Merge pull request #6352 from stevenhorsman/kata-deploy

kata-deploy: Add cri-o support
Steve Horsman 2023-03-21 13:43:25 +00:00 committed by GitHub
commit 7ea4357723


@ -8,15 +8,18 @@ set -o errexit
set -o pipefail set -o pipefail
set -o nounset set -o nounset
crio_drop_in_conf_dir="/etc/crio/crio.conf.d/"
crio_drop_in_conf_file="${crio_drop_in_conf_dir}/99-kata-deploy"
containerd_conf_file="/etc/containerd/config.toml" containerd_conf_file="/etc/containerd/config.toml"
containerd_conf_file_backup="${containerd_conf_file}.bak" containerd_conf_file_backup="${containerd_conf_file}.bak"
shims=( shims=(
"qemu" "remote"
"qemu-tdx" "qemu"
"qemu-sev" "qemu-tdx"
"clh" "qemu-sev"
"clh-tdx" "clh"
"clh-tdx"
) )
default_shim="qemu" default_shim="qemu"
@ -63,6 +66,9 @@ function configure_cri_runtime() {
configure_different_shims_base configure_different_shims_base
case $1 in case $1 in
crio)
configure_crio
;;
containerd | k3s | k3s-agent | rke2-agent | rke2-server) containerd | k3s | k3s-agent | rke2-agent | rke2-server)
configure_containerd configure_containerd
;; ;;
@ -138,6 +144,47 @@ function cleanup_different_shims_base() {
restore_shim "${default_shim_file}" restore_shim "${default_shim_file}"
} }
function configure_crio_runtime() {
local runtime="kata"
local configuration="configuration"
if [ -n "${1-}" ]; then
runtime+="-$1"
configuration+="-$1"
fi
local kata_path="/usr/local/bin/containerd-shim-${runtime}-v2"
local kata_conf="crio.runtime.runtimes.${runtime}"
local kata_config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml"
cat <<EOF | tee -a "$crio_drop_in_conf_file"
[$kata_conf]
runtime_path = "${kata_path}"
runtime_type = "vm"
runtime_root = "/run/vc"
runtime_config_path = "${kata_config_path}"
privileged_without_host_devices = true
EOF
}
function configure_crio() {
# Configure crio to use Kata:
echo "Add Kata Containers as a supported runtime for CRIO:"
# As we don't touch the original configuration file in any way,
# let's just ensure we remove any exist configuration from a
# previous deployment.
mkdir -p "$crio_drop_in_conf_dir"
rm -f "$crio_drop_in_conf_file"
touch "$crio_drop_in_conf_file"
configure_crio_runtime
for shim in "${shims[@]}"; do
configure_crio_runtime $shim
done
}
function configure_containerd_runtime() { function configure_containerd_runtime() {
local runtime="kata" local runtime="kata"
local configuration="configuration" local configuration="configuration"
@ -151,6 +198,10 @@ function configure_containerd_runtime() {
fi fi
local runtime_table="plugins.${pluginid}.containerd.runtimes.$runtime" local runtime_table="plugins.${pluginid}.containerd.runtimes.$runtime"
local runtime_type="io.containerd.$runtime.v2" local runtime_type="io.containerd.$runtime.v2"
local cri_handler_value=""
if echo "${runtime_type}" | grep -q -v -e "kata-remote\.v2" -e "kata\.v2"; then
cri_handler_value="cc"
fi
local options_table="$runtime_table.options" local options_table="$runtime_table.options"
local config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml" local config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml"
if grep -q "\[$runtime_table\]" $containerd_conf_file; then if grep -q "\[$runtime_table\]" $containerd_conf_file; then
@ -159,7 +210,7 @@ function configure_containerd_runtime() {
else else
cat <<EOF | tee -a "$containerd_conf_file" cat <<EOF | tee -a "$containerd_conf_file"
[$runtime_table] [$runtime_table]
cri_handler = "cc" cri_handler = "${cri_handler_value}"
runtime_type = "${runtime_type}" runtime_type = "${runtime_type}"
privileged_without_host_devices = true privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"] pod_annotations = ["io.katacontainers.*"]
@ -210,19 +261,30 @@ function remove_artifacts() {
/opt/confidential-containers/bin/cloud-hypervisor \ /opt/confidential-containers/bin/cloud-hypervisor \
/opt/confidential-containers/runtime-rs /opt/confidential-containers/runtime-rs
# Try to remove the /opt/confidential-containers directory. # Try to remove the /opt/confidential-containers directory.
# If it's not empty, don't bother force removing it, as the # If it's not empty, don't bother force removing it, as the
# pre-install script also drops files here. # pre-install script also drops files here.
rmdir --ignore-fail-on-non-empty -p /opt/confidential-containers/bin rmdir --ignore-fail-on-non-empty -p /opt/confidential-containers/bin
} }
function cleanup_cri_runtime() { function cleanup_cri_runtime() {
cleanup_different_shims_base cleanup_different_shims_base
cleanup_containerd case $1 in
crio)
cleanup_crio
;;
containerd | k3s | k3s-agent | rke2-agent | rke2-server)
cleanup_containerd
;;
esac
} }
function cleanup_crio() {
rm $crio_drop_in_conf_file
}
function cleanup_containerd() { function cleanup_containerd() {
rm -f $containerd_conf_file rm -f $containerd_conf_file
if [ -f "$containerd_conf_file_backup" ]; then if [ -f "$containerd_conf_file_backup" ]; then
@ -234,7 +296,9 @@ function reset_runtime() {
kubectl label node "$NODE_NAME" katacontainers.io/kata-runtime- kubectl label node "$NODE_NAME" katacontainers.io/kata-runtime-
systemctl daemon-reload systemctl daemon-reload
systemctl restart "$1" systemctl restart "$1"
systemctl restart kubelet if [ "$1" == "crio" ] || [ "$1" == "containerd" ]; then
systemctl restart kubelet
fi
} }
function main() { function main() {
@ -245,13 +309,24 @@ function main() {
fi fi
runtime=$(get_container_runtime) runtime=$(get_container_runtime)
if [ "$runtime" != "containerd" ]; then
die "$runtime is not supported for now"
fi
if [ ! -f "$containerd_conf_file" ] && [ -d $(dirname "$containerd_conf_file") ] && \ if [ "$runtime" == "k3s" ] || [ "$runtime" == "k3s-agent" ] || [ "$runtime" == "rke2-agent" ] || [ "$runtime" == "rke2-server" ]; then
[ -x $(command -v containerd) ]; then containerd_conf_tmpl_file="${containerd_conf_file}.tmpl"
containerd config default > "$containerd_conf_file" if [ ! -f "$containerd_conf_tmpl_file" ]; then
cp "$containerd_conf_file" "$containerd_conf_tmpl_file"
fi
containerd_conf_file="${containerd_conf_tmpl_file}"
containerd_conf_file_backup="${containerd_conf_file}.bak"
elif [ "$runtime" == "containerd" ]; then
# runtime == containerd
if [ ! -f "$containerd_conf_file" ] && [ -d $(dirname "$containerd_conf_file") ] && \
[ -x $(command -v containerd) ]; then
containerd config default > "$containerd_conf_file"
fi
# CRI-O isn't consistent with the naming -- let's use crio to match the service file
elif [ "$runtime" == "cri-o" ]; then
runtime="crio"
fi fi
action=${1:-} action=${1:-}
@ -260,25 +335,29 @@ function main() {
die "invalid arguments" die "invalid arguments"
fi fi
case "$action" in # only install / remove / update if we are dealing with containerd
install) if [[ "$runtime" =~ ^(containerd|k3s|k3s-agent|rke2-agent|rke2-server|crio)$ ]]; then
install_artifacts
configure_cri_runtime "$runtime" case "$action" in
kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true install)
;; install_artifacts
cleanup) configure_cri_runtime "$runtime"
cleanup_cri_runtime "$runtime" kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=true
kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=cleanup ;;
remove_artifacts cleanup)
;; cleanup_cri_runtime "$runtime"
reset) kubectl label node "$NODE_NAME" --overwrite katacontainers.io/kata-runtime=cleanup
reset_runtime $runtime remove_artifacts
;; ;;
*) reset)
echo invalid arguments reset_runtime $runtime
print_usage ;;
;; *)
esac echo invalid arguments
print_usage
;;
esac
fi
#It is assumed this script will be called as a daemonset. As a result, do #It is assumed this script will be called as a daemonset. As a result, do
# not return, otherwise the daemon will restart and rexecute the script # not return, otherwise the daemon will restart and rexecute the script
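Review bot: `cleanup_crio` in the cleanup hunk runs `rm $crio_drop_in_conf_file` without `-f`, so with the `set -o errexit` shown in the first hunk's context a cleanup on a node where the drop-in was never written (or was already removed) aborts the script before the `kubectl label` and `remove_artifacts` steps of the `cleanup)` arm in `main`; the sibling `cleanup_containerd` already uses `rm -f`, so this should read `rm -f -- "$crio_drop_in_conf_file"`. Quoting also matters because `crio_drop_in_conf_dir` ends in a slash, so the assignment produces `/etc/crio/crio.conf.d//99-kata-deploy`; `crio_drop_in_conf_file="${crio_drop_in_conf_dir}99-kata-deploy"` keeps the path clean. The same unquoted style appears as `configure_crio_runtime $shim` in `configure_crio`; the shim names carry no whitespace today, but `"$shim"` keeps the loop safe if the array ever does.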