Installation and Deployment
Installation Methods
Prerequisites
- Root permissions are required to install a secure container.
- A secure container runs each container inside its own lightweight VM, so for performance it must run on a bare-metal server with hardware virtualization support; do not run it inside a VM, where it would depend on nested virtualization.
- A secure container depends on the following components from the corresponding openEuler version. Ensure that the required components have been installed in the environment. To install iSulad, refer to Installation Methods.
- docker-engine
- qemu
Installation Procedure
Released secure container components are integrated in the kata-containers-<version>.rpm package. Run the rpm command to install it:
rpm -ivh kata-containers-<version>.rpm
Deployment Configuration
Configuring the Docker Engine
To enable the Docker engine to support kata-runtime, perform the following steps to configure the Docker engine:
Ensure that all software packages (docker-engine and kata-containers) have been installed in the environment.
Stop the Docker engine.
systemctl stop docker
Modify the configuration file /etc/docker/daemon.json of the Docker engine and add the following configuration:
{
  "runtimes": {
    "kata-runtime": {
      "path": "/usr/bin/kata-runtime",
      "runtimeArgs": [
        "--kata-config",
        "/usr/share/defaults/kata-containers/configuration.toml"
      ]
    }
  }
}
Restart the Docker engine.
systemctl start docker
iSulad Configuration
To enable iSulad to support the new container runtime kata-runtime, perform the following steps, which are similar to those for docker-engine:
Ensure that all software packages (iSulad and kata-containers) have been installed in the environment.
Stop iSulad.
systemctl stop isulad
Modify the /etc/isulad/daemon.json configuration file of iSulad and add the following configuration (note that iSulad spells the argument key runtime-args, not runtimeArgs):
{
  "runtimes": {
    "kata-runtime": {
      "path": "/usr/bin/kata-runtime",
      "runtime-args": [
        "--kata-config",
        "/usr/share/defaults/kata-containers/configuration.toml"
      ]
    }
  }
}
Restart iSulad.
systemctl start isulad
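The two procedures above differ only in the file path and the spelling of the argument key (runtimeArgs for docker-engine, runtime-args for iSulad), and both are easy to get wrong by hand-editing a daemon.json that already holds other settings. The following script is an added example, not part of the openEuler or Kata Containers tooling: it merges the kata-runtime entry into an existing daemon.json without discarding other keys, re-parses the result before writing so a broken file is never left behind, and uses the paths from the procedure above (the paths and the argument-key mapping are assumptions taken from this page).

```python
import json
from copy import deepcopy

# Paths taken from the procedure above (assumed to match the installed package).
KATA_RUNTIME_PATH = "/usr/bin/kata-runtime"
KATA_CONFIG_PATH = "/usr/share/defaults/kata-containers/configuration.toml"

# docker-engine reads "runtimeArgs"; iSulad reads "runtime-args".
ARGS_KEY = {"docker": "runtimeArgs", "isulad": "runtime-args"}
DAEMON_JSON = {"docker": "/etc/docker/daemon.json", "isulad": "/etc/isulad/daemon.json"}


def add_kata_runtime(daemon_cfg, engine, config_path=KATA_CONFIG_PATH):
    """Return a copy of daemon_cfg with the kata-runtime entry merged in.

    Existing keys (log driver, registry mirrors, other runtimes such as runc)
    are preserved; only runtimes.kata-runtime is (re)written.
    """
    if engine not in ARGS_KEY:
        raise ValueError(f"unknown engine {engine!r}; expected 'docker' or 'isulad'")
    merged = deepcopy(daemon_cfg)
    runtimes = merged.setdefault("runtimes", {})
    if not isinstance(runtimes, dict):
        raise ValueError('"runtimes" in daemon.json must be a JSON object')
    runtimes["kata-runtime"] = {
        "path": KATA_RUNTIME_PATH,
        ARGS_KEY[engine]: ["--kata-config", config_path],
    }
    return merged


def render(daemon_cfg):
    """Serialize with indentation so the file stays readable for the next editor."""
    return json.dumps(daemon_cfg, indent=2) + "\n"


def update_daemon_json(path, engine):
    """Read daemon.json (or start empty), merge, validate, then write back."""
    try:
        with open(path) as f:
            text = f.read()
        existing = json.loads(text) if text.strip() else {}
    except FileNotFoundError:
        existing = {}
    merged = add_kata_runtime(existing, engine)
    out = render(merged)
    json.loads(out)  # fail before touching the file if the output is not valid JSON
    with open(path, "w") as f:
        f.write(out)
    return merged


if __name__ == "__main__":
    import sys

    engine = sys.argv[1] if len(sys.argv) > 1 else "docker"
    print(render(update_daemon_json(DAEMON_JSON[engine], engine)), end="")
```

Run it as root while the engine is stopped (python3 script.py docker or python3 script.py isulad), then start the engine again and confirm the runtime is registered: docker info lists kata-runtime under Runtimes, and a container started with --runtime kata-runtime should boot inside its own guest kernel rather than sharing the host kernel.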
Configuration.toml
The secure container provides a global configuration file, configuration.toml. Users can also customize the path and the configuration options of the secure container configuration file.
In the runtimeArgs field of the Docker engine configuration (runtime-args for iSulad), use --kata-config to specify a private file. The default configuration file path is /usr/share/defaults/kata-containers/configuration.toml.
The following lists the common fields in the configuration file. For details about the configuration file options, see configuration.toml.
hypervisor.qemu
- path: specifies the path of the QEMU binary used as the hypervisor.
- kernel: specifies the path of the guest kernel image.
- initrd: specifies the path of the guest initrd image.
- machine_type: specifies the QEMU machine type to emulate. The value is virt for the ARM architecture and pc for the x86 architecture.
- kernel_params: specifies the command-line parameters passed to the guest kernel.
proxy.kata
- path: specifies the kata-proxy running path.
- enable_debug: enables the debugging function for the kata-proxy process.
agent.kata
- enable_blk_mount: allows block devices to be mounted inside the guest.
- enable_debug: enables the debugging function for the kata-agent process.
runtime
- enable_cpu_memory_hotplug: enables CPU and memory hot plug for the guest.
- enable_debug: enables debugging for the kata-runtime process.
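Several of the fields above (enable_debug in every section, and anything in kernel_params that raises guest logging) are troubleshooting settings that should be off on a production host, and the hypervisor paths must point at real files or every container start will fail. The following audit script is an added example, not part of Kata Containers: it parses the subset of TOML used by these fields (section headers and key = value lines with string, boolean and integer values) and reports the settings a reviewer would flag. The sample configuration embedded in it is constructed for the example and is not the shipped file; the file paths in it are assumptions.

```python
import os
import re

# Constructed sample in the shape of the fields described above; not the real
# shipped configuration.toml. The paths are placeholders.
SAMPLE_TOML = """
[hypervisor.qemu]
path = "/usr/bin/qemu-kvm"
kernel = "/var/lib/kata-containers/vmlinuz.container"
initrd = "/var/lib/kata-containers/kata-containers-initrd.img"
machine_type = "pc"
kernel_params = "agent.log=debug"

[proxy.kata]
path = "/usr/libexec/kata-containers/kata-proxy"
enable_debug = true

[agent.kata]
enable_blk_mount = true
enable_debug = false

[runtime]
enable_cpu_memory_hotplug = true
enable_debug = false
"""

_SECTION = re.compile(r"^\[([A-Za-z0-9_.-]+)\]$")
_KV = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.+?)\s*$")


def parse_toml_subset(text):
    """Parse [section] headers and key = value lines (strings, booleans, ints).

    Arrays, inline tables and multi-line strings are rejected so that an
    unexpected file fails loudly instead of being silently misread.
    """
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = cfg.setdefault(m.group(1), {})
            continue
        m = _KV.match(line)
        if not m or section is None:
            raise ValueError(f"unsupported line: {raw!r}")
        key, val = m.groups()
        if val in ("true", "false"):
            section[key] = val == "true"
        elif len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            section[key] = val[1:-1]
        elif re.fullmatch(r"-?\d+", val):
            section[key] = int(val)
        else:
            raise ValueError(f"unsupported value for {key}: {val!r}")
    return cfg


def audit(cfg, check_files=False):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    for sec, table in cfg.items():
        if table.get("enable_debug") is True:
            findings.append(f"{sec}.enable_debug is true; disable it outside troubleshooting")
    hv = cfg.get("hypervisor.qemu", {})
    for key in ("path", "kernel", "initrd"):
        val = hv.get(key)
        if not val:
            findings.append(f"hypervisor.qemu.{key} is not set")
        elif not os.path.isabs(val):
            findings.append(f"hypervisor.qemu.{key} must be an absolute path: {val!r}")
        elif check_files and not os.path.exists(val):
            findings.append(f"hypervisor.qemu.{key} does not exist: {val}")
    if hv.get("machine_type") not in ("pc", "virt"):
        findings.append(f"hypervisor.qemu.machine_type unexpected: {hv.get('machine_type')!r}")
    if "debug" in hv.get("kernel_params", ""):
        findings.append("hypervisor.qemu.kernel_params turns on guest debug output")
    return findings


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/defaults/kata-containers/configuration.toml"
    with open(path) as f:
        problems = audit(parse_toml_subset(f.read()), check_files=True)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Point it at the file named by --kata-config in daemon.json (python3 audit.py /path/to/configuration.toml); with check_files enabled it also confirms the QEMU, kernel and initrd paths exist on the host. On the constructed sample it reports the enabled proxy debug flag and the debug kernel parameter; the rest of the file passes.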