Merge pull request #1423 from fidencio/wip/kata-deploy-crio-plus-shimv2

kata-deploy: Ensure CRI-O uses shimv2 & the "vm" runtime type

tools/packaging/kata-deploy/README.md

@@ -133,17 +133,14 @@ This image contains all the necessary artifacts for running Kata Containers, all
 from the [Kata Containers release page](https://github.com/kata-containers/runtime/releases).
 
 Host artifacts:
+* `cloud-hypervisor`, `firecracker`, `qemu-system-x86_64`, `qemu-virtiofs-system-x86_64` and supporting binaries
+* `containerd-shim-kata-v2`
+* `kata-collect-data.sh`
 * `kata-runtime`
-* `kata-fc`
-* `kata-qemu`
-* `kata-proxy`
-* `kata-shim`
-* `firecracker`
-* `qemu-system-x86_64` and supporting binaries
 
 Virtual Machine artifacts:
-* `kata-containers.img`: pulled from Kata GitHub releases page
+* `kata-containers.img` and `kata-containers-initrd.img`: pulled from Kata GitHub releases page
-* `vmlinuz.container`: pulled from Kata GitHub releases page
+* `vmlinuz.container` and `vmlinuz-virtiofs.container`: pulled from Kata GitHub releases page
 
 ### DaemonSets and RBAC
 

tools/packaging/kata-deploy/scripts/kata-deploy.sh

@@ -54,6 +54,8 @@ function install_artifacts() {
 }
 
 function configure_cri_runtime() {
+	configure_different_shims_base
+
 	case $1 in
 	crio)
 		configure_crio
@@ -66,6 +68,77 @@ function configure_cri_runtime() {
 	systemctl restart "$1"
 }
 
+function configure_different_shims_base() {
+	# Currently containerd has an assumption on the location of the shimv2 implementation
+	# This forces kata-deploy to create files in a well-defined location that's part of
+	# the PATH, pointing to the containerd-shim-kata-v2 binary in /opt/kata/bin
+	# Issues:
+	#   https://github.com/containerd/containerd/issues/3073
+	#   https://github.com/containerd/containerd/issues/5006
+
+	mkdir -p /usr/local/bin
+
+	for shim in "${shims[@]}"; do
+		local shim_binary="containerd-shim-kata-${shim}-v2"
+		local shim_file="/usr/local/bin/${shim_binary}"
+		local shim_backup="/usr/local/bin/${shim_binary}.bak"
+
+		if [ -f "${shim_file}" ]; then
+			echo "warning: ${shim_binary} already exists" >&2
+			if [ ! -f "${shim_backup}" ]; then
+				mv "${shim_file}" "${shim_backup}"
+			else
+				rm "${shim_file}"
+			fi
+		fi
+
+		cat << EOT | tee "$shim_file"
+#!/bin/bash
+KATA_CONF_FILE=/opt/kata/share/defaults/kata-containers/configuration-${shim}.toml /opt/kata/bin/containerd-shim-kata-v2 "\$@"
+EOT
+		chmod +x "$shim_file"
+	done
+}
+
+function cleanup_different_shims_base() {
+	for shim in "${shims[@]}"; do
+		local shim_binary="containerd-shim-kata-${shim}-v2"
+		local shim_file="/usr/local/bin/${shim_binary}"
+		local shim_backup="/usr/local/bin/${shim_binary}.bak"
+
+		rm "${shim_file}" || true
+
+		if [ -f "${shim_backup}" ]; then
+			mv "$shim_backup" "$shim_file"
+		fi
+	done
+}
+
+function configure_crio_runtime() {
+	local runtime="kata"
+	if [ -n "${1-}" ]; then
+		runtime+="-$1"
+	fi
+
+	local kata_path="/usr/local/bin/containerd-shim-${runtime}-v2"
+	local kata_conf="crio.runtime.runtimes.${runtime}"
+
+	if grep -qEe "^\[$kata_conf\]" $crio_conf_file; then
+		echo "Configuration exists $kata_conf, overwriting"
+		sed -i "/\[$kata_conf\]/\[$kata_conf-original\]/" $crio_conf_file
+	fi
+
+	cat <<EOT | tee -a "$crio_conf_file"
+
+# Path to the Kata Containers runtime binary that uses the $1
+[$kata_conf]
+	runtime_path = "${kata_path}"
+	runtime_type = "vm"
+	runtime_root = "/run/vc"
+	privileged_without_host_devices = true
+EOT
+}
+
 function configure_crio() {
 	# Configure crio to use Kata:
 	echo "Add Kata Containers as a supported runtime for CRIO:"
@@ -73,73 +146,9 @@ function configure_crio() {
 	# backup the CRIO.conf only if a backup doesn't already exist (don't override original)
 	cp -n "$crio_conf_file" "$crio_conf_file_backup"
 
