Merge pull request #6352 from stevenhorsman/kata-deploy

kata-deploy: Add cri-o support
2025-08-24 18:52:08 +00:00 · 2023-03-21 13:43:25 +00:00 · 2023-03-21 13:43:25 +00:00 · 7ea4357723
commit 7ea4357723
parent d12e53b5a1 6a7c39824a
1 changed files with 116 additions and 37 deletions
--- a/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh
+++ b/tools/packaging/kata-deploy-cc/scripts/kata-deploy.sh
@ -8,10 +8,13 @@ set -o errexit
 set -o pipefail
 set -o nounset

+crio_drop_in_conf_dir="/etc/crio/crio.conf.d/"
+crio_drop_in_conf_file="${crio_drop_in_conf_dir}/99-kata-deploy"
 containerd_conf_file="/etc/containerd/config.toml"
 containerd_conf_file_backup="${containerd_conf_file}.bak"

 shims=(
+        "remote"
        "qemu"
        "qemu-tdx"
        "qemu-sev"
@ -63,6 +66,9 @@ function configure_cri_runtime() {
 	configure_different_shims_base

 	case $1 in
+	crio)
+		configure_crio
+		;;
 	containerd | k3s | k3s-agent | rke2-agent | rke2-server)
 		configure_containerd
 		;;
@ -138,6 +144,47 @@ function cleanup_different_shims_base() {
 	restore_shim "${default_shim_file}"
 }

+function configure_crio_runtime() {
+	local runtime="kata"
+	local configuration="configuration"
+	if [ -n "${1-}" ]; then
+		runtime+="-$1"
+		configuration+="-$1"
+	fi
+
+	local kata_path="/usr/local/bin/containerd-shim-${runtime}-v2"
+	local kata_conf="crio.runtime.runtimes.${runtime}"
+	local kata_config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml"
+
+	cat <<EOF | tee -a "$crio_drop_in_conf_file"
+
+[$kata_conf]
+	runtime_path = "${kata_path}"
+	runtime_type = "vm"
+	runtime_root = "/run/vc"
+	runtime_config_path = "${kata_config_path}"
+	privileged_without_host_devices = true
+EOF
+}
+
+function configure_crio() {
+        # Configure crio to use Kata:
+        echo "Add Kata Containers as a supported runtime for CRIO:"
+
+        # As we don't touch the original configuration file in any way,
+        # let's just ensure we remove any exist configuration from a
+        # previous deployment.
+        mkdir -p "$crio_drop_in_conf_dir"
+        rm -f "$crio_drop_in_conf_file"
+        touch "$crio_drop_in_conf_file"
+
+        configure_crio_runtime
+
+        for shim in "${shims[@]}"; do
+                configure_crio_runtime $shim
+        done
+}
+
 function configure_containerd_runtime() {
 	local runtime="kata"
 	local configuration="configuration"
@ -151,6 +198,10 @@ function configure_containerd_runtime() {
 	fi
 	local runtime_table="plugins.${pluginid}.containerd.runtimes.$runtime"
 	local runtime_type="io.containerd.$runtime.v2"
+	local cri_handler_value=""
+        if echo "${runtime_type}" | grep -q -v -e "kata-remote\.v2" -e "kata\.v2"; then
+                cri_handler_value="cc"
+	fi
 	local options_table="$runtime_table.options"
 	local config_path="/opt/confidential-containers/share/defaults/kata-containers/$configuration.toml"
 	if grep -q "\[$runtime_table\]" $containerd_conf_file; then
@ -159,7 +210,7 @@ function configure_containerd_runtime() {
 	else
 		cat <<EOF | tee -a "$containerd_conf_file"
 [$runtime_table]
-  cri_handler = "cc"
+  cri_handler = "${cri_handler_value}"
  runtime_type = "${runtime_type}"
  privileged_without_host_devices = true
  pod_annotations = ["io.katacontainers.*"]
@ -219,10 +270,21 @@ function remove_artifacts() {
 function cleanup_cri_runtime() {
 	cleanup_different_shims_base

+	case $1 in
+	crio)
+		cleanup_crio
+		;;
+	containerd | k3s | k3s-agent | rke2-agent | rke2-server)
 		cleanup_containerd
+		;;
+	esac

 }

+function cleanup_crio() {
+	rm $crio_drop_in_conf_file
+}
+
 function cleanup_containerd() {
 	rm -f $containerd_conf_file
 	if [ -f "$containerd_conf_file_backup" ]; then
@ -234,7 +296,9 @@ function reset_runtime() {
 	kubectl label node "$NODE_NAME" katacontainers.io/kata-runtime-
 	systemctl daemon-reload
 	systemctl restart "$1"
+	if [ "$1" == "crio" ] || [ "$1" == "containerd" ]; then
 		systemctl restart kubelet
+	fi
 }

 function main() {
@ -245,14 +309,25 @@ function main() {
 	fi

 	runtime=$(get_container_runtime)
-	if [ "$runtime" != "containerd" ]; then
-		die "$runtime is not supported for now"
+
+	if [ "$runtime" == "k3s" ] || [ "$runtime" == "k3s-agent" ] || [ "$runtime" == "rke2-agent" ] || [ "$runtime" == "rke2-server" ]; then
+		containerd_conf_tmpl_file="${containerd_conf_file}.tmpl"
+		if [ ! -f "$containerd_conf_tmpl_file" ]; then
+			cp "$containerd_conf_file" "$containerd_conf_tmpl_file"
 		fi

+		containerd_conf_file="${containerd_conf_tmpl_file}"
+		containerd_conf_file_backup="${containerd_conf_file}.bak"
+	elif [ "$runtime" == "containerd" ]; then
+		# runtime == containerd
 		if [ ! -f "$containerd_conf_file" ] && [ -d $(dirname "$containerd_conf_file") ] && \
 			[ -x $(command -v containerd) ]; then
 			containerd config default > "$containerd_conf_file"
 		fi
+	# CRI-O isn't consistent with the naming -- let's use crio to match the service file
+	elif [ "$runtime" == "cri-o" ]; then
+		runtime="crio"
+	fi

 	action=${1:-}
 	if [ -z "$action" ]; then
@ -260,6 +335,9 @@ function main() {
 		die "invalid arguments"
 	fi

+	# only install / remove / update if we are dealing with containerd
+	if [[ "$runtime" =~ ^(containerd|k3s|k3s-agent|rke2-agent|rke2-server|crio)$ ]]; then
+
 		case "$action" in
 		install)
 			install_artifacts
@ -279,6 +357,7 @@ function main() {
 			print_usage
 			;;
 		esac
+	fi

 	#It is assumed this script will be called as a daemonset. As a result, do
        # not return, otherwise the daemon will restart and rexecute the script