aljaz/kata-containers
1
0
Fork 0
mirror of https://github.com/aljazceru/kata-containers.git synced 2025-12-31 21:14:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
7d37fbfdfba05be660b11f2b4d6545dfdfbecd63
kata-containers/tools/packaging/kata-deploy
History
Fabiano Fidêncio 54832cd052 release: Kata Containers 2.2.0-alpha0 
- Update CC=gcc setting for Fedora s390x
- osbuilder: Streamline s390x CMake & musl handling
- runtime: remove the call to storeSandbox at the end of createSandboxFromConfig
- virtcontainers: Add support for Secure Execution
- agent: Conform to the latest nix version (0.21.0)
- docs: Update the stable branch strategy to what was proposed in our ML
- runtime: add more traces for network
- tools/packaging: clone meson and dependencies before building QEMU
- runtime: remove covertool from cli test
- factory: Use lazy unmount
- docs: Fix Release Process document
- Add sandbox and container ID to trace spans
- agent: Fix fd leak caused by netlink
- metrics: Add virtiofsd exporter
- versions: Update kubernetes to 1.21.1
- tracing: Add basic VSOCK tracing
- agent: Upgrade tokio-vsock to fix fd leak of vsock socket
- runtime: fix some comments and logs
- runtime: Add support for PEF
- cleanup TODOs in runtime
- tracing: Make runtime span attributes more consistent
- virtiofsd: refactor qemu.go to use code in virtiofsd.go
- runtime: remove unused doc.go
- cgroup: fix the issue of set mem.limit and mem.swap
- agent: re-enable the standard SIGPIPE behavior
- virtiofsd: Fix file descriptors leak and return correct PID
- runtime: and cgroup and SandboxCgroupOnly check for check sub-command
- kernel: add ppc64le fragments
- docs: Use --ignore-preflight-errors=all flag
- agent: fix start container failed when dropping all capabilities
- agent: Remove unnecessary underscore(_) variables
- docs: Add instructions for getting QEMU source
- qemu: align before memory hotplug on arm64
- workflows: release kata 2.x snap through the stable channel
- Sandbox bindmount cleanup
- docs: Update add customer agent command
- agent: Stop relying in the unmaintained prctl crate
- how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
- docs: Add document for memory hotplug on arm64
- github: Run require porting labels only at main
- kernel: add confidential guest build option
- rustjail: separated the propagation flags from mount flags
- runtime: improve sandbox cleanup logic
- docs: add note for connecting debug console for old versions
- image_build: align image size to 128M for arm64
- agent: avoid reaping the exit signal of execute_hook in the reaper
- agent: move the dependency tempfile to the dev-dependencies section
- docs: Document test repository changes when creating a stable branch
- docs: Remove horizontal ruler markers that disable spell checks
- docs/Developer-Guide: Add instructions to apply QEMU patches
- runtime: make dialing timeout configurable
- Get sandbox metrics cli
- Support TDx
- packaging/kata-cleanup: add k3s containerd volume
- osbuilder: Upgrade alpine version to 3.13.5
- Monitor cleanup
- Open CONFIG_VIRTIO_MEM in x86_64 Linux kernel
- agent: delete code which is no longer used
- cli: delete tracing code for kata-runtime binary
- docs: add per-Pod Kata configurations for `enable_pprof`
- Fix issue of virtio-mem
- Set fixed NOFILE limit value for kata-agent
- ci/install_yq.sh: install_yq: Check version before return
- runtime: use s.ctx instead ctx for checking cancellation
- runtime: fix some comments

