展开查看详情
1 .Kubernetes VM Solutions for
Multi-Tenant Applications
Guangxu Li, Senior Software Engineer, ZTE
li.guangxu@zte.com.cn
�
2 .Container and VM Ecosystem
Kubernetes
Docker Swarm
Marathon
Nomad
Container
OpenStack
Others
�
3 .Why We Run VM on Kubernetes?
• Traditional Applications
• No linux based Applications
• Functions provided by host kernel are not satisfied
• OpenStack is too complex
• Unified infrastructure
• Better isolation
�
4 .VM related Projects
Virtlet
KubeVirt Kata Container
RancherVM
Focus : deploy REAL vm Focus : container security
(traditional vm app)
�
5 .Virtlet
Virtlet is a Kubernetes runtime server
which allows you to run VM workloads,
based on QCOW2 images.
https://github.com/Mirantis/virtlet
�
6 .Virtlet compares with other CRI
�
7 .Virtlet Architecture
Daemonset Pod
�
8 .Virtlet Deploying Objects
DaemonSet
ConfigMap
ClusterRole/Role
virtlet solution
Service Account
�
9 .Virtlet Pros
define VM as Pod
supports using multiple
SR-IOV
interfaces
NFV Environments
�
10 .Virtlet Cons
limited storage options
more configurations
VM actions limited by Pod
�
11 .KubeVirt
Building a virtualization API for
Kubernetes
https://github.com/kubevirt
�
12 .KubeVirt Architecture
�
13 .KubeVirt Application Layout
KubeVirt Components
• virt-controller
• virt-handler
• libvirtd
KubeVirt Managed Pods
• VMI Foo
• VMI Bar
�
14 .KubeVirt Pros & Cons
Pros
• Kubernetes cluster addon
• freedom - not limited by Pod definition
Cons
• VMs need to be managed separately from kubelet
• a new controller
• much bigger codebase
�
15 .RancherVM
Package and run KVM images as Kubernetes
pods, run at scale.
https://github.com/rancher/vm
�
16 .RancherVM Architecture
�
18 .Container Security
gVisor
NFV?
�
19 .Kata Container
The speed of containers, the security of VMs
https://github.com/kata-containers
�
20 .Kata Container Architecture
�
21 .How to use kata container?
�
22 . k8s + docker + kata not easy
kubernetes(dockershim)
does not support to choose
OCI runtime
�
23 .k8s + docker + kata not easy
kata container network hotplug (support now)
kubernetes
Dockershim
Containerd Cri-o
/ Docker
a.create pause container a.create netns
b.get container netns b.create net resources in netns
c.create net resources in netns c.create pause container and app container
�
24 .k8s + docker + kata create pod
�
25 .k8s + docker + runc create pod
�
26 .How ZTE Uses kata container in NFV
ZTE OpenPalette
kubernetes based PAAS
kata container 1.3
�
27 .How ZTE Use kata container in NFV
ZTE Knitter
CNI based
networking solution
�
28 .gVisor
gVisor is a user-space kernel that
implements a substantial portion of the
Linux system surface
https://github.com/google/gvisor
�
29 .Why does gVisor exist?
ü a single, shared kernel also mean that
container escape is possible
ü gVisor implements Linux by way of Linux
ü another approach to enhance container
isolation
�
热门城市
