QUESTION: Is there any requirement for the kata guest kernel?

[lining2020x]

Description of problem

Hi guys:

I used the centos kernel as the kata guest OS kernel (Just for testing). And the kata container didn't start up normally.

Is there any requirements for the kata guest OS kernel? We want to use our own kernel to replace the default guest kernel which kata provides.

What I did

I replaced the default kernel and initramfs setting with the centos' in the hypervisor.qemu section:

kernel = "/usr/share/kata-containers/vmlinuz-3.10.0-1127.8.2.el7.x86_64"
initrd = "/usr/share/kata-containers/initramfs-3.10.0-1127.8.2.el7.x86_64.img"

The I use the containerd client cmdline tool 'ctr' to start a kata container

ctr containers create --runtime io.containerd.kata.v2 docker.io/library/busybox:latest b1 sleep 1000
ctr tasks start b1

The kata container can't start up and there is a key error message in journal:

May 26 20:27:28 centos0 kata[4617]: time="2020-05-26T20:27:28.320066217+08:00" level=error msg="Failed to read agent logs" ID=b1 console-protocol=unix console-socket=/run/vc/vm/b1/console.sock error="read unix  @->/run/vc/vm/b1/console.sock: use of closed network connection" sandbox=b1 source=virtcontainers subsystem=kata_agent

Expected result

The kata container can run normally.

Actual result

It failed.

[fidencio]

https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md#install-guest-kernel-images may the a good starting point.

Here, specifically under the fragments folder, you can find pretty much what's needed.

I'm not aware, though, of any documentation specifying what exactly is needed.

About your error, please, more info would be needed. The first few things that come to my mind are:

• component version;
• configuration file;
• full debug log from journal;

[lining2020x]

@fidencio Thanks. I will take a look at the kernel config. I would add some details below.

[lining2020x]

Here is the kata config and version details:

Show kata-collect-data.sh details

# Meta details Running `kata-collect-data.sh` version `1.11.0-rc0 (commit 5cef3e7b53f9f5567ef668c34fc159810ef38e1e-dirty)` at `2020-05-27.14:11:58.853871857+0800`. --- Runtime is `/usr/local/bin/kata-runtime`. # `kata-env` Output of "`/usr/local/bin/kata-runtime kata-env`": ```toml [Meta] Version = "1.0.24" [Runtime] Debug = true Trace = false DisableGuestSeccomp = true DisableNewNetNs = false SandboxCgroupOnly = false Path = "/usr/local/bin/kata-runtime" [Runtime.Version] OCI = "1.0.1-dev" [Runtime.Version.Version] Semver = "1.11.0-rc0" Major = 1 Minor = 11 Patch = 0 Commit = "5cef3e7b53f9f5567ef668c34fc159810ef38e1e-dirty" [Runtime.Config] Path = "/etc/kata-containers/configuration.toml" [Hypervisor] MachineType = "pc" Version = "QEMU emulator version 4.1.1\nCopyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers" Path = "/usr/bin/qemu-vanilla-system-x86_64" BlockDeviceDriver = "virtio-scsi" EntropySource = "/dev/urandom" SharedFS = "virtio-9p" VirtioFSDaemon = "/usr/bin/virtiofsd" Msize9p = 8192 MemorySlots = 10 PCIeRootPort = 0 HotplugVFