diff --git a/docs/design/architecture/README.md b/docs/design/architecture/README.md index 1fc2275b93..89c877b4ef 100644 --- a/docs/design/architecture/README.md +++ b/docs/design/architecture/README.md @@ -510,50 +510,7 @@ created with containerd using our [example command](example-command.md): ## Networking -Containers will typically live in their own, possibly shared, networking namespace. -At some point in a container lifecycle, container engines will set up that namespace -to add the container to a network which is isolated from the host network, but -which is shared between containers - -In order to do so, container engines will usually add one end of a virtual -ethernet (`veth`) pair into the container networking namespace. The other end of -the `veth` pair is added to the host networking namespace. - -This is a very namespace-centric approach as many hypervisors or VM -Managers (VMMs) such as `virt-manager` cannot handle `veth` -interfaces. Typically, `TAP` interfaces are created for VM -connectivity. - -To overcome incompatibility between typical container engines expectations -and virtual machines, Kata Containers networking transparently connects `veth` -interfaces with `TAP` ones using Traffic Control: - -![Kata Containers networking](../arch-images/network.png) - -With a TC filter in place, a redirection is created between the container network and the -virtual machine. As an example, the CNI may create a device, `eth0`, in the container's network -namespace, which is a VETH device. Kata Containers will create a tap device for the VM, `tap0_kata`, -and setup a TC redirection filter to mirror traffic from `eth0`'s ingress to `tap0_kata`'s egress, -and a second to mirror traffic from `tap0_kata`'s ingress to `eth0`'s egress. - -Kata Containers maintains support for MACVTAP, which was an earlier implementation used in Kata. TC-filter -is the default because it allows for simpler configuration, better CNI plugin compatibility, and performance -on par with MACVTAP. - -Kata Containers has deprecated support for bridge due to lacking performance relative to TC-filter and MACVTAP. - -Kata Containers supports both -[CNM](https://github.com/docker/libnetwork/blob/master/docs/design.md#the-container-network-model) -and [CNI](https://github.com/containernetworking/cni) for networking management. - -### Network Hotplug - -Kata Containers has developed a set of network sub-commands and APIs to add, list and -remove a guest network endpoint and to manipulate the guest route table. - -The following diagram illustrates the Kata Containers network hotplug workflow. - -![Network Hotplug](../arch-images/kata-containers-network-hotplug.png) +See the [networking document](networking.md). ## Storage diff --git a/docs/design/architecture/networking.md b/docs/design/architecture/networking.md new file mode 100644 index 0000000000..80a6b7d27a --- /dev/null +++ b/docs/design/architecture/networking.md @@ -0,0 +1,48 @@ +# Networking + +See the [networking document](networking.md). + +Containers will typically live in their own, possibly shared, networking namespace. +At some point in a container lifecycle, container engines will set up that namespace +to add the container to a network which is isolated from the host network, but +which is shared between containers + +In order to do so, container engines will usually add one end of a virtual +ethernet (`veth`) pair into the container networking namespace. The other end of +the `veth` pair is added to the host networking namespace. + +This is a very namespace-centric approach as many hypervisors or VM +Managers (VMMs) such as `virt-manager` cannot handle `veth` +interfaces. Typically, `TAP` interfaces are created for VM +connectivity. + +To overcome incompatibility between typical container engines expectations +and virtual machines, Kata Containers networking transparently connects `veth` +interfaces with `TAP` ones using Traffic Control: + +![Kata Containers networking](../arch-images/network.png) + +With a TC filter in place, a redirection is created between the container network and the +virtual machine. As an example, the CNI may create a device, `eth0`, in the container's network +namespace, which is a VETH device. Kata Containers will create a tap device for the VM, `tap0_kata`, +and setup a TC redirection filter to mirror traffic from `eth0`'s ingress to `tap0_kata`'s egress, +and a second to mirror traffic from `tap0_kata`'s ingress to `eth0`'s egress. + +Kata Containers maintains support for MACVTAP, which was an earlier implementation used in Kata. TC-filter +is the default because it allows for simpler configuration, better CNI plugin compatibility, and performance +on par with MACVTAP. + +Kata Containers has deprecated support for bridge due to lacking performance relative to TC-filter and MACVTAP. + +Kata Containers supports both +[CNM](https://github.com/docker/libnetwork/blob/master/docs/design.md#the-container-network-model) +and [CNI](https://github.com/containernetworking/cni) for networking management. + +## Network Hotplug + +Kata Containers has developed a set of network sub-commands and APIs to add, list and +remove a guest network endpoint and to manipulate the guest route table. + +The following diagram illustrates the Kata Containers network hotplug workflow. + +![Network Hotplug](../arch-images/kata-containers-network-hotplug.png)