
Kata Environment Setup 1: kata + containerd

Date: 2023-02-10 10:44:23
Tags: containerd sudo agent install kata Kata containers

Kata + containerd

environment

  • ubuntu 22.04 (I started with 20.04, but ran into some musl problems when compiling)


Build and install Kata Containers

install necessary tools

Note: first git clone the kata-containers code, then install the tools below, and be sure to download the versions listed in kata-containers/versions.yaml; otherwise the later build may run into many hard-to-resolve problems.

  • golang: add it to the system PATH after installing
  • rust: can be installed with kata-containers/ci/install_rust.sh
  • make
  • gcc

Build and install the Kata Containers runtime

$ git clone https://github.com/kata-containers/kata-containers.git
$ git checkout 3.1.0-alpha1
$ pushd kata-containers/src/runtime
$ make && sudo -E "PATH=$PATH" make install
$ sudo mkdir -p /etc/kata-containers/
$ sudo install -o root -g root -m 0640 /usr/share/defaults/kata-containers/configuration.toml /etc/kata-containers
$ popd

Configure to use rootfs image

$ sudo sed -i 's/^\(initrd =.*\)/# \1/g' /etc/kata-containers/configuration.toml # comment out the initrd line so the rootfs image is used

Enable seccomp

$ sudo sed -i '/^disable_guest_seccomp/ s/true/false/' /etc/kata-containers/configuration.toml

Enable full debug

$ sudo sed -i -e 's/^# *\(enable_debug\).*=.*$/\1 = true/g' /etc/kata-containers/configuration.toml
$ sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.log=debug initcall_debug"/g' /etc/kata-containers/configuration.toml
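An added check, not part of the original post: it re-reads the configuration.toml edited above and reports whether the initrd line is commented out, whether guest seccomp is enabled, and which debug knobs are still on. The two sample files it writes are constructed for the stand-alone run and are not the real Kata defaults.

```shell
#!/bin/sh
# Effective value of KEY in FILE: uncommented lines only, last occurrence wins,
# trailing comment and surrounding quotes stripped.
toml_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n1 | sed 's/[[:space:]]*#.*$//; s/^"\(.*\)"$/\1/'
}

# kata_config_audit FILE -> one line per check; returns 0 only if all checks pass.
kata_config_audit() {
    cfg="$1"; fails=0
    # 1. Boot from the rootfs image: initrd must be commented out and image set.
    if [ -z "$(toml_get "$cfg" initrd)" ] && [ -n "$(toml_get "$cfg" image)" ]; then
        echo "ok    boots rootfs image: $(toml_get "$cfg" image)"
    else
        echo "FAIL  initrd still active or image unset"; fails=1
    fi
    # 2. Guest seccomp: the agent only applies the container's seccomp profile
    #    inside the VM when disable_guest_seccomp = false.
    if [ "$(toml_get "$cfg" disable_guest_seccomp)" = "false" ]; then
        echo "ok    guest seccomp enabled"
    else
        echo "FAIL  disable_guest_seccomp is not false"; fails=1
    fi
    # 3. Debug knobs: fine on a test box, noisy and log-heavy in production.
    [ "$(toml_get "$cfg" enable_debug)" = "true" ] && echo "note  enable_debug = true"
    case "$(toml_get "$cfg" kernel_params)" in
        *agent.log=debug*) echo "note  agent.log=debug in kernel_params" ;;
    esac
    return "$fails"
}

# Constructed sample files (not real Kata defaults): one hardened, one left as shipped.
write_sample_configs() {
    cat >"$1/hardened.toml" <<'EOF'
[hypervisor.qemu]
# initrd = "/usr/share/kata-containers/kata-containers-initrd.img"
image = "/usr/share/kata-containers/kata-containers.img"
kernel_params = " agent.log=debug initcall_debug"
enable_debug = true
[runtime]
disable_guest_seccomp=false
EOF
    sed 's/^# initrd/initrd/; s/seccomp=false/seccomp=true/' "$1/hardened.toml" >"$1/weak.toml"
}

tmp="$(mktemp -d)"; write_sample_configs "$tmp"
for f in hardened weak; do
    echo "== $f.toml"; kata_config_audit "$tmp/$f.toml" || echo "=> $f.toml fails the audit"
done
```

Point `kata_config_audit` at /etc/kata-containers/configuration.toml to audit the real file.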

Create and install rootfs and initrd image

Build a custom Kata agent

You should only do this step if you are testing with the latest version of the agent

  • configure default libc (musl)
$ export ARCH="$(uname -m)"
$ if [ "$ARCH" = "ppc64le" -o "$ARCH" = "s390x" ]; then export LIBC=gnu; else export LIBC=musl; fi
$ [ "${ARCH}" == "ppc64le" ] && export ARCH=powerpc64le
$ rustup target add "${ARCH}-unknown-linux-${LIBC}"
  • build the agent
$ make -C kata-containers/src/agent

This step may fail with:

/usr/bin/ld: /home/niteesh/github/kata-containers/src/agent/target/x86_64-unknown-linux-musl/release/deps/kata_agent-46b61c92992321dd.kata_agent.c2ef787b-cgu.3.rcgu.o: undefined reference to symbol 'pthread_mutex_lock@@GLIBC_2.2.5'
/usr/bin/ld: /lib/x86_64-linux-gnu/libc.so.6: error adding symbols: DSO missing from command line
collect2: error: ld returned 1 exit status

This error means libseccomp must be installed and statically linked against musl. Fix:

# Install libseccomp for static linking
sudo -E PATH=$PATH GOPATH=$GOPATH kata-containers/ci/install_libseccomp.sh /tmp/kata-libseccomp /tmp/kata-gperf
export LIBSECCOMP_LINK_TYPE=static
export LIBSECCOMP_LIB_PATH=/tmp/kata-libseccomp/lib

Note that the rust version must match versions.yaml, otherwise errors are very likely.

Reference:

https://github.com/kata-containers/kata-containers/issues/5044

Create a rootfs image

Create a local rootfs

  • install docker

  • run rootfs.sh

    $ export distro="ubuntu" # example
    $ export ROOTFS_DIR="$(realpath kata-containers/tools/osbuilder/rootfs-builder/rootfs)"
    $ sudo rm -rf "${ROOTFS_DIR}"
    $ pushd kata-containers/tools/osbuilder/rootfs-builder
    $ script -fec 'sudo -E USE_DOCKER=true ./rootfs.sh "${distro}"'
    $ popd
    

Add a custom agent to the image

You should only do this step if you are testing with the latest version of the agent

$ sudo install -o root -g root -m 0550 -t "${ROOTFS_DIR}/usr/bin" "${ROOTFS_DIR}/../../../../src/agent/target/x86_64-unknown-linux-musl/release/kata-agent"
$ sudo install -o root -g root -m 0440 "${ROOTFS_DIR}/../../../../src/agent/kata-agent.service" "${ROOTFS_DIR}/usr/lib/systemd/system/"
$ sudo install -o root -g root -m 0440 "${ROOTFS_DIR}/../../../../src/agent/kata-containers.target" "${ROOTFS_DIR}/usr/lib/systemd/system/"

Build a rootfs image

$ pushd  kata-containers/tools/osbuilder/image-builder
$ script -fec 'sudo -E USE_DOCKER=true ./image_builder.sh "${ROOTFS_DIR}"'
$ popd

Install the rootfs image

$ pushd kata-containers/tools/osbuilder/image-builder
$ commit="$(git log --format=%h -1 HEAD)"
$ date="$(date +%Y-%m-%d-%T.%N%z)"
$ image="kata-containers-${date}-${commit}"
$ sudo install -o root -g root -m 0640 -D kata-containers.img "/usr/share/kata-containers/${image}"
$ (cd /usr/share/kata-containers && sudo ln -sf "$image" kata-containers.img)
$ popd

Install guest kernel images

Setup kernel source code

$ git clone github.com/kata-containers/kata-containers
$ cd kata-containers/tools/packaging/kernel
$ ./build-kernel.sh setup

Build the kernel

$ ./build-kernel.sh build

During the build some header files may be reported missing, e.g. xxx.h; the fix is to install the corresponding library, usually named libxxx-dev, i.e.:

$ sudo apt-get install libxxx-dev

Install the Kernel in the default path for Kata

$ sudo ./build-kernel.sh install

Install a hypervisor

Build a custom QEMU

  • get the QEMU version that matches Kata

    $ source kata-containers/tools/packaging/scripts/lib.sh
    $ qemu_version="$(get_from_kata_deps "assets.hypervisor.qemu.version")"
    $ echo "${qemu_version}"
    
  • Get source from the matching branch of QEMU

    $ git clone -b "${qemu_version}" https://github.com/qemu/qemu.git
    $ your_qemu_directory="$(realpath qemu)"
    
  • manage the build and packaging of QEMU

    $ packaging_dir="$(realpath kata-containers/tools/packaging)"
    $ "$packaging_dir/scripts/apply_patches.sh" "$packaging_dir/qemu/patches/5.2.x/" # apply the Kata patches
    
  • build utilizing the same options as Kata

    $ pushd "$your_qemu_directory"
    $ "$packaging_dir/scripts/configure-hypervisor.sh" kata-qemu > kata.cfg
    $ eval ./configure "$(cat kata.cfg)"
    $ make -j $(nproc --ignore=1)
    # Optional
    $ sudo -E make install
    $ popd
    

Build virtiofsd

  • When using the file system type virtio-fs (default), virtiofsd is required
$ pushd kata-containers/tools/packaging/static-build/virtiofsd
$ ./build.sh
$ popd
  • Modify /etc/kata-containers/configuration.toml and update value virtio_fs_daemon = "/path/to/kata-containers/tools/packaging/static-build/virtiofsd/virtiofsd/virtiofsd" to point to the binary.

Check hardware requirements

  • If your system is not able to run Kata Containers, the command will error out and explain why:
$ sudo kata-runtime check

error :kernel property kvm_amd not found

Solution: note that if Ubuntu is running inside VMware, the virtualization engine must be enabled in the VMware VM settings.

At the same time, Hyper-V on the host must be turned off, because VMware and Hyper-V are incompatible; otherwise you get errors such as "Virtualized AMD-V/RVI is not supported on this platform". For a solution see:

[Summary of answers to the question "VMware Workstation 16: Virtualized Intel VT-x/EPT is not supported on this platform. Continue without virtualized Intel VT-x/EPT?"]

Run Kata Containers with Containerd

Install

  • install containerd

You can download and extract the binary release, or install it directly with apt. I used apt; unlike the binary download, this also requires installing CNI yourself.

  • install CNI plugins
$ git clone https://github.com/containernetworking/plugins.git
$ pushd plugins
$ ./build_linux.sh
$ sudo mkdir /opt/cni
$ sudo cp -r bin /opt/cni/
$ popd
  • install cri-tools
$ git clone https://github.com/kubernetes-sigs/cri-tools.git
$ pushd cri-tools
$ make
$ sudo -E make install
$ popd

Configuration

  • Configure containerd to use Kata Containers

    # /etc/containerd/config.toml
    [plugins]
      [plugins.cri]
        [plugins.cri.cni]
          # conf_dir is the directory in which the admin places a CNI conf.
          conf_dir = "/etc/cni/net.d"
        [plugins.cri.containerd]
          no_pivot = false
        [plugins.cri.containerd.runtimes]
          [plugins.cri.containerd.default_runtime]
             runtime_type = "io.containerd.runtime.v1.linux"
          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
             privileged_without_host_devices = false
             runtime_type = "io.containerd.runc.v2"
            [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
                BinaryName = ""
                CriuImagePath = ""
                CriuPath = ""
                CriuWorkPath = ""
                IoGid = 0
          [plugins.cri.containerd.runtimes.kata]
             runtime_type = "io.containerd.kata.v2"
             privileged_without_host_devices = true
             pod_annotations = ["io.katacontainers.*"]
             container_annotations = ["io.katacontainers.*"]
             [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options]
                ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml"
    
  • add the CNI configuration in the containerd configuration

    $ mkdir -p /etc/cni/net.d
    $ cat >/etc/cni/net.d/10-mynet.conf <<EOF
    {
        "cniVersion": "0.2.0",
        "name": "mynet",
        "type": "bridge",
        "bridge": "cni0",
        "isGateway": true,
        "ipMasq": true,
        "ipam": {
            "type": "host-local",
            "subnet": "10.1.0.0/16",
            "routes": [
                { "dst": "0.0.0.0/0" }
            ]
        }
    }
    EOF
    
  • reference the configuration directory through containerd /etc/containerd/config.toml

    [plugins.cri.cni]
        # conf_dir is the directory in which the admin places a CNI conf.
        conf_dir = "/etc/cni/net.d"
    
  • The configuration file of the crictl command-line tool from cri-tools is located at /etc/crictl.yaml

    runtime-endpoint: unix:///var/run/containerd/containerd.sock
    image-endpoint: unix:///var/run/containerd/containerd.sock
    timeout: 10
    debug: true
    

Run

$ sudo ctr image pull docker.io/library/busybox:latest
$ sudo ctr run --cni --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/busybox:latest hello sh

From: https://www.cnblogs.com/ppddcsz/p/17108101.html
