*** jugs has quit IRC | 00:45 | |
*** jugs has joined #kata-dev | 00:47 | |
*** zerocoolback has joined #kata-dev | 00:49 | |
*** zerocoolback has quit IRC | 00:53 | |
kata-irc-bot | <xu> @cole.mickens @raravena80 the `io.containerd.runtime.kata.v2` is currently in PR #572 and has not been merged yet. The feature is ready, but we still need to do some cleanup and code re-organizing. However, it could be tried with this document https://gist.github.com/gnawux/d06c34b845aa3350799cbeaeb3c1270e by @fupan. | 03:13 |
---|---|---|
kata-irc-bot | <cole.mickens> It's easy for me to pin to a different release of kata if it would help, but I'm really just looking for some basic kata+containerd sanity checks without having to go up another layer to k8s. | 03:14 |
kata-irc-bot | <cole.mickens> aka, is there a `ctr` or `crictl` command that I can use, regardless of the identifier, to invoke the "untrusted_workload_runtime" ? | 03:15 |
kata-irc-bot | <xu> with the doc, you may use ctr | 03:15 |
kata-irc-bot | <xu> sorry, `crictl` | 03:16 |
kata-irc-bot | <raravena80> @xu the links seem broken, probably because they pointed to the original repo. Do you know which one that is? | 04:18 |
kata-irc-bot | <raravena80> I guess it's this: https://github.com/containerd/cri/blob/master/docs/crictl.md | 04:20 |
kata-irc-bot | <raravena80> hmm, I still don't see how to invoke the untrusted pod through the command line. I'll ask around. | 04:28 |
kata-irc-bot | <cole.mickens> @xu thank you very much for the link, I see that's using a custom branch and a new executable. Is there anywhere I can go to learn more about this change? like a design doc or something? I'm trying to understand-- I'm going to take a bit of an educated guess... before shimv2, Kata could be the unprivileged runtime, but it was using the default containerd shim, maybe? Is `the shim`==`the runtime identifier as it appears in | 06:38 |
kata-irc-bot | containerd.toml`? But with the new doc, there's a Kata shim for the Kata runtime and I will then be able to select it via the `--runtime` flag to `ctr`. | 06:38 |
kata-irc-bot | <cole.mickens> I guess maybe another thing that would make it all click... how does `"io.containerd.runtime.kata.v2"` map to ` /usr/local/bin/containerd-shim-kata-v2` ? | 06:39 |
kata-irc-bot | <xu> let @fupan answer the detailed questions. And the code is already in the runtime#572 PR and needs some adjustment before being merged. | 06:41 |
kata-irc-bot | <cole.mickens> hm, that document makes it the default runtime though... | 06:46 |
kata-irc-bot | <cole.mickens> I'll try it out with it as just the untrusted one and see if I can still select it with ctr | 06:46 |
kata-irc-bot | <cole.mickens> the picture gets clearer: https://github.com/containerd/cri/pull/891 | 07:00 |
kata-irc-bot | <cole.mickens> I think I'm starting to piece it together a bit | 07:00 |
kata-irc-bot | <cole.mickens> I suspect that if I use head of containerd, I can specify multiple runtimes and select between them using `ctr`, based on Tim's PR there. | 07:03 |
kata-irc-bot | <cole.mickens> And the k8s side is "RuntimeClass" (https://github.com/kubernetes/community/blob/master/keps/sig-node/0014-runtime-class.md) | 07:04 |
kata-irc-bot | <fupan> Hi @cole.mickens you can set [plugins.cri.containerd.untrusted_workload_runtime] runtime_type = "io.containerd.kata.v2" for your containerd config file to use kata as the untrusted workload runtime for crictl cmd line, if you want to use ctr cmd line, you can pass --runtime=io.containerd.kata.v2 to it, containerd will automatically translate "io.containerd.kata.v2" to binary name containerd-shim-kata-v2 and try to find it in | 07:05 |
kata-irc-bot | $PATH env | 07:05 |
kata-irc-bot | <cole.mickens> aha! I wondered if there was some magic auto conversion. And I think because of my particular OS setup, containerd can't see the shim right now, so this makes sense. | 07:06 |
kata-irc-bot | <cole.mickens> Thank you, I'll give it all another shot. | 07:06 |
kata-irc-bot | <cole.mickens> I think I made some progress. | 08:45 |
kata-irc-bot | <cole.mickens> But when containerd invokes the containerd v2 shim, I get this warning: `Sep 15 08:45:06 kix.cluster.lol containerd[24713]: time="2018-09-15T08:45:06.640280400Z" level=warning msg="fetch sandbox device failed" ID=redis0 error="open /run/vc/sbs/redis0/devices.json: no such file or directory" sandbox=redis0 sandboxid=redis0 source=virtcontainers subsystem=sandbox` | 08:45 |
kata-irc-bot | <cole.mickens> and `ctr` returns `ctr: no such file or directory: not found` | 08:46 |
kata-irc-bot | <cole.mickens> @fupan ^ any tips? | 08:47 |
kata-irc-bot | <fupan> Which cmd triggered this error? Can you tell me how I can reproduce it? | 08:54 |
kata-irc-bot | <cole.mickens> @fupan http://ix.io/1mJX | 08:59 |
kata-irc-bot | <cole.mickens> that's HEAD of containerd/ctr and shimv2 of kata-runtime from hyperhq | 09:00 |
kata-irc-bot | <cole.mickens> If I specify an incorrect runtime name, the error is explicit and says that it can't find <autogenerated-shim-name> | 09:00 |
kata-irc-bot | <cole.mickens> but when it is correctly pointed at kata, it just gives this vague error | 09:00 |
kata-irc-bot | <fupan> Hi @cole.mickens It seems there is a bug in the latest shimv2 when used with ctr, but crictl works well; you can try crictl first, and I’ll have a look at this issue. | 09:53 |
kata-irc-bot | <cole.mickens> oh I see, thank you for confirming. I was avoiding learning crictl but now I will :slightly_smiling_face:. thanks. | 09:55 |
kata-irc-bot | <fupan> @cole.mickens The issue is that the latest kata code moved the running of the network hooks from virtruntime to cli, which caused the ctr command to fail to start the sandbox, but crictl uses cni network mode, which does not involve the network hooks, thus it works well. I’ll fix this issue in the shimv2 later. | 10:31 |
*** zerocoolback has joined #kata-dev | 11:12 | |
*** zerocoolback has quit IRC | 14:09 | |
kata-irc-bot | <raravena80> @fupan just curious, any ideas on how to run it with `crictl`? meaning specify something like `io.containerd.kata.v2`? other than making Kata your default runtime. | 17:54 |
*** marco_ has joined #kata-dev | 18:54 | |
*** marcov has quit IRC | 18:56 | |
kata-irc-bot | <cole.mickens> There's a PR out for crictl that takes a --runtime flag for `runp`. | 19:15 |
kata-irc-bot | <cole.mickens> Granted, I didn't actually get it working quite yet, but I'm quite close. Custom builds of kata-runtime, container, cri-tools, fun stuff :slightly_smiling_face: | 19:15 |