A talk given at KubeCon/CloudNativeCon EU in Barcelona, Spain on May 23, 2019. In this talk Phil presented the explosion of OCI-compliant CRI-enabled runtimes that can be used underneath Kubernetes, and demonstrated several of them live.
Report
Share
Report
Share
1 of 28
Download to read offline
More Related Content
Let's Try Every CRI Runtime Available for Kubernetes
1. Let’s Try Every CRI Runtime
Available for Kubernetes
Phil Estes, Distinguished Engineer
IBM Cloud
6. Caveats
@estesp
What I don’t have time to cover/demo...
▧ Windows containers & runtimes
▧ rkt (CNCF)
▧ Virtual Kubelet (CRI implementation)
▧ Nabla containers (IBM)
10. Docker
@estesp
● Most common, original runtime for Kubernetes clusters
● Simplifies tooling for mixed use cluster node (e.g. applications
relying on `docker …` commands “just work”
● Docker Enterprise customers get support and
multi-orchestrator support (swarm + K8s in same cluster)
● “More than enough” engine for Kubernetes
● Concerns over mismatch/lack of release sync between Docker
releases and Kubernetes releases (e.g. “certified” engine version)
● Extra memory/CPU use due to extra layer (docker->ctr->runc)
12. Containerd
@estesp
● Used in GKE (Google), IKS (IBM), & Alibaba public clouds
● Significant hardening/testing by nature of use in every Docker
installation (tens of millions of engines)
● Lower memory/CPU use; clean API for extensibility/embedding
● No Docker API socket (tools/vendor support)
● Still growing in maturity/use
● Windows support in flight; soon at parity with Docker engine
14. CRI-O
@estesp
● Used in RH OpenShift; SuSE CaaS; other customers/uses
● “all the runtime Kubernetes needs and nothing more”
● UNIX perspective on separating concerns (client, registry
interactions, build)
● Not consumable apart from RH tools (design choice)
● Use/installation on non-RH distros can be complicated
● Extensibility limited (e.g. proposal from Kata to add containerd
shim API to cri-o)
18. Kata Containers
@estesp
● Lightweight virtualization via Intel Clear Containers + Hyper.sh
predecessors
● Implemented via KVM/qemu-based VM isolation
● Works with Docker, cri-o, & containerd
● Solid and maturing project with Intel and others leading;
governance under OpenStack Foundation
● Have added ability to drive Firecracker VMM as well
● Supports ARM, x86_64, AMD64, and IBM p and zSeries
20. AWS Firecracker
@estesp
● Lightweight virtualization via Rust-written VMM, originating
from Google’s crosvm project; target serverless/functions area
● Open Sourced by Amazon in November 2018
● Works standalone via API or via containerd
● cgroup + seccomp “jailer” to tighten down kernel access
● Integrated with containerd via shim and external snapshotter
implementation
● Quickly moving & young project; packaging and delivery still in
flux and requires quite a few manual steps today
22. gVisor
@estesp
● A kernel-in-userspace concept from Google; written in Golang
● Used in concert with GKE; for example with Google Cloud Run
for increased isolation/security boundary
● Works standalone (OCI runc replacement) or via containerd
shim implementation
● Reduced syscalls used against “real kernel”; applications run
against gVisor syscall implementations
● Limited functionality; some applications may not work if syscall
not implemented in gVisor
● Syscall overhead, network performance impacted (ref: KVM mode)
24. Singularity
@estesp
● An HPC/academic community focused container runtime
● Initially not implementing OCI, now has OCI compliant mode
● To meet HPC use model; not daemon-based, low privilege,
user-oriented runtime (e.g. HPC end user workload scheduling)
● Sylabs, creator of Singularity have recently written a CRI
implementation that drives Singularity runtime
● Uses OCI compliant mode; converts images to SIF, however
● Focused solely on the academic/HPC use case
26. Nabla
@estesp
● IBM Research created open source sandbox runtime
● Uses highly limited seccomp profile + unikernel implementation
● Similar to gVisor, but instead of user-mode kernel, uses
unikernel+application approach
● Currently requires building images against special set of
unikernel-linked runtimes (Node, Python, Java, etc.)
● IBM Research pursuing ways to remove this limitation; only
runtime which doesn’t allow generic use of any container image
27. Summary
@estesp
● OCI specs (runtime, image, distribution) have
enabled a common underpinning for innovation
that maintains interoperability
● CRI has enabled a “pluggable” model for
container runtimes underneath Kubernetes
● Options are growing; most innovation is around
sandboxes and enabled for easier use with
RuntimeClass in K8s