Why Kata Containers?
Traditional Linux containers share the host kernel, meaning a kernel exploit in one container can potentially compromise the entire host. Kata Containers eliminates this attack surface by running each container inside its own virtual machine with a dedicated kernel.
This makes Kata ideal for multi-tenant environments, untrusted workload execution, CI/CD pipelines processing third-party code, and compliance-sensitive deployments.
1
Prerequisites
RamNode KVM VPS Requirements
| Component | Minimum | Recommended |
|---|---|---|
| VPS Type | KVM (required) | KVM |
| CPU | 2 vCPUs | 4+ vCPUs |
| RAM | 4 GB | 8+ GB |
| Storage | 30 GB NVMe | 60+ GB NVMe |
| OS | Ubuntu 22.04 LTS | Ubuntu 24.04 LTS |
| Nested Virt | Required | Enabled by default on KVM |
KVM VPS Required: Kata Containers requires hardware virtualization (nested KVM). OpenVZ and LXC-based VPS plans will NOT work. Ensure you provision a RamNode KVM VPS.
Knowledge Prerequisites
- Comfortable with Linux command line and SSH
- Basic understanding of containers (Docker experience helpful)
- Familiarity with systemd service management
2
Initial Server Setup
Update system and install base packages
sudo apt update && sudo apt upgrade -y
sudo apt install -y curl wget gnupg2 apt-transport-https \
ca-certificates software-properties-common lsb-releaseVerify Nested Virtualization
Confirm your RamNode VPS supports KVM nested virtualization:
Check KVM support
# Check for KVM support
grep -cw vmx /proc/cpuinfo # Intel (should return > 0)
grep -cw svm /proc/cpuinfo # AMD (should return > 0)
# Verify /dev/kvm exists
ls -la /dev/kvm
# Install and run kvm-ok
sudo apt install -y cpu-checker
kvm-okYou should see "KVM acceleration can be used" in the output. If not, contact RamNode support to verify your VPS plan supports nested virtualization.
Configure a Non-Root User (Recommended)
Create deploy user
# Create a deploy user
adduser deploy
usermod -aG sudo deploy
# Copy SSH keys
rsync --archive --chown=deploy:deploy ~/.ssh /home/deploy
# Switch to the new user
su - deploy3
Install containerd
Kata Containers integrates with containerd as its container runtime. Install containerd first, then configure it to use Kata as a runtime class.
Add Docker repository and install containerd
# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg \
| sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg
sudo chmod a+r /etc/apt/keyrings/docker.gpg
# Add the Docker repository
echo "deb [arch=$(dpkg --print-architecture) \
signed-by=/etc/apt/keyrings/docker.gpg] \
https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) stable" \
| sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install containerd
sudo apt update
sudo apt install -y containerd.ioConfigure containerd
# Generate default config
sudo mkdir -p /etc/containerd
containerd config default | sudo tee /etc/containerd/config.toml
# Enable systemd cgroup driver
sudo sed -i "s/SystemdCgroup = false/SystemdCgroup = true/" \
/etc/containerd/config.toml
# Restart containerd
sudo systemctl restart containerd
sudo systemctl enable containerd4
Install Kata Containers
Add Kata Containers repository
# Download and install the Kata Containers GPG key
ARCH=$(uname -m)
BRANCH="stable-3.x"
sudo mkdir -p /etc/apt/keyrings
wget -qO- https://packages.kata-containers.io/kata-containers/\
releases/keys/kata-containers-release.key | \
sudo gpg --dearmor -o /etc/apt/keyrings/kata-containers.gpg
# Add the repository
echo "deb [signed-by=/etc/apt/keyrings/kata-containers.gpg] \
http://packages.kata-containers.io/kata-containers/\
stable/ubuntu/$(lsb_release -cs)/ main" | \
sudo tee /etc/apt/sources.list.d/kata-containers.listInstall and verify Kata runtime
# Install Kata Containers
sudo apt update
sudo apt install -y kata-containers
# Verify the installation
kata-runtime --version
# Run the environment check
sudo kata-runtime checkThe kata-runtime check command validates that your system meets all requirements, including KVM support, kernel configuration, and available resources. All checks should pass on a properly configured RamNode KVM VPS.
