WIP: CC Adding image pull on host with snapshotter #8186
Comments
I like this idea @stevenhorsman. But the main issue is that the guest kernel used in CoCo is blocking the tests of pulling on the host, for which I had created an issue to track (#8083). So I think we need to fix that first.
Add the implementation for `DmVerityInfo` to support to create/destroy dm-verity device. Fixes kata-containers#8186 Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com> Co-authored-by: Jiang Liu <gerry@linux.alibaba.com>
Update `run k8s tests on coco` workflows to deploy nydus snapshotter enabling the host-share-with-block feature, which allows us to execute the tests with this feature active. Fixes: kata-containers#8186 -- part I Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
Now the following tasks need to be completed:
I will outline various scenarios that this feature currently supports, as well as some challenges that need addressing. Thanks @wainersm for the nice summary table.
For guest-pull, we can support pulling images in the guest by image-rs with two image types: oci and nydus.
For image host sharing, we offer two sharing types: per image ( All cases for image sharing could be enabled both on TEE and non-TEE platforms.
To deploy nydus snapshotter for image sharing on CI, I have submitted a patch to deploy it with
Unfortunately, currently the snapshotter is limited to handling a single export_mode at any given time. Consequently, setting
It’s important to note that the processes of
One concern I have is whether we should create a new matrix of jobs to run image sharing tests for four sharing types, or simply introduce new columns to the current k8s jobs matrix (such as
This is a tricky one. On one hand my general principle is that we only say that things are supported which we have CI tests for, so that would suggest that we should be testing all four The more concerning bit, as you pointed out, is for the TEE platforms, which run on bare-metal, so we can't just throw away the clusters and configuration after each run, and this means that we need to be more careful about the snapshotter switching bugs in containerd. Maybe to reduce this we could test all four modes on non-TEE, but only the verity modes on the TEEs? I'm not sure that massively helps us though. As a wildcard, I've seen that containerd 2.0 is in rc now, so has anyone checked to see if the snapshotter issues and/or image transfer service have made it in as stable yet? I'd hate us to do a lot of work to get around issues that we could simplify just by bumping to a newer containerd in the near future.
I’ll check the latest updates and get back to you on that.
Good news: the related patches to support per runtime class image management are merged both in containerd and in kubernetes. Bad news: the related patches are hard to backport to containerd 1.6.x or containerd 1.7.x, and to kubernetes 1.24.0, which is the kubernetes version used on CI.
Great - thanks for looking into this. So my opinion is that Kubernetes 1.24 is 2 years and 5 releases old, so I have no issues in bumping our CI to use that as a when needed (though we'd need to be clear of the dependency for this feature to users). containerd is trickier, but I think given that several features we want to use are just experimental in 1.7, it is inevitable that we'll have to depend on containerd 2.0 in the near future, once we've validated that everything works as we expect.
This feature builds upon the initial basic image pull work in #8103 as one of the possible next steps to extend it to support more of the current CCv0 feature set. The scope of this is to add the ability to pull the image on the host via the nydus snapshotter using tarfs to share data from the host to the guest. There are two modes for this - `image_block` and `image_block_with_verity`, which also adds integrity protection to the images that are shared, to ensure that anyone with host access cannot modify them.
Things to note/include with this work
Questions
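The linked commit message says `DmVerityInfo` was added to create and destroy the dm-verity device, and the issue body explains that `image_block_with_verity` exists so that host-side modification of a shared image is detected in the guest. The following is an added example, not kata-containers code: a minimal model of such a struct that validates the parameters and renders the dm-verity target table the guest would load. The field names, the single-device layout (data and hash tree on one block device) and the helper names are assumptions.

```rust
// Added example (not kata-containers code). Models the parameters needed
// to set up a dm-verity target for an image block shared from the host.
// The root hash must come from a trusted source (e.g. image metadata the
// guest verifies), never from the untrusted host at mount time.
#[derive(Debug, Clone, PartialEq)]
pub struct DmVerityInfo {
    pub hash_type: String,     // digest algorithm, e.g. "sha256" (assumed)
    pub root_hash: String,     // hex root digest of the hash tree
    pub block_size: u64,       // data block size in bytes
    pub hash_block_size: u64,  // hash block size in bytes
    pub block_num: u64,        // number of data blocks covered
    pub offset: u64,           // byte offset of the hash tree on the device
}

impl DmVerityInfo {
    /// Reject parameters the kernel would refuse, or that would leave the
    /// root hash ineffective (digest length not matching the algorithm).
    pub fn validate(&self) -> Result<(), String> {
        let digest_hex_len = match self.hash_type.as_str() {
            "sha256" => 64,
            "sha512" => 128,
            other => return Err(format!("unsupported hash type {}", other)),
        };
        if self.root_hash.len() != digest_hex_len
            || !self.root_hash.chars().all(|c| c.is_ascii_hexdigit())
        {
            return Err("root hash is not a valid hex digest".into());
        }
        // dm-verity requires both block sizes to be powers of two >= 512.
        for (name, v) in [("block_size", self.block_size), ("hash_block_size", self.hash_block_size)] {
            if v < 512 || !v.is_power_of_two() {
                return Err(format!("{} must be a power of two >= 512", name));
            }
        }
        if self.block_num == 0 || self.offset % self.hash_block_size != 0 {
            return Err("block_num must be > 0 and offset hash-block aligned".into());
        }
        Ok(())
    }

    /// dm-verity target line (format version 1, no salt) for a layout where
    /// data and hash tree share one device; hash start is counted in hash blocks.
    pub fn table_line(&self, data_dev: &str, hash_dev: &str) -> Result<String, String> {
        self.validate()?;
        let hash_start = self.offset / self.hash_block_size;
        Ok(format!("1 {} {} {} {} {} {} {} {} -",
            data_dev, hash_dev, self.block_size, self.hash_block_size,
            self.block_num, hash_start, self.hash_type, self.root_hash))
    }
}
```

Any mismatch between the shared block and this root hash surfaces as an I/O error on the guest side rather than silently serving tampered data.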