Shulou(Shulou.com)05/31 Report--

This article introduces the knowledge of "how to use gVisor and KataContainers". In the operation of actual cases, many people will encounter such a dilemma. Next, let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

Current container technology still has many well-known security challenges, one of the major problems is that gaining efficiency and performance from a single shared kernel means that container escape can be a loophole.

So in 2015, almost in the same week, Intel OTC (Open Source Technology Center) and the domestic HyperHQ team simultaneously opened up two container implementations based on virtualization technology, called the Intel Clear Container and runV projects. In 2017, with the help of the east wind of Kubernetes, these two similar container runtime projects were finally merged under the mediation of the Neutral Foundation, which became the now familiar Kata Containers project. Because the essence of Kata Containers is a streamlined lightweight virtual machine, its characteristic is "as secure as a virtual machine and as agile as a container".

In 2018, Google released a project called gVisor. The gVisor project configures the container process with a minimal "independent kernel" that runs in user mode and is implemented in the Go language. This kernel exposes the Linux kernel ABI to the container process, playing the role of "Guest Kernel", thus isolating the container from the host.

KataContainers

First, let's take a look at KataContainers. How it works can be described by the diagram shown below.

The essence of Kata Containers is a lightweight virtual machine. So when you start a Kata Containers, you will actually see a normal virtual machine running. This means that a standard hypervisor (Virtual Machine Manager, VMM) is a necessary component to run Kata Containers. In our figure above, the VMM used is Qemu.

Docker uses KataContainers

First, the node needs to support any of the following four cpu virtualization technologies:

Intel VT-x technology

ARM Hyp mode

IBM Power Systems

If IBM Z manframes is deployed in a VMware virtual machine, you need to enable nested virtualization in the host. For more information on enabling steps, please see the link: https://blog.51cto.com/11434894/2389180?source=dra.

Install kataContainer:

ARCH=$ (arch) BRANCH= "${BRANCH:-master}" sudo sh-c "echo 'deb http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/${BRANCH}/xUbuntu_$(lsb_release-rs) / etc/apt/sources.list.d/kata-containers.list" curl-sL http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}:/${BRANCH} / xUbuntu_$ (lsb_release-rs) / Release.key | sudo apt-key add-sudo-E apt-get updatesudo-E apt-get-y install kata-runtime kata-proxy kata-shim

Set up the docker profile:

Cat > / etc/docker/daemon.json / etc/containerd/config.toml / etc/systemd/system/kubelet.service.d/0-cri-containerd.conf / etc/docker/daemon.json / etc/containerd/config.toml / var/lib/kubelet/kubeadm-flags.env

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.