Kata コンテナのソースを表示

[[Category:サンドボックス]]
[[Category:セキュリティ]]
[[Category:仮想化]]
[[en:Kata Containers]]
{{Related articles start}}
{{Related|Docker}}
{{Related|Podman}}
{{Related articles end}}
Kata Containers（以前の Clear Containers）は、OCI 互換のアプリケーションコンテナランタイムで、仮想化を利用して、潜在的に信頼できないプロセスを、ホストシステムや他のプロセスから隔離することを目的としています。現在、アップストリームでサポートされているハイパーバイザーは、{{pkg|qemu}}、{{aur|firecracker-bin}} と {{aur|cloud-hypervisor}} です。

== Architecture ==

* {{ic|kata-agent}} - supervisor process running on the hypervised guest sandbox, tasked with managing its lifetime
* {{ic|kata-runtime}} - container runtime component responsible for handling commands specified by the OCI runtime specification and tasked with launching shims
* {{ic|kata-proxy}} (before 2.0) - routes I/O streams and signals between on-guest agent and host-side processes associated with running a given sandbox using gRPC
* {{ic|kata-shim}} (before 2.0) - container process monitor and reaper
* {{ic|kata-ksm-throttler}} (optional, before 2.0) -
* {{ic|kata-linux-container}} - patched kernel used to launch VMs serving as container/pod sandboxes
* {{ic|kata-containers-image}} - initramfs and rootfs images used for spawning VM sandboxes

== Usage ==

Kata, by default, picks up its configuration from {{ic|/etc/kata-containers/configuration.toml}}, but that can be overridden by providing a path to configuration through the {{ic|KATA_CONF_FILE}} environment variable. Be sure to initialize configuration from {{ic|/usr/share/defaults/kata-containers/configuration-qemu.toml}}.

=== v1 ===

Install the runtime {{aur|kata-runtime-bin}}, {{aur|kata-proxy-bin}}{{Broken package link|package not found}}, {{aur|kata-shim-bin}}{{Broken package link|package not found}}, kernel {{aur|kata-linux-container-bin}} and set of initrd and rootfs {{aur|kata-containers-image-bin}}.

==== Docker ====

In order to use Kata Containers with Docker, the user needs to add it to supported runtimes in {{ic|/etc/docker/daemon.json}}:

  {
    "runtimes": {
      "kata": {
        "path": "/usr/bin/kata-runtime"
      }
    }
  }

To use it as the default runtime for Docker: {{ic|{"default-runtime": "kata"} }}.

To use it with the Firecracker hypervisor, due to its limitations, the {{ic|devicemapper}} storage driver [https://docs.docker.com/storage/storagedriver/select-storage-driver/] has to be used: {{ic|{"storage-driver": "devicemapper"} }}.

Afterward you can use the runtime key: {{ic|docker run --runtime kata --rm -ti archlinux/base /bin/bash}}.

==== Podman ====

Running a container: {{ic|podman --runtime /usr/bin/kata-runtime run --rm -ti archlinux/base /bin/bash}}.

Keep in mind that a Kata VM sandbox conceptually maps to Kubernetes pods or a shared netns, not just individual containers.

=== v2 ===

Since release 2.0, Kata Containers exclusively uses OCI runtime shim API v2, however Docker has that API version hard-coded to v1, making it unfeasible to use this combination as of this writing.

Install the runtime {{aur|kata2-runtime-bin}}, kernel {{aur|kata2-linux-container-bin}} and set of initrd and rootfs {{aur|kata2-containers-image-bin}}.

==== Containerd CLI ====

 # ctr image pull docker.io/archlinux/base:latest
 # ctr run --rm -t --runtime io.containerd.kata.v2 docker.io/archlinux/base:latest example-container-name date

== See also ==
* [https://katacontainers.io/ Project's official site]
* [https://github.com/kata-containers/documentation/blob/master/design/architecture.md Architecture reference documentation]
* [https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md Developer Guide (useful for debugging)]