mirror of https://github.com/kata-containers/kata-containers.git synced 2025-04-27 11:31:05 +00:00

History

Fabiano Fidêncio 585f82f730 osbuilder: ubuntu: Ensure OS_VERSION is passed & used Right now we're hitting an interesting situation with osbuilder, where regardless of what's being passed Ubuntu 20.04 (focal) is being used when building the rootfs-image, as shown in the snippets of the logs below: ``` ffidenci@tatu:~/src/upstream/kata-containers/kata-containers$ make rootfs-image-confidential-tarball /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build//kata-deploy-copy-libseccomp-installer.sh "agent" make agent-tarball-build ... make pause-image-tarball-build ... make coco-guest-components-tarball-build ... make kernel-confidential-tarball-build ... make rootfs-image-confidential-tarball-build make[1]: Entering directory '/home/ffidenci/src/upstream/kata-containers/kata-containers' /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build//kata-deploy-binaries-in-docker.sh --build=rootfs-image-confidential sha256:f16c57890b0e85f6e1bbe1957926822495063bc6082a83e6ab7f7f13cabeeb93 Build kata version 3.13.0: rootfs-image-confidential INFO: DESTDIR /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-image-confidential/destdir INFO: Create image build image ~/src/upstream/kata-containers/kata-containers/tools/osbuilder ~/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-image-confidential/builddir INFO: Build image INFO: image os: ubuntu INFO: image os version: latest Creating rootfs for ubuntu /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/rootfs.sh -o 3.13.0-13f0807e9f5687d8e5e9a0f4a0a8bb57ca50d00c-dirty -r /home/ffidenci/src/upstream/kata-containers/kata-containers/tools/packaging/kata-deploy/local-build/build/rootfs-image-confidential/builddir/rootfs-image/ubuntu_rootfs ubuntu INFO: rootfs_lib.sh file found. Loading content ~/src/upstream/kata-containers/kata-containers/tools/osbuilder/rootfs-builder/ubuntu ~/src/upstream/kata-containers/kata-containers/tools/osbuilder ~/src/upstream/kata-containers/kata-containers/tools/osbuilder INFO: rootfs_lib.sh file found. Loading content INFO: build directly WARNING: apt does not have a stable CLI interface. Use with caution in scripts. Get:1 http://security.ubuntu.com/ubuntu focal-security InRelease [128 kB] Get:2 http://archive.ubuntu.com/ubuntu focal InRelease [265 kB] Get:3 http://archive.ubuntu.com/ubuntu focal-updates InRelease [128 kB] Get:4 http://security.ubuntu.com/ubuntu focal-security/restricted amd64 Packages [4276 kB] Get:5 http://archive.ubuntu.com/ubuntu focal-backports InRelease [128 kB] Get:6 http://archive.ubuntu.com/ubuntu focal/universe amd64 Packages [11.3 MB] Get:7 http://security.ubuntu.com/ubuntu focal-security/universe amd64 Packages [1297 kB] Get:8 http://security.ubuntu.com/ubuntu focal-security/multiverse amd64 Packages [30.9 kB] Get:9 http://security.ubuntu.com/ubuntu focal-security/main amd64 Packages [4187 kB] Get:10 http://archive.ubuntu.com/ubuntu focal/restricted amd64 Packages [33.4 kB] Get:11 http://archive.ubuntu.com/ubuntu focal/main amd64 Packages [1275 kB] Get:12 http://archive.ubuntu.com/ubuntu focal/multiverse amd64 Packages [177 kB] Get:13 http://archive.ubuntu.com/ubuntu focal-updates/main amd64 Packages [4663 kB] Get:14 http://archive.ubuntu.com/ubuntu focal-updates/universe amd64 Packages [1589 kB] Get:15 http://archive.ubuntu.com/ubuntu focal-updates/multiverse amd64 Packages [34.6 kB] Get:16 http://archive.ubuntu.com/ubuntu focal-updates/restricted amd64 Packages [4463 kB] Get:17 http://archive.ubuntu.com/ubuntu focal-backports/main amd64 Packages [55.2 kB] Get:18 http://archive.ubuntu.com/ubuntu focal-backports/universe amd64 Packages [28.6 kB] Fetched 34.1 MB in 5s (6284 kB/s) ... ``` The reason this is happening is due to a few issues in different places: 1. IMG_OS_VERSION, passed to osbuilder, is not used anywhere and OS_VERSION should be used instead. And we should break if OS_VERSION is not properly passed down 2. Using UBUNTU_CODENAME is simply wrong, as it'll use whatever comes as the base container from kata-deploy's local-build scripts, and it has just been working by luck Note that at the same time this commit fixes the wrong behaviour, it would break the rootfses build as they are, this we need to set the versions.yaml to use 20.04 were it was already using 20.04 even without us knowing. Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>		2025-01-27 14:19:42 +01:00
..
dockerfiles/QAT	scrips: Fix indentation in QAT run script	2024-07-08 20:23:50 +00:00
dracut	tools: Fix container image build warning	2024-08-07 15:49:01 +08:00
image-builder	rootfs: delete systemd units/files from rootfs.sh	2025-01-13 21:28:23 +00:00
initrd-builder	gpu: rootfs/initrd build init	2024-07-22 10:19:05 +00:00
rootfs-builder	osbuilder: ubuntu: Ensure OS_VERSION is passed & used	2025-01-27 14:19:42 +01:00
scripts	rootfs: Install Rust only when necessary	2024-06-28 22:19:46 +00:00
tests	osbuilder: Drop Clear Linux	2024-11-11 15:22:55 +01:00
.gitignore	tools: Add some new gitignore items	2022-12-14 11:38:23 +08:00
Makefile	build: allow rootfs builds w/o git or VERSION file deps	2024-06-13 22:46:52 +00:00
README.md	osbuilder: Drop Clear Linux	2024-11-11 15:22:55 +01:00
VERSION	build: Only keep one VERSION file	2021-03-31 23:51:20 +02:00

