aljaz/kata-containers
1
0
Fork 0
mirror of https://github.com/aljazceru/kata-containers.git synced 2026-02-14 02:54:21 +01:00
Code Issues Packages Projects Releases Wiki Activity

doc: Add pull image support to shim

Browse Source 
- Add a ctr shim pull image function to CCv0.sh
- Add information on how to use it in the how-to doc

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
This commit is contained in:
stevenhorsman
2021-10-15 09:52:52 +01:00
parent 02f6db595c
commit d57648eb13
2 changed files with 99 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
docs/how-to/ccv0.sh
View File

@@ -88,6 +88,7 @@ Commands:
- open_kata_console: Stream the kata runtime's console
- open_kata_shell: Open a shell into the kata runtime
- agent_pull_image: Run PullImage command against the agent with agent-ctl
- shim_pull_image: Run PullImage command against the shim with ctr
- agent_create_container: Run CreateContainer command against the agent with agent-ctl
- test: Test using kata with containerd
- test_capture_logs: Test using kata with containerd and capture the logs in the user's home directory
@@ -399,11 +400,17 @@ agent_pull_image() {
run_agent_ctl_command "PullImage image=${PULL_IMAGE} cid=${CONTAINER_ID} source_creds=${SOURCE_CREDS}"
}
agent_create_container() {
run_agent_ctl_command "CreateContainer cid=${CONTAINER_ID}"
}
shim_pull_image() {
get_ids
ctr_shim_command="ctr --namespace k8s.io shim --id ${sandbox_id} pull-image ${PULL_IMAGE} ${CONTAINER_ID}"
echo "Issuing command '${ctr_shim_command}'"
${ctr_shim_command}
}
main() {
while getopts "dh" opt; do
case "$opt" in
@@ -491,10 +498,13 @@ main() {
agent_create_container)
agent_create_container
;;
shim_pull_image)
shim_pull_image
;;
*)
usage 1
;;
esac
}
main $@
main $@

108
docs/how-to/how-to-build-and-test-ccv0.md
View File

@@ -2,34 +2,61 @@
## Introduction and Background
In order to try and make building (locally) and demoing the Kata Containers `CCv0` code base as simple as possible I've shared a script [`ccv0.sh`](./ccv0.sh). This script was originally my attempt to automate the steps of the [Developer Guide](https://github.com/kata-containers/kata-containers/blob/main/docs/Developer-Guide.md) so that I could do different sections of them repeatedly and reliably as I was playing around with make changes to different parts of the Kata code base. I then tried to weave in some of the [`tests/.ci`](https://github.com/kata-containers/tests/tree/main/.ci) scripts in order to have less duplicated code and to make it support for platforms. Finally I extended it to include some calls to start kata pods in Kubernetes and call [`agent-ctl`](https://github.com/kata-containers/kata-containers/tree/main/tools/agent-ctl) to test the agent endpoint for pull image on guest for the CCv0 roadmap.
In order to try and make building (locally) and demoing the Kata Containers `CCv0` code base as simple as possible I've
shared a script [`ccv0.sh`](./ccv0.sh). This script was originally my attempt to automate the steps of the
[Developer Guide](https://github.com/kata-containers/kata-containers/blob/main/docs/Developer-Guide.md) so that I could do
different sections of them repeatedly and reliably as I was playing around with make changes to different parts of the
Kata code base. I then tried to weave in some of the [`tests/.ci`](https://github.com/kata-containers/tests/tree/main/.ci)
scripts in order to have less duplicated code and to make it support for platforms. Finally I extended it to include some
calls to start kata pods in Kubernetes and call
[`agent-ctl`](https://github.com/kata-containers/kata-containers/tree/main/tools/agent-ctl) and [`ctr shim`] to test the
shim and agent endpoint for pull image on guest for the CCv0 roadmap.
At the time of writing we only have some basic Kata agent pull image support for CCv0 included into the [`CCv0` branch](https://github.com/kata-containers/kata-containers/tree/CCv0), so the testing is limited to this, but as more functionality is added I'm hoping that this script can grow and expand to handle it.
