CCv0: Merge main into CCv0 branch

Merge remote-tracking branch 'upstream/main' into CCv0

Fixes: #4345
Signed-off-by: Georgina Kinge <Georgina.Kinge@ibm.com>
This commit is contained in:
Georgina Kinge 2022-05-31 13:50:38 +01:00
commit 7eb74e51be
11 changed files with 150 additions and 100 deletions


@ -72,7 +72,6 @@ $ command -v containerd
### Install CNI plugins
> **Note:** You do not need to install CNI plugins if you do not want to use containerd with Kubernetes.
> If you have installed Kubernetes with `kubeadm`, you might have already installed the CNI plugins.
You can manually install CNI plugins as follows:
@ -131,74 +130,42 @@ For
The `RuntimeClass` is suggested.
The following configuration includes three runtime classes:
The following configuration includes two runtime classes:
- `plugins.cri.containerd.runtimes.runc`: the runc, and it is the default runtime.
- `plugins.cri.containerd.runtimes.kata`: The function in containerd (reference [the document here](https://github.com/containerd/containerd/tree/master/runtime/v2#binary-naming))
where the dot-connected string `io.containerd.kata.v2` is translated to `containerd-shim-kata-v2` (i.e. the
binary name of the Kata implementation of [Containerd Runtime V2 (Shim API)](https://github.com/containerd/containerd/tree/master/runtime/v2)).
- `plugins.cri.containerd.runtimes.katacli`: the `containerd-shim-runc-v1` calls `kata-runtime`, which is the legacy process.
```toml
[plugins.cri.containerd]
no_pivot = false
[plugins.cri.containerd.runtimes]
[plugins.cri.containerd.runtimes.runc]
runtime_type = "io.containerd.runc.v1"
[plugins.cri.containerd.runtimes.runc.options]
NoPivotRoot = false
NoNewKeyring = false
ShimCgroup = ""
IoUid = 0
IoGid = 0
BinaryName = "runc"
Root = ""
CriuPath = ""
SystemdCgroup = false
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
privileged_without_host_devices = false
runtime_type = "io.containerd.runc.v2"
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
BinaryName = ""
CriuImagePath = ""
CriuPath = ""
CriuWorkPath = ""
IoGid = 0
[plugins.cri.containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
[plugins.cri.containerd.runtimes.katacli]
runtime_type = "io.containerd.runc.v1"
[plugins.cri.containerd.runtimes.katacli.options]
NoPivotRoot = false
NoNewKeyring = false
ShimCgroup = ""
IoUid = 0
IoGid = 0
BinaryName = "/usr/bin/kata-runtime"
Root = ""
CriuPath = ""
SystemdCgroup = false
```
From Containerd v1.2.4 and Kata v1.6.0, there is a new runtime option supported, which allows you to specify a specific Kata configuration file as follows:
```toml
[plugins.cri.containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
privileged_without_host_devices = true
[plugins.cri.containerd.runtimes.kata.options]
ConfigPath = "/etc/kata-containers/config.toml"
privileged_without_host_devices = true
pod_annotations = ["io.katacontainers.*"]
container_annotations = ["io.katacontainers.*"]
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options]
ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml"
```
`privileged_without_host_devices` tells containerd that a privileged Kata container should not have direct access to all host devices. If unset, containerd will pass all host devices to Kata container, which may cause security issues.
`pod_annotations` is the list of pod annotations passed to both the pod sandbox as well as container through the OCI config.
`container_annotations` is the list of container annotations passed through to the OCI config of the containers.
This `ConfigPath` option is optional. If you do not specify it, shimv2 first tries to get the configuration file from the environment variable `KATA_CONF_FILE`. If neither are set, shimv2 will use the default Kata configuration file paths (`/etc/kata-containers/configuration.toml` and `/usr/share/defaults/kata-containers/configuration.toml`).
If you use Containerd older than v1.2.4 or a version of Kata older than v1.6.0 and also want to specify a configuration file, you can use the following workaround, since the shimv2 accepts an environment variable, `KATA_CONF_FILE` for the configuration file path. Then, you can create a
shell script with the following:
```bash
#!/usr/bin/env bash
KATA_CONF_FILE=/etc/kata-containers/firecracker.toml containerd-shim-kata-v2 $@
```
Name it as `/usr/local/bin/containerd-shim-katafc-v2` and reference it in the configuration of containerd:
```toml
[plugins.cri.containerd.runtimes.kata-firecracker]
runtime_type = "io.containerd.katafc.v2"
```
#### Kata Containers as the runtime for untrusted workload
For cases without `RuntimeClass` support, we can use the legacy annotation method to support using Kata Containers
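Review bot: `privileged_without_host_devices = true` appears twice in the kata block, once at the runtime level and once under `[plugins.cri.containerd.runtimes.kata.options]`; it is a runtime-level key (compare `privileged_without_host_devices = false` directly under the runc runtime table above), so the copy under `options` is ignored by containerd, and the same goes for `pod_annotations` and `container_annotations` placed after the `.options` header. Since the prose below states that leaving it unset makes containerd pass every host device into a privileged Kata container, the new `[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]` section should carry `privileged_without_host_devices = true` and the annotation lists at runtime level, with only `ConfigPath` under `.options`. Minor: the wrapper script should pass `"$@"` quoted so arguments containing spaces reach `containerd-shim-kata-v2` intact.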
@ -218,28 +185,8 @@ and then, run an untrusted workload with Kata Containers:
runtime_type = "io.containerd.kata.v2"
```
For the earlier versions of Kata Containers and containerd that do not support Runtime V2 (Shim API), you can use the following alternative configuration:
```toml
[plugins.cri.containerd]
# "plugins.cri.containerd.default_runtime" is the runtime to use in containerd.
[plugins.cri.containerd.default_runtime]
# runtime_type is the runtime type to use in containerd e.g. io.containerd.runtime.v1.linux
runtime_type = "io.containerd.runtime.v1.linux"
# "plugins.cri.containerd.untrusted_workload_runtime" is a runtime to run untrusted workloads on it.
[plugins.cri.containerd.untrusted_workload_runtime]
# runtime_type is the runtime type to use in containerd e.g. io.containerd.runtime.v1.linux
runtime_type = "io.containerd.runtime.v1.linux"
# runtime_engine is the name of the runtime engine used by containerd.
runtime_engine = "/usr/bin/kata-runtime"
```
You can find more information on the [Containerd config documentation](https://github.com/containerd/cri/blob/master/docs/config.md)
#### Kata Containers as the default runtime
If you want to set Kata Containers as the only runtime in the deployment, you can simply configure as follows:
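Review bot: The link `https://github.com/containerd/cri/blob/master/docs/config.md` that survives this hunk points at the containerd/cri repository, which was merged into containerd itself and archived; now that the pre-Runtime-V2 `io.containerd.runtime.v1.linux` configuration is removed, point readers at the CRI config documentation in the containerd/containerd repository instead so they do not land on an archived tree.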
@ -250,15 +197,6 @@ If you want to set Kata Containers as the only runtime in the deployment, you ca
runtime_type = "io.containerd.kata.v2"
```
Alternatively, for the earlier versions of Kata Containers and containerd that do not support Runtime V2 (Shim API), you can use the following alternative configuration:
```toml
[plugins.cri.containerd]
[plugins.cri.containerd.default_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = "/usr/bin/kata-runtime"
```
### Configuration for `cri-tools`
> **Note:** If you skipped the [Install `cri-tools`](#install-cri-tools) section, you can skip this section too.
@ -312,10 +250,12 @@ To run a container with Kata Containers through the containerd command line, you
```bash
$ sudo ctr image pull docker.io/library/busybox:latest
$ sudo ctr run --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/busybox:latest hello sh
$ sudo ctr run --cni --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/busybox:latest hello sh
```
This launches a BusyBox container named `hello`, and it will be removed by `--rm` after it quits.
The `--cni` flag enables CNI networking for the container. Without this flag, a container with just a
loopback interface is created.
### Launch Pods with `crictl` command line
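Review bot: The new sentence "The `--cni` flag enables CNI networking for the container" should also say that `ctr run --cni` needs the CNI plugins and a network configuration installed on the host; the note earlier in this file says CNI plugins are only needed when containerd is used with Kubernetes, which now contradicts this command. Suggest referring back to the "Install CNI plugins" section here and keeping the loopback-only sentence as the fallback behaviour when the flag is omitted.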


@ -1,4 +1,5 @@
name: kata-containers
website: https://github.com/kata-containers/kata-containers
summary: Build lightweight VMs that seamlessly plug into the containers ecosystem
description: |
Kata Containers is an open source project and community working to build a
@ -19,10 +20,9 @@ parts:
- git-extras
override-pull: |
version="9999"
kata_url="https://github.com/kata-containers/kata-containers"
if echo "${GITHUB_REF}" | grep -q -E "^refs/tags"; then
version=$(echo ${GITHUB_REF} | cut -d/ -f3)
if echo "${GITHUB_REF:-}" | grep -q -E "^refs/tags"; then
version=$(echo ${GITHUB_REF:-} | cut -d/ -f3)
git checkout ${version}
fi
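Review bot: `${GITHUB_REF:-}` correctly guards the unset case under `set -u`, but `version=$(echo ${GITHUB_REF:-} | cut -d/ -f3)` still expands unquoted through `echo` and a subshell; `version="${GITHUB_REF#refs/tags/}"` inside the `if` gives the same tag name without word splitting, and `git checkout "${version}"` should be quoted for the same reason.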
@ -46,7 +46,8 @@ parts:
# put everything in stage
cd ${SNAPCRAFT_STAGE}
yq_path="./yq"
mkdir -p "${SNAPCRAFT_STAGE}/bin/"
yq_path="${SNAPCRAFT_STAGE}/bin/yq"
yq_pkg="github.com/mikefarah/yq"
goos="linux"
case "$(uname -m)" in
@ -82,7 +83,7 @@ parts:
override-build: |
[ "$(uname -m)" = "ppc64le" ] || [ "$(uname -m)" = "s390x" ] && sudo apt-get --no-install-recommends install -y protobuf-compiler
yq=${SNAPCRAFT_STAGE}/yq
yq=${SNAPCRAFT_STAGE}/bin/yq
# set GOPATH
export GOPATH=${SNAPCRAFT_STAGE}/gopath
@ -185,7 +186,7 @@ parts:
- bison
- flex
override-build: |
yq=${SNAPCRAFT_STAGE}/yq
yq=${SNAPCRAFT_STAGE}/bin/yq
export PATH="${PATH}:${SNAPCRAFT_STAGE}"
export GOPATH=${SNAPCRAFT_STAGE}/gopath
kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
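Review bot: `yq` has moved to `${SNAPCRAFT_STAGE}/bin/yq`, yet this part still exports `PATH="${PATH}:${SNAPCRAFT_STAGE}"`, so anything in the build step that calls `yq` by name instead of through `${yq}` will no longer find it. The `virtiofsd` part added later in this file uses `export PATH="$PATH:${SNAPCRAFT_STAGE}/bin"`; use the same here.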
@ -249,7 +250,7 @@ parts:
- libselinux1-dev
- ninja-build
override-build: |
yq=${SNAPCRAFT_STAGE}/yq
yq=${SNAPCRAFT_STAGE}/bin/yq
export GOPATH=${SNAPCRAFT_STAGE}/gopath
export GO111MODULE="auto"
kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
@ -316,12 +317,47 @@ parts:
# Hack: move qemu to /
"snap/kata-containers/current/": "./"
virtiofsd:
plugin: nil
after: [godeps]
override-build: |
# Currently, only one platform uses the new rust virtiofsd. The
# others make use of QEMU's C implementation.
#
# See "tools/packaging/scripts/configure-hypervisor.sh".
if [ "$(uname -m)" = 'x86_64' ]
then
echo "INFO: Building rust version of virtiofsd"
else
echo "INFO: Building QEMU's C version of virtiofsd"
# Handled by the 'qemu' part, so nothing more to do here.
exit 0
fi
# put everything in stage
cd ${SNAPCRAFT_STAGE}
export PATH="$PATH:${SNAPCRAFT_STAGE}/bin"
export GOPATH=${SNAPCRAFT_STAGE}/gopath
kata_dir=${GOPATH}/src/github.com/${SNAPCRAFT_PROJECT_NAME}/${SNAPCRAFT_PROJECT_NAME}
cd "${kata_dir}"
# Download the rust implementation of virtiofsd
tools/packaging/static-build/virtiofsd/build-static-virtiofsd.sh
sudo install \
--owner='root' \
--group='root' \
--mode=0755 \
-D \
--target-directory="${SNAPCRAFT_PART_INSTALL}/usr/libexec/" \
virtiofsd/virtiofsd
cloud-hypervisor:
plugin: nil
after: [godeps]
override-build: |
arch=$(uname -m)
if [ "{$arch}" == "aarch64" ] || [ "${arch}" == "x64_64" ]; then
if [ "{$arch}" == "aarch64" ] || [ "${arch}" == "x64_64" ]; then
sudo apt-get -y update
sudo apt-get -y install ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --batch --yes --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
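Review bot: The condition `if [ "{$arch}" == "aarch64" ] || [ "${arch}" == "x64_64" ]` can never be true: `{$arch}` expands to a literal brace plus the value (`{x86_64}`), and `x64_64` is a typo for `x86_64`, so the `apt-get` and Docker key setup below it is skipped on every architecture. It should read `if [ "${arch}" = "aarch64" ] || [ "${arch}" = "x86_64" ]; then`. In the new `virtiofsd` part, the echo says "Building rust version of virtiofsd" while the comment above `build-static-virtiofsd.sh` says "Download the rust implementation"; state which it is, and if a prebuilt binary is fetched, confirm the script verifies its checksum before `sudo install` copies it root-owned 0755 into `usr/libexec/`.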


@ -606,6 +606,7 @@ components:
- 3
- 3
num_pci_segments: 3
serial_number: serial_number
pmem:
- pci_segment: 6
mergeable: false
@ -948,6 +949,7 @@ components:
- 3
- 3
num_pci_segments: 3
serial_number: serial_number
pmem:
- pci_segment: 6
mergeable: false
@ -1169,6 +1171,7 @@ components:
- 3
- 3
num_pci_segments: 3
serial_number: serial_number
properties:
num_pci_segments:
format: int16
@ -1178,6 +1181,8 @@ components:
format: int16
type: integer
type: array
serial_number:
type: string
type: object
MemoryZoneConfig:
example:


@ -6,6 +6,7 @@ Name | Type | Description | Notes
------------ | ------------- | ------------- | -------------
**NumPciSegments** | Pointer to **int32** | | [optional]
**IommuSegments** | Pointer to **[]int32** | | [optional]
**SerialNumber** | Pointer to **string** | | [optional]
## Methods
@ -76,6 +77,31 @@ SetIommuSegments sets IommuSegments field to given value.
HasIommuSegments returns a boolean if a field has been set.
### GetSerialNumber
`func (o *PlatformConfig) GetSerialNumber() string`
GetSerialNumber returns the SerialNumber field if non-nil, zero value otherwise.
### GetSerialNumberOk
`func (o *PlatformConfig) GetSerialNumberOk() (*string, bool)`
GetSerialNumberOk returns a tuple with the SerialNumber field if it's non-nil, zero value otherwise
and a boolean to check if the value has been set.
### SetSerialNumber
`func (o *PlatformConfig) SetSerialNumber(v string)`
SetSerialNumber sets SerialNumber field to given value.
### HasSerialNumber
`func (o *PlatformConfig) HasSerialNumber() bool`
HasSerialNumber returns a boolean if a field has been set.
[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)


@ -18,6 +18,7 @@ import (
type PlatformConfig struct {
NumPciSegments *int32 `json:"num_pci_segments,omitempty"`
IommuSegments *[]int32 `json:"iommu_segments,omitempty"`
SerialNumber *string `json:"serial_number,omitempty"`
}
// NewPlatformConfig instantiates a new PlatformConfig object
@ -101,6 +102,38 @@ func (o *PlatformConfig) SetIommuSegments(v []int32) {
o.IommuSegments = &v
}
// GetSerialNumber returns the SerialNumber field value if set, zero value otherwise.
func (o *PlatformConfig) GetSerialNumber() string {
if o == nil || o.SerialNumber == nil {
var ret string
return ret
}
return *o.SerialNumber
}
// GetSerialNumberOk returns a tuple with the SerialNumber field value if set, nil otherwise
// and a boolean to check if the value has been set.
func (o *PlatformConfig) GetSerialNumberOk() (*string, bool) {
if o == nil || o.SerialNumber == nil {
return nil, false
}
return o.SerialNumber, true
}
// HasSerialNumber returns a boolean if a field has been set.
func (o *PlatformConfig) HasSerialNumber() bool {
if o != nil && o.SerialNumber != nil {
return true
}
return false
}
// SetSerialNumber gets a reference to the given string and assigns it to the SerialNumber field.
func (o *PlatformConfig) SetSerialNumber(v string) {
o.SerialNumber = &v
}
func (o PlatformConfig) MarshalJSON() ([]byte, error) {
toSerialize := map[string]interface{}{}
if o.NumPciSegments != nil {
@ -109,6 +142,9 @@ func (o PlatformConfig) MarshalJSON() ([]byte, error) {
if o.IommuSegments != nil {
toSerialize["iommu_segments"] = o.IommuSegments
}
if o.SerialNumber != nil {
toSerialize["serial_number"] = o.SerialNumber
}
return json.Marshal(toSerialize)
}


@ -616,6 +616,8 @@ components:
items:
type: integer
format: int16
serial_number:
type: string
MemoryZoneConfig:
required:


@ -37,20 +37,20 @@ impl Container {
// If the rootfs path in the spec file is a relative path,
// convert it into a canonical path to pass validation of rootfs in the agent.
if !&rootfs_path.is_absolute() {
let rootfs_name = rootfs_path
.file_name()
.ok_or_else(|| anyhow!("invalid rootfs name"))?;
spec_root.path = bundle_canon
.join(rootfs_name)
.join(rootfs_path)
.canonicalize()?
.to_str()
.map(|s| s.to_string())
.ok_or_else(|| anyhow!("failed to convert bundle path"))?;
.ok_or_else(|| {
anyhow!("failed to convert a rootfs path into a canonical path")
})?;
}
}
Ok(ContainerContext {
id: self.id,
bundle: self.bundle,
bundle: bundle_canon,
state_root: self.root,
spec,
// TODO: liboci-cli does not support --no-pivot option for create and run command.
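Review bot: `bundle_canon.join(rootfs_path).canonicalize()?` now preserves subdirectories of a relative rootfs (`.join(rootfs_name)` dropped them), but because `canonicalize` resolves `..` components and symlinks, a spec with `root.path = "../other"` produces an absolute path outside the bundle and still satisfies the "must be absolute" requirement the comment describes. If the agent-side rootfs validation only checks for an absolute path, add a guard after canonicalization, e.g. reject when `!canonical.starts_with(&bundle_canon)`, and return an error rather than handing the agent a rootfs outside the bundle. Also worth a one-line doc note that `ContainerContext::bundle` is now the canonical path (`bundle: bundle_canon`), since `Status` below is built from it.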


@ -95,6 +95,7 @@ impl ContainerContext {
let oci_state = ctr.oci_state()?;
let status = Status::new(
&self.state_root,
&self.bundle,
oci_state,
ctr.init_process_start_time,
ctr.created,
@ -141,7 +142,7 @@ mod tests {
#[test]
fn test_get_fifo_path() {
let test_data = PathBuf::from(TEST_BUNDLE_PATH)
let test_data = PathBuf::from(TEST_STATE_ROOT_PATH)
.join(TEST_CONTAINER_ID)
.join(EXEC_FIFO_FILENAME);
let status = create_dummy_status();


@ -42,6 +42,7 @@ pub struct Status {
impl Status {
pub fn new(
root: &Path,
bundle: &Path,
oci_state: OCIState,
process_start_time: u64,
created_time: SystemTime,
@ -64,7 +65,7 @@ impl Status {
id: oci_state.id,
pid: oci_state.pid,
root: root.to_path_buf(),
bundle: PathBuf::from(&oci_state.bundle),
bundle: bundle.to_path_buf(),
rootfs,
process_start_time,
created,
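Review bot: `bundle: bundle.to_path_buf()` replaces `PathBuf::from(&oci_state.bundle)`, so the bundle recorded in `Status` can now differ from `oci_state.bundle` (the caller passes the canonicalized path). A short doc comment on `Status::new` explaining why the explicit `bundle` argument takes precedence over the one carried in `oci_state`, or a `debug_assert!` that the two agree once canonicalized, would make the intent clear to the next reader.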
@ -209,6 +210,7 @@ mod tests {
let oci_state = create_dummy_oci_state();
let created = SystemTime::now();
let status = Status::new(
Path::new(TEST_STATE_ROOT_PATH),
Path::new(TEST_BUNDLE_PATH),
oci_state.clone(),
1,


@ -45,7 +45,8 @@ pub(crate) mod test_utils {
use std::time::SystemTime;
pub const TEST_CONTAINER_ID: &str = "test";
pub const TEST_BUNDLE_PATH: &str = "/test";
pub const TEST_STATE_ROOT_PATH: &str = "/state";
pub const TEST_BUNDLE_PATH: &str = "/bundle";
pub const TEST_ANNOTATION: &str = "test";
pub const TEST_CGM_DATA: &str = r#"{
"paths": {
@ -92,6 +93,7 @@ pub(crate) mod test_utils {
let oci_state = create_dummy_oci_state();
let created = SystemTime::now();
let status = Status::new(
Path::new(TEST_STATE_ROOT_PATH),
Path::new(TEST_BUNDLE_PATH),
oci_state.clone(),
1,


@ -75,7 +75,7 @@ assets:
url: "https://github.com/cloud-hypervisor/cloud-hypervisor"
uscan-url: >-
https://github.com/cloud-hypervisor/cloud-hypervisor/tags.*/v?(\d\S+)\.tar\.gz
version: "v23.1"
version: "v24.0"
firecracker:
description: "Firecracker micro-VMM"