This repository has been archived by the owner on May 12, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 304
Kata images
Jose Carlos Venegas Munoz edited this page Mar 21, 2019
·
14 revisions
- Comparing Rootfs images with initrd images
- Why images use an init daemon
- systemd as the image init daemon
This page provides information on Kata Containers "mini O/S" images.
Comparison of running Kata with a image=
entry with running Kata with an initrd=
entry in the configuration.toml
configuration file.
Feature | systemd-specific | Available in image | Available in initrd | Notes |
---|---|---|---|---|
Agent log messages with use_vsock=true
|
yes | yes | no | Uses kata-journald-host-redirect.service . |
Debug console | yes | yes | no | |
Guest time sync | yes | yes | no | Uses chrony. |
Static tracing | yes | yes | no | Currently relies on kata-agent.service to shutdown VM. |
Start agent | "yes" but easy to change | yes | yes |
kata-agent is the init daemon in an initrd image. |
- Ability to manage services.
- Allows users to add additional services to custom images.
- De facto Linux init daemon.
- Avoids having to "re-invent the wheel" by implementing additional functionality in the agent - just drop in a standard service, otherwise the logic has to be implemented on the agent
- Automatically handles mounting standard mounts (
/dev
, etc) (agent as init already handle it as well) - Leverage systemd boot time performance improvements from Clear Linux.
- Allows underlying osbuilder distro to be changed with minimal impact on the environment.
- Large binary - bloats image.
- Large potential attack surface.
- Image needs to be updated not only with agent related changes but also to fix Systemd CVEs
- Sometimes from upgrades of systemd break use cases
- Possible slower boot time as systemd has to start first and its services, then the kata agent is started
- Launch a terminal to allow run a debug console
- Redirect agent logs using vsocks (for opentracing support)
- Allow launch additional binaries (service like)
- iptables: used by kata agent to setup iptables rules inside the guest, it uses the iptables provided by the os guest.