[Plug-In] Kata Container Runtime

This plugin installs the Kata Container Runtime and integrates it with Docker. The Kata Container Runtime is a virtual machine based runtime for docker and OCI containers. As currently configured this plugin allows the creation of docker containers sandboxed with a QEMU virtual machine.

 

Usage: 

Once installed you can run a docker container with kata by adding the following to the Extra Parameters field. 

--runtime=kata-qemu

Additionally you must select a network type other than host for any container run with kata.

 

Notes:

  • Currently in Beta
  • After installing the plugin you must restart the Docker Daemon before using Kata. Do this by Disabling/Enabling Docker or by restarting your NAS.
  • Currently this plugin has no configurable options.
  • This plugin is a simple re-packaging of the Kata Runtime static binary, with the addition of a tweaked configuration file and a docker daemon.json configuration file. Credit for this work belongs to the Kata Containers open source community. 

 

Limitations:

  • The Kata Runtime does not support the host network type. 
  • For a full list of limitations, see here.

 

16 hours ago, primeval_god said:

Did you also try the version that I released last night? (version 2020.01.09a)

Ok, with last night's release it's working.
It's not working with containers using openvpn (I guess the runtime misses something):

Sat Jan 11 08:51:27 2020 [PureVPN] Peer Connection Initiated with [AF_INET]172.94.119.2:53
Sat Jan 11 08:51:28 2020 ERROR: Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)
Sat Jan 11 08:51:28 2020 Exiting due to fatal error

I apologize if I don't report correctly, I'm a newbie on Linux.

 

Thanks.

10 hours ago, dhstsw said:

I apologize if I don't report correctly, I'm a newbie on Linux.

No problem, this is in fact my first attempt at a plugin. 

10 hours ago, dhstsw said:

It's not working with containers using openvpn (I guess the runtime misses something):

I will look into containers with openvpn, but I suspect the issue may be a limitation of the way the kata runtime does things. I suspect it may be trying to use a TAP/TUN device from the host OS, which it can't do because of the isolation, and the sandbox (VM) does not feature a usable TAP/TUN.

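The two things this thread establishes, that the plugin's kata-qemu runtime rejects the host network type and that the sandbox VM has no /dev/net/tun for OpenVPN-style containers, can be checked before a container is started. The following pre-flight script is an added example, not code from the plugin or from Kata Containers; it assumes the runtime is selected with --runtime=kata-qemu in Extra Parameters (as the first post describes) and that the network type is passed as docker's --network value.

```shell
#!/bin/sh
# Added example (not part of the plugin or of Kata Containers): pre-flight check for an
# Unraid container's "Extra Parameters" string and network type before running it under
# the Kata runtime. Assumptions: --runtime=kata-qemu selects Kata (from the first post),
# the network type is docker's --network value, and the /dev/net/tun rule encodes the
# thread's finding that the sandbox VM exposes no TUN device (errno=19 in the OpenVPN log).

# kata_preflight "EXTRA_PARAMS" "NETWORK_TYPE"
# Prints the reason to stderr and returns 1 when the container is not expected to work
# under kata-qemu; returns 0 otherwise (including for plain runc containers).
kata_preflight() {
  extra=" $1 "
  network="$2"

  # Apply the Kata-specific rules only when the container is actually run with kata-qemu.
  case "$extra" in
    *" --runtime=kata-qemu "*|*" --runtime kata-qemu "*) ;;
    *) return 0 ;;
  esac

  # Limitation from the post: the Kata runtime does not support the host network type,
  # whether chosen in the template or forced through Extra Parameters.
  case "$network" in
    host)
      echo "kata-qemu: host network type is not supported; use bridge or a custom network" >&2
      return 1 ;;
  esac
  case "$extra" in
    *" --net=host "*|*" --network=host "*|*" --net host "*|*" --network host "*)
      echo "kata-qemu: --net=host in Extra Parameters is not supported" >&2
      return 1 ;;
  esac

  # OpenVPN-style containers map the host TUN device; inside the Kata sandbox VM
  # /dev/net/tun does not exist ("Cannot open TUN/TAP dev /dev/net/tun: No such device").
  case "$extra" in
    *"--device=/dev/net/tun"*|*"--device /dev/net/tun"*)
      echo "kata-qemu: container expects host TUN/TAP (/dev/net/tun), absent in the sandbox VM" >&2
      return 1 ;;
  esac
  return 0
}
```

Run it with the template's Extra Parameters and network type, for example kata_preflight "--runtime=kata-qemu" "bridge", and refuse to start the container when it returns 1.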
On 1/11/2020 at 12:31 PM, primeval_god said:

I will look into containers with openvpn, but I suspect the issue may be a limitation of the way the kata runtime does things. I suspect it may be trying to use a TAP/TUN device from the host OS, which it can't do because of the isolation, and the sandbox (VM) does not feature a usable TAP/TUN.

TL;DR - Try using the containerized VPN activeeos/wireguard-docker in your host OS (has to be Ubuntu ≥16.04 it seems).  I found this referenced here BTW: vltraheaven.io: Down the Rabbit Hole - Kata Containers (this site wins the award for form over function destroying user accessibility.  Dat font...)

--------

So this is the first I'm learning of Kata Containers, and it's certainly intriguing (especially after reading that you can run K8s in it).  Regarding its extremely interesting network architecture, it's using MACVTAP which isn't anything new.  There seems to be a good bit of documentation for it regarding use with QEMU and/or libvirt.

 

Basically, due to network hardware's common lack of hairpin support, you'll be running MACVTAP in 'Bridge' mode, which will let all guest containers communicate with each other, but not with the Host.  This is why a containerized VPN should do the trick (but I haven't tried it and won't be testing it anytime soon).

 

The other option (found referenced several times) is to create a second network interface in the Kata VM.  The first one is blind to the host, but the second one can interact with it if set up correctly with a different subnet and such.  Again, no clue how well this would actually work but thought I'd pass on what I found at least.  Good luck, and I'll keep an eye on this thread!