Saikrishna Edupuganti edited this page Feb 8, 2019 · 5 revisions

Trying Kata Containers with Firecracker (and QEMU)

Clear Linux bundles Kata Containers as well as Firecracker.

To quickly experience how Kata Containers can be used to set up a cluster that runs Kubernetes with different types of isolation mechanisms, we have created a simple developer environment. With it you can run workloads with runc (using cgroups and namespaces provided by the host kernel for isolation), Kata with QEMU/KVM (uses VT-x for isolation and QEMU as the hypervisor), and Kata with Firecracker (uses VT-x for isolation and the minimal Firecracker VMM).

This lets you match your isolation, security and feature requirements on a workload-by-workload basis.

Here is a quick start guide based on the README.md.

Assuming you have Vagrant set up:

git clone https://github.com/clearlinux/cloud-native-setup

cd ./cloud-native-setup/clr-k8s-examples

#Ensure the vagrant environment is current
vagrant destroy -f
vagrant box update
vagrant box prune

#Create a vagrant VM to run kubernetes
vagrant destroy -f; NODES=1 CPUS=8 vagrant up --provider=libvirt

#ssh into the vagrant VM
vagrant ssh clr-01
cd clr-k8s-examples

#Bring up a minimal kubernetes stack
./create_stack.sh minimal
watch kubectl get po --all-namespaces
   
# Run a Kata POD using firecracker
kubectl apply -f ./tests/deploy-svc-ing/test-deploy-kata-fc.yaml

#Wait for the POD to come up
watch kubectl describe pod

#Check that it works
http_proxy="" https_proxy="" curl -w "\n" -s $(kubectl get svc php-apache-kata-fc | awk 'NR==2 {print $3}')
   
#Run a Kata POD using QEMU
kubectl apply -f ./tests/deploy-svc-ing/test-deploy-kata-qemu.yaml
http_proxy="" https_proxy="" curl -w "\n" -s $(kubectl get svc php-apache-kata-qemu | awk 'NR==2 {print $3}')
   
#Run a POD using runc
kubectl apply -f ./tests/deploy-svc-ing/test-deploy-runc.yaml
http_proxy="" https_proxy="" curl -w "\n" -s $(kubectl get svc php-apache-runc | awk 'NR==2 {print $3}')   
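
The curl checks above only show that each service answers, not which isolation boundary the pod is running behind. The following is an added example, not part of the original wiki or the cloud-native-setup repository: it compares the kernel release seen inside each pod with the node's kernel. It assumes the pods are named after the services used above (`php-apache-kata-fc`, `php-apache-kata-qemu`, `php-apache-runc`); the function names are hypothetical.

```bash
#!/bin/sh
# Added example (not from the wiki): check which isolation each test pod got.
# Heuristic: a Kata pod boots a guest kernel inside its VM, so `uname -r` in
# the pod differs from the node's kernel; a runc pod reports the node's kernel.

# Kernel release of the single node created with NODES=1.
node_kernel() {
    kubectl get nodes -o jsonpath='{.items[0].status.nodeInfo.kernelVersion}'
}

# First pod whose name starts with "<prefix>-".
# Assumption: pods are named after the services shown on this page.
pod_for() {
    kubectl get pods -o name | grep "^pod/$1-" | head -n 1
}

# Kernel release as seen from inside the pod ($1 is "pod/<name>").
pod_kernel() {
    kubectl exec "${1#pod/}" -- uname -r
}

# classify NODE_KERNEL POD_KERNEL -> vm | shared | unknown
classify() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" = "$2" ]; then echo shared
    else echo vm
    fi
}

# Print one line per workload; return 1 if any pod is not isolated as expected.
check_isolation() {
    local host entry name want pod guest got rc=0
    host=$(node_kernel) || host=""
    for entry in php-apache-kata-fc:vm php-apache-kata-qemu:vm php-apache-runc:shared; do
        name=${entry%%:*}; want=${entry##*:}; guest=""
        pod=$(pod_for "$name")
        if [ -n "$pod" ]; then guest=$(pod_kernel "$pod" 2>/dev/null) || guest=""; fi
        got=$(classify "$host" "$guest")
        printf '%-22s node=%s pod=%s -> %s (expected %s)\n' \
            "$name" "${host:-?}" "${guest:-?}" "$got" "$want"
        [ "$got" = "$want" ] || rc=1
    done
    return "$rc"
}

# Run inside the vagrant VM after the pods are up:  check_isolation
```

A Kata pod that reports the node's kernel release has most likely fallen back to runc, which means the workload is not getting the VT-x boundary it was scheduled for.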