kata-containers booting an encrypted VM guest on baremetal EM machine.

by knrt10
Download
.cast - original recording .txt - plain text version .gif - animated GIF
GNU/Linux xterm-256color bash 350 views

Steps to run kata with containerd on k8s with sev-snp

  • #Host kernel built on top of AMDESE/linux with branch origin/sev-snp-iommu-avic_5.19-rc6_v3 and commit 0aaa1e599

  • #Applied patches for EM hardware git diff

  • #Build and install kata containers 

    git clone https://github.com/jpecholt/kata-containers.git
pushd kata-containers/src/runtime
git checkout snp-support
make && sudo -E "PATH=$PATH" make install
sudo mkdir -p /etc/kata-containers/
sudo install -o root -g root -m 0640 /usr/share/defaults/kata-containers/configuration.toml /etc/kata-containers
popd

  • #Create a local rootfs for initrd image 

    export distro="ubuntu"
export ROOTFS_DIR="$(realpath kata-containers/tools/osbuilder/rootfs-builder/rootfs)"
sudo rm -rf "${ROOTFS_DIR}"
pushd kata-containers/tools/osbuilder/rootfs-builder/
script -fec 'sudo -E AGENT_INIT=yes ./rootfs.sh "${distro}"'
popd
export ARCH="$(uname -m)"
[ "${ARCH}" == "ppc64le" ] || [ "${ARCH}" == "s390x" ] && export LIBC=gnu || export LIBC=musl
[ "${ARCH}" == "ppc64le" ] && export ARCH=powerpc64le
sudo install -o root -g root -m 0550 -T "${ROOTFS_DIR}/../../../../src/agent/target/${ARCH}-unknown-linux-${LIBC}/release/kata-agent" "${ROOTFS_DIR}/sbin/init"

  • #Build an initrd image 

    pushd kata-containers/tools/osbuilder/initrd-builder
script -fec 'sudo -E AGENT_INIT=yes USE_DOCKER=true ./initrd_builder.sh "${ROOTFS_DIR}"'
popd

  • #Install the initrd image 

    pushd kata-containers/tools/osbuilder/initrd-builder
commit="$(git log --format=%h -1 HEAD)"
date="$(date +%Y-%m-%d-%T.%N%z)"
image="kata-containers-initrd-${date}-${commit}"
sudo install -o root -g root -m 0640 -D kata-containers-initrd.img "/usr/share/kata-containers/${image}"
(cd /usr/share/kata-containers && sudo ln -sf "$image" kata-containers-initrd.img)
popd

  • #Build virtiofsd 

    pushd kata-containers/tools/packaging/static-build/virtiofsd
./build-static-virtiofsd.sh
popd

  • #Build the SNP-specific kernel 

    pushd kata-containers/tools/packaging/kernel/
./build-kernel.sh -a x86_64 -x snp setup
./build-kernel.sh -a x86_64 -x snp build
sudo -E PATH="${PATH}" ./build-kernel.sh -x snp install
popd

  • #Build a current OVMF capable of SEV-SNP 

    pushd kata-containers/tools/packaging/static-build/ovmf
./build.sh
tar -xvf edk2-x86_64.tar.gz
popd

  • #Build a custom QEMU 

    source kata-containers/tools/packaging/scripts/lib.sh
qemu_url="$(get_from_kata_deps "assets.hypervisor.qemu.snp.url")"
qemu_branch="$(get_from_kata_deps "assets.hypervisor.qemu.snp.branch")"
qemu_commit="$(get_from_kata_deps "assets.hypervisor.qemu.snp.commit")"
git clone -b "${qemu_branch}" "${qemu_url}"
pushd qemu
git checkout "${qemu_commit}"
./configure --target-list=x86_64-softmmu --enable-debug
make -j "$(nproc)"
popd

  • #Apply the patch to kata config to support SNP-VMs diff -up /usr/share/defaults/kata-containers/configuration.toml /etc/kata-containers/configuration.toml

  • #Configure containerd to use kata config and restart 

    cat /etc/containerd/config.toml | grep -A 4 "io.containerd.grpc.v1.cri\".containerd.runtimes.kata"
systemctl restart containerd
systemctl status containerd

  • #Create a minikube cluster with following command 

    minikube start --driver=none --container-runtime=containerd --network-plugin=cni

  • #Apply cni of your choice

  • #Create kata runtimeclass object 

    cat <<EOF | kubectl apply -f -
apiVersion: node.k8s.io/v1
handler: kata
kind: RuntimeClass
metadata:
name: kata
EOF

  • #Create pod using kata runtime 

    cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
name: nginx-kata
spec:
runtimeClassName: kata
containers:
- name: nginx
  image: nginx
EOF

  • #SSH into pod and check for active SNP 

    kubectl exec -it nginx-kata -- bash -c dmesg | grep -i sev

More recordings by knrt10

posbench 0:58

by knrt10

kata-containers booting an encrypted VM guest on baremetal 1:43

by knrt10

proxify demo 3:42

by knrt10
Share this recording
https://asciinema.org/a/521683
Copied!

Append ?t=30 to start the playback at 30s, ?t=3:20 to start the playback at 3m 20s.

See sharing docs for more link customization options.

Embed as image link

Use snippets below to display a preview image linking to this recording.
Ideal for places where scripts are not allowed, such as project README files.

HTML: 

<a href="https://asciinema.org/a/521683" target="_blank"><img src="https://asciinema.org/a/521683.svg" /></a>
Copied!

Markdown: 

[![asciicast](https://asciinema.org/a/521683.svg)](https://asciinema.org/a/521683)
Copied!

Embed the player

If you're embedding on your own page or on a site which permits script tags, you can use the full player widget:

<script src="https://asciinema.org/a/521683.js" id="asciicast-521683" async="true"></script>
Copied!

Paste the above script tag where you want the player to be displayed on your page.

See embedding docs for more player customization options.

Download this recording

You can download this recording in asciicast v2 format, as a .cast file.

Download

Replay in terminal

You can replay the downloaded recording in your terminal using the asciinema play command: 

asciinema play 521683.cast
Copied!

If you don't have asciinema CLI installed then see installation instructions.

Use with stand-alone player on your website

Download asciinema player from the releases page (you only need .js and .css file), then use it like this: 

<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="/assets/asciinema-player.css" />
</head>
<body>
  <div id="player"></div>
  <script src="/assets/asciinema-player.min.js"></script>
  <script>
    AsciinemaPlayer.create(
      '/assets/521683.cast',
      document.getElementById('player'),
      { cols: 238, rows: 63 }
    );
  </script>
</body>
</html>

See asciinema player quick-start guide for full usage instructions.

Generate GIF from this recording

While this site doesn't provide GIF conversion at the moment, you can still do it yourself with the help of asciinema GIF generator utility - agg.

Once you have it installed, generate a GIF with the following command:

agg https://asciinema.org/a/521683 demo.gif
Copied!

Or, if you already downloaded the recording file:

agg demo.cast demo.gif
Copied!

Check agg --help for all available options. You can change font family and size, select color theme, adjust speed and more.

See agg manual for full usage instructions.