Merge pull request #4039 from fidencio/wip/ccv0.sh-also-support-cloud-hypervisor

CCv0 | ccv0.sh: Expand to also using Cloud Hypervisor
2025-08-20 08:54:03 +00:00 · 2022-04-06 18:06:54 +02:00 · 2022-04-06 18:06:54 +02:00 · c95dd8f57e
commit c95dd8f57e
parent 8fe5b97c2b bdb0f6b471
2 changed files with 40 additions and 8 deletions
--- a/docs/how-to/ccv0.sh
+++ b/docs/how-to/ccv0.sh
@ -91,6 +91,7 @@ Commands:
 - build_and_install_all:            Build and install everything
 - build_and_install_rootfs:         Builds and installs the rootfs image
 - build_kata_runtime:               Build and install the kata runtime
+- build_cloud_hypervisor            Checkout, patch, build and install Cloud Hypervisor
 - build_qemu:                       Checkout, patch, build and install QEMU
 - configure:                        Configure Kata to use rootfs and enable debug
 - connect_to_ssh_demo_pod:          Ssh into the ssh demo pod, showing that the decryption succeeded
@ -127,7 +128,18 @@ build_and_install_all() {
    create_a_local_rootfs
    build_and_install_rootfs
    install_guest_kernel_image
-    build_qemu
+    case "$KATA_HYPERVISOR" in
+        "qemu") 
+            build_qemu
+            ;;
+        "cloud-hypervisor") 
+            build_cloud_hypervisor
+            ;;
+        *)
+            echo "Invalid option: $KATA_HYPERVISOR is not supported." >&2
+            ;;
+    esac
+
    check_kata_runtime
    if [ "${KUBERNETES}" == "yes" ]; then
        init_kubernetes
@ -199,7 +211,7 @@ check_out_repos() {

 build_and_install_kata_runtime() {
    pushd ${katacontainers_repo_dir}/src/runtime
-    make clean && make && sudo -E PATH=$PATH make install
+    make clean && make DEFAULT_HYPERVISOR=${KATA_HYPERVISOR} && sudo -E PATH=$PATH make DEFAULT_HYPERVISOR=${KATA_HYPERVISOR} install
    debug_output "We should have created Kata runtime binaries:: /usr/local/bin/kata-runtime and /usr/local/bin/containerd-shim-kata-v2"
    debug_output "We should have made the Kata configuration file: /usr/share/defaults/kata-containers/configuration.toml"
    debug_output "kata-runtime version: $(kata-runtime version)"
@ -330,6 +342,14 @@ build_qemu() {
    ${tests_repo_dir}/.ci/install_qemu.sh
 }

+build_cloud_hypervisor() {
+    # While we still rely on the C version of virtiofsd, let's
+    # install QEMU, which will then bring virtiofsd together.
+    build_qemu
+
+    ${tests_repo_dir}/.ci/install_cloud_hypervisor.sh
+}
+
 check_kata_runtime() {
    sudo kata-runtime check
 }
@ -467,7 +487,7 @@ run_kata_and_capture_logs() {

 get_ids() {
    guest_cid=$(sudo ss -H --vsock | awk '{print $6}' | cut -d: -f1)
-    sandbox_id=$(ps -ef | grep qemu | egrep -o "sandbox-[^,][^,]*" | sed 's/sandbox-//g' | awk '{print $1}')
+    sandbox_id=$(ps -ef | grep containerd-shim-kata-v2 | egrep -o "id [^,][^,].* " | awk '{print $2}')
 }

 open_kata_shell() {
@ -580,6 +600,9 @@ main() {
        install_guest_kernel)
            install_guest_kernel_image
            ;;
+        build_cloud_hypervisor)
+            build_cloud_hypervisor
+            ;;
        build_qemu)
            build_qemu
            ;;
--- a/docs/how-to/how-to-build-and-test-ccv0.md
+++ b/docs/how-to/how-to-build-and-test-ccv0.md
@ -44,6 +44,12 @@ $ chmod u+x ccv0.sh
      ```
      `skopeo` is
      required for passing source credentials and verifying container image signatures using the kata agent.
+    - By default the build and configuration are using `QEMU` as the hypervisor. In order to use `Cloud Hypervisor` instead
+      set:
+      ```
+      $ export KATA_HYPERVISOR="cloud-hypervisor"
+      ```
+      before running the build.

