kata-containers Compile And Installed

本文轉載自查看原文 2020-10-09 10:44 420 firecracker

kata-containers 編譯安裝

kata-runtime 編譯安裝

# download source code
$ go get -d -u github.com/kata-containers/runtime
$ cd ${GOPATH}/src/github.com/kata-containers/runtime
# compile and install
$ make
$ make install

# Install Dir
/usr/libexec/kata-containers/kata-netmon
/usr/local/bin/kata-runtime
/usr/local/bin/containerd-shim-kata-v2
/usr/share/defaults/kata-containers/*

kata-shim 編譯安裝

# download source code
$ go get -d -u github.com/kata-containers/shim
$ cd ${GOTAH}/src/github.com/kata-containers/shim
# compile and install 
$ makn
$ make install

# Install Dir
/usr/libexec/kata-containers/kata-shim

kata-proxy 編譯安裝

# download source code
$ go get -d -u github.com/kata-containers/proxy
$ cd ${GOTAH}/src/github.com/kata-containers/proxy
# compile and install 
$ make
$ make install

# Install Dir
/usr/libexec/kata-containers/kata-proxy

編譯 kata 所需的 kernel

# download source code
$ go get -d -u github.com/kata-containers/packaging
$ cd ${GOTAH}/src/github.com/kata-containers/packaging/kernel

# On Ubuntu20.04 should install some essential packages
$ sudo apt install -y \
 gcc \
 make \
 libncurses5-dev \
 openssl \
 libssl-dev \
 build-essential \
 pkg-config \
 libc6-dev \
 bison \
 flex \
 libelf-dev
# Also you should install yq from github: https://github.com/mikefarah/yq
# 注意：如果缺少依賴，會導致內核編譯所需要的 .config 文件，無法主動生成，可以將 configs/ 和 configs/fragments 目錄下對應文件拼接成完整文件。
$ ./build-kernel.sh -d setup
# compile kernel
$ ./build-kernel.sh -d build

# Output File:
${GOPATH}/src/github.com/kata-containers/packaging/kernel/kata-linux-5.4.32-89/vmlinux

# Install Dir:
/usr/share/kata-containers/vmlinux

編譯 agent (可選)

1 2	$ go get -d -u github.com/kata-containers/agent $ cd $GOPATH/src/github.com/kata-containers/agent && make

編譯 rootfs 文件系統

# download source code
$ go get -d -u github.com/kata-containers/osbuilder

# generate rootfs
$ export ROOTFS_DIR=${GOPATH}/src/github.com/kata-containers/osbuilder/rootfs-builder/rootfs
$ sudo rm -rf ${ROOTFS_DIR}
$ cd $GOPATH/src/github.com/kata-containers/osbuilder/rootfs-builder
# ${distro} 需要替換成具體的系統，推薦 centos
# 此處增加額外的包，是為了后續便於進入虛擬機調試
#$ script -fec 'sudo -E GOPATH=$GOPATH USE_DOCKER=true EXTRA_PKGS="bash coreutils" ./rootfs.sh ${distro}'
$ script -fec 'sudo -E GOPATH=$GOPATH USE_DOCKER=true EXTRA_PKGS="bash coreutils vim net-tools procps curl iproute" http_proxy=http://{proxy}:{ip} https_proxy=http://{proxy}:{ip} ./rootfs.sh ${distro}'
# 由於網絡原因，可以構建時候添加 http_proxy 代理;
$ script -fec 'sudo -E GOPATH=$GOPATH USE_DOCKER=true EXTRA_PKGS="bash coreutils" http_proxt=http://{IP}:{PORT} ./rootfs.sh ${distro}'

# Create a debug systemd service
$ cat <<EOT | sudo tee ${ROOTFS_DIR}/lib/systemd/system/kata-debug.service
[Unit]
Description=Kata Containers debug console

[Service]
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
StandardInput=tty
StandardOutput=tty
# Must be disabled to allow the job to access the real console
PrivateDevices=no
Type=simple
ExecStart=/bin/bash
Restart=always
EOT

