Skip to content
This repository has been archived by the owner on May 12, 2021. It is now read-only.

Initial release of Kata Containers with Firecracker support

Graham Whaley edited this page May 14, 2019 · 19 revisions

Kata Containers with Firecracker hypervisor

The 1.5.0 release of Kata Containers introduces support for the Firecracker hypervisor. While we do not yet have packages available for Firecracker, we do have the built binary included as part of our release tarball. A Firecracker specific tarball was created which includes all of the configurations and binaries required for running Kata+Firecracker.

This is a quick guide to show how to quickly start playing with Kata + Firecracker in docker. This is the initial introduction, and we have plenty of work around optimizations, but I expect users to be able to use block based volumes (up to 7 per container right now) as well as multiple network interfaces with these containers.

See this issue for current limitations of Kata+FC.

Pre-requisuites

In order to run Kata + Firecracker, there are a few mandatory requirements your host system/container stack will need to support:

  • Your host must support the vhost_vsock kernel module
  • Your container stack must provide a block based storage ('graph driver'), such as devicemapper

Without these pre-requisites, Kata + Firecracker will not work.

Quick Start - Docker

Get the static binaries

The static binaries are posted on our release page, and 1.5.0 can be obtained as follows:

wget https://github.com/kata-containers/runtime/releases/download/1.5.0/kata-static-1.5.0-x86_64.tar.xz

The tarball is designed to be decompressed into /, placing all of the files within /opt/kata/. The runtime configuration is expected to land at /opt/kata/share/defaults/kata-containers/configuration.toml. Your mileage will vary if you make further changes. To install Kata on your system:

sudo tar -xvf kata-static-1.5.0-x86_64.tar.xz -C /

Install and configure Docker

Docker 18.06 is required for running Kata with Firecracker. For Kata+Firecracker, a block based driver like devicemapper is required. The latest release of Docker, 18.09, does not support devicemapper and is not compatible.

NOTE if you are changing storage drivers for Docker, please take care to cleanup existing containers and container images on your host, as these will be lost!

To configure Docker for devicemapper and Kata, set /etc/docker/daemon.json with the following contents:

{
  "runtimes": {
    "kata-fc": {
      "path": "/opt/kata/bin/kata-fc"
    },
   "kata-qemu": {
      "path": "/opt/kata/bin/kata-qemu"
    }
  },
  "storage-driver": "devicemapper"
}

Then restart docker:

sudo systemctl daemon-reload
sudo systemctl restart docker

Run a Kata container utilizing Firecracker

Note, you'll need to make sure vsock is supported on your host system:

sudo modprobe vhost_vsock

Assuming vsock is supported, run the kata container:

docker run --runtime=kata-fc -itd --name=oh-sweet-fc alpine sh

You'll see firecracker is now running on your system, as well as a kata-shim process:

$ ps -ae | grep -E "kata|fire"
10174 ?        00:00:05 firecracker
10194 pts/5    00:00:00 kata-shim

You can exec into the container, providing a shell into a container which is running inside of a firecracker based virtual machine:

docker exec -it oh-sweet-fc sh
#

You can also run a Kata Container utilizing the QEMU hypervisor:

docker run --runtime=kata-qemu -itd --name=oh-sweet-qemu-too alpine sh

After exiting the shell, you can then remove the container:

docker kill oh-sweet-fc
docker kill oh-sweet-qemu-too
docker rm oh-sweet-fc
docker rm oh-sweet-qemu-too