-	local kata_clh_path="/opt/kata/bin/kata-clh"
+	for shim in "${shims[@]}"; do
-	local kata_clh_conf="crio.runtime.runtimes.kata-clh"
+		configure_crio_runtime $shim
-
+	done
-	local kata_fc_path="/opt/kata/bin/kata-fc"
-	local kata_fc_conf="crio.runtime.runtimes.kata-fc"
-
-	local kata_qemu_path="/opt/kata/bin/kata-qemu"
-	local kata_qemu_conf="crio.runtime.runtimes.kata-qemu"
-
-	local kata_qemu_virtiofs_path="/opt/kata/bin/kata-qemu-virtiofs"
-	local kata_qemu_virtiofs_conf="crio.runtime.runtimes.kata-qemu-virtiofs"
-
-	# add kata-qemu config
-	if grep -qEe "^\[$kata_qemu_conf\]" $crio_conf_file; then
-		echo "Configuration exists $kata_qemu_conf, overwriting"
-		sed -i "/\[$kata_qemu_conf\]/,+1s#runtime_path.*#runtime_path = \"${kata_qemu_path}\"#" $crio_conf_file
-	else
-		cat <<EOT | tee -a "$crio_conf_file"
-
-# Path to the Kata Containers runtime binary that uses the QEMU hypervisor.
-[$kata_qemu_conf]
-  runtime_path = "${kata_qemu_path}"
-  privileged_without_host_devices = true
-EOT
-	fi
-
-        # add kata-qemu-virtiofs config
-	if grep -qEe "^\[$kata_qemu_virtiofs_conf\]" $crio_conf_file; then
-		echo "Configuration exists $kata_qemu_virtiofs_conf, overwriting"
-		sed -i "/\[$kata_qemu_virtiofs_conf\]/,+1s#runtime_path.*#runtime_path = \"${kata_qemu_virtiofs_path}\"#" $crio_conf_file
-	else
-		cat <<EOT | tee -a "$crio_conf_file"
-
-# Path to the Kata Containers runtime binary that uses the QEMU hypervisor with virtiofs support.
-[$kata_qemu_virtiofs_conf]
-  runtime_path = "${kata_qemu_virtiofs_path}"
-  privileged_without_host_devices = true
-EOT
-        fi
-
-	# add kata-fc config
-	if grep -qEe "^\[$kata_fc_conf\]" $crio_conf_file; then
-		echo "Configuration exists for $kata_fc_conf, overwriting"
-		sed -i "/\[$kata_fc_conf\]/,+1s#runtime_path.*#runtime_path = \"${kata_fc_path}\"#" $crio_conf_file
-	else
-		cat <<EOT | tee -a "$crio_conf_file"
-
-# Path to the Kata Containers runtime binary that uses the firecracker hypervisor.
-[$kata_fc_conf]
-  runtime_path = "${kata_fc_path}"
-  privileged_without_host_devices = true
-EOT
-	fi
-
-	# add kata-clh config
-	if grep -qEe "^\[$kata_clh_conf\]" $crio_conf_file; then
-		echo "Configuration exists $kata_clh_conf, overwriting"
-		sed -i "/\[$kata_clh_conf\]/,+1s#runtime_path.*#runtime_path = \"${kata_clh_path}\"#" $crio_conf_file
-	else
-		cat <<EOT | tee -a "$crio_conf_file"
-
-# Path to the Kata Containers runtime binary that uses the Cloud Hypervisor.
-[$kata_clh_conf]
-  runtime_path = "${kata_clh_path}"
-  privileged_without_host_devices = true
-EOT
-	fi
 
