LTS

    Innovation Version

      Connecting to the iSula Secure Container

      Overview

      To provide a better isolation environment for containers and improve system security, you can interconnect StratoVirt with iSula secure containers.

      Connecting to the iSula Secure Container

      Prerequisites

      iSulad and kata-containers have been installed, and iSulad supports the containerd-kata-shim-v2 container runtime and devicemapper storage driver.

      The following describes how to install and configure iSulad and kata-containers.

      1. Configure the Yum source and install iSulad and kata-containers as the root user.

        # yum install iSulad
        # yum install kata-containers
        
      2. Create and configure a storage device.

        You need to plan the drive, for example, /dev/sdxx, which will be formatted.

        # pvcreate /dev/sdxx
        # vgcreate isulaVG0 /dev/sdxx
        # lvcreate --wipesignatures y -n thinpool isulaVG0 -l 95%VG
        # lvcreate --wipesignatures y -n thinpoolmeta isulaVG0 -l 1%VG
        # lvconvert -y --zero n -c 512K --thinpool isulaVG0/thinpool --poolmetadata isulaVG0/thinpoolmeta
        

        Add the following information to the /etc/lvm/profile/isulaVG0-thinpool.profile configuration file:

        activation {
            thin_pool_autoextend_threshold=80
            thin_pool_autoextend_percent=20
        }
        

        Modify storage-driver and storage-opts in the /etc/isulad/daemon.json configuration file as follows. Set the default storage driver type overlay to devicemapper.

        "storage-driver": "devicemapper",
        "storage-opts": [
         "dm.thinpooldev=/dev/mapper/isulaVG0-thinpool",
         "dm.fs=ext4",
         "dm.min_free_space=10%"
        ],
        
      3. Restart isulad.

        # systemctl daemon-reload
        # systemctl restart isulad
        
      4. Check whether the iSula storage driver is successfully configured.

        # isula info
        

        If the following information is displayed, the configuration is successful:

        Storage Driver: devicemapper
        

      Interconnection Guide

      This section describes how to interconnect StratoVirt with kata-containers to access the iSula container ecosystem.

      Connecting to a Lightweight VM

      1. Modify the kata configuration file. Its default path is /usr/share/defaults/kata-containers/configuration.toml. You can also configure the file by referring to configuration-stratovirt.toml in the same directory. Modify the hypervisor type of the secure container to stratovirt, kernel to the absolute path of the kernel image of kata-containers, and initrd to the initrd image file of kata-containers. (If you use Yum to install kata-containers, the two image files are downloaded and stored in the /var/lib/kata/ directory by default. You can also use other images during the configuration.)

        The modified configurations are as follows:

        [hypervisor.stratovirt]
        path = "/usr/bin/stratovirt"
        kernel = "/var/lib/kata/kernel"
        initrd = "/var/lib/kata/kata-containers-initrd.img"
        machine_type = "microvm"
        block_device_driver = "virtio-mmio"
        use_vsock = true
        enable_netmon = true
        internetworking_model="tcfilter"
        sandbox_cgroup_with_emulator = false
        disable_new_netns = false
        disable_block_device_use = false
        disable_vhost_net = true
        
      2. Run the isula command with root permissions to start the BusyBox secure container and interconnect StratoVirt with it.

        # isula run -tid --runtime "io.containerd.kata.v2" --net=none --name test busybox:latest sh
        
      3. Run the isula ps command to check whether the secure container test is running properly. Then run the following command to access the container:

        # isula exec –ti test sh
        
      4. Use a VM snapshot to accelerate startup of the secure container and reduce the VM memory overhead.

        Modify the kata configuration file configuration.toml and set enable_template to true to allow the VM to start by creating a snapshot.

        [factory]
        # VM templating support. Once enabled, new VMs are created from template
        # using vm cloning. They will share the same initial kernel, initramfs and
        # agent memory by mapping it readonly. It helps speeding up new container
        # creation and saves a lot of memory if there are many kata containers running
        # on the same host.
        #
        # When disabled, new VMs are created from scratch.
        #
        # Note: Requires "initrd=" to be set ("image=" is not supported).
        #
        # Default false
        enable_template = true
        

        After the enable_template configuration item is set to true, kata-containers checks whether a snapshot file exists in the default path (/run/vc/vm/template) during secure container creation. If yes, kata-containers starts the VM using the snapshot file. If no, kata-containers creates a VM snapshot and start the VM using the snapshot file.

