diff --git a/docs/how-to/containerd-kata.md b/docs/how-to/containerd-kata.md
index 9cd82128dd..6a7449aea8 100644
--- a/docs/how-to/containerd-kata.md
+++ b/docs/how-to/containerd-kata.md
@@ -72,7 +72,6 @@ $ command -v containerd ### Install CNI plugins -> **Note:** You do not need to install CNI plugins if you do not want to use containerd with Kubernetes. > If you have installed Kubernetes with `kubeadm`, you might have already installed the CNI plugins. You can manually install CNI plugins as follows:
@@ -131,74 +130,42 @@ For The `RuntimeClass` is suggested. -The following configuration includes three runtime classes: +The following configuration includes two runtime classes: - `plugins.cri.containerd.runtimes.runc`: the runc, and it is the default runtime. - `plugins.cri.containerd.runtimes.kata`: The function in containerd (reference [the document here](https://github.com/containerd/containerd/tree/master/runtime/v2#binary-naming)) where the dot-connected string `io.containerd.kata.v2` is translated to `containerd-shim-kata-v2` (i.e. the binary name of the Kata implementation of [Containerd Runtime V2 (Shim API)](https://github.com/containerd/containerd/tree/master/runtime/v2)). -- `plugins.cri.containerd.runtimes.katacli`: the `containerd-shim-runc-v1` calls `kata-runtime`, which is the legacy process. ```toml [plugins.cri.containerd] no_pivot = false [plugins.cri.containerd.runtimes] - [plugins.cri.containerd.runtimes.runc] - runtime_type = "io.containerd.runc.v1" - [plugins.cri.containerd.runtimes.runc.options] - NoPivotRoot = false - NoNewKeyring = false - ShimCgroup = "" - IoUid = 0 - IoGid = 0 - BinaryName = "runc" - Root = "" - CriuPath = "" - SystemdCgroup = false + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + privileged_without_host_devices = false + runtime_type = "io.containerd.runc.v2" + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] + BinaryName = "" + CriuImagePath = "" + CriuPath = "" + CriuWorkPath = "" + IoGid = 0 [plugins.cri.containerd.runtimes.kata] runtime_type = "io.containerd.kata.v2" - [plugins.cri.containerd.runtimes.katacli] - runtime_type = "io.containerd.runc.v1" - [plugins.cri.containerd.runtimes.katacli.options] - NoPivotRoot = false - NoNewKeyring = false - ShimCgroup = "" - IoUid = 0 - IoGid = 0 - BinaryName = "/usr/bin/kata-runtime" - Root = "" - CriuPath = "" - SystemdCgroup = false -``` - -From Containerd v1.2.4 and Kata v1.6.0, there is a new runtime option supported, which allows 
you to specify a specific Kata configuration file as follows: - -```toml - [plugins.cri.containerd.runtimes.kata] - runtime_type = "io.containerd.kata.v2" - privileged_without_host_devices = true - [plugins.cri.containerd.runtimes.kata.options] - ConfigPath = "/etc/kata-containers/config.toml" + privileged_without_host_devices = true + pod_annotations = ["io.katacontainers.*"] + container_annotations = ["io.katacontainers.*"] + [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options] + ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml" ``` `privileged_without_host_devices` tells containerd that a privileged Kata container should not have direct access to all host devices. If unset, containerd will pass all host devices to Kata container, which may cause security issues. +`pod_annotations` is the list of pod annotations passed to both the pod sandbox as well as container through the OCI config. + +`container_annotations` is the list of container annotations passed through to the OCI config of the containers. + This `ConfigPath` option is optional. If you do not specify it, shimv2 first tries to get the configuration file from the environment variable `KATA_CONF_FILE`. If neither are set, shimv2 will use the default Kata configuration file paths (`/etc/kata-containers/configuration.toml` and `/usr/share/defaults/kata-containers/configuration.toml`). -If you use Containerd older than v1.2.4 or a version of Kata older than v1.6.0 and also want to specify a configuration file, you can use the following workaround, since the shimv2 accepts an environment variable, `KATA_CONF_FILE` for the configuration file path. 
Then, you can create a -shell script with the following: - -```bash -#!/usr/bin/env bash -KATA_CONF_FILE=/etc/kata-containers/firecracker.toml containerd-shim-kata-v2 $@ -``` - -Name it as `/usr/local/bin/containerd-shim-katafc-v2` and reference it in the configuration of containerd: - -```toml - [plugins.cri.containerd.runtimes.kata-firecracker] - runtime_type = "io.containerd.katafc.v2" -``` - #### Kata Containers as the runtime for untrusted workload For cases without `RuntimeClass` support, we can use the legacy annotation method to support using Kata Containers
@@ -218,28 +185,8 @@ and then, run an untrusted workload with Kata Containers: runtime_type = "io.containerd.kata.v2" ``` -For the earlier versions of Kata Containers and containerd that do not support Runtime V2 (Shim API), you can use the following alternative configuration: - -```toml - [plugins.cri.containerd] - - # "plugins.cri.containerd.default_runtime" is the runtime to use in containerd. - [plugins.cri.containerd.default_runtime] - # runtime_type is the runtime type to use in containerd e.g. io.containerd.runtime.v1.linux - runtime_type = "io.containerd.runtime.v1.linux" - - # "plugins.cri.containerd.untrusted_workload_runtime" is a runtime to run untrusted workloads on it. - [plugins.cri.containerd.untrusted_workload_runtime] - # runtime_type is the runtime type to use in containerd e.g. io.containerd.runtime.v1.linux - runtime_type = "io.containerd.runtime.v1.linux" - - # runtime_engine is the name of the runtime engine used by containerd. - runtime_engine = "/usr/bin/kata-runtime" -``` - You can find more information on the [Containerd config documentation](https://github.com/containerd/cri/blob/master/docs/config.md) - #### Kata Containers as the default runtime If you want to set Kata Containers as the only runtime in the deployment, you can simply configure as follows:
@@ -250,15 +197,6 @@ If you want to set Kata Containers as the only runtime in the deployment, you ca runtime_type = "io.containerd.kata.v2" ``` -Alternatively, for the earlier versions of Kata Containers and containerd that do not support Runtime V2 (Shim API), you can use the following alternative configuration: - -```toml - [plugins.cri.containerd] - [plugins.cri.containerd.default_runtime] - runtime_type = "io.containerd.runtime.v1.linux" - runtime_engine = "/usr/bin/kata-runtime" -``` - ### Configuration for `cri-tools` > **Note:** If you skipped the [Install `cri-tools`](#install-cri-tools) section, you can skip this section too.
@@ -312,10 +250,12 @@ To run a container with Kata Containers through the containerd command line, you ```bash $ sudo ctr image pull docker.io/library/busybox:latest -$ sudo ctr run --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/busybox:latest hello sh +$ sudo ctr run --cni --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/busybox:latest hello sh ``` This launches a BusyBox container named `hello`, and it will be removed by `--rm` after it quits. +The `--cni` flag enables CNI networking for the container. Without this flag, a container with just a +loopback interface is created. ### Launch Pods with `crictl` command line
diff --git a/snap/snapcraft.yaml b/snap/snapcraft.yaml
index 06f2899b66..94fd2a8c97 100644
--- a/snap/snapcraft.yaml
+++ b/snap/snapcraft.yaml
@@ -1,4 +1,5 @@ name: kata-containers +website: https://github.com/kata-containers/kata-containers summary: Build lightweight VMs that seamlessly plug into the containers ecosystem description: | Kata Containers is an open source project and community working to build a
@@ -19,10 +20,9 @@ parts: - git-extras override-pull: | version="9999" - kata_url="https://github.com/kata-containers/kata-containers" - if echo "${GITHUB_REF}" | grep -q -E "^refs/tags"; then - version=$(echo ${GITHUB_REF} | cut -d/ -f3) + if echo "${GITHUB_REF:-}" | grep -q -E "^refs/tags"; then + version=$(echo ${GITHUB_REF:-} | cut -d/ -f3) git checkout ${version} fi
@@ -46,7 +46,8 @@ parts: # put everything in stage cd ${SNAPCRAFT_STAGE} - yq_path="./yq" + mkdir -p "${SNAPCRAFT_STAGE}/bin/" + yq_path="${SNAPCRAFT_STAGE}/bin/yq" yq_pkg="github.com/mikefarah/yq" goos="linux" case "$(uname -m)" in
@@ -82,7 +83,7 @@ parts: override-build: | [ "$(uname -m)" = "ppc64le" ] || [ "$(uname -m)" = "s390x" ] && sudo apt-get --no-install-recommends install -y protobuf-compiler - yq=${SNAPCRAFT_STAGE}/yq + yq=${SNAPCRAFT_STAGE}/bin/yq # set GOPATH export GOPATH=${SNAPCRAFT_STAGE}/gopath
@@ -185,7 +186,7 @@ parts: - bison - flex override-build: | - yq=${SNAPCRAFT_STAGE}/yq + yq=${SNAPCRAFT_STAGE}/bin/yq export PATH="${PATH}:${SNAPCRAFT_STAGE}" export GOPATH=${SNAPCRAFT_STAGE}/gopath kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
@@ -249,7 +250,7 @@ parts: - libselinux1-dev - ninja-build override-build: | - yq=${SNAPCRAFT_STAGE}/yq + yq=${SNAPCRAFT_STAGE}/bin/yq export GOPATH=${SNAPCRAFT_STAGE}/gopath export GO111MODULE="auto" kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
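Review bot: `version=$(echo ${GITHUB_REF:-} | cut -d/ -f3)` leaves the expansion unquoted and, because it keeps only the third `/`-separated field, silently truncates any tag whose name itself contains a slash. The `if` on the line above has already established that the ref starts with `refs/tags`, so `version="${GITHUB_REF#refs/tags/}"` yields the same value for ordinary tags, keeps slashes intact, and drops the subshell. For consistency the checkout on the following line should be quoted as well: `git checkout "${version}"`. The override-pull script continues outside the hunk.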
@@ -316,12 +317,47 @@ parts: # Hack: move qemu to / "snap/kata-containers/current/": "./" + virtiofsd: + plugin: nil + after: [godeps] + override-build: | + # Currently, only one platform uses the new rust virtiofsd. The + # others make use of QEMU's C implementation. + # + # See "tools/packaging/scripts/configure-hypervisor.sh". + if [ "$(uname -m)" = 'x86_64' ] + then + echo "INFO: Building rust version of virtiofsd" + else + echo "INFO: Building QEMU's C version of virtiofsd" + # Handled by the 'qemu' part, so nothing more to do here. + exit 0 + fi + + # put everything in stage + cd ${SNAPCRAFT_STAGE} + + export PATH="$PATH:${SNAPCRAFT_STAGE}/bin" + export GOPATH=${SNAPCRAFT_STAGE}/gopath + + kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME} + cd "${kata_dir}" + # Download the rust implementation of virtiofsd + tools/packaging/static-build/virtiofsd/build-static-virtiofsd.sh + sudo install \ + --owner='root' \ + --group='root' \ + --mode=0755 \ + -D \ + --target-directory="${SNAPCRAFT_PART_INSTALL}/usr/libexec/" \ + virtiofsd/virtiofsd + cloud-hypervisor: plugin: nil after: [godeps] override-build: | arch=$(uname -m) - if [ "{$arch}" == "aarch64" ] || [ "${arch}" == "x64_64" ]; then + if [ "{$arch}" == "aarch64" ] || [ "${arch}" == "x64_64" ]; then sudo apt-get -y update sudo apt-get -y install ca-certificates curl gnupg lsb-release curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --batch --yes --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml
index 43b2e9737a..4687c425e8 100644
--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/api/openapi.yaml
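Review bot: The re-added line `if [ "{$arch}" == "aarch64" ] || [ "${arch}" == "x64_64" ]; then` in the cloud-hypervisor part can never be true: `"{$arch}"` expands to the literal `{aarch64}` (the brace sits outside the `$`) and `x64_64` is a typo for `x86_64`, so the apt update, package install and Docker keyring setup it guards are skipped on both architectures. Since the commit already rewrites this line it should fix it here: `if [ "${arch}" = "aarch64" ] || [ "${arch}" = "x86_64" ]; then` (`=` is the portable test operator). In the new virtiofsd part, the comment `# Download the rust implementation of virtiofsd` sits above a script named `build-static-virtiofsd.sh`; the comment should say what that script leaves in `virtiofsd/virtiofsd` and, if it fetches a prebuilt binary, how its integrity is checked before `sudo install` copies it into `usr/libexec/`. The cloud-hypervisor override-build continues outside the hunk.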
@@ -606,6 +606,7 @@ components: - 3 - 3 num_pci_segments: 3 + serial_number: serial_number pmem: - pci_segment: 6 mergeable: false
@@ -948,6 +949,7 @@ components: - 3 - 3 num_pci_segments: 3 + serial_number: serial_number pmem: - pci_segment: 6 mergeable: false
@@ -1169,6 +1171,7 @@ components: - 3 - 3 num_pci_segments: 3 + serial_number: serial_number properties: num_pci_segments: format: int16
@@ -1178,6 +1181,8 @@ components: format: int16 type: integer type: array + serial_number: + type: string type: object MemoryZoneConfig: example:
diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PlatformConfig.md b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PlatformConfig.md
index 91adf0d99c..832444c1fe 100644
--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PlatformConfig.md
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/docs/PlatformConfig.md
@@ -6,6 +6,7 @@ Name | Type | Description | Notes ------------ | ------------- | ------------- | ------------- **NumPciSegments** | Pointer to **int32** | | [optional] **IommuSegments** | Pointer to **[]int32** | | [optional] +**SerialNumber** | Pointer to **string** | | [optional] ## Methods
@@ -76,6 +77,31 @@ SetIommuSegments sets IommuSegments field to given value. HasIommuSegments returns a boolean if a field has been set. +### GetSerialNumber + +`func (o *PlatformConfig) GetSerialNumber() string` + +GetSerialNumber returns the SerialNumber field if non-nil, zero value otherwise. + +### GetSerialNumberOk + +`func (o *PlatformConfig) GetSerialNumberOk() (*string, bool)` + +GetSerialNumberOk returns a tuple with the SerialNumber field if it's non-nil, zero value otherwise +and a boolean to check if the value has been set. + +### SetSerialNumber + +`func (o *PlatformConfig) SetSerialNumber(v string)` + +SetSerialNumber sets SerialNumber field to given value. + +### HasSerialNumber + +`func (o *PlatformConfig) HasSerialNumber() bool` + +HasSerialNumber returns a boolean if a field has been set. + [[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_platform_config.go b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_platform_config.go
index e480c8a911..17e8827f84 100644
--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_platform_config.go
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/client/model_platform_config.go
@@ -18,6 +18,7 @@ import ( type PlatformConfig struct { NumPciSegments *int32 `json:"num_pci_segments,omitempty"` IommuSegments *[]int32 `json:"iommu_segments,omitempty"` + SerialNumber *string `json:"serial_number,omitempty"` } // NewPlatformConfig instantiates a new PlatformConfig object
@@ -101,6 +102,38 @@ func (o *PlatformConfig) SetIommuSegments(v []int32) { o.IommuSegments = &v } +// GetSerialNumber returns the SerialNumber field value if set, zero value otherwise. +func (o *PlatformConfig) GetSerialNumber() string { + if o == nil || o.SerialNumber == nil { + var ret string + return ret + } + return *o.SerialNumber +} + +// GetSerialNumberOk returns a tuple with the SerialNumber field value if set, nil otherwise +// and a boolean to check if the value has been set. +func (o *PlatformConfig) GetSerialNumberOk() (*string, bool) { + if o == nil || o.SerialNumber == nil { + return nil, false + } + return o.SerialNumber, true +} + +// HasSerialNumber returns a boolean if a field has been set. +func (o *PlatformConfig) HasSerialNumber() bool { + if o != nil && o.SerialNumber != nil { + return true + } + + return false +} + +// SetSerialNumber gets a reference to the given string and assigns it to the SerialNumber field. +func (o *PlatformConfig) SetSerialNumber(v string) { + o.SerialNumber = &v +} + func (o PlatformConfig) MarshalJSON() ([]byte, error) { toSerialize := map[string]interface{}{} if o.NumPciSegments != nil {
@@ -109,6 +142,9 @@ func (o PlatformConfig) MarshalJSON() ([]byte, error) { if o.IommuSegments != nil { toSerialize["iommu_segments"] = o.IommuSegments } + if o.SerialNumber != nil { + toSerialize["serial_number"] = o.SerialNumber + } return json.Marshal(toSerialize) }
diff --git a/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml b/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml
index 8861f1e710..4c0cff139a 100644
--- a/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml
+++ b/src/runtime/virtcontainers/pkg/cloud-hypervisor/cloud-hypervisor.yaml
@@ -616,6 +616,8 @@ components: items: type: integer format: int16 + serial_number: + type: string MemoryZoneConfig: required:
diff --git a/src/tools/runk/libcontainer/src/builder.rs b/src/tools/runk/libcontainer/src/builder.rs
index 738c639ae2..28bb730461 100644
--- a/src/tools/runk/libcontainer/src/builder.rs
+++ b/src/tools/runk/libcontainer/src/builder.rs
@@ -37,20 +37,20 @@ impl Container { // If the rootfs path in the spec file is a relative path, // convert it into a canonical path to pass validation of rootfs in the agent. if !&rootfs_path.is_absolute() { - let rootfs_name = rootfs_path - .file_name() - .ok_or_else(|| anyhow!("invalid rootfs name"))?; spec_root.path = bundle_canon - .join(rootfs_name) + .join(rootfs_path) + .canonicalize()? .to_str() .map(|s| s.to_string()) - .ok_or_else(|| anyhow!("failed to convert bundle path"))?; + .ok_or_else(|| { + anyhow!("failed to convert a rootfs path into a canonical path") + })?; } } Ok(ContainerContext { id: self.id, - bundle: self.bundle, + bundle: bundle_canon, state_root: self.root, spec, // TODO: liboci-cli does not support --no-pivot option for create and run command.
diff --git a/src/tools/runk/libcontainer/src/container.rs b/src/tools/runk/libcontainer/src/container.rs
index d5464e9239..2d8b423178 100644
--- a/src/tools/runk/libcontainer/src/container.rs
+++ b/src/tools/runk/libcontainer/src/container.rs
@@ -95,6 +95,7 @@ impl ContainerContext { let oci_state = ctr.oci_state()?; let status = Status::new( &self.state_root, + &self.bundle, oci_state, ctr.init_process_start_time, ctr.created,
@@ -141,7 +142,7 @@ mod tests { #[test] fn test_get_fifo_path() { - let test_data = PathBuf::from(TEST_BUNDLE_PATH) + let test_data = PathBuf::from(TEST_STATE_ROOT_PATH) .join(TEST_CONTAINER_ID) .join(EXEC_FIFO_FILENAME); let status = create_dummy_status();
diff --git a/src/tools/runk/libcontainer/src/status.rs b/src/tools/runk/libcontainer/src/status.rs
index 21ba00cda4..3cd9768b10 100644
--- a/src/tools/runk/libcontainer/src/status.rs
+++ b/src/tools/runk/libcontainer/src/status.rs
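Review bot: `.canonicalize()?` on `bundle_canon.join(rootfs_path)` resolves `..` components and symlinks, so a relative `root.path` taken from the bundle's spec can now end up pointing at a directory outside `bundle_canon`, whereas the removed `file_name()` step had pinned it to a direct child of the bundle; if containment is intended, check the canonical result with `starts_with(&bundle_canon)` before assigning it, otherwise say in the comment above that symlinks and parent components are followed. The bare `?` also discards which path failed to canonicalize, so a missing rootfs directory surfaces as a context-free `io::Error`; borrowing in `.join(&rootfs_path)` and writing `.canonicalize().with_context(|| format!("failed to canonicalize rootfs path {}", rootfs_path.display()))?` keeps the path in the message, assuming `anyhow::Context` is imported in this file. Note that the absolute-path branch leaves `spec_root.path` untouched, so only relative paths are made canonical; if the agent-side validation mentioned in the comment needs canonical paths in both cases, that gap predates this change. The enclosing function starts before the hunk, where `bundle_canon` and `rootfs_path` are defined.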
@@ -42,6 +42,7 @@ pub struct Status { impl Status { pub fn new( root: &Path, + bundle: &Path, oci_state: OCIState, process_start_time: u64, created_time: SystemTime,
@@ -64,7 +65,7 @@ impl Status { id: oci_state.id, pid: oci_state.pid, root: root.to_path_buf(), - bundle: PathBuf::from(&oci_state.bundle), + bundle: bundle.to_path_buf(), rootfs, process_start_time, created,
@@ -209,6 +210,7 @@ mod tests { let oci_state = create_dummy_oci_state(); let created = SystemTime::now(); let status = Status::new( + Path::new(TEST_STATE_ROOT_PATH), Path::new(TEST_BUNDLE_PATH), oci_state.clone(), 1,
diff --git a/src/tools/runk/libcontainer/src/utils.rs b/src/tools/runk/libcontainer/src/utils.rs
index 5a356d7c2d..dcd9f7f7f1 100644
--- a/src/tools/runk/libcontainer/src/utils.rs
+++ b/src/tools/runk/libcontainer/src/utils.rs
@@ -45,7 +45,8 @@ pub(crate) mod test_utils { use std::time::SystemTime; pub const TEST_CONTAINER_ID: &str = "test"; - pub const TEST_BUNDLE_PATH: &str = "/test"; + pub const TEST_STATE_ROOT_PATH: &str = "/state"; + pub const TEST_BUNDLE_PATH: &str = "/bundle"; pub const TEST_ANNOTATION: &str = "test"; pub const TEST_CGM_DATA: &str = r#"{ "paths": {
@@ -92,6 +93,7 @@ pub(crate) mod test_utils { let oci_state = create_dummy_oci_state(); let created = SystemTime::now(); let status = Status::new( + Path::new(TEST_STATE_ROOT_PATH), Path::new(TEST_BUNDLE_PATH), oci_state.clone(), 1,
diff --git a/versions.yaml b/versions.yaml
index 482f5ce9ed..7b13646b33 100644
--- a/versions.yaml
+++ b/versions.yaml
@@ -75,7 +75,7 @@ assets: url: "https://github.com/cloud-hypervisor/cloud-hypervisor" uscan-url: >- https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz - version: "v23.1" + version: "v24.0" firecracker: description: "Firecracker micro-VMM"
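Review bot: `Status::new` now takes two adjacent `&Path` parameters, `root` and `bundle`, with no doc comment saying which is which, and the call-site updates in this commit (container.rs plus the status.rs and utils.rs tests) show how easily the positional order is transposed without the compiler noticing. A doc comment on `new` such as `/// root: the runtime state directory. bundle: the canonical bundle path stored in the status file; oci_state.bundle is no longer used for this field.` would make the contract explicit. Since the second hunk replaces `PathBuf::from(&oci_state.bundle)` with `bundle.to_path_buf()`, the two values can now diverge silently, so the comment should also state whether callers are expected to keep them consistent. The signature continues outside the hunk.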