a1247bc0 agent: Conform to the latest nix version (0.21.0)
3130e66d runtime: remove storeSandbox at the end of createSandboxFromConfig
7593ebf9 runtime: Use CC=gcc on Fedora s390x
a484d6db osbuilder: Streamline s390x CMake & musl handling
da2d9ab8 osbuilder: Remove CC=gcc for Fedora s390x
c0c05c73 virtcontainers: Add support for Secure Execution
78f21710 virtcontainers/s390x: Put consts into one block
784025bb runtime: add more traces for network
9ec9bbba tools/packaging: clone meson and dependencies before building QEMU
9158ec68 docs: Fix Release Process document
9e3349c1 agent: Fix fd leak caused by netlink
3d0e0b27 tracing: Add network model to span
8ca02072 tracing: Add sandbox and container ID to trace spans
a9a0eccf tracing: Add basic VSOCK tracing
2234b730 metrics: Add virtiofsd exporter
9bf781d7 agent: Upgrade tokio-vsock to fix fd leak of vsock socket
b68334a1 runtime: fix some comments and logs
1f5b229b runtime: remove FIXME in SandboxState about CgroupPath
fee0004a runtime: remove TODO about hot add memory in qemu.go
2e29ef9c runtime: remove TODO comment from StatusContainer
72cd8f5e virtiofsd: refactor qemu.go to use code in virtiofsd.go
0b22c48d runtime: remove unused doc.go
30f4834c cgroup: fix the issue of set mem.limit and mem.swap
0ae364c8 agent: re-enable the standard SIGPIPE behavior
05a46fed tracing: Make runtime span attributes more consistent
727bfc45 runtime: and cgroup and SandboxCgroupOnly check for check sub-command
b25ad1ab tracing: Make trace-forwarder async
45f02227 tracing: Add trace points
773deca2 virtiofsd: Fix file descriptors leak and return correct PID
37a426b4 runtime: Add support for PEF
fe670c5d docs: Use --ignore-preflight-errors=all flag
5b5047bd docs: Add instructions for getting QEMU source
3e4ebe10 agent: fix start container failed when dropping all capabilities
9a43d76d workflows: release kata 2.x snap through the stable channel
7f1030d3 sandbox-bindmount: persist mount information
089a7484 sandbox: Cleanup if failure to setup sandbox-bindmount occurs
f65acc20 docs: Update add customer agent command
20a382c1 agent: Remove unnecessary underscore(_) variables
4b88532c docs: Don't use Docker as an example of a container manager
4142e424 docs: Don't mention 1.x components as part of the stable branch strategy
a0af2bd7 docs: Use stable-2.x / 2.x.y as example in the branch strategy document
a5e1f66a docs: Maintain only one stable branch per major release
419773b8 docs: Emphasize behaviour changes may be a reason for a major bump
54a75008 docs: Refer to `main` branch in the stable branch strategy document
7dde0b5d kernel: add ppc64le fragments
84906181 kernel: skip fragments for ppc64le
9676b86b kernel: move CONFIG_RANDOMIZE_BASE
bd0cde40 factory: Use lazy unmount
f52468be agent/agent-ctl: Replace prctl crate by the capctl one
d289b1d6 agent-ctl: Perform a `cargo update`
bc36b7b4 qemu: align before memory hotplug on arm64
8aefc793 agent: Perform a `cargo update`
785be0bb how-to-use-virtio-mem-with-kata.md: Update doc to make it clear
f8a16c17 kernel: add confidential guest build option
a65f11ea docs: Add document for memory hotplug on arm64
1b607056 runtime: remove covertool from cli test
fc42dc07 github: Run require porting labels only at main
dbef2b29 versions: Update kubernetes to 1.21.1
35151f17 runtime: sandbox delete should succeed after verifying sandbox state
e5fe572f rustjail: separated the propagation flags from mount flags
ffbb4d9b docs: add note for connecting debug console for old versions
a5bb383c agent: avoid reaping the exit signal of execute_hook in the reaper
ce7a5ba2 agent: move the dependency tempfile to the dev-dependencies section
e24e9462 docs/Developer-Guide: Add instructions to apply QEMU patches
850cf8cd docs: Document test repository changes when creating a stable branch
8068a469 kata-runtime: add `metrics` command
37873061 kata-monitor: export get stats for sandbox
01b56d6c runtime: make dialing timeout configurable
e8038718 osbuilder: Upgrade alpine version to 3.13.5
3caed6f8 runtime: shim: dedup client, socket addr code
4bc006c8 runtime: Short the shim-monitor path
5fdf617e docs: Fix spell-check errors found after new text is discovered
42425456 docs: Remove horizontal ruler markers that disable spell checks
3883e4e2 kernel: configs: Open CONFIG_VIRTIO_MEM in x86_64 Linux kernel
4f61f4b4 virtcontainers: Support TDX
0affe886 virtcontainers: define confidential guest framework
539afba0 runtime: define config options to enable confidential computing
79831faf runtime: use s.ctx instead ctx for checking cancellation
f6d5fbf9 runtime: fix some comments
9381e5f3 packaging/kata-cleanup: add k3s containerd volume
7f7c3fc8 qemu.go: qemu: resizeMemory: Fix virtio-mem resize overflow issue
c9053ea3 qemu.go: qemu: setupVirtioMem: let sizeMB be multiple of 2Mib
a188577e agent: Set fixed NOFILE limit value for kata-agent
88cf3db6 runtime: implement CPUFlags function
2b0d5b25 image_build: align image size to 128M for arm64
d601ae34 agent: delete not used comments
6038da19 agent: delete rustjail/src/configs directory
84ee8aa8 agent: delete not used functions
d8896157 ci/install_yq.sh: install_yq: Check version before return
95e54e3f docs: add per-Pod Kata configurations for enable_pprof
13c23fec cli: delete tracing code for kata-runtime binary

