The characteristics of the kata
- Security runs in a dedicated kernel, provides network, I/O, and memory isolation, and can be hardware-enforced by virtualization VT extensions.
- Compatibility supports industry standards, including THE OCI container format, the Kubernetes CRI interface, and older virtualization technologies
- Performance provides performance consistent with standard Linux containers; Improve isolation without increasing standard virtual machine performance
- Simply eliminates the need to nest containers inside a full virtual machine; Standard interfaces make it easy to plug in and get started.
Installation and simple use
The installation
source /etc/os-release
sudo yum -y install yum-utils
ARCH=$(arch)
BRANCH="${BRANCH:-master}"
sudo -E yum-config-manager --add-repo "http://download.opensuse.org/repositories/home:/katacontainers:/releases:/${ARCH}: /${BRANCH}/CentOS_${VERSION_ID}/home:katacontainers:releases:${ARCH}:${BRANCH}.repo"
sudo -E yum -y install kata-runtime kata-proxy kata-shim
Copy the codeNote: Some versions of the BRANCH system are not complete. I used the master system with no Centos7 and reported 404, so I used “stables -1.10”.
{the ARCH} : http://download.opensuse.org/repositories/home:/katacontainers:/releases:/$/ stable - 1.10 / ${VERSION_ID} CentOS_ / home : katacontainers: releases: ${ARCH} : stable - 1.10. RepoCopy the codeVerify that kata installation is incomplete
sudo kata-runtime kata-check
System is capable of running Kata Containers
System can currently create Kata Containers
Copy the codeDocker installation
yum remove -y docker docker-common container-selinux docker-selinux docker-engine
yum install -y yum-utils
yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
yum makecache fast
yum install docker-ce
systemctl start docker
Copy the codeDocker integration
The configuration file/etc/systemd/system/docker. Service. D/kata – containers. Conf
[Service]
Type=simple
ExecStart=
ExecStart=/usr/bin/dockerd -D --default-runtime runc --add-runtime kata-runtime=/usr/bin/kata-runtime
Copy the codeRestart the docker
systemctl daemon-reload
systemctl restart docker.service
docker info | grep runtime
Copy the codeStart one container for validation, and here I start two, each in a different way
docker run -d --name centos-latest --runtime kata-runtime centos:latest sleep 3600
Copy the code
An error occurred during installation
Q: An error may occur when the VmWare hypervisor is used
1, ERROR: System is not capable of running Kata Containers 2, ERRO[0000] CPU property not foundCopy the codeA: Enable Intel VT-X /EPT in vm Settings.
Q: ERROR: could not insert ‘vhost_vsock’: Device or resource busy
WARN[0000] modprobe insert module failed: modprobe: ERROR: could not insert 'vhost_vsock': Device or resource busy
arch=amd64 error="exit status 1" module=vhost_vsock name=kata-runtime pid=1932 source=runtime
ERRO[0000] kernel property not found arch=amd64 description="Host Support for Linux VM Sockets" name=vhost_vsock pid=1932 source=runtime type=module
System is capable of running Kata Containers
System can currently create Kata Containers
Copy the codeA: The reason is that Linux detects that when running in vmware, some vmware modules will be loaded and vSOCK will be used, resulting in conflicts
sudo tee /etc/modprobe.d/blacklist-vmware.conf << EOF
blacklist vmw_vsock_virtio_transport_common
blacklist vmw_vsock_vmci_transport
EOF
Copy the code