Kata Containers, KubeVirt, & Virtlet: VM Solutions for Multi-Tenant Applications

Written by: , Dec. 20, 2017

OpenStack Releases New Platform Software Merging Intel Clear Containers & Hyper.sh runV

One of the most interesting announcements made at KubeCon in Austin this year was the unveiling of Kata Containers, a combination of Intel's Clear Containers software and Hyper.sh's runV technology. Clear Containers are part of Intel's Open Source Initiative and linked to the Clear Linux project, a light-weight distro optimized for cloud servers and IoT devices. HyperHQ was founded by Xu Wang, Simon Xue, & Feng Gao in Beijing in 2014, producing a hybrid container/hypervisor technology that lets virtual machines (VMs) run inside Docker/Kubernetes deployments with extremely fast boot times and better security isolation for multi-tenant requirements. Arjan van de Ven, who works with the Intel Clear Containers group, wrote that this framework can launch a secure container with a running VM in "under 150 milliseconds" and that "the per-container memory overhead is roughly 18 to 20MB (this means you can run over 3500 of these on a server with 128GB of RAM)." The further development of Kata Containers will be governed by the OpenStack Foundation as part of the Open Cloud Initiative, and the project has already attracted significant support from IT industry majors (99cloud, AWcloud, Canonical, China Mobile, City Network, CoreOS, Dell/EMC, EasyStack, Fiberhome, Google, Huawei, JD.com, Mirantis, NetApp, Red Hat, SUSE, Tencent, Ucloud, UnitedStack, & ZTE). With Docker & Kubernetes increasingly the standard for DevOps on cloud servers, enterprises have strong demand for solutions that let multi-tenant apps run in containers with better security isolation, and that let developers build solutions with multiple operating systems running simultaneously in different pods. Other solutions to this problem are KubeVirt (a Kubernetes plugin for better VM support) and Virtlet (produced by Mirantis for use with OpenContrail and Calico).
Programmers and systems administrators can use software-defined networking tools and the Kubernetes Pod API to create innovative solutions for modernizing legacy software applications, or new strategies for complex web & mobile apps hosted in a private/public cloud.

Clear Linux is designed "to showcase the best of Intel architecture technology and performance, from low-level kernel features to complex applications that span across the entire OS stack," optimized particularly for use with containers on cloud servers as an extremely light-weight and fast-booting distro similar to Rancher & CoreOS. Kata Containers implement Intel Virtualization Technology (VT) with interoperable support for the same file standards and protocols used by Kubernetes, Docker, the Open Container Initiative (OCI), the Container Runtime Interface (CRI), the Container Networking Interface (CNI), QEMU, KVM, Hyper-V, and OpenStack. Kata Containers are currently packaged for distribution and use with Ubuntu, CentOS, CoreOS, Fedora, & Clear Linux, although programmers will also be able to install the framework independently on other distros. The Hyper.sh HyperContainer is used to "secure hardware-enforced isolation between containers, while still keeping the sub-second startup performance." Rather than sharing one OS kernel across all containers, as Docker, Kubernetes, or CoreOS/rkt do, Hyper.sh has developed a hybrid hypervisor technology on KVM that runs each OS instance as a VM with a microkernel in every pod, giving better security isolation in multi-tenant applications and enabling Windows & Linux to run together on container-based web servers. Kata Containers are fast, agile, & easy to use, with development support from one of the world's largest hardware manufacturers. Intel currently has a $220 billion market capitalization and is one of the most well-known international brands.

Commenting on the new release, James Kulina, COO @Hyper, stated: "Hyper is proud and excited to contribute runV, our virtualized container runtime technology, as the foundation of the new Kata Containers project. Hyper’s vision from the start has always been to combine the best of virtualization and containerization, in delivering the security of VMs with the speed of containers. We see Kata Containers, as a potential basis for new on-demand container-native services spanning public/private cloud, serverless, and edge computing use cases and look forward to working with the community."

Intel® Clear Containers Overview (Amy Leeland)

"Intel® Clear Containers provide the ease of use of containers while leveraging the isolation of virtual machines. It is a back-end technology that plugs into Docker, Kubernetes and Rocket, and is packaged for multiple Linux* distributions, including Ubuntu, CentOS, CoreOS, and Fedora. To support upstream proliferation, Intel Clear Containers supports specifications including OCI, AppC, CRI-O, CNI, and CNM. Downstream, Intel is working with Docker, Kubernetes, OSVs, ISVs, Integrators, and CSVs. Clear Containers is an open source project available on GitHub." Learn More About Intel Clear Containers.

"Hyper.sh is a secure container hosting service. What makes it different from AWS (Amazon Web Services) is that you don't start servers, but start Docker images directly from Docker Hub or other registries. Hyper.sh is running the containers in a new way, in which multi-tenants' containers are inherently safe to run side by side on bare metal, instead of being nested in VMs. This benefits you in being safe and cheap at the same time and you can focus on your app instead of maintaining servers." Learn More About Hyper.sh.

With the growing popularity of OpenStack, Docker, and Kubernetes for cloud hosting in enterprise corporations, other programmers, development teams, and systems integration companies have also independently tackled the problem of providing better support and security for running VMs in containers. First and foremost among these is Virtlet, produced by Mirantis, with another being KubeVirt, an open source plugin for Kubernetes. KubeVirt uses oVirt/RHV to enhance the ability of OpenStack to operate in Infrastructure-as-a-Service (IaaS) applications. Kubernetes is used for the deployment, scaling, & management of containers in production, but does not manage VMs in pods by default. VM deployments can benefit from Kubernetes by taking advantage of the superior load balancing, scheduling, rolling updates, provisioning, etc. that the platform provides. Enterprise corporations can use this combination to modernize legacy applications (e.g., Windows- or mainframe-based), creating a unified infrastructure that is easier to maintain and operate, while reducing the overall cost of development and maintenance. As Carlos Luo, cloud general manager of government affairs @Tencent stated, "Containers technology offers huge potential benefits to operators of cloud infrastructure at scale, but practical considerations of security and performance result in compromises. As scale operators of infrastructure powered by OpenStack and other technologies, we’re excited to support the Kata Containers project, as it offers a novel approach to solving the challenges of containers at scale."

KubeVirt - Kubernetes, Virtualization and Your Future Data Center
(Itamar Heim & Fabian Deutsch)

Virtual networking in Kubernetes can be accomplished using Virtlet to manage the Pod API and run VMs, or with the Hyper/Intel Clear Containers fusion provided by Kata Containers, which offers better user & process isolation for web security. Kubernetes communicates the system memory and storage requirements of the VM to the pod, where the replication controller can manage multiple VM instances with synchronization of databases and storage. Kata Containers, Virtlet, and KubeVirt allow users to run multiple operating systems, such as Linux & Windows, together as VMs in pods. Virtcontroller manages the scheduling and deployment automatically in production environments. Overall, this approach improves clustering ability through resource protection, exclusiveness, and fencing, enabling better overall host life-cycle management. With this comes greater computational efficiency for hardware, improved Layer 2 networking in Kubernetes installations, multipath storage options through the use of cloning & snapshots, as well as resource-driven scheduling of security updates and system patches. Integration with OpenStack means greater security, reliability, peer review, and trust in enterprise virtualization at a lower cost for businesses. Developers can focus on legacy app migration or on pushing new functions and features into production, using VMs & containers together with software-defined networking & the Pod API to create new solutions for web and mobile applications at scale.

"A virtualization API and runtime add-on for Kubernetes in order to define and manage virtual machines." Learn More About KubeVirt.

In this demo, Jakub Pavlik of Mirantis demonstrates how large-scale OpenStack deployments can be created with Kubernetes clusters and OpenContrail, using virtual routers, the Kubernetes manager, Helm, YAML, etc. for administration. Each VM is provisioned with SSH keys, and every pod gets a unique IP address. Virtlet is used to manage Docker with Nginx running in one container and Ubuntu as a VM in another container, with OpenContrail providing the SDN resources required for the integration.

Kubernetes Virtlet and Contrail (Jakub Pavlik)

"Sometimes your app doesn't need a full-blown OpenStack implementation, but it's not quite ready for Kubernetes, either. Virtlet lets you run VMs on Kubernetes, so that you can have your VMs and your containers on the same OpenContrail network." Learn More About the Mirantis Ecosystem.

"Virtlet is a Kubernetes runtime server that enables you to run VM workloads based on QCOW2 images. Virtlet was started by Mirantis k8s folks almost a year ago, with the first implementation done with Flannel. In other words, Virtlet is a Kubernetes CRI (Container Runtime Interface) implementation for running VM-based pods on Kubernetes clusters. (CRI is what enables Kubernetes to run non-Docker flavors of containers, such as Rkt.) For the sake of simplicity of deployment, Virtlet itself runs as a DaemonSet, essentially acting as a hypervisor and making the CRI proxy available to run the actual VMs. This way, it’s possible to have both Docker and non-Docker pods run on the same node." Learn More About Virtlet.

"To demonstrate how all of this works, we created a lab with: 3 OpenContrail 3.1.1.x controllers running in HA; 3 Kubernetes master/minion nodes; & 2 Kubernetes minion nodes. The K8s nodes are running Kubernetes 1.6 with the OpenContrail Container Network Interface (CNI) plugin, and we spun up an Ubuntu VM pod via virtlet and a standard deployment with Nginx container pods. So what we wind up with is an installation where we’re running containers and virtual machines on the same Kubernetes cluster, running on the same OpenContrail virtual network." Learn More About Virtlet.
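The lab above ends up with VM pods and ordinary container pods side by side on one cluster, and the earlier section on KubeVirt stresses that the VM-backed pods are the ones that give tenants kernel-level isolation. The operational question for a defender is therefore which pods actually land in a VM and which still share the host kernel. The script below is an added example, not code from the article or from the Virtlet, Kata or KubeVirt projects: it audits a set of pod manifests and reports tenant-namespace pods that would run on the shared kernel, as well as pods whose image uses the Virtlet prefix but which lack the routing annotation and so would never reach Virtlet. It assumes Virtlet's documented routing convention (the `kubernetes.io/target-runtime: virtlet.cloud` annotation and the `virtlet.cloud/` image prefix; verify these against the Virtlet release you deploy), treats any `spec.runtimeClassName` the caller lists as VM-backed for newer clusters, and uses constructed sample manifests with placeholder image names.

```python
"""Audit pod manifests for VM-backed tenant isolation.

Added example, not part of the article or of the Virtlet/Kata/KubeVirt
projects. Assumptions (also stated in the lead-in):
  * Virtlet routes a pod to itself when the pod carries the annotation
    kubernetes.io/target-runtime: virtlet.cloud, and VM images use the
    virtlet.cloud/ prefix (Virtlet's documented convention; verify it
    against the release you run).
  * On newer clusters a pod may instead select a sandboxed runtime via
    spec.runtimeClassName; which class names count as VM-backed is a
    policy choice passed in by the caller.
  * SAMPLE_PODS below are constructed manifests with placeholder images,
    not output from a real cluster.
"""
from typing import Dict, FrozenSet, Iterable, List, Tuple

VIRTLET_ANNOTATION = "kubernetes.io/target-runtime"
VIRTLET_RUNTIME = "virtlet.cloud"
VIRTLET_IMAGE_PREFIX = "virtlet.cloud/"

Finding = Tuple[str, str, str]  # (namespace, pod name, reason)


def isolation_class(pod: Dict, vm_runtime_classes: FrozenSet[str] = frozenset()) -> str:
    """Classify how a pod will be isolated once it is scheduled.

    'vm'            -> the pod gets its own guest kernel (Virtlet VM pod, or a
                        runtimeClassName the caller treats as VM-backed)
    'shared-kernel' -> an ordinary container sharing the node's host kernel
    """
    annotations = (pod.get("metadata") or {}).get("annotations") or {}
    if annotations.get(VIRTLET_ANNOTATION) == VIRTLET_RUNTIME:
        return "vm"
    if (pod.get("spec") or {}).get("runtimeClassName") in vm_runtime_classes:
        return "vm"
    return "shared-kernel"


def uses_virtlet_image(pod: Dict) -> bool:
    """True if any container image in the pod carries the virtlet.cloud/ prefix."""
    containers = (pod.get("spec") or {}).get("containers") or []
    return any(str(c.get("image", "")).startswith(VIRTLET_IMAGE_PREFIX) for c in containers)


def audit_pods(pods: Iterable[Dict], vm_required_namespaces: Iterable[str],
               vm_runtime_classes: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Report pods that violate the tenant-isolation policy.

    Check 1: a virtlet.cloud/ image without the routing annotation is misrouted;
             the default container runtime would try (and fail) to pull it, so
             the workload never becomes a VM pod at all.
    Check 2: a pod in a namespace that requires VM isolation must classify as 'vm'.
    """
    required = set(vm_required_namespaces)
    findings: List[Finding] = []
    for pod in pods:
        meta = pod.get("metadata") or {}
        ns = meta.get("namespace", "default")
        name = meta.get("name", "<unnamed>")
        cls = isolation_class(pod, vm_runtime_classes)
        if uses_virtlet_image(pod) and cls != "vm":
            findings.append((ns, name, "virtlet.cloud/ image without the target-runtime annotation"))
        elif ns in required and cls != "vm":
            findings.append((ns, name, "shared-kernel pod in a namespace that requires VM isolation"))
    return findings


def _pod(ns: str, name: str, image: str, annotations: Dict = None, runtime_class: str = None) -> Dict:
    """Build a minimal pod manifest (constructed sample data)."""
    spec: Dict = {"containers": [{"name": name, "image": image}]}
    if runtime_class:
        spec["runtimeClassName"] = runtime_class
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"namespace": ns, "name": name, "annotations": annotations or {}},
            "spec": spec}


# Constructed sample manifests; image names are placeholders.
SAMPLE_PODS = [
    # Ubuntu VM pod routed to Virtlet, as in the Mirantis lab
    _pod("tenant-a", "ubuntu-vm", "virtlet.cloud/images.example.invalid/ubuntu-xenial.qcow2",
         annotations={VIRTLET_ANNOTATION: VIRTLET_RUNTIME}),
    # plain Nginx container on the shared host kernel; platform namespace, so allowed
    _pod("platform", "nginx", "nginx:1.13"),
    # tenant pod with a VM image but no routing annotation: misrouted
    _pod("tenant-b", "legacy-app", "virtlet.cloud/images.example.invalid/legacy-windows.qcow2"),
    # tenant pod that is an ordinary container in a namespace requiring VM isolation
    _pod("tenant-b", "api", "registry.example.invalid/tenant-b/api:1.0"),
]

VM_REQUIRED_NAMESPACES = {"tenant-a", "tenant-b"}

if __name__ == "__main__":
    for ns, name, reason in audit_pods(SAMPLE_PODS, VM_REQUIRED_NAMESPACES):
        print(f"{ns}/{name}: {reason}")
```

On the sample input the audit flags only the two tenant-b pods; the ubuntu-vm pod passes because its annotation routes it to Virtlet, and the platform Nginx pod passes because its namespace does not require VM isolation. Feeding the script the output of `kubectl get pods -A -o json` (the `items` list) turns it into a cluster-wide check.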

With the backing of Intel, Google, the OpenStack Foundation, and so many industry majors already using Docker/Kubernetes in large scale production environments, Kata Containers appears well poised to make an immediate impact in data center management techniques as a major DevOps tool and platform standard. Developers can follow the links below for more information about the software:

Eliran Ouzan is the Co-Founder and designer of HostAdvice and also owns Moonshot Marketing LTD, a leading web design & development firm, and was a member of Greenpeace.

He is widely known for his pixel-perfect and high conversion rate web designs. Over the course of his web experience he has experimented with over 200 web hosting companies and has superior knowledge of what defines a good hosting company.
