DENVER — Some pairings really do spark joy. Peanut butter and chocolate. Wine and cheese. Biscuits and gravy. The concept crosses over to the tech world: Firecracker and Kata Containers.
On the Open Infrastructure keynote stage in Denver, Samuel Ortiz (architecture committee, Kata Containers) and Andreea Florescu (maintainer, Firecracker project) talked about how the two projects are working together.
The pair introduced a new collaborative project: rust-vmm. Firecracker lets Kata Containers run a large share of container workloads with a much smaller hypervisor than QEMU, but not all of them. OSF, Amazon, Intel, Google and others are now collaborating on a hypervisor purpose-built for containers. Enter rust-vmm, a project that provides shared, reusable virtualization components (Rust crates) from which specialized VMMs can be assembled.
But let’s get up to speed on the two projects and what’s next for them in detail.
Kata Containers aims to improve security in the container ecosystem by wrapping each pod or container in a lightweight VM, adding a hardware-backed isolation layer on top of the usual kernel namespaces and cgroups. Kata Containers has shipped a number of enhancements since May 2018 (six releases to date, with another shipping soon), including:
- Improved performance: VM templating (cloning a pre-booted VM instead of booting from scratch), TC (traffic control) mirroring to speed up networking, and the soon-to-be-integrated virtio-fs support for sharing host directories into the guest.
- Improved simplicity and operability: distributed tracing support, live update, and an overall simplified architecture that uses vsock for host-guest communication.
- Improved industry support: new hardware architectures, including ARM64, ppc64 and s390.
- An even stronger security architecture: more libcontainer-based isolation layers inside the virtual machine and, most importantly, support for more hypervisors, including QEMU, NEMU and Firecracker.
Firecracker is an open-source, lightweight virtual machine monitor written in Rust. It uses the Linux Kernel-based Virtual Machine (KVM) to provide isolation for multi-tenant cloud workloads such as containers and functions.
What makes it great:
- It "boots blazingly fast" (a microVM starts in under 125 milliseconds).
- A low memory footprint (under 5 MiB per microVM), which allows high density on a host.
- Security through two boundaries: the hardware virtualization boundary provided by KVM around the guest, and a jailer that confines the VMM process itself (chroot, cgroups, namespaces and dropped privileges) so that a compromised Firecracker process still has little to reach.
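The two boundaries are easiest to see from the point of view of whatever launches a microVM. The following is an added example, not code from the Firecracker project or from the keynote: it builds the jailer command line that sets up the first boundary, and the ordered REST API calls (over the UNIX socket that Firecracker exposes inside the jail) that configure and boot the guest behind the second. The install paths, VM id, uid/gid, chroot base and kernel/rootfs filenames are constructed for illustration.

```python
"""Added example (not Firecracker project code): Firecracker's two
isolation boundaries as seen by a launcher.

Boundary 1, the jailer: a separate binary that creates a chroot, moves
into a cgroup and new namespaces, drops to an unprivileged uid/gid and
only then execs the firecracker binary.
Boundary 2, KVM: the guest runs behind hardware virtualization; the
launcher configures it over Firecracker's HTTP API on a UNIX socket.

All ids, uids and paths below are constructed for illustration.
"""
import http.client
import json
import os
import socket

JAILER = "/usr/local/bin/jailer"            # assumption: install path
FIRECRACKER = "/usr/local/bin/firecracker"  # assumption: install path


def jailer_cmd(vm_id, uid, gid, chroot_base="/srv/jailer"):
    """Command line for the first boundary. The jailer builds
    <chroot_base>/firecracker/<vm_id>/root and execs Firecracker inside it
    as uid:gid; everything after '--' is passed to Firecracker itself."""
    return [
        JAILER,
        "--id", vm_id,
        "--exec-file", FIRECRACKER,
        "--uid", str(uid),
        "--gid", str(gid),
        "--chroot-base-dir", chroot_base,
        "--",
        "--api-sock", "/run/firecracker.socket",  # path relative to the chroot
    ]


def api_socket_path(vm_id, chroot_base="/srv/jailer"):
    """Host-side location of the API socket created inside the jail."""
    return os.path.join(chroot_base, "firecracker", vm_id, "root",
                        "run", "firecracker.socket")


def microvm_config(kernel, rootfs, vcpus=1, mem_mib=128):
    """Ordered (method, path, body) API calls that size, configure and
    boot a microVM. Kernel and rootfs paths are as seen from inside the
    chroot, so the launcher must copy or hard-link them into the jail
    before Firecracker is asked to open them."""
    return [
        ("PUT", "/machine-config",
         {"vcpu_count": vcpus, "mem_size_mib": mem_mib}),
        ("PUT", "/boot-source",
         {"kernel_image_path": kernel,
          "boot_args": "console=ttyS0 reboot=k panic=1 pci=off"}),
        ("PUT", "/drives/rootfs",
         {"drive_id": "rootfs", "path_on_host": rootfs,
          "is_root_device": True, "is_read_only": False}),
        ("PUT", "/actions", {"action_type": "InstanceStart"}),
    ]


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over a UNIX domain socket; Firecracker has no TCP API."""
    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def apply_config(sock_path, calls):
    """Send the calls in order on fresh connections and stop at the first
    non-2xx answer. Returns the HTTP status codes received."""
    statuses = []
    for method, path, body in calls:
        conn = UnixHTTPConnection(sock_path)
        conn.request(method, path, body=json.dumps(body),
                     headers={"Content-Type": "application/json"})
        resp = conn.getresponse()
        resp.read()
        conn.close()
        statuses.append(resp.status)
        if not 200 <= resp.status < 300:
            break
    return statuses


if __name__ == "__main__":
    vm = "demo-1"
    print(" ".join(jailer_cmd(vm, uid=1000, gid=1000)))
    calls = microvm_config("/vmlinux.bin", "/rootfs.ext4")
    sock = api_socket_path(vm)
    if os.path.exists(sock):      # only talk to a real jailed Firecracker
        print(apply_config(sock, calls))
    else:                         # otherwise just show the request plan
        for method, path, body in calls:
            print(method, path, json.dumps(body))
```

Run the jailer command (as root; the jailer drops to the given uid/gid itself), then run the script again once the socket exists and it will boot the guest. Note that `/machine-config`, `/boot-source` and `/drives/*` must all be set before `InstanceStart`; Firecracker rejects configuration changes after the guest is running, which is exactly the property that keeps the attack surface of a booted microVM small.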
Florescu also outlined some of the main enhancements in progress:
- ARM and AMD support.
- Refactoring the codebase into standalone virtualization components that other projects can reuse (the work that feeds rust-vmm).
- Container integration: moving vsock from an experimental implementation to a production-ready one, and integrating firecracker-containerd, a containerd runtime that runs containers inside Firecracker microVMs.
Check out the whole 12-minute keynote below and stay tuned for a video from their Summit session titled “Tailor-made security: Building a container specific hypervisor.”