*** GonZo2000 has joined #kata-general | 00:00 | |
*** GonZo2000 has quit IRC | 00:52 | |
*** GonZo2000 has joined #kata-general | 00:57 | |
*** dlw has joined #kata-general | 01:15 | |
*** LinuxMe has joined #kata-general | 03:48 | |
*** LinuxMe has quit IRC | 03:53 | |
*** LinuxMe has joined #kata-general | 04:11 | |
*** LinuxMe has quit IRC | 04:15 | |
*** dlw1 has joined #kata-general | 06:36 | |
kata-dev-irc-bot | <vizard561> Hi team, please give me a tip, how can I ssh into a kata-vm (nginx untrusted deployed in k8s)? | 06:37 |
*** dlw has quit IRC | 06:38 | |
*** dlw1 is now known as dlw | 06:38 | |
kata-dev-irc-bot | <xu> do an `exec`? | 06:38 |
kata-dev-irc-bot | <vizard561> @xu no :) if it is a vm, do I have to deploy ssh inside? | 07:01 |
kata-dev-irc-bot | <xu> think of kata containers as containers instead of VMs, though we employ virtualization technologies. | 07:06 |
kata-dev-irc-bot | <vizard561> File uploaded https://katacontainers.slack.com/files/UAYGC1Q4D/FB07VV5HN/kata-scheme.png / https://slack-files.com/T86U7NQTT-FB07VV5HN-e8ef447022 | 07:07 |
kata-dev-irc-bot | <vizard561> then what is it? ) | 07:07 |
kata-dev-irc-bot | <xu> that's the implementation detail; from the application's view, it is a container. A vm in kata is only the pod sandbox. don't use it like a traditional vm. | 07:09 |
kata-dev-irc-bot | <vizard561> so it is a clearcontainer image, with a few pods inside? | 07:10 |
kata-dev-irc-bot | <xu> kata containers run standard docker images | 07:10 |
kata-dev-irc-bot | <vizard561> as I know, vm=vm, and inside the vm (guest kernel) we have a namespace. And inside the namespace we have an application image. Am I wrong? | 07:14 |
kata-dev-irc-bot | <vizard561> File uploaded https://katacontainers.slack.com/files/UAYGC1Q4D/FB0CF091P/image.png / https://slack-files.com/T86U7NQTT-FB0CF091P-56c383a64b | 07:14 |
kata-dev-irc-bot | <vizard561> the website told me kata uses lightweight VMs | 07:15 |
kata-dev-irc-bot | <xu> the application image comes from the docker image | 07:15 |
kata-dev-irc-bot | <vizard561> yeah, but this image is running inside the clearcontainer img, right? | 07:16 |
kata-dev-irc-bot | <xu> no clearcontainer image | 07:16 |
kata-dev-irc-bot | <xu> there is a rootfs, which is an initrd or a static minimal rootfs disk, however, there is no daemon configured inside. | 07:21 |
kata-dev-irc-bot | <vizard561> @xu now I've deployed nginx-untrusted, and it uses an image: /usr/share/kata-containers/kata-containers-image_clearlinux_agent_a099747.img | 07:50 |
*** jodh has joined #kata-general | 07:51 | |
kata-dev-irc-bot | <zhangwei555> I think you can choose to setup SSH inside a kata container, then ssh into container. Does this meet your need? | 07:52 |
*** gwhaley has joined #kata-general | 08:02 | |
kata-dev-irc-bot | <vizard561> I'm confused again :) what is a virtual machine? what is the app? I think kata creates a shell outside a docker image to isolate it (memory leaks etc.) | 08:08 |
kata-dev-irc-bot | <vizard561> docker or containerd is just an interface for operating images | 08:08 |
kata-dev-irc-bot | <vizard561> or "what is the name of a vm, if it's not a vm" | 08:10 |
kata-dev-irc-bot | <xu> so, as I said before, > think of kata containers as containers instead of VMs, though we employ virtualization technologies. don't try to access sandbox stuff outside containers. | 08:10 |
kata-dev-irc-bot | <xu> technically, the sandbox is a vm, however, it doesn’t give the guest OS control to the users. | 08:11 |
kata-dev-irc-bot | <vizard561> thanks! (already better);) | 08:12 |
kata-dev-irc-bot | <vizard561> File uploaded https://katacontainers.slack.com/files/UAYGC1Q4D/FB08V0WD6/kata-sandbox.png / https://slack-files.com/T86U7NQTT-FB08V0WD6-b9fbd9d9a1 | 08:14 |