README.md

osbuilder

Introduction

The Kata Containers runtime creates a virtual machine (VM) to isolate a set of container workloads. The VM requires a guest kernel and a guest operating system ("guest OS") to boot and create containers inside the guest environment.

This repository contains tools to create a guest OS disk image.

Terms

This section describes the terms used for all documentation in this repository.

rootfs

The root filesystem or "rootfs" is a slight misnomer as it is not a true filesystem. It is a tree of files contained in a particular directory, which represents the root disk layout. A rootfs can be turned into either an image or an initrd.

See the rootfs creation section.
"Guest OS" (or "Guest Image")

A "virtual disk" or "disk image" built from a rootfs. It contains a filesystem that is used by the VM, in conjunction with a guest kernel, to create an environment to host the container. Neither the guest OS nor the guest kernel need to be the same as the host operating system.

See the image creation section.
initrd (or "initramfs")

A compressed cpio(1) archive, created from a rootfs which is loaded into memory and used as part of the Linux startup process. During startup, the kernel unpacks it into a special instance of a tmpfs that becomes the initial root filesystem.

See the initrd creation section.
"Base OS"

A particular version of a Linux distribution used to create a rootfs from.
dracut

A guest OS build method where the building host is used as the Base OS. For more information refer to the dracut homepage.
Agent init

The Guest OS should have the Kata Containers agent started on boot time.

That is achieved by using a system manager (for example, systemd) which will evoke the agent binary; or having the agent itself as the init process.

Building

The top-level Makefile contains an example of how to use the available components. Set DEBUG=true to execute build scripts in debug mode.

Two build methods are available, distro and dracut. By default, the distro build method is used, and this creates a rootfs using distro specific commands (e.g.: debootstrap for Debian or yum for CentOS). The dracut build method uses the distro-agnostic tool dracut to obtain the same goal.

By default components are run on the host system. However, some components offer the ability to run from within a container (for ease of setup) by setting the USE_DOCKER=true or USE_PODMAN=true variable. If both are set, USE_DOCKER=true takes precedence over USE_PODMAN=true.

For more detailed information, consult the documentation for a particular component.

When invoking the appropriate make target as showed below, a single command is used to generate an initrd or an image. This is what happens in details:

A rootfs is generated based on the specified target distribution.
The rootfs is provisioned with Kata-specific components and configuration files.
The rootfs is used as a base to generate an initrd or an image.

When using the dracut build method however, the build sequence is different:

An overlay directory is populated with Kata-specific components.
dracut is instructed to merge the overlay directory with the required host-side filesystem components to generate an initrd.
When generating an image, the initrd is extracted to obtain the base rootfs for the image.

Ubuntu is the default distro for building the rootfs, to use a different one, you can set DISTRO=alpine|debian|ubuntu|cbl-mariner. For example make USE_DOCKER=true DISTRO=alpine rootfs will make an Alpine rootfs using Docker.

Rootfs creation

This section shows how to build a basic rootfs using the default distribution. For further details, see the rootfs builder documentation.

Rootfs with systemd as init

$ sudo -E PATH=$PATH make USE_DOCKER=true rootfs

Rootfs with the agent as init

$ sudo -E PATH=$PATH make USE_DOCKER=true AGENT_INIT=yes rootfs

dracut based rootfs

Note

: the dracut build method does not need a rootfs as a base for an image or initrd. However, a rootfs can be generated by extracting the generated initrd.

$ sudo -E PATH=$PATH make BUILD_METHOD=dracut rootfs

Image creation

This section shows how to create an image from the already-created rootfs. For further details, see the image builder documentation.

Image with systemd as init

$ sudo -E PATH=$PATH make USE_DOCKER=true image

Image with the agent as init

$ sudo -E PATH=$PATH make USE_DOCKER=true AGENT_INIT=yes image

dracut based image

Note: the dracut build method generates an image by first building an initrd, and then using the rootfs extracted from it.

$ sudo -E PATH=$PATH make BUILD_METHOD=dracut image

Initrd creation

Rootfs based initrd

Create an initrd from the already-created rootfs and with the agent acting as the init daemon using:

$ sudo -E PATH=$PATH make AGENT_INIT=yes initrd

dracut based initrd

Create an initrd using the dracut build method with:

$ sudo -E PATH=$PATH make BUILD_METHOD=dracut AGENT_INIT=yes initrd

For further details, see the initrd builder documentation.

dracut options

Add kernel modules

If the initrd or image needs to contain kernel modules, this can be done by:

Specify the name of the modules (as reported by modinfo MODULE-NAME) in dracut/dracut.conf.d/10-drivers.conf. For example this file can contain:

drivers="9p 9pnet 9pnet_virtio"

Set the DRACUT_KVERSION make variable to the release name of the kernel that is paired with the built image or initrd, using the uname -r format. For example:

$ make BUILD_METHOD=dracut DRACUT_KVERSION=5.2.1-23-kata AGENT_INIT=yes initrd

Custom images

The Kata Containers kernel and rootfs images are by design "minimal". If advanced, site specific, or customized features are required, then building a customized kernel and/or rootfs may be required.

The below are some examples which may help or be useful for generating a customized system.

Intel® QuickAssist Technology (QAT) customized kernel and rootfs

As documented in the Intel® QAT Kata use-case documentation, enabling this hardware requires a customized kernel and rootfs to work with Kata. To ease building of the kernel and rootfs, a Dockerfile is supplied, that when run, generates the required kernel and rootfs binaries.

Testing

$ make test

For further details, see the tests documentation.

Platform-Distro Compatibility Matrix

The following table illustrates what target architecture is supported for each of the the osbuilder distributions.

Note: this table is not relevant for the dracut build method, since it supports any Linux distribution and architecture where dracut is available.

	Alpine	CentOS Stream	Clear Linux	Debian/Ubuntu	CBL-Mariner
ARM64	✔️	✔️
PPC64le		✔️		✔️
s390x		✔️		✔️
x86_64	✔️	✔️	✔️	✔️	✔️