At the time of writing we only have some basic Kata agent and containerd shim support for image offload included into the
[`CCv0` branch](https://github.com/kata-containers/kata-containers/tree/CCv0), so the testing is limited to this, but as
more functionality is added I'm hoping that this script can grow and expand to handle it.
*Disclaimer: This script has mostly just been used and tested by me ([@stevenhorsman](https://github.com/stevenhorsman)), so there might be issues with it. I'm happy to try and help solve these if possible, but this shouldn't be considered a fully supported process by the Kata Containers community.*
*Disclaimer: This script has mostly just been used and tested by me ([@stevenhorsman](https://github.com/stevenhorsman)),*
*so there might be issues with it. I'm happy to try and help solve these if possible, but this shouldn't be considered a*
*fully supported process by the Kata Containers community.*
## Basic demo How-to
In order to build, and demo the CCv0 functionality, these are the steps I take:
In order to build, and demo the CCv0 functionality, these are the steps I take (*Note: I've only tested this script*
*running as root*):
- Provision a new VM
- *I choose a Ubuntu 20.04 8GB VM for this as I had one available. I think that the only part of the script that is OS dependent is the install of `git`, `socat` and `qemu-utils`(optional) using apt-get to bootstrap the rest of the installs. In order to run this on any platform just use your package manager to install these before running the `ccv0.sh` script and comment out the apt-get line with `sudo sed -i -e 's/\(sudo apt-get update .*\)$/# \1/g' ccv0.sh`*.
- Copy the script over to your VM *(I put it in the home directory)* and ensure it has execute permission by running `chmod u+x ccv0.sh`
- *I choose a Ubuntu 20.04 8GB VM for this as I had one available. There are some dependences on apt-get installed*
*packages, so these will need re-working to be compatible with other platforms.*
- Copy the script over to your VM *(I put it in the home directory)* and ensure it has execute permission by running
`chmod u+x ccv0.sh`
- Optionally set up some environment variables
- By default the script checks out the `CCv0` branches of the `kata-containers/kata-containers` and `kata-containers/tests` repositories, but it is designed to be used to test of personal forks and branches as well. If you want to build and run these you can export the `katacontainers_repo`, `katacontainers_branch`, `tests_repo` and `tests_branch` variables e.g. `export katacontainers_repo=github.com/stevenhorsman/kata-containers && export katacontainers_branch=stevenh/agent-pull-image-endpoint && export tests_repo=github.com/stevenhorsman/tests && export tests_branch=stevenh/add-ccvo-changes-to-build` before running the script.
- By default the script checks out the `CCv0` branches of the `kata-containers/kata-containers` and
`kata-containers/tests` repositories, but it is designed to be used to test of personal forks and branches as well.
If you want to build and run these you can export the `katacontainers_repo`, `katacontainers_branch`, `tests_repo`
and `tests_branch` variables e.g. `export katacontainers_repo=github.com/stevenhorsman/kata-containers && export katacontainers_branch=stevenh/agent-pull-image-endpoint && export tests_repo=github.com/stevenhorsman/tests && export tests_branch=stevenh/add-ccvo-changes-to-build`
before running the script.
- Run the full build process with `. ~/ccv0.sh -d build_and_install_all`
- *I run this script sourced just so that the required installed components are accessible on the `PATH` to the rest of the process without having to reload the session.*
- *I run this script sourced just so that the required installed components are accessible on the `PATH` to the rest*
*of the process without having to reload the session.*
- The steps that `build_and_install_all` takes is:
- Checkout the git repos for the `tests` and `kata-containers` repos as specified by the environment variables (default to `CCv0` branches if they are not supplied)
- Checkout the git repos for the `tests` and `kata-containers` repos as specified by the environment variables
(default to `CCv0` branches if they are not supplied)
- Use the `tests/.ci` scripts to install the build dependencies
- Build and install the Kata runtime
- Configure Kata to use containerd and for debug to be enabled (including enabling console access to the kata-runtime, which should only be done in development)
- Create, build and install a rootfs for the Kata hypervisor to use. For 'CCv0' this is currently based on Fedora 34 and has extra packages like `skopeo` and `umoci` added.
