
Kata Containers 1.3 & 1.4 Release Updates

The Kata Containers project has made some rapid advancements as of late. Since September, we’ve done several releases which introduce features to help Cloud Service Providers (CSPs) and others who plan to deploy Kata into production.  

We are fortunate to have input to the Kata community project from some of the world’s largest cloud service providers, operating system vendors and telecom equipment makers, so that we can better serve their internal infrastructure needs as well as enterprise customers.

The Kata Containers 1.4.0 release has several nice new features and many bug fixes. We recommend that all users upgrade. We also released a new stable release (v1.3.1) for which only kernel changes were relevant.

The 1.4.0 release highlights the following features:

- Host cgroups support:  The virtual machine is now constrained in a host side cpu cgroup, enabling the requested cpu quota and periods to be better honored. This protects against a single container using up host resources which could lead to things like denial of service.

- NEMU `virt` machine type support:  This new machine type is specially optimized for cloud environments and a great fit for Kata Containers use cases. NEMU is a lighter weight version of QEMU intended to reduce the attack footprint of the VM, thus improving the security model even more. To learn more about NEMU, see https://github.com/intel/nemu.

- New Internetworking Model `none`: It works with tap endpoint types so that enlightened CNI plugins can add tap devices to a sandbox directly, skipping extra steps and complexity introduced with the host’s  network namespaces.

- New Internetworking Model `tcfilter`:  Yet another method for Kata Containers to bridge the host netns veth and guest tap device, with TC filter rules. With it, Kata Containers have more compatibility with different network endpoint types and CNI plugins.

- Enable macvlan and ipvlan network support:  These two networking models provide lightweight and fast access to underlay or host interfaces without NATing.

- Guest rootfs image can now have a `guest_hook_path` that specifies the path to OCI hook binaries within the guest to provide support to run OCI hooks within the guest. This feature helps with vendor-specific device passthrough to the Kata VM, for example.
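
One way to confirm the host-side CPU constraint described in the host cgroups item above, as an added example that is not Kata project code: it reads the cgroup v1 files `cpu.cfs_quota_us` and `cpu.cfs_period_us` from a directory you supply and reports the effective limit. The function names and demo values are assumptions, and the cgroup directory is passed in by the caller because this page does not say where Kata places the VM's cgroup.

```shell
#!/bin/sh
# Added example: audit the CPU limit on a host cgroup v1 directory.
# Assumption: the caller passes the cgroup directory to inspect.

# is_uint VALUE: succeeds only for a non-empty string of digits.
is_uint() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# cpu_limit_millis DIR
# Prints the CPU limit in milli-CPUs (1000 = one full CPU), or "unlimited"
# when cpu.cfs_quota_us is -1. Returns 2 if the files are missing or invalid.
cpu_limit_millis() {
    dir=$1
    [ -r "$dir/cpu.cfs_quota_us" ] && [ -r "$dir/cpu.cfs_period_us" ] || return 2
    quota=$(cat "$dir/cpu.cfs_quota_us")
    period=$(cat "$dir/cpu.cfs_period_us")
    if [ "$quota" = "-1" ]; then echo unlimited; return 0; fi
    is_uint "$quota" || return 2
    is_uint "$period" || return 2
    [ "$period" -gt 0 ] || return 2
    echo $(( quota * 1000 / period ))
}

# check_cpu_limit DIR MAX_MILLIS
# Returns 0 if a limit is set and does not exceed MAX_MILLIS, 1 if the cgroup
# is unlimited or the limit is higher, 2 if the limit could not be read.
check_cpu_limit() {
    limit=$(cpu_limit_millis "$1") || return 2
    [ "$limit" != unlimited ] || return 1
    [ "$limit" -le "$2" ] || return 1
}

# Demo on constructed data: 150000us of quota per 100000us period = 1.5 CPUs.
demo=$(mktemp -d)
echo 150000 > "$demo/cpu.cfs_quota_us"
echo 100000 > "$demo/cpu.cfs_period_us"
echo "limit: $(cpu_limit_millis "$demo") mCPU"
rm -rf "$demo"
```

A result of `unlimited` on the directory holding the VM's processes means no quota is being enforced at that level of the hierarchy.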

For full details of v1.4 release features, please see
https://github.com/kata-containers/runtime/releases/tag/1.4.0

For the new stable v1.3.1 release, only kernel changes were relevant for that branch.
https://github.com/kata-containers/runtime/releases/tag/1.3.1

In September we released 1.3.0 and the 1.2.2 stable release, with features like network and memory hotplug to better support CSP customers running production environments. We also continued our push to be cross-architecture by adding more support for ARM64 as well as Intel(R) Graphics Virtualization Technology.

To recap the v1.3.0 feature highlights in case you missed the announcement:

- Network hotplug:  Sandbox network can now be dynamically changed by the "kata-runtime network" subcommand. This allows customized CNI plugins to create more Kata-native network endpoints within a running container and better support for live dynamic network reconfiguration.

- Network monitoring:  a new Kata component (kata-netmon) is added to monitor the container netns on the host. CNI hooks that dynamically change the network setup of a running container, and "docker network connect", now work with Kata Containers.

- Network multiqueue support:  Network cards are added to the guest with multiqueue support, allowing Kata Containers to gain better network performance by running multiple threads in parallel.

- Memory hotplug: "kata-runtime update" subcommand can now add extra memory to a running container for long-lived dynamically reconfigured pods.

- Better container memory constraint support:  containers in the same Kata sandbox (VM) can be constrained by memcg inside the guest.

- GPU support:  both Intel(R) GVT-g and GVT-d GPU devices can now be used by Kata Containers.

- Architecture/ARM64: add GICv4 or higher support.

For full details, please see  https://github.com/kata-containers/runtime/releases/tag/1.3.0

The 1.2.2 stable release had several important fixes. Users who want to stick with the stable-1.2 branch were recommended to update. For full details, please see https://github.com/kata-containers/runtime/releases/tag/1.2.2

Thanks to all contributors who are helping to advance Kata Containers in order to better serve our growing number of users!