Add Kata Containers spec

Story: 2010765 Task: 48073 Signed-off-by: mpaulool <Marcos.PauloOliveiraSilva@windriver.com> Change-Id: I42e9b827f276252eb686bb161e4fe3d88336e78f
2023-12-06 18:43:14 -03:00 · 2023-12-06 18:43:14 -03:00 · bb409a212f
parent f46bb1a5b4
commit bb409a212f
1 changed files with 175 additions and 0 deletions
--- a/doc/source/specs/stx-9.0/approved/starlingx-2010740-kata-containers-reintegration.rst
+++ b/doc/source/specs/stx-9.0/approved/starlingx-2010740-kata-containers-reintegration.rst
@ -0,0 +1,175 @@
+..
+  This work is licensed under a Creative Commons Attribution 3.0 Unported
+  License. http://creativecommons.org/licenses/by/3.0/legalcode
+
+==========================================
+Reintegrate Kata Containers into StarlingX
+==========================================
+
+Storyboard: https://storyboard.openstack.org/#!/story/2010765
+            https://storyboard.openstack.org/#!/story/2010781
+
+This spec reintegrates Kata Containers into StarlingX. When the migration
+to Debian was made, the Kata containers support wasn't ported. Then, this spec
+aims to port it.
+
+Problem description
+===================
+Kata Containers is an open source community working to build a secure
+container runtime with lightweight virtual machines that feel and perform
+like containers, but provide stronger workload isolation using hardware
+virtualization technology as a second layer of defense.[0]
+
+Since there is a performance gap between Kata Containers and conventional
+containers [1], Kata Containers is not used in default unless explicitly
+requirement is found in the Kubernetes's pod configuration file. Or in other
+words, regardless Kata Containers is enabled or not, containers
+currently we have in StarlingX will not use kata container runtime in default,
+unless extra change is made.
+
+Use Cases
+---------
+With Kata Containers supported in StarlingX, System developers, testers,
+operators, administrators could choose what container runtime to use when run
+a container image, based on their needs. For example, if there is security
+concern for the pod/container, it could be selected to run with kata container.
+For the default case, runc will be selected as default low-level container
+runtime, which is the default low-level runtime for Kubernetes.
+
+Proposed change
+===============
+
+To be done
+
+Data model impact
+-----------------
+
+None. This spec does not change any existing data models.
+
+REST API impact
+---------------
+
+None. This spec does not change any existing REST APIs.
+
+Security impact
+---------------
+
+There is no sensitive data touch for this feature, except containerd need
+touch certificate/key for local secure registry "registry.local".
+Kata Containers could help enhance system's security by runs in a dedicated
+kernel, providing isolation of network, I/O and memory and can utilize
+hardware-enforced isolation with virtualization VT extensions." [0]
+
+Other end user impact
+---------------------
+
+None. This spec does not impact the end user at all.
+
+Performance Impact
+------------------
+
+For containers that doesn't use kata-runtime, the performance should be the
+same as previous.
+For containers that use kata-runtime, some performance drop is expected.
+Per Kata Containers website:"Delivers consistent performance as standard Linux
+containers; increased isolation with the performance tax of standard virtual
+machines."[0]
+Also there is a report of "I/O performance of Kata Containers". [1]
+
+Other deployer impact
+---------------------
+
+None. This spec does not impact deployement at all.
+
+Developer impact
+----------------
+
+None. This spec does not impact the development at all.
+
+Upgrade impact
+--------------
+
+None. This spec does not impact the upgrade process at all.
+
+Implementation
+==============
+
+Assignee(s)
+-----------
+
+Primary assignee:
+
+Guilherme Batista Leite (guilhermebatista)
+
+Other contributors:
+
+David Liu (<>)
+Davi Frossard (dbarrosf)
+Fabio Studyny Higa (fstudyny)
+Marcos Paulo Oliveira Silva (mpaulool)
+Elson Claudio de Oliveira (<>)
+
+Repos Impacted
+--------------
+
+* stx-integ
+* stx-virt
+* stx-root
+* stx-metal
+* stx-tools
+
+Work Items
+----------
+
+Add kata container
+* Add kata container support
+
+  Add the support in StarlingX for Kata Containers. The prebuilt runtime
+  binaries are downloaded and modified to provide customization support.
+
+Upgrade QEMU from version 5.2 to version 7.2
+* Upgrade QEMU and port patches
+
+  To avoid any kind of incompatibility with Kata Containers 3.1.x version,
+  the QEMU upgrade to version 7.2 is necessary.
+  Currently, the QEMU version on the host has WRO-specific patches which
+  will need to be ported to the new version.
+
+Besides upper work items, there are other work items maybe need added during
+implementation of this spec. Please check the spec link in the beginning of
+this spec to get the full work item list.
+
+Dependencies
+============
+
+This specification depends upon the open source upstream:
+
+https://github.com/kata-containers/kata-containers
+https://github.com/qemu/qemu
+
+
+Testing
+=======
+
+To be done
+
+Documentation Impact
+====================
+
+To be done
+
+References
+==========
+[0]: https://katacontainers.io/
+[1]: https://www.stackhpc.com/kata-io-1.html
+
+History
+=======
+
+.. list-table:: Revisions
+   :header-rows: 1
+
+   * - Release Name
+     - Description
+   * - stx-9.0
+     - Introduced