Alternative: You can also install from pre-built binaries by downloading the latest tarball from the Kata Containers GitHub releases and extracting it to /opt/kata/.
5
Configure containerd for Kata
Add Kata as a runtime plugin in the containerd configuration file.
Add Kata runtime to /etc/containerd/config.toml
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
privileged_without_host_devices = true
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml"Restart and verify containerd
sudo systemctl restart containerd
sudo systemctl status containerd6
Install nerdctl CLI
nerdctl is a Docker-compatible CLI for containerd that makes it easy to run containers using different runtimes, including Kata.
Download and install nerdctl
# Download nerdctl
NERDCTL_VERSION=$(curl -s https://api.github.com/repos/\
containerd/nerdctl/releases/latest | grep tag_name | \
cut -d \" -f 4 | sed "s/v//")
wget https://github.com/containerd/nerdctl/releases/download/\
v${NERDCTL_VERSION}/nerdctl-${NERDCTL_VERSION}-linux-amd64.tar.gz
# Install
sudo tar -xzf nerdctl-${NERDCTL_VERSION}-linux-amd64.tar.gz \
-C /usr/local/bin/
# Install CNI plugins (required for networking)
CNI_VERSION=$(curl -s https://api.github.com/repos/\
containernetworking/plugins/releases/latest | grep tag_name | \
cut -d \" -f 4 | sed "s/v//")
sudo mkdir -p /opt/cni/bin
wget https://github.com/containernetworking/plugins/releases/download/\
v${CNI_VERSION}/cni-plugins-linux-amd64-v${CNI_VERSION}.tgz
sudo tar -xzf cni-plugins-linux-amd64-v${CNI_VERSION}.tgz -C /opt/cni/bin/7
Run Your First Kata Container
Standard Container (Baseline)
First, run a standard runc container for comparison:
Run standard container
sudo nerdctl run --rm -it alpine uname -r
# Returns the host kernel version (containers share the host kernel)Kata Container (Hardware-Isolated)
Now run the same image using the Kata runtime:
Run Kata container
sudo nerdctl run --rm -it --runtime io.containerd.kata.v2 alpine uname -r
# Returns a DIFFERENT kernel version — the Kata guest kernel
# This confirms hardware-level VM isolationPractical Example: Isolated Web Server
Deploy Nginx in a Kata container
# Run Nginx in a Kata container
sudo nerdctl run -d --name kata-nginx \
--runtime io.containerd.kata.v2 \
-p 8080:80 nginx:alpine
# Verify it's running
sudo nerdctl ps
# Test the web server
curl http://localhost:8080
# Check the kernel inside the container
sudo nerdctl exec kata-nginx uname -r8
Kubernetes Integration (Optional)
If you are running Kubernetes on your RamNode VPS (e.g., via k3s or kubeadm), you can configure Kata as a RuntimeClass to selectively run pods in hardware-isolated VMs.
Create a RuntimeClass
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
name: kata
handler: kataApply RuntimeClass and deploy a pod
# Apply the RuntimeClass
kubectl apply -f kata-runtimeclass.yaml
# Deploy a pod with Kata isolation
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: kata-nginx
spec:
runtimeClassName: kata
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
EOF
# Verify the pod is running
kubectl get pods kata-nginx
# Confirm Kata runtime
kubectl exec kata-nginx -- uname -r9
Performance Tuning
Hypervisor Selection
| Hypervisor | Startup Time | Memory | Best For |
|---|---|---|---|
| QEMU (default) | ~200ms | Moderate | General workloads |
| Cloud Hypervisor | ~100ms | Lower | Microservices |
| Firecracker | ~125ms | Lowest | Serverless / FaaS |
| ACRN | Varies | Low | Real-time / IoT |
Switch to Cloud Hypervisor
Edit /opt/kata/share/defaults/kata-containers/configuration.toml
[hypervisor.clh]
path = "/opt/kata/bin/cloud-hypervisor"
kernel = "/opt/kata/share/kata-containers/vmlinux-clh.container"
image = "/opt/kata/share/kata-containers/kata-containers.img"Memory Configuration
Memory settings in configuration.toml
# Under [hypervisor.qemu]
default_memory = 2048 # MB per container VM
