2026-02-18
Setup Kata Containers
Download the static release for your system. It expands everything to ./opt/kata. I recommend moving the kata folder to /opt. Then create symlinks:
sudo ln -sf /opt/kata/bin/kata-runtime /usr/local/bin/kata-runtime
sudo ln -sf /opt/kata/bin/containerd-shim-kata-v2 /usr/local/bin/containerd-shim-kata-v2
sudo ln -s /opt/kata/share/defaults/kata-containers /etc/kata-containers
Run kata-runtime check to load and verify everything:
# Initially I had to run
sudo kata-runtime check
# Then I could run
kata-runtime check
# Optionally
kata-runtime version
kata-runtime env
Presuming your check returns "System is capable of running Kata Containers", you can run the following docker command:
sudo docker run --rm -ti --runtime io.containerd.run.kata.v2 ubuntu /bin/bash
That command will do the usual downloading of an ubuntu:latest image if one is not already cached on the system. The --rm -ti flags are for cleanup on exit and attaching to STDIO. Finally, --runtime defines the runtime system to use. To docker, this is simply a string. The string is then passed to containerd, where it's chopped up and converted into containerd-shim-kata-v2. By default, docker uses io.containerd.run.runc.v2.
If all goes well, the above command will drop you into a bash prompt similar to:
root@50f07071b45b:/#
At this point, you are running in a QEMU-isolated environment.
Verifying Isolation
Try these on host, runc, and kata to see the differences:
uname -a
cat /proc/cmdline
mount
dmesg   # Note: works in kata, not in runc
Rerun the Kata container with privileged mode and it will have no access to the host kernel.
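The comparison above can be scripted. This is an added example, not part of the original post: it fingerprints the kernel with uname -r and /proc/cmdline on the host, under Docker's default runtime, and under Kata, and reports whether each container shares the host kernel. The script name check-isolation.sh and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): automate the host/runc/Kata comparison.
# Assumes the invoking user may talk to Docker (or run the script under sudo).

# Kernel fingerprint built from the page's own probes: uname and /proc/cmdline.
FINGERPRINT='printf "%s|%s\n" "$(uname -r)" "$(cat /proc/cmdline)"'

# containerd derives the shim binary from the last two dot-separated fields of
# the runtime string: io.containerd.run.kata.v2 -> containerd-shim-kata-v2.
shim_for_runtime() {
    shim=$(printf '%s\n' "$1" |
        awk -F. 'NF >= 2 && $1 != "" { print "containerd-shim-" $(NF-1) "-" $NF }')
    [ -n "$shim" ] && printf '%s\n' "$shim"
}

# Compare the fingerprint seen on the host ($1) with the one seen in a container ($2).
kernel_verdict() {
    if [ -z "$2" ]; then
        echo "unknown"                 # container did not start or printed nothing
    elif [ "$1" = "$2" ]; then
        echo "shared-host-kernel"      # namespaces only, as with runc
    else
        echo "separate-guest-kernel"   # own kernel, as expected under Kata
    fi
}

# Run the fingerprint in a throwaway container; empty $1 means Docker's default runtime.
probe() {
    if [ -n "$1" ]; then
        docker run --rm --runtime "$1" ubuntu /bin/sh -c "$FINGERPRINT"
    else
        docker run --rm ubuntu /bin/sh -c "$FINGERPRINT"
    fi
}

# Only touch Docker when invoked as: sh check-isolation.sh run
# (check-isolation.sh is a hypothetical file name for this example)
if [ "${1:-}" = "run" ]; then
    kata=io.containerd.run.kata.v2
    command -v "$(shim_for_runtime "$kata")" >/dev/null ||
        echo "warning: $(shim_for_runtime "$kata") is not on PATH" >&2
    host=$(sh -c "$FINGERPRINT")
    echo "default runtime: $(kernel_verdict "$host" "$(probe "" 2>/dev/null)")"
    echo "kata runtime:    $(kernel_verdict "$host" "$(probe "$kata" 2>/dev/null)")"
fi
```

A shared-host-kernel verdict on the kata line means the container reported the host's own kernel release and command line, so it is not running inside a Kata guest.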