Kata + containerd
environment
- ubuntu 22.04 (刚开始用20.04,编译的时候musl出现一些问题)
Build and install Kata Containers
install neccesary tools
需要注意,先git clone kata-conatneir的代码之后再安装以下软件,并且一定要按照katacontainer/version.yaml中的对应版本进行下载,不然后期编译可能会出现很多难解决的问题。
- golang:安装之后添加系统路径
- rust:可以使用
kata-containers/ci/install_rust.sh下载 - make
- gcc
Build and install the Kata Containers runtime
$ git clone https://github.com/kata-containers/kata-containers.git
$ git checkout 3.1.0-alpha1
$ pushd kata-containers/src/runtime
$ make && sudo -E "PATH=$PATH" make install
$ sudo mkdir -p /etc/kata-containers/
$ sudo install -o root -g root -m 0640 /usr/share/defaults/kata-containers/configuration.toml /etc/kata-containers
$ popd
Configure to use rootfs image
$ sudo sed -i 's/^\(initrd =.*\)/# \1/g' /etc/kata-containers/configuration.toml # uncommented congiguration file
Enable seccomp
$ sudo sed -i '/^disable_guest_seccomp/ s/true/false/' /etc/kata-containers/configuration.toml
Enable full debug
$ sudo sed -i -e 's/^# *\(enable_debug\).*=.*$/\1 = true/g' /etc/kata-containers/configuration.toml
$ sudo sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.log=debug initcall_debug"/g' /etc/kata-containers/configuration.toml
Create and install rootfs and initrd image
Build a custom Kata agent
You should only do this step if you are testing with the latest version of the agent
- configure default libc(musl)
$ export ARCH="$(uname -m)"
$ if [ "$ARCH" = "ppc64le" -o "$ARCH" = "s390x" ]; then export LIBC=gnu; else export LIBC=musl; fi
$ [ "${ARCH}" == "ppc64le" ] && export ARCH=powerpc64le
$ rustup target add "${ARCH}-unknown-linux-${LIBC}"
- build the agent
$ make -C kata-containers/src/agent
在这步可能会出错:
/usr/bin/ld: /home/niteesh/github/kata-containers/src/agent/target/x86_64-unknown-linux-musl/release/deps/kata_agent-46b61c92992321dd.kata_agent.c2ef787b-cgu.3.rcgu.o: undefined reference to symbol 'pthread_mutex_lock@@GLIBC_2.2.5' /usr/bin/ld: /lib/x86_64-linux-gnu/libc.so.6: error adding symbols: DSO missing from command line collect2: error: ld returned 1 exit status此处错误需要安装libseccomp并将其静态链接到musl上。解决方法:
# Install libseccomp for static linking sudo -E PATH=$PATH GOPATH=$GOPATH kata-containers/ci/install_libseccomp.sh /tmp/kata-libseccomp /tmp/kata-gperf export LIBSECCOMP_LINK_TYPE=static export LIBSECCOMP_LIB_PATH=/tmp/kata-libseccomp/lib需要注意rust和版本一定要和version.yaml一致,否则很大可能报错
来源参考:
https://github.com/kata-containers/kata-containers/issues/5044
Create a rootfs image
Create a local rootfs
-
install docker
-
run
rootfs.sh$ export distro="ubuntu" # example $ export ROOTFS_DIR="$(realpath kata-containers/tools/osbuilder/rootfs-builder/rootfs)" $ sudo rm -rf "${ROOTFS_DIR}" $ pushd kata-containers/tools/osbuilder/rootfs-builder $ script -fec 'sudo -E USE_DOCKER=true ./rootfs.sh "${distro}"' $ popd
Add a custom agent to the image
You should only do this step if you are testing with the latest version of the agent
$ sudo install -o root -g root -m 0550 -t "${ROOTFS_DIR}/usr/bin" "${ROOTFS_DIR}/../../../../src/agent/target/x86_64-unknown-linux-musl/release/kata-agent"
$ sudo install -o root -g root -m 0440 "${ROOTFS_DIR}/../../../../src/agent/kata-agent.service" "${ROOTFS_DIR}/usr/lib/systemd/system/"
$ sudo install -o root -g root -m 0440 "${ROOTFS_DIR}/../../../../src/agent/kata-containers.target" "${ROOTFS_DIR}/usr/lib/systemd/system/"
Build a rootfs image
$ pushd kata-containers/tools/osbuilder/image-builder
$ script -fec 'sudo -E USE_DOCKER=true ./image_builder.sh "${ROOTFS_DIR}"'
$ popd
Install the rootfs image
$ pushd kata-containers/tools/osbuilder/image-builder
$ commit="$(git log --format=%h -1 HEAD)"
$ date="$(date +%Y-%m-%d-%T.%N%z)"
$ image="kata-containers-${date}-${commit}"
$ sudo install -o root -g root -m 0640 -D kata-containers.img "/usr/share/kata-containers/${image}"
$ (cd /usr/share/kata-containers && sudo ln -sf "$image" kata-containers.img)
$ popd
Install guest kernel images
Setup kernel source code
$ git clone github.com/kata-containers/kata-containers
$ cd kata-containers/tools/packaging/kernel
$ ./build-kernel.sh setup
Build the kernel
$ ./build-kernel.sh build
