secure container in iot segment extend kata to acrn iot ... · • kata-runtime heavily utilizes...
TRANSCRIPT
Secure container in IoT segment –
Extend KATA to ACRN IoT hypervisor
Yu Wang, Intel SSP
Table of Contents
PART1: ACRN Overview
PART2: Introducing Container to IoT
PART3: Why KATA Container
PART4: Extend KATA to ACRN
What is ACRN?
ACRNTM is a Big Little Hypervisor for IoT Development
ACRN™ is a flexible, lightweight reference hypervisor, built with real-time and safety-criticality in mind, optimized to streamline embedded development through an open source platform
ACRN Focus
Small Footprint
Built for IoT
Adaptability
Built for Real-Time
Safety Criticality
Truly Open Source
Virtualization User Cases for IoT
In-Vehicle-Infotainment Robotics
IndustrialPrecision instrument
Why introducing container to IoT?
• Container technology is easy deployment, provide consistent
behavior on any supported hardware platforms.
• More and more various of workloads need to be execute into
single IoT embedded system, container technology provides
isolation to avoid influence.
• Container image is built up from a serial of layers, can easy
derives new features base on the mature container images.
Accelerate the development of IoT production iteration with easy
maintenance and upgradability.
Container vs Virtual Machine
Virtual Machine Container
Heavyweight Lightweight
Limited performance Native performance
Startup time in minute Startup time in seconds
Allocates required memory Requires less memory space
Hardware-level virtualization OS virtualization
Fully isolated and hence more secure Process-level isolation, possibly less secure
Container is not secure!!
What & Why is KATA?
• Kata provides a lightweight VM and individual kernel for additional isolation.
• Utilize the hardware virtualization technology to provide more secure isolation.
Virtual Machine
Namespaces
Process A
Linux Kernel A
Hardwarevirtualization
Virtual Machine
Namespaces
Process B
Linux Kernel B
Hardwarevirtualization
Virtual Machine
Namespaces
Process C
Linux Kernel C
Hardwarevirtualization
Linux Kernel
katacontainers
Additional isolation with a lightweight VMand individual kernels
Namespaces
Process A
Linux Kernel
Traditional Containers
Isolation by namespaces, cgroups with shared kernel
Namespaces
Process A
Namespaces
Process A
CPU Memory Network Storage
What are included in KATA?
Kata-runtime: A OCI compatible runtime.
Kata-shim: A CRI friendly shim.
Kata-proxy: A multiplex to route between kata-shim/kata-runtime and kata-agent.
Kata-agent: A process running in the VM as a supervisor for managing containers and processes running with those containers.
KATA+ACRN = secure container for IoT
Real time workload
FuSa workload
Container workload
Hardware node Hardware node Hardware node
Consolidated Workloads
KATA + ACRN high level architecture
ACRN hypervisor
Service VM
ACRN Device Model
OSPM
VT-d EPT
VMX
ACRN DM (Device Model)
Hypercalls
containerd-shim-kata-v2
Native device drivers
VM
Container workload
KATA-agent
Safety VM/Realtime VM
Passthru Device Drivers
HV Emulated Device Drivers
HV Device Drivers(WDT/ UART/Host Bridge/Timer/…)
VM
Container workload
KATA-agentVM
Container workload
KATA-agent
Guest VM
Container workload
kata-agent
ACRN Device ModelACRN DM
(Device Model)
orchestrationsAcrn is a type-1 hypervisor. All Kata container’s VM will share the same service VM.
Per Kata VM be launched by separated acrn-dm in service VM for providing mediator supports.
The guest VM executes the Kata provided highly performance optimized kernel and rootfs.
Kata optimized guest kernel
Kata optimized rootfs(clear Linux)
Acrn device model exports two PCI virtio console devices to guest VM, and provides UNIX domain socket interfaces for Kata host side services.
The Acrn guest VM is created by kata-runtime who will spawn the kata-proxy.
kata-proxy will connect to kata-agent over virtio consoles.
kata-proxy will offer access to the VM kata-agent to multiple kata-shim and kata-runtime clients associated with the VM.
KATA + ACRN low level architecture
ACRN hypervisor
Service VM
ACRN
Safety VM/Realtime VM
Guest VM
Container
kata-agent
ACRN DM
virtio blockvirtio-
console
virtio-console
virtio-consoleBE
virtio-consoleBE
kata-proxy
kata-shimkata-shim
OCI compatible orchestrators
kata-runtime
Launch VM
process process
Serial port Console port
virtio net
socket
gPRC
gPRC sever
OCI Commands I/O
KATA + ACRN low level architecture
ACRN hypervisor
Service VM
ACRN
Safety VM/Realtime VM
Guest VM
Container
kata-agent
ACRN DM
virtio blockvirtio-
console
virtio-console
virtio-consoleBE
virtio-consoleBE
kata-proxy
kata-shimkata-shim
OCI compatible orchestrators
kata-runtime
Launch VM
process process
Serial port Console port
virtio net
socket
gPRC
gPRC sever
Create containers
Start Proxy
OCI Create Command I/O
Acrn device model exports two PCI virtio console devices to guest VM, and provides UNIX domain socket interfaces for Kata host side services.
The Acrn guest VM is created by kata-runtime who will spawn the kata-proxy.
kata-proxy will connect to kata-agent over virtio consoles.
kata-proxy will offer access to the VM kata-agent to multiple kata-shim and kata-runtime clients associated with the VM.
How to extend KATA to ACRN?
Kata-runtimeCommandhandlers
VM(Sandbox)
Pod
containercontainer
container
OCI compatible orchestration
kata-agent
create
start
delete
…
exec
kill
pause
help
virtcontainer
Sandbox APIs
Container APIs agent client
Hypervisor interface
qemu hypervisor
acrn hypervisor
ACRN DM
Virtio-consoleBE
Kata-proxygRPC
socket
Launch VM
Sandbox control flow
Container control flow
• Kata-runtime heavily utilizes the virtcontainer which provides a generic, runtime-specification agnostic, hardware-virtualized containers library.
• The virtcontainer abstracts the operations for the sandbox and container on different hypervisor solution. Adds a new hypervisor operation instance for Acrn.
Call for
Participation
https://projectacrn.github.io/index.html
https://projectacrn.org
Joining ACRN Community Today!!!
Questions?