# Add a dependency to start the debug console:
$ sudo sed -i '$a Requires=kata-debug.service' ${ROOTFS_DIR}/lib/systemd/system/kata-containers.target

# Output File:
${GOPATH}/src/github.com/kata-containers/osbuilder/rootfs-builder/rootfs

編譯 rootfs.img

# make sure rootfs is not MODIFIED!!! if you want to add new Agent
# install agent (optional)
$ sudo install -o root -g root -m 0550 -t ${ROOTFS_DIR}/bin ../../agent/kata-agent
$ sudo install -o root -g root -m 0440 ../../agent/kata-agent.service ${ROOTFS_DIR}/usr/lib/systemd/system/
$ sudo install -o root -g root -m 0440 ../../agent/kata-containers.target ${ROOTFS_DIR}/usr/lib/systemd/system/

# Compile
$ cd $GOPATH/src/github.com/kata-containers/osbuilder/image-builder
$ script -fec 'sudo -E USE_DOCKER=true ./image_builder.sh ${ROOTFS_DIR}'

# install
$ commit=$(git log --format=%h -1 HEAD)
$ date=$(date +%Y-%m-%d-%T.%N%z)
$ image="kata-containers-${date}-${commit}"
$ sudo install -o root -g root -m 0640 -D kata-containers.img "/usr/share/kata-containers/${image}"
$ (cd /usr/share/kata-containers && sudo ln -sf "$image" kata-containers.img)

# Output File:
$GOPATH/src/github.com/kata-containers/osbuilder/image-builder/kata-containers.img

編譯 initrd.img

# make sure rootfs is not MODIFIED!!! if you want to add new Agent
# install agent(optional)
$ sudo install -o root -g root -m 0550 -T ../../agent/kata-agent ${ROOTFS_DIR}/sbin/init

# Compile
$ cd $GOPATH/src/github.com/kata-containers/osbuilder/initrd-builder
$ script -fec 'sudo -E AGENT_INIT=yes USE_DOCKER=true ./initrd_builder.sh ${ROOTFS_DIR}'

# install
$ commit=$(git log --format=%h -1 HEAD)
$ date=$(date +%Y-%m-%d-%T.%N%z)
$ image="kata-containers-initrd-${date}-${commit}"
$ sudo install -o root -g root -m 0640 -D kata-containers-initrd.img "/usr/share/kata-containers/${image}"
$ (cd /usr/share/kata-containers && sudo ln -sf "$image" kata-containers-initrd.img)

# Output File:
$GOPATH/src/github.com/kata-containers/osbuilder/initrd-builder/kata-containers-initrd.img

編譯 qemu on aarch64

# 下載代碼
$ go get -d github.com/kata-containers/tests
# 准備依賴
$ sudo apt install -y libcap-ng-dev libglib2.0-dev libpixman-1-dev librbd-dev libattr1-dev libcap-dev
# 編譯構建
$ script -fec 'sudo -E ${GOPATH}/src/github.com/kata-containers/tests/.ci/install_qemu.sh'

# 注意：如果安裝失敗，清直接刪除文件夾，然后重新跑升級腳本
$ sudo rm -rf ${GOPATH}/src/github.com/kata-containers/packaging
$ sudo rm -rf ${GOPATH}/src/github.com/qemu

Docker 對接 kata-runtime

修改 Docker 配置文件/etc/docker/daemon.json

{
 "debug": true,
 "default-runtime": "runc", # 可替換成 kata-runtime
 "runtimes": {
 "kata": {
 "path": "/usr/local/bin/kata-runtime" # 不支持直接配置成 containerd-shim-kata-v2
 }
 }
}

重啟 docker 服務（必須）

驗證修改生效

sudo docker run --rm --name test busybox:latest uname -a 與宿主機內核對比，驗證是否生效

調試 kata-runtime

# docker 開啟 debug: /etc/docker/daemon.json 添加參數 (需重啟服務)
{ "debug": true }
# kata配置文件/etc/kata-containers/configuration.toml，開啟 enable_debug

