kata-irc-bot | <starun.1998> looked on this, i get package under `src/`, but why `export GO11MODULE=off`? i had reset it to `export GO11MODULE=auto` because of some error !! | 06:25 |
---|---|---|
kata-irc-bot | <starun.1998> hi i was getting this error on running `kata-runtime check`: ERRO[0000] /usr/share/defaults/kata-containers/configuration-qemu.toml: file /usr/share/kata-containers/vmlinux.container does not exist arch=amd64 name=kata-runtime pid=13640 source=runtime /usr/share/defaults/kata-containers/configuration-qemu.toml: file /usr/share/kata-containers/vmlinux.container does not exist | 06:27 |
kata-irc-bot | <fidencio> It means that the file you're pointing at doesn't exist. Can you share that specific part of the configuration file and also the output of `tree /usr/share/kata-containers` ? | 07:09 |
kata-irc-bot | <starun.1998> https://github.com/kata-containers/kata-containers/blob/main/docs/Developer-Guide.md#build-and-install-the-kata-containers-runtime but im just following this guide and build with make. | 08:14 |
kata-irc-bot | <starun.1998> output of `tree /usr/share/kata-containers`: `/usr/share/kata-containers/ └── defaults └── configuration.toml` | 08:15 |
kata-irc-bot | <starun.1998> yes there is no vmlinux.container in this /usr/share | 08:16 |
kata-irc-bot | <fidencio> So, you need to build and provide a kernel / initrd that the kata-containers VM can use. | 08:20 |
kata-irc-bot | <starun.1998> how? can you explain more, im just trying to contribute to this repo | 08:32 |
kata-irc-bot | <fidencio> First thing, are you trying to use or to develop for kata-containers? | 08:35 |
kata-irc-bot | <starun.1998> i was trying to contribute and was making a dev env ! | 10:30 |
kata-irc-bot | <fidencio> Okay, that's cool, and welcome! | 10:36 |
kata-irc-bot | <fidencio> Are you familiar with using kata-containers already? | 10:36 |
kata-irc-bot | <starun.1998> No, actually i was just exploring containers and things until i found this runtime, and trying to contribute to this :slightly_smiling_face: | 11:29 |
kata-irc-bot | <fidencio> Okay, let's take a step back and get you to use kata-containers, to understand a little bit about what's needed, and then we can get to contributing to kata-containers. | 11:37 |
kata-irc-bot | <starun.1998> sure !! :slightly_smiling_face: | 11:39 |
kata-irc-bot | <fidencio> I'd suggest you to take a look at: https://youtu.be/4gmLXyMeYWI That's not up-to-date, but will give you a reasonable idea about the project. | 11:40 |
kata-irc-bot | <fidencio> Then, after you take a look at that, I'd suggest you give it a try on kata-containers using minikube. | 11:40 |
kata-irc-bot | <fidencio> But first, give it a try on minikube | 11:40 |
kata-irc-bot | <fidencio> https://minikube.sigs.k8s.io/docs/start/ | 11:40 |
kata-irc-bot | <fidencio> Check out that you can run your workloads there | 11:41 |
kata-irc-bot | <fidencio> Then, you can try to deploy kata-containers there using `kata-deploy` (https://quay.io/repository/kata-containers/kata-deploy?tab=info | 11:41 |
kata-irc-bot | <starun.1998> okk !! will be back soon after checking this, thanks!! | 11:41 |
kata-irc-bot | <fidencio> Then you can try to run the previous workloads using kata-containers | 11:42 |
kata-irc-bot | <fidencio> and then, after understanding those artefacts, you will have a better understanding of how and what you want to contribute | 11:42 |
kata-irc-bot | <fidencio> Okay? | 11:42 |
kata-irc-bot | <starun.1998> yeah sure :) | 11:43 |
kata-irc-bot | <eric.ernst> I’ve been looking at @feng.wang’s PR https://github.com/kata-containers/kata-containers/pull/2432/files for rootless VMM execution, focusing on the user part of it. | 16:44 |
kata-irc-bot | <eric.ernst> I didn’t love calling useradd directly, and was working to see if we could just do this directly instead. | 16:45 |
kata-irc-bot | <eric.ernst> AFAIU, all we’d need to do is update /etc/group and /etc/passwd, and then mkdir/chown where the VMM artifacts will live. | 16:45 |
kata-irc-bot | <eric.ernst> However… the more I look at it, the more I think this is more error prone, since we’ll need to handle selection of the uid, verifying that it doesn’t already exist, etc. | 16:46 |
kata-irc-bot | <eric.ernst> Perhaps calling the binary is the least error prone. | 16:46 |
kata-irc-bot | <eric.ernst> Curious if other folks have thought through this or have input. | 16:46 |