memory_slots = 10 # Hot-pluggable memory slots
memory_offset = 0
# Enable memory hotplug for dynamic scaling
enable_mem_prealloc = false
enable_hugepages = false # Enable if host has hugepagesCPU Pinning
On RamNode VPS plans with 4+ vCPUs, pin Kata VM CPUs for consistent performance:
CPU settings in configuration.toml
default_vcpus = 2
default_maxvcpus = 410
Security Hardening
Enable Seccomp Filtering
Even with VM-level isolation, applying seccomp profiles adds defense in depth:
Seccomp settings in configuration.toml
disable_new_netns = false
sandbox_cgroup_only = true
# Enable seccomp
enable_seccomp = trueRestrict Guest Kernel Parameters
Kernel params in configuration.toml
# Debug mode (for troubleshooting)
kernel_params = "agent.log=debug agent.hotplug_timeout=10"
# Production mode (recommended)
kernel_params = "quiet"Network Isolation
Create isolated network for Kata containers
# Create isolated network
sudo nerdctl network create kata-isolated \
--subnet 172.28.0.0/16
# Run container on isolated network
sudo nerdctl run -d --name secure-app \
--runtime io.containerd.kata.v2 \
--network kata-isolated \
your-app:latest
# Apply UFW rules
sudo ufw allow from 172.28.0.0/16 to any port 5432
sudo ufw deny from 172.28.0.0/16 to any11
Monitoring & Logging
Container runtime metrics
# Check Kata runtime info for a running container
sudo kata-runtime env
# View containerd events
sudo nerdctl events
# Monitor resource usage
sudo nerdctl statsKata-Specific Logging
Enable detailed logging
# In configuration.toml, set:
# enable_debug = true
# View Kata runtime logs
sudo journalctl -u containerd -f | grep kata
# View hypervisor logs
sudo journalctl -t kata-runtime12
Troubleshooting
Common Issues
| Issue | Cause | Solution |
|---|---|---|
| /dev/kvm not found | KVM not enabled | Ensure RamNode KVM plan; contact support |
| kata-runtime check fails | Missing kernel modules | Run: sudo modprobe kvm kvm_intel (or kvm_amd) |
| Container fails to start | Insufficient memory | Increase default_memory in configuration.toml |
| Slow container startup | Using QEMU default | Switch to Cloud Hypervisor |
| Network connectivity issues | CNI plugin missing | Install CNI plugins to /opt/cni/bin/ |
| Permission denied errors | Non-root without config | Run with sudo or configure rootless |
Diagnostic Commands
Debug Kata installation
# Full system check
sudo kata-runtime check --verbose
# Check containerd runtime plugins
sudo ctr plugins ls | grep kata
# Verify containerd config includes Kata
containerd config dump | grep -A5 kata
# Test container creation in debug mode
sudo kata-runtime --log=/tmp/kata.log \
--log-level=debug13
Maintenance
Container cleanup
# List all containers
sudo nerdctl ps -a
# Remove stopped containers
sudo nerdctl container prune -f
# Remove unused images
sudo nerdctl image prune -fUpdate Kata Containers
# Update from package repository
sudo apt update
sudo apt upgrade kata-containers
# Verify the new version
kata-runtime --version
# Restart containerd to pick up changes
sudo systemctl restart containerdQuick Reference Commands
| Action | Command |
|---|---|
| Check KVM support | kvm-ok |
| Verify Kata install | kata-runtime --version |
| System check | sudo kata-runtime check |
| Run Kata container | sudo nerdctl run --runtime io.containerd.kata.v2 ... |
| List containers | sudo nerdctl ps -a |
| View logs | sudo journalctl -u containerd -f |
| Container stats | sudo nerdctl stats |
| Kata environment | sudo kata-runtime env |
| Update Kata | sudo apt upgrade kata-containers |
| containerd status | sudo systemctl status containerd |
Kata Containers Deployed Successfully!
Your RamNode VPS is now running Kata Containers, providing hardware-isolated container security with near-native performance. Each container runs inside its own lightweight VM with a dedicated kernel, giving you the best of both worlds: container simplicity with VM-level security.