[WIP] PoC support for shim v2 to run kata containers v2 #11238
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: EduardoVega The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
@EduardoVega Could you check to see how much the size of Podman grows with this PR?
I love wee little PRs.
go version go1.15.14 linux/amd64 main
shimv2 branch
My bad, first time working on something this big, I can definitely make any change to improve this.
What is the benefit of this over executing kata OCI Runtime directly? Is there any way to do this without sucking in so much code?
I think the benefit is that the Kata runtime is deprecated and going away 😄 I'll try and do a full review this afternoon.
Adding three megabytes in size in order to talk to a socket seems a little extreme.
func isShimv2(name string, paths []string) bool { | ||
// Check if oci runtime name is shimv2 | ||
// i.e containerd.shim.kata.v2 | ||
r, _ := regexp.Compile(shimv2NameRegex) |
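Review bot: the error from regexp.Compile is discarded on the last line, so a malformed shimv2NameRegex leaves r nil and the following match call panics; compile the pattern once at package scope with regexp.MustCompile (which fails at startup instead) rather than on every isShimv2 call.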
Could we use string contains or match operations? I did not understand the use-case of regexp; it seems costly.
thanks, I'll replace this with a new field in containers.conf to specify when shimv2 is used as suggested in the other comment.
|
||
// Check if any of the oci runtime paths is shimv2 | ||
// i.e /path/to/containerd-shim-kata-v2 | ||
r, _ = regexp.Compile(shimv2BinaryRegex) |
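Review bot: same discarded error here, and shimv2BinaryRegex is recompiled every time the function runs; hoist it to a package-level MustCompile and match against filepath.Base of each path, otherwise, unless the pattern is anchored, a directory component of the path can satisfy a regex meant for the binary name.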
Same could we try string match or contains instead of regexp
Same here, this will change.
@@ -441,7 +441,8 @@ func makeRuntime(ctx context.Context, runtime *Runtime) (retErr error) { | |||
runtime.defaultOCIRuntime = ociRuntime | |||
} | |||
} | |||
logrus.Debugf("Using OCI runtime %q", runtime.defaultOCIRuntime.Path()) | |||
logrus.Debugf("Using OCI runtime name: %q", runtime.defaultOCIRuntime.Name()) |
Nit: Using OCI runtime %s with path %s instead of two log lines.
libpod/shimv2.go
"syscall" | ||
"time" | ||
|
||
tasktypes "github.com/containerd/containerd/api/types/task" |
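Review bot: importing github.com/containerd/containerd/api/types/task pulls in containerd's protobuf-generated types, which is the reason for the golang/protobuf downgrade noted in the description and a large part of the size growth raised above; if libpod only needs the task status values, a small local type mapped from the ttrpc responses would avoid vendoring the package.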
Not sure, can we abstract this into podman? Vendoring seems too much just for a small use-case. I may be wrong, could you help me understand?
Yup Size matters.
ok, I'll try to abstract this into podman. thanks
How does Podman monitor this? podman run -d --runtime=kata ... How do we get notified that the container exited, and what is the status? No conmon to watch it. How do we clean up the storage?
|
||
// isShimv2 verifies if the oci runtime needs to use shimv2 daemon | ||
// to create containers i.e kata containers v2 | ||
func isShimv2(name string, paths []string) bool { |
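Review bot: because isShimv2 answers true as soon as the name or any one of paths looks like a shim, a runtime entry that lists several binaries is treated as shimv2 for all of them even if only one matches; an explicit per-runtime setting in containers.conf, as this thread proposes, removes that ambiguity, and the "i.e" in both doc comments should read "i.e.".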
Instead of regexing, it's probably safer to do something in containers.conf
indicating this is a shimv2 runtime - explicitly set it in the config file for safety.
yes, that's definitely better. I have seen that this is referred to as a runtime_type=vm or runtime_version=v2, is there any preference for this?
Should this also be configured as a flag when running podman? i.e. podman run --runtime_type=v2 ...
I would just have it be --runtime, let's not add more flags.
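The two detection strategies discussed in this thread side by side, as an added Go example that is not the PR's code: the regex patterns and the RuntimeType config field are constructed assumptions, since the PR's shimv2NameRegex/shimv2BinaryRegex values and the final containers.conf key are not shown here.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
)

// Pattern-based detection in the spirit of the PR's isShimv2. Patterns are
// constructed here (the PR's own regexes are not shown) and compiled once at
// package scope, so a bad pattern fails at startup rather than per call.
var (
	shimv2NameRegex   = regexp.MustCompile(`^containerd\.shim\.[a-z0-9-]+\.v2$`)
	shimv2BinaryRegex = regexp.MustCompile(`^containerd-shim-[a-z0-9-]+-v2$`)
)

// IsShimv2ByPattern matches the name (containerd.shim.kata.v2) or any path basename (containerd-shim-kata-v2).
func IsShimv2ByPattern(name string, paths []string) bool {
	if shimv2NameRegex.MatchString(name) {
		return true
	}
	for _, p := range paths {
		if shimv2BinaryRegex.MatchString(filepath.Base(p)) {
			return true
		}
	}
	return false
}

// RuntimeConfig models a containers.conf runtime entry with an explicit type,
// as the reviewers asked for; the RuntimeType field name is assumed.
type RuntimeConfig struct {
	Paths       []string
	RuntimeType string // "" or "oci" for a plain OCI runtime, "vm" for a shimv2 runtime
}

// IsShimv2ByConfig trusts only what the operator wrote, not how the binary is named.
func IsShimv2ByConfig(runtimes map[string]RuntimeConfig, name string) bool {
	rc, ok := runtimes[name]
	return ok && rc.RuntimeType == "vm"
}

func main() {
	// Constructed sample: a kata shim installed under a non-standard binary name.
	cfg := map[string]RuntimeConfig{"kata": {Paths: []string{"/usr/local/bin/kata-shim"}, RuntimeType: "vm"}}
	fmt.Println(IsShimv2ByPattern("kata", cfg["kata"].Paths)) // false: sniffing misses it
	fmt.Println(IsShimv2ByConfig(cfg, "kata"))                // true: config is explicit
}
```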
libpod/shimv2.go
@@ -0,0 +1,776 @@ | |||
// +build linux |
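Review bot: with only `// +build linux` this 776-line file, together with the containerd task types it imports, is compiled into every Linux build of podman; a dedicated constraint such as `// +build linux,kata`, as suggested in the review, would keep the shimv2 support and its dependencies opt-in.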
I think we need a dedicated build tag for this - kata, maybe - so we can optionally build out support.
libpod/shimv2.go
return "", fmt.Errorf("not supported") | ||
} | ||
|
||
func (r *shimv2) UpdateContainerStatus(ctr *Container) error { |
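Review bot: fmt.Errorf("not supported") carries no format verbs and no context about which operation is unsupported; define a package-level sentinel (var errNotSupported = errors.New("shimv2: operation not supported")) so callers can check it with errors.Is, and wrap it with the method name at each return site.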
Is this the only way Kata updates us on containers exiting? i.e., we have to poll them to see when containers exited? My primary concerns are around container exit - we don't have a Conmon, so we don't have a cleanup process and the container will not be unmounted until the user manually invokes a Podman command that updates its status.
I agree, Podman has gone away, so something needs to record the status of the container. In my opinion this is still conmon. Just we need a way for conmon to wait for container exit.
From my understanding, the shimv2 daemon, when it is started, uses a ttrpc server exposed by containerd to publish events back.
I tried to mimic what cri-o was doing since both rely on conmon, and I think this is not being set when kata v2 is used. I will try to understand more about how cri-o handles kata container events.
@EduardoVega: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Updates
After some more research, I was able to understand better how the Shimv2 can be used with Podman, so the following diagram will try to explain it.
So based on these findings and the feedback provided in this PR, these could be the following items to be worked on.
Finally, these past months I've been very busy but I should be able to get more progress on this now. Thanks
This sounds good, but we still need to be able to run traditional OCI containers and shimv2 containers at the same time (podman ps). It needs to be easy to switch between the two: podman --runtime shimv2 run .... Not sure we want to call this shimv2, perhaps katav2 or something like that might be easier for users to understand.
@rhatdan understood. The shimv2 is just an interface that can be implemented by any runtime project, examples:
This is an example of how this could be run
Run Podman
Let me know if I'm missing something, thanks.
No that looks perfect.
This PR is a PoC to integrate the shimv2 as a container runtime to run kata containers version 2. A very basic functionality has been added to create, run and stop containers. Some actions are a bit buggy, mainly those related to attach, interactive and tty but the options can be used. Signed-off-by: Eduardo Vega <edvegavalerio@gmail.com>
ddf8f4d to 2b8eeb8
A friendly reminder that this PR had no activity for 30 days.
@EduardoVega Still working on this?
A friendly reminder that this PR had no activity for 30 days.
Since I have not heard back, I am going to close this PR; if/when someone wants to work on it, we can reopen or create a new PR.
This PR is a PoC to integrate the shim v2 as a container monitor to run kata containers version 2. A very basic functionality has been added to create, run and stop containers. Some actions are a bit buggy, mainly those related to attach, interactive and tty but the options can be used.
Fixes #8579
All the code changes are based on https://github.com/cri-o/cri-o/blob/master/internal/oci/runtime_vm.go
An important change to consider is that the version of github.com/golang/protobuf had to be downgraded due to this issue: containerd/ttrpc#62
Testing information
Host:
Kata version:
Examples:
Bugs:
ERRO[0061] Failed to close stdin for container "8cf1b8d3a0c8" error="invalid argument: Invalid exec id: invalid argument"
Signed-off-by: Eduardo Vega edvegavalerio@gmail.com