kata-irc-bot | <eric.ernst> @samuel.ortiz @fidencio @archana.m.shinde ^ | 16:47 |
kata-irc-bot | <eric.ernst> devimc ? | 16:47 |
kata-irc-bot | <eric.ernst> I’m not totally clear what else is done on the fs / sysfs when -M is utilized (no home directory) | 16:48 |
kata-irc-bot | <eric.ernst> strace from adduser: https://gist.github.com/egernst/4fcc2f5fe595dc633d73005bb63b8291 | 16:49 |
kata-irc-bot | <fidencio> I would *not* like to have it done directly, we have tools to do that, we use the well known and tested tools to do that :slightly_smiling_face: | 16:50 |
kata-irc-bot | <fidencio> One thing that crossed my mind was, maybe, for a future interaction, have that done entirely by a different binary that one can confine properly / apply the SELinux labels they prefer | 16:51 |
kata-irc-bot | <fidencio> rather than letting the binary do that | 16:51 |
kata-irc-bot | <fidencio> And the runtime would just call the binary | 16:51 |
kata-irc-bot | <feng.wang> is Kata calling “useradd” more dangerous than calling “qemu” or “containerd-shim-v2” binary? | 16:51 |
kata-irc-bot | <fidencio> But I still don't know whether it has much advantages. | 16:51 |
kata-irc-bot | <eric.ernst> since shim is running as root today, i think having another binary do it doesn’t help much, @fidencio? | 16:52 |
kata-irc-bot | <eric.ernst> i think if we wanted to run rootless in the future completely its something we could explore. | 16:52 |
kata-irc-bot | <fidencio> @eric.ernst, yep, that's my idea *for the future*. | 16:58 |
kata-irc-bot | <fidencio> And I do think kata calling something it shouldn't be calling is conceptually dangerous, @feng.wang. The runtime is not supposed to be creating users, but I also mentioned I'm fine about going on with the PR as long as we explicitly mention this is *experimental* and don't advertise folks to use it. | 16:59 |
kata-irc-bot | <fidencio> @feng.wang, about the `-runas`, have you explored that option as suggested by @sbrivio? | 17:00 |
kata-irc-bot | <feng.wang> I haven’t. `-runas` would still require calling `useradd` to create the user first, right? | 17:02 |
kata-irc-bot | <fidencio> It would, that's not related to avoid that path. | 17:03 |
kata-irc-bot | <fidencio> But some of the logic you do in the runtime could be removed and we could rely solely on QEMU to run with the user you created | 17:04 |
kata-irc-bot | <feng.wang> Okay. I can give it a try. | 17:05 |
kata-irc-bot | <apocalipse89> i’m trying to deploy kata on `aarch64`. i wanted to use `kata-deploy`, however the container is baked only for `amd64`. is there any reason? I’ve looked at the `Dockerfile` and I could not find anything there that would restrict a build for an `aarch64` arch. I would like to give it a try. could you please advise in case there are any blockers that would prevent that? just to avoid losing a lot of time. | 20:33 |
kata-irc-bot | <fidencio> I guess the main issue is how to build & distribute the binaries for aarch64 | 20:38 |
kata-irc-bot | <fidencio> Right now we build the binaries as part of an AKS job, and I have no idea whether Azure has aarch64 machines handy that we could use to build those binaries. | 20:38 |
kata-irc-bot | <feng.wang> @fidencio I tried using the `-runas` flag in QEMU (the commit), but the QEMU fails to start with segfault: ```Sep 14 20:26:44 ip-10-110-22-245 kernel: [95831.828294] qemu-system-x86[86375]: segfault at 10 ip 00007ff4f1f6cd8d sp 00007ff4f16a0a20 error 4 Sep 14 20:26:44 ip-10-110-22-245 kernel: [95831.828299] qemu-system-x86[86363]: segfault at 10 ip 00007ff4f1f6cd8d sp 00007ff4f3e37ae0 error 4 Sep 14 20:26:44 ip-10-110-22-245 kernel: [95831.828301] in libpthread-2.27.so[7ff4f1f67000+1a000] Sep 14 20:26:44 ip-10-110-22-245 kernel: [95831.828308] Code: 89 f3 48 83 ec 08 8b 6e 10 e8 4f fa ff ff 39 c5 74 0b 48 83 c4 08 5b 5d c3 0f 1f 40 00 83 7b 08 fa 75 ef 48 8b 05 43 86 21 00 <48> 8b 70 10 48 8b 78 08 48 8b 50 18 8b 00 0f 05 48 8b 3d 2c 86 21 Sep 14 20:26:44 ip-10-110-22-245 kernel: [95831.828309] in libpthread-2.27.so[7ff4f1f67000+1a000] Sep 14 20:26:44 ip-10-110-22-245 kernel: [95831.828315] Code: 89 f3 48 83 ec 08 8b 6e 10 e8 4f fa ff ff 39 c5 74 0b 48 83 c4 08 5b 5d c3 0f 1f 40 00 83 7b 08 fa 75 ef 48 8b 05 43 86 21 00 <48> 8b 70 10 48 8b 78 08 48 8b 50 18 8b 00 0f 05 48 8b 3d 2c 86 21 Sep 14 20:26:44 ip-10-110-22-245 kernel: [95831.828319] qemu-system-x86[86373]: segfault at 10 ip 00007ff4f1f6cd8d sp 00007ff4f1ea1b20 error 4 in libpthread-2.27.so[7ff4f1f67000+1a000] Sep 14 20:26:44 ip-10-110-22-245 kernel: [95831.828328] Code: 89 f3 48 83 ec 08 8b 6e 10 e8 4f fa ff ff 39 c5 74 0b 48 83 c4 08 5b 5d c3 0f 1f 40 00 83 7b 08 fa 75 ef 48 8b 05 43 86 21 00 <48> 8b 70 10 48 8b 78 08 48 8b 50 18 8b 00 0f 05 48 8b 3d 2c 86 21``` | 20:38 |
