-
Notifications
You must be signed in to change notification settings - Fork 993
/
kata-deploy.sh
executable file
·236 lines (197 loc) · 6.13 KB
/
kata-deploy.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
#!/usr/bin/env bash
# Copyright (c) 2019 Intel Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
set -o errexit
set -o pipefail
set -o nounset
crio_conf_file="/etc/crio/crio.conf"
crio_conf_file_backup="${crio_conf_file}.bak"
containerd_conf_file="/etc/containerd/config.toml"
containerd_conf_file_backup="${containerd_conf_file}.bak"
shim_binary="containerd-shim-kata-v2"
shim_file="/usr/local/bin/${shim_binary}"
shim_backup="/usr/local/bin/${shim_binary}.bak"
# If we fail for any reason a message will be displayed
die() {
msg="$*"
echo "ERROR: $msg" >&2
exit 1
}
function print_usage() {
echo "Usage: $0 [install/cleanup/reset]"
}
function get_container_runtime() {
local runtime=$(kubectl describe node $NODE_NAME)
if [ "$?" -ne 0 ]; then
die "invalid node name"
fi
echo "$runtime" | awk -F'[:]' '/Container Runtime Version/ {print $2}' | tr -d ' '
}
function install_artifacts() {
echo "copying kata artifacts onto host"
cp -a /opt/kata-artifacts/opt/kata/* /opt/kata/
chmod +x /opt/kata/bin/*
}
function configure_cri_runtime() {
case $1 in
crio)
configure_crio
;;
containerd)
configure_containerd
;;
esac
systemctl daemon-reload
systemctl restart $1
}
function configure_crio() {
# Configure crio to use Kata:
echo "Add Kata Containers as a supported runtime for CRIO:"
# backup the CRIO.conf only if a backup doesn't already exist (don't override original)
cp -n "$crio_conf_file" "$crio_conf_file_backup"
local kata_qemu_path="/opt/kata/bin/kata-qemu"
local kata_fc_path="/opt/kata/bin/kata-fc"
local kata_qemu_conf="crio.runtime.runtimes.kata-qemu"
local kata_fc_conf="crio.runtime.runtimes.kata-fc"
if grep -q "^\[$kata_qemu_conf\]" $crio_conf_file; then
echo "Configuration exists $kata_qemu_conf, overwriting"
sed -i "/^\[$kata_qemu_conf\]/,+1s#runtime_path.*#runtime_path = \"${kata_qemu_path}\"#" $crio_conf_file
else
cat <<EOT | tee -a "$crio_conf_file"
# Path to the Kata Containers runtime binary that uses the QEMU hypervisor.
[$kata_qemu_conf]
runtime_path = "${kata_qemu_path}"
EOT
fi
if grep -q "^\[$kata_fc_conf\]" $crio_conf_file; then
echo "Configuration exists for $kata_fc_conf, overwriting"
sed -i "/^\[$kata_fc_conf\]/,+1s#runtime_path.*#runtime_path = \"${kata_fc_path}\"#" $crio_conf_file
else
cat <<EOT | tee -a "$crio_conf_file"
# Path to the Kata Containers runtime binary that uses the firecracker hypervisor.
[$kata_fc_conf]
runtime_path = "${kata_fc_path}"
EOT
fi
# Replace if exists, insert otherwise
grep -Fq 'manage_network_ns_lifecycle =' $crio_conf_file \
&& sed -i '/manage_network_ns_lifecycle =/c manage_network_ns_lifecycle = true' $crio_conf_file \
|| sed -i '/\[crio.runtime\]/a manage_network_ns_lifecycle = true' $crio_conf_file
}
function configure_containerd() {
# Configure containerd to use Kata:
echo "Add Kata Containers as a supported runtime for containerd"
mkdir -p /etc/containerd/
if [ -f "$containerd_conf_file" ]; then
cp "$containerd_conf_file" "$containerd_conf_file_backup"
fi
# TODO: While there isn't a default here anyway, it'd probably be best to
# add sed magic to insert into appropriate location if config.toml already exists
# https://github.com/kata-containers/packaging/issues/307
cat <<EOT | tee "$containerd_conf_file"
[plugins]
[plugins.cri]
[plugins.cri.containerd]
[plugins.cri.containerd.runtimes.kata]
runtime_type = "io.containerd.kata.v2"
EOT
#Currently containerd has an assumption on the location of the shimv2 implementation
#Until support is added (see https://github.com/containerd/containerd/issues/3073),
#create a link in /usr/local/bin/ to the v2-shim implementation in /opt/kata/bin.
if [ -f ${shim_file} ]; then
echo "warning: ${shim_binary} already exists" >&2
if [ ! -f ${shim_backup} ]; then
mv ${shim_file} ${shim_backup}
else
rm ${shim_file}
fi
fi
mkdir -p /usr/local/bin
cat << EOT | tee "$shim_file"
#!/bin/bash
KATA_CONF_FILE=/opt/kata/share/defaults/kata-containers/configuration.toml /opt/kata/bin/${shim_binary} \$@
EOT
chmod +x $shim_file
}
function remove_artifacts() {
echo "deleting kata artifacts"
rm -rf /opt/kata/
}
function cleanup_cri_runtime() {
case $1 in
crio)
cleanup_crio
;;
containerd)
cleanup_containerd
;;
esac
}
function cleanup_crio() {
if [ -f "$crio_conf_file_backup" ]; then
cp "$crio_conf_file_backup" "$crio_conf_file"
fi
}
function cleanup_containerd() {
rm -f /etc/containerd/config.toml
if [ -f "$containerd_conf_file_backup" ]; then
mv "$containerd_conf_file_backup" "$containerd_conf_file"
fi
#Currently containerd has an assumption on the location of the shimv2 implementation
#Until support is added (see https://github.com/containerd/containerd/issues/3073), we manage
# a symlink to the v2-shim implementation
if [ -f "$shim_backup" ]; then
mv "$shim_backup" "$shim_file"
fi
}
function reset_runtime() {
kubectl label node $NODE_NAME katacontainers.io/kata-runtime-
systemctl daemon-reload
systemctl restart $1
systemctl restart kubelet
}
function main() {
# script requires that user is root
euid=`id -u`
if [[ $euid -ne 0 ]]; then
die "This script must be run as root"
fi
runtime=$(get_container_runtime)
# CRI-O isn't consistent with the naming -- let's use crio to match the service file
if [ "$runtime" == "cri-o" ]; then
runtime="crio"
fi
action=${1:-}
if [ -z $action ]; then
print_usage
die "invalid arguments"
fi
# only install / remove / update if we are dealing with CRIO or containerd
if [ "$runtime" == "crio" ] || [ "$runtime" == "containerd" ]; then
case $action in
install)
install_artifacts
configure_cri_runtime $runtime
kubectl label node $NODE_NAME --overwrite katacontainers.io/kata-runtime=true
;;
cleanup)
cleanup_cri_runtime $runtime
kubectl label node $NODE_NAME --overwrite katacontainers.io/kata-runtime=cleanup
remove_artifacts
;;
reset)
reset_runtime $runtime
;;
*)
echo invalid arguments
print_usage
;;
esac
fi
#It is assumed this script will be called as a daemonset. As a result, do
# not return, otherwise the daemon will restart and rexecute the script
sleep infinity
}
main $@