25

As I understand, Kata Containers

Kata Containers builds a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers but provide the workload isolation and security advantages of VMs.

On the other hand, gvisor

gVisor is a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects.

As I believe, both of these technologies are trying to add Linux space into containers in order to enhance security.

My question is: how do they differ from each other? Is there overlap in functionality?

tgogos
Suresh Vishnoi
  • It's really hard to do better to answer this question than refer to gcloud's blog post: https://cloudplatform.googleblog.com/2018/05/Open-sourcing-gVisor-a-sandboxed-container-runtime.html. Perhaps edit your question with specific details if the above is insufficient. – Jonah Benton May 02 '18 at 20:53
  • Hi, please correct me if I misunderstood. gVisor brings kernel space into user space, which provides another line of control. Thus it becomes `{[User Space + guest Kernel Space] + Kernel Space}`. However, Kata Containers provide a `{User Space + Kernel Space}`? – Suresh Vishnoi May 02 '18 at 21:06
  • Ok- so in addition to the kernelspace/userspace boundary, there is another hardware-maintained boundary that modern chips are capable of. A single chip can now efficiently maintain multiple distinct "virtual machine" contexts- each of which has its own kernelspace/userspace boundary. – Jonah Benton May 02 '18 at 21:30
  • So- normal containers operate in the context of a single virtual machine, creating greater isolation between individual processes within the single shared kernel. gVisor provides further isolation in userspace- pretending to be the shared kernel for the container, but without allowing all system calls to go through to the real kernel. Kata uses the "virtual machine" context capability to essentially create a lightweight virtual machine per container. – Jonah Benton May 02 '18 at 21:30
  • 2
    Kata is essentially an Intel project, which wants to ensure it stays relevant in the container ecosystem. It's a highly secure but more heavyweight container implementation, because switching machine contexts is somewhat expensive. gVisor is lighter weight- single virtual machine context, single shared kernel, but now with an additional layer in userspace that protects the shared kernel. – Jonah Benton May 02 '18 at 21:33
  • Thanks for the comprehensive view, it does make sense now. Keeping the container lighter weight is essential. – Suresh Vishnoi May 03 '18 at 08:46

2 Answers

18

From what I gather:

Kata Containers

  • Full Kernel on top of a lightweight QEMU/KVM VM
    • Kernel has been optimized in newer releases.
  • Lets system calls go through freely
  • Performance penalty due to the VM layer. Not clear yet how much slower or faster it is than gVisor.
  • On paper, slower startup time.
  • Can run any application.
  • Can run in nested virtualized environments if the hypervisor and hardware support it.

gVisor

  • Partial Kernel in userspace.
  • Intercepts syscalls
  • Performance penalty at runtime due to syscall filtering. Not clear yet how much slower or faster it is than Kata.
  • On paper, faster startup time.
  • Can run only applications that use supported system calls.
  • On paper, you may not need nested virtualization.
Rico
  • Hello, I have a follow-up question: why is Kata's guest kernel bigger than gVisor's, although it has been optimized @Rico? – yaoxin jing Jul 21 '23 at 19:35
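The comparison above is about two different isolation layers, and in practice the choice between them is made per workload rather than cluster-wide. As an added example that is not part of the answer or of either project's own documentation, the following Kubernetes manifests register both runtimes as RuntimeClasses and pin one pod to each. The handler names `kata` and `runsc` are assumptions: they must match the runtime handler names configured in the node's container runtime (containerd or CRI-O), and the node labels used for scheduling are constructed for this illustration.

```yaml
# Added example (not from the original answer). RuntimeClass lets the
# scheduler and the container runtime agree on which sandbox to use.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-vm            # lightweight VM per pod: full guest kernel, hardware boundary
handler: kata              # ASSUMPTION: handler name configured in containerd/CRI-O
scheduling:
  nodeSelector:
    example.com/kata-capable: "true"   # constructed label: nodes with KVM (or nested virt) available
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor             # user-space kernel: syscalls intercepted, shared host kernel
handler: runsc             # ASSUMPTION: handler name configured in containerd/CRI-O
---
# A workload that needs every syscall and kernel feature (or is untrusted enough
# to warrant a hardware boundary) gets the Kata class.
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-batch-job
spec:
  runtimeClassName: kata-vm
  containers:
    - name: job
      image: example.com/batch-job:1.0     # constructed image reference
---
# A workload whose syscall profile is known to be supported by gVisor gets the
# gVisor class and the faster startup that comes with it.
apiVersion: v1
kind: Pod
metadata:
  name: web-frontend
spec:
  runtimeClassName: gvisor
  containers:
    - name: web
      image: example.com/web-frontend:1.0  # constructed image reference
```

Two practical checks follow from the answer's bullet points. Before moving a workload to the `gvisor` class, run it under gVisor in a non-production environment and watch for failures caused by unsupported syscalls, since those surface only at runtime. Before moving a workload to the `kata-vm` class, confirm that the target nodes actually expose KVM (or nested virtualization, if they are themselves VMs); a RuntimeClass with a handler the node cannot satisfy leaves the pod stuck at creation rather than silently falling back to the default runtime.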
7

Here's a simple explanation:

Kata Containers

Some kind of Containers which run on Hardware.

Traditional Virtual Machines are secure but not as fast as Containers. The Kata Containers project is like a Virtual Machine that is as lightweight as a Container. In other words, Kata Containers solved the low-speed problem of VMs.

gVisor

Containers running inside a sandbox named gVisor (there is one sandbox per container).

Containers are fast but not as secure as Virtual Machines. gVisor is something like a sandbox and every container should run inside one sandbox. In other words, gVisor solved the security problem of Containers.

Iman Ravakhah