Kata Containers

From ArchWiki

Kata Containers (previously Clear Containers) is an OCI-compatible application container runtime meant to provide isolation of potentially untrusted processes from the host system and other processes by leveraging virtualization. Currently upstream-supported hypervisors are qemu, firecracker-binAUR and cloud-hypervisorAUR.

Architecture

  • kata-agent - supervisor process running on the hypervised guest sandbox, tasked with managing its lifetime
  • kata-runtime - container runtime component responsible for handling commands specified by the OCI runtime specification and tasked with launching shims
  • kata-proxy (before 2.0) - routes I/O streams and signals between on-guest agent and host-side processes associated with running a given sandbox using gRPC
  • kata-shim (before 2.0) - container process monitor and reaper
  • kata-ksm-throttler (optional, before 2.0) -
  • kata-linux-container - patched kernel used to launch VMs serving as container/pod sandboxes
  • kata-containers-image - initramfs and rootfs images used for spawning VM sandboxes

Usage

Kata picks up its configuration from /etc/kata-containers/configuration.toml by default; this can be overridden by pointing the KATA_CONF_FILE environment variable at another configuration file. Initialize that configuration from /usr/share/defaults/kata-containers/configuration-qemu.toml.

v1

Install the runtime kata1-runtime-binAUR, kata1-proxy-binAUR, kata1-shim-binAUR, kernel linux-kata1-binAUR and set of initrd and rootfs kata-containers-image-binAUR.

Docker

In order to use Kata Containers with Docker, the user needs to add it to supported runtimes in /etc/docker/daemon.json:

 {
   "runtimes": {
     "kata": {
       "path": "/usr/bin/kata-runtime"
     }
   }
 }

To use it as the default runtime for Docker: {"default-runtime": "kata"}.

To use it with the Firecracker hypervisor, due to its limitations, the devicemapper storage driver [1] has to be used: {"storage-driver": "devicemapper"}.

Afterward you can use the runtime key: docker run --runtime kata --rm -ti archlinux/base /bin/bash.
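The daemon.json changes above are easy to get wrong by hand: dropping an existing "runtimes" entry, or silently switching an overlay2 host to devicemapper and losing access to its images. The following added example (not code from the ArchWiki page or the Kata project) merges the page's three settings into an existing daemon.json while keeping unrelated keys, and refuses to change an already-configured storage driver for the Firecracker case. The sample daemon.json contents and the "example-runtime" entry are constructed for illustration.

```python
"""Merge the Kata runtime settings from the page into Docker's daemon.json.

Added example; not part of the ArchWiki page or the Kata project.
"""
import json
from pathlib import Path

KATA_RUNTIME_PATH = "/usr/bin/kata-runtime"  # runtime path used on the page


def add_kata_runtime(config: dict, *, default: bool = False,
                     firecracker: bool = False,
                     runtime_path: str = KATA_RUNTIME_PATH) -> dict:
    """Return a copy of `config` with the "kata" runtime registered.

    default:     also set {"default-runtime": "kata"}.
    firecracker: Firecracker requires {"storage-driver": "devicemapper"}; if a
                 different driver is already configured, raise instead of
                 switching it behind the operator's back (existing images and
                 containers would become invisible to Docker).
    """
    merged = json.loads(json.dumps(config))  # deep copy, keeps unrelated keys
    runtimes = merged.setdefault("runtimes", {})
    runtimes["kata"] = {"path": runtime_path}
    if default:
        merged["default-runtime"] = "kata"
    if firecracker:
        current = merged.get("storage-driver", "devicemapper")
        if current != "devicemapper":
            raise ValueError(
                f"storage-driver is {current!r}; Firecracker needs devicemapper, "
                "migrate the storage driver deliberately before enabling it")
        merged["storage-driver"] = "devicemapper"
    return merged


def update_daemon_json(path="/etc/docker/daemon.json", **kwargs) -> dict:
    """Read daemon.json (or start empty), merge, write back, return the result."""
    p = Path(path)
    config = json.loads(p.read_text()) if p.exists() else {}
    merged = add_kata_runtime(config, **kwargs)
    p.write_text(json.dumps(merged, indent=2) + "\n")
    return merged


# Constructed sample daemon.json: pre-existing settings that must survive the merge.
SAMPLE_DAEMON_JSON = {
    "log-driver": "journald",
    "runtimes": {"example-runtime": {"path": "/usr/local/bin/example-runtime"}},
}

if __name__ == "__main__":
    # Preview the merge on the constructed sample; pass a path to
    # update_daemon_json() to apply it for real (requires root).
    print(json.dumps(add_kata_runtime(SAMPLE_DAEMON_JSON, default=True), indent=2))
```

Restart the Docker daemon after writing the file; `docker info` then lists kata under Runtimes and, if set, as the Default Runtime.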

Podman

Running a container: podman --runtime /usr/bin/kata-runtime run --rm -ti archlinux/base /bin/bash.

Keep in mind that a Kata VM sandbox conceptually maps to Kubernetes pods or a shared netns, not just individual containers.

v2

Since release 2.0, Kata Containers exclusively uses the OCI runtime shim API v2; Docker, however, has the shim API version hard-coded to v1, so this combination is not usable as of this writing.

Install the runtime kata-runtime-binAUR, kernel linux-kata-binAUR and set of initrd and rootfs kata-containers-image-binAUR.

Containerd CLI

# ctr image pull docker.io/library/archlinux:latest
# ctr run --rm -t --runtime io.containerd.kata.v2 docker.io/library/archlinux:latest example-container-name date
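Selecting the Kata shim is only worth anything if the workload actually lands in a guest VM. A quick way to confirm this is to compare the kernel release the container reports with the host's: under runc both are the same kernel, whereas under Kata the container sees the guest kernel from the Kata kernel image. The following added example (not from the ArchWiki page or the Kata project) runs that probe through ctr with the page's runtime id and image; the constructed kernel strings in the test are illustrative, and the container id "kata-kernel-probe" is an arbitrary name.

```python
"""Verify that a Kata v2 container runs on its own guest kernel.

Added example; not part of the ArchWiki page or the Kata project.
"""
import platform
import subprocess

KATA_V2_RUNTIME = "io.containerd.kata.v2"      # runtime id used on the page
IMAGE = "docker.io/library/archlinux:latest"   # image used on the page


def isolation_verdict(host_kernel: str, guest_kernel: str) -> str:
    """Classify the probe result.

    "isolated":      the container reports a kernel different from the host's,
                     i.e. it is running inside a Kata VM sandbox.
    "shared-kernel": identical kernels; the workload shares the host kernel as
                     with runc, so no VM isolation is in effect.
    "unknown":       the probe returned nothing usable.
    """
    guest = guest_kernel.strip()
    if not guest:
        return "unknown"
    return "isolated" if guest != host_kernel.strip() else "shared-kernel"


def ctr_probe_command(container_id: str = "kata-kernel-probe",
                      image: str = IMAGE) -> list:
    """Build the ctr invocation that prints the kernel release seen in the container."""
    return ["ctr", "run", "--rm", "--runtime", KATA_V2_RUNTIME,
            image, container_id, "uname", "-r"]


def probe_live() -> str:
    """Run the probe against the local containerd (needs root and a pulled image)."""
    result = subprocess.run(ctr_probe_command(), capture_output=True,
                            text=True, check=True)
    return isolation_verdict(platform.release(), result.stdout)


if __name__ == "__main__":
    print(f"host kernel: {platform.release()}")
    print(f"verdict: {probe_live()}")
```

A "shared-kernel" verdict usually means the shim was not found (containerd-shim-kata-v2 missing from PATH) or a different runtime was substituted; check `kata-runtime check` and the containerd log before trusting the sandbox.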