# 查看日志
$ journalctl -ft kata-runtime

Containerd 對接 containerd-shim-kata-v2

修改 containerd 的配置/etc/containerd/config.toml

containerd config default 生成當前版本默認配置

root = "/var/lib/containerd"
state = "/run/containerd"
oom_score = 0

[grpc]
 address = "/run/containerd/containerd.sock"
 uid = 0
 gid = 0
 max_recv_message_size = 16777216
 max_send_message_size = 16777216

[debug]
 address = ""
 uid = 0
 gid = 0
 level = "debug" # 開啟 debug

[metrics]
 address = ""
 grpc_histogram = false

[cgroup]
 path = ""

[plugins]
 [plugins.cgroups]
 no_prometheus = false
 [plugins.cri]
 stream_server_address = "127.0.0.1"
 stream_server_port = "0"
 enable_selinux = false
 sandbox_image = "docker.io/bevisy/pause:3.1"
 stats_collect_period = 10
 systemd_cgroup = false
 enable_tls_streaming = false
 max_container_log_line_size = 16384
 disable_proc_mount = false
 [plugins.cri.containerd]
 snapshotter = "overlayfs"
 no_pivot = false
 [plugins.cri.containerd.default_runtime]
 runtime_type = "io.containerd.runtime.v1.linux"
 runtime_engine = ""
 runtime_root = ""
 [plugins.cri.containerd.untrusted_workload_runtime]
 runtime_type = ""
 runtime_engine = ""
 runtime_root = ""
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] # 新增 >>>
 [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
 runtime_type = "io.containerd.kata.v2"
 shim_debug = true # <<<
 [plugins.cri.cni]
 bin_dir = "/opt/cni/bin"
 conf_dir = "/etc/cni/net.d"
 conf_template = ""
 [plugins.cri.registry]
 [plugins.cri.registry.mirrors]
 [plugins.cri.registry.mirrors."docker.io"]
 endpoint = ["https://registry-1.docker.io"]
 [plugins.cri.x509_key_pair_streaming]
 tls_cert_file = ""
 tls_key_file = ""
 [plugins.diff-service]
 default = ["walking"]
 [plugins.linux]
 shim = "containerd-shim"
 runtime = "runc"
 runtime_root = ""
 no_shim = false
 shim_debug = false
 [plugins.opt]
 path = "/opt/containerd"
 [plugins.restart]
 interval = "10s"
 [plugins.scheduler]
 pause_threshold = 0.02
 deletion_threshold = 0
 mutation_threshold = 100
 schedule_delay = "0s"
 startup_delay = "100ms"

注意：確保containerd-shim-kata-v2 文件在 $PATH 目錄下

驗證：

# 創建容器
sudo ctr -n testns run --runtime io.containerd.kata.v2 -d --rm docker.io/library/busybox:latest busybox
# 查看容器 id
sudo ctr -n testns t ls
# 進入容器
sudo ctr -n testns t exec -t --exec-id {ID} busybox sh
# 查看內核版本
$ uname -a # 對比宿主機內核

調試 containerd-shim-runtime-v2

# containerd 配置開啟 debug(需重啟服務)
# kata配置文件/etc/kata-containers/configuration.toml，開啟 enable_debug (需重新創建安全容器)

# 查看日志
$ journalctl -ft kata

附錄

kata-containers 2.0 安裝

下載release包

Release 地址

下載 Kata Containers 2.0.0-alpha3

解壓后，拷貝至文件夾 /opt

准備配置文件和containerd-shim-kata-v2

# 准備配置文件
$ cp /opt/kata/share/defaults/kata-containers/configuration-qemu.toml /etc/kata-containers/configuration.toml
# 准備 containerd-shim-kata-v2
$ cp /opt/kata/bin/containerd-shim-kata-v2 /usr/local/bin/

