gVisor: initial support for gVisor container runtime (#7661)
gVisor: initial support for gVisor container runtime (#7661)
* Docker/Containerd: move downloads urls to containerd-common * gVisor: initial support for gVisor container runtimepull/7727/head
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 336 additions and 14 deletions
1docs/_sidebar.md
16docs/gvisor.md
15roles/container-engine/containerd-common/defaults/main.yml
4roles/container-engine/containerd/templates/config.toml.j2
14roles/container-engine/docker/defaults/main.yml
11roles/container-engine/gvisor/molecule/default/converge.yml
17roles/container-engine/gvisor/molecule/default/files/10-mynet.conf
10roles/container-engine/gvisor/molecule/default/files/container.json
10roles/container-engine/gvisor/molecule/default/files/sandbox.json
44roles/container-engine/gvisor/molecule/default/molecule.yml
48roles/container-engine/gvisor/molecule/default/prepare.yml
29roles/container-engine/gvisor/molecule/default/tests/test_default.py
20roles/container-engine/gvisor/tasks/main.yml
8roles/container-engine/meta/main.yml
47roles/download/defaults/main.yml
33roles/kubernetes-apps/container_runtimes/gvisor/tasks/main.yaml
6roles/kubernetes-apps/container_runtimes/gvisor/templates/runtimeclass-gvisor.yml.j2
7roles/kubernetes-apps/container_runtimes/meta/main.yml
6roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
4roles/kubespray-defaults/defaults/main.yaml
@ -0,0 +1,16 @@ |
|||
# gVisor |
|||
|
|||
[gVisor](https://gvisor.dev/docs/) is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system. |
|||
|
|||
gVisor includes an Open Container Initiative (OCI) runtime called runsc that makes it easy to work with existing container tooling. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers. |
|||
|
|||
## Usage |
|||
|
|||
To enable gVisor you should be using a container manager that is compatible with selecting the [RuntimeClass](https://kubernetes.io/docs/concepts/containers/runtime-class/) such as `containerd`. |
|||
|
|||
Containerd support: |
|||
|
|||
```yaml |
|||
container_manager: containerd |
|||
gvisor_enabled: true |
|||
``` |
@ -1,2 +1,17 @@ |
|||
--- |
|||
containerd_package: 'containerd.io' |
|||
|
|||
# Fedora docker-ce repo |
|||
docker_fedora_repo_base_url: 'https://download.docker.com/linux/fedora/{{ ansible_distribution_major_version }}/$basearch/stable' |
|||
docker_fedora_repo_gpgkey: 'https://download.docker.com/linux/fedora/gpg' |
|||
# CentOS/RedHat docker-ce repo |
|||
docker_rh_repo_base_url: 'https://download.docker.com/linux/centos/{{ ansible_distribution_major_version }}/$basearch/stable' |
|||
docker_rh_repo_gpgkey: 'https://download.docker.com/linux/centos/gpg' |
|||
# Ubuntu docker-ce repo |
|||
docker_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu" |
|||
docker_ubuntu_repo_gpgkey: 'https://download.docker.com/linux/ubuntu/gpg' |
|||
docker_ubuntu_repo_repokey: '9DC858229FC7DD38854AE2D88D81803C0EBFCD88' |
|||
# Debian docker-ce repo |
|||
docker_debian_repo_base_url: "https://download.docker.com/linux/debian" |
|||
docker_debian_repo_gpgkey: 'https://download.docker.com/linux/debian/gpg' |
|||
docker_debian_repo_repokey: '9DC858229FC7DD38854AE2D88D81803C0EBFCD88' |
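Review bot: The base-URL values in this hunk are quoted inconsistently: `docker_ubuntu_repo_base_url` and `docker_debian_repo_base_url` use double quotes while every other string in the file uses single quotes. None of the values needs escape processing, so single quotes throughout would match the rest of the file, e.g. `docker_ubuntu_repo_base_url: 'https://download.docker.com/linux/ubuntu'` and `docker_debian_repo_base_url: 'https://download.docker.com/linux/debian'`. The repository key fingerprints are correctly kept as quoted strings, which prevents a YAML loader from ever retyping them.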
@ -0,0 +1,11 @@ |
|||
--- |
|||
- name: Converge |
|||
hosts: all |
|||
become: true |
|||
vars: |
|||
gvisor_enabled: true |
|||
container_manager: containerd |
|||
roles: |
|||
- role: kubespray-defaults |
|||
- role: containerd |
|||
- role: gvisor |
@ -0,0 +1,17 @@ |
|||
{ |
|||
"cniVersion": "0.2.0", |
|||
"name": "mynet", |
|||
"type": "bridge", |
|||
"bridge": "cni0", |
|||
"isGateway": true, |
|||
"ipMasq": true, |
|||
"ipam": { |
|||
"type": "host-local", |
|||
"subnet": "172.19.0.0/24", |
|||
"routes": [ |
|||
{ |
|||
"dst": "0.0.0.0/0" |
|||
} |
|||
] |
|||
} |
|||
} |
@ -0,0 +1,10 @@ |
|||
{ |
|||
"metadata": { |
|||
"name": "gvisor1" |
|||
}, |
|||
"image": { |
|||
"image": "docker.io/library/hello-world:latest" |
|||
}, |
|||
"log_path": "gvisor1.0.log", |
|||
"linux": {} |
|||
} |
@ -0,0 +1,10 @@ |
|||
{ |
|||
"metadata": { |
|||
"name": "gvisor1", |
|||
"namespace": "default", |
|||
"attempt": 1, |
|||
"uid": "hdishd83djaidwnduwk28bcsb" |
|||
}, |
|||
"linux": {}, |
|||
"log_directory": "/tmp" |
|||
} |
@ -0,0 +1,44 @@ |
|||
--- |
|||
driver: |
|||
name: vagrant |
|||
provider: |
|||
name: libvirt |
|||
options: |
|||
driver: kvm |
|||
lint: | |
|||
set -e |
|||
yamllint -c ../../../.yamllint . |
|||
platforms: |
|||
- name: ubuntu20 |
|||
box: generic/ubuntu2004 |
|||
cpus: 1 |
|||
memory: 1024 |
|||
nested: true |
|||
groups: |
|||
- kube_control_plane |
|||
- name: centos8 |
|||
box: generic/centos8 |
|||
cpus: 1 |
|||
memory: 1024 |
|||
nested: true |
|||
groups: |
|||
- kube_control_plane |
|||
provisioner: |
|||
name: ansible |
|||
env: |
|||
ANSIBLE_ROLES_PATH: ../../../../ |
|||
config_options: |
|||
defaults: |
|||
callback_whitelist: profile_tasks |
|||
lint: |
|||
name: ansible-lint |
|||
options: |
|||
c: ../../../.ansible-lint |
|||
inventory: |
|||
group_vars: |
|||
all: |
|||
become: true |
|||
verifier: |
|||
name: testinfra |
|||
lint: |
|||
name: flake8 |
@ -0,0 +1,48 @@ |
|||
--- |
|||
- name: Prepare generic |
|||
hosts: all |
|||
become: true |
|||
roles: |
|||
- role: kubespray-defaults |
|||
- role: bootstrap-os |
|||
- role: ../adduser |
|||
user: "{{ addusers.kube }}" |
|||
tasks: |
|||
- include_tasks: "../../../../download/tasks/download_file.yml" |
|||
vars: |
|||
download: "{{ download_defaults | combine(downloads.cni) }}" |
|||
|
|||
- name: Prepare container runtime |
|||
hosts: all |
|||
become: true |
|||
vars: |
|||
container_manager: containerd |
|||
kube_network_plugin: cni |
|||
roles: |
|||
- role: kubespray-defaults |
|||
- role: ../network_plugin/cni |
|||
- role: crictl |
|||
tasks: |
|||
- name: Copy test container files |
|||
copy: |
|||
src: "{{ item }}" |
|||
dest: "/tmp/{{ item }}" |
|||
owner: root |
|||
mode: 0644 |
|||
with_items: |
|||
- container.json |
|||
- sandbox.json |
|||
- name: Create /etc/cni/net.d directory |
|||
file: |
|||
path: /etc/cni/net.d |
|||
state: directory |
|||
owner: kube |
|||
mode: 0755 |
|||
- name: Setup CNI |
|||
copy: |
|||
src: "{{ item }}" |
|||
dest: "/etc/cni/net.d/{{ item }}" |
|||
owner: root |
|||
mode: 0644 |
|||
with_items: |
|||
- 10-mynet.conf |
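Review bot: `mode: 0644` and `mode: 0755` in the `Copy test container files`, `Create /etc/cni/net.d directory` and `Setup CNI` tasks are plain YAML integers; Ansible's YAML 1.1 loader reads the leading-zero form as octal, but a YAML 1.2 loader reads `0644` as decimal 644, so the portable, unambiguous form is a quoted string. Change them to `mode: "0644"` and `mode: "0755"`. The same unquoted octal appears in the `gVisor | Copy binaries` task of roles/container-engine/gvisor/tasks/main.yml and in the `gVisor | Create addon dir` task of roles/kubernetes-apps/container_runtimes/gvisor/tasks/main.yaml.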
@ -0,0 +1,29 @@ |
|||
import os |
|||
|
|||
import testinfra.utils.ansible_runner |
|||
|
|||
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( |
|||
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') |
|||
|
|||
|
|||
def test_run(host): |
|||
gvisorruntime = "/usr/local/bin/runsc" |
|||
with host.sudo(): |
|||
cmd = host.command(gvisorruntime + " --version") |
|||
assert cmd.rc == 0 |
|||
assert "runsc version" in cmd.stdout |
|||
|
|||
|
|||
def test_run_pod(host): |
|||
runtime = "runsc" |
|||
|
|||
run_command = "/usr/local/bin/crictl run --with-pull --runtime {} /tmp/container.json /tmp/sandbox.json".format(runtime) |
|||
with host.sudo(): |
|||
cmd = host.command(run_command) |
|||
assert cmd.rc == 0 |
|||
|
|||
with host.sudo(): |
|||
log_f = host.file("/tmp/gvisor1.0.log") |
|||
|
|||
assert log_f.exists |
|||
assert b"Hello from Docker!" in log_f.content |
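Review bot: The `assert cmd.rc == 0` checks in `test_run` and `test_run_pod` carry no message, so a failing run reports only the return code and hides the cause; `assert cmd.rc == 0, cmd.stderr` would surface the runsc or crictl error text in the test report. In `test_run_pod`, the pod started by `crictl run` is never removed and `sandbox.json` fixes its name to `gvisor1`, so a second run of the test against the same host would presumably fail on the existing sandbox — a teardown step or a per-run name would make the test repeatable. The expected log line also depends on the `hello-world:latest` image referenced in `container.json` resolving to the same content at test time.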
@ -0,0 +1,20 @@ |
|||
--- |
|||
- name: gVisor | Download runsc binary |
|||
include_tasks: "../../../download/tasks/download_file.yml" |
|||
vars: |
|||
download: "{{ download_defaults | combine(downloads.gvisor_runsc) }}" |
|||
|
|||
- name: gVisor | Download containerd-shim-runsc-v1 binary |
|||
include_tasks: "../../../download/tasks/download_file.yml" |
|||
vars: |
|||
download: "{{ download_defaults | combine(downloads.gvisor_containerd_shim) }}" |
|||
|
|||
- name: gVisor | Copy binaries |
|||
copy: |
|||
src: "{{ local_release_dir }}/gvisor-{{ item }}" |
|||
dest: "{{ bin_dir }}/{{ item }}" |
|||
mode: 0755 |
|||
remote_src: yes |
|||
with_items: |
|||
- runsc |
|||
- containerd-shim-runsc-v1 |
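Review bot: `remote_src: yes` in the `gVisor | Copy binaries` task is a YAML 1.1 truthy value; the rest of this commit writes booleans as `true`/`false`, and yamllint's `truthy` rule flags `yes` under its default settings — use `remote_src: true`. The copied files come from `downloads.gvisor_runsc` and `downloads.gvisor_containerd_shim`, which are defined in roles/download/defaults/main.yml (in the diffstat but not in this view); since containerd executes runsc as the sandbox runtime on the host, confirm that those entries carry checksums so `download_file.yml` verifies the binaries before they are installed into `{{ bin_dir }}`.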
@ -0,0 +1,33 @@ |
|||
--- |
|||
- name: gVisor | Create addon dir |
|||
file: |
|||
path: "{{ kube_config_dir}}/addons/gvisor" |
|||
owner: root |
|||
group: root |
|||
mode: 0755 |
|||
recurse: true |
|||
|
|||
- name: gVisor | Templates List |
|||
set_fact: |
|||
gvisor_templates: |
|||
- { name: runtimeclass-gvisor, file: runtimeclass-gvisor.yml, type: runtimeclass } |
|||
|
|||
- name: gVisort | Create manifests |
|||
template: |
|||
src: "{{ item.file }}.j2" |
|||
dest: "{{ kube_config_dir}}/addons/gvisor/{{ item.file }}" |
|||
with_items: "{{ gvisor_templates }}" |
|||
register: gvisor_manifests |
|||
when: |
|||
- inventory_hostname == groups['kube_control_plane'][0] |
|||
|
|||
- name: gVisor | Apply manifests |
|||
kube: |
|||
name: "{{ item.item.name }}" |
|||
kubectl: "{{ bin_dir}}/kubectl" |
|||
resource: "{{ item.item.type }}" |
|||
filename: "{{ kube_config_dir }}/addons/gvisor/{{ item.item.file }}" |
|||
state: "latest" |
|||
with_items: "{{ gvisor_manifests.results }}" |
|||
when: |
|||
- inventory_hostname == groups['kube_control_plane'][0] |
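Review bot: The task name `gVisort | Create manifests` has a typo; it should read `gVisor | Create manifests` to match the other task names in the file. The Jinja expressions `{{ kube_config_dir}}` (in `Create addon dir` and `Create manifests`) and `{{ bin_dir}}` (in `Apply manifests`) lack the space before `}}` that `{{ kube_config_dir }}` in the `filename:` line has; they render identically, but the inconsistent spacing makes the variable harder to grep for across roles.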
@ -0,0 +1,6 @@ |
|||
--- |
|||
kind: RuntimeClass |
|||
apiVersion: node.k8s.io/v1{{ 'beta1' if kube_version is version('v1.20.0', '<') else '' }} |
|||
metadata: |
|||
name: gvisor |
|||
handler: runsc |
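Review bot: `handler: runsc` must match the runtime name that containerd registers for gVisor in config.toml.j2, which this commit also changes but which is not in this view; that coupling is undocumented in the template. A Jinja comment above the line, `{# handler must equal the runtime name configured for gVisor in containerd's config.toml #}`, would record it for the next person who renames either side. The `apiVersion` switch to `node.k8s.io/v1` for `kube_version` at or above v1.20.0 matches RuntimeClass reaching GA in Kubernetes 1.20.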