Secure Runtime and Common Runtime
The most significant difference is that each Kata container (pod) runs in its own micro-VM with an independent guest OS kernel, so it is isolated from other pods at the virtualization layer rather than only by the host kernel. With a secure runtime, kernels, compute resources, and networks are isolated between containers, which protects a pod's resources and data from being preempted or stolen by other pods on the same node.
CCE Turbo clusters allow you to create workloads using either a common runtime or a secure runtime, as required. The differences between the two are as follows.
Category | Secure Runtime | Common Runtime
---|---|---
Node type used to run containers | ECS (PM) | ECS (VM), ECS (PM)
Container engine | containerd | Docker and containerd
Container runtime | Kata | runC
Container kernel | Exclusive kernel | Shares the kernel with the host
Container isolation | Lightweight VMs | cgroups and namespaces
Container engine storage driver | Device Mapper | 
Pod overhead | Memory: 100 MiB; CPU: 0.1 cores. Pod overhead accounts for the resources consumed by the pod infrastructure on top of the container requests and limits. For example, if limits.cpu is set to 0.5 cores and limits.memory to 256 MiB for a pod, the pod will request 0.6 CPU cores and 356 MiB of memory. | None
Minimum flavor | Memory: 256 MiB; CPU: 0.25 cores. It is recommended that the ratio of CPU (unit: core) to memory (unit: GiB) be in the range of 1:1 to 1:8. For example, if the CPU is 0.5 cores, the memory should range from 512 MiB to 4 GiB. | None
Container engine CLI | crictl | 
Pod computing resources | The request and limit values must be the same for both CPU and memory. | The request and limit values can differ for both CPU and memory.
 | Not supported | Supported
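The secure-runtime rows above (equal requests and limits, the 0.25-core/256-MiB minimum flavor, the recommended 1:1 to 1:8 core:GiB ratio, and the fixed 0.1-core/100-MiB pod overhead) can be checked before a pod spec is submitted. The following is an added example written for this page, not code from the CCE documentation or the Kata project. The fixed numbers are taken from the table; applying the minimum flavor and the ratio to the summed container limits, and the `runtimeClassName` value `kata` in the sample pod, are assumptions made here.

```python
"""Added example (not CCE or Kata code): pre-admission check for a pod spec
destined for the secure (Kata) runtime, encoding the constraints in the
comparison table. Assumption: minimum flavor and ratio apply to the sum of
the pod's container limits."""
from dataclasses import dataclass, field

MIB = 1024 ** 2
GIB = 1024 ** 3

# Fixed per-pod overhead of the secure runtime (table: 0.1 cores, 100 MiB).
OVERHEAD_MILLICORES = 100
OVERHEAD_BYTES = 100 * MIB
# Minimum flavor (table: 0.25 cores, 256 MiB).
MIN_MILLICORES = 250
MIN_BYTES = 256 * MIB
# Recommended core:GiB ratio window (table: 1:1 to 1:8).
MIN_GIB_PER_CORE, MAX_GIB_PER_CORE = 1.0, 8.0

_MEM_SUFFIXES = {"Ki": 1024, "Mi": MIB, "Gi": GIB, "Ti": 1024 ** 4}


def parse_cpu(quantity) -> int:
    """Kubernetes CPU quantity ('500m', '0.5', '2') -> millicores (int)."""
    s = str(quantity)
    if s.endswith("m"):
        return int(s[:-1])
    return round(float(s) * 1000)


def parse_memory(quantity) -> int:
    """Kubernetes memory quantity ('256Mi', '1Gi', '1048576') -> bytes."""
    s = str(quantity)
    for suffix, mult in _MEM_SUFFIXES.items():
        if s.endswith(suffix):
            return int(s[: -len(suffix)]) * mult
    return int(s)


@dataclass
class CheckResult:
    problems: list = field(default_factory=list)   # hard constraints violated
    warnings: list = field(default_factory=list)   # recommendations not met
    scheduled_millicores: int = 0                   # container limits + overhead
    scheduled_bytes: int = 0

    @property
    def ok(self) -> bool:
        return not self.problems


def check_secure_runtime_pod(pod: dict) -> CheckResult:
    result = CheckResult()
    total_cpu = total_mem = 0
    for c in pod["spec"]["containers"]:
        res = c.get("resources", {})
        limits, requests = res.get("limits", {}), res.get("requests", {})
        for key, parse in (("cpu", parse_cpu), ("memory", parse_memory)):
            if key not in limits:
                result.problems.append(f"{c['name']}: limits.{key} is required")
                continue
            # Kubernetes defaults a missing request to the limit, so only an
            # explicit request that differs from the limit breaks the rule.
            if key in requests and parse(requests[key]) != parse(limits[key]):
                result.problems.append(
                    f"{c['name']}: requests.{key} must equal limits.{key}")
        total_cpu += parse_cpu(limits.get("cpu", "0"))
        total_mem += parse_memory(limits.get("memory", "0"))

    if total_cpu < MIN_MILLICORES or total_mem < MIN_BYTES:
        result.problems.append(
            "pod is below the minimum flavor of 0.25 cores / 256 MiB")
    if total_cpu > 0:
        gib_per_core = (total_mem / GIB) / (total_cpu / 1000)
        if not MIN_GIB_PER_CORE <= gib_per_core <= MAX_GIB_PER_CORE:
            result.warnings.append(
                f"CPU:memory ratio is 1:{gib_per_core:g}; 1:1 to 1:8 is recommended")

    # What the scheduler actually reserves for a Kata pod: the container
    # limits plus the fixed micro-VM overhead.
    result.scheduled_millicores = total_cpu + OVERHEAD_MILLICORES
    result.scheduled_bytes = total_mem + OVERHEAD_BYTES
    return result


# Constructed sample pod using the table's own figures: 0.5 cores / 256 MiB.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "kata-demo"},
    "spec": {
        "runtimeClassName": "kata",  # assumed handler name, not from the page
        "containers": [{
            "name": "app",
            "image": "nginx",
            "resources": {"requests": {"cpu": "500m", "memory": "256Mi"},
                          "limits": {"cpu": "500m", "memory": "256Mi"}},
        }],
    },
}

if __name__ == "__main__":
    r = check_secure_runtime_pod(SAMPLE_POD)
    print("ok" if r.ok else r.problems, r.warnings)
    print(f"scheduled: {r.scheduled_millicores} millicores, "
          f"{r.scheduled_bytes // MIB} MiB")
```

Run on the sample pod, the check passes the hard constraints and reports the scheduled size as 600 millicores and 356 MiB, matching the table's worked figure; it also emits a ratio warning, because 0.5 cores with 256 MiB is 1:0.5, below the recommended 1:1 floor. Keeping the ratio as a warning rather than a failure mirrors the table's wording ("recommended"), while the equal-request-and-limit rule and the minimum flavor are treated as hard requirements.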