kata-dev-irc-bot | <vizard561> so that is a vm | 08:14 |
kata-dev-irc-bot | <xu> yes, the sandbox itself is a vm indeed, though it tries to hide the fact | 08:15 |
kata-dev-irc-bot | <vizard561> and these VMs (sandbox pods) are isolated? | 08:16 |
kata-dev-irc-bot | <xu> every pod sandbox is isolated from each other | 08:17 |
kata-dev-irc-bot | <vizard561> @xu thanks very much for the description! And thanks kata-team for your presentations at Vancouver 2018, it is so much easier to understand Kata :grinning: | 08:19 |
kata-dev-irc-bot | <xu> Thanks to the attendees of Copenhagen KubeCon and Vancouver Summit, I collected many valuable questions. And I am working on an updated version of the slides. | 08:21 |
kata-dev-irc-bot | <xu> And your question is one of the FAQs as well, we need to explain it more clearly. | 08:23 |
kata-dev-irc-bot | <vizard561> @xu excuse me, maybe you can give me an answer about this: https://katacontainers.slack.com/archives/C86U7NZND/p1527938517000043 ? | 08:24 |
kata-dev-irc-bot | <xu> kata containers is an OCI runtime; a k8s CRI shim (cri-o, containerd/cri, frakti) will launch the pod through kata containers. In the launching process, the CRI shim gets the resource limits from kubelet, and creates the sandbox with these limits through kata. | 08:31 |
kata-dev-irc-bot | <xu> In short, k8s defines the resource limits, and kata implements them. | 08:32 |
kata-dev-irc-bot | <vizard561> Yes, it's true. So technically, I just need to limit pods, or the namespaces where my pods are deployed | 08:35 |
*** GonZo2000 has quit IRC | 08:39 | |
kata-dev-irc-bot | <zhangwei555> @vizard561 You can always limit every container in the pod, or if you are thinking about limiting the hypervisor, there's an issue tracking this: https://github.com/kata-containers/runtime/issues/344 | 08:40 |
*** GonZo2000 has joined #kata-general | 08:40 | |
kata-dev-irc-bot | <vizard561> whoa | 08:40 |
*** GonZo2000 has quit IRC | 09:23 | |
*** GonZo2000 has joined #kata-general | 09:25 | |
*** GonZo2000 has quit IRC | 09:35 | |
*** GonZo2000 has joined #kata-general | 09:48 | |
*** GonZo2000 has quit IRC | 10:16 | |
*** gwhaley has quit IRC | 11:14 | |
*** dlw has quit IRC | 11:42 | |
*** gwhaley has joined #kata-general | 12:24 | |
*** LinuxMe has joined #kata-general | 12:28 | |
*** LinuxMe has quit IRC | 13:05 | |
*** LinuxMe_ has joined #kata-general | 13:31 | |
*** dlw has joined #kata-general | 14:12 | |
*** annabelleB has joined #kata-general | 14:15 | |
*** LinuxMe_ has quit IRC | 14:36 | |
*** LinuxMe has joined #kata-general | 14:41 | |
*** dlw has quit IRC | 14:46 | |
kata-dev-irc-bot | <sudeep.batra> Hi All, can anyone suggest how I can use Kata Containers with my Kubernetes cluster? I see this link https://github.com/kata-containers/documentation/blob/master/architecture.md but the steps are not fully clear to me.. | 15:54 |
kata-dev-irc-bot | <vizard561> @sudeep.batra need more information | 15:56 |
kata-dev-irc-bot | <eric.ernst> Hey @sudeep.batra | 15:58 |
kata-dev-irc-bot | <eric.ernst> there's a PR for updated docs around K8S in flight. | 15:58 |
kata-dev-irc-bot | <eric.ernst> https://github.com/kata-containers/documentation/pull/135 | 15:59 |
kata-dev-irc-bot | <eric.ernst> It should help clarify what is there today. | 15:59 |
kata-dev-irc-bot | <sudeep.batra> Basically I have a Kubernetes cluster and now I want to use Kata Containers. How do I do it, what are the steps? Also how do I determine that some pods run as Kata containers and some as usual docker containers. | 15:59 |
kata-dev-irc-bot | <sudeep.batra> @eric.ernst - Thanks, will look into.. | 16:00 |
kata-dev-irc-bot | <eric.ernst> What CRI shim are you using? | 16:01 |
kata-dev-irc-bot | <eric.ernst> Default (dockershim), or do you have it configured to use CRIO or Containerd? | 16:01 |
kata-dev-irc-bot | <vizard561> @sudeep.batra I recommend you look at my posts above) kata maybe isn't what you need to use :) | 16:01 |
kata-dev-irc-bot | <sudeep.batra> default | 16:02 |
kata-dev-irc-bot | <eric.ernst> So, to use Kata in K8S, you need a CRI shim which understands and makes use of an OCI-compliant runtime. Containerd and CRIO are recommended. | 16:02 |
kata-dev-irc-bot | <eric.ernst> containerd or crio** | 16:02 |
kata-dev-irc-bot | <eric.ernst> once you have that setup, using kata is very easy :slightly_smiling_face: | 16:03 |
kata-dev-irc-bot | <vizard561> File uploaded https://katacontainers.slack.com/files/UAYGC1Q4D/FB127Q87N/kata-scheme.png / https://slack-files.com/T86U7NQTT-FB127Q87N-02f66a8dd8 | 16:03 |
kata-dev-irc-bot | <sudeep.batra> Basically the use case is: there are certain applications in our project, like firewalls (let's say Palo Alto firewalls) or it could also be some VNFs that need extra security. For these applications we are looking towards using Kata Containers | 16:03 |
kata-dev-irc-bot | <vizard561> where vm is a pod with guest-kernel | 16:03 |
kata-dev-irc-bot | <eric.ernst> yep, makes sense. | 16:04 |
kata-dev-irc-bot | <eric.ernst> mixed workload trust - a common use case. | 16:04 |
kata-dev-irc-bot | <eric.ernst> so, the 'hard part' is getting k8s to use either CRIO or containerd (relative -- it isn't really hard) | 16:04 |
kata-dev-irc-bot | <eric.ernst> These have the notion of running a mix of runc and kata containers. | 16:04 |
kata-dev-irc-bot | <eric.ernst> A blog post (s/clear/kata) which shows this with CRIO is @ https://medium.com/cri-o/intel-clear-containers-and-cri-o-70824fb51811 | 16:05 |
kata-dev-irc-bot | <vizard561> File uploaded https://katacontainers.slack.com/files/UAYGC1Q4D/FB2AA2Q6T/image.png / https://slack-files.com/T86U7NQTT-FB2AA2Q6T-ed73783207 | 16:05 |
kata-dev-irc-bot | <vizard561> I think the better way is to use docker, I spent a week on containerd)) | 16:06 |
kata-dev-irc-bot | <eric.ernst> A demo of it @ https://www.youtube.com/watch?v=ripOu5XIMME (shameless plug), with deployment example @ https://github.com/egernst/kata-deploy Again... this is based on the assumption that you have a cluster which uses crio or containerd. | 16:06 |
kata-dev-irc-bot | <eric.ernst> I have some examples I can share for installation / updating to use both crio and containerd. | 16:07 |
kata-dev-irc-bot | <sudeep.batra> Thanks a ton guys, I won't say I have understood 100% but that's a lot of information, let me go through it.. | 16:09 |
kata-dev-irc-bot | <sudeep.batra> yep examples will help, I intend to do some small setup on GCP | 16:09 |
kata-dev-irc-bot | <eric.ernst> Sure. I know @jonolson went through this a couple weeks ago on GCP | 16:09 |
kata-dev-irc-bot | <eric.ernst> let me check his twitter link :slightly_smiling_face: | 16:09 |
kata-dev-irc-bot | <sudeep.batra> so the bottom line is I need to use crio or containerd, the default dockershim won't work | 16:10 |
kata-dev-irc-bot | <sudeep.batra> oh great, that would help a lot.. | 16:10 |
kata-dev-irc-bot | <jonolson> this should get you going: https://github.com/jon/kubeadm-single-node-cluster/tree/kata | 16:10 |
kata-dev-irc-bot | <jonolson> note that it’s under the ‘kata’ branch (not master) | 16:11 |
kata-dev-irc-bot | <jonolson> that’ll get you a single-node cluster — if you want to do multi-node there are some minor tweaks you’d want to make, but the general outline should still get you started | 16:11 |
kata-dev-irc-bot | <jonolson> “big” difference for multi-node is removing this one line :slightly_smiling_face: https://github.com/jon/kubeadm-single-node-cluster/blob/kata/startup.sh#L64 | 16:12 |
kata-dev-irc-bot | <eric.ernst> in particular: https://github.com/jon/kubeadm-single-node-cluster/commit/89373e67612aec4d5a8e233f35a382f2ef3fe9ca | 16:13 |
kata-dev-irc-bot | <jonolson> with that removed pods should be prevented from scheduling on the master, and you should be able to kubeadm join additional nodes to the master with the command that the startup script spits out to the VM’s serial console (snag it with gcloud compute instances get-serial-port-output) | 16:13 |
kata-dev-irc-bot | <sudeep.batra> ok so this lists the steps to create the cluster on GCE and automatically configures it to use Kata Containers, enables containerd | 16:19 |
kata-dev-irc-bot | <sudeep.batra> good, let me try it out | 16:20 |
kata-dev-irc-bot | <eric.ernst> @jonolson - I may want to work with you soon on creating a .md covering the topic "so, you want to run Kata on GCE" | 16:20 |
kata-dev-irc-bot | <eric.ernst> Not sure how much really changes versus just doing it baremetal, but may just say "use this instance type" | 16:21 |
kata-dev-irc-bot | <sudeep.batra> thanks @jonolson and @eric.ernst | 16:21 |
kata-dev-irc-bot | <eric.ernst> I personally haven't done it, so may need input (if it's still fresh in your mind) | 16:21 |
kata-dev-irc-bot | <eric.ernst> np @sudeep.batra Don't hesitate to keep asking questions, or open issues against our existing documentation. | 16:21 |
kata-dev-irc-bot | <sudeep.batra> yeah - that's important, to be able to do it on bare metal | 16:21 |
kata-dev-irc-bot | <sudeep.batra> sure , I will, thanks a ton.. | 16:22 |
kata-dev-irc-bot | <sudeep.batra> the next thing will of course be to understand the architecture of Kata Containers in detail, so in case you have some writeup that unfolds the architecture, pls do let me know.. | 16:25 |
kata-dev-irc-bot | <james.o.hunt> @sudeep.batra - I suggest you start by looking at https://github.com/kata-containers/runtime/#runtime which links to the architecture documentation. | 16:30 |
*** annabelleB has quit IRC | 16:43 | |
*** annabelleB has joined #kata-general | 16:52 | |
kata-dev-irc-bot | <sudeep.batra> Thanks @james.o.hunt, will look into. | 16:52 |
*** jodh has quit IRC | 17:01 | |
*** GonZo2000 has joined #kata-general | 17:02 | |
*** gwhaley has quit IRC | 17:03 | |
*** LinuxMe has quit IRC | 17:07 | |
*** LinuxMe has joined #kata-general | 17:22 | |
kata-dev-irc-bot | <jonolson> @eric.ernst I’m working on a PR, actually | 17:24 |
*** LinuxMe has quit IRC | 17:34 | |
*** LinuxMe has joined #kata-general | 17:38 | |
*** sjas has joined #kata-general | 17:49 | |
*** sjas has quit IRC | 17:52 | |
*** sjas has joined #kata-general | 17:52 | |
*** annabelleB has quit IRC | 18:33 | |
*** annabelleB has joined #kata-general | 18:37 | |
*** LinuxMe has quit IRC | 18:38 | |
*** LinuxMe has joined #kata-general | 18:54 | |
*** oikiki has joined #kata-general | 19:06 | |
*** GonZo2000 has quit IRC | 19:21 | |
*** annabelleB has quit IRC | 20:07 | |
*** annabelleB has joined #kata-general | 20:22 | |
*** annabelleB has quit IRC | 21:00 | |
*** annabelleB has joined #kata-general | 21:02 | |
*** LinuxMe has quit IRC | 21:32 | |
*** LinuxMe has joined #kata-general | 22:04 | |
*** LinuxMe has quit IRC | 22:09 | |
*** annabelleB has quit IRC | 22:28 | |
*** oikiki has quit IRC | 22:37 | |
*** oikiki has joined #kata-general | 22:39 | |
*** oikiki has quit IRC | 23:03 | |
*** oikiki has joined #kata-general | 23:06 | |
*** annabelleB has joined #kata-general | 23:08 | |
*** oikiki has quit IRC | 23:15 | |
*** oikiki has joined #kata-general | 23:17 | |
*** LinuxMe has joined #kata-general | 23:18 | |
*** LinuxMe has quit IRC | 23:23 | |
*** LinuxMe has joined #kata-general | 23:59 |
Generated by irclog2html.py 2.15.3 by Marius Gedminas - find it at mg.pov.lt!