Secure Runtime and Common Runtime

The most significant difference is that each Kata container (pod) runs on an independent micro-VM, has an independent OS kernel, and is securely isolated at the virtualization layer. With a secure runtime, kernels, compute resources, and networks are isolated between containers to protect pod resources and data from being preempted and stolen by other pods.

CCE Turbo clusters allow you to create workloads using a common runtime or secure runtime as required. The differences between them are as follows.

| Category | Secure Runtime | Common Runtime |
| --- | --- | --- |
| Node type used to run containers | ECS (PM) | ECS (VM), ECS (PM) |
| Container engine | containerd | Docker and containerd |
| Container runtime | Kata | runC |
| Container kernel | Exclusive kernel | Shares the kernel with the host |
| Container isolation | Lightweight VMs | cgroups and namespaces |
| Container engine storage driver | Device Mapper | Docker container: OverlayFS2; containerd container: OverlayFS |
| Pod overhead | Memory: 100 MiB; CPU: 0.1 cores (see note below) | None |
| Minimum flavor | Memory: 256 MiB; CPU: 0.25 cores (see note below) | None |
| Container engine CLI | crictl | Docker container: docker; containerd container: crictl |
| Pod computing resources | The request and limit values must be the same for both CPU and memory. | The request and limit values can be different for both CPU and memory. |
| hostNetwork | Not supported | Supported |

Pod overhead: pod overhead accounts for the resources consumed by the pod infrastructure on top of the container requests and limits. For example, if limits.cpu is set to 0.5 cores and limits.memory to 256 MiB for a pod, the pod will request 0.6 CPU cores and 356 MiB of memory.

Minimum flavor: it is recommended that the ratio of CPU (unit: cores) to memory (unit: GiB) be in the range of 1:1 to 1:8. For example, if CPU is 0.5 cores, the memory should range from 512 MiB to 4 GiB.
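As an added example (not CCE's own code), a small checker that applies the secure-runtime rules from this table to a pod spec: request must equal limit, hostNetwork is rejected, the minimum flavor and the recommended CPU:memory ratio are checked, and the Kata pod overhead is added to obtain the resources the node actually reserves. It assumes resources are written as Kubernetes quantity strings ("500m", "256Mi"); the sample pod is constructed from the page's own overhead example.

```python
from fractions import Fraction

# Values from the table on this page: Kata pod overhead and minimum flavor.
KATA_OVERHEAD_CPU = Fraction(1, 10)   # cores
KATA_OVERHEAD_MEM_MIB = 100
MIN_CPU = Fraction(1, 4)
MIN_MEM_MIB = 256

def parse_cpu(q: str) -> Fraction:
    """Kubernetes CPU quantity: '500m' -> 1/2 core, '0.5' -> 1/2, '2' -> 2."""
    return Fraction(q[:-1]) / 1000 if q.endswith("m") else Fraction(q)

def parse_mem_mib(q: str) -> Fraction:
    """Kubernetes memory quantity in binary units ('256Mi', '1Gi') -> MiB."""
    for suffix, scale in (("Gi", 1024), ("Mi", 1), ("Ki", Fraction(1, 1024))):
        if q.endswith(suffix):
            return Fraction(q[: -len(suffix)]) * scale
    raise ValueError(f"unsupported memory quantity: {q}")

def check_kata_pod(spec: dict) -> dict:
    """Validate a PodSpec-shaped dict against the secure-runtime rules; return
    errors, warnings and the effective resources (limits plus Kata overhead)."""
    errors, warnings = [], []
    total_cpu, total_mem = Fraction(0), Fraction(0)
    if spec.get("hostNetwork"):  # hostNetwork is not supported on the secure runtime
        errors.append("hostNetwork is not supported with the secure runtime")
    for c in spec["containers"]:
        req, lim = c["resources"]["requests"], c["resources"]["limits"]
        # Secure runtime: request and limit must be equal for both CPU and memory.
        for key, parse in (("cpu", parse_cpu), ("memory", parse_mem_mib)):
            if parse(req[key]) != parse(lim[key]):
                errors.append(f"{c['name']}: {key} request {req[key]} != limit {lim[key]}")
        total_cpu += parse_cpu(lim["cpu"])
        total_mem += parse_mem_mib(lim["memory"])
    # The minimum flavor applies to the pod as a whole.
    if total_cpu < MIN_CPU or total_mem < MIN_MEM_MIB:
        errors.append(f"below minimum flavor: {float(total_cpu)} cores / {float(total_mem)} MiB")
    # CPU (cores) : memory (GiB) ratio of 1:1 to 1:8 is a recommendation, so only warn.
    if total_cpu and not 1 <= (total_mem / 1024) / total_cpu <= 8:
        warnings.append(f"cpu:memory ratio 1:{float((total_mem / 1024) / total_cpu):g} is outside 1:1..1:8")
    return {"errors": errors, "warnings": warnings,
            "effective_cpu": total_cpu + KATA_OVERHEAD_CPU,
            "effective_mem_mib": total_mem + KATA_OVERHEAD_MEM_MIB}

# Constructed sample: the page's pod-overhead example (0.5 cores, 256 MiB).
SAMPLE_POD = {"hostNetwork": False, "containers": [{"name": "app", "resources": {
    "requests": {"cpu": "500m", "memory": "256Mi"},
    "limits": {"cpu": "0.5", "memory": "256Mi"}}}]}
```

Note that the page's own overhead example (0.5 cores, 256 MiB) lands below the recommended 1:1 ratio, so the checker reports it as a warning rather than an error.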