying containers wrong than it does about containers. Still, there are companies who are willing to pay a performance cost for the improved security of hardware isolation.

This makes Kata a good fit for both container’s on-demand (event-based deployments such as continuous integration/continuous delivery and web applications), while providing an easier transition to containers from traditional virtualized environments. Kata does this by supporting legacy guest kernels and device pass through capabilities. And, of course, it providers enhanced security and scalability for older client/server applications.

You can use Kata with container orchestration tools such as Docker’s Swarm Mode and Kubernetes. Today it runs on Linux-based x86-based servers that use KVM as a  hypervisor. Eventually AMD, with its AMD-V virtualization, and ARM will be supported, but it’s not there yet. In the long term, Kata’s goal is to be hardware and hypervisor agnostic.

Kata supporters say, “You don’t have to pay much VM tax with a Kata container.” That’s easy to say. We’ll see if they perform as well as containers with other security plans. This, for example,  is where Kubernetes and Google claims gVisor, which runs containers in a secured sandbox, will win.

Want to give Kata a try? Kata is now available in its first official release, Kata 1.0. Kata Containers is hosted on Github under the Apache 2 license.


  1. François FERRAT says:

    Please can you tell me (in fact confirm me ) if you can as well manage the palet ?

Speak Your Mind


This site uses Akismet to reduce spam. Learn how your comment data is processed.