- Configure Kata to use containerd and for debug to be enabled (including enabling console access to the
kata-runtime, which should only be done in development)
- Create, build and install a rootfs for the Kata hypervisor to use. For 'CCv0' this is currently based on Ubuntu
20.04 and has extra packages like `skopeo` and `umoci` added.
- Build the Kata guest kernel
- Install QEMU
- Set up `agent-ctl` testing by building the binary and configuring a bundle directory for it
- Initialising Kubernetes to use the VM as a single node cluster
- The first time this runs it may take a while, but subsequent runs will be quicker as more things are already installed and they can be further cut down by not running all the above steps [see "Additional script usage" below](#additional-script-usage)
- *Depending on how where your VMs are and how IPs are shared you might possibly get an error during "Store custom stress image in registry" from docker matching `ERROR: toomanyrequests: Too Many Requests`. In order to get around this log into docker hub with `sudo docker login` and re-run the step with `. ~/ccv0.sh -d init_kubernetes`.*
- The first time this runs it may take a while, but subsequent runs will be quicker as more things are already
installed and they can be further cut down by not running all the above steps
[see "Additional script usage" below](#additional-script-usage)
- *Depending on how where your VMs are and how IPs are shared you might possibly get an error during "Store custom*
*stress image in registry" from docker matching `ERROR: toomanyrequests: Too Many Requests`. In order to get around*
*this log into docker hub with `docker login` and re-run the step with `. ~/ccv0.sh -d init_kubernetes`.*
- Check that your Kubernetes cluster has been correctly set-up:
```
$ kubectl get nodes
@@ -49,7 +76,8 @@ $ kubectl get pods
NAME READY STATUS RESTARTS AGE
nginx-kata 1/1 Running 0 29s
```
- Create a new terminal to the VM and open shell into kata container and check the `/run/kata-containers` directory doesn't have a bundle unpack for container id `0123456789`:
- Create a new terminal to the VM and open shell into kata container and check the `/run/kata-containers` directory
doesn't have a bundle unpack for container id `0123456789`:
```
$ ~/ccv0.sh -d open_kata_shell
bash-5.1# ls -al /run/kata-containers/
@@ -65,13 +93,44 @@ drwxr-xr-x 3 root root 60 Sep 6 09:44 shared
```
$ ~/ccv0.sh -d open_kata_console
```
- In the first terminal run the pull image agent endpoint:
- In the first terminal run the pull image on guest command against the Kata agent, via the shim (`containerd-shim-kata-v2`).
This can be achieved using the [containerd](https://github.com/containerd/containerd) CLI tool, `ctr`, which can be used to
interact with the shim directly. The command takes the form
`ctr --namespace k8s.io shim --id <sandbox-id> pull-image <image> <new-container-id>` and can been run directly, or through
the `ccv0.sh` script to automatically fill in the variables:
- Optionally set up some environment variables to set the image and credentials used:
- By default the agent pull test in `ccv0.sh` will use the image `registry.fedoraproject.org/fedora:latest` which requires no authentication. If you want to use a different image, first set the `PULL_IMAGE` environment variable e.g. `export PULL_IMAGE="docker.io/library/busybox:latest"`.
- If the container registry for the image requires authentication then this can be set with an environment variable `SOURCE_CREDS`. For example to use `docker.io` as an authenticated user first run `export SOURCE_CREDS="<dockerhub username>:<dockerhub api key>"`
- *Note: the credentials support on the agent request is a tactical solution for the short-term proof of concept to allow more images to be pulled and tested. Once we have support for getting keys into the kata guest using the attestation-agent and/or KBS I'd expect container registry credentials to be looked up using that mechanism.*
- Run the pull image agent endpoint with `~/ccv0.sh -d agent_pull_image`:
- *For unknown reasons sometimes the unpack fails the first time and the sandbox crashes, but seems to work the second time and the pod will restart automatically, so just re-open the shell and console and re-run the agent_pull_image.*
- By default the shim pull image test in `ccv0.sh` will use the image `registry.fedoraproject.org/fedora:latest`
which requires no authentication. If you want to use a different image, first set the `PULL_IMAGE` environment
variable e.g. `export PULL_IMAGE="docker.io/library/busybox:latest"`. Currently the containerd shim pull image
code doesn't support using a container registry that requires authentication, so if this is required, see the
below steps to run the pull image command against the agent directly.