      5. Use the security component Ozone to further enhance the isolation of secure containers.

        Modify the kata configuration file configuration.toml and set the configuration item ozone_path to the path of the Ozone executable file. (If StratoVirt is installed using Yum, the Ozone executable file is stored in the /usr/bin directory by default.) After this item is configured, the Ozone security sandbox function is enabled to protect the VM against attacks after the virtualization layer isolation is broken and further enhance the isolation of StratoVirt secure containers.

        # Path for the ozone specific to stratovirt
        # If the ozone path is set, stratovirt will be launched in
        # ozone secure environment. It is disabled by default.
        ozone_path = "/usr/bin/ozone"
        

      You can now run container commands in the test container.

      Connecting to a Standard VM

      To use a StratoVirt standard VM as the sandbox of a secure container, you need to modify some other configurations.

      1. The configurations are as follows:

        [hypervisor.stratovirt]
        path = "/usr/bin/stratovirt"
        kernel = "/var/lib/kata/kernel"
        initrd = "/var/lib/kata/kata-containers-initrd.img"
        # x86_64 architecture
        machine_type = "q35"
        # AArch64 architecture
        machine_type = "virt"
        block_device_driver = "virtio-blk"
        pcie_root_port = 2
        use_vsock = true
        enable_netmon = true
        internetworking_model = "tcfilter"
        sandbox_cgroup_with_emulator = false
        disable_new_netns = false
        disable_block_device_use = false
        disable_vhost_net = true
        

        In the configurations above, modify the VM type according to the architecture of the host machine. Change the value of block_device_driver to virtio-blk. StratoVirt supports only devices hot-plugged to the root port. Set a proper value of pcie_root_port based on the number of devices to be hot-plugged.

      2. Install the firmware required for starting a standard VM.

        x86_64 architecture:

        # yum install -y edk2-ovmf
        

        AArch64 architecture:

        # yum install -y edk2-aarch64
        
      3. Build and replace the binary file of kata-containers 2.x.

        Currently, a StratoVirt standard VMs can only be used as the sandbox of a kata-containers 2.x container (corresponding to the openEuler-23.03 branch in the kata-containers repository). You need to download and compile the kata-containers source code and replace the containerd-shim-kata-v2 binary file in the /usr/bin directory.

        # mkdir -p /root/go/src/github.com/
        # cd /root/go/src/github.com/
        # git clone https://gitee.com/src-openeuler/kata-containers.git
        # cd kata-containers
        # git checkout openEuler-23.03
        # ./apply-patches
        # cd src/runtime
        # make
        

        Back up the kata binary file in the /usr/bin/ directory and replace it with the compiled binary file containerd-shim-kata-v2.

        # cp /usr/bin/containerd-shim-kata-v2 /usr/bin/containerd-shim-kata-v2.bk
        # cp containerd-shim-kata-v2 /usr/bin/containerd-shim-kata-v2
        
      4. Run the isula command with root permissions to start the BusyBox secure container and interconnect StratoVirt with it.

        # isula run -tid --runtime "io.containerd.kata.v2" --net=none --name test busybox:latest sh
        
      5. Run the isula ps command to check whether the secure container test is running properly. Then run the following command to access the container:

        # isula exec -ti test sh
        

      Bug Catching

      Buggy Content

      Bug Description

      Submit As Issue

      It's a little complicated....

      I'd like to ask someone.

      PR

      Just a small problem.

      I can fix it online!

      Bug Type
      Specifications and Common Mistakes

      ● Misspellings or punctuation mistakes;

      ● Incorrect links, empty cells, or wrong formats;

      ● Chinese characters in English context;

      ● Minor inconsistencies between the UI and descriptions;

      ● Low writing fluency that does not affect understanding;

      ● Incorrect version numbers, including software package names and version numbers on the UI.

      Usability

      ● Incorrect or missing key steps;

      ● Missing prerequisites or precautions;

      ● Ambiguous figures, tables, or texts;

      ● Unclear logic, such as missing classifications, items, and steps.

      Correctness

      ● Technical principles, function descriptions, or specifications inconsistent with those of the software;

      ● Incorrect schematic or architecture diagrams;

      ● Incorrect commands or command parameters;

      ● Incorrect code;

      ● Commands inconsistent with the functions;

      ● Wrong screenshots.

      Risk Warnings

      ● Lack of risk warnings for operations that may damage the system or important data.

      Content Compliance

      ● Contents that may violate applicable laws and regulations or geo-cultural context-sensitive words and expressions;

      ● Copyright infringement.

      How satisfied are you with this document

      Not satisfied at all
      Very satisfied
      Submit
      Click to create an issue. An issue template will be automatically generated based on your feedback.
      Bug Catching
      编组 3备份