配置文件修改如下：

[hypervisor.qemu]
path = "/opt/kata/bin/qemu-system-x86_64"
kernel = "/opt/kata/share/kata-containers/vmlinuz.container"
image = "/opt/kata/share/kata-containers/kata-containers.img"
machine_type = "pc"
kernel_params = ""
firmware = ""
machine_accelerators=""
cpu_features="pmu=off"
default_vcpus = 1
default_maxvcpus = 2
default_bridges = 1
default_memory = 2048
disable_block_device_use = false
shared_fs = "virtio-9p"
virtio_fs_daemon = "/opt/kata/bin/virtiofsd"
virtio_fs_cache_size = 1024
virtio_fs_extra_args = []
virtio_fs_cache = "auto"
block_device_driver = "virtio-scsi"
enable_iothreads = false
enable_vhost_user_store = false
vhost_user_store_path = "/var/run/kata-containers/vhost-user"
enable_debug = true
[factory]
[agent.kata]
enable_debug = true
kernel_modules=[]
[netmon]
path = "/opt/kata/libexec/kata-containers/kata-netmon"
enable_debug = true
[runtime]
enable_debug = true
internetworking_model="tcfilter"
disable_guest_seccomp=true
sandbox_cgroup_only=false
experimental=[]
EnablePprof = true

對接docker和containerd需要注意

注意：此版本無法與 docker配合使用，與containerd 使用正常。

In this article, you will learn how to use Kata Containers on IBM Power systems.

#Prerequisites:

You need to install golang version 1.8.3 or newer, make, gcc, qemu.

#Steps:

1.Build and install the Kata Containers runtime

$ go get -d -u github.com/kata-containers/runtime$ cd $GOPATH/src/github.com/kata-containers/runtime$ make && sudo -E PATH=$PATH make install

The build will create the following:

runtime binary: /usr/local/bin/kata-runtime

configuration file: /usr/share/defaults/kata-containers/configuration.toml

2. Check if your system is capable of creating a Kata Container:

$ sudo kata-runtime kata-check

If your system is not able to run Kata Containers, the previous command will error out and explain why.

3. Configure to use initrd image

$ sudo sed -i ‘s/^\(image =.*\)/# \1/g’ /usr/share/defaults/kata-containers/configuration.toml

4. Enable full debug

$ sudo sed -i -e ‘s/^# *\(enable_debug\).*=.*$/\1 = true/g’ /usr/share/defaults/kata-containers/configuration.toml$ sudo sed -i -e ‘s/^kernel_params = “\(.*\)”/kernel_params = “\1 agent.log=debug”/g’ /usr/share/defaults/kata-containers/configuration.toml

5. Build and install Kata proxy

$ go get -d -u github.com/kata-containers/proxy$ cd $GOPATH/src/github.com/kata-containers/proxy && make && sudo make install

6. Build and install Kata shim

$ go get -d -u github.com/kata-containers/shim$ cd $GOPATH/src/github.com/kata-containers/shim && make && sudo make install

7. Get the osbuilder

$ go get -d -u github.com/kata-containers/osbuilder

8. Build a custom Kata agent — OPTIONAL

$ go get -d -u github.com/kata-containers/agent$ cd $GOPATH/src/github.com/kata-containers/agent && make

9. Create an initrd image

$ export ROOTFS_DIR=”${GOPATH}/src/github.com/kata-containers/osbuilder/rootfs-builder/rootfs"$ sudo rm -rf ${ROOTFS_DIR}$ cd $GOPATH/src/github.com/kata-containers/osbuilder/rootfs-builder$ script -fec ‘sudo -E GOPATH=$GOPATH AGENT_INIT=yes USE_DOCKER=true ./rootfs.sh ${distro}’

AGENT_INIT controls if the guest image uses kata agent as the guest init process. When you create an initrd image, always set AGENT_INIT to yes.

You MUST choose one of alpine, centos and fedora for ${distro}.

Optionally, add your custom agent binary to the rootfs with the following:

$ sudo install -o root -g root -m 0550 -T ../../agent/kata-agent ${ROOTFS_DIR}/sbin/init

10. Build an initrd image

$ cd $GOPATH/src/github.com/kata-containers/osbuilder/initrd-builder$ script -fec ‘sudo -E AGENT_INIT=yes USE_DOCKER=true ./initrd_builder.sh ${ROOTFS_DIR}’

11. Install the initrd image

$ commit=$(git log — format=%h -1 HEAD)$ date=$(date +%Y-%m-%d-%T.%N%z)$ image=”kata-containers-initrd-${date}-${commit}”$ sudo install -o root -g root -m 0640 -D kata-containers-initrd.img “/usr/share/kata-containers/${image}”$ (cd /usr/share/kata-containers && sudo ln -sf “$image” kata-containers-initrd.img)

12. Install guest kernel images

As a prerequisite, you need to install libelf-dev and bc. Otherwise, you will not be able to build the kernel from sources.

