Open stevefan1999-personal opened 2 weeks ago
cc @kata-containers/architecture-committee
@stevefan1999-personal, there are several things on your PR that are worth covering.
Whether or not having this enabled by default is out of my scope, but what's the main issue on building this on your side? This will be used to evaluated and have an educated decision on the topic.
Another question is, would it be okay if we release a kernel with such support, but do not use this kernel by default? If this would help, I'd say this is worth considering, and then the work on adapting the configuration file to point to this kernel would still be on whoever is using it. At least this would be simpler than forcing users to build their own kernel.
Whether or not having this enabled by default is out of my scope, but what's the main issue on building this on your side? This will be used to evaluated and have an educated decision on the topic.
I used Talos Linux as a foundation for my Kubernetes cluster, and although their extension is available here, it is not trivial to track and build a custom kernel. But it is still possible.
Another question is, would it be okay if we release a kernel with such support, but do not use this kernel by default? If this would help, I'd say this is worth considering, and then the work on adapting the configuration file to point to this kernel would still be on whoever is using it. At least this would be simpler than forcing users to build their own kernel.
Interesting take, but how do we make sure that it is easy for the end user to use that kernel? I'm using Kata Container on Kubernetes and the configuration is immutable on Talos Linux, so it is not easy to change the manifest to point to that kernel either. If you have auto Kata deployment on K8S it is also not easy to either since every time you hit kata-deploy
your configuration file would reset.
The 32-bit support was the base for this attack: https://ahoi-attacks.github.io/heckler/ against confidential VMs. Having this per default may have unseen consequences for all our use-cases.
The 32-bit support was the base for this attack: https://ahoi-attacks.github.io/heckler/ against confidential VMs. Having this per default may have unseen consequences for all our use-cases.
Per @fidencio's suggestion, is it possible to provide an alternative kernel that non-confidential VM users can easily enable? As a game server operator confidentiality is often not required, rather strong CPU and memory isolation is more than enough. Valve's model towards game server such as TF2 and CS2 is to use KVM and implemented a fast hypervisor tailored for game servers, and I believe Kata is the way to go even further.
Another real world issue: SteamCMD 32-bit requirement. According to Valve's wiki:
Since SteamCMD is a 32-bit binary, 32-bit libraries are required.
This is a hard requirement and I do not foresee any change in the future. Almost all public dedicated servers today need to use steamcmd for administration such as downloading and validating server assets, making this a hard requirement for a proper game server.
I used Talos Linux as a foundation for my Kubernetes cluster, and although their extension is available here, it is not trivial to track and build a custom kernel. But it is still possible.
Talos is using official releases, AFAIK. We could, though, work with this on the Talos side and ensure they're fine providing a kernel with this change. WDYT?
Revival of #3760, this should enable 32-bit emulation support. Here's the quote of the original justification:
Shorter, tl;dr version:
There is a whole fleet of game servers and all of them often requires 32-bit support due to Steam API library still being used as 32-bit at large (despite 64-bit library is available). One example I reckon is the dedicated server for Insurgency Sandstorm.
Some dedicated server for old games (such as Sven Coop and TF2) are also 32-bit only.
This is not a "corner case" and it is a typical problem with Kata Container's adoption with popular game server in real world.