Intel & Hyper Combine on a Container Alternative
Intel and the Hyper open source project have combined their projects to create Kata Containers, which behave like containers but are really a slimmer alternative to virtual machines.
The Kata Containers project, which itself is open source and being managed by the OpenStack Foundation, is getting launched this week at KubeCon in Austin, Texas. Kata doesn't require OpenStack; the Foundation is involved because it wants to become a home for open infrastructure projects of all types, including those related to infrastructure and to software development.
The goal behind Kata Containers is to create a virtual machine that's as lightweight as a container. Virtual machines are bulky, in that each VM includes a full operating system kernel. Containers are smaller and have a density advantage; you can pack multiple containers on one CPU. But those containers share one OS kernel, which means an intruder who breaks into the kernel could theoretically gain access to every container on that host.
A mini-ecosystem of container security options has emerged to address this. Startup Twistlock, for instance, offers software that keeps an eye on containers to make sure their behaviors are within policy guidelines.
But another alternative that's been popular is to run one container per hypervisor, which improves security but erases containers' density advantage. "You end up losing the efficiency," says Jonathan Bryce, executive director of the OpenStack Foundation.
Kata uses the virtual machine model, giving each application its own OS kernel. But like a container, it leaves out pieces of the OS that a particular workload doesn't need -- thus giving Kata the same "lightweight" feel as a container. The structure is a combination of Clear Containers (a container variant that Intel Corp. (Nasdaq: INTC) developed) and the runV technology developed by Hyper.
"We need to bring back some of the isolation [of VMs] but not all of the overhead," says James Kulina, COO of Hyper. "When you do that, it opens up all sorts of use cases for containers."
Kata also matches the agility of containers -- the ability to launch many of them quickly and tear them down when their jobs are done. In fact, to the application developer, Kata behaves like a container and follows a workflow similar to Docker's. It's meant to be controlled by container tools such as Kubernetes and it will comply with the format defined by the Open Container Initiative (OCI).
"We haven't even launched this yet, but as we've been talking around, there's support for it, because this is a really hard problem to solve," Bryce says.
The first version of Kata works only on the open source KVM hypervisor, but support for other hypervisors is on the way, says Imad Sousou, vice president and general manager of Intel's Open Source Technology Center.
Kata is also starting out supporting only one hardware environment -- Intel's -- but Intel and Hyper intend to support other processors as well, Sousou says. "I know that the Hyper engineers have added at least some ARM support," he says.
— Craig Matsumoto, Editor-in-Chief, Light Reading