dockerd supports Kata Containers

[neersighted]

Hey all,

I just wanted to let you know that for some time now (since March), dockerd has natively supported Kata v2 via the containerd shim. I don't have the bandwidth to send a PR updating your README/docs right now, but hopefully it's not too much effort to clean things up to make a more accurate comparison with Kata.

If you'd like to test out Docker (23.0+) + Kata for yourself, try docker run --runtime io.containerd.kata.v2.

[struanb]

Hi @neersighted. Thank you for flagging this up. That's great news Kata v2 is now natively supported by Docker. I'm not sure why we weren't already alerted to this, as we've been subscribed to a wide variety of relevant Kata and Docker Github issues.

We will look to update the RunCVM docs. It will now be interesting to outline for potential users the pros/cons of Kata vs RunCVM, or at least respective use-cases. For example, RunCVM is easily installable in some environments like Github CodeSpaces, where installing Kata may be more difficult. RunCVM is also a very simple project that can be easily customised or extended to specific needs.

If you're a Kata v2 user, I'd be interested to hear any thoughts you may have on this.

[struanb]

The README is now updated, in commit https://github.com/newsnowlabs/runcvm/commit/a00d389e9c8459dd18a7be52f8a727f6a2dbf90d, to acknowledge changes in status of Docker/Kata compatibility may have occurred since the original conception of the project.

The language should now be accurate, although it is intentionally a bit circumspect for the time being, with the intention being to update the README again later to provide the comparison with Kata.

[struanb]

@neersighted The README has now been updated by 5325da599c20f371c7fc3bb760f836d156296625 (RunCVM vs Kata comparison documentation) and 204e99f4d8fc5b2afbf8e3e31cb1cf8dd598a6a9 (Fix footnote formatting).

Further clarity as to differences between RunCVM and Kata will be provided as they come to light, and the intention will be to periodically recompare and update the documentation.

The most significant difference to come to light from our tests, notwithstanding apparent serious bugs in Kata container DNS resolution (now documented), appears to be this:

• Kata aims to launch standard container images inside a restricted-privileges namespace inside a VM running a single fixed and heavily customised kernel and Linux distribution optimised for this purpose
• RunCVM intentionally aims to launch standard or bespoke container (or VM) images as the VM root filesystem using stock or bespoke Linux kernels

One is not better than the other, but Kata's approach is likely to be more secure and offer faster boot times for standard images, whereas RunCVM's approach is able to run VM workloads that Kata's security and kernel model appear to explicitly prevent.

As examples of this:

1. RunCVM is 'reentrant' in the sense that an 'inner' RunCVM container/VM guest can now be launched by Docker running within an 'outer' RunCVM container/VM guest (assuming the host supports nested VMs).
2. RunCVM can launch a stock OpenWRT image (documentation coming soon).

This has been an interesting and revealing exercise. I hope this helps and will close this issue accordingly.