github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-03 09:54:33 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #304 from egernst/kata-deploy-1.5.0-rc2

Browse Source 
kata deploy rewrites
This commit is contained in:
James O. D. Hunt
2019-02-01 09:17:21 +00:00
committed by GitHub
parent a6b5d7e5e4 b4ba52d432
commit 970b26c349
13 changed files with 536 additions and 243 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
kata-deploy/Dockerfile
View File

@@ -1,18 +1,23 @@
FROM centos/systemd FROM centos/systemd
ARG KATA_VER=1.4.0 ARG KATA_VER
ARG ARCH=x86_64 ARG ARCH=x86_64
ARG KUBE_ARCH=amd64
ARG KATA_URL=https://github.com/kata-containers/runtime/releases/download/${KATA_VER} ARG KATA_URL=https://github.com/kata-containers/runtime/releases/download/${KATA_VER}
ARG KATA_FILE=kata-static-${KATA_VER}-${ARCH}.tar.xz ARG KATA_FILE=kata-static-${KATA_VER}-${ARCH}.tar.xz
ARG KUBECTL_VER=v1.10.2
RUN \ RUN \
yum install -y epel-release && \
yum install -y bzip2 jq && \
curl -sOL ${KATA_URL}/${KATA_FILE} && \ curl -sOL ${KATA_URL}/${KATA_FILE} && \
mkdir -p /opt/kata-artifacts && \ mkdir -p /opt/kata-artifacts && \
tar xvf ${KATA_FILE} -C /opt/kata-artifacts/ && \ tar xvf ${KATA_FILE} -C /opt/kata-artifacts/ && \
rm ${KATA_FILE} rm ${KATA_FILE}
RUN \ RUN \
curl -s -o /bin/kubectl https://storage.googleapis.com/kubernetes-release/release/${KUBECTL_VER}/bin/linux/amd64/kubectl && \ curl -Lso /bin/kubectl https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/${KUBE_ARCH}/kubectl && \
chmod +x /bin/kubectl chmod +x /bin/kubectl
COPY scripts /opt/kata-artifacts/scripts COPY scripts /opt/kata-artifacts/scripts
RUN \
ln -s /opt/kata-artifacts/scripts/kata-deploy-docker.sh /usr/bin/kata-deploy-docker && \
ln -s /opt/kata-artifacts/scripts/kata-deploy.sh /usr/bin/kata-deploy

163
kata-deploy/README.md
View File

@@ -2,7 +2,11 @@
- [kata-deploy](#kata-deploy) - [kata-deploy](#kata-deploy)
* [Quick start](#quick-start-) * [Docker quick start](#docker-quick-start-)
+ [Install Kata and configure Docker](#install-kata-and-configure-docker)
+ [Run a sample workload](#run-a-sample-workload-utilizing-kata-containers)
+ [Remove Kata](#remove-kata)
* [Kubernetes quick start](#kubernetes-quick-start-)
+ [Install Kata on a running Kubernetes cluster](#install-kata-on-a-running-kubernetes-cluster) + [Install Kata on a running Kubernetes cluster](#install-kata-on-a-running-kubernetes-cluster)
+ [Run a sample workload](#run-a-sample-workload-) + [Run a sample workload](#run-a-sample-workload-)
+ [Remove Kata from the Kubernetes cluster](#remove-kata-from-the-kubernetes-cluster-) + [Remove Kata from the Kubernetes cluster](#remove-kata-from-the-kubernetes-cluster-)
@@ -16,12 +20,54 @@
[kata-deploy](kata-deploy) provides a Dockerfile, which contains all of the binaries [kata-deploy](kata-deploy) provides a Dockerfile, which contains all of the binaries
and artifacts required to run Kata Containers, as well as reference daemonsets, which can and artifacts required to run Kata Containers, as well as reference daemonsets, which can
be utilized to install Kata Containers on a running Kubernetes cluster. be utilized to install Kata Containers for both Docker and on a running Kubernetes cluster.
Note, installation through daemonsets successfully installs `kata-containers.io/kata-runtime` on Note, installation through daemonsets successfully installs `katacontainers.io/kata-runtime` on
a node only if it uses either containerd or CRI-O CRI-shims. a node only if it uses either containerd or CRI-O CRI-shims.
