Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Kata Containers vs gVisor?

Tags:

kubernetes

gvisor

kata-containers

As I understand, Kata Containers

Kata Container build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers but provide the workload isolation and security advantages of VMs

On the other hand, gvisor

gVisor is a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects.

As I believe, both of these technology trying to add linux space into containers in order to enhance security.

My question is How do they differ from each other ? Is there overlapping in functionalities?

like image 650
Suresh Vishnoi Avatar asked May 02 '18 20:05

Suresh Vishnoi

People also ask

What are Kata containers?

Kata Containers is an open source community working to build a secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.

Who uses Kata containers?

Alibaba Group. Kata Containers is not only valued for its security isolation, but also valued for providing resource isolation and fault isolation. In Alibaba Group and Ant Group, thousands of tasks are scheduled and running on Kata Containers.

2 Answers

From what I gather:

Kata Containers

  • Full Kernel on top of a lightweight QEMU/KVM VM
    • Kernel has been optimized in newer releases.
  • Lets system calls go through freely
  • Performance penalty due to the VM layer. Not clear yet how slower or faster than gVisor
  • On paper, slower startup time.
  • Can run any application.
  • Can run in nested virtualized environments if the hypervisor and hardware support it.

gVisor

  • Partial Kernel in userspace.
  • Intercepts syscalls
  • Performance penalty at runtime due to syscall filtering. Not clear how slower or faster than Kata yet.
  • On paper, faster startup time.
  • Can run only applications that use supported system calls.
  • On paper, you may not need nested virtualization.
like image 57
Rico Avatar answered Sep 17 '22 19:09

Rico

Here's a simple explanation

Kata Containers

Some kind of Containers which run on Hardware.

Traditional Virtual Machines are secure but not as fast as Containers. Kata Containers Project is like a Virtual Machine as lightweight as a Container. In other words, Kata Containers solved the low speed problem of VMs.

gVisor

Containers running inside a sandbox named gVisor (there's a sandbox per container)

Containers are fast but not as secure as Virtual Machines. gVisor is something like a sandbox and every container should run inside one sandbox. In other words, gVisor solved the security problem of Containers.

like image 40
Iman Ravakhah Avatar answered Sep 19 '22 19:09

Iman Ravakhah
Sign in to Comment

Related questions

How to use Cloudflare 1.1.1.1 with Kubernetes DNS
Cluster Autoscaler not scaling up with nodeSelector
metalLB vs ingress vs (nodeport or cluster ip) in kubernetes
Caching in kubernetes
artisan command always shows the message Not a git repository (or any of the parent directories)
How to mount volume of airflow worker to airflow kubernetes pod operator?
Helm charts vs ansible-playbook vs k8s operator in system installation
How to generate a random string / password in Kubernetes secrets
How to fix the error in YAML file converting yaml to JSON? mapping values are not allowed in this context"
kubernetes: image can't be pulled
How to run kubectl within a job in a namespace?
Error {"message":"failure to get a peer from the ring-balancer"} using kong ingress
access kubernetes storage from multiple pods with different modes - one pod ReadWrite, other pods ReadOnly
upstream connect error or disconnect/reset before headers. reset reason: connection failure. Spring Boot and java 11
Kubernetes Operator (Operator SDK, Kubebuilder VERSUS Kubernetes Client Libraries)
Azure Kubernetes - prometheus is deployed as a part of ISTIO not showing the deployments?
Is the "hosts" attribute in VirtualService and Gateway based on HTTP's Host header (layer 7)?
how to fix 404 not found when accessing URL routes while deploying an app using nginx?
What is the default value of initialDelaySeconds?
how to ssh into nodes of Google container engine cluster?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!