Containers will replace virtual machines. So they said, but looking at the statistics and, for example, at the Kata Containers project, I think that these two coexist very well.
Currently, two-thirds of OpenStack, Docker, and Kubernetes users are the same people. What happened, that after the initial enthusiasm for containers a moment of reflection came and virtual machines returned to favor?
Security. It is no secret that the biggest advantage of containers is also their biggest weakness. Containers are lightweight and start quickly because they all run on the shared host kernel, isolated from each other only by namespaces and cgroups. But for the same reason, an attacker who controls one container is a single kernel vulnerability or misconfiguration away from the host and from every other container running on it. Virtual machines put a hypervisor boundary at this layer, each guest with its own kernel, which is a much stronger separation and therefore more secure. What if we could connect these two worlds?
A good idea. A common approach is to put K8s clusters into virtual machines so that each project or application gets its own container cluster. Using OpenStack as the layer that runs K8s improves the situation, although it is still not ideal, because now there are two intermediate layers to manage. And it gets more complicated still: OpenStack is an extremely flexible but also complicated environment to operate. Currently the most popular way to deploy and maintain it is Kolla Ansible, which is nothing but OpenStack services running in containers. Can you see where this is going?
Exactly: Kata Containers. The project has been developed under OpenInfra (the OpenStack Foundation) for over three years, and it was born in the labs of Intel and Hyper. Even though big companies such as IBM and Oracle have joined, it remains an open source project with a very active community. What is it about? Kata Containers packs each container (more precisely, each pod) into a lightweight virtual machine with its own, heavily trimmed guest kernel whose only job is to run the container. So pods are separated by the server's virtualization mechanisms, while orchestration is still done with K8s, for example, and the orchestrator does not even know it is dealing with a VM. This works because the Kata runtime on the host talks to a small agent inside the guest VM over a dedicated channel, so from the outside it behaves like any other container runtime. Such containers start more slowly than native ones, but they get the isolation of a virtual machine. And, importantly, containers and virtual machines can coexist in one OpenStack environment, which was to be proved.
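To make the "orchestrator does not even know" point concrete, here is an added example (not from the original post and not the Kata project's own code): a Kubernetes RuntimeClass that maps to a Kata handler, plus two otherwise identical pods, one on the default runc runtime and one on Kata. It assumes that containerd on the node has already been configured with a runtime handler named `kata` pointing at the Kata shim; the handler name, the pod names and the image are assumptions chosen for illustration.

```yaml
# Added example, not from the original post or the Kata project.
# Assumes containerd already has a runtime handler named "kata"
# (runtime_type io.containerd.kata.v2); the name is an assumption.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
---
# Baseline pod: an ordinary process sharing the host kernel (default runc runtime).
apiVersion: v1
kind: Pod
metadata:
  name: probe-runc
spec:
  containers:
    - name: probe
      image: alpine:3.19
      command: ["sleep", "infinity"]
---
# Same workload, but scheduled through the Kata RuntimeClass: the pod runs
# inside a microVM with its own guest kernel. The spec differs by one line.
apiVersion: v1
kind: Pod
metadata:
  name: probe-kata
spec:
  runtimeClassName: kata
  containers:
    - name: probe
      image: alpine:3.19
      command: ["sleep", "infinity"]
```

Apply it with `kubectl apply -f` and then compare `kubectl exec probe-runc -- uname -r` with `uname -r` on the node itself: they match, because the runc container is just a process on the host kernel. `kubectl exec probe-kata -- uname -r` typically reports a different version, the guest kernel shipped with Kata, and `cat /proc/cpuinfo` inside that pod shows the microVM's small virtual CPU set rather than the node's hardware. That difference is the isolation boundary described above, while from the Kubernetes API's point of view both objects are plain pods, which is why the orchestrator never has to know that a VM is involved.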