kata-irc-bot | <fidencio> Mind to open one and CC me? | 20:39 |
kata-irc-bot | <fidencio> Cool, just add that info to the PR (as a simple comment) and that's it. We tried, we couldn't make it work, that's it. If someone wants to debug it, they can. | 20:40 |
kata-irc-bot | <anastassios.nanos> hey, so let me share some of our findings for the aarch64 builds -- we've tried building kata on aarch64 successfully and created container images for kata-deploy etc. however we only have them available for our customized use-case, so for instance only firecracker is available (+ some of our additional binaries) | 21:05 |
kata-irc-bot | <feng.wang> It looks like the consensus is, we’ll call `useradd` for now instead of directly updating `/etc/group` and `/etc/passwd`. We can refactor the code into a separate binary in the future. For using the `-runas` flag, I gave it a try but couldn’t get it working. The QEMU fails to start with segfault. I’ll stick with the current implementation. @fidencio @eric.ernst Did I summarize it correctly? Any other action items you want me to take regarding the PR? | 21:07 |
kata-irc-bot | <anastassios.nanos> fwiw we found no blocking issues in building the runtime/kernel/rootfs etc. just that the kata agent needed > 4GB of memory (it was failing with OOM on our jetson NANOs) | 21:07 |
kata-irc-bot | <anastassios.nanos> if it helps, for the next week or so we have access to an ampere system, so we can arrange a quick container build & push for the current stable version, just to get things going for you, but I guess we need to figure out a way to automate this | 21:10 |
kata-irc-bot | <fidencio> Oh, how much memory does the Nano have? | 21:12 |
kata-irc-bot | <fidencio> I was using a NX to do my aarch64 tests | 21:12 |
kata-irc-bot | <apocalipse89> Sure fidencio i can open an issue | 21:12 |
kata-irc-bot | <fidencio> @anastassios.nanos, maybe we can have that as part of our release system: https://docs.microsoft.com/en-us/azure/templates/microsoft.containerservice/managedclusters?tabs=json Seems that AKS supports aarch64 jobs. | 21:13 |
kata-irc-bot | <apocalipse89> thanks ananos for sharing the findings. my final was to run them on a rpi 4 (8GB) | 21:13 |
kata-irc-bot | <anastassios.nanos> we've tried on an 8GB pi4, it takes time but it finishes the build | 21:14 |
kata-irc-bot | <anastassios.nanos> the nanos have 4GB unfortunately | 21:14 |
kata-irc-bot | <fidencio> Aha. The NX has 8GB and that worked successfully here | 21:15 |
kata-irc-bot | <fidencio> Anyways, @anastassios.nanos, would you have cycles to investigate whether we can support that on AKS? I can give you some pointers from next week and hopefully we can get that as part of our official release. | 21:16 |
kata-irc-bot | <anastassios.nanos> sure, happy to get aarch64 binaries as part of the release -- what we currently do is kind of messy ;-) | 21:17 |
kata-irc-bot | <apocalipse89> https://github.com/kata-containers/kata-containers/issues/2639 - i have created this issue guys | 21:17 |
kata-irc-bot | <fidencio> I will go through that and decorate the issue Tomorrow | 21:18 |
kata-irc-bot | <apocalipse89> thanks | 21:18 |
kata-irc-bot | <fidencio> way too late in beerland, and you should also be off considering we're in the same country :slightly_smiling_face: | 21:19 |
kata-irc-bot | <eric.ernst> Since it’s behind a feature gate, and you addressed opens; it’s okay with me. | 22:07 |
kata-irc-bot | <anastassios.nanos> heh -- so I remembered now -- there's a container image platform mismatch for aarch64 (the systemd stuff that kata-deploy needs -- we ended up building our own, but I think there's a better solution for that) | 22:09 |
kata-irc-bot | <eric.ernst> @simon.kaegi - looking at https://github.com/kata-containers/kata-containers/issues/2638 :thread: | 22:10 |
kata-irc-bot | <fidencio> Same here | 22:10 |
kata-irc-bot | <eric.ernst> is this failing *just* when _optional_ volume is specified? | 22:10 |
kata-irc-bot | <anastassios.nanos> | 22:16 |
kata-irc-bot | <anastassios.nanos> that would do the trick for now, but, again, we definitely need to find a better solution ;) | 22:17 |