- Run the pull image agent endpoint with `~/ccv0.sh -d shim_pull_image`:
- *For reasons, we think are related to the disk space remaining when unpacking the image bundle, sometimes the*
*[unpack fails the first time and the sandbox crashes](https://github.com/kata-containers/kata-containers/issues/2876),*
*but seems to work the second time and the pod will restart automatically, so just re-open the shell and console and*
*re-run the shim_pull_image.*
```bash
$ ~/ccv0.sh shim_pull_image
Issuing command 'ctr --namespace k8s.io shim --id 4cabb081a0d90e0d041e433eebf315983ef2a945f1b1759dea51ea41ceff3ac8 pull-image registry.fedoraproject.org/fedora:latest 0123456789'
```
- Alternatively you can issue the command directly to the kata-agent pull image endpoint, which also supports
credentials in order to pull from an authenticated registry:
- Optionally set up some environment variables to set the image and credentials used:
- Set the `PULL_IMAGE` environment variable e.g. `export PULL_IMAGE="docker.io/library/busybox:latest"`
if a specific container image is required.
- If the container registry for the image requires authentication then this can be set with an environment
variable `SOURCE_CREDS`. For example to use `docker.io` as an authenticated user first run
`export SOURCE_CREDS="<dockerhub username>:<dockerhub api key>"`
- *Note: the credentials support on the agent request is a tactical solution for the short-term*
*proof of concept to allow more images to be pulled and tested. Once we have support for getting*
*keys into the kata guest using the attestation-agent and/or KBS I'd expect container registry*
*credentials to be looked up using that mechanism.*
- Run the pull image agent endpoint with `~/ccv0.sh -d agent_pull_image`:
- *For reasons, we think are related to the disk space remaining when unpacking the image bundle,*
*sometimes the*
*[unpack fails the first time and the sandbox crashes](https://github.com/kata-containers/kata-containers/issues/2876),*
*but seems to work the second time and the pod will restart automatically, so just re-open the shell and console*
*and re-run the agent_pull_image.*
```
$ ~/ccv0.sh -d agent_pull_image
Finished release [optimized] target(s) in 0.21s
@@ -188,7 +247,14 @@ pod "nginx-kata" deleted
## Additional script usage
As well as being able to use the script as above to build all of kata-containers from scratch it can be used to just re-build bits of it by running the script with different parameters. For example after the first build you will often not need to re-install the dependencies, QEMU or the Guest kernel, but just test code changes made to the runtime and agent. This can be done by running `. ~/ccv0.sh -d rebuild_and_install_kata` (*Note this re-does the checkout from git, do you changes are only made locally it is better to do the individual steps e.g. `. ~/ccv0.sh -d build_kata_runtime && . ~/ccv0.sh -d build_and_add_agent_to_rootfs && . ~/ccv0.sh -d build_and_install_rootfs`).* There are commands for a lot of steps in building, setting up and testing and the full list can be seen by running `~/ccv0.sh help`:
As well as being able to use the script as above to build all of kata-containers from scratch it can be used to just
re-build bits of it by running the script with different parameters. For example after the first build you will often
not need to re-install the dependencies, QEMU or the Guest kernel, but just test code changes made to the runtime and
agent. This can be done by running `. ~/ccv0.sh -d rebuild_and_install_kata`. (*Note this does a hard checkout*
*from git, so if your changes are only made locally it is better to do the individual steps e.g.*
`. ~/ccv0.sh -d build_kata_runtime && . ~/ccv0.sh -d build_and_add_agent_to_rootfs && . ~/ccv0.sh -d build_and_install_rootfs`).
There are commands for a lot of steps in building, setting up and testing and the full list can be seen by running
`~/ccv0.sh help`:
```
$ ~/ccv0.sh help
Overview: