A comparison between native and secure runtimes : Using Podman to compare crun and Kata Containers

Sammanfattning: Containers is a widely used way of developing and delivering software today. As they take use of abilities in the kernel to provide isolation and control, they provide a small overhead compared to traditional Virtual Machines. But with using a shared kernel comes additional security threats. A solution to this is to provide a extra layer of virtualization to provide extra isolation.The aim of this research is to study two different runtimes. The selected runtimes are Crun and Kata Containers. Where as Crun is a native low level runtime and Kata Containers offers an additional layer of isolation. To test these runtimes, this study use a Python benchmarking suite called pyperformance, to be able to measure what modules and libraries are affected by this extra layer of isolation.The findings are that the overhead in ranges from <1x up to 44x comparing the two runtimes. This research show what modules and libraries in Python are affected in a significant way when executed in Kata Containers.