
Rust Allows Kata Containers To Run On More Platforms While Remaining Compact

source link: https://devm.io/containers/kata-containers-release

Kata Containers releases version 3.0

Sanja Gregic

13. Oct 2022


The development team behind the open-source container runtime Kata Containers has released version 3.0. The new version is based on Rust and now supports a wider range of hardware platforms.

Kata Containers is a secure container runtime environment with lightweight virtual machines that appear and act like containers but provide stronger workload isolation by leveraging hardware virtualisation technology as a second layer of defence. This solution allows for the quick and secure deployment of everything from highly regulated workloads to untrusted code. It spans public and private clouds, containers-as-a-service, and edge computing use cases.

The Kata Containers Agent was rewritten in Rust in version 2.0, and in version 3.0 the runtime is also rewritten in Rust. As a result, users should benefit from lower overhead compared to the previous runtime environment written in Go. Furthermore, the integrated Rust hypervisor, which is optional, should reduce the resource requirements of Kata Containers even further by ensuring, among other things, that only one host component is created for each pod.

The Cloud Hypervisor, also written in Rust, has been updated to version 26.0. This is accompanied by a number of improvements that provide Kata Containers with more direct access to a variety of hardware systems, resulting in better performance and security. For example, the updated Cloud Hypervisor works closely with Intel's Trust Domain Extensions (TDX), the successor to Intel's Software Guard Extensions (SGX), to ensure VMs run in complete isolation for a secure computing environment. TDX uses the Secure Arbitration Mode (SEAM) provided by Intel CPUs to isolate the VMs. Users should also be able to run legacy applications in the virtual machines without memory and performance restrictions. Another enhancement in Kata Containers 3.0 is more direct access to PCI hardware such as graphics accelerators. VMs can directly access the GPU via Virtual Function I/O (VFIO) to almost fully utilise its performance.

The Kata Containers community is overseen by the Open Infrastructure Foundation, which promotes the development and adoption of open infrastructure worldwide. The code is available on GitHub under the Apache 2 licence.

Sanja Gregic

Sanja is a Junior Online Editor at Software and Support Media GmbH. She holds a master's degree in English Language and Literature.

