Kata Containers
→ What ?
Kata Containers wraps Docker containers in lightweight virtual machines. Each container gets its own guest kernel, which gives Docker applications a hardware-backed isolation boundary on top of the usual namespace/cgroup isolation.
→ Install
Docker config:
# edit /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd --add-runtime kata-runtime=/usr/bin/kata-runtime -H fd:// --containerd=/run/containerd/containerd.sock
Containerd config:
# Add this to /etc/containerd/config.toml
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
[plugins."io.containerd.grpc.v1.cri".containerd]
default_runtime_name = "kata"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
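To check that the two fragments above actually wire Docker and containerd to Kata (a default runtime that silently still points at runc is the classic misconfiguration), here is a small validator. It is an added example, not part of the original page; it only understands the subset of TOML used in the snippet ([table] headers and key = "string" lines), and the sample inputs are constructed copies of the snippets above.

```python
"""Validate the dockerd ExecStart= line and containerd CRI config for Kata."""
import shlex

KATA_SHIM = "io.containerd.kata.v2"
CRI = 'plugins."io.containerd.grpc.v1.cri".containerd'


def parse_simple_toml(text):
    """Minimal parser: {table_name: {key: value}} for [table] / key = "value"."""
    tables, current = {}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tables.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            tables.setdefault(current, {})[key] = value.strip('"')
    return tables


def check_containerd(config_text):
    """Return findings (empty list == OK): default runtime must be the Kata shim."""
    tables = parse_simple_toml(config_text)
    default = tables.get(CRI, {}).get("default_runtime_name")
    if not default:
        return [f"no default_runtime_name under [{CRI}]"]
    rt = tables.get(f"{CRI}.runtimes.{default}", {})
    if rt.get("runtime_type") != KATA_SHIM:
        return [f"runtime '{default}' is not {KATA_SHIM}: {rt.get('runtime_type')}"]
    return []


def check_docker_execstart(line, expected_path="/usr/bin/kata-runtime"):
    """Return findings: dockerd must register --add-runtime kata-runtime=<path>."""
    if not line.startswith("ExecStart="):
        return ["not an ExecStart= line"]
    argv = shlex.split(line[len("ExecStart="):])
    runtimes = {}
    for i, arg in enumerate(argv):
        if arg == "--add-runtime" and i + 1 < len(argv):
            name, _, path = argv[i + 1].partition("=")
            runtimes[name] = path
    if runtimes.get("kata-runtime") != expected_path:
        return [f"kata-runtime not registered at {expected_path}: {runtimes}"]
    return []


# Constructed samples copied from the page's snippets.
GOOD_TOML = '''[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    [plugins."io.containerd.grpc.v1.cri".containerd]
      default_runtime_name = "kata"
      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
          runtime_type = "io.containerd.kata.v2"
'''
GOOD_EXECSTART = ("ExecStart=/usr/bin/dockerd --add-runtime kata-runtime=/usr/bin/kata-runtime"
                  " -H fd:// --containerd=/run/containerd/containerd.sock")

if __name__ == "__main__":
    for finding in check_containerd(GOOD_TOML) + check_docker_execstart(GOOD_EXECSTART):
        print("FAIL:", finding)
```

Point the two constants at the real /etc/containerd/config.toml and the ExecStart= line of docker.service to check a live host.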
Download the latest kata bin version:
cd /opt
wget https://github.com/kata-containers/kata-containers/releases/download/3.0.2/kata-static-3.0.2-x86_64.tar.xz
tar -xvf /opt/kata-static-3.0.2-x86_64.tar.xz
# these symlinks are needed
ln -s /opt/kata/bin/kata-runtime /usr/bin/kata-runtime
ln -s /opt/kata/bin/kata-collect-data.sh /usr/bin/kata-collect-data.sh
Load kernel modules:
modprobe vhost-vsock
modprobe vhost-net
modprobe vsock
Restart docker and containerd:
systemctl restart containerd docker
Now you can start a container with the Kata runtime:
docker run --rm -itd --runtime "io.containerd.kata.v2" --network none --name busybox2 busybox