$ go get github.com/kata-containers/tests$ cd $GOPATH/src/github.com/kata-containers/tests/.ci$ kernel_arch=”$(./kata-arch.sh)”$ kernel_dir=”$(./kata-arch.sh — kernel)”$ tmpdir=”$(mktemp -d)”$ pushd “$tmpdir”$ curl -L https://raw.githubusercontent.com/kata-containers/packaging/master/kernel/configs/${kernel_arch}_kata_kvm_4.14.x -o .config$ kernel_version=$(grep “Linux/[${kernel_arch}]*” .config | cut -d’ ‘ -f3 | tail -1)$ kernel_tar_file=”linux-${kernel_version}.tar.xz”$ kernel_url=”https://cdn.kernel.org/pub/linux/kernel/v$(echo $kernel_version | cut -f1 -d.).x/${kernel_tar_file}”$ curl -LOk ${kernel_url}$ tar -xf ${kernel_tar_file}$ mv .config “linux-${kernel_version}”$ pushd “linux-${kernel_version}”$ make ARCH=${kernel_dir} -j$(nproc)$ kata_kernel_dir=”/usr/share/kata-containers”$ kata_vmlinuz=”${kata_kernel_dir}/kata-vmlinuz-${kernel_version}.container”$ [ $kernel_arch = ppc64le ] && kernel_file=”$(realpath ./vmlinux)” || kernel_file=”$(realpath arch/${kernel_arch}/boot/bzImage)”$ sudo install -o root -g root -m 0755 -D “${kernel_file}” “${kata_vmlinuz}”$ sudo ln -sf “${kata_vmlinuz}” “${kata_kernel_dir}/vmlinuz.container”$ kata_vmlinux=”${kata_kernel_dir}/kata-vmlinux-${kernel_version}”$ sudo install -o root -g root -m 0755 -D “$(realpath vmlinux)” “${kata_vmlinux}”$ sudo ln -sf “${kata_vmlinux}” “${kata_kernel_dir}/vmlinux.container”$ popd$ popd$ rm -rf “${tmpdir}”

13. Run Kata Containers with Docker

Update Docker configuration

$ dir=/etc/systemd/system/docker.service.d$ file=”$dir/kata-containers.conf”$ sudo mkdir -p “$dir”$ sudo test -e “$file” || echo -e “[Service]\nType=simple\nExecStart=\nExecStart=/usr/bin/dockerd -D — default-runtime runc” | sudo tee “$file”$ sudo grep -q “kata-runtime=” $file || sudo sed -i ‘s!^\(ExecStart=[^$].*$\)!\1 — add-runtime kata-runtime=/usr/local/bin/kata-runtime!g’ “$file”$ sudo systemctl daemon-reload$ sudo systemctl restart docker

14. Create a Kata Container using Docker

$ sudo docker run -ti — runtime kata-runtime busybox sh

15. Check the logs in-case of failure

$ journalctl -q -o cat -a -t kata-runtime
$ journalctl -q -o cat -a -t kata-proxy

免責聲明！

本站轉載的文章為個人學習借鑒使用，本站對版權不負任何法律責任。如果侵犯了您的隱私權益，請聯系本站郵箱yoyou2525@163.com刪除。

猜您在找 認識kata-containers 從零開始入門 K8s | Kata Containers 創始人帶你入門安全容器技術 Kata 架構 Kata Container 介紹 kata-runtime來運行容器 kata-container環境搭建 pytorch Containers的Module部分 Removing Docker Containers and Images LXC與Docker Containers的區別 IBM Bluemix體驗：Containers