search

kata-containers / kata-containers

Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
Apache License 2.0
5.08k stars 1k forks source link

kernel: Enable 32bits emulation support (again) #9831

Open stevefan1999-personal opened 2 weeks ago

stevefan1999-personal commented 2 weeks ago

Revival of #3760, this should enable 32-bit emulation support. Here's the quote of the original justification:

@fidencio Is it possible to reconsider this PR? I have a bunch of game servers that needs Steam access, but it currently lacks 32-bit compatibility due to Steam native library is still 32-bit based, rendering Kata hard to use in this case, because even if you have 64-bit game server, you will still fail to initialize Steam and the whole server just crashed at that point. Also, older HLDS and SRCDS servers like Counter Strike 1.6 and Garry's Mod dedicated servers are also 32-bit only at this moment. It is not certain for CS2 but I think the 32-bit Steam library would still be a stopper.

It takes quite a huge effort to build a kata-deploy for such use. Wonder why we can't just add CONFIG_IA32_EMULATION=y to the config matrix?

Shorter, tl;dr version:

Please reconsider this PR. I have game servers needing Steam access, but the Steam native library is still 32-bit, making it difficult to use with Kata due to 64-bit game servers failing to initialize Steam. Older servers like Counter Strike 1.6 and Garry's Mod are also 32-bit only. Why not add CONFIG_IA32_EMULATION=y to the config matrix?

There is a whole fleet of game servers and all of them often requires 32-bit support due to Steam API library still being used as 32-bit at large (despite 64-bit library is available). One example I reckon is the dedicated server for Insurgency Sandstorm.

Some dedicated server for old games (such as Sven Coop and TF2) are also 32-bit only.

This is not a "corner case" and it is a typical problem with Kata Container's adoption with popular game server in real world.

fidencio commented 1 week ago

cc @kata-containers/architecture-committee

fidencio commented 1 week ago

@stevefan1999-personal, there are several things on your PR that are worth covering.

Whether or not having this enabled by default is out of my scope, but what's the main issue on building this on your side? This will be used to evaluated and have an educated decision on the topic.

Another question is, would it be okay if we release a kernel with such support, but do not use this kernel by default? If this would help, I'd say this is worth considering, and then the work on adapting the configuration file to point to this kernel would still be on whoever is using it. At least this would be simpler than forcing users to build their own kernel.

stevefan1999-personal commented 1 week ago

Whether or not having this enabled by default is out of my scope, but what's the main issue on building this on your side? This will be used to evaluated and have an educated decision on the topic.

I used Talos Linux as a foundation for my Kubernetes cluster, and although their extension is available here, it is not trivial to track and build a custom kernel. But it is still possible.

Another question is, would it be okay if we release a kernel with such support, but do not use this kernel by default? If this would help, I'd say this is worth considering, and then the work on adapting the configuration file to point to this kernel would still be on whoever is using it. At least this would be simpler than forcing users to build their own kernel.

Interesting take, but how do we make sure that it is easy for the end user to use that kernel? I'm using Kata Container on Kubernetes and the configuration is immutable on Talos Linux, so it is not easy to change the manifest to point to that kernel either. If you have auto Kata deployment on K8S it is also not easy to either since every time you hit kata-deploy your configuration file would reset.

zvonkok commented 1 week ago

The 32-bit support was the base for this attack: https://ahoi-attacks.github.io/heckler/ against confidential VMs. Having this per default may have unseen consequences for all our use-cases.

stevefan1999-personal commented 1 week ago

The 32-bit support was the base for this attack: https://ahoi-attacks.github.io/heckler/ against confidential VMs. Having this per default may have unseen consequences for all our use-cases.

Per @fidencio's suggestion, is it possible to provide an alternative kernel that non-confidential VM users can easily enable? As a game server operator confidentiality is often not required, rather strong CPU and memory isolation is more than enough. Valve's model towards game server such as TF2 and CS2 is to use KVM and implemented a fast hypervisor tailored for game servers, and I believe Kata is the way to go even further.

stevefan1999-personal commented 1 week ago

Another real world issue: SteamCMD 32-bit requirement. According to Valve's wiki:

Since SteamCMD is a 32-bit binary, 32-bit libraries are required.

This is a hard requirement and I do not foresee any change in the future. Almost all public dedicated servers today need to use steamcmd for administration such as downloading and validating server assets, making this a hard requirement for a proper game server.

fidencio commented 1 week ago

I used Talos Linux as a foundation for my Kubernetes cluster, and although their extension is available here, it is not trivial to track and build a custom kernel. But it is still possible.

Talos is using official releases, AFAIK. We could, though, work with this on the Talos side and ensure they're fine providing a kernel with this change. WDYT?