## Quick start: ## Docker quick start:
The kata-deploy container image makes use of a script, `kata-deploy-docker`, for installation of
Kata artifacts and configuration of Docker to utilize the runtime. The following volumes are required to be mounted
to aid in this:
- /opt/kata: this is where all kata artifacts are installed on the system
- /var/run/dbus, /run/systemd: this is require for reloading the the Docker service
- /etc/docker: this is required for updating `daemon.json` in order to configure the kata runtimes in Docker
### Install Kata and configure Docker
To install:
```
docker run -v /opt/kata:/opt/kata -v /var/run/dbus:/var/run/dbus -v /run/systemd:/run/systemd -v /etc/docker:/etc/docker -it katadocker/kata-deploy kata-deploy-docker install
```
Once complete, `/etc/docker/daemon.json` is updated or created to include the Kata runtimes: kata-qemu and kata-fc, for utilizing
QEMU and Firecracker, respectively, for the VM isolation layer.
### Run a sample workload utilizing Kata containers:
Run a QEMU QEMU isolated Kata container:
```
docker run --runtime=kata-qemu -itd alpine
```
Run a Firecracker isolated Kata container:
```
docker run --runtime=kata-fc -itd alpine
```
### Remove Kata
To uninstall:
```
docker run -v /opt/kata:/opt/kata -v /var/run/dbus:/var/run/dbus -v /run/systemd:/run/systemd -v /etc/docker:/etc/docker -it katadocker/kata-deploy kata-deploy-docker remove
```
After completing, the original daemon.json, if it existed, is restored and all Kata artifacts from /opt/kata are removed.
## Kubernetes quick start
### Install Kata on a running Kubernetes cluster ### Install Kata on a running Kubernetes cluster
@@ -32,49 +78,44 @@ kubectl apply -f kata-deploy.yaml
### Run a sample workload ### Run a sample workload
Untrusted workloads can node-select based on ```kata-containers.io/kata-runtime=true```, and are
run through ```kata-containers.io/kata-runtime``` if they are marked with the appropriate CRIO or containerd
annotation:
```
CRIO: io.kubernetes.cri-o.TrustedSandbox: "false"
containerd: io.kubernetes.cri.untrusted-workload: "true"
```
The following is a sample workload for running untrusted on a kata-enabled node: Workloads which utilize Kata can node-select based on ```katacontainers.io/kata-runtime=true```, and are
run through an applicable runtime if they are marked with the appropriate runtimeClass annotation.
The following YAML snippet shows how to specify a workload should use Kata with QEMU:
``` ```
apiVersion: v1
kind: Pod
metadata:
name: nginx
annotations:
io.kubernetes.cri-o.TrustedSandbox: "false"
io.kubernetes.cri.untrusted-workload: "true"
labels:
env: test
spec: spec:
containers: template:
- name: nginx spec:
image: nginx runtimeClassName: kata-qemu
imagePullPolicy: IfNotPresent
nodeSelector:
kata-containers.io/kata-runtime: "true"
```
To run:
```
kubectl apply -f examples/nginx-untrusted.yaml
``` ```
Now, you should see the pod start. You can verify that the pod is making use of The following YAML snippet shows how to specify a workload should use Kata with Firecracker:
```kata-containers.io/kata-runtime``` by comparing the container ID observed with the following:
``` ```
/opt/kata/bin/kata-containers.io/kata-runtime list spec:
kubectl describe pod nginx-untrusted template:
spec:
runtimeClassName: kata-fc
``` ```
The following removes the test pod:
To run an example with kata-qemu:
``` ```
kubectl delete -f examples/nginx-untrusted.yaml kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/examples/test-deploy-kata-qemu.yaml
```
To run an example with kata-fc:
```
kubectl apply -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/examples/test-deploy-kata-fc.yaml
```
The following removes the test pods:
```
kubectl delete -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/examples/test-deploy-kata-qemu.yaml
kubectl delete -f https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/examples/test-deploy-kata-fc.yaml
``` ```
### Remove Kata from the Kubernetes cluster ### Remove Kata from the Kubernetes cluster
@@ -89,16 +130,18 @@ kubectl delete -f kata-rbac.yaml
## kata-deploy Details ## kata-deploy Details
### Dockerfile ### Dockerfile
The [Dockerfile](kata-deploy/Dockerfile) used to create the container image deployed in the DaemonSet is provided here.
The Dockerfile used to create the container image deployed in the DaemonSet is provided here. This image contains all the necessary artifacts for running Kata Containers, all of which are pulled
This image contains all the necessary artifacts for running Kata Containers. from the [Kata Containers release page](https://github.com/kata-containers/runtime/releases).
Host artifacts: Host artifacts:
* kata-containers.io/kata-runtime: pulled from Kata GitHub releases page * kata-runtime
* kata-proxy: pulled from Kata GitHub releases page * kata-fc
* kata-shim: pulled from Kata GitHub releases page * kata-qemu
* qemu-system-x86_64: statically built and included in this repo, based on Kata's QEMU repo * kata-proxy
* qemu/* : supporting binaries required for qemu-system-x86_64 * kata-shim
* firecracker
* qemu-system-x86_64 and supporting binaries
Virtual Machine artifacts: Virtual Machine artifacts:
* kata-containers.img: pulled from Kata github releases page * kata-containers.img: pulled from Kata github releases page
@@ -106,27 +149,19 @@ Virtual Machine artifacts:
### Daemonsets and RBAC: ### Daemonsets and RBAC:
A few daemonsets are introduced for kata-deploy, as well as an RBAC to facilitate Two daemonsets are introduced for kata-deploy, as well as an RBAC to facilitate
applying labels to the nodes. applying labels to the nodes.
#### runtime-labeler: #### Kata installer: kata-deploy
This daemonset creates a label on each node in This daemonset installs the necessary kata binaries, configuration files, and virtual machine artifacts on
the cluster identifying the CRI shim in use. For example, the node. Once installed, the daemonset adds a node label `katacontainers.io/kata-runtime=true` and reconfigures
`kata-containers.io/container-runtime=crio` or `kata-containers.io/container-runtime=containerd.` either CRI-O or containerd to register two runtimeClasses: `kata-qemu` (for QEMU isolation) and `kata-fc` (for Firecracker isolation).
As a final step the daemonset restarts either CRI-O or containerd. Upon deletion, the daemonset removes the
#### CRI-O and containerd kata installer Kata binaries and VM artifacts and updates the node label to `katacontainers.io/kata-runtime=cleanup.`
Depending on the value of `kata-containers.io/container-runtime` label on the node, either the CRI-O or
containerd kata installation daemonset executes. These daemonsets install
the necessary kata binaries, configuration files, and virtual machine artifacts on
the node. Once installed, the daemonset adds a node label `kata-containers.io/kata-runtime=true` and reconfigures
either CRI-O or containerd to make use of Kata for untrusted workloads. As a final step the daemonset
restarts either CRI-O or containerd and kubelet. Upon deletion, the daemonset removes the kata binaries
and VM artifacts and updates the node label to `kata-containers.io/kata-runtime=cleanup.`
### Kata cleanup: ### Kata cleanup:
This daemonset runs of the node has the label `kata-containers.io/kata-runtime=cleanup.` These daemonsets removes This daemonset runs of the node has the label `katacontainers.io/kata-runtime=cleanup.` These daemonsets removes
the `kata-containers.io/container-runtime` and `kata-containers.io/kata-runtime` labels as well as restarts either CRI-O or containerd systemctl the `katacontainers.io/kata-runtime` label as well as restarts either CRI-O or containerd systemctl
daemon and kubelet. You cannot execute these resets during the preStopHook of the Kata installer daemonset, daemon. You cannot execute these resets during the preStopHook of the Kata installer daemonset,
which necessitated this final cleanup daemonset. which necessitated this final cleanup daemonset.

42
kata-deploy/examples/test-deploy-kata-fc.yaml Normal file
View File

@@ -0,0 +1,42 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: php-apache-kata-fc
name: php-apache-kata-fc
spec:
replicas: 1
selector:
matchLabels:
run: php-apache-kata-fc
template:
metadata:
labels:
run: php-apache-kata-fc
spec:
runtimeClassName: kata-fc
containers:
- image: k8s.gcr.io/hpa-example
imagePullPolicy: Always
name: php-apache
ports:
- containerPort: 80
protocol: TCP
resources:
requests:
cpu: 200m
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
name: php-apache-kata-fc
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
run: php-apache-kata-fc
sessionAffinity: None
type: ClusterIP

45
kata-deploy/examples/test-deploy-kata-qemu.yaml Normal file
View File

@@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: php-apache-kata-qemu
name: php-apache-kata-qemu
spec:
replicas: 1
selector:
matchLabels:
run: php-apache-kata-qemu
template:
metadata:
annotations:
io.kubernetes.cri-o.TrustedSandbox: "false"
io.kubernetes.cri.untrusted-workload: "true"
labels:
run: php-apache-kata-qemu
spec:
runtimeClassName: kata-qemu
containers:
- image: k8s.gcr.io/hpa-example
imagePullPolicy: Always
name: php-apache
ports:
- containerPort: 80
protocol: TCP
resources:
requests:
cpu: 200m
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
name: php-apache-kata-qemu
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
run: php-apache-kata-qemu
sessionAffinity: None
type: ClusterIP

41
kata-deploy/examples/test-deploy-runc.yaml Normal file
View File

@@ -0,0 +1,41 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
run: php-apache-runc
name: php-apache-runc
spec:
replicas: 1
selector:
matchLabels:
run: php-apache-runc
template:
metadata:
labels:
run: php-apache-runc
spec:
containers:
- image: k8s.gcr.io/hpa-example
imagePullPolicy: Always
name: php-apache
ports:
- containerPort: 80
protocol: TCP
resources:
requests:
cpu: 200m
restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
name: php-apache-runc
spec:
ports:
- port: 80
protocol: TCP
targetPort: 80
selector:
run: php-apache-runc
sessionAffinity: None
type: ClusterIP

11
kata-deploy/kata-cleanup.yaml
View File

@@ -15,19 +15,12 @@ spec:
spec: spec:
serviceAccountName: kata-label-node serviceAccountName: kata-label-node
nodeSelector: nodeSelector:
kata-containers.io/kata-runtime: cleanup katacontainers.io/kata-runtime: cleanup
containers: containers:
- name: kube-kata-cleanup - name: kube-kata-cleanup
image: katadocker/kata-deploy image: katadocker/kata-deploy
imagePullPolicy: Always imagePullPolicy: Always
command: [ "sh", "-c" ] command: [ "bash", "-c", "/opt/kata-artifacts/scripts/kata-deploy.sh", "reset" ]
args:
- kubectl label node $NODE_NAME kata-containers.io/container-runtime- kata-containers.io/kata-runtime-;
systemctl daemon-reload;
systemctl restart containerd;
systemctl restart crio;
systemctl restart kubelet;
sleep infinity;
env: env:
- name: NODE_NAME - name: NODE_NAME
valueFrom: valueFrom:

125
kata-deploy/kata-deploy.yaml
View File

@@ -2,71 +2,27 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: DaemonSet kind: DaemonSet
metadata: metadata:
name: kubelet-runtime-labeler name: kata-deploy
namespace: kube-system namespace: kube-system
spec: spec:
selector: selector:
matchLabels: matchLabels:
name: kubelet-runtime-labeler name: kata-deploy
template: template:
metadata: metadata:
labels: labels:
name: kubelet-runtime-labeler name: kata-deploy
spec: spec:
serviceAccountName: kata-label-node serviceAccountName: kata-label-node
containers: containers:
- name: kubelet-runtime-labeler-pod
image: katadocker/kata-deploy
imagePullPolicy: Always
command: [ "sh", "-c" ]
args:
- printenv NODE_NAME;
kubectl get node $NODE_NAME --show-labels;
kubectl label node $NODE_NAME kata-containers.io/container-runtime=$(kubectl describe node $NODE_NAME | awk -F'[:]' '/Container Runtime Version/ {print $2}' | tr -d ' ');
kubectl get node $NODE_NAME --show-labels;
sleep infinity;
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: false
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kubelet-cri-o-kata
namespace: kube-system
spec:
selector:
matchLabels:
name: kubelet-cri-o-kata
template:
metadata:
labels:
name: kubelet-cri-o-kata
spec:
serviceAccountName: kata-label-node
nodeSelector:
kata-containers.io/container-runtime: cri-o
containers:
- name: kube-kata - name: kube-kata
image: katadocker/kata-deploy image: katadocker/kata-deploy
imagePullPolicy: Always imagePullPolicy: Always
lifecycle: lifecycle:
preStop: preStop:
exec: exec:
command: ["sh", "-c", "/opt/kata-artifacts/scripts/remove-kata-crio.sh && kubectl label node $NODE_NAME --overwrite kata-containers.io/kata-runtime=cleanup"] command: ["bash", "-c", "/opt/kata-artifacts/scripts/kata-deploy.sh", "cleanup"]
command: [ "sh", "-ce" ] command: [ "bash", "-c", "/opt/kata-artifacts/scripts/kata-deploy.sh", "install" ]
args:
- /opt/kata-artifacts/scripts/install-kata-crio.sh && kubectl label node $NODE_NAME kata-containers.io/kata-runtime=true;
kubectl get node $NODE_NAME --show-labels;
sleep infinity;
env: env:
- name: NODE_NAME - name: NODE_NAME
valueFrom: valueFrom:
@@ -77,6 +33,8 @@ spec:
volumeMounts: volumeMounts:
- name: crio-conf - name: crio-conf
mountPath: /etc/crio/ mountPath: /etc/crio/
- name: containerd-conf
mountPath: /etc/containerd/
- name: kata-artifacts - name: kata-artifacts
mountPath: /opt/kata/ mountPath: /opt/kata/
- name: dbus - name: dbus
@@ -87,6 +45,9 @@ spec:
- name: crio-conf - name: crio-conf
hostPath: hostPath:
path: /etc/crio/ path: /etc/crio/
- name: containerd-conf
hostPath:
path: /etc/containerd/
- name: kata-artifacts - name: kata-artifacts
hostPath: hostPath:
path: /opt/kata/ path: /opt/kata/
@@ -101,69 +62,3 @@ spec:
rollingUpdate: rollingUpdate:
maxUnavailable: 1 maxUnavailable: 1
type: RollingUpdate type: RollingUpdate
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: kubelet-cri-containerd-kata
namespace: kube-system
spec:
selector:
matchLabels:
name: kubelet-cri-containerd-kata
template:
metadata:
labels:
name: kubelet-cri-containerd-kata
spec:
serviceAccountName: kata-label-node
nodeSelector:
kata-containers.io/container-runtime: containerd
containers:
- name: kube-kata
image: katadocker/kata-deploy
imagePullPolicy: Always
lifecycle:
preStop:
exec:
command: ["sh", "-c", "/opt/kata-artifacts/scripts/remove-kata-containerd.sh && kubectl label node $NODE_NAME --overwrite kata-containers.io/kata-runtime=cleanup"]
command: [ "sh", "-c" ]
args:
- /opt/kata-artifacts/scripts/install-kata-containerd.sh && kubectl label node $NODE_NAME kata-containers.io/kata-runtime=true;
kubectl get node $NODE_NAME --show-labels;
sleep infinity;
env:
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
securityContext:
privileged: false
volumeMounts:
- name: containerd-conf
mountPath: /etc/containerd/
- name: kata-artifacts
mountPath: /opt/kata/
- name: dbus
mountPath: /var/run/dbus
- name: systemd
mountPath: /run/systemd
volumes:
- name: containerd-conf
hostPath:
path: /etc/containerd/
type: DirectoryOrCreate
- name: kata-artifacts
hostPath:
path: /opt/kata/
type: DirectoryOrCreate
- name: dbus
hostPath:
path: /var/run/dbus
- name: systemd
hostPath:
path: /run/systemd
updateStrategy:
rollingUpdate:
maxUnavailable: 1
type: RollingUpdate

26
kata-deploy/scripts/install-kata-containerd.sh
View File

@@ -1,26 +0,0 @@
#!/bin/sh
echo "copying kata artifacts onto host"
cp -R /opt/kata-artifacts/opt/kata/* /opt/kata/
chmod +x /opt/kata/bin/*
# Configure containerd to use Kata:
echo "create containerd configuration for Kata"
mkdir -p /etc/containerd/
if [ -f /etc/containerd/config.toml ]; then
cp /etc/containerd/config.toml /etc/containerd/config.toml.bak
fi
cat <<EOT | tee /etc/containerd/config.toml
[plugins]
[plugins.cri.containerd]
[plugins.cri.containerd.untrusted_workload_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = "/opt/kata/bin/kata-runtime"
runtime_root = ""
EOT
echo "Reload systemd services"
systemctl daemon-reload
systemctl restart containerd

14
kata-deploy/scripts/install-kata-crio.sh
View File

@@ -1,14 +0,0 @@
#!/bin/sh
echo "copying kata artifacts onto host"
cp -R /opt/kata-artifacts/opt/kata/* /opt/kata/
chmod +x /opt/kata/bin/*
# Configure crio to use Kata:
echo "Set Kata containers as default runtime in CRI-O for untrusted workloads"
cp /etc/crio/crio.conf /etc/crio/crio.conf.bak
sed -i '/runtime_untrusted_workload = /c\runtime_untrusted_workload = "/opt/kata/bin/kata-runtime"' /etc/crio/crio.conf
echo "Reload systemd services"
systemctl daemon-reload
systemctl restart crio

111
kata-deploy/scripts/kata-deploy-docker.sh Executable file
View File

@@ -0,0 +1,111 @@
#!/usr/bin/env bash
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
set -o nounset
conf_file="/etc/docker/daemon.json"
conf_file_backup="${conf_file}.bak"
snippet="${conf_file}.snip"
tmp_file="${conf_file}.tmp"
# If we fail for any reason a message will be displayed
die() {
msg="$*"
echo "ERROR: $msg" >&2
exit 1
}
function print_usage() {
echo "Usage: $0 [install/remove]"
}
function install_artifacts() {
echo "copying kata artifacts onto host"
cp -a /opt/kata-artifacts/opt/kata/* /opt/kata/
chmod +x /opt/kata/bin/*
}
function configure_docker() {
echo "configuring docker"
cat <<EOT | tee -a "$snippet"
{
"runtimes": {
"kata-qemu": {
"path": "/opt/kata/bin/kata-runtime",
"runtimeArgs": [ "--kata-config", "/opt/kata/share/defaults/kata-containers/configuration-qemu.toml" ]
},
"kata-fc": {
"path": "/opt/kata/bin/kata-runtime",
"runtimeArgs": [ "--kata-config", "/opt/kata/share/defaults/kata-containers/configuration-fc.toml" ]
}
}
}
EOT
if [ -f ${conf_file} ]; then
cp -n "$conf_file" "$conf_file_backup"
# Merge in the json snippet:
jq -s '[.[] | to_entries] | flatten | reduce .[] as $dot ({}; .[$dot.key] += $dot.value)' "${conf_file}" "${snippet}" > "${tmp_file}"
mv "${tmp_file}" "${conf_file}"
rm "${snippet}"
else
mv "${snippet}" "${conf_file}"
fi
systemctl daemon-reload
systemctl reload docker
}
function remove_artifacts() {
echo "deleting kata artifacts"
rm -rf /opt/kata/
}
function cleanup_runtime() {
echo "cleanup docker"
rm -f "${conf_file}"
if [ -f "${conf_file_backup}" ]; then
cp "${conf_file_backup}" "${conf_file}"
fi
systemctl daemon-reload
systemctl reload docker
}
function main() {
# script requires that user is root
euid=`id -u`
if [[ $euid -ne 0 ]]; then
die "This script must be run as root"
fi
action=${1:-}
if [ -z $action ]; then
print_usage
die "invalid arguments"
fi
case $action in
install)
install_artifacts
configure_docker
;;
remove)
cleanup_runtime
remove_artifacts
;;
*)
echo invalid arguments
print_usage
;;
esac
}
main $@

178
kata-deploy/scripts/kata-deploy.sh Executable file
View File

@@ -0,0 +1,178 @@
#!/usr/bin/env bash
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
set -o nounset
crio_conf_file="/etc/crio/crio.conf"
crio_conf_file_backup="${crio_conf_file}.bak"
containerd_conf_file="/etc/containerd/config.toml"
containerd_conf_file_backup="${containerd_conf_file}.bak"
# If we fail for any reason a message will be displayed
die() {
msg="$*"
echo "ERROR: $msg" >&2
exit 1
}
function print_usage() {
echo "Usage: $0 [install/cleanup/reset]"
}
function get_container_runtime() {
local runtime=$(kubectl describe node $NODE_NAME)
if [ "$?" -ne 0 ]; then
