- Update kata-deploy to use CRI-O drop-in files
- Update dependencies versions
- fix build kernel shell error when setup with `-f`
- virtcontainers: Fix virtio-fs on s390x
- Runtimeclass updates
- versions: Upgrade to cloud-hypervisor v15.0
- clh: return error if apiSocketPath failed
- runtime: fix dropped error
- agent: Update seccomp configuration for errnoRet and flags
- Fix the issue that sandbox size is not right after update
- docs: Document limitation regarding subpaths
- qemu: kill virtiofsd if failure to start VMM
- runtime/virtcontainers: Fix typo on qmp error msg
- cli: delete not used files
- runtime: delete not used function parameter builtIn
- add io.katacontainers.config.hypervisor.virtio_fs_extra_args handling
- Entropy source annotation
- runtime: Fix stdout/stderr output from container being truncated
- fix the issue of missing set fsGroup for EphemeralStorage
- qemu: Fix assertion failure on shutdown
- Assorted clippy fixes for Rust agent
- agent: use channel instead of pipe(2) to send exit signal of process
- Improve agent shutdown handling
- Enable virtio-fs on s390x
- block: Generate PCI path for virtio-blk devices on clh
- runtime: Disable trace for healthcheck
- agent/rustjail: Fix accidental damage from tokio conversion
- cli: Use genericGetExpectedHostDetails on s390x
- runtime/tests: Change "moo FAILURE" message
- Update the information about the release process
- remove ProcessListContainer API

2047f26f kata-deploy: Adapt CRI-O config to use drop-in files
8de2f914 kata-deploy: Rely on CRIO default's values for manage_ns_lifecycle
ea9936e0 versions: Bump runc to v1.0.0-rc93
9c333b2c versions: Bump CRI-O version to 1.21.x
e33f207b versions: Bump critools version to 1.21.0
8e5df723 versions: Bump kubernetes version to 1.21.0
d15f84c9 versions: Remove Docker entry
516f4ec0 versions: Remove OpenShift entry
be101ac1 versions: Remove CRI-O meta dependencies
1ca6bedf versions: Upgrade to cloud-hypervisor v15.0
906c0df4 kata-deploy: don't update worker pool nodes
3ee61776 virtcontainers: Enable virtio-fs on s390x
8385ff95 runtime: Re-vendor GoVMM
adba4532 virtcontainers: Revert "virtcontainers: Allow s390x appendVhostUserDevice"
ede078bc kata-deploy: aks-test: bump kubernetes/containerd
484af12b kata-deploy: update to handle new runtimeclass path
05c224c3 runtimeclass: add nodeSelector
ee7de8ab tools: fix build kernel shell error
7d5a4252 docs: Document limitation regarding subpaths
36776408 runtime/virtcontainers: Fix typo on qmp error msg
12a65d23 runtimeclass: drop stale runtimeclass definitions
0787ea80 cgroupsCreate: not set resources to c.config.Resources
831224aa Sandbox: Fix ContainerConfig ptr in CreateContainer and createContainers
a57c8ab1 qemu: kill virtiofsd if failure to start VMM
ff2b9e54 cli: delete not used files
0d0a520d clh: return error if apiSocketPath failed
fc6bb01a runtime: fix dropped error
30ff6ee8 runtime: handle io.katacontainers.config.hypervisor.virtio_fs_extra_args
677f0d99 runtime: delete not used function parameter builtIn
dcb9f403 config: Protect annotation for entropy_source
f4c26aad agent: fix the issue of missing set fsGroup for EphemeralStorage
628d55bf kata-agent: fix the issue of fsGroup missing
0405beb2 agent: Remove unused Default implementation for NamespaceType
7b83b7ec agent/uevent: Better initialize Uevent in test
b0190a40 agent: Use vec![] macro rather than init-then-push
1c43245e agent/device: Remove unneeded Result<> wrappers from uev matchers
e41cdb8b agent: Use str::is_empty() method in config::get_string_value()
2377c097 agent: Use CamelCase for NamespaceType values
75eca6d5 agent/rustjail: Clean up error path in execute_hook()s async task
6ce1e56d agent/rustjail: Remove an unnecessary PathBuf
3c4485ec agent/rustjail: Clean up some static definitions with vec! macro
eaec5a6c agent/oci: Change name case to make clippy happy
3f5fdae0 agent/rustjail: (trivial) Clean up comment on process_grpc_to_oci()
210f39a4 agent/rustjail: Simplify renaming imports
d4a54137 runtime: Fix stdout/stderr output from container being truncated
8ecf8e5c agent: use channel instead of pipe to send exit signal of process
81c5ff12 agent: Update seccomp configuration for errnoRet and flags
8a33bd4c qemu: Fix assertion failure on shutdown
7f609113 virtcontainers: Allow s390x appendVhostUserDevice
67ac4f45 runtime: update GoVMM for memory backend support
6577b01a agent/rustjail: Fix accidental damage from tokio conversion
de2631e7 utils: Make WaitLocalProcess safer
9256e590 shutdown: Don't sever console watcher too early
51ab8700 utils: Improve WaitLocalProcess
507ef636 utils: Add waitLocalProcess function
1d5098de agent/block: Generate PCI path for virtio-blk devices on clh
e7c97f0f runtime/tests: Change "moo FAILURE" message
8bc53498 docs: Simplify the repo bumping section
8a47b05a docs: Mention that an app token should be used with hub
d434c2e9 docs: OBS account is not require anymore
543f9da3 runtime: Disable trace for healthcheck
421439c6 API: remove ProcessListContainer/ListProcesses
1366f0fb cli: Use genericGetExpectedHostDetails on s390x

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
kata-deploy
kata-deploy provides a Dockerfile, which contains all of the binaries
and artifacts required to run Kata Containers, as well as reference DaemonSets, which can
be utilized to install Kata Containers on a running Kubernetes cluster.
Note that installation through the DaemonSets sets the katacontainers.io/kata-runtime label on
a node only if that node uses either containerd or CRI-O as its CRI shim.
Kubernetes quick start
Install Kata on a running Kubernetes cluster
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy
$ kubectl apply -f kata-rbac/base/kata-rbac.yaml
$ kubectl apply -f kata-deploy/base/kata-deploy.yaml
or on a k3s cluster:
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy
$ kubectl apply -k kata-deploy/overlays/k3s
Run a sample workload
Workloads specify the runtime they'd like to utilize by setting the appropriate runtimeClass object within
the Pod specification. The runtimeClass examples provided define a node selector to match the node label katacontainers.io/kata-runtime:"true",
which ensures the workload is only scheduled on a node that has Kata Containers installed.
runtimeClass is a built-in type in Kubernetes. To apply each Kata Containers runtimeClass:
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/runtimeclasses
$ kubectl apply -f kata-runtimeClasses.yaml
The following YAML snippet shows how to specify a workload should use Kata with Cloud Hypervisor:
spec:
  template:
    spec:
      runtimeClassName: kata-clh
The following YAML snippet shows how to specify a workload should use Kata with Firecracker:
spec:
  template:
    spec:
      runtimeClassName: kata-fc
The following YAML snippet shows how to specify a workload should use Kata with QEMU:
spec:
  template:
    spec:
      runtimeClassName: kata-qemu
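As an added example (not the project's own kata-runtimeClasses.yaml or the manifests under examples/), here is a complete RuntimeClass for the kata-qemu handler carrying the node selector described above, followed by a Deployment pinned to it. The handler name must match the runtime that kata-deploy registers in CRI-O or containerd; the image name and object names are placeholders.

```yaml
# Added example: RuntimeClass whose handler matches the "kata-qemu" runtime
# that kata-deploy registers in the CRI config. The scheduling.nodeSelector
# keeps pods off nodes that kata-deploy has not labelled, so a workload that
# asks for VM isolation cannot silently land where only runc is available.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata-qemu
handler: kata-qemu
scheduling:
  nodeSelector:
    katacontainers.io/kata-runtime: "true"
---
# A Deployment pinned to that RuntimeClass (placeholder names and image).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-kata-qemu
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-kata-qemu
  template:
    metadata:
      labels:
        app: example-kata-qemu
    spec:
      runtimeClassName: kata-qemu
      containers:
      - name: app
        image: example.invalid/app:1.0   # placeholder image
        securityContext:
          allowPrivilegeEscalation: false
```

If no node carries the katacontainers.io/kata-runtime="true" label, pods from this Deployment stay Pending rather than falling back to the default runtime, which is the visible check that the isolation request is being honoured.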
To run an example with kata-qemu:
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/examples
$ kubectl apply -f test-deploy-kata-qemu.yaml
To run an example with kata-fc:
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/examples
$ kubectl apply -f test-deploy-kata-fc.yaml
The following removes the test pods:
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/examples
$ kubectl delete -f test-deploy-kata-qemu.yaml
$ kubectl delete -f test-deploy-kata-fc.yaml
Remove Kata from the Kubernetes cluster
$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy
$ kubectl delete -f kata-deploy/base/kata-deploy.yaml
$ kubectl apply -f kata-cleanup/base/kata-cleanup.yaml
$ kubectl delete -f kata-cleanup/base/kata-cleanup.yaml
$ kubectl delete -f kata-rbac/base/kata-rbac.yaml
$ kubectl delete -f runtimeclasses/kata-runtimeClasses.yaml
kata-deploy details
Dockerfile
The Dockerfile used to create the container image deployed in the DaemonSet is provided here. This image contains all the necessary artifacts for running Kata Containers, all of which are pulled from the Kata Containers release page.
Host artifacts:
- cloud-hypervisor, firecracker, qemu-system-x86_64, and supporting binaries
- containerd-shim-kata-v2
- kata-collect-data.sh
- kata-runtime
Virtual Machine artifacts:
- kata-containers.img and kata-containers-initrd.img: pulled from the Kata GitHub releases page
- vmlinuz.container and vmlinuz-virtiofs.container: pulled from the Kata GitHub releases page
DaemonSets and RBAC
Two DaemonSets are introduced for kata-deploy, as well as an RBAC to facilitate
applying labels to the nodes.
Kata deploy
This DaemonSet installs the necessary Kata binaries, configuration files, and virtual machine artifacts on
the node. Once installed, the DaemonSet adds a node label katacontainers.io/kata-runtime=true and reconfigures
either CRI-O or containerd to register three runtimeClasses: kata-clh (for Cloud Hypervisor isolation), kata-qemu (for QEMU isolation),
and kata-fc (for Firecracker isolation). As a final step the DaemonSet restarts either CRI-O or containerd. Upon deletion,
the DaemonSet removes the Kata binaries and VM artifacts and updates the node label to katacontainers.io/kata-runtime=cleanup.
Kata cleanup
This DaemonSet runs on nodes that carry the label katacontainers.io/kata-runtime=cleanup. It removes
the katacontainers.io/kata-runtime label and restarts either the CRI-O or the containerd systemd
service. These resets cannot be executed during the preStop hook of the Kata installer DaemonSet,
which is why this final cleanup DaemonSet is needed.