Interconnecting with iSula Security Containers

Overview

To give containers a stronger isolation boundary and improve system security, you can interconnect StratoVirt with iSula security containers. Each security container then runs inside its own lightweight virtual machine started by StratoVirt, instead of sharing the host kernel with every other container as an ordinary runc/lcr container does.

Interconnecting with an iSula Security Container

Prerequisites

iSulad and kata-containers are installed, and iSulad is configured to use the kata-runtime container runtime and the devicemapper storage driver.

The following describes how to install and configure iSulad and kata-containers.

  1. Configure the yum source and install iSulad and kata-containers as the root user.

    # yum install iSulad
    # yum install kata-containers
    
  2. Create and configure a storage device.

Plan which disk to use (shown here as /dev/sdxx). The following commands turn the whole disk into an LVM thin pool and destroy all data already on it, so make sure it is not mounted or otherwise in use.

    # pvcreate /dev/sdxx
    # vgcreate isulaVG0 /dev/sdxx
    # lvcreate --wipesignatures y -n thinpool isulaVG0 -l 95%VG
    # lvcreate --wipesignatures y -n thinpoolmeta isulaVG0 -l 1%VG
    # lvconvert -y --zero n -c 512K --thinpool isulaVG0/thinpool --poolmetadata isulaVG0/thinpoolmeta
    

    Create the /etc/lvm/profile/isulaVG0-thinpool.profile configuration file with the following content so that LVM extends the thin pool by 20% whenever it is more than 80% full:

    activation {
        thin_pool_autoextend_threshold=80
        thin_pool_autoextend_percent=20
    }

    The profile only takes effect once it is attached to the pool with lvchange --metadataprofile isulaVG0-thinpool isulaVG0/thinpool. Without it the pool never grows, and a thin pool that runs out of space makes writes fail in every container stored on it.

    In the /etc/isulad/daemon.json configuration file, change storage-driver from the default overlay to devicemapper and set storage-opts to point at the thin pool created above:

    "storage-driver": "devicemapper",
    "storage-opts": [
     "dm.thinpooldev=/dev/mapper/isulaVG0-thinpool",
     "dm.fs=ext4",
     "dm.min_free_space=10%"
    ],
    
  3. Restart isulad.

    # systemctl daemon-reload
    # systemctl restart isulad
    
  4. Check whether the iSula storage driver is successfully configured.

    # isula info
    

    If the following information is displayed, the configuration is successful:

    Storage Driver: devicemapper
    
  5. Open /etc/isulad/daemon.json again. If kata-runtime is not yet listed under runtimes, add the following entry so that isula can start containers with --runtime=kata-runtime:

    "runtimes": {
        "kata-runtime": {
            "path": "/usr/bin/kata-runtime",
            "runtimeArgs": [
                "--kata-config",
                "/usr/share/defaults/kata-containers/configuration.toml"
            ]
        }
    },
    

Interconnection Guide

This section describes how to interconnect StratoVirt with kata-runtime in the iSula security container.

  1. As the root user, create the stratovirt.sh script in any directory (for example, /home) and make it executable. kata-runtime executes this script as root every time it starts a sandbox, so keep it owned by root and not writable by other users.

    # touch /home/stratovirt.sh
    # chmod +x /home/stratovirt.sh
    

    The content of stratovirt.sh is as follows. It sets the log level and hands every argument through to the StratoVirt binary:

    #!/bin/bash
    # Log level: one of trace, debug, info, warn and error.
    export STRATOVIRT_LOG_LEVEL=info
    # Quote "$@" so the arguments reach StratoVirt unchanged, and exec so that
    # the process kata-runtime starts and tracks is StratoVirt itself, not this shell.
    exec /usr/bin/stratovirt "$@"
    
  2. Modify the kata configuration file (default path: /usr/share/defaults/kata-containers/configuration.toml). In the [hypervisor.stratovirt] section, set path to the wrapper script created above, kernel to the absolute path of the guest kernel image used by StratoVirt, and initrd to the kata-containers initrd image. (If kata-containers was installed with yum, both images are placed in the /var/lib/kata/ directory by default; other images can be used as long as the paths are correct.)

    The configuration reference is as follows:

    [hypervisor.stratovirt]
    path = "/home/stratovirt.sh"
    kernel = "/var/lib/kata/vmlinux.bin"
    initrd = "/var/lib/kata/kata-containers-initrd.img"
    block_device_driver = "virtio-mmio"
    use_vsock = true
    enable_netmon = true
    internetworking_model="tcfilter"
    sandbox_cgroup_with_emulator = false
    disable_new_netns = false
    disable_block_device_use = false
    disable_vhost_net = true
    
  3. As root, use the isula command to run a BusyBox security container with kata-runtime; the container is then started inside a StratoVirt virtual machine:

    # isula run -tid --runtime=kata-runtime --net=none --name test busybox:latest sh
    
  4. Run the isula ps command to check that the security container test is running. Then run the following command to open a shell in the container:

    # isula exec -ti test sh
    

You can now run container commands in the test container.
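Before starting the first security container, it is worth checking that the three pieces of configuration above agree with each other: the iSulad daemon.json (storage driver and runtimes), the kata configuration.toml ([hypervisor.stratovirt] paths) and the stratovirt.sh wrapper. The preflight script below is an added example written for this guide; it is not part of iSulad, kata-containers or StratoVirt. With --demo it builds a constructed fixture in a temporary directory that mirrors the files from the steps above and runs the checks on it; with --host it runs the same checks against the real paths, which are assumed from this page (/etc/isulad/daemon.json, /usr/share/defaults/kata-containers/configuration.toml, /home/stratovirt.sh). The function names and the two switches are the example's own.

```shell
#!/bin/sh
# preflight.sh: sanity-check the iSulad + kata-runtime + StratoVirt wiring
# described in this guide. Added example, not project code; it only reads
# files with grep/sed, so it needs neither jq nor a TOML parser.

# Return 0 if daemon.json selects the devicemapper driver, names a thin pool
# and declares a kata-runtime entry under "runtimes".
check_isulad_config() {
    f="$1"
    [ -r "$f" ] || { echo "daemon.json not readable: $f"; return 1; }
    grep -Eq '"storage-driver"[[:space:]]*:[[:space:]]*"devicemapper"' "$f" \
        || { echo "storage-driver is not devicemapper in $f"; return 1; }
    grep -Eq '"dm\.thinpooldev=/dev/mapper/[^"]+"' "$f" \
        || { echo "dm.thinpooldev is not set in $f"; return 1; }
    grep -Eq '"kata-runtime"[[:space:]]*:' "$f" \
        || { echo "kata-runtime is missing from runtimes in $f"; return 1; }
}

# Return 0 if configuration.toml has a [hypervisor.stratovirt] section whose
# path, kernel and initrd all exist on disk, and whose path is executable.
check_kata_config() {
    f="$1"
    [ -r "$f" ] || { echo "configuration.toml not readable: $f"; return 1; }
    # Keep only the lines of the stratovirt section (up to the next [header]).
    section=$(sed -n '/^\[hypervisor\.stratovirt]/,/^\[/p' "$f")
    [ -n "$section" ] || { echo "no [hypervisor.stratovirt] section in $f"; return 1; }
    for key in path kernel initrd; do
        val=$(printf '%s\n' "$section" \
              | sed -n "s/^$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1)
        [ -n "$val" ] || { echo "$key is not set in [hypervisor.stratovirt]"; return 1; }
        [ -e "$val" ] || { echo "$key points at a missing file: $val"; return 1; }
        if [ "$key" = path ] && [ ! -x "$val" ]; then
            echo "hypervisor path is not executable: $val"; return 1
        fi
    done
    return 0
}

# Return 0 if the wrapper is executable and forwards its arguments quoted,
# so the command line kata-runtime builds reaches StratoVirt unchanged.
check_wrapper() {
    f="$1"
    [ -x "$f" ] || { echo "wrapper is not executable: $f"; return 1; }
    grep -q 'stratovirt "\$@"' "$f" \
        || { echo "wrapper should end with: exec /usr/bin/stratovirt \"\$@\""; return 1; }
}

# Run all three checks; arguments default to the paths used in this guide.
preflight() {
    rc=0
    check_isulad_config "${1:-/etc/isulad/daemon.json}" || rc=1
    check_kata_config "${2:-/usr/share/defaults/kata-containers/configuration.toml}" || rc=1
    check_wrapper "${3:-/home/stratovirt.sh}" || rc=1
    return $rc
}

# Build a constructed fixture mirroring the guide's files in a temporary
# directory and run preflight against it; returns preflight's status.
run_preflight_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/kata"
    : > "$d/kata/vmlinux.bin"
    : > "$d/kata/kata-containers-initrd.img"
    printf '#!/bin/bash\nexport STRATOVIRT_LOG_LEVEL=info\nexec /usr/bin/stratovirt "$@"\n' \
        > "$d/stratovirt.sh"
    chmod 0755 "$d/stratovirt.sh"
    cat > "$d/daemon.json" <<EOF
{
    "storage-driver": "devicemapper",
    "storage-opts": ["dm.thinpooldev=/dev/mapper/isulaVG0-thinpool", "dm.fs=ext4"],
    "runtimes": { "kata-runtime": { "path": "/usr/bin/kata-runtime" } }
}
EOF
    cat > "$d/configuration.toml" <<EOF
[hypervisor.stratovirt]
path = "$d/stratovirt.sh"
kernel = "$d/kata/vmlinux.bin"
initrd = "$d/kata/kata-containers-initrd.img"
use_vsock = true

[runtime]
EOF
    if preflight "$d/daemon.json" "$d/configuration.toml" "$d/stratovirt.sh"; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}

case "${1:-}" in
    --demo) run_preflight_demo && echo "constructed fixture passes preflight" ;;
    --host) preflight && echo "host passes preflight" ;;
    *) ;;   # no argument: only define the functions (for sourcing)
esac
```

Run sh preflight.sh --demo to see the checks pass on the constructed fixture, or sh preflight.sh --host as root on the configured host; a non-zero exit status together with the one-line reason names the file that disagrees with the guide. The wrapper check exists because an unquoted $@ in a hand-written wrapper re-splits arguments on whitespace before they reach StratoVirt, which is easy to miss until a sandbox fails to boot.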