 	# Replace if exists, insert otherwise
 	grep -Fq 'manage_network_ns_lifecycle =' $crio_conf_file \
@@ -199,32 +208,8 @@ function configure_containerd() {
 	# Add default Kata runtime configuration
 	configure_containerd_runtime
 
-	#Currently containerd has an assumption on the location of the shimv2 implementation
-	#Until support is added (see https://github.com/containerd/containerd/issues/3073),
-	#create a link in /usr/local/bin/ to the v2-shim implementation in /opt/kata/bin.
-
-	mkdir -p /usr/local/bin
-
 	for shim in "${shims[@]}"; do
 		configure_containerd_runtime $shim
-
-		local shim_binary="containerd-shim-kata-${shim}-v2"
-		local shim_file="/usr/local/bin/${shim_binary}"
-		local shim_backup="/usr/local/bin/${shim_binary}.bak"
-
-		if [ -f "${shim_file}" ]; then
-			echo "warning: ${shim_binary} already exists" >&2
-			if [ ! -f "${shim_backup}" ]; then
-				mv "${shim_file}" "${shim_backup}"
-			else
-				rm "${shim_file}"
-			fi
-		fi
-       cat << EOT | tee "$shim_file"
-#!/bin/bash
-KATA_CONF_FILE=/opt/kata/share/defaults/kata-containers/configuration-${shim}.toml /opt/kata/bin/containerd-shim-kata-v2 \$@
-EOT
-	chmod +x "$shim_file"
 	done
 }
 
@@ -234,6 +219,8 @@ function remove_artifacts() {
 }
 
 function cleanup_cri_runtime() {
+	cleanup_different_shims_base
+
 	case $1 in
 	crio)
 		cleanup_crio
@@ -244,6 +231,7 @@ function cleanup_cri_runtime() {
 	esac
 
 }
+
 function cleanup_crio() {
 	if [ -f "$crio_conf_file_backup" ]; then
 		cp "$crio_conf_file_backup" "$crio_conf_file"
@@ -255,23 +243,6 @@ function cleanup_containerd() {
 	if [ -f "$containerd_conf_file_backup" ]; then
 		mv "$containerd_conf_file_backup" "$containerd_conf_file"
 	fi
-
-	#Currently containerd has an assumption on the location of the shimv2 implementation
-	#Until support is added (see https://github.com/containerd/containerd/issues/3073), we manage
-	# a reference to the v2-shim implementation
-
-	for shim in "${shims[@]}"; do
-		local shim_binary="containerd-shim-kata-${shim}-v2"
-		local shim_file="/usr/local/bin/${shim_binary}"
-		local shim_backup="/usr/local/bin/${shim_binary}.bak"
-
-		rm "${shim_file}" || true
-
-		if [ -f "${shim_backup}" ]; then
-			mv "$shim_backup" "$shim_file"
-		fi
-	done
-
 }
 
 function reset_runtime() {

tools/packaging/release/kata-deploy-binaries.sh

@@ -215,32 +215,6 @@ install_kata_components() {
 	ln -sf "configuration-qemu.toml" configuration.toml
 	popd
 
-	pushd "${destdir}/${prefix}/bin"
-	cat <<EOT | sudo tee kata-fc
-#!/bin/bash
-${prefix}/bin/kata-runtime --config "${prefix}/share/defaults/${project}/configuration-fc.toml" \$@
-EOT
-	sudo chmod +x kata-fc
-
-	cat <<EOT | sudo tee kata-qemu
-#!/bin/bash
-${prefix}/bin/kata-runtime --config "${prefix}/share/defaults/${project}/configuration-qemu.toml" \$@
-EOT
-	sudo chmod +x kata-qemu
-
-	cat <<EOT | sudo tee kata-clh
-#!/bin/bash
-${prefix}/bin/kata-runtime --config "${prefix}/share/defaults/${project}/configuration-clh.toml" \$@
-EOT
-	sudo chmod +x kata-clh
-
-	cat <<EOT | sudo tee kata-qemu-virtiofs
-#!/bin/bash
-${prefix}/bin/kata-runtime --config "${prefix}/share/defaults/${project}/configuration-qemu-virtiofs.toml" \$@
-EOT
-	sudo chmod +x kata-qemu-virtiofs
-
-	popd
 	pushd ${destdir}
 	tar -czvf ../kata-static-kata-components.tar.gz *
 	popd