# Kata Containers in RKE2

## Prerequisites

- [x] An RKE2 cluster is already installed

## Install the Kata runtime

```
$ git clone https://github.com/kata-containers/kata-containers
$ cd kata-containers/tools/packaging/kata-deploy
$ kubectl apply -f kata-rbac/base/kata-rbac.yaml
$ kubectl apply -k kata-deploy/overlays/rke2
```

## Set the environment variable

```
$ ls -l /opt/kata/bin
total 324040
-rwxr-xr-x 1 1001 123  3569976 Jul  4 19:02 cloud-hypervisor
-rwxr-xr-x 1 1001 123 51280032 Aug  3 02:07 containerd-shim-kata-v2
-rwxr-xr-x 1 1001 123  2574080 Jun 14 07:29 firecracker
-rwxr-xr-x 1 1001 123  1672056 Jun 14 07:29 jailer
-rwxr-xr-x 1 1001 123    16694 Aug  3 02:07 kata-collect-data.sh
-rwxr-xr-x 1 1001 123 42333152 Aug  3 02:07 kata-monitor
-rwxr-xr-x 1 1001 123 52724432 Aug  3 02:07 kata-runtime
-rwxr-xr-x 1 1001 123 80353448 Aug  3 02:19 qemu-system-x86_64
-rwxr-xr-x 1 1001 123 18265144 Aug  2 15:29 qemu-system-x86_64-snp-experimental
-rwxr-xr-x 1 1001 123 79000328 Aug  2 15:28 qemu-system-x86_64-tdx-experimental
```

```
$ echo 'export PATH=$PATH:/opt/kata/bin' | sudo tee -a /etc/profile
```

* Log in again

```
$ kata-runtime --version
kata-runtime  : 3.2.0-alpha4
commit   : cf8899f260c6e8c473754efbd0795c73f413888e
OCI specs: 1.0.2-dev
```

* Check whether the host is capable of virtualization

```
$ kata-runtime kata-check
WARN[0000] Not running network checks as super user   arch=amd64 name=kata-runtime pid=32704 source=runtime
System is capable of running Kata Containers
System can currently create Kata Containers
```

## Modify the containerd config file

* RKE2's containerd config file is located at `/var/lib/rancher/rke2/agent/etc/containerd/config.toml`

```
$ sudo cp /var/lib/rancher/rke2/agent/etc/containerd/config.toml /var/lib/rancher/rke2/agent/etc/containerd/config.toml.tmpl
```

```
$ cat <<EOF | sudo tee -a /var/lib/rancher/rke2/agent/etc/containerd/config.toml.tmpl
[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]
  runtime_type = "io.containerd.kata.v2"
EOF
```

```
$ sudo systemctl restart rke2-server.service
```

## Create the RuntimeClass

```
$ cat <<EOF | kubectl apply -f -
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
EOF
```

* Make sure kata-deploy is ready

```
$ kubectl -n kube-system wait --timeout=10m --for=condition=Ready -l name=kata-deploy pod
pod/kata-deploy-bzg69 condition met
```

```
$ kubectl get runtimeclass
NAME   HANDLER   AGE
kata   kata      4s
```

## Test a Kata container

```
# The RuntimeClass must be declared
$ cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: nginx-kata
spec:
  runtimeClassName: kata
  containers:
  - name: nginx
    image: nginx
EOF
```

* Compare the host (SLES 15 SP4) kernel with the Kata container kernel

```
$ uname -r
5.14.21-150400.24.81-default
$ kubectl exec -it nginx-kata -- bash
root@nginx-kata:/# uname -a
Linux nginx-kata 6.1.38 #1 SMP Wed Aug  2 07:31:13 UTC 2023 x86_64 GNU/Linux
```

* Check with the crictl command

```
$ sudo crictl ps -a | grep nginx-kata
bd7555f23d6de   bc649bab30d15   3 minutes ago   Running   nginx   0   822d80431a145   nginx-kata
```

* It was started with the kata runtime

```
$ sudo crictl inspect bd7555f23d6de | grep runtimeType
    "runtimeType": "io.containerd.kata.v2",
```

## Create an Ubuntu container

* A Kata container's default resource allocation is CPU: 1 core, RAM: 2 GB. If a limit is set in Kubernetes, the final VM size is limit + default.
* Kubernetes limits the container to CPU: 2 cores, RAM: 4 GB
  - Inside the VM you see: CPU: 3 cores, RAM: 6 GB

```
kind: Deployment
apiVersion: apps/v1
metadata:
  name: kata-ubuntu
  labels:
    app: ubuntu
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ubuntu
  template:
    metadata:
      labels:
        app: ubuntu
    spec:
      runtimeClassName: kata
      containers:
      - name: ubuntu
        image: ubuntu
        tty: true
        resources:
          requests:
            cpu: 100m
            memory: 1024Mi
          limits:
            cpu: 2
            memory: 4096Mi
```

![image.png](https://hackmd.io/_uploads/BkdWgaxm6.png)

Source: https://read01.com/Jy2BaP6.html
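The containerd step above appends the kata runtime table with `tee -a`, which writes a second copy of the table every time the step is re-run, and a TOML table defined twice is invalid. The following helper, an added example that is not part of the original note, adds the table only when it is absent and reads back the `runtime_type` so it can be compared with what `crictl inspect` later reports. The function names and the sample config text are constructed for illustration.

```python
"""Added example (not from the original note): idempotently declare the kata
runtime in a containerd config template and read back its runtime_type."""
import re

KATA_TABLE = '[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata]'
KATA_STANZA = KATA_TABLE + '\n  runtime_type = "io.containerd.kata.v2"\n'

# The table header on a line of its own, tolerating surrounding whitespace.
_TABLE_RE = re.compile(r"^\s*" + re.escape(KATA_TABLE) + r"\s*$", re.MULTILINE)


def has_kata_runtime(config_text: str) -> bool:
    """True if the kata runtime table is already declared."""
    return _TABLE_RE.search(config_text) is not None


def kata_table_count(config_text: str) -> int:
    """How many times the kata table is declared (anything but 0 or 1 is a bug)."""
    return len(_TABLE_RE.findall(config_text))


def ensure_kata_runtime(config_text: str) -> str:
    """Return config text containing exactly one kata runtime table.

    Unlike `tee -a`, calling this twice does not duplicate the table.
    """
    if has_kata_runtime(config_text):
        return config_text
    sep = "" if (config_text == "" or config_text.endswith("\n")) else "\n"
    return config_text + sep + KATA_STANZA


def kata_runtime_type(config_text: str):
    """Return the runtime_type under the kata table, or None if not declared."""
    m = _TABLE_RE.search(config_text)
    if m is None:
        return None
    for line in config_text[m.end():].splitlines():
        s = line.strip()
        if s.startswith("["):       # next table: kata table ended
            break
        kv = re.match(r'runtime_type\s*=\s*"([^"]*)"', s)
        if kv:
            return kv.group(1)
    return None


if __name__ == "__main__":
    # Constructed stand-in for config.toml.tmpl copied from the RKE2 agent.
    sample = 'version = 2\n[plugins."io.containerd.grpc.v1.cri"]\n  sandbox_image = "index.docker.io/rancher/pause:3.6"\n'
    updated = ensure_kata_runtime(ensure_kata_runtime(sample))
    print(kata_table_count(updated), kata_runtime_type(updated))
```

To use it against the real file, read `config.toml.tmpl`, pass the text through `ensure_kata_runtime`, write it back and restart `rke2-server.service` as in the note; the value returned by `kata_runtime_type` should match the `"runtimeType": "io.containerd.kata.v2"` shown by `crictl inspect`.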
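The sizing rule in the last section (VM size = limit + Kata default, so a 2 CPU / 4 GB limit yields a 3 CPU / 6 GB VM) is easy to get wrong when limits are written as Kubernetes quantity strings such as `100m` or `4096Mi`. The block below is an added example, not code from the note, that parses those quantities from a Pod or Deployment manifest, confirms `runtimeClassName: kata` is present (the note's earlier test shows the pod is silently run by the default runtime without it), and computes the VM size the note describes. The manifest is the note's `kata-ubuntu` deployment as a constructed dict; the defaults of 1 vCPU and 2048 MiB are the note's figures and are not read from a Kata configuration file.

```python
"""Added example (not from the original note): apply the note's rule
"VM size = container limit + Kata default" to a Kubernetes manifest."""
import math
import re

DEFAULT_VCPUS = 1          # the note's default Kata VM: 1 core
DEFAULT_MEMORY_MIB = 2048  # the note's default Kata VM: 2 GB

_MEM_UNITS = {"": 1, "Ki": 1024, "Mi": 1024**2, "Gi": 1024**3,
              "k": 1000, "M": 1000**2, "G": 1000**3}


def parse_cpu(q) -> float:
    """Kubernetes CPU quantity: '100m' -> 0.1, '2' -> 2.0."""
    q = str(q)
    return int(q[:-1]) / 1000 if q.endswith("m") else float(q)


def parse_memory_mib(q) -> float:
    """Kubernetes memory quantity to MiB: '4096Mi' -> 4096.0, '4Gi' -> 4096.0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _MEM_UNITS:
        raise ValueError(f"unsupported memory quantity: {q!r}")
    return float(m.group(1)) * _MEM_UNITS[m.group(2)] / 1024**2


def pod_spec_of(manifest: dict) -> dict:
    """Return the pod spec of a Pod or of a Deployment's pod template."""
    if manifest.get("kind") == "Deployment":
        return manifest["spec"]["template"]["spec"]
    return manifest["spec"]


def uses_kata(pod_spec: dict) -> bool:
    """The note's test pod only runs under Kata when this is set."""
    return pod_spec.get("runtimeClassName") == "kata"


def expected_vm_size(pod_spec: dict) -> dict:
    """Sum the containers' CPU/memory limits and add the Kata defaults.

    Limits, not requests, are used because that is what the note's rule states;
    vCPUs are rounded up since a VM cannot carry a fractional CPU.
    """
    cpu = mem = 0.0
    for c in pod_spec.get("containers", []):
        limits = c.get("resources", {}).get("limits", {})
        cpu += parse_cpu(limits.get("cpu", "0"))
        mem += parse_memory_mib(limits.get("memory", "0"))
    return {"vcpus": DEFAULT_VCPUS + math.ceil(cpu),
            "memory_mib": DEFAULT_MEMORY_MIB + mem}


# Constructed: the note's kata-ubuntu Deployment as a dict.
KATA_UBUNTU_DEPLOYMENT = {
    "kind": "Deployment",
    "apiVersion": "apps/v1",
    "metadata": {"name": "kata-ubuntu", "labels": {"app": "ubuntu"}},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "ubuntu"}},
        "template": {
            "metadata": {"labels": {"app": "ubuntu"}},
            "spec": {
                "runtimeClassName": "kata",
                "containers": [{
                    "name": "ubuntu", "image": "ubuntu", "tty": True,
                    "resources": {
                        "requests": {"cpu": "100m", "memory": "1024Mi"},
                        "limits": {"cpu": 2, "memory": "4096Mi"},
                    },
                }],
            },
        },
    },
}
KATA_UBUNTU_POD_SPEC = pod_spec_of(KATA_UBUNTU_DEPLOYMENT)

if __name__ == "__main__":
    print("kata:", uses_kata(KATA_UBUNTU_POD_SPEC), expected_vm_size(KATA_UBUNTU_POD_SPEC))
```

For the note's deployment this yields 3 vCPUs and 6144 MiB, matching the "CPU: 3 cores, RAM: 6 GB" observed inside the VM; `nproc` and `free -m` from `kubectl exec` are the way to confirm the figure on a live pod.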