Kata Containers on Edge Cloud

Post on 22-Jul-2020

Jin, Yuntong (Yuntong.jin@intel.com)

Bai, Yu (baiyu10@baidu.com)

Agenda

• Kata Containers Innovate Edge Cloud

• Kata@Baidu DuerEdge

What is Kata Containers?

Diagram: in standard containers, each container is a process confined only by namespaces on the shared host Linux* kernel, which makes them more prone to exploits. With Kata* Containers, each container or pod is more isolated in its own lightweight VM: its processes and namespaces run on a guest Linux* kernel under hardware virtualization, on top of the host Linux* kernel.

* Other names and brands may be claimed as the property of others.

Kata Containers: The speed of containers, the security of VMs

Diagram: the Kata runtime takes OCI commands and the OCI spec, starts a virtual machine with its own kernel on the hypervisor, and talks over gRPC, through a shim and the hypervisor's VSOCK socket, to the agent inside the VM; the agent serves ContainerCommand and ContainerExec requests inside the container namespaces and relays I/O.

CRI-O and Kata Containers

Diagram: Kubelet → Container Runtime Interface (CRI) → CRI-O, which launches each pod either with runc (a plain Pod) or with kata-runtime (a PodVM).

Kata Containers - Innovate Edge Cloud

Diagram: CaaS/Serverless workloads spread across Edge Cloud, Central Cloud and Edge Cloud.

Serverless Kubernetes* Cluster for Multi-tenant

Diagram: on the IaaS side, two k8s clusters whose pods (each holding several containers) run inside VMs; on the CaaS side, a single k8s cluster in which every pod is paired with its own VM.

*Other names and brands may be claimed as the property of others.

KATA@DuerEdge

DuerEdge - Baidu Edge Network Computing

Baidu aims to use the power of edge network computing to break through the data transmission and network traffic problems between cloud and end, and to improve business flexibility and operational efficiency.

The platform relies on Baidu's core technology; its service nodes are spread over the country's backbone network, supporting customized functions on demand and providing customers with flexible, low-cost, highly reliable solutions.

DuEdge Features

Network all over the world

• China and overseas network

• Low latency

Customizable

• Function programming

• Application strategy

Pay on-demand

• On calls

• On bandwidth

Low cost

• Serverless

• NoOps

AI ability

• AI function API

• Local inference

Security defense

• Security function API

• Multi-tenant isolation

Why use kata containers

• Edge computing multi-tenant runtime environment

• Supports VM level isolation

• Performs like a standard container

• Supports k8s CRI and OCI

• Customizable Kernel

• Uses different kernel from the host

• Easy to change the container kernel

• Easy to adjust the host kernel parameters

• Resource isolation and restriction

• Provides isolation of network, I/O, CPU and memory

• Utilizes hardware-enforced isolation with virtualization VT extensions

• High Security

• Minimizes attack surface in VM

DuerEdge Framework

• Deploys in CDN and MEC edge node, multiple network traffic access

• Supports runc and kata computing containers

• Developer APIs help improve programming efficiency

• Developers can quickly develop apps and deploy them online using the console and CI/CD tools

• Provides a log management system to view and download access logs and debug logs

• Metrics and alarms are collected centrally and processed automatically

• Various recipes can be found on GitHub:

• https://github.com/baidu/duedge-recipes

Container Architecture

• Programming language sandbox provides a trusted execution environment

• AI APIs make it easy for developers to do inference at the edge of the network

• Provides security check APIs that can be used in functions

• Supports flow computing on HTTP/HTTPS, so big data can be processed in real time

• A single container can process concurrent requests; a cluster can handle massive concurrent requests

• Developers can configure a global KV or create a shared KV in a cluster

• Cache APIs enable users to store files at the edge and accelerate file downloads

Where to use kata containers

• Running user debugging code

• Dead loop

• Network requests flood

• Memory leak

• High risk code

• Failure to pass code auto-check

• Suspected malicious code

• Isolated service container runtime

• Isolated kernel

• Isolated network

• Needed special kernel

• Legacy kernel

• Unsafe language sandbox container runtime

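The per-pod choice between runc and kata-runtime sketched on the CRI-O slide, applied to the kind of untrusted workload listed above, as an added example that is not from the slides or from the DuerEdge project. It assumes CRI-O already exposes a runtime handler named "kata"; the node label, the overhead numbers and the image are placeholders.

```yaml
# Added example, not from the slides: the Kubernetes objects that send one pod
# to kata-runtime while the rest of the cluster keeps using runc. It assumes
# CRI-O already has a runtime handler named "kata" (a
# [crio.runtime.runtimes.kata] table in crio.conf); the node label, the
# overhead numbers and the image are placeholders to tune per deployment.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata                      # must equal the CRI-O runtime handler name
overhead:
  podFixed:                        # assumed VM + agent cost; measure before relying on it
    memory: "160Mi"
    cpu: "250m"
scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"   # assumed label on Kata-capable nodes
---
apiVersion: v1
kind: Pod
metadata:
  name: untrusted-user-function
spec:
  runtimeClassName: kata           # this pod boots its own lightweight VM and guest kernel
  containers:
  - name: sandbox
    image: registry.example/edge-function:placeholder
    resources:                     # VM-level isolation plus cgroup limits for runaway code
      limits:
        cpu: "1"
        memory: "256Mi"
```

Pods without `runtimeClassName` keep the default runc path, so only the workloads that need a separate kernel pay the VM overhead declared in the RuntimeClass.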

How to use DuerEdge

Diagram: developer flow Coding → Set Trigger → Deploy; request flow Things → Access Node (http/https trigger) → Computing Node (Cache/KV, Service API) inside a Baidu Edge Computing Node → Origin (http/https).

Step 1. Write Function

Step 2. Modify DNS resolve

Consoles

• Function Editor

• multi-file editor

• upload zip code

• version control

• syntax prompt

• syntax highlight

• Trigger Rule

• regular expression url

• select function by name

• adjustable rule priority

• rule switch

• searching rule

• Data Report

• function request number

• function run time

• function timeout

• multiple dimensional views

• log download


Programming APIs

• Event (JSON object)

• request : request information

• response : response data to client

• config : user configuration

• env : environment variables

• Event.fetch (function)

• fetch(url[, request][, config])

• Event.cache (class)

• find

• put

• purge

• Event.kv (class)

• get

• mget

• put

• delete

• Event.ai (class)

• FaceDetect

• ImageCensor

• AntiPorn

• PoliticianCensor

• TerrorCensor

• Event.console (class)

• log

• Event.security (class)

• JSChallengeResult

• RatelimitResult

• JSResponse

Entry function:

exports.handler = (event) => {}

• PassThrough (stream class)

• readable.pipe(destination[, options])

• Events: 'data', 'end', 'close', etc.

Anti-Crawler Use Case

• Malicious crawler issue

• Steals copyrighted content and business secrets

• Wastes a lot of the origin's computing and bandwidth resources

• Affects search engine ranking

• Anti-crawler solution

• Uses kata containers to isolate multi-tenant business and resources

• Providing security check APIs makes development easier

• Supports invoking the cloud anti-crawler service to check against the whole network

• Uses a fake origin to deceive malicious crawlers

• Automatically adds containers as requests increase

• Results and Benefits

• Significant reduction in malicious crawler requests (3.9)

• Better SEO results lead to increased website traffic (3.20)
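A handler in the shape the Programming APIs slide sketches, applied to the fake-origin idea of this anti-crawler slide, as an added illustration that is not DuerEdge's own code. Only the names that appear on the slides (exports.handler, event.request, event.response, event.fetch, event.security.RatelimitResult, event.console.log) are taken from the page; every argument and return shape, the two origin URLs and the mock event are assumptions.

```javascript
// Added illustration, not DuerEdge's own code. Only the names on the slides
// come from the page (exports.handler, event.request, event.response,
// event.fetch, event.security.RatelimitResult, event.console.log); every
// argument and return shape below is an ASSUMPTION, chosen so the handler can
// run offline against the constructed mock event at the bottom.
const ORIGIN = "https://origin.example";      // assumed real origin
const FAKE_ORIGIN = "https://decoy.example";  // assumed fake origin for suspected crawlers

// Pure routing decision: clients the rate-limit check flagged go to the fake
// origin, so they cost the real origin no compute or bandwidth.
function chooseOrigin(rateLimitResult) {
  return rateLimitResult && rateLimitResult.limited ? FAKE_ORIGIN : ORIGIN;
}

async function handler(event) {
  const req = event.request;
  // Assumed shape: RatelimitResult(request) resolves to { limited: boolean }.
  const verdict = await event.security.RatelimitResult(req);
  const target = chooseOrigin(verdict);
  event.console.log(`${req.ip} ${req.path} -> ${target}`);
  // Assumed shape: fetch(url) resolves to { status, body }.
  const upstream = await event.fetch(target + req.path);
  event.response.status = upstream.status;
  event.response.body = upstream.body;
  return event.response;
}
if (typeof exports !== "undefined") exports.handler = handler; // entry point named on the slide

// Constructed mock of the runtime's event object, for offline runs only.
function makeMockEvent(ip, path, limitedIps) {
  const log = [];
  return {
    request: { ip, path },
    response: { status: 0, body: "" },
    security: { RatelimitResult: async (req) => ({ limited: limitedIps.includes(req.ip) }) },
    fetch: async (url) => ({ status: 200, body: `served by ${new URL(url).host}` }),
    console: { log: (line) => log.push(line) },
    log,
  };
}
```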


Startup Speed Optimization

Chart: Container Startup Time (ms) for runC and kata containers against the TARGET on a 0 to 1200 ms axis, and Pre-warm Container Startup Time (ms) for runC and kata containers against the TARGET on a 0 to 10 ms axis.

• Edge computing should respond in a short time; the expected delay is less than 10ms

• Kata and runC container startup time is much longer than 10ms

• Pre-warm containers significantly reduce startup time

• Optimizes the time to load user code into a pre-warmed running container

• Use lazy unmount (https://github.com/kata-containers/runtime/pull/963)

THANKS.