
Kata Containers vs gVisor?

As I understand, Kata Containers

Kata Containers builds a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers but provide the workload isolation and security advantages of VMs.

On the other hand, gVisor:

gVisor is a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects.

As I believe, both of these technologies are trying to add Linux space into containers in order to enhance security.

My question is: how do they differ from each other? Is there overlap in functionality?

Suresh Vishnoi asked May 02 '18 20:05




2 Answers

From what I gather:

Kata Containers

  • Full Kernel on top of a lightweight QEMU/KVM VM
    • Kernel has been optimized in newer releases.
  • Lets system calls go through freely
  • Performance penalty due to the VM layer. Not yet clear how much slower or faster it is than gVisor.
  • On paper, slower startup time.
  • Can run any application.
  • Can run in nested virtualized environments if the hypervisor and hardware support it.

gVisor

  • Partial Kernel in userspace.
  • Intercepts syscalls
  • Performance penalty at runtime due to syscall filtering. Not yet clear how much slower or faster it is than Kata.
  • On paper, faster startup time.
  • Can run only applications that use supported system calls.
  • On paper, you may not need nested virtualization.
Rico answered Sep 17 '22 19:09
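Both projects plug in at the same point, as an OCI runtime that the container engine launches, which is where their functionality overlaps; what differs is what runs underneath (a guest kernel inside a lightweight VM for Kata, gVisor's user-space kernel for runsc). The manifests below are an added example, not part of either answer: they register the two as Kubernetes RuntimeClasses so the same Pod can be moved from one sandbox to the other by changing a single field. The handler names and containerd runtime types are the ones the Kata and gVisor shims register; the Pod name, image and overhead values are placeholders.

```yaml
# Added example, not from the answers above. Registers both sandboxed
# runtimes as Kubernetes RuntimeClasses so a Pod picks one with one field.
# Assumes containerd already has these handlers configured in its CRI plugin:
#   runtimes.kata  -> runtime_type = "io.containerd.kata.v2"   (Kata shim)
#   runtimes.runsc -> runtime_type = "io.containerd.runsc.v1"  (gVisor shim)
# Pod name, image and overhead numbers are placeholders.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata            # VM-backed sandbox: full guest kernel, hardware isolation
handler: kata           # must match the containerd runtime name
overhead:
  podFixed:             # reserve memory/CPU for the guest VM itself (values assumed)
    memory: "160Mi"
    cpu: "250m"
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor          # user-space kernel: syscalls intercepted by the Sentry
handler: runsc          # must match the containerd runtime name
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-worker          # placeholder
spec:
  runtimeClassName: gvisor        # change to "kata" to run the same Pod in a VM
  containers:
    - name: app
      image: example.org/app:1.0  # placeholder
      securityContext:
        allowPrivilegeEscalation: false
```

A Pod scheduled with `runtimeClassName: gvisor` fails to start if it needs a syscall runsc does not implement, which is the "supported system calls only" limitation listed above; the same Pod under `kata` runs unchanged against the guest kernel.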


Here's a simple explanation:

Kata Containers

Some kind of containers which run on hardware.

Traditional Virtual Machines are secure but not as fast as Containers. The Kata Containers project is like a Virtual Machine that is as lightweight as a Container. In other words, Kata Containers solved the low-speed problem of VMs.

gVisor

Containers running inside a sandbox named gVisor (there is one sandbox per container).

Containers are fast but not as secure as Virtual Machines. gVisor is something like a sandbox, and every container should run inside a sandbox. In other words, gVisor solved the security problem of Containers.

Iman Ravakhah answered Sep 19 '22 19:09