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2021-06-11 16:10:01 +02:00
..
action
kata-deploy: don't update worker pool nodes
2021-04-29 09:24:51 -07:00
examples
kata-deploy: QEMU, for 2.x, already includes virtiofs
2021-02-23 14:24:48 +01:00
kata-cleanup
release: Kata Containers 2.2.0-alpha0
2021-06-11 16:10:01 +02:00
kata-deploy
release: Kata Containers 2.2.0-alpha0
2021-06-11 16:10:01 +02:00
kata-rbac/base
packaging: merge packaging repository
2020-06-23 22:58:18 -07:00
runtimeclasses
runtimeclass: add nodeSelector
2021-04-28 10:41:28 -07:00
scripts
kata-deploy: Adapt CRI-O config to use drop-in files
2021-04-30 23:14:19 +02:00
Dockerfile
kata-deploy: Add copyright to the kata-deploy's Dockerfile
2021-02-23 14:25:00 +01:00
README.md
runtimeclass: add nodeSelector
2021-04-28 10:41:28 -07:00

README.md

kata-deploy

kata-deploy provides a Dockerfile, which contains all of the binaries and artifacts required to run Kata Containers, as well as reference DaemonSets, which can be utilized to install Kata Containers on a running Kubernetes cluster.

Note, installation through DaemonSets successfully installs katacontainers.io/kata-runtime on a node only if it uses either containerd or CRI-O CRI-shims.

Kubernetes quick start

Install Kata on a running Kubernetes cluster

$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy
$ kubectl apply -f kata-rbac/base/kata-rbac.yaml
$ kubectl apply -f kata-deploy/base/kata-deploy.yaml

or on a k3s cluster:

$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy
$ kubectl apply -k kata-deploy/overlays/k3s

Run a sample workload

Workloads specify the runtime they'd like to utilize by setting the appropriate runtimeClass object within the Pod specification. The runtimeClass examples provided define a node selector to match node label katacontainers.io/kata-runtime:"true", which will ensure the workload is only scheduled on a node that has Kata Containers installed

runtimeClass is a built-in type in Kubernetes. To apply each Kata Containers runtimeClass:

  $ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/runtimeclasses
  $ kubectl apply -f kata-runtimeClasses.yaml

The following YAML snippet shows how to specify a workload should use Kata with Cloud Hypervisor:

spec:
  template:
    spec:
      runtimeClassName: kata-clh

The following YAML snippet shows how to specify a workload should use Kata with Firecracker:

spec:
  template:
    spec:
      runtimeClassName: kata-fc

The following YAML snippet shows how to specify a workload should use Kata with QEMU:

spec:
  template:
    spec:
      runtimeClassName: kata-qemu

To run an example with kata-qemu:

$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/examples
$ kubectl apply -f test-deploy-kata-qemu.yaml

To run an example with kata-fc:

$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/examples
$ kubectl apply -f test-deploy-kata-fc.yaml

The following removes the test pods:

$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy/examples
$ kubectl delete -f test-deploy-kata-qemu.yaml
$ kubectl delete -f test-deploy-kata-fc.yaml

Remove Kata from the Kubernetes cluster

$ cd $GOPATH/src/github.com/kata-containers/kata-containers/tools/packaging/kata-deploy
$ kubectl delete -f kata-deploy/base/kata-deploy.yaml
$ kubectl apply -f kata-cleanup/base/kata-cleanup.yaml
$ kubectl delete -f kata-cleanup/base/kata-cleanup.yaml
$ kubectl delete -f kata-rbac/base/kata-rbac.yaml
$ kubectl delete -f runtimeclasses/kata-runtimeClasses.yaml

kata-deploy details

Dockerfile

The Dockerfile used to create the container image deployed in the DaemonSet is provided here. This image contains all the necessary artifacts for running Kata Containers, all of which are pulled from the Kata Containers release page.

Host artifacts:

  • cloud-hypervisor, firecracker, qemu-system-x86_64, and supporting binaries
  • containerd-shim-kata-v2
  • kata-collect-data.sh
  • kata-runtime

Virtual Machine artifacts:

  • kata-containers.img and kata-containers-initrd.img: pulled from Kata GitHub releases page
  • vmlinuz.container and vmlinuz-virtiofs.container: pulled from Kata GitHub releases page

DaemonSets and RBAC

Two DaemonSets are introduced for kata-deploy, as well as an RBAC to facilitate applying labels to the nodes.

Kata deploy

This DaemonSet installs the necessary Kata binaries, configuration files, and virtual machine artifacts on the node. Once installed, the DaemonSet adds a node label katacontainers.io/kata-runtime=true and reconfigures either CRI-O or containerd to register three runtimeClasses: kata-clh (for Cloud Hypervisor isolation), kata-qemu (for QEMU isolation), and kata-fc (for Firecracker isolation). As a final step the DaemonSet restarts either CRI-O or containerd. Upon deletion, the DaemonSet removes the Kata binaries and VM artifacts and updates the node label to katacontainers.io/kata-runtime=cleanup.

Kata cleanup

This DaemonSet runs of the node has the label katacontainers.io/kata-runtime=cleanup. These DaemonSets removes the katacontainers.io/kata-runtime label as well as restarts either CRI-O or containerd systemctl daemon. You cannot execute these resets during the preStopHook of the Kata installer DaemonSet, which necessitated this final cleanup DaemonSet.