die "invalid node name"
fi
echo "$runtime" | awk -F'[:]' '/Container Runtime Version/ {print $2}' | tr -d ' '
}
function install_artifacts() {
echo "copying kata artifacts onto host"
cp -a /opt/kata-artifacts/opt/kata/* /opt/kata/
chmod +x /opt/kata/bin/*
}
function configure_cri_runtime() {
case $1 in
crio)
configure_crio
;;
containerd)
configure_containerd
;;
esac
systemctl daemon-reload
systemctl restart $1
}
function configure_crio() {
# Configure crio to use Kata:
echo "Add Kata Containers as a supported runtime for CRIO:"
# backup the CRIO.conf only if a backup doesn't already exist (don't override original)
cp -n "$crio_conf_file" "$crio_conf_file_backup"
cat <<EOT | tee -a "$crio_conf_file"
[crio.runtime.runtimes.kata-qemu]
runtime_path = "/opt/kata/bin/kata-qemu"
[crio.runtime.runtimes.kata-fc]
runtime_path = "/opt/kata/bin/kata-fc"
EOT
sed -i 's|\(\[crio\.runtime\]\)|\1\nmanage_network_ns_lifecycle = true|' "$crio_conf_file"
}
function configure_containerd() {
# Configure containerd to use Kata:
echo "Add Kata Containers as a supported runtime for containerd"
mkdir -p /etc/containerd/
if [ -f "$containerd_conf_file" ]; then
cp "$containerd_conf_file" "$containerd_conf_file_backup"
fi
# TODO: While there isn't a default here anyway, it'd probably be best to
# add sed magic to insert into appropriate location if config.toml already exists
# https://github.com/kata-containers/packaging/issues/307
cat <<EOT | tee "$containerd_conf_file"
[plugins]
[plugins.cri.containerd]
[plugins.cri.containerd.untrusted_workload_runtime]
runtime_type = "io.containerd.runtime.v1.linux"
runtime_engine = "/opt/kata/bin/kata-runtime"
runtime_root = ""
EOT
}
function remove_artifacts() {
echo "deleting kata artifacts"
rm -rf /opt/kata/
}
function cleanup_cri_runtime() {
case $1 in
crio)
cleanup_crio
;;
containerd)
cleanup_containerd
;;
esac
}
function cleanup_crio() {
if [ -f "$crio_conf_file_backup" ]; then
cp "$crio_conf_file_backup" "$crio_conf_file"
fi
}
function cleanup_containerd() {
rm -f /etc/containerd/config.toml
if [ -f "$containerd_conf_file_backup" ]; then
mv "$containerd_conf_file_backup" "$containerd_conf_file"
fi
}
function reset_runtime() {
kubectl label node $NODE_NAME katacontainers.io/kata-runtime-
systemctl daemon-reload
systemctl restart $1
systemctl restart kubelet
}
function main() {
# script requires that user is root
euid=`id -u`
if [[ $euid -ne 0 ]]; then
die "This script must be run as root"
fi
runtime=$(get_container_runtime)
# CRI-O isn't consistent with the naming -- let's use crio to match the service file
if [ "$runtime" == "cri-o" ]; then
runtime="crio"
fi
action=${1:-}
if [ -z $action ]; then
print_usage
die "invalid arguments"
fi
# only install / remove / update if we are dealing with CRIO or containerd
if [ "$runtime" == "crio" ] || [ "$runtime" == "containerd" ]; then
case $action in
install)
install_artifacts
configure_cri_runtime $runtime
;;
cleanup)
remove_artifacts
cleanup_cri_runtime $runtime
kubectl label node $NODE_NAME --overwrite katacontainers.io/kata-runtime=cleanup
;;
reset)
reset_runtime $runtime
;;
*)
echo invalid arguments
print_usage
;;
esac
fi
#It is assumed this script will be called as a daemonset. As a result, do
# not return, otherwise the daemon will restart and rexecute the script
sleep infinity
}
main $@

8
kata-deploy/scripts/remove-kata-containerd.sh
View File

@@ -1,8 +0,0 @@
#!/bin/sh
echo "delete kata artifacts"
rm -rf /opt/kata
rm -f /etc/containerd/config.toml
if [ -f /etc/containerd/config.toml.bak ]; then
mv /etc/containerd/config.toml.bak /etc/containerd/config.toml
fi

4
kata-deploy/scripts/remove-kata-crio.sh
View File

@@ -1,4 +0,0 @@
#!/bin/sh
echo "deleting kata artifacts"
rm -rf /opt/kata/
mv /etc/crio/crio.conf.bak /etc/crio/crio.conf