在build的过程中可能会缺少一些头文件,如xxx.h,解决方法是安装相应的库,通常库名为libxxx-dev,即:
$ sudo apt-get install libxxx-dev
Install the Kernel in the default path for Kata
$ sudo ./build-kernel.sh install
Install a hypervisor
Build a custom QEMU
-
get qemu version suitable to kata
$ source kata-containers/tools/packaging/scripts/lib.sh $ qemu_version="$(get_from_kata_deps "assets.hypervisor.qemu.version")" $ echo "${qemu_version}" -
Get source from the matching branch of QEMU
$ git clone -b "${qemu_version}" https://github.com/qemu/qemu.git $ your_qemu_directory="$(realpath qemu)" -
manage the build and packaging of QEMU
$ packaging_dir="$(realpath kata-containers/tools/packaging)" $ "$packaging_dir/scripts/apply_patches.sh" "$packaging_dir/qemu/patches/5.2.x/" #apply patch -
build utilizing the same options as Kata
$ pushd "$your_qemu_directory" $ "$packaging_dir/scripts/configure-hypervisor.sh" kata-qemu > kata.cfg $ eval ./configure "$(cat kata.cfg)" $ make -j $(nproc --ignore=1) # Optional $ sudo -E make install $ popd
Build virtiofsd
- When using the file system type virtio-fs (default),
virtiofsdis required
$ pushd kata-containers/tools/packaging/static-build/virtiofsd
$ ./build.sh
$ popd
- Modify
/etc/kata-containers/configuration.tomland update valuevirtio_fs_daemon = "/path/to/kata-containers/tools/packaging/static-build/virtiofsd/virtiofsd/virtiofsd"to point to the binary.
Check hardware requirements
- If your system is not able to run Kata Containers, the command will error out and explain why:
$ sudo kata-runtime check
error :kernel property kvm_amd not found
solution:此处需要注意,如果是vmware下运行Ubuntu系统需要在vmware设置里将虚拟化引擎打开:
同时主机的hyper-V要关闭,因为Vmware与Hyper-v不兼容,否则会导致报错(如"此平台不支持虚拟化的AMD-V/RVI"),解决方案参考:
[关于“ VMware Workstation 16 此平台不支持虚拟化的Intel VT-x/EPT. 不使用虚拟化的Intel VT-x/EPT,是否继续?”的有关问题的总结解答]
Run Kata Containers with Containerd
Install
- install containerd
可以下载二进制文件解压,也可以用apt直接安装。我使用的是apt安装的方式,和下载二进制文件不同的是,还需要自己安装CNI
- install CNI plugins
$ git clone https://github.com/containernetworking/plugins.git
$ pushd plugins
$ ./build_linux.sh
$ sudo mkdir /opt/cni
$ sudo cp -r bin /opt/cni/
$ popd
- install cri-tools
$ git clone https://github.com/kubernetes-sigs/cri-tools.git
$ pushd cri-tools
$ make
$ sudo -E make install
$ popd
Configuration
-
Configure containerd to use Kata Containers
# /etc/containerd/config.toml [plugins] [plugins.cri] [plugins.cri.cni] # conf_dir is the directory in which the admin places a CNI conf. conf_dir = "/etc/cni/net.d" [plugins.cri.containerd] no_pivot = false [plugins.cri.containerd.runtimes] [plugins.cri.containerd.default_runtime] runtime_type = "io.containerd.runtime.v1.linux" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] privileged_without_host_devices = false runtime_type = "io.containerd.runc.v2" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] BinaryName = "" CriuImagePath = "" CriuPath = "" CriuWorkPath = "" IoGid = 0 [plugins.cri.containerd.runtimes.kata] runtime_type = "io.containerd.kata.v2" privileged_without_host_devices = true pod_annotations = ["io.katacontainers.*"] container_annotations = ["io.katacontainers.*"] [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options] ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml" -
add the CNI configuration in the containerd configuration
$ mkdir -p /etc/cni/net.d $ cat >/etc/cni/net.d/10-mynet.conf <<EOF { "cniVersion": "0.2.0", "name": "mynet", "type": "bridge", "bridge": "cni0", "isGateway": true, "ipMasq": true, "ipam": { "type": "host-local", "subnet": "10.1.0.0/16", "routes": [ { "dst": "0.0.0.0/0" } ] } } EOF -
reference the configuration directory through containerd
/etc/containerd/onfig.toml[plugins.cri.cni] # conf_dir is the directory in which the admin places a CNI conf. conf_dir = "/etc/cni/net.d" -
The configuration file of
crictlcommand line tool incri-toolslocates at/etc/crictl.yamlruntime-endpoint: unix:///var/run/containerd/containerd.sock image-endpoint: unix:///var/run/containerd/containerd.sock timeout: 10 debug: true
Run
$ sudo ctr image pull docker.io/library/busybox:latest
$ sudo ctr run --cni --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/busybox:latest hello sh