Kata Containers is an open source container runtime that is crafted to seamlessly plug into the containers ecosystem.
We are now excited to announce that the Kata Containers packages are finally available in the official openSUSE Tumbleweed repository.
It is worth spending a few words explaining why this is great news, considering the role of Kata Containers (a.k.a. Kata) in fulfilling the need for security in the containers ecosystem, and given its importance for openSUSE and Kubic.
What is Kata
As already mentioned, Kata is a container runtime focusing on security and on ease of integration with the existing containers ecosystem. If you are wondering what a container runtime is, this blog post by Sascha will give you a clear introduction to the topic.
Kata should be used when running container images whose source is not fully trusted, or when allowing other users to run their own containers on your platform.
Traditionally, containers share the same physical and operating system (OS) resources with host processes, and specific kernel features such as namespaces are used to provide an isolation layer between host and container processes. By contrast, Kata containers run inside lightweight virtual machines, adding an extra isolation and security layer that minimizes the host attack surface and mitigates the consequences of a container breakout. Despite this extra layer, Kata achieves impressive runtime performance thanks to KVM hardware virtualization, and when configured to use a minimalist virtual machine manager (VMM) like Firecracker, a high density of microVMs can be packed on a single host.
If you want to know more about Kata features and performance:
- katacontainers.io is a great starting point.
- For something more SUSE oriented, Flavio gave an interesting talk about Kata at SUSECON 2019.
- Kata folks hang out on katacontainers.slack.com, and will be happy to answer any questions.