Kubernetes & security
Posted Apr 22, 2017 3:09 UTC (Sat) by bergwolf (guest, #55931)
In reply to: Kubernetes & security by mjg59
Parent article: Kubernetes & security
To compare hypercontainer and rkt's kvm-based stage1 is in fact comparing hypercontainer vs. clearcontainer since kvm-based stage1 in rkt leverages clearcontainer.
hypercontainer and clearcontainer are different implementations of the same idea of hypervisor-based appc runtime. One difference is that clearcontainer depends on a highly-customised qemu-kvm called qemu-lite, while hypercontainer is hypervisor-agnostic (qemu-kvm, xen, virtual box) and architecture-agnostic (X86_64, arm, ppc, s390). Another perhaps more important difference is that hypercontainer works on the de facto standard docker images while clearcontainer/rkt works on the rkt image format ACI and needs conversion to work with docker images.
One common part is that clearcontainer uses hypercontainer's core component hyperstart as its management portal inside the virtual machine. While these two are different implementations, there is ongoing work to unify the common part of them as virtcontainer.
