The OpenStack Foundation has launched a new project to develop open source containerisation software, Kata Containers, by combining components from two existing container software projects: Intel’s Clear Containers and Hyper runV, the runtime version of the software behind HyperHQ’s Hyper.sh containers as a service.
OpenStack Foundation executive director Jonathan Bryce told Computerworld Australia that the aim of Kata was to create software for running containers that offered the security of running in a virtualised environment under a hypervisor with the ease and efficiency of running them directly under the operating system.
“Containers are great because they are light and fast and easy to integrate into a lot of different application workflows, but there are some potential security issues when you run containers, especially multi tenant containers in a single operating system because ultimately the containers are sharing one kernel, one path for the I/O, the network, the memory and all of those piece,” Bryce said. “You lose some of the benefits of containers when you insert that VM layer.”
The move marks the OpenStack Foundation’s first push into taking a wider role in the open source movement, an orientation announced at the recent OpenStack Summit in Sydney. However although Kata Containers will be managed by the OpenStack Foundation it will be an independent project with its own architecture committee, working committee, and so on, as well as independent branding.
Bryce said the key feature of Kata is that it will use only those components of the virtualisation layer needed to provide isolation enabling containers to run inside a lightweight virtual layer. “Kata will give you the security of VMs, but because it is very lightweight, you will get the speed and agility of containers.
“Kata takes just the components of the virtual layer you need to provide isolation and it runs the containers inside this lightweight virtual layer that give you the security of VMs but, because it is so lightweight, you get the speed and agility of containers.”
Use cases for Kata, according to the OpenStack Foundation, will include continuous integration/continuous delivery, network functions virtualisation, edge computing, development and testing and containers as a service.
“These use cases are really well suited to an environment that gives you the efficiency of a container stack with a higher level of security than running containers side by side in a single kernel,” Bryce said.
The OpenStack Foundation says Kata’s small footprint and high level of security will make it well suited to edge deployments where resources are limited. For CaaS, it will be much easier to use than existing container software, because users will not need to learn and manage their containers with container orchestration environments like Docker Swarm or Kubernetes.
Kata has launched with more than 20 backers, in addition to Intel and HyperHQ. They include Chinese ecommerce company JD.com, one of the world’s largest, and Chinese Internet company, Tencent
Hyper COO James Kulina, said JD.com was already using Hyper.sh’s runV in the public cloud to support its eCommerce platform. “The service exposes an easy-to-use, Docker-like workflow, so developers who know Docker are able to jump in and deploy apps immediately,” he said.
“And we are working with a number of other companies as well. Our goal is to popularise the technology and what it is capable of. Because it operates at a lower level it touches a lot of new use cases like serverless computing and edge. We think we will make very good headway in a very short time with this technology.”
He predicted that initial users of Kata would be large providers of public cloud services, and said requirements for edge computing were still emerging.
The Kata project web site and GitHub code repository go live on 6 December, Australian time, and Kata is on show at the KubeCon / CloudNativeCon event in Austin Texas from 6 to 8 December. These events will be followed by a series of webinars in multiple time zones to December 12 -13 to onboard new participants. Bryce said the aim was to have release 1.0 of the software out within six months.
The Kata Containers project will initially comprise six components, including the Agent, Runtime, Proxy, Shim, Kernel and packaging of QEMU 2.9. It is designed to be architecture agnostic, run on multiple hypervisors and be compatible with the OCI specification for Docker containers and CRI for Kubernetes.
From runV it will take the Multi Architecture, Multi Hypervisor, Full Hotplug, K8s Multi Tenancy, VM templating, Frakti native support and Traffic Controller net. From Clear Containers will come Direct Device Assignment, SRIOV, NVDIMM, Multi-OS, KSM throttling, CRI-O native support and MacVTap, multi-queue net.