Add Kata Containers spec
Story: 2010765
Task: 48073
Signed-off-by: mpaulool <Marcos.PauloOliveiraSilva@windriver.com>
Change-Id: I42e9b827f276252eb686bb161e4fe3d88336e78f

This commit is contained in:
parent f46bb1a5b4
commit bb409a212f
@@ -0,0 +1,175 @@
..
 This work is licensed under a Creative Commons Attribution 3.0 Unported
 License. http://creativecommons.org/licenses/by/3.0/legalcode

==========================================
Reintegrate Kata Containers into StarlingX
==========================================

Storyboard: https://storyboard.openstack.org/#!/story/2010765
https://storyboard.openstack.org/#!/story/2010781

This spec reintegrates Kata Containers into StarlingX. When the migration
to Debian was made, the Kata containers support wasn't ported. Then, this spec
aims to port it.

Problem description
===================
Kata Containers is an open source community working to build a secure
container runtime with lightweight virtual machines that feel and perform
like containers, but provide stronger workload isolation using hardware
virtualization technology as a second layer of defense.[0]

Since there is a performance gap between Kata Containers and conventional
containers [1], Kata Containers is not used in default unless explicitly
requirement is found in the Kubernetes's pod configuration file. Or in other
words, regardless Kata Containers is enabled or not, containers
currently we have in StarlingX will not use kata container runtime in default,
unless extra change is made.

Use Cases
---------
With Kata Containers supported in StarlingX, System developers, testers,
operators, administrators could choose what container runtime to use when run
a container image, based on their needs. For example, if there is security
concern for the pod/container, it could be selected to run with kata container.
For the default case, runc will be selected as default low-level container
runtime, which is the default low-level runtime for Kubernetes.

Proposed change
===============

To be done

Data model impact
-----------------

None. This spec does not change any existing data models.

REST API impact
---------------

None. This spec does not change any existing REST APIs.

Security impact
---------------

There is no sensitive data touch for this feature, except containerd need
touch certificate/key for local secure registry "registry.local".
Kata Containers could help enhance system's security by runs in a dedicated
kernel, providing isolation of network, I/O and memory and can utilize
hardware-enforced isolation with virtualization VT extensions." [0]

Other end user impact
---------------------

None. This spec does not impact the end user at all.

Performance Impact
------------------

For containers that doesn't use kata-runtime, the performance should be the
same as previous.
For containers that use kata-runtime, some performance drop is expected.
Per Kata Containers website:"Delivers consistent performance as standard Linux
containers; increased isolation with the performance tax of standard virtual
machines."[0]
Also there is a report of "I/O performance of Kata Containers". [1]

Other deployer impact
---------------------

None. This spec does not impact deployement at all.

Developer impact
----------------

None. This spec does not impact the development at all.

Upgrade impact
--------------

None. This spec does not impact the upgrade process at all.

Implementation
==============

Assignee(s)
-----------

Primary assignee:

Guilherme Batista Leite (guilhermebatista)

Other contributors:

David Liu (<>)
Davi Frossard (dbarrosf)
Fabio Studyny Higa (fstudyny)
Marcos Paulo Oliveira Silva (mpaulool)
Elson Claudio de Oliveira (<>)

Repos Impacted
--------------

* stx-integ
* stx-virt
* stx-root
* stx-metal
* stx-tools

Work Items
----------

Add kata container
* Add kata container support

Add the support in StarlingX for Kata Containers. The prebuilt runtime
binaries are downloaded and modified to provide customization support.

Upgrade QEMU from version 5.2 to version 7.2
* Upgrade QEMU and port patches

To avoid any kind of incompatibility with Kata Containers 3.1.x version,
the QEMU upgrade to version 7.2 is necessary.
Currently, the QEMU version on the host has WRO-specific patches which
will need to be ported to the new version.

Besides upper work items, there are other work items maybe need added during
implementation of this spec. Please check the spec link in the beginning of
this spec to get the full work item list.

Dependencies
============

This specification depends upon the open source upstream:

https://github.com/kata-containers/kata-containers
https://github.com/qemu/qemu


Testing
=======

To be done

Documentation Impact
====================

To be done

References
==========
[0]: https://katacontainers.io/
[1]: https://www.stackhpc.com/kata-io-1.html

History
=======

.. list-table:: Revisions
   :header-rows: 1

   * - Release Name
     - Description
   * - stx-9.0
     - Introduced