 - At this point you can provision a Kata confidential containers pod and container with either
  [`crictl`](#using-crictl-for-end-to-end-provisioning-of-a-kata-confidential-containers-pod-with-an-unencrypted-image),
@ -52,9 +58,10 @@ $ chmod u+x ccv0.sh

 ### Using `crictl` for end-to-end provisioning of a Kata confidential containers pod with an unencrypted image

- Run the full build process with Kubernetes off, so it's configure doesn't interfere with `crictl` using:
+- Run the full build process with Kubernetes turned off, so its configuration doesn't interfere with `crictl` using:
  ```bash
  $ export KUBERNETES="no"
+  $ export KATA_HYPERVISOR="qemu"
  $ ~/ccv0.sh -d build_and_install_all
  ```
    > **Note**: Much of this script has to be run as `sudo`, so you are likely to get prompted for your password.
@ -70,7 +77,8 @@ $ chmod u+x ccv0.sh
        - Create, build and install a rootfs for the Kata hypervisor to use. For 'CCv0' this is currently based on Ubuntu
        20.04 and has extra packages like `umoci` added.
        - Build the Kata guest kernel
-        - Install QEMU
+        - Install the hypervisor (in order to select which hypervisor will be used, the `KATA_HYPERVISOR` environment
+        variable can be used to select between `qemu` or `cloud-hypervisor`)
    > **Note**: Depending on how where your VMs are hosted and how IPs are shared you might get an error from docker
    during matching `ERROR: toomanyrequests: Too Many Requests`. To get past
    this, login into Docker Hub and pull the images used with:
@ -189,7 +197,7 @@ there.
  pulled on the guest:
    - Find all the `rootfs` directories under in the pod's shared directory with:
      ```bash
-      $ pod_id=$(ps -ef | grep qemu | egrep -o "sandbox-[^,][^,]*" | sed 's/sandbox-//g' | awk '{print $1}')
+      $ pod_id=$(ps -ef | grep containerd-shim-kata-v2 | egrep -o "id [^,][^,].* " | awk '{print $2}')
      $ sudo find /run/kata-containers/shared/sandboxes/${pod_id}/shared -name rootfs
      ```
      which should only show a single `rootfs` directory if the container image was pulled on the guest, not the host
@ -454,8 +462,8 @@ it ever being available to the host.

 As well as being able to use the script as above to build all of `kata-containers` from scratch it can be used to just
 re-build bits of it by running the script with different parameters. For example after the first build you will often
-not need to re-install the dependencies, QEMU or the Guest kernel, but just test code changes made to the runtime and
-agent. This can be done by running `~/ccv0.sh rebuild_and_install_kata`. (*Note this does a hard checkout*
+not need to re-install the dependencies, the hypervisor or the Guest kernel, but just test code changes made to the
+runtime and agent. This can be done by running `~/ccv0.sh rebuild_and_install_kata`. (*Note this does a hard checkout*
 *from git, so if your changes are only made locally it is better to do the individual steps e.g.* 
 `~/ccv0.sh build_kata_runtime && ~/ccv0.sh build_and_add_agent_to_rootfs && ~/ccv0.sh build_and_install_rootfs`).
 There are commands for a lot of steps in building, setting up and testing and the full list can be seen by running
@ -480,6 +488,7 @@ Commands:
 - build_and_add_agent_to_rootfs:Builds the kata-agent and adds it to the rootfs
 - build_and_install_rootfs:     Builds and installs the rootfs image
 - install_guest_kernel:         Setup, build and install the guest kernel
+- build_cloud_hypervisor        Checkout, patch, build and install Cloud Hypervisor
 - build_qemu:                   Checkout, patch, build and install QEMU
 - init_kubernetes:              initialize a Kubernetes cluster on this system
 - crictl_create_cc_pod          Use crictl to create a new kata cc pod