Containers more secured? Use Cri-o Kata with Oracle Linux on Oracle Cloud
Thanks to Simon Coter, Product Director Oracle Linux
Containers here, there and everywhere. Since the rise of Cloud, DevOps, Microservices, plus a lot of other new technologytrends, also infrastructure has made a major transition in how to build, provision and operate a live production, serving the needs of always on 24*7, high demands of new and better functionality, and higher demands in non functional requirement such as performance and scalability.
Transition an existing infrastructure to a container-based landscape is something which has to land and evolve within an organisation and it’s not that it’s an easy task. One has to think of implementing all the benefits of this new way of working, but also keep in mind of things such as security and maintainability, and not only productivity.
More Security using Kata based containers
Kata Containers are other than Docker Containers. They are a lightweight Virtual Machine (VMs) but still feel and perform like containers.
Kata containers have their own kernel but still have all the characteristics and beneftis of containers; one of the benefits is that they become more secure. They provides the workload isolation and security advantages of VMs. but at the same time maintain the speed of deployment and usability of containers.by using Kata containers, instead of a namespace, small virtual machines are created on the kernel and be strongly isolated.
The technology of Kata Containers is based on QEMU. That’s why the level of isolation is equivalent to typical hypervisors. Also KVM is based on QEMU.
QEMU can emulate a complete machine in software without any
need for hardware virtualization support.
See in this diagram the main differences between traditional docker containers and kata containers:
Container Engine
Docker containers use the docker container engine to implement their API’S and being accessible. Kubernetes will, by default use the docker engine layer. Now a container engine provides some sort of a virtualization layer between the kernel and the container. The eventual container is a running process within Linux making use of it.
To make containers run you need a container runtime. Docker provides it’s own, but can also run on others such as containerd
See here the different k8s nodes running different container engines
For this you need to tell the kubelet which container engine to use:
mkdir -p /etc/systemd/system/kubelet.service.d/
cat << EOF |tee /etc/systemd/system/kubelet.service.d/0-containerd.conf
[Service]
Environment=”KUBELET_EXTRA_ARGS= — container-runtime=remote — runtime-request-timeout=15m — container-runtime-endpoint=unix:///run/containerd/containerd.sock”
EOF
And setup containerd to integrate with kubelet:
modprobe overlay
modprobe br_netfilter
Contents of /etc/sysctl.d/99-kubernetes-cri.conf :
Now containerd is compatible running kata-containers, by using the CRI plugin. You can also use CRI-O, another lightweighted container runtime interface, but for now I focussed on containerd
Components for building
The components I used for building a K8s cluster in the cloud were:
- 3 VM Instances in the Oracle Cloud Infrastructure
- These instances used the Oracle Linux 7.7 developer image because here a lot of the needed tools such as KVM utils were already installed:
- Use oracle-olcne-release-el7.x86_64
- enable ol7_kvm_utils
- kata-runtime
- Some Cloud storage, the basics for setting up VMs in the Oracle Cloud
I also wanted to let docker to make use of the kata-runtime bij creating a file
/etc/systemd/system/docker.service.d/kata-containers.conf
and to see which runtime Dockers uses, execute:
I won’t go through all the installation and setup details, you can find them here: https://community.oracle.com/docs/DOC-1033391
Use Kata in Kubernetes and run an Oracle Database
To use kata containers in the proper runtime, you need to create a config file, to be generated with containerd
Per k8s node, you specifiy the runtime. Because I used Kubernetes version 1.12, some of the sections looked like this
In higher versions you have to use the kata version 2
[plugins.cri.containerd]
[plugins.cri.containerd.default_runtime]
runtime_type = "io.containerd.kata.v2"
Do not forget to reload system daemons and restart the containerd service to apply changes.
To let K8s make use of kata, a few yamls need to be deployed to kube-system with kata-runtime.yaml, to implement runtime classes. These were introduced in v1.12, so the apiVersion hete should be v1alpha1:
For enabling deployment of kata containers, also https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/kata-deploy/base/kata-deploy.yaml needs ro be deployed to the k8s cluster.
And finally, some RBAC settings by using https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/kata-rbac/base/kata-rbac.yaml for labeling nodes as kata runtime nodes:
Deploy an Oracle Database
My endgoal is to deploy an entire WebLogic environment but first I installed the database using a yaml file. Here specified the kata runtime class and a node selector:
By applying the database, on k8s-worker2 the pod was scheduled and qemu was started to emulate a VM based container:
Conclusion
There is a lot going on in container landscape. There is also a lot of information, which is sometimes difficult tot get it all together in a understandable story. This is just a beginning and certainly a lot need to be adjusted to transition to a more secure container platform. I hope you will learn something of it and improve by doing ot yourself.
Next article I will deepdive into cri-o and how it will be used with WebLogic Cloud Native.