diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md new file mode 100644 index 00000000..4a0e1c27 --- /dev/null +++ b/.github/pull_request_template.md @@ -0,0 +1,16 @@ +## Goal + + +## Changes + + +## Testing + + +## Artifacts & Screenshots + + +## Checklist +- [ ] Clear title +- [ ] Docs updated +- [ ] No secrets in code diff --git a/labs/lab12/analysis/cpu-comparison.txt b/labs/lab12/analysis/cpu-comparison.txt new file mode 100644 index 00000000..7525d8bf --- /dev/null +++ b/labs/lab12/analysis/cpu-comparison.txt @@ -0,0 +1,5 @@ +=== CPU Model Comparison === +Host CPU: +model name : 12th Gen Intel(R) Core(TM) i5-1240P +Kata VM CPU: +model name : 12th Gen Intel(R) Core(TM) i5-1240P diff --git a/labs/lab12/analysis/kernel-comparison.txt b/labs/lab12/analysis/kernel-comparison.txt new file mode 100644 index 00000000..a313d000 --- /dev/null +++ b/labs/lab12/analysis/kernel-comparison.txt @@ -0,0 +1,3 @@ +=== Kernel Version Comparison === +Host kernel (runc uses this): 6.17.0-23-generic +Kata guest kernel: Linux version 6.18.15 (@a3f44c86bab0) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04.3) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #1 SMP Sat May 2 16:07:11 UTC 2026 diff --git a/labs/lab12/bench/curl-3012.txt b/labs/lab12/bench/curl-3012.txt new file mode 100644 index 00000000..c71af5e6 --- /dev/null +++ b/labs/lab12/bench/curl-3012.txt @@ -0,0 +1,50 @@ +0.002474 +0.001807 +0.001857 +0.002336 +0.001764 +0.001998 +0.001573 +0.002732 +0.002119 +0.001999 +0.001635 +0.001614 +0.002609 +0.001186 +0.001452 +0.001451 +0.002112 +0.001805 +0.002066 +0.001779 +0.001723 +0.001547 +0.001871 +0.001750 +0.001559 +0.001712 +0.001352 +0.001986 +0.001477 +0.001591 +0.001483 +0.001389 +0.001591 +0.001325 +0.003747 +0.001759 +0.001635 +0.001821 +0.002386 +0.002252 +0.001587 +0.001825 +0.003954 +0.001552 +0.001947 +0.001617 +0.002185 +0.002051 +0.001439 +0.001354 
diff --git a/labs/lab12/bench/http-latency.txt b/labs/lab12/bench/http-latency.txt new file mode 100644 index 00000000..1d3247f3 --- /dev/null +++ b/labs/lab12/bench/http-latency.txt @@ -0,0 +1,3 @@ +=== HTTP Latency Test (juice-runc) === +Results for port 3012 (juice-runc): +avg=0.0019s min=0.0012s max=0.0040s n=50 diff --git a/labs/lab12/bench/startup.txt b/labs/lab12/bench/startup.txt new file mode 100644 index 00000000..4d8a979e --- /dev/null +++ b/labs/lab12/bench/startup.txt @@ -0,0 +1,7 @@ +=== Startup Time Comparison === +runc: +real 0.57 +test +Kata: +real 5.95 +test diff --git a/labs/lab12/isolation/dmesg.txt b/labs/lab12/isolation/dmesg.txt new file mode 100644 index 00000000..2e9d30cb --- /dev/null +++ b/labs/lab12/isolation/dmesg.txt @@ -0,0 +1,7 @@ +=== dmesg Access Test === +Kata VM (separate kernel boot logs): +[ 0.000000] Linux version 6.18.15 (@a3f44c86bab0) (gcc (Ubuntu 11.4.0-1ubuntu1~22.04.3) 11.4.0, GNU ld (GNU Binutils for Ubuntu) 2.38) #1 SMP Sat May 2 16:07:11 UTC 2026 +[ 0.000000] Command line: reboot=k panic=1 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1 selinux=0 console=hvc0 +[ 0.000000] BIOS-provided physical RAM map: +[ 0.000000] BIOS-e820: [mem 0x0000000000000000-0x000000000009fbff] usable +[ 0.000000] BIOS-e820: [mem 0x000000000009fc00-0x00000000000fffff] reserved diff --git a/labs/lab12/isolation/modules.txt b/labs/lab12/isolation/modules.txt new file mode 100644 index 00000000..ff3c7dba --- /dev/null +++ b/labs/lab12/isolation/modules.txt @@ -0,0 +1,3 @@ +=== Kernel Modules Count === +Host kernel modules: 378 +Kata guest kernel modules: 79 diff --git a/labs/lab12/isolation/network.txt b/labs/lab12/isolation/network.txt new file mode 100644 index 00000000..608a5add --- /dev/null +++ b/labs/lab12/isolation/network.txt 
@@ -0,0 +1,8 @@ +=== Network Interfaces === +Kata VM network: +1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + inet 127.0.0.1/8 scope host lo + valid_lft forever preferred_lft forever + inet6 ::1/128 scope host noprefixroute + valid_lft forever preferred_lft forever diff --git a/labs/lab12/isolation/proc.txt b/labs/lab12/isolation/proc.txt new file mode 100644 index 00000000..4acc31ef --- /dev/null +++ b/labs/lab12/isolation/proc.txt @@ -0,0 +1,3 @@ +=== /proc Entries Count === +Host: 719 +Kata VM: 54 diff --git a/labs/lab12/kata/cpu.txt b/labs/lab12/kata/cpu.txt new file mode 100644 index 00000000..710550ce --- /dev/null +++ b/labs/lab12/kata/cpu.txt @@ -0,0 +1 @@ +model name : 12th Gen Intel(R) Core(TM) i5-1240P diff --git a/labs/lab12/kata/kernel.txt b/labs/lab12/kata/kernel.txt new file mode 100644 index 00000000..b497f27c --- /dev/null +++ b/labs/lab12/kata/kernel.txt @@ -0,0 +1 @@ +6.18.15 diff --git a/labs/lab12/kata/test1.txt b/labs/lab12/kata/test1.txt new file mode 100644 index 00000000..9417bcb6 --- /dev/null +++ b/labs/lab12/kata/test1.txt @@ -0,0 +1 @@ +Linux fc6eb5c2bf6a 6.18.15 #1 SMP Sat May 2 16:07:11 UTC 2026 x86_64 Linux diff --git a/labs/lab12/runc/health.txt b/labs/lab12/runc/health.txt new file mode 100644 index 00000000..848dc384 --- /dev/null +++ b/labs/lab12/runc/health.txt @@ -0,0 +1 @@ +juice-runc: HTTP 200 diff --git a/labs/lab12/runc/juice-runc-run.txt b/labs/lab12/runc/juice-runc-run.txt new file mode 100644 index 00000000..b68e5b14 --- /dev/null +++ b/labs/lab12/runc/juice-runc-run.txt @@ -0,0 +1 @@ +03d44c19e8b3108c0ee87305f79c5efdad8db160c9a83b18bbdcf9e20a7e2fd2 diff --git a/labs/lab12/setup/.gitignore b/labs/lab12/setup/.gitignore new file mode 100644 index 00000000..d03a4065 --- /dev/null +++ b/labs/lab12/setup/.gitignore @@ -0,0 +1,6 @@ +kata-build/ +kata-out/containerd-shim-kata-v2 +nerdctl/ +kata-static-*.tar.zst +cni/ +cni-plugins-*.tgz 
diff --git a/labs/lab12/setup/build-kata-runtime.log b/labs/lab12/setup/build-kata-runtime.log new file mode 100644 index 00000000..73434a5f --- /dev/null +++ b/labs/lab12/setup/build-kata-runtime.log 
@@ -0,0 +1,224 @@ +Building Kata runtime in Docker... +Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB] +Get:2 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB] +Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB] +Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8792 kB] +Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [6924 B] +Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [299 kB] +Fetched 9352 kB in 2s (5084 kB/s) +Reading package lists... +Reading package lists... +Building dependency tree... +Reading state information... +make is already the newest version (4.3-4.1). +gcc is already the newest version (4:12.2.0-3). +g++ is already the newest version (4:12.2.0-3). +pkg-config is already the newest version (1.8.1-1). +pkg-config set to manually installed. +The following additional packages will be installed: + cmake-data git-man libarchive13 libjq1 libjsoncpp25 libonig5 librhash0 + libseccomp2 libuv1 musl musl-dev +Suggested packages: + cmake-doc cmake-format elpa-cmake-mode ninja-build gettext-base + git-daemon-run | git-daemon-sysvinit git-doc git-email git-gui gitk gitweb + git-cvs git-mediawiki git-svn lrzip seccomp +Recommended packages: + less linux-musl-dev +The following NEW packages will be installed: + cmake cmake-data jq libarchive13 libjq1 libjsoncpp25 libonig5 librhash0 + libseccomp-dev libuv1 musl musl-dev musl-tools +The following packages will be upgraded: + ca-certificates git git-man libseccomp2 +4 upgraded, 13 newly installed, 0 to remove and 166 not upgraded. +Need to get 22.4 MB of archives. +After this operation, 47.9 MB of additional disk space will be used. 
+Get:1 http://deb.debian.org/debian bookworm/main amd64 libseccomp2 amd64 2.5.4-1+deb12u1 [46.8 kB] +Get:2 http://deb.debian.org/debian bookworm/main amd64 ca-certificates all 20230311+deb12u1 [155 kB] +Get:3 http://deb.debian.org/debian bookworm/main amd64 libarchive13 amd64 3.6.2-1+deb12u3 [343 kB] +Get:4 http://deb.debian.org/debian bookworm/main amd64 libjsoncpp25 amd64 1.9.5-4 [78.6 kB] +Get:5 http://deb.debian.org/debian bookworm/main amd64 librhash0 amd64 1.4.3-3 [134 kB] +Get:6 http://deb.debian.org/debian bookworm/main amd64 libuv1 amd64 1.44.2-1+deb12u1 [136 kB] +Get:7 http://deb.debian.org/debian bookworm/main amd64 cmake-data all 3.25.1-1 [2026 kB] +Get:8 http://deb.debian.org/debian bookworm/main amd64 cmake amd64 3.25.1-1 [8692 kB] +Get:9 http://deb.debian.org/debian bookworm/main amd64 git amd64 1:2.39.5-0+deb12u3 [7264 kB] +Get:10 http://deb.debian.org/debian bookworm/main amd64 git-man all 1:2.39.5-0+deb12u3 [2053 kB] +Get:11 http://deb.debian.org/debian bookworm/main amd64 libonig5 amd64 6.9.8-1 [188 kB] +Get:12 http://deb.debian.org/debian bookworm/main amd64 libjq1 amd64 1.6-2.1+deb12u1 [134 kB] +Get:13 http://deb.debian.org/debian bookworm/main amd64 jq amd64 1.6-2.1+deb12u1 [63.7 kB] +Get:14 http://deb.debian.org/debian bookworm/main amd64 libseccomp-dev amd64 2.5.4-1+deb12u1 [90.8 kB] +Get:15 http://deb.debian.org/debian bookworm/main amd64 musl amd64 1.2.3-1 [406 kB] +Get:16 http://deb.debian.org/debian bookworm/main amd64 musl-dev amd64 1.2.3-1 [587 kB] +Get:17 http://deb.debian.org/debian bookworm/main amd64 musl-tools amd64 1.2.3-1 [42.3 kB] +debconf: delaying package configuration, since apt-utils is not installed +Fetched 22.4 MB in 2s (10.4 MB/s) +(Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 
50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 23259 files and directories currently installed.) +Preparing to unpack .../libseccomp2_2.5.4-1+deb12u1_amd64.deb ... +Unpacking libseccomp2:amd64 (2.5.4-1+deb12u1) over (2.5.4-1+b3) ... +Setting up libseccomp2:amd64 (2.5.4-1+deb12u1) ... +(Reading database ... (Reading database ... 5% (Reading database ... 10% (Reading database ... 15% (Reading database ... 20% (Reading database ... 25% (Reading database ... 30% (Reading database ... 35% (Reading database ... 40% (Reading database ... 45% (Reading database ... 50% (Reading database ... 55% (Reading database ... 60% (Reading database ... 65% (Reading database ... 70% (Reading database ... 75% (Reading database ... 80% (Reading database ... 85% (Reading database ... 90% (Reading database ... 95% (Reading database ... 100% (Reading database ... 23258 files and directories currently installed.) +Preparing to unpack .../00-ca-certificates_20230311+deb12u1_all.deb ... +Unpacking ca-certificates (20230311+deb12u1) over (20230311) ... +Selecting previously unselected package libarchive13:amd64. +Preparing to unpack .../01-libarchive13_3.6.2-1+deb12u3_amd64.deb ... +Unpacking libarchive13:amd64 (3.6.2-1+deb12u3) ... +Selecting previously unselected package libjsoncpp25:amd64. +Preparing to unpack .../02-libjsoncpp25_1.9.5-4_amd64.deb ... +Unpacking libjsoncpp25:amd64 (1.9.5-4) ... +Selecting previously unselected package librhash0:amd64. +Preparing to unpack .../03-librhash0_1.4.3-3_amd64.deb ... +Unpacking librhash0:amd64 (1.4.3-3) ... +Selecting previously unselected package libuv1:amd64. +Preparing to unpack .../04-libuv1_1.44.2-1+deb12u1_amd64.deb ... +Unpacking libuv1:amd64 (1.44.2-1+deb12u1) ... 
+Selecting previously unselected package cmake-data. +Preparing to unpack .../05-cmake-data_3.25.1-1_all.deb ... +Unpacking cmake-data (3.25.1-1) ... +Selecting previously unselected package cmake. +Preparing to unpack .../06-cmake_3.25.1-1_amd64.deb ... +Unpacking cmake (3.25.1-1) ... +Preparing to unpack .../07-git_1%3a2.39.5-0+deb12u3_amd64.deb ... +Unpacking git (1:2.39.5-0+deb12u3) over (1:2.39.2-1.1) ... +Preparing to unpack .../08-git-man_1%3a2.39.5-0+deb12u3_all.deb ... +Unpacking git-man (1:2.39.5-0+deb12u3) over (1:2.39.2-1.1) ... +Selecting previously unselected package libonig5:amd64. +Preparing to unpack .../09-libonig5_6.9.8-1_amd64.deb ... +Unpacking libonig5:amd64 (6.9.8-1) ... +Selecting previously unselected package libjq1:amd64. +Preparing to unpack .../10-libjq1_1.6-2.1+deb12u1_amd64.deb ... +Unpacking libjq1:amd64 (1.6-2.1+deb12u1) ... +Selecting previously unselected package jq. +Preparing to unpack .../11-jq_1.6-2.1+deb12u1_amd64.deb ... +Unpacking jq (1.6-2.1+deb12u1) ... +Selecting previously unselected package libseccomp-dev:amd64. +Preparing to unpack .../12-libseccomp-dev_2.5.4-1+deb12u1_amd64.deb ... +Unpacking libseccomp-dev:amd64 (2.5.4-1+deb12u1) ... +Selecting previously unselected package musl:amd64. +Preparing to unpack .../13-musl_1.2.3-1_amd64.deb ... +Unpacking musl:amd64 (1.2.3-1) ... +Selecting previously unselected package musl-dev:amd64. +Preparing to unpack .../14-musl-dev_1.2.3-1_amd64.deb ... +Unpacking musl-dev:amd64 (1.2.3-1) ... +Selecting previously unselected package musl-tools. +Preparing to unpack .../15-musl-tools_1.2.3-1_amd64.deb ... +Unpacking musl-tools (1.2.3-1) ... +Setting up libseccomp-dev:amd64 (2.5.4-1+deb12u1) ... +Setting up libarchive13:amd64 (3.6.2-1+deb12u3) ... +Setting up ca-certificates (20230311+deb12u1) ... +debconf: unable to initialize frontend: Dialog +debconf: (TERM is not set, so the dialog frontend is not usable.) 
+debconf: falling back to frontend: Readline +debconf: unable to initialize frontend: Readline +debconf: (This frontend requires a controlling tty.) +debconf: falling back to frontend: Teletype +Updating certificates in /etc/ssl/certs... +rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL +2 added, 0 removed; done. +Setting up libuv1:amd64 (1.44.2-1+deb12u1) ... +Setting up libjsoncpp25:amd64 (1.9.5-4) ... +Setting up musl:amd64 (1.2.3-1) ... +Setting up librhash0:amd64 (1.4.3-3) ... +Setting up git-man (1:2.39.5-0+deb12u3) ... +Setting up cmake-data (3.25.1-1) ... +Setting up libonig5:amd64 (6.9.8-1) ... +Setting up libjq1:amd64 (1.6-2.1+deb12u1) ... +Setting up musl-dev:amd64 (1.2.3-1) ... +Setting up git (1:2.39.5-0+deb12u3) ... +Setting up jq (1.6-2.1+deb12u1) ... +Setting up cmake (3.25.1-1) ... +Setting up musl-tools (1.2.3-1) ... +Processing triggers for libc-bin (2.36-9+deb12u4) ... +Processing triggers for ca-certificates (20230311+deb12u1) ... +Updating certificates in /etc/ssl/certs... +0 added, 0 removed; done. +Running hooks in /etc/ca-certificates/update.d... +done. +Updating certificates in /etc/ssl/certs... +0 added, 0 removed; done. +Running hooks in /etc/ca-certificates/update.d... +done. +rustc 1.75.0 (82e1608df 2023-12-21) +cargo 1.75.0 (1d8b05cdd 2023-11-20) +info: This is the version for the rustup toolchain manager, not the rustc compiler. 
+rustup 1.26.0 (5af9b9484 2023-04-05) +info: The currently active `rustc` version is `rustc 1.75.0 (82e1608df 2023-12-21)` +info: syncing channel updates for '1.93-x86_64-unknown-linux-gnu' +info: latest update on 2026-02-12, rust version 1.93.1 (01f6ddf75 2026-02-11) +info: downloading component 'cargo' +info: downloading component 'rust-std' +info: downloading component 'rustc' +info: installing component 'cargo' +info: installing component 'rust-std' +info: installing component 'rustc' +info: downloading component 'rust-std' for 'x86_64-unknown-linux-musl' +info: installing component 'rust-std' for 'x86_64-unknown-linux-musl' +warning: profiles for the non root package will be ignored, specify profiles at the workspace root: +package: /work/kata-containers/src/agent/Cargo.toml +workspace: /work/kata-containers/Cargo.toml +containerd-shim-kata-v2 - version 3.30.0 (commit 5f6512ac938af9134753dc07e9fd70ccfb69cc26) + +• Project: + name: Kata Containers + url: https://github.com/kata-containers + component: containerd-shim-kata-v2 + +• Target: containerd-shim-kata-v2 + +• Architecture: x86_64 + +• Rust: + cargo: cargo 1.93.1 (083ac5135 2025-12-15) + rustc: rustc 1.93.1 (01f6ddf75 2026-02-11) + rustup: rustup 1.26.0 (5af9b9484 2023-04-05) + toolchain: 1.93-x86_64-unknown-linux-gnu (overridden by '/work/kata-containers/rust-toolchain.toml') + +• Hypervisors: + Default: qemu + Known: clh-runtime-rs dragonball firecracker qemu remote + Available for this architecture: clh-runtime-rs dragonball firecracker qemu remote + +• Summary: + + destination install path (DESTDIR) : / + binary installation path (BINDIR) : /usr/local/bin + binaries to install : + - /usr/local/bin/containerd-shim-kata-v2 + configs to install (CONFIGS) : + - config/configuration-clh-runtime-rs.toml + - config/configuration-dragonball.toml + - config/configuration-qemu-coco-dev-runtime-rs.toml + - config/configuration-qemu-runtime-rs.toml + - config/configuration-qemu-se-runtime-rs.toml + - 
config/configuration-qemu-snp-runtime-rs.toml + - config/configuration-qemu-tdx-runtime-rs.toml + - config/configuration-remote.toml + - config/configuration-rs-fc.toml + install paths (CONFIG_PATHS) : + - /usr/share/defaults/kata-containers/runtime-rs/configuration-clh-runtime-rs.toml + - /usr/share/defaults/kata-containers/runtime-rs/configuration-dragonball.toml + - /usr/share/defaults/kata-containers/runtime-rs/configuration-qemu-coco-dev-runtime-rs.toml + - /usr/share/defaults/kata-containers/runtime-rs/configuration-qemu-runtime-rs.toml + - /usr/share/defaults/kata-containers/runtime-rs/configuration-qemu-se-runtime-rs.toml + - /usr/share/defaults/kata-containers/runtime-rs/configuration-qemu-snp-runtime-rs.toml + - /usr/share/defaults/kata-containers/runtime-rs/configuration-qemu-tdx-runtime-rs.toml + - /usr/share/defaults/kata-containers/runtime-rs/configuration-remote.toml + - /usr/share/defaults/kata-containers/runtime-rs/configuration-rs-fc.toml + alternate config paths (SYSCONFIG_PATHS) : + - /etc/kata-containers/configuration-clh-runtime-rs.toml + - /etc/kata-containers/configuration-dragonball.toml + - /etc/kata-containers/configuration-qemu-coco-dev-runtime-rs.toml + - /etc/kata-containers/configuration-qemu-runtime-rs.toml + - /etc/kata-containers/configuration-qemu-se-runtime-rs.toml + - /etc/kata-containers/configuration-qemu-snp-runtime-rs.toml + - /etc/kata-containers/configuration-qemu-tdx-runtime-rs.toml + - /etc/kata-containers/configuration-remote.toml + - /etc/kata-containers/configuration-rs-fc.toml + default install path for qemu (CONFIG_PATH) : /usr/share/defaults/kata-containers/runtime-rs/configuration.toml + default alternate config path (SYSCONFIG) : /etc/kata-containers/configuration.toml + qemu hypervisor path (QEMUPATH) : /usr/bin/qemu-system-x86_64 + clh-runtime-rs hypervisor path (CLHPATH) : /usr/bin/cloud-hypervisor + firecracker hypervisor path (FCPATH) : /usr/bin/firecracker + assets path (PKGDATADIR) : 
/usr/share/kata-containers + shim path (PKGLIBEXECDIR) : /usr/libexec/kata-containers + +Kata Containers containerd shim (Rust): id: io.containerd.kata.v2, version: 3.30.0, commit: 5f6512ac938af9134753dc07e9fd70ccfb69cc26 +Done. Binary saved to: /home/dart/Programming/DevSecOps-Intro/labs/lab12/setup/kata-out/containerd-shim-kata-v2 diff --git a/labs/lab12/setup/build-kata-runtime.sh b/labs/lab12/setup/build-kata-runtime.sh index b909a410..15742ab3 100644 --- a/labs/lab12/setup/build-kata-runtime.sh +++ b/labs/lab12/setup/build-kata-runtime.sh @@ -24,7 +24,7 @@ docker run --rm \ rust:1.75-bookworm bash -lc ' set -euo pipefail apt-get update && apt-get install -y --no-install-recommends \ - git make gcc pkg-config ca-certificates musl-tools libseccomp-dev && \ + git make gcc g++ cmake jq pkg-config ca-certificates musl-tools libseccomp-dev && \ update-ca-certificates || true # Ensure cargo/rustup are available @@ -44,7 +44,7 @@ docker run --rm \ make # Collect the produced binary - f=$(find target -type f -name containerd-shim-kata-v2 | head -n1) + f=$(find ../../target -type f -name containerd-shim-kata-v2 | head -n1) if [ -z "$f" ]; then echo "ERROR: built binary not found" >&2; exit 1 fi diff --git a/labs/lab12/setup/cleanup-stuck-kata-ctr.txt b/labs/lab12/setup/cleanup-stuck-kata-ctr.txt new file mode 100644 index 00000000..e69de29b diff --git a/labs/lab12/setup/cleanup-stuck-kata.txt b/labs/lab12/setup/cleanup-stuck-kata.txt new file mode 100644 index 00000000..7ba3e0c2 --- /dev/null +++ b/labs/lab12/setup/cleanup-stuck-kata.txt @@ -0,0 +1 @@ +time="2026-05-07T10:20:47+03:00" level=error msg="1 errors:\nunknown container status unknown" diff --git a/labs/lab12/setup/cni-installed.txt b/labs/lab12/setup/cni-installed.txt new file mode 100644 index 00000000..172b426a --- /dev/null +++ b/labs/lab12/setup/cni-installed.txt @@ -0,0 +1,2 @@ +/opt/cni/bin/bridge +/opt/cni/bin/loopback 
diff --git a/labs/lab12/setup/configure-containerd-kata.log b/labs/lab12/setup/configure-containerd-kata.log new file mode 100644 index 00000000..b816d8da --- /dev/null +++ b/labs/lab12/setup/configure-containerd-kata.log @@ -0,0 +1,2 @@ +Updated /etc/containerd/config.toml with Kata runtime: io.containerd.kata.v2 +Restart containerd to apply: sudo systemctl restart containerd diff --git a/labs/lab12/setup/containerd-journal-tail.txt b/labs/lab12/setup/containerd-journal-tail.txt new file mode 100644 index 00000000..4c457741 --- /dev/null +++ b/labs/lab12/setup/containerd-journal-tail.txt 
@@ -0,0 +1,94 @@ +May 07 10:14:27 McLaren kata[125780]: begin to run service +May 07 10:14:27 McLaren kata[125780]: wait server message +May 07 10:14:27 McLaren kata[125780]: get config path "" +May 07 10:14:27 McLaren kata[125780]: load configuration from: /opt/kata/share/defaults/kata-containers/runtime-rs/configuration-qemu-runtime-rs.toml +May 07 10:14:27 McLaren kata[125780]: Adjusting hypervisor configuration ["qemu"] +May 07 10:14:27 McLaren kata[125780]: get kata config: TomlConfig { agent: {"kata": Agent { debug: false, log_level: "info", enable_tracing: false, debug_console_enabled: false, server_port: 1024, log_port: 1025, passfd_listener_port: 1027, dial_timeout_ms: 10, reconnect_timeout_ms: 3000, request_timeout_ms: 30000, health_check_request_timeout_ms: 90000, kernel_modules: [], container_pipe_size: 0, launch_process_timeout: 0, mem_agent: MemAgent { enable: false, memcg_disable: Some(false), memcg_swap: Some(false), memcg_swappiness_max: Some(50), memcg_period_secs: Some(600), memcg_period_psi_percent_limit: Some(1), memcg_eviction_psi_percent_limit: Some(1), memcg_eviction_run_aging_count_min: Some(3), compact_disable: Some(false), compact_period_secs: Some(600), compact_period_psi_percent_limit: Some(1), compact_psi_percent_limit: Some(5), compact_sec_max: Some(300), compact_order: Some(9), compact_threshold: Some(1024), compact_force_times: Some(9223372036854775807) }, policy: "" }}, hypervisor: {"qemu": Hypervisor { path: "/opt/kata/bin/qemu-system-x86_64", valid_hypervisor_paths: ["/opt/kata/bin/qemu-system-x86_64"], ctlpath: "", valid_ctlpaths: [], jailer_path: "", valid_jailer_paths: [], disable_nesting_checks: false, enable_iothreads: false, blockdev_info: BlockDeviceInfo { disable_block_device_use: false, block_device_driver: "virtio-scsi", block_device_aio: "io_uring", block_device_cache_set: false, block_device_cache_direct: false, block_device_cache_noflush: false, block_device_logical_sector_size: 0, block_device_physical_sector_size: 
0, disable_image_nvdimm: false, memory_offset: 0, enable_vhost_user_store: false, vhost_user_store_path: "", valid_vhost_user_store_paths: ["/var/run/kata-containers/vhost-user"], disk_rate_limiter_bw_max_rate: 0, disk_rate_limiter_bw_one_time_burst: None, disk_rate_limiter_ops_max_rate: 0, disk_rate_limiter_ops_one_time_burst: None, queue_size: 128, num_queues: 1 }, boot_info: BootInfo { kernel: "/opt/kata/share/kata-containers/vmlinux-6.18.15-192", kernel_params: "cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1", kernel_verity_params: "", initrd: "", image: "/opt/kata/share/kata-containers/kata-ubuntu-noble.image", rootfs_type: "ext4", firmware: "", vm_rootfs_driver: "virtio-pmem" }, cpu_info: CpuInfo { cpu_features: "pmu=off", default_vcpus: 1.0, default_maxvcpus: 16 }, debug_info: DebugInfo { enable_debug: false, log_level: "info", guest_memory_dump_paging: false, guest_memory_dump_path: "", extra_monitor_socket: "" }, device_info: DeviceInfo { default_bridges: 1, hotplug_vfio_on_root_bus: false, pcie_root_port: 0, pcie_switch_port: 0, enable_iommu: false, enable_iommu_platform: false, reclaim_guest_freed_memory: false }, machine_info: MachineInfo { machine_type: "q35", machine_accelerators: "", pflashes: [], entropy_source: "/dev/urandom", valid_entropy_sources: ["/dev/urandom", "/dev/random", ""] }, memory_info: MemoryInfo { default_memory: 2048, default_maxmemory: 15714, memory_slots: 10, file_mem_backend: "", valid_file_mem_backends: [""], enable_mem_prealloc: false, enable_hugepages: false, hugepage_type: Hugetlbfs, enable_virtio_mem: false, enable_guest_swap: false, guest_swap_path: "/run/kata-containers/swap", guest_swap_size_percent: 100, guest_swap_create_threshold_secs: 60 }, network_info: NetworkInfo { disable_vhost_net: false, rx_rate_limiter_max_rate: 0, tx_rate_limiter_max_rate: 0, network_queues: 1 }, security_info: SecurityInfo { rootless: false, rootless_user: None, disable_seccomp: false, confidential_guest: false, sev_snp_guest: false, 
snp_id_block: "", snp_id_auth: "", snp_guest_policy: 196608, guest_hook_path: "", initdata: "", enable_annotations: ["enable_iommu", "virtio_fs_extra_args", "kernel_params", "kernel_verity_params", "default_vcpus", "default_memory"], qgs_port: 4050, seccomp_sandbox: Some(""), selinux_label: None }, shared_fs: SharedFsInfo { shared_fs: Some("virtio-fs"), virtio_fs_daemon: "/opt/kata/libexec/virtiofsd", valid_virtio_fs_daemon_paths: ["/opt/kata/libexec/virtiofsd"], virtio_fs_extra_args: ["--thread-pool-size=1", "-o", "announce_submounts"], virtio_fs_cache: "auto", virtio_fs_cache_size: 0, virtio_fs_queue_size: 1024, virtio_fs_is_dax: false }, remote_info: RemoteInfo { hypervisor_socket: "", hypervisor_timeout: 0, default_gpus: 0, default_gpu_model: "" }, vm_template: VmTemplateInfo { boot_to_be_template: false, boot_from_template: false, memory_path: "", device_state_path: "" }, factory: Factory { enable_template: false, template_path: "/run/vc/vm/template" }, prefetch_list_path: "", vendor: HypervisorVendor, disable_guest_selinux: true, disable_selinux: false }}, runtime: Runtime { name: "virt_container", hypervisor_name: "qemu", agent_name: "kata", debug: false, log_level: "info", experimental: [], internetworking_model: "tcfilter", disable_new_netns: false, sandbox_bind_mounts: [], sandbox_cgroup_only: false, enable_vcpus_pinning: false, enable_tracing: false, jaeger_endpoint: "", jaeger_user: "", jaeger_password: "", enable_pprof: false, static_sandbox_resource_mgmt: false, disable_guest_seccomp: true, disable_guest_empty_dir: false, vfio_mode: "guest-kernel", vendor: RuntimeVendor, keep_abnormal: false, dan_conf: "", shared_mounts: [], use_passfd_io: false, passfd_listener_port: 1027 } } +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/auto-remove not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/networks not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/name not enabled +May 07 10:14:27 McLaren kata[125780]: 
Annotation nerdctl/hostname not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/log-config not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/namespace not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/state-dir not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/dns not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/extraHosts not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/host-config not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/network-namespace not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/ipc not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/domainname not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/platform not enabled +May 07 10:14:27 McLaren kata[125780]: Annotation nerdctl/log-uri not enabled +May 07 10:14:27 McLaren kata[125780]: Adjusting hypervisor configuration ["qemu"] +May 07 10:14:27 McLaren kata[125780]: get config content TomlConfig { agent: {"kata": Agent { debug: false, log_level: "info", enable_tracing: false, debug_console_enabled: false, server_port: 1024, log_port: 1025, passfd_listener_port: 1027, dial_timeout_ms: 10, reconnect_timeout_ms: 3000, request_timeout_ms: 30000, health_check_request_timeout_ms: 90000, kernel_modules: [], container_pipe_size: 0, launch_process_timeout: 0, mem_agent: MemAgent { enable: false, memcg_disable: Some(false), memcg_swap: Some(false), memcg_swappiness_max: Some(50), memcg_period_secs: Some(600), memcg_period_psi_percent_limit: Some(1), memcg_eviction_psi_percent_limit: Some(1), memcg_eviction_run_aging_count_min: Some(3), compact_disable: Some(false), compact_period_secs: Some(600), compact_period_psi_percent_limit: Some(1), compact_psi_percent_limit: Some(5), compact_sec_max: Some(300), compact_order: Some(9), compact_threshold: Some(1024), compact_force_times: Some(9223372036854775807) }, policy: "" 
}}, hypervisor: {"qemu": Hypervisor { path: "/opt/kata/bin/qemu-system-x86_64", valid_hypervisor_paths: ["/opt/kata/bin/qemu-system-x86_64"], ctlpath: "", valid_ctlpaths: [], jailer_path: "", valid_jailer_paths: [], disable_nesting_checks: false, enable_iothreads: false, blockdev_info: BlockDeviceInfo { disable_block_device_use: false, block_device_driver: "virtio-scsi", block_device_aio: "io_uring", block_device_cache_set: false, block_device_cache_direct: false, block_device_cache_noflush: false, block_device_logical_sector_size: 0, block_device_physical_sector_size: 0, disable_image_nvdimm: false, memory_offset: 0, enable_vhost_user_store: false, vhost_user_store_path: "", valid_vhost_user_store_paths: ["/var/run/kata-containers/vhost-user"], disk_rate_limiter_bw_max_rate: 0, disk_rate_limiter_bw_one_time_burst: None, disk_rate_limiter_ops_max_rate: 0, disk_rate_limiter_ops_one_time_burst: None, queue_size: 128, num_queues: 1 }, boot_info: BootInfo { kernel: "/opt/kata/share/kata-containers/vmlinux-6.18.15-192", kernel_params: "cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1", kernel_verity_params: "", initrd: "", image: "/opt/kata/share/kata-containers/kata-ubuntu-noble.image", rootfs_type: "ext4", firmware: "", vm_rootfs_driver: "virtio-pmem" }, cpu_info: CpuInfo { cpu_features: "pmu=off", default_vcpus: 1.0, default_maxvcpus: 16 }, debug_info: DebugInfo { enable_debug: false, log_level: "info", guest_memory_dump_paging: false, guest_memory_dump_path: "", extra_monitor_socket: "" }, device_info: DeviceInfo { default_bridges: 1, hotplug_vfio_on_root_bus: false, pcie_root_port: 0, pcie_switch_port: 0, enable_iommu: false, enable_iommu_platform: false, reclaim_guest_freed_memory: false }, machine_info: MachineInfo { machine_type: "q35", machine_accelerators: "", pflashes: [], entropy_source: "/dev/urandom", valid_entropy_sources: ["/dev/urandom", "/dev/random", ""] }, memory_info: MemoryInfo { default_memory: 2048, default_maxmemory: 15714, memory_slots: 10, 
file_mem_backend: "", valid_file_mem_backends: [""], enable_mem_prealloc: false, enable_hugepages: false, hugepage_type: Hugetlbfs, enable_virtio_mem: false, enable_guest_swap: false, guest_swap_path: "/run/kata-containers/swap", guest_swap_size_percent: 100, guest_swap_create_threshold_secs: 60 }, network_info: NetworkInfo { disable_vhost_net: false, rx_rate_limiter_max_rate: 0, tx_rate_limiter_max_rate: 0, network_queues: 1 }, security_info: SecurityInfo { rootless: false, rootless_user: None, disable_seccomp: false, confidential_guest: false, sev_snp_guest: false, snp_id_block: "", snp_id_auth: "", snp_guest_policy: 196608, guest_hook_path: "", initdata: "", enable_annotations: ["enable_iommu", "virtio_fs_extra_args", "kernel_params", "kernel_verity_params", "default_vcpus", "default_memory"], qgs_port: 4050, seccomp_sandbox: Some(""), selinux_label: None }, shared_fs: SharedFsInfo { shared_fs: Some("virtio-fs"), virtio_fs_daemon: "/opt/kata/libexec/virtiofsd", valid_virtio_fs_daemon_paths: ["/opt/kata/libexec/virtiofsd"], virtio_fs_extra_args: ["--thread-pool-size=1", "-o", "announce_submounts"], virtio_fs_cache: "auto", virtio_fs_cache_size: 0, virtio_fs_queue_size: 1024, virtio_fs_is_dax: false }, remote_info: RemoteInfo { hypervisor_socket: "", hypervisor_timeout: 0, default_gpus: 0, default_gpu_model: "" }, vm_template: VmTemplateInfo { boot_to_be_template: false, boot_from_template: false, memory_path: "", device_state_path: "" }, factory: Factory { enable_template: false, template_path: "/run/vc/vm/template" }, prefetch_list_path: "", vendor: HypervisorVendor, disable_guest_selinux: true, disable_selinux: false }}, runtime: Runtime { name: "virt_container", hypervisor_name: "qemu", agent_name: "kata", debug: false, log_level: "info", experimental: [], internetworking_model: "tcfilter", disable_new_netns: false, sandbox_bind_mounts: [], sandbox_cgroup_only: false, enable_vcpus_pinning: false, enable_tracing: false, jaeger_endpoint: "", jaeger_user: "", 
jaeger_password: "", enable_pprof: false, static_sandbox_resource_mgmt: false, disable_guest_seccomp: true, disable_guest_empty_dir: false, vfio_mode: "guest-kernel", vendor: RuntimeVendor, keep_abnormal: false, dan_conf: "", shared_mounts: [], use_passfd_io: false, passfd_listener_port: 1027 } } +May 07 10:14:27 McLaren kata[125780]: (from PodSandbox's annotation / SingleContainer's spec) initial size: vcpu=0, mem_mb=0 +May 07 10:14:27 McLaren kata[125780]: new runtime handler virt_container +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: shim management http server starts +May 07 10:14:27 McLaren kata[125780]: Preparing QEMU VM +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: prepare vm socket config for sandbox. +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: sandbox: available protection: NoProtection +May 07 10:14:27 McLaren kata[125780]: No PCIe ports available for VM. 
+May 07 10:14:27 McLaren kata[125780]: QemuInner::add_device() Vsock(VsockDevice { id: "993e62ce8d7dcfa", config: VsockConfig { guest_cid: 4294967295 } }) +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: QemuInner::add_device() ShareFs(ShareFsDevice { device_id: "6e4aaf3bd2e34ebf", config: ShareFsConfig { host_shared_path: "/run/kata-containers/shared/sandboxes/b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9/ro", fs_type: "virtio-fs", sock_path: "/run/kata/b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9/root/virtiofsd.sock", mount_tag: "kataShared", queue_size: 0, queue_num: 0, options: [], mount_config: None } }) +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: mgmt-svr: binding to path unix:///run/kata/b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9/shim-monitor.sock +May 07 10:14:27 McLaren kata[125780]: source: virtiofsd [2026-05-07T07:14:27Z WARN virtiofsd] Use of deprecated option format '-o': Please specify options without it (e.g., '--cache auto' instead of '-o cache=auto') +May 07 10:14:27 McLaren kata[125780]: source: virtiofsd [2026-05-07T07:14:27Z INFO virtiofsd] Waiting for vhost-user socket connection... +May 07 10:14:27 McLaren kata[125780]: start virtiofsd successfully +May 07 10:14:27 McLaren kata[125780]: sandbox bindmounts empty, just skip it. 
+May 07 10:14:27 McLaren kata[125780]: QemuInner::add_device() Block(BlockDevice { device_id: "6477b665736d62a1", attach_count: 1, config: BlockConfig { path_on_host: "/opt/kata/share/kata-containers/kata-ubuntu-noble.image", is_readonly: true, no_drop: false, format: Raw, is_direct: None, index: 0, blkdev_aio: IoUring, driver_option: "nvdimm", virt_path: "/dev/pmem0", pci_path: None, scsi_addr: None, ccw_addr: None, attach_count: 0, major: 0, minor: 0, queue_size: 0, num_queues: 0, logical_sector_size: 0, physical_sector_size: 0 } }) +May 07 10:14:27 McLaren kata[125780]: Starting QEMU VM +May 07 10:14:27 McLaren kata[125780]: qemu args: -name sandbox-b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9 -kernel /opt/kata/share/kata-containers/vmlinux-6.18.15-192 -append reboot=k panic=1 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1 selinux=0 console=hvc0 -smp 1,maxcpus=16 -machine q35,accel=kvm,nvdimm=on -cpu host,pmu=off -m 2G,slots=10,maxmem=15714M -object memory-backend-file,id=entire-guest-memory-share,mem-path=/dev/shm,size=2G,share=on,prealloc=off,readonly=off -qmp unix:fd=19,server=on,wait=off -rtc base=utc,clock=host,driftfix=slew -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng-pci,rng=rng0 -device pci-bridge,bus=pcie.0,id=pci-bridge-0,chassis_nr=1,shpc=off,addr=2,io-reserve=4k,mem-reserve=1m,pref64-reserve=1m -device virtio-scsi-pci,id=scsi0 -device vhost-vsock-pci,vhostfd=20,guest-cid=115222660 -chardev socket,id=virtiofsd-chardev,path=/run/kata/b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9/root/virtiofsd.sock -device vhost-user-fs-pci,chardev=virtiofsd-chardev,tag=kataShared -numa node,memdev=entire-guest-memory-share -object 
memory-backend-file,id=TODO,mem-path=/opt/kata/share/kata-containers/kata-ubuntu-noble.image,size=256M,share=off,prealloc=off,readonly=on -device nvdimm,memdev=TODO,unarmed=on -device virtio-serial-pci,id=serial0 -device virtconsole,id=console0,chardev=charconsole0 -chardev socket,id=charconsole0,server=on,wait=off,path=/run/kata/b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9/root/console.sock -vga none -no-user-config -nodefaults -nographic -no-reboot +May 07 10:14:27 McLaren kata[125780]: qemu cmd: Command { std: "/opt/kata/bin/qemu-system-x86_64" "-name" "sandbox-b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9" "-kernel" "/opt/kata/share/kata-containers/vmlinux-6.18.15-192" "-append" "reboot=k panic=1 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 cgroup_no_v1=all systemd.unified_cgroup_hierarchy=1 selinux=0 console=hvc0" "-smp" "1,maxcpus=16" "-machine" "q35,accel=kvm,nvdimm=on" "-cpu" "host,pmu=off" "-m" "2G,slots=10,maxmem=15714M" "-object" "memory-backend-file,id=entire-guest-memory-share,mem-path=/dev/shm,size=2G,share=on,prealloc=off,readonly=off" "-qmp" "unix:fd=19,server=on,wait=off" "-rtc" "base=utc,clock=host,driftfix=slew" "-object" "rng-random,id=rng0,filename=/dev/urandom" "-device" "virtio-rng-pci,rng=rng0" "-device" "pci-bridge,bus=pcie.0,id=pci-bridge-0,chassis_nr=1,shpc=off,addr=2,io-reserve=4k,mem-reserve=1m,pref64-reserve=1m" "-device" "virtio-scsi-pci,id=scsi0" "-device" "vhost-vsock-pci,vhostfd=20,guest-cid=115222660" "-chardev" "socket,id=virtiofsd-chardev,path=/run/kata/b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9/root/virtiofsd.sock" "-device" "vhost-user-fs-pci,chardev=virtiofsd-chardev,tag=kataShared" "-numa" "node,memdev=entire-guest-memory-share" "-object" 
"memory-backend-file,id=TODO,mem-path=/opt/kata/share/kata-containers/kata-ubuntu-noble.image,size=256M,share=off,prealloc=off,readonly=on" "-device" "nvdimm,memdev=TODO,unarmed=on" "-device" "virtio-serial-pci,id=serial0" "-device" "virtconsole,id=console0,chardev=charconsole0" "-chardev" "socket,id=charconsole0,server=on,wait=off,path=/run/kata/b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9/root/console.sock" "-vga" "none" "-no-user-config" "-nodefaults" "-nographic" "-no-reboot", kill_on_drop: false } +May 07 10:14:27 McLaren kata[125780]: qemu process started +May 07 10:14:27 McLaren kata[125780]: source: virtiofsd [2026-05-07T07:14:27Z INFO virtiofsd] Client connected, servicing requests +May 07 10:14:27 McLaren kata[125780]: QMP initialized: QMP { + version: VersionInfo { + package: "kata-static", + qemu: VersionTriple { + major: 10, + micro: 1, + minor: 2, + }, + }, + capabilities: [ + Unknown( + String("oob"), + ), + ], + } +May 07 10:14:27 McLaren kata[125780]: starting reading qemu stderr +May 07 10:14:27 McLaren kata[125780]: start vm +May 07 10:14:27 McLaren kata[125780]: QemuInner::get_vmm_master_tid() +May 07 10:14:27 McLaren kata[125780]: QemuInner::get_vmm_master_tid(): returning 125802 +May 07 10:14:27 McLaren kata[125780]: execute hook Hook { path: "/usr/local/bin/nerdctl", args: Some(["/usr/local/bin/nerdctl", "internal", "oci-hook", "createRuntime"]), env: Some(["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "HOSTNAME=McLaren", "HOME=/root", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sbin:/sbin"]), timeout: None } +May 07 10:14:27 McLaren kata[125780]: exit status of hook Hook { path: "/usr/local/bin/nerdctl", args: Some(["/usr/local/bin/nerdctl", "internal", "oci-hook", "createRuntime"]), env: Some(["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "HOSTNAME=McLaren", "HOME=/root", 
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sbin:/sbin"]), timeout: None } : Exited(0) +May 07 10:14:27 McLaren kata[125780]: hook Hook { path: "/usr/local/bin/nerdctl", args: Some(["/usr/local/bin/nerdctl", "internal", "oci-hook", "createRuntime"]), env: Some(["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "HOSTNAME=McLaren", "HOME=/root", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/sbin:/sbin"]), timeout: None } succeeds +May 07 10:14:27 McLaren kata[125780]: hook /usr/local/bin/nerdctl finished +May 07 10:14:27 McLaren kata[125780]: QemuInner::hypervisor_config() +May 07 10:14:27 McLaren kata[125780]: get network entity from config NetworkWithNetNsConfig { network_model: "tcfilter", netns_path: "/var/run/netns/cnitest-64f8f60e-4617-ddc0-e97d-4e35bf4e7e4d", queues: 1, network_created: true } tid Pid(125979) +May 07 10:14:27 McLaren kata[125780]: set netns from old File { fd: 27, path: "net:[4026531833]", read: true, write: false } to new File { fd: 28, path: "/run/netns/cnitest-64f8f60e-4617-ddc0-e97d-4e35bf4e7e4d", read: true, write: false } tid 125979 +May 07 10:14:27 McLaren kata[125780]: set netns from old File { fd: 29, path: "net:[4026532675]", read: true, write: false } to new File { fd: 30, path: "/run/netns/cnitest-64f8f60e-4617-ddc0-e97d-4e35bf4e7e4d", read: true, write: false } tid 125979 +May 07 10:14:27 McLaren kata[125780]: veth network interface found: eth0 +May 07 10:14:27 McLaren kata[125780]: create link with fds [File { fd: 30, path: "/dev/net/tun", read: true, write: true }] +May 07 10:14:27 McLaren kata[125780]: network info NetworkInfoFromLink { interface: Interface { device: "eth0", name: "eth0", ip_addresses: [IPAddress { family: V4, address: "10.4.0.2", mask: "24" }, IPAddress { family: V6, address: "fe80::1090:e8ff:fe20:3f75", mask: "64" }], mtu: 1500, hw_addr: "12:90:e8:20:3f:75", device_path: "", field_type: "veth", raw_flags: 0 }, neighs: [ARPNeighbor { 
to_ip_address: Some(IPAddress { family: V6, address: "ff02::16", mask: "" }), device: "eth0", ll_addr: "33:33:00:00:00:16", state: 64, flags: 0 }, ARPNeighbor { to_ip_address: Some(IPAddress { family: V6, address: "ff02::2", mask: "" }), device: "eth0", ll_addr: "33:33:00:00:00:02", state: 64, flags: 0 }], routes: [Route { dest: "", gateway: "10.4.0.1", device: "eth0", source: "", scope: 0, family: V4, flags: 0, mtu: 0 }] } +May 07 10:14:27 McLaren kata[125780]: set netns to old 29 +May 07 10:14:27 McLaren kata[125780]: set netns to old 27 +May 07 10:14:27 McLaren kata[125780]: set netns from old File { fd: 27, path: "net:[4026531833]", read: true, write: false } to new File { fd: 29, path: "/run/netns/cnitest-64f8f60e-4617-ddc0-e97d-4e35bf4e7e4d", read: true, write: false } tid 125979 +May 07 10:14:29 McLaren containerd[2004]: time="2026-05-07T10:14:29.313289892+03:00" level=error msg="get state for b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9" error="context deadline exceeded" +May 07 10:14:29 McLaren containerd[2004]: time="2026-05-07T10:14:29.313340747+03:00" level=warning msg="unknown status" status=0 +May 07 10:18:15 McLaren containerd[2004]: time="2026-05-07T10:18:15.967451026+03:00" level=info msg="connecting to shim 1afb84a466b6954d9055ce7554d1c778bef744125debcddcbbeb4d22b8fb80ff" address="unix:///run/containerd/s/83a7486a71f4e9471f54a11349a2dd65d0127e6aa8013277a8a9fad334974234" namespace=moby protocol=ttrpc version=3 +May 07 10:18:15 McLaren containerd[2004]: time="2026-05-07T10:18:15.967640056+03:00" level=info msg="connecting to shim bf0390680a9ed024528821dfc36ebe86c4226a62351945e214dcaab00f67f94e" address="unix:///run/containerd/s/44f5886f2e4b53b4b40582360f57b9d0b2a4ce4efb2326b5cb98c069516b1d86" namespace=moby protocol=ttrpc version=3 +May 07 10:18:16 McLaren containerd[2004]: time="2026-05-07T10:18:16.020880807+03:00" level=warning msg="error from *cgroupsv2.Manager.EventChan" error="failed to create inotify fd: too many open 
files" +May 07 10:18:16 McLaren containerd[2004]: time="2026-05-07T10:18:16.023498942+03:00" level=warning msg="error from *cgroupsv2.Manager.EventChan" error="failed to create inotify fd: too many open files" diff --git a/labs/lab12/setup/containerd-kata-config.txt b/labs/lab12/setup/containerd-kata-config.txt new file mode 100644 index 00000000..01f2c790 --- /dev/null +++ b/labs/lab12/setup/containerd-kata-config.txt @@ -0,0 +1,2 @@ +33:[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata] +34: runtime_type = 'io.containerd.kata.v2' diff --git a/labs/lab12/setup/containerd-status.txt b/labs/lab12/setup/containerd-status.txt new file mode 100644 index 00000000..584c8478 --- /dev/null +++ b/labs/lab12/setup/containerd-status.txt @@ -0,0 +1 @@ +active diff --git a/labs/lab12/setup/ctr-containers-after-stuck.txt b/labs/lab12/setup/ctr-containers-after-stuck.txt new file mode 100644 index 00000000..11ccfa9f --- /dev/null +++ b/labs/lab12/setup/ctr-containers-after-stuck.txt @@ -0,0 +1,2 @@ +CONTAINER IMAGE RUNTIME +b9b6ad3abf32f4a2d3f1836632635ff26eb93958b44bd2fc4cbd9e7df7faa1f9 docker.io/library/alpine:3.19 io.containerd.kata.v2 diff --git a/labs/lab12/setup/ctr-tasks-after-stuck.txt b/labs/lab12/setup/ctr-tasks-after-stuck.txt new file mode 100644 index 00000000..1580a418 --- /dev/null +++ b/labs/lab12/setup/ctr-tasks-after-stuck.txt @@ -0,0 +1 @@ +TASK PID STATUS diff --git a/labs/lab12/setup/extract-kata-static.log b/labs/lab12/setup/extract-kata-static.log new file mode 100644 index 00000000..e69de29b diff --git a/labs/lab12/setup/install-kata-assets.log b/labs/lab12/setup/install-kata-assets.log new file mode 100644 index 00000000..11a10b40 --- /dev/null +++ b/labs/lab12/setup/install-kata-assets.log 
@@ -0,0 +1,5 @@ +Installing Kata static assets 3.30.0 for amd64 + % Total % Received % Xferd Average Speed Time Time Time Current + Dload Upload Total Spent Left Speed + 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:07 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:08 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:09 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:10 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:11 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:12 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:13 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:14 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:15 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:16 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:17 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:18 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:19 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:20 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:21 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:22 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:23 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:24 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:25 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:26 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:27 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:28 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:29 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:30 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:31 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:32 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:33 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:34 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:35 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:36 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:37 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:38 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:39 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:40 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 
0:00:41 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:42 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:43 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:44 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:45 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:46 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:47 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:48 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:49 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:50 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:51 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:52 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:53 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:54 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:55 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:56 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:57 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:58 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:00:59 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:00 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:01 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:02 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:03 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:04 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:05 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:06 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:07 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:08 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:09 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:10 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:11 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:12 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:13 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:14 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:15 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:16 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:17 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:18 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:19 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:20 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:21 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:22 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:23 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:24 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:25 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:26 --:--:-- 0 
0 0 0 0 0 0 0 0 --:--:-- 0:01:27 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:28 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:29 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:30 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:31 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:32 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:33 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:34 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:35 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:36 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:37 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:38 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:39 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:40 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:41 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:42 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:43 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:44 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:45 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:46 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:47 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:48 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:49 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:50 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:51 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:52 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:53 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:54 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:55 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:56 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:57 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:58 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:01:59 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:00 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:01 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:02 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:03 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:04 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:05 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:06 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:07 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:08 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:09 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:10 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:11 --:--:-- 0 0 0 0 0 0 0 0 0 
--:--:-- 0:02:12 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:13 --:--:-- 0 0 0 0 0 0 0 0 0 --:--:-- 0:02:13 --:--:-- 0 +curl: (28) Failed to connect to github.com port 443 after 133651 ms: Couldn't connect to server diff --git a/labs/lab12/setup/kata-built-version.txt b/labs/lab12/setup/kata-built-version.txt new file mode 100644 index 00000000..d7cc473d --- /dev/null +++ b/labs/lab12/setup/kata-built-version.txt @@ -0,0 +1 @@ +Kata Containers containerd shim (Rust): id: io.containerd.kata.v2, version: 3.30.0, commit: 5f6512ac938af9134753dc07e9fd70ccfb69cc26 diff --git a/labs/lab12/setup/kata-config-link.txt b/labs/lab12/setup/kata-config-link.txt new file mode 100644 index 00000000..b1697c0e --- /dev/null +++ b/labs/lab12/setup/kata-config-link.txt @@ -0,0 +1 @@ +lrwxrwxrwx 1 root root 86 May 7 07:11 /host/etc/kata-containers/runtime-rs/configuration.toml -> /opt/kata/share/defaults/kata-containers/runtime-rs/configuration-qemu-runtime-rs.toml diff --git a/labs/lab12/setup/kata-static-contents.txt b/labs/lab12/setup/kata-static-contents.txt new file mode 100644 index 00000000..ff94d133 --- /dev/null +++ b/labs/lab12/setup/kata-static-contents.txt 
@@ -0,0 +1,80 @@ +./ +./opt/ +./opt/kata/ +./opt/kata/runtime-rs/ +./opt/kata/runtime-rs/bin/ +./opt/kata/runtime-rs/bin/containerd-shim-kata-v2 +./opt/kata/libexec/ +./opt/kata/libexec/nydusd +./opt/kata/libexec/virtiofsd +./opt/kata/versions.yaml +./opt/kata/include/ +./opt/kata/include/libfdt_env.h +./opt/kata/include/fdt.h +./opt/kata/include/libfdt.h +./opt/kata/bin/ +./opt/kata/bin/kata-monitor +./opt/kata/bin/jailer +./opt/kata/bin/containerd-shim-kata-v2 +./opt/kata/bin/firecracker +./opt/kata/bin/cloud-hypervisor +./opt/kata/bin/qemu-system-x86_64 +./opt/kata/bin/qemu-system-x86_64-tdx-experimental +./opt/kata/bin/kata-collect-data.sh +./opt/kata/bin/kata-runtime +./opt/kata/bin/qemu-system-x86_64-snp-experimental +./opt/kata/lib/ +./opt/kata/lib/kata-qemu-tdx-experimental/ +./opt/kata/lib/kata-qemu-tdx-experimental/pkgconfig/ +./opt/kata/lib/kata-qemu-tdx-experimental/pkgconfig/libfdt.pc +./opt/kata/lib/kata-qemu-tdx-experimental/libfdt.a +./opt/kata/lib/kata-qemu/ +./opt/kata/lib/kata-qemu/pkgconfig/ +./opt/kata/lib/kata-qemu/pkgconfig/libfdt.pc +./opt/kata/lib/kata-qemu/libfdt.a +./opt/kata/lib/kata-qemu-snp-experimental/ +./opt/kata/lib/kata-qemu-snp-experimental/pkgconfig/ +./opt/kata/lib/kata-qemu-snp-experimental/pkgconfig/libfdt.pc +./opt/kata/lib/kata-qemu-snp-experimental/libfdt.a +./opt/kata/share/ +./opt/kata/share/kata-containers/ +./opt/kata/share/kata-containers/kata-containers-mariner.img +./opt/kata/share/kata-containers/kata-containers-nvidia-gpu-confidential.img +./opt/kata/share/kata-containers/vmlinuz.container +./opt/kata/share/kata-containers/vmlinux-6.18.22-192-dragonball-experimental +./opt/kata/share/kata-containers/kata-cbl-mariner-3.0-mariner.image +./opt/kata/share/kata-containers/vmlinux-6.18.15-192-nvidia-gpu +./opt/kata/share/kata-containers/vmlinuz-6.18.15-192 +./opt/kata/share/kata-containers/root_hash_nvidia-gpu.txt +./opt/kata/share/kata-containers/kata-ubuntu-noble-confidential.initrd 
+./opt/kata/share/kata-containers/vmlinux.container +./opt/kata/share/kata-containers/vmlinuz-debug.container +./opt/kata/share/kata-containers/vmlinuz-dragonball-experimental.container +./opt/kata/share/kata-containers/config-6.18.15-192-nvidia-gpu +./opt/kata/share/kata-containers/root_hash_nvidia-gpu-confidential.txt +./opt/kata/share/kata-containers/vmlinux-nvidia-gpu.container +./opt/kata/share/kata-containers/kata-alpine-3.22.initrd +./opt/kata/share/kata-containers/vmlinux-6.18.15-192 +./opt/kata/share/kata-containers/kata-containers-confidential.img +./opt/kata/share/kata-containers/vmlinuz-6.18.22-192-dragonball-experimental +./opt/kata/share/kata-containers/config-6.18.15-192-debug +./opt/kata/share/kata-containers/vmlinux-dragonball-experimental.container +./opt/kata/share/kata-containers/kata-containers.img +./opt/kata/share/kata-containers/System.map-6.18.22-192-dragonball-experimental +./opt/kata/share/kata-containers/kata-containers-initrd.img +./opt/kata/share/kata-containers/config-6.18.15-192 +./opt/kata/share/kata-containers/vmlinuz-6.18.15-192-debug +./opt/kata/share/kata-containers/System.map-6.18.15-192-nvidia-gpu +./opt/kata/share/kata-containers/kata-ubuntu-noble-nvidia-gpu-595.58.03.image +./opt/kata/share/kata-containers/vmlinux-6.18.15-192-debug +./opt/kata/share/kata-containers/config-6.18.22-192-dragonball-experimental +./opt/kata/share/kata-containers/kata-ubuntu-noble.image +./opt/kata/share/kata-containers/System.map-6.18.15-192 +./opt/kata/share/kata-containers/root_hash_confidential.txt +./opt/kata/share/kata-containers/vmlinux-debug.container +./opt/kata/share/kata-containers/kata-containers-initrd-confidential.img +./opt/kata/share/kata-containers/kata-ubuntu-noble-confidential.image +./opt/kata/share/kata-containers/kata-ubuntu-noble-nvidia-gpu-confidential-595.58.03.image +./opt/kata/share/kata-containers/kata-containers-nvidia-gpu.img +./opt/kata/share/kata-containers/vmlinuz-nvidia-gpu.container 
+./opt/kata/share/kata-containers/vmlinuz-6.18.15-192-nvidia-gpu diff --git a/labs/lab12/setup/kata-test-run-ctr.txt b/labs/lab12/setup/kata-test-run-ctr.txt new file mode 100644 index 00000000..9417bcb6 --- /dev/null +++ b/labs/lab12/setup/kata-test-run-ctr.txt @@ -0,0 +1 @@ +Linux fc6eb5c2bf6a 6.18.15 #1 SMP Sat May 2 16:07:11 UTC 2026 x86_64 Linux diff --git a/labs/lab12/setup/kata-test-run.txt b/labs/lab12/setup/kata-test-run.txt new file mode 100644 index 00000000..1d59bcf6 --- /dev/null +++ b/labs/lab12/setup/kata-test-run.txt @@ -0,0 +1 @@ +time="2026-05-07T10:14:27+03:00" level=warning msg="cannot set cgroup manager to \"systemd\" for runtime \"io.containerd.kata.v2\"" diff --git a/labs/lab12/setup/nerdctl-ps-after-kata-test.txt b/labs/lab12/setup/nerdctl-ps-after-kata-test.txt new file mode 100644 index 00000000..94b4f4dc --- /dev/null +++ b/labs/lab12/setup/nerdctl-ps-after-kata-test.txt @@ -0,0 +1,2 @@ +CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES +b9b6ad3abf32 docker.io/library/alpine:3.19 "uname -a" 3 minutes ago Unknown alpine-b9b6a diff --git a/labs/lab12/setup/nerdctl-root-version.txt b/labs/lab12/setup/nerdctl-root-version.txt new file mode 100644 index 00000000..d07970c0 --- /dev/null +++ b/labs/lab12/setup/nerdctl-root-version.txt @@ -0,0 +1 @@ +nerdctl version 2.2.0 diff --git a/labs/lab12/setup/nerdctl-version.txt b/labs/lab12/setup/nerdctl-version.txt new file mode 100644 index 00000000..d07970c0 --- /dev/null +++ b/labs/lab12/setup/nerdctl-version.txt @@ -0,0 +1 @@ +nerdctl version 2.2.0 diff --git a/labs/lab12/setup/restart-containerd.txt b/labs/lab12/setup/restart-containerd.txt new file mode 100644 index 00000000..e69de29b diff --git a/labs/submission12.md b/labs/submission12.md new file mode 100644 index 00000000..4f94275c --- /dev/null +++ b/labs/submission12.md 
@@ -0,0 +1,173 @@ +# Lab 12 Submission - Kata Containers VM-backed Sandboxing + +## Task 1 - Install and Configure Kata + +Hardware virtualization is available on this host (`egrep -c '(vmx|svm)' /proc/cpuinfo` returned `32`). `containerd` is active and was configured with the Kata runtime: + +```text +[plugins.'io.containerd.grpc.v1.cri'.containerd.runtimes.kata] + runtime_type = 'io.containerd.kata.v2' +``` + +Kata runtime-rs shim was built from source after updating the provided build script to include missing build dependencies (`g++`, `cmake`, and `jq`) and to copy the binary from the workspace-level Cargo target directory. + +Shim evidence: + +```text +Kata Containers containerd shim (Rust): id: io.containerd.kata.v2, version: 3.30.0, commit: 5f6512ac938af9134753dc07e9fd70ccfb69cc26 +``` + +Kata static assets 3.30.0 were installed under `/opt/kata`, and `/etc/kata-containers/runtime-rs/configuration.toml` was linked to: + +```text +/opt/kata/share/defaults/kata-containers/runtime-rs/configuration-qemu-runtime-rs.toml +``` + +The direct `nerdctl --runtime io.containerd.kata.v2` test reached VM creation but hit the known runtime-rs/nerdctl issue documented in the lab, leaving the test container in `Unknown` state. 
The successful Kata execution evidence was therefore captured with the documented workaround, direct `ctr`: + +```text +Linux fc6eb5c2bf6a 6.18.15 #1 SMP Sat May 2 16:07:11 UTC 2026 x86_64 Linux +``` + +Artifacts: + +- `labs/lab12/setup/kata-built-version.txt` +- `labs/lab12/setup/kata-test-run.txt` +- `labs/lab12/setup/kata-test-run-ctr.txt` +- `labs/lab12/setup/containerd-kata-config.txt` +- `labs/lab12/setup/kata-config-link.txt` +- `labs/lab12/setup/containerd-journal-tail.txt` + +## Task 2 - Run and Compare Containers + +The default runc workload was OWASP Juice Shop via `nerdctl`: + +```text +juice-runc: HTTP 200 +``` + +Kata short-lived Alpine tests were run with `ctr --runtime io.containerd.kata.v2`: + +```text +Linux fc6eb5c2bf6a 6.18.15 #1 SMP Sat May 2 16:07:11 UTC 2026 x86_64 Linux +6.18.15 +model name : 12th Gen Intel(R) Core(TM) i5-1240P +``` + +Kernel comparison: + +```text +Host kernel (runc uses this): 6.17.0-23-generic +Kata guest kernel: Linux version 6.18.15 ... #1 SMP Sat May 2 16:07:11 UTC 2026 +``` + +CPU comparison: + +```text +Host CPU: +model name : 12th Gen Intel(R) Core(TM) i5-1240P +Kata VM CPU: +model name : 12th Gen Intel(R) Core(TM) i5-1240P +``` + +Isolation implications: + +- **runc**: shares the host kernel. Namespaces/cgroups/seccomp provide isolation, but kernel attack surface remains shared with the host. +- **Kata**: runs the container workload inside a lightweight VM with a separate guest kernel. In this QEMU config the CPU model is passed through as host CPU, but the kernel boundary is still separate. + +Artifacts: + +- `labs/lab12/runc/health.txt` +- `labs/lab12/kata/test1.txt` +- `labs/lab12/kata/kernel.txt` +- `labs/lab12/kata/cpu.txt` +- `labs/lab12/analysis/kernel-comparison.txt` +- `labs/lab12/analysis/cpu-comparison.txt` + +## Task 3 - Isolation Tests + +dmesg from Kata shows guest VM boot logs, proving a separate kernel: + +```text +[ 0.000000] Linux version 6.18.15 (@a3f44c86bab0) ... 
+[ 0.000000] Command line: reboot=k panic=1 systemd.unit=kata-containers.target ... +[ 0.000000] BIOS-provided physical RAM map: +``` + +`/proc` visibility is much smaller inside the Kata VM: + +```text +Host: 719 +Kata VM: 54 +``` + +Network interface capture from the direct `ctr` workaround: + +```text +1: lo: mtu 65536 qdisc noqueue state UNKNOWN qlen 1000 + inet 127.0.0.1/8 scope host lo +``` + +Note: the `nerdctl` path created a CNI-backed network (`eth0` with `10.4.0.2`) according to `containerd-journal-tail.txt`, but the container then hit the known `Unknown` status issue. The stable `ctr` workaround used for evidence does not attach the nerdctl CNI network. + +Kernel module counts: + +```text +Host kernel modules: 378 +Kata guest kernel modules: 79 +``` + +Security implications: + +- **Container escape in runc**: a kernel-level escape can become a host compromise because the container and host share the same kernel. +- **Container escape in Kata**: an attacker first lands in the guest VM/kernel boundary; reaching the host generally requires a hypervisor, virtio, VM escape, or host integration flaw, which is a stronger isolation boundary. + +Artifacts: + +- `labs/lab12/isolation/dmesg.txt` +- `labs/lab12/isolation/proc.txt` +- `labs/lab12/isolation/network.txt` +- `labs/lab12/isolation/modules.txt` + +## Task 4 - Performance Comparison + +Startup timing: + +```text +runc: +real 0.57 + +Kata: +real 5.95 +``` + +HTTP latency for the runc Juice Shop baseline: + +```text +avg=0.0019s min=0.0012s max=0.0040s n=50 +``` + +Performance trade-offs: + +- **Startup overhead**: Kata was about 10x slower for this short-lived test because it boots a lightweight VM and guest kernel. +- **Runtime overhead**: once running, Kata should be acceptable for many services, but syscall, filesystem sharing, networking, and VM memory overhead are higher than runc. 
+- **CPU overhead**: CPU model was passed through, so CPU-bound work should be closer to native than startup-heavy workloads, but VM exits and device virtualization still add overhead. + +Recommendations: + +- **Use runc when**: workloads are trusted, high-density, latency-sensitive, short-lived, or need the simplest operational model. +- **Use Kata when**: workloads are multi-tenant, less trusted, exposed to untrusted input, or require a stronger boundary than Linux namespaces alone. + +Artifacts: + +- `labs/lab12/bench/startup.txt` +- `labs/lab12/bench/http-latency.txt` +- `labs/lab12/bench/curl-3012.txt` + +## Submission Checklist + +- [x] Task 1 - Kata shim built, installed, configured, and verified. +- [x] Task 2 - runc Juice Shop and Kata Alpine runtime comparison captured. +- [x] Task 3 - Isolation tests captured and analyzed. +- [x] Task 4 - Startup and HTTP latency snapshot captured. +- [x] Large local build/download artifacts are ignored via `labs/lab12/setup/.gitignore`.
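Review bot: in the `labs/lab12/setup/install-kata-assets.log` hunk the committed log records a failed download rather than an install: after two minutes of zero-byte progress lines the only real output is `curl: (28) Failed to connect to github.com port 443 after 133651 ms: Couldn't connect to server`, yet `kata-static-contents.txt` and the Task 1 text state that the 3.30.0 static assets were installed. Commit the log of the run that actually succeeded, and make the install script fail fast on a download error (`curl --fail` together with `set -e`, or an explicit exit-status check before extracting) so that an empty or partial tarball can never be unpacked silently. The same gap applies to `extract-kata-static.log` and `restart-containerd.txt`, which are added as empty files (blob `e69de29b`) and therefore document nothing.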
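Review bot: the isolation discussion in Task 3 should reflect what the runtime configuration dumped in the containerd journal hunk actually enables: `disable_guest_seccomp: true`, `disable_guest_selinux: true` and `selinux=0` on the guest kernel command line, `confidential_guest: false`, and `sandbox: available protection: NoProtection`. With those settings the boundary rests on KVM/QEMU plus the host-side helpers the same log shows being attached to the VM, namely virtiofsd exporting the per-sandbox `/run/kata-containers/shared/sandboxes/<sandbox-id>/ro` directory over `vhost-user-fs-pci`, `vhost-vsock-pci`, and vhost-net (`disable_vhost_net: false`); naming these would turn the generic "hypervisor, virtio, VM escape, or host integration flaw" sentence into the concrete host attack surface of this setup, and `-cpu host,pmu=off` in the qemu argument list is the direct evidence for the CPU pass-through claim in Task 2. The `Unknown` state attributed to "the known runtime-rs/nerdctl issue" also has a visible symptom worth quoting in Task 1: about two seconds after `qemu process started`, containerd logs `get state for b9b6ad3a... error="context deadline exceeded"` followed by `unknown status status=0`, and `kata-test-run.txt` carries the preceding warning `cannot set cgroup manager to "systemd" for runtime "io.containerd.kata.v2"`. The later `failed to create inotify fd: too many open files` warnings from `*cgroupsv2.Manager.EventChan` are a separate host descriptor-limit problem that occurred in the same session and should at least be mentioned.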
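Review bot: in the `labs/submission12.md` hunk, Task 4 presents a runc-only latency side and a single-sample startup side, so the checklist line "Startup and HTTP latency snapshot captured" overstates what `bench/` contains. `http-latency.txt` and `curl-3012.txt` are both labelled `juice-runc` (n=50) and there is no Kata latency series, so the "Runtime overhead" bullet is an expectation rather than a measurement and should say so; `startup.txt` holds one `real` value per runtime (0.57 vs 5.95) with the container's `test` output interleaved, so the "about 10x slower" claim needs several cold starts (report min and median) and the file should record how the timing was taken (which `time`, which command). In Task 3 the `/proc` figures (Host: 719, Kata VM: 54) are not interpretable without the command that produced them: if they are entry counts of `/proc`, the number is dominated by per-PID directories, which a runc container's PID namespace hides as well, so it measures visible processes rather than the kernel boundary. State the command in `isolation/proc.txt`, or rely on the kernel-specific evidence already captured (`/proc/version`, the 378 vs 79 module counts, the guest `dmesg` boot log).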