Question
As I understand, Kata Containers:
Kata Containers builds a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers but provide the workload isolation and security advantages of VMs.
On the other hand, gVisor:
gVisor is a user-space kernel for containers. It limits the host kernel surface accessible to the application while still giving the application access to all the features it expects.
As I believe, both of these technologies are trying to add Linux space into containers in order to enhance security.
My question is: how do they differ from each other? Is there overlap in functionality?
Answer 1:
From what I gather from the gVisor blog:
Kata Containers
- Full Kernel on top of a lightweight QEMU/KVM VM.
- Lets system calls go through freely
- Performance penalty due to the VM layer. Not clear yet how much slower or faster than gVisor.
- On paper, slower startup time.
- Can run any application.
- Can run in nested virtualized environments if the hypervisor and hardware support it.
gVisor
- Partial Kernel in userspace.
- Intercepts syscalls
- Performance penalty at runtime due to syscall filtering. Not clear yet how much slower or faster than Kata.
- On paper, faster startup time.
- Can run only applications that use supported system calls.
- On paper, you may not need nested virtualization.
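To make the two runtimes concrete in a Kubernetes deployment, here is an added example that is not part of the original answer: two RuntimeClass objects exposing gVisor and Kata, and the same workload scheduled under each. It assumes containerd on the nodes already has runtime handlers registered under the names runsc (gVisor) and kata (Kata Containers); those handler names and the image are assumptions you would adjust to your cluster.

```yaml
# Added example, not from the original answer.
# Assumption: containerd on the nodes has runtime handlers named
# "runsc" (gVisor) and "kata" (Kata Containers) configured already.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc          # containerd handler name for gVisor's runsc (assumed)
---
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata           # containerd handler name for the Kata runtime (assumed)
---
# Workload under gVisor: syscalls are served by the userspace kernel (the
# "partial kernel" above), so only the supported syscall set is available.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
    - name: nginx
      image: nginx:stable   # image is an assumed sample workload
---
# Same workload under Kata: a full guest kernel inside a lightweight VM, so
# the syscall surface the application sees is the guest's, not the host's.
apiVersion: v1
kind: Pod
metadata:
  name: nginx-kata
spec:
  runtimeClassName: kata
  containers:
    - name: nginx
      image: nginx:stable
```

Apply with `kubectl apply -f` and check which isolation boundary each pod actually got: under gVisor, `kubectl exec nginx-gvisor -- dmesg` prints gVisor's own kernel banner rather than the host's ring buffer, and under Kata, `kubectl exec nginx-kata -- uname -r` reports the guest VM's kernel version, which differs from the node's. A pod whose `runtimeClassName` resolves to a handler that is not installed on the node stays Pending, so the check also catches a RuntimeClass that silently fell back to nothing.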
Answer 2:
Here's a simple explanation:
Kata Containers
Some kind of containers which run on hardware.
Traditional virtual machines are secure but not as fast as containers. The Kata Containers project is like a virtual machine that is as lightweight as a container. In other words, Kata Containers solved the low-speed problem of VMs.
gVisor
Containers running inside a sandbox named gVisor (there's one sandbox per container).
Containers are fast but not as secure as virtual machines. gVisor is something like a sandbox, and every container should run inside one sandbox. In other words, gVisor solved the security problem of containers.
Source: https://stackoverflow.com/questions/50143367/kata-containers-vs-gvisor