Kata images

• Introduction
• Comparing Rootfs images with initrd images
  • General
  • Specific features
• systemd as the init daemon
  • systemd as init advantages
  • systemd as init disadvantages
• Kata agent as the init daemon
  • Kata agent as init advantages
  • Kata agent as init disadvantages
• Other binaries that kata needs inside the guest
• Further reading

Introduction

This page provides information on Kata Containers "mini O/S" images.

Note:

The original (and now out of date) version of this page existed as https://github.com/kata-containers/documentation/wiki/Kata-images.

Comparing Rootfs images with initrd images

General

Image type	init	Boot speed	Image Size	osbuilder rootfs creation	osbuilder image creation	Packaged asset name	Config option	Notes
rootfs	systemd	good	small	make rootfs AGENT_INIT=no	make image	kata-containers.img	image=	Flexible as easy to customise.
rootfs	agent	faster	smaller	make rootfs AGENT_INIT=yes	make image	n/a	image=	No advantage over using initrd=.
initrd	agent	fastest	smallest	make rootfs AGENT_INIT=yes	make initrd	kata-containers-initrd.img	initrd=	Not flexible - users cannot just add an extra service to a custom image. All extra functionality needs to be provided by the agent (potentially "re-inventing the wheel").
initrd	systemd	may be faster than "good"	smallish	make rootfs AGENT_INIT=no	make initrd	n/a	initrd=	No advantage over using image=.

Specific features

Comparison of running Kata with a image= entry with running Kata with an initrd= entry in the configuration.toml configuration file.

Feature	systemd-specific	Available in image	Available in initrd	Notes
Agent start	-	yes (systemd starts the agent)	yes (kernel starts the agent)	kata-agent is the init daemon in an initrd image.
Debug console	yes	yes	yes	Agent handles creating a debug console when debug_console_enabled=true.
Factory	no	no	yes
Guest time sync	yes	yes	yes	systemd based images use a chrony service. Agent init based images use the SetGuestDateTime) agent API.

systemd as the init daemon

systemd as init advantages

• De facto Linux init daemon.

• Avoids having to "re-invent the wheel" by implementing additional functionality in the agent

  Just drop in a standard service, otherwise the logic has to be implemented on the agent.

• Allows users to add additional services to custom images.

• Automatically handles mounting standard mounts (/dev, etc) (agent as init already handle it as well)

• Leverage systemd boot time

  With performance improvements from Clear Linux.

• Allows underlying osbuilder distro to be changed with minimal impact on the environment.

systemd as init disadvantages

• Large binary Increases size of image.

• Large potential attack surface.

  • Image needs to be updated not only with agent related changes but also to fix Systemd CVEs.

• Sometimes from upgrades of systemd break use cases.

• Slower boot that using the agent-as-init approach

  Systemd has to start, and then start the (minimal) defined set of services, which includes the Kata agent).

• Maintenance costs

  Providing multiple different images variants increases the cost of maintaining the system (CI, tests, patches, etc).

Kata agent as the init daemon

Kata agent as init advantages

• Simpler, smaller and faster image.

Kata agent as init disadvantages

• Difficult to support extra services.

  Rather than adding a new systemd .service file, the agent needs to be changed to add extra functionality.

Other binaries that kata needs inside the guest

• chrony: Synchronize guest clock with host.

• iptables: used by kata agent to setup iptables rules inside the guest, it uses the iptables provided by the O/S guest.

Further reading

• Read the Kata Containers architecture document, specifically the section on guest assets.