During the KubeCon + CloudNativeCon EU 2023 event, Huawei announced that it had open-sourced Kuasar, a Rust-based container runtime that supports multiple types of sandboxes, including microVMs, Linux containers, app kernels, and WebAssembly runtimes.
(Kuasar was open sourced at KubeCon EU 2023.)
At KubeCon EU 2023, over 50% of attendees attended the flagship Kubernetes conference for the first time. Kubernetes and the cloud-native application paradigm it empowers appear to be crossing the chasm into mainstream IT organizations. As Kubernetes gains popularity, developers are increasingly applying cloud-native architecture beyond traditional data centers, such as edge data centers, data streaming applications, blockchains, autonomous vehicles, and even IoT devices.
These new cloud-native applications need to handle diverse workloads. The one-size-fits-all Linux container approach is no longer sufficient. For example, some applications require VM-level security and isolation, while others need to run lightweight isolation sandboxes such as WebAssembly (Wasm).
In the past, numerous efforts have been made to enable VM and Wasm workloads to run side by side with Linux containers in the same Kubernetes cluster. For example, the KubeVirt project can manage both VMs and containers. The crun project supports both Linux containers and Wasm runtimes at the OCI level. With the help of runwasi, the containerd project can manage Wasm runtimes, such as WasmEdge, and Linux containers side by side. However, those projects reuse the Linux container framework to support other sandbox types, which leads to numerous inefficiencies and unexpected behaviors when running VM or Wasm sandboxes. Several tutorials illustrate the complexity of running Wasm containers in traditional Kubernetes environments.
Kuasar is designed from the ground up to support multiple types of sandboxes and containers. Built on top of containerd’s Sandbox API, Kuasar introduces a unified approach to sandbox support and management. The Sandbox API is a low-level target for managing the resources of multiple containers; a sandboxer implementing it is built and orchestrated independently, without any Go dependencies. That allows Kuasar to be implemented in Rust, which provides additional safety and performance benefits at the infrastructure level. Chris Aniszczyk, CTO of CNCF, tweeted about the announcement of Kuasar:
new open source project taking advantage of sandbox API to run containers, wasm etc - planning to contribute to CNCF! look forward to seeing how the sandbox API evolves in cri/containerd land this year!
(The architecture of Kuasar.)
Compared with Kata, another secure container runtime, Kuasar starts up in less than half the time and consumes less memory. These performance gains come from:
- Using the Rust programming language.
- A re-design to remove all pause containers.
- A re-design to replace shim processes with a single resident sandboxer process.
(Kuasar’s support for WasmEdge.)
As a unified container runtime, Kuasar already supports microVM sandboxes such as Cloud Hypervisor, StratoVirt, and QEMU, app kernel sandboxes such as Quark, and Wasm sandboxes such as WasmEdge. Kuasar integrates seamlessly with high-level CRI container management tools, such as containerd, cri-o, docker, and iSulad. Bill Ren, a CNCF board director, shared his vision and hope for Kuasar at KubeCon EU:
The open-source Kuasar will provide developers with more choices and support, offering users a more efficient, complete, and flexible cloud-native container solution for their scenarios.
(The ecosystem of Kuasar.)
Kuasar is jointly developed by multiple commercial and open-source organizations, including Huawei Cloud, the Agricultural Bank of China, WasmEdge (a CNCF project), and the openEuler community.
Kuasar is an open-source project licensed under Apache 2.0. The source code is available on GitHub. If you are interested in container runtimes, check it out and make a contribution.