From 5fdbdaafd3e53588c8f8a3bdce4bca2b18b7816e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 4 Apr 2022 15:08:27 +0200
Subject: [PATCH 1/3] ccv0: Don't use the QEMU process to get the sandbox ID
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Instead, rely on the conntainerd-shim-kata-v2 process, as this makes this script VMM agnostic.
Signed-off-by: Fabiano FidĂȘncio
---
 docs/how-to/ccv0.sh | 2 +-
 docs/how-to/how-to-build-and-test-ccv0.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/how-to/ccv0.sh b/docs/how-to/ccv0.sh
index a1fc01d3de..3f6d10c589 100755
--- a/docs/how-to/ccv0.sh
+++ b/docs/how-to/ccv0.sh
@@ -467,7 +467,7 @@ run_kata_and_capture_logs() {
 get_ids() {
 guest_cid=$(sudo ss -H --vsock | awk '{print $6}' | cut -d: -f1)
- sandbox_id=$(ps -ef | grep qemu | egrep -o "sandbox-[^,][^,]*" | sed 's/sandbox-//g' | awk '{print $1}')
+ sandbox_id=$(ps -ef | grep containerd-shim-kata-v2 | egrep -o "id [^,][^,].* " | awk '{print $2}')
 }
 open_kata_shell() {
diff --git a/docs/how-to/how-to-build-and-test-ccv0.md b/docs/how-to/how-to-build-and-test-ccv0.md
index 1f5ea11e42..8321a0d622 100644
--- a/docs/how-to/how-to-build-and-test-ccv0.md
+++ b/docs/how-to/how-to-build-and-test-ccv0.md
@@ -189,7 +189,7 @@ there.
 pulled on the guest:
 - Find all the `rootfs` directories under in the pod's shared directory with:
 ```bash
- $ pod_id=$(ps -ef | grep qemu | egrep -o "sandbox-[^,][^,]*" | sed 's/sandbox-//g' | awk '{print $1}')
+ $ pod_id=$(ps -ef | grep containerd-shim-kata-v2 | egrep -o "id [^,][^,].* " | awk '{print $2}')
 $ sudo find /run/kata-containers/shared/sandboxes/${pod_id}/shared -name rootfs
 ```
 which should only show a single `rootfs` directory if the container image was pulled on the guest, not the host
From c5b39c5686d9bd45e080a468dfaa83825a2787e2 Mon Sep 17 00:00:00 2001
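Review bot: The new sandbox_id extraction in get_ids, `egrep -o "id [^,][^,].* "`, matches greedily from the first `id ` on the ps line to the last space, so it depends on `awk '{print $2}'` to recover the token after `id` and yields nothing when the id is the final argument with no trailing space, or the wrong token if `id ` occurs earlier in the command line. As with the qemu pattern it replaces, one line per running shim is emitted, so sandbox_id becomes multi-line as soon as more than one sandbox exists. Assuming the shim is started with `-id <sandbox id>`, which the `id ` pattern already relies on, `sandbox_id=$(pgrep -af containerd-shim-kata-v2 | sed -n 's/.* -id \([^ ]*\).*/\1/p' | head -n 1)` extracts exactly that argument and sidesteps the `ps | grep` self-match. The same pipeline is duplicated in the how-to-build-and-test-ccv0.md hunk and should be updated together.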
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Mon, 4 Apr 2022 14:25:48 +0200
Subject: [PATCH 2/3] ccv0.sh: Expand to also using Cloud Hypervisor
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Right now the script only support QEMU, but there's not a reason to do that, mainly considering we already have the tests parity in the CIs between QEMU and Clouud Hypervisor. With this in mind, let's expand this script to also using Cloud Hypervisor. Whether this script should use QEMU or Cloud Hypervisor is defined according to the KATA_HYPERVISOR environment variable.
Fixes: #4038
Signed-off-by: Fabiano FidĂȘncio
---
 docs/how-to/ccv0.sh | 27 +++++++++++++++++++++--
 docs/how-to/how-to-build-and-test-ccv0.md | 15 ++++++++++---
 2 files changed, 37 insertions(+), 5 deletions(-)
diff --git a/docs/how-to/ccv0.sh b/docs/how-to/ccv0.sh
index 3f6d10c589..5e8e9130bf 100755
--- a/docs/how-to/ccv0.sh
+++ b/docs/how-to/ccv0.sh
@@ -91,6 +91,7 @@ Commands:
 - build_and_install_all: Build and install everything
 - build_and_install_rootfs: Builds and installs the rootfs image
 - build_kata_runtime: Build and install the kata runtime
+- build_cloud_hypervisor Checkout, patch, build and install Cloud Hypervisor
 - build_qemu: Checkout, patch, build and install QEMU
 - configure: Configure Kata to use rootfs and enable debug
 - connect_to_ssh_demo_pod: Ssh into the ssh demo pod, showing that the decryption succeeded
@@ -127,7 +128,18 @@ build_and_install_all() {
 create_a_local_rootfs
 build_and_install_rootfs
 install_guest_kernel_image
- build_qemu
+ case "$KATA_HYPERVISOR" in
+ "qemu")
+ build_qemu
+ ;;
+ "cloud-hypervisor")
+ build_cloud_hypervisor
+ ;;
+ *)
+ echo "Invalid option: $KATA_HYPERVISOR is not supported." >&2
+ ;;
+ esac
+
 check_kata_runtime
 if [ "${KUBERNETES}" == "yes" ]; then
 init_kubernetes
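Review bot: The added usage entry `+- build_cloud_hypervisor Checkout, patch, build and install Cloud Hypervisor` is the only item in this list without a colon after the command name; for consistency with the surrounding lines it should read `- build_cloud_hypervisor: Checkout, patch, build and install Cloud Hypervisor`. The same line is added to the command list in the how-to-build-and-test-ccv0.md hunk of this patch and has the same omission.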
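Review bot: The `*)` branch of the new case statement only echoes `Invalid option: $KATA_HYPERVISOR is not supported.` and then lets build_and_install_all carry on into check_kata_runtime and the Kubernetes setup with no hypervisor installed; the echo should be followed by `exit 1` (or `return 1` if the script relies on a caller to handle the failure). Nothing in this series assigns a default to KATA_HYPERVISOR, so unless the script does so elsewhere, leaving the variable unset also lands in this branch even though the how-to says QEMU is the default; a line such as `KATA_HYPERVISOR=${KATA_HYPERVISOR:-qemu}` next to the script's other defaults would make the documented behaviour hold. The build_and_install_kata_runtime hunk later in this patch has the same exposure, since it passes `DEFAULT_HYPERVISOR=${KATA_HYPERVISOR}` to make and an unset variable would hand make an empty value instead of letting the Makefile's own default apply.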
@@ -199,7 +211,7 @@ check_out_repos() {
 build_and_install_kata_runtime() {
 pushd ${katacontainers_repo_dir}/src/runtime
- make clean && make && sudo -E PATH=$PATH make install
+ make clean && make DEFAULT_HYPERVISOR=${KATA_HYPERVISOR} && sudo -E PATH=$PATH make DEFAULT_HYPERVISOR=${KATA_HYPERVISOR} install
 debug_output "We should have created Kata runtime binaries:: /usr/local/bin/kata-runtime and /usr/local/bin/containerd-shim-kata-v2"
 debug_output "We should have made the Kata configuration file: /usr/share/defaults/kata-containers/configuration.toml"
 debug_output "kata-runtime version: $(kata-runtime version)"
@@ -330,6 +342,14 @@ build_qemu() {
 ${tests_repo_dir}/.ci/install_qemu.sh
 }
+build_cloud_hypervisor() {
+ # While we still rely on the C version of virtiofsd, let's
+ # install QEMU, which will then bring virtiofsd together.
+ build_qemu
+
+ ${tests_repo_dir}/.ci/install_cloud_hypervisor.sh
+}
+
 check_kata_runtime() {
 sudo kata-runtime check
 }
@@ -580,6 +600,9 @@ main() {
 install_guest_kernel)
 install_guest_kernel_image
 ;;
+ build_cloud_hypervisor)
+ build_cloud_hypervisor
+ ;;
 build_qemu)
 build_qemu
 ;;
diff --git a/docs/how-to/how-to-build-and-test-ccv0.md b/docs/how-to/how-to-build-and-test-ccv0.md
index 8321a0d622..864fa9f988 100644
--- a/docs/how-to/how-to-build-and-test-ccv0.md
+++ b/docs/how-to/how-to-build-and-test-ccv0.md
@@ -44,6 +44,12 @@ $ chmod u+x ccv0.sh
 ```
 `skopeo` is required for passing source credentials and verifying container image signatures using the kata agent.
+ - By default the build and configuration are using `QEMU` as the hypervisor. In order to use `Cloud Hypervisor` instead
+ set:
+ ```
+ $ export KATA_HYPERVISOR="cloud-hypervisor"
+ ```
+ before running the build.
 - At this point you can provision a Kata confidential containers pod and container with either [`crictl`](#using-crictl-for-end-to-end-provisioning-of-a-kata-confidential-containers-pod-with-an-unencrypted-image),
@@ -55,6 +61,7 @@ $ chmod u+x ccv0.sh
 - Run the full build process with Kubernetes off, so it's configure doesn't interfere with `crictl` using:
 ```bash
 $ export KUBERNETES="no"
+ $ export KATA_HYPERVISOR="qemu"
 $ ~/ccv0.sh -d build_and_install_all
 ```
 > **Note**: Much of this script has to be run as `sudo`, so you are likely to get prompted for your password.
@@ -70,7 +77,8 @@ $ chmod u+x ccv0.sh
 - Create, build and install a rootfs for the Kata hypervisor to use. For 'CCv0' this is currently based on Ubuntu 20.04 and has extra packages like `umoci` added.
 - Build the Kata guest kernel
- - Install QEMU
+ - Install the hypervisor (in order to select which hypervisor will be used, the `KATA_HYPERVISOR` environment
+ variable can be used to select between `qemu` or `cloud-hypervisor`)
 > **Note**: Depending on how where your VMs are hosted and how IPs are shared you might get an error from docker during matching `ERROR: toomanyrequests: Too Many Requests`. To get past this, login into Docker Hub and pull the images used with:
@@ -454,8 +462,8 @@ it ever being available to the host.
 As well as being able to use the script as above to build all of `kata-containers` from scratch it can be used to just re-build bits of it by running the script with different parameters. For example after the first build you will often
-not need to re-install the dependencies, QEMU or the Guest kernel, but just test code changes made to the runtime and
-agent. This can be done by running `~/ccv0.sh rebuild_and_install_kata`. (*Note this does a hard checkout*
+not need to re-install the dependencies, the hypervisor or the Guest kernel, but just test code changes made to the
+runtime and agent. This can be done by running `~/ccv0.sh rebuild_and_install_kata`. (*Note this does a hard checkout*
 *from git, so if your changes are only made locally it is better to do the individual steps e.g.*
 `~/ccv0.sh build_kata_runtime && ~/ccv0.sh build_and_add_agent_to_rootfs && ~/ccv0.sh build_and_install_rootfs`).
 There are commands for a lot of steps in building, setting up and testing and the full list can be seen by running
@@ -480,6 +488,7 @@ Commands:
 - build_and_add_agent_to_rootfs:Builds the kata-agent and adds it to the rootfs
 - build_and_install_rootfs: Builds and installs the rootfs image
 - install_guest_kernel: Setup, build and install the guest kernel
+- build_cloud_hypervisor Checkout, patch, build and install Cloud Hypervisor
 - build_qemu: Checkout, patch, build and install QEMU
 - init_kubernetes: initialize a Kubernetes cluster on this system
 - crictl_create_cc_pod Use crictl to create a new kata cc pod
From bdb0f6b471f7aca7f761f9ac090550dcedacba75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?=
Date: Tue, 5 Apr 2022 19:41:21 +0200
Subject: [PATCH 3/3] how-to,ccv0: Reword the full build sentence
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Let's reword the sentence so it's easier for someone who's not a native nor familiar with the project to understand.
Signed-off-by: Fabiano FidĂȘncio
---
 docs/how-to/how-to-build-and-test-ccv0.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docs/how-to/how-to-build-and-test-ccv0.md b/docs/how-to/how-to-build-and-test-ccv0.md
index 864fa9f988..fc06b4b14f 100644
--- a/docs/how-to/how-to-build-and-test-ccv0.md
+++ b/docs/how-to/how-to-build-and-test-ccv0.md
@@ -58,7 +58,7 @@ $ chmod u+x ccv0.sh
 ### Using `crictl` for end-to-end provisioning of a Kata confidential containers pod with an unencrypted image
-- Run the full build process with Kubernetes off, so it's configure doesn't interfere with `crictl` using:
+- Run the full build process with Kubernetes turned off, so its configuration doesn't interfere with `crictl` using:
 ```bash
 $ export KUBERNETES="no"
 $ export KATA_HYPERVISOR="qemu"