Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Introduce Runtime Core (Spawn, Pods, Containers, Instances, VMs, and Cells) #73

Merged
merged 17 commits into from Oct 23, 2022
Merged

Introduce Runtime Core (Spawn, Pods, Containers, Instances, VMs, and Cells) #73

merged 17 commits into from Oct 23, 2022

Conversation

krisnova
Copy link
Contributor

@krisnova krisnova commented Oct 22, 2022
edited

Introduce the concept of Pods, Instances, Cells, Virtual Machines, Executables, and Containers to Aurae.

This calls out the Core service in the Runtime subsystem.

  rpc RunExecutable(Executable) returns (ExecutableStatus) {}
  rpc RunPod(Pod) returns (PodStatus) {}
  rpc Spawn(SpawnRequest) returns (SpawnResponse) {}
  rpc RunVirtualMachine(VirtualMachine) returns (VirtualMachineStatus) {}
  rpc RunCell(Cell) returns (CellStatus) {}

What is an "Aurae Pod"?

In order to play as nicely as possible with Kubernetes and the community we make the assumption that most users of Aurae will try to "run pods".

In order to introduce an added layer of security, and make the secure path the easy path we make Aurae pods behave like normal Kubernetes pods, but create a more secure and elaborate runtime isolation zone.

An Aurae pod is a set of containers (called a Cell in Aurae) running in a unique cgroup. This cell runs inside of a nested Aurae virtual instance that is created using the Spawn() RPC.

First Aurae spawns a new virtual instance of itself, and inherits properties from the parent. Then a cell of containers is established in the newly created nested Aurae instance.

What about the Kubelet? Will it be a drop in replacement?

In short, no. Aurae will not be a drop-in replacement for the kubelet. However we can build and support adapter patterns, shims, and translation services later if necessary.

The rational to keep the pod nomenclature is as follows:

If we intend to support the Kubernetes control plane (which I believe we should) we will need to play as nice as possible with the API server. While I don't believe Aurae itself should be a drop in replacement for the Kubelet. There is nothing wrong with building a lightweight service in the future to spoof the Kubelet the same way the virtual kubelet has.

Kubelet Documentation To Consider while developing.

In an effort to bring light to the Kubelet documentation here are some notes from my years of hacking on Kube.

Signed-off-by: Kris Nóva kris@nivenly.com

@krisnova
Introduce a Pod...
ef88cd8 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Introduce youki for containers
35b6025 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova krisnova changed the title Introduce the concept of a Pod Introduce Runtime.RunP() for Pods (Youki) Oct 22, 2022
@krisnova krisnova changed the title Introduce Runtime.RunP() for Pods (Youki) WIP Introduce Runtime.RunP() for Pods (Youki) Oct 22, 2022
@krisnova krisnova changed the title WIP Introduce Runtime.RunP() for Pods (Youki) WIP "The Pod PR" Oct 22, 2022
@krisnova krisnova changed the title WIP "The Pod PR" WIP The Pod PR Oct 22, 2022
@krisnova krisnova changed the title WIP The Pod PR WIP "The Pod" PR Oct 22, 2022
@krisnova
More cargo improvements
58c9f5b 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Introduce Youki container builder
eb82ffd 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Bump cargo and update proto
fba08bd 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Adding docs to the PR
ce8523d 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
The big decision commit
b53637e 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Compiling and plumbing for the new API
66493ef 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Corresponding docs
e82eddf 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
rename to core service
73b27f1 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Compile and test plumbing
f3f3364 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova krisnova changed the title WIP "The Pod" PR Introduce Runtime Core (Spawn, Pods, Containers, Instances, VMs, and Cells) Oct 23, 2022
@krisnova
Docs and build improvement
fc779ce 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Introduce libseccomp to build
e7822b6 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Update libseccomp name
85bced8 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
update compile build
b42d317 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Comment out dead code for a clean main branch
1e056c1 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova
Cleaning up imports...
7efe657 
Signed-off-by: Kris Nóva <kris@nivenly.com>
@krisnova krisnova merged commit 4ecdebc into main Oct 23, 2022
@krisnova krisnova deleted the pods branch October 24, 2022 14:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MalteJ MalteJ MalteJ approved these changes

Assignees
No one assigned
Labels
Access Granted
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@krisnova @MalteJ