Kata Containers on Edge Cloud

Jin, Yuntong (Yuntong.jin@intel.com)

Bai,Yu (baiyu10@baidu.com)

Kata Containers Innovate Edge Cloud

Kata@Baidu DuerEdge

Agenda

HOST LINUX* KERNEL

Standard ContainersMore prone to exploits

PROCESS

namespaces

Kata* ContainersEach container or pod is more isolated in its own lightweight VM

GUEST LINUX* KERNEL

HW VIRTUALIZATION

VM

PROCESS

namespaces

GUEST LINUX* KERNEL

HW VIRTUALIZATION

VM

PROCESS

namespaces

GUEST LINUX* KERNEL

HW VIRTUALIZATION

VM

PROCESS

namespaces

PROCESS

namespaces

PROCESS

namespaces

HOST LINUX* KERNEL

* Other names and brands may be claimed as the property of others.

What is Kata Containers?

* Other names and brands may be claimed as the property of others.

Kata ContainersThe speed of containers, the security of VMs

Hypervisor

Shim Agent

Kernel

Virtual Machine

Runtime

I/O OCI cmd/spec

gRPC

gRPCShim

Container namespaces

ContainerCommand

ContainerExec

Hypervisor VSOCK socket *Other names and brands may be claimed as the property of others.

Kubelet

Container Runtime Interface (CRI)

CRI-O

runc kata-runtime

PodVM

Pod

CRI-O and Kata Containers

7

Kata Containers - Innovate Edge Cloud

CaaS/Serverless

Edge Cloud Central Cloud Edge Cloud

8

Serverless Kuberntes * Cluster for Multi-tenant

k8s k8s

IaaS

containercontainer Pod

VM

containercontainer Pod

VM

containercontainer Pod

VM

containercontainer Pod

VM

CaaS

Pod

VM

k8s

Pod

VM

Pod

VM

Pod

VM

Pod

VM

Pod

VM

Pod

VM

Pod

VM

*Other names and brands may be claimed as the property of others.

KATA@DuerEdge

10

DuerEdge - Baidu Edge Network Computing

Baidu aims to use the power of edge network computing to break

through the data transmission and network traffic problems between

cloud and end, and to improve business flexibility and operational

efficiency.

The platform relies on Baidu's core technology, service nodes are all

over the backbone network of the country, supporting customized

functions on demand, providing customers with flexible, low-cost,

high-reliable solutions.

11

DuEdge Features

Network all over the world

• China and overseas network

• Low latency

Customizable

• Function programming• Application Strategy

Pay on-demand

• On calls• On bandwidth

Low cost

• Serverless• NoOps

AI ability

• AI function API• Local inference

Security defense

• Security function API• Multi-tenant isolation

12

Why use kata containers

• Edge computing multi-tenant runtime environment

• Supports VM level isolation

• Performs like a standard container

• Supports k8s CRI and OCI

• Customizable Kernel

• Uses different kernel from the host

• Easy to change the container kernel

• Easy to adjust the host kernel parameters

• Resource isolation and restriction

• Provides isolation of network, I/O, CPU and memory

• Utilizes hardware-enforced isolation with virtualization VT

extensions

• High Security

• Minimizes attack surface in VM

13

DuerEdge Framework

• Deploys in CDN and MEC edge node, multiple network traffic access

• Supports runc and kata computing containers

• Developing APIs help to improve the efficient of programing

• Developers can quickly develop apps and deploy online using console and CI/CD tools

• Provides log management system to view and download access logs and debug logs

• Metric and alarm are collected centrally and processed automatically

• Various recipes can be found in Github：

• https://github.com/baidu/duedge-recipes

14

Container Architecture

• Programming language sandboxprovides a trusted execution environment

• AI APIs makes it easy for developers to doinference on the edge of the network

• Providing security check APIs and can beused in functions

• Supporting flow computing onHTTP/HTTPS, big data can be processed inreal time

• Single container can processingconcurrent requests, a cluster can handle massive concurrent requests

• Developers can configure a global KV orcreate a shared KV in a cluster

• Cache APIs enable users to store files atthe edge and accelerate files download

( ( ( (

) ( (

( )

&

N am espace

&

N am espace

&

N am espace

& &

&

&

15

Where to use kata containers

• Running user debugging code

• Dead loop

• Network requests flood

• Memory leak

• High risk code

• Failure to pass code auto-check

• Suspected malicious code

• Isolated service container runtime

• Isolated kernel

• Isolated network

• Needed special kernel

• Legacy kernel

• Unsafe language sandbox container

runtime

16

Set TriggerCoding

AccessNode

Things ComputingNode

Cache/KV

Origin

Service API

Deploy

triggerhttp/https http/https

Baidu Edge Computing Node

How to use DuerEdge

Step 1. Write Function

Step 2. Modify DNSresolve

17

Consoles

• Function Editor

• multi-file editor

• upload zip code

• version control

• syntax prompt

• syntax highlight

• Trigger Rule

• regular expression url

• select function by name

• adjustable rule priority

• rule switch

• searching rule

• Data Report

• function request number

• function run time

• function timeout

• multiple dimensional views

• log download

18

Programming APIs

• Event (JSON object)

• request : request information

• response : response data to client

• config : user configure

• env : environment variables

• Event.fetch (function)

• fetch(url[, request][, config])

• Event.cache (class)• find

• put

• purge

• Event.kv (class)• get

• mget

• put

• delete

• Event.ai (class)• FaceDetect

• ImageCensor

• AntiPorn

• PoliticianCensor

• TerrorCensor

• Event.console (class)

• log

• Event.security (class)• JSChallengeResult

• RatelimitResult

• JSResponse

Entry function:

exports.handler = (event) => {}

• PassThrough (stream class)

• readable.pipe(destination[,

options])

• Event: 'data', 'end', 'close', etc

19

Anti-Crawler Use Case

• Malicious crawler issue

• Steals copyright content and business secret

• Wastes a lot of computing and bandwidth resource of origin

• Affects search engine ranking

• Anti-crawler solution

• Uses kata containers to isolate multi-tenant business and

resource

• Providing security check APIs makes development easier

• Supports invoking cloud anti-crawler service to check from

the whole network

• Uses fake origin to cheat malicious crawler

• Automatically increasing containers with increasing requests

• Results and Benefits

• Significant reduction in malicious crawler requests (3.9)

• Better SEO results lead to increased website traffic (3.20)

A

-

RESTful API

A

20

0 200 400 600 800 1000 1200

TARGET

runC

kata containers

Container Startup Time (ms)

0 2 4 6 8 10

TARGET

runC

kata containers

Pre-warm Container Startup Time (ms)

Startup Speed Optimization

• Edge computing should respond in a short

time, the delay is expected less than 10ms

• Kata and runC containers startup time is

much longer than 10ms

• Pre-warm containers significantly reduce

startup time

• Optimizes the time to load user code into a

pre-warm running containers

• Use lazy unmount (https://github.com/kata-

containers/runtime/pull/963)

THANKS.