Tuesday, 2021-07-27

kata-irc-bot <jrieck> I have successfully booted kata-fc containers but I am not getting internet connectivity, I have been trying different CNI configurations but none seem to work, has anyone successfully booted a kata-fc container with internet connectivity? confs I've tried
```
{
  "cniVersion": "0.4.0",
  "name": "fcnet",
  "plugins": [
    {
      "type": "bridge",
      "bridge": "fc-br1",
      "isGateway": true,
      "ipMasq": true,
      "ipam": {
        "type": "host-local",
        "subnet": "192.168.1.0/24",
        "routes": [
          {
            "dst": "0.0.0.0/0"
          }
        ]
      }
    },
    {
      "type": "firewall"
    },
    {
      "type": "tc-redirect-tap"
    }
  ]
}
```
However my coredns pods do not work due to timeouts trying to talk to the kube api:
```
resourceVersion=0": dial tcp 10.96.0.1:443: connect: no route to host
E0727 13:53:46.111760       1 reflector.go:127] pkg/mod/k8s.io/client-go@v0.19.2/tools/cache/reflector.go:156: Failed to watch *v1.Service: failed to list *v1.Service: Get "https://10.96.0.1:443/api/v1/services?limit=500&resourceVersion=0": dial tcp 10.96.0.1:443: connect: no route to host
```
I would love some CNI wisdom :slightly_smiling_face: 13:54
kata-irc-bot <jakob.naucke> I'm not familiar with this part of the agent, but let me get this straight. So usually, `do_create_container` would receive some spec that contains a path in the shared FS to the container image, is that correct? Then you should be able to instead put your decrypted image (?) what am I missing? 14:22
kata-irc-bot <david_hay> Yeah, so for background, I've created some functions inside `kata-agent` that allow me to (a) pull (b) verify signature and (c) unbundle an image from IBM Container Registry
This results in the image being pulled to, and unbundled into, the Pod Sandbox
Right now, I'm using `/tmp` so I have a subdirectory such as `/tmp/image_bundle` within the Pod Sandbox, containing: -
```
-rw-r--r--  1 root root   3272 Jul 27 06:52 config.json
drwxr-xr-x 20 root root    420 Jan  1  1970 rootfs
-rw-r--r--  1 root root 315410 Jul 27 06:52 sha256_40859eb4d97466e50982d00c0cfe63b61e635ad00f604ca5363784d801013327.mtree
```
So I'm trying to trick the agent into creating / starting a container from that bundle, either using the existing `CreateContainer` endpoint (I'm poking the Agent via `kata-agent-ctl`, which invokes `do_create_container`
(also, for the record, at this time we have no encr/decryption going on, so the image is merely a bundle) 14:29
kata-irc-bot <david_hay> As far as I can establish, `kata-agent-ctl` can create a container using a bundle passed in on the request, via the `CreateContainer` function if we specify `spec=` pointing at the bundle *outside* the Pod Sandbox
Therefore, I'm trying to spoof it to do the same *inside* the Pod Sandbox i.e. I'm not giving you a bundle on the wire, I'm giving you the location of a bundle that already exists *inside* the Sandbox .... 14:31
kata-irc-bot <jakob.naucke> currently looking at https://github.com/kata-containers/kata-containers/blob/9806e88963a0ce0b9853abdda3e054a592a38b09/tools/agent-ctl/src/client.rs#L856, I'm a bit confused because `spec` is not mentioned except in a comment… 14:53
kata-irc-bot <david_hay> Yeah, that's partly what I was trying to understand ..... 14:55
