Host Filesystem Sharing

[raduweiss]

This feature is in high demand, and we formerly rejected the p9-based implementation for security concerns. With the advent of things like virtio-fs and other ideas of how to achieve this functionality, we will need to research our options and revisit the threat model impact.

Related issues: #889

[zgen0623]

With this feature, can the firecracker work with overlay-fs just like docker?

[raduweiss]

We don't know yet. The next step here will be to research the existing options and their trade-offs.

Basically, everything int he Researching part of the roadmap has a "feature is desirable but design & plans TBD" status.

[fanux]

I think support kubernetes PV block is better...

[zmlcc]

VirioFS has been merged into mainline. I think support this driver would solve the sharing problem

[raduweiss]

Closing this for now as it doesn't look like a path we need to take Firecracker on. More detailed our line of reasoning reasoning in #1351 . @zmlcc thanks for the work on that PR, it eventually caused to to consider this carefully and reach a decision here.

[wenhuizhang]

I used configuration:

root@n192-191-015:~/opt/kata/share/defaults/kata-containers# cat /etc/kata-containers/configuration.toml
[hypervisor.firecracker]
path = "/root/opt/kata/bin/firecracker"
kernel = "/usr/share/kata-containers/vmlinux.container"
image = "/root/opt/kata/share/kata-containers/kata-containers.img"

rootfs_type="ext4"
enable_annotations = ["enable_iommu"]
valid_hypervisor_paths = ["/root/opt/kata/bin/firecracker"]
jailer_path = "/root/opt/kata/bin/jailer"
valid_jailer_paths = ["/root/opt/kata/bin/jailer"]
kernel_params = ""
default_vcpus = 1
default_bridges = 1
default_memory = 2048
default_maxmemory = 0

disable_block_device_use = false
shared_fs = "virtio-fs"
virtio_fs_daemon = "/root/opt/kata/libexec/virtiofsd"
valid_virtio_fs_daemon_paths = ["/root/opt/kata/libexec/virtiofsd"]
virtio_fs_cache_size = 0
virtio_fs_queue_size = 1024
virtio_fs_extra_args = ["--thread-pool-size=1", "-o", "announce_submounts"]
virtio_fs_cache = "auto"
block_device_driver = "virtio-scsi"
block_device_aio = "io_uring"
enable_iothreads = false
enable_vhost_user_store = false
vhost_user_store_path = "/var/run/kata-containers/vhost-user"
valid_vhost_user_store_paths = ["/var/run/kata-containers/vhost-user"]
vhost_user_reconnect_timeout_sec = 0
valid_file_mem_backends = [""]
pflashes = []
valid_entropy_sources = ["/dev/urandom","/dev/random",""]
disable_selinux=false
disable_guest_selinux=true

[factory]

[agent.kata]
kernel_modules=[]

[runtime]
internetworking_model="tcfilter"
disable_guest_seccomp=true
sandbox_cgroup_only=false
static_sandbox_resource_mgmt=true
disable_guest_empty_dir=false
experimental=[]

and got

root@n192-191-015:~/opt/kata/share/defaults/kata-containers# sudo ctr run --snapshotter devmapper --runtime io.containerd.run.kata-fc.v2 -t --rm docker.io/library/ubuntu:latest test
ctr: failed to create shim task: Timeout after 3s waiting for uevent ScsiBlockMatcher { search: "/0:0:0:0/block/" }: unknown

[dianpopa]

hi @wenhuizhang

Firstly, The configuration you posted seems to contain some virtio-fs setup. Firecracker does not have support for that. Secondly, the replication steps posted are specific to kata-container setup and we, as the Firecracker maintainers, are not able to provide the proper expertise to help with that.

Thanks!

[alexandru0-dev]

Firstly, The configuration you posted seems to contain some virtio-fs setup. Firecracker does not have support for that.

Is virtio-fs going to be supported?

[zulinx86]

Hello @alexandru0-dev

virtio-fs support is not currently on our roadmap as we answered on this comment. If you have specific use case requiring virtio-fs, feel free to share it with us.

Thanks!

[alexandru0-dev]

@zulinx86 virtiofs would allow high performance for a shared filesystem with the host for when the host or multiple VMs. I agree on the decision to not add support to 9p.

Also rust-vmm should now support virtio-fs if I'm not mistaken.

I would be happy to discuss the topic.

[paulbaumgart]

As an alternative, https://github.com/cloud-hypervisor/cloud-hypervisor is a rust-vmm-based lightweight hypervisor that has virtio-fs support.

[alexandru0-dev]

@paulbaumgart yeah in fact I was using that one for now but I was also interested in this project