K
Q

Kata Containers vs gVisor?

5/2/2018

As I understand, Kata Containers

Kata Container build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers but provide the workload isolation and security advantages of VMs

On the other hand, gvisor

gVisor is a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects.

As I believe, both of these technology trying to add linux space into containers in order to enhance security.

My question is How do they differ from each other ? Is there overlapping in functionalities?

-- Suresh Vishnoi
gvisor
kata-containers
kubernetes

Similar Questions

Label deployment pod templates
How to avoid repeating GUID in deployment definition
hostname doesn't get updated in kubectl get nodes command after hostname change
Destroy unready pod when readinessProbe fails

2 Answers

5/3/2018

From what I gather from the gVisor blog:

Kata Containers

  • Full Kernel on top of a lightweight QEMU/KVM VM.
  • Lets system calls go through freely
  • Performance penalty due to the VM layer. Not clear yet how slower or faster than gVisor
  • On paper, slower startup time.
  • Can run any application.
  • Can run in nested virtualized environments if the hypervisor and hardware support it.

gVisor

  • Partial Kernel in userspace.
  • Intercepts syscalls
  • Performance penalty at runtime due to syscall filtering. Not clear how slower or faster than Kata yet.
  • On paper, faster startup time.
  • Can run only applications that use supported system calls.
  • On paper, you may not need nested virtualization.
-- Rico
Source: StackOverflow
8/10/2018

Here's a simple explanation

Kata Containers

Some kind of Containers which run on Hardware.

Traditional Virtual Machines are secure but not as fast as Containers. Kata Containers Project is like a Virtual Machine as lightweight as a Container. In other words, Kata Containers solved the low speed problem of VMs.

gVisor

Containers running inside a sandbox named gVisor (there's a sandbox per container)

Containers are fast but not as secure as Virtual Machines. gVisor is something like a sandbox and every container should run inside one sandbox. In other words, gVisor solved the security problem of Containers.

-- Iman Ravakhah
Source: StackOverflow