kata-containers booting an encrypted VM guest on a bare-metal EM machine.

by knrt10

Steps to run Kata Containers with containerd on Kubernetes (k8s) with SEV-SNP

  • #Host kernel built on top of AMDESE/linux with branch origin/sev-snp-iommu-avic_5.19-rc6_v3 and commit 0aaa1e599

  • #Applied patches for EM hardware (see the git diff)

  • #Build and install kata containers

    # Build the Kata runtime from the snp-support branch of the jpecholt fork.
    # NOTE(review): the branch head is not pinned to a commit, so two runs of this
    # step can build different code — record the checked-out commit for reproducibility.
    git clone https://github.com/jpecholt/kata-containers.git
    pushd kata-containers/src/runtime
    git checkout snp-support
    # `sudo -E` keeps the caller's environment and PATH=$PATH passes the caller's
    # PATH through sudo, so the build toolchain used by `make` stays visible to
    # `make install`.
    make && sudo -E "PATH=$PATH" make install
    # Seed the runtime config from the installed defaults; 0640 root:root keeps
    # it unreadable to unprivileged users. The SNP-specific edits come later.
    sudo mkdir -p /etc/kata-containers/
    sudo install -o root -g root -m 0640 /usr/share/defaults/kata-containers/configuration.toml /etc/kata-containers
    popd
    
  • #Create a local rootfs for initrd image

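    # Build a local rootfs for the initrd and install the kata-agent as its init.
    export distro="ubuntu"
    # Assign and export separately so a realpath failure is not masked by `export`;
    # it then leaves ROOTFS_DIR empty, which the :? guard below turns into an abort
    # instead of an `rm -rf` against an empty path.
    ROOTFS_DIR="$(realpath kata-containers/tools/osbuilder/rootfs-builder/rootfs)"
    export ROOTFS_DIR
    sudo rm -rf -- "${ROOTFS_DIR:?}"
    pushd kata-containers/tools/osbuilder/rootfs-builder/
    # `script -c` gives rootfs.sh a pseudo-terminal, -e propagates its exit
    # status and -f flushes the log as it goes. AGENT_INIT=yes prepares the
    # rootfs for the agent being /sbin/init (installed below).
    script -fec 'sudo -E AGENT_INIT=yes ./rootfs.sh "${distro}"'
    popd
    ARCH="$(uname -m)"
    export ARCH
    # Pick the agent's libc flavour per architecture (gnu for ppc64le/s390x, musl
    # otherwise) and map ppc64le to the name used in the agent's build target
    # directory (presumably the cargo target triple). A `case` replaces the
    # `[ ] || [ ] && … || …` chain, whose fall-through depended on every branch
    # succeeding, and avoids the bash-only `==` inside `[ ]`.
    case "${ARCH}" in
      ppc64le)
        export LIBC=gnu
        export ARCH=powerpc64le
        ;;
      s390x)
        export LIBC=gnu
        ;;
      *)
        export LIBC=musl
        ;;
    esac
    # 0550: the init binary is executable by root only and never writable in place.
    sudo install -o root -g root -m 0550 -T "${ROOTFS_DIR}/../../../../src/agent/target/${ARCH}-unknown-linux-${LIBC}/release/kata-agent" "${ROOTFS_DIR}/sbin/init"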
    
  • #Build an initrd image

    # Pack the rootfs built in the previous step into an initrd image.
    # USE_DOCKER=true presumably runs the builder inside a container — check
    # initrd_builder.sh; AGENT_INIT=yes matches the rootfs step above.
    pushd kata-containers/tools/osbuilder/initrd-builder
    script -fec 'sudo -E AGENT_INIT=yes USE_DOCKER=true ./initrd_builder.sh "${ROOTFS_DIR}"'
    popd
    
  • #Install the initrd image

    # Install the freshly built initrd under a unique date+commit-stamped name and
    # repoint the stable kata-containers-initrd.img symlink at it, so earlier
    # images stay on disk for rollback.
    pushd kata-containers/tools/osbuilder/initrd-builder
    rev="$(git log --format=%h -1 HEAD)"
    stamp="$(date +%Y-%m-%d-%T.%N%z)"
    image="kata-containers-initrd-${stamp}-${rev}"
    # -D creates /usr/share/kata-containers if it is missing; 0640 root:root.
    sudo install -o root -g root -m 0640 -D kata-containers-initrd.img "/usr/share/kata-containers/${image}"
    # The link target is relative, so the symlink keeps working if the
    # directory is relocated as a whole.
    sudo ln -sf "$image" "/usr/share/kata-containers/kata-containers-initrd.img"
    popd
    
  • #Build virtiofsd

    # Build a statically linked virtiofsd (the virtio-fs daemon the VM uses for
    # shared directories) with Kata's packaging script.
    pushd kata-containers/tools/packaging/static-build/virtiofsd
    ./build-static-virtiofsd.sh
    popd
    
  • #Build the SNP-specific kernel

    # Build and install the guest kernel. `-x snp` presumably selects the
    # SNP-specific kernel flavour handled by build-kernel.sh; setup prepares the
    # tree, build compiles it.
    pushd kata-containers/tools/packaging/kernel/
    ./build-kernel.sh -a x86_64 -x snp setup
    ./build-kernel.sh -a x86_64 -x snp build
    # Install runs under sudo with the caller's PATH preserved.
    # NOTE(review): unlike setup/build this passes no `-a x86_64`; presumably
    # build-kernel.sh then defaults to the host architecture — confirm.
    sudo -E PATH="${PATH}" ./build-kernel.sh -x snp install
    popd
    
  • #Build a current OVMF capable of SEV-SNP

    # Build an edk2/OVMF firmware with SEV-SNP support. build.sh is expected to
    # leave edk2-x86_64.tar.gz beside itself; it is unpacked in place here, so the
    # firmware path referenced from the kata config is under this directory.
    pushd kata-containers/tools/packaging/static-build/ovmf
    ./build.sh
    tar -xvf edk2-x86_64.tar.gz
    popd
    
  • #Build a custom QEMU

    # Build the SNP-capable QEMU that Kata pins for this tree.
    # lib.sh provides get_from_kata_deps, which presumably resolves keys from
    # Kata's versions file.
    . kata-containers/tools/packaging/scripts/lib.sh
    qemu_url="$(get_from_kata_deps assets.hypervisor.qemu.snp.url)"
    qemu_branch="$(get_from_kata_deps assets.hypervisor.qemu.snp.branch)"
    qemu_commit="$(get_from_kata_deps assets.hypervisor.qemu.snp.commit)"
    # Clone the branch, then check out the exact pinned commit so the build is
    # reproducible regardless of where the branch head has moved since.
    git clone --branch "${qemu_branch}" -- "${qemu_url}"
    pushd qemu
    git checkout "${qemu_commit}"
    # x86_64 system emulation only. --enable-debug yields an unoptimised QEMU with
    # debug info — handy for bring-up, heavier than a production build.
    ./configure --target-list=x86_64-softmmu --enable-debug
    make --jobs="$(nproc)"
    popd
    
  • #Apply the patch to the kata config to support SNP VMs; the resulting changes can be reviewed with `diff -up /usr/share/defaults/kata-containers/configuration.toml /etc/kata-containers/configuration.toml`

  • #Configure containerd to use the kata config and restart it

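    # Show the kata runtime stanza containerd will use, then restart it.
    # `grep -F` matches the table name literally — the dots in the name are not
    # regex wildcards — and reading the file directly drops the needless `cat |`.
    grep -F -A 4 -- "io.containerd.grpc.v1.cri\".containerd.runtimes.kata" /etc/containerd/config.toml
    # NOTE(review): every other privileged step on this page uses sudo; these two
    # only work without it when the session is already root.
    systemctl restart containerd
    systemctl status containerd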
    
  • #Create a minikube cluster with the following command

    # Single-node cluster on this host. --driver=none runs the Kubernetes
    # components directly on the host as root, with no VM or container isolating
    # the control plane (minikube's documented behaviour for that driver); it
    # reuses the containerd configured above. CNI networking is enabled, but a
    # plugin still has to be applied — see the next step.
    minikube start --driver=none --container-runtime=containerd --network-plugin=cni
    
  • #Apply a CNI plugin of your choice

  • #Create kata runtimeclass object

    # Register a RuntimeClass named "kata" whose handler is the containerd "kata"
    # runtime configured above; pods opt in with runtimeClassName: kata.
    # The quoted delimiter keeps the manifest literal (no shell expansion).
    kubectl apply -f - <<'EOF'
    apiVersion: node.k8s.io/v1
    kind: RuntimeClass
    metadata:
      name: kata
    handler: kata
    EOF
    
  • #Create pod using kata runtime

    # Launch a test pod on the kata runtime.
    # NOTE(review): `image: nginx` resolves to the mutable :latest tag; pin a tag
    # or digest if this pod is meant to be reproducible.
    kubectl apply -f - <<'EOF'
    apiVersion: v1
    kind: Pod
    metadata:
      name: nginx-kata
    spec:
      runtimeClassName: kata
      containers:
        - name: nginx
          image: nginx
    EOF
    
  • #Exec into the pod (kubectl exec) and check for active SNP

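    # Look for SEV messages in the kernel log as seen from inside the pod (with
    # Kata that is the guest VM's kernel, not the host's).
    # No -t: stdout is a pipe, so a pseudo-terminal would only turn the piped
    # output's line endings into \r\n; dmesg needs no `bash -c` wrapper either.
    # NOTE(review): dmesg may be denied to an unprivileged container
    # (kernel.dmesg_restrict) — confirm on this guest.
    kubectl exec nginx-kata -- dmesg | grep -i sev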