doc-exports/docs/cce/umn/cce_10_0463.html
qiujiandong1 6d480dcc20 CCE UMN update 20250912 version
Reviewed-by: Eotvos, Oliver <oliver.eotvos@t-systems.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2025-10-29 10:20:57 +00:00

<a name="cce_10_0463"></a>
<h1 class="topictitle1">Secure Runtime and Common Runtime</h1>
<div id="body0000001389560674"><p id="cce_10_0463__p13611030182615">Compared with a common runtime, a secure runtime runs each container (pod) in its own micro-VM with a separate OS kernel, which provides isolation at the virtualization layer. With a secure runtime, kernels, compute resources, and networks are isolated between containers, so pod resources and data cannot be preempted or stolen by other pods on the same node.</p>
<p id="cce_10_0463__p119042411320">CCE Turbo clusters allow you to create workloads using a common runtime or secure runtime as required. The differences between them are as follows.</p>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_0463__table7735928151311" frame="border" border="1" rules="all"><thead align="left"><tr id="cce_10_0463__row1978816285135"><th align="left" class="cellrowborder" valign="top" width="20%" id="mcps1.3.3.1.4.1.1"><p id="cce_10_0463__p7788142811132"><strong id="cce_10_0463__b867383211104">Category</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="50%" id="mcps1.3.3.1.4.1.2"><p id="cce_10_0463__p17788112811134"><strong id="cce_10_0463__b173594361656">Secure Runtime</strong></p>
</th>
<th align="left" class="cellrowborder" valign="top" width="30%" id="mcps1.3.3.1.4.1.3"><p id="cce_10_0463__p2078842881319"><strong id="cce_10_0463__b2019218481753">Common Runtime</strong></p>
</th>
</tr>
</thead>
<tbody><tr id="cce_10_0463__row185153106411"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p152517212098">Node type used to run containers</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p75254214913">ECS (PM)</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><p id="cce_10_0463__p7525021599">ECS (VM)</p>
<p id="cce_10_0463__p1266116194597">ECS (PM)</p>
</td>
</tr>
<tr id="cce_10_0463__row953462111916"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p65258219915">Container engine</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p8525821797">containerd</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><p id="cce_10_0463__p115259211298">Docker and containerd</p>
</td>
</tr>
<tr id="cce_10_0463__row68981259143316"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p1989855911335">Container runtime</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p12898185920339">Kata</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><p id="cce_10_0463__p1889814594334">runC</p>
</td>
</tr>
<tr id="cce_10_0463__row125346216916"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p1052519218916">Container kernel</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p75252211696">Exclusive kernel</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><p id="cce_10_0463__p1752510211993">Sharing the kernel with the host</p>
</td>
</tr>
<tr id="cce_10_0463__row453414211995"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p552562119914">Container isolation</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p252514211797">Lightweight VMs</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><p id="cce_10_0463__p185251921799">cgroups and namespaces</p>
</td>
</tr>
<tr id="cce_10_0463__row145341921791"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p35256211999">Container engine storage driver</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p752582113913">Device Mapper</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><ul id="cce_10_0463__ul5865193217160"><li id="cce_10_0463__li5865153261616">Docker container: OverlayFS2</li><li id="cce_10_0463__li186553216168">containerd container: OverlayFS</li></ul>
</td>
</tr>
<tr id="cce_10_0463__row1753372115912"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p11525321495"><a href="https://kubernetes.io/docs/concepts/scheduling-eviction/pod-overhead/" target="_blank" rel="noopener noreferrer">Pod overhead</a></p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p69621414132319">Memory: 100 MiB</p>
<p id="cce_10_0463__p1213422142320">CPU: 0.1 cores</p>
<p id="cce_10_0463__p1325184142613">Pod overhead is a feature for accounting for the resources consumed by the pod infrastructure on top of the container requests and limits. For example, if <strong id="cce_10_0463__b19570174910375">limits.cpu</strong> is set to 0.5 cores and <strong id="cce_10_0463__b1357014943714">limits.memory</strong> to 256 MiB for a pod, the pod will request 0.6 CPU cores and 356 MiB of memory.</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><p id="cce_10_0463__p1452510214911">None</p>
</td>
</tr>
<tr id="cce_10_0463__row114111106308"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p54113033015">Minimum flavor</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p104113013304">Memory: 256 MiB</p>
<p id="cce_10_0463__p540452918310">CPU: 0.25 cores</p>
<p id="cce_10_0463__p0859515379">It is recommended that the ratio of CPU (unit: core) to memory (unit: GiB) be in the range of 1:1 to 1:8. For example, if the CPU is 0.5 cores, the memory should range from 512 MiB to 4 GiB.</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><p id="cce_10_0463__p34112093012">None</p>
</td>
</tr>
<tr id="cce_10_0463__row68812038164219"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p1878862812136">Container engine CLI</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p478819289134">crictl</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><ul id="cce_10_0463__ul1160995515160"><li id="cce_10_0463__li56099555163">Docker container: docker</li><li id="cce_10_0463__li6609155501615">containerd container: crictl</li></ul>
</td>
</tr>
<tr id="cce_10_0463__row55101249388"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p145100242386">Pod computing resources</p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p77887281138">The request and limit values must be the same for both CPU and memory.</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><p id="cce_10_0463__p127886286135">The request and limit values can differ for CPU and memory.</p>
</td>
</tr>
<tr id="cce_10_0463__row141611128378"><td class="cellrowborder" valign="top" width="20%" headers="mcps1.3.3.1.4.1.1 "><p id="cce_10_0463__p31681214377"><a href="cce_10_0402.html">hostNetwork</a></p>
</td>
<td class="cellrowborder" valign="top" width="50%" headers="mcps1.3.3.1.4.1.2 "><p id="cce_10_0463__p46341018133713">Not supported</p>
</td>
<td class="cellrowborder" valign="top" width="30%" headers="mcps1.3.3.1.4.1.3 "><p id="cce_10_0463__p13634118193715">Supported</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_10_0130.html">Configuring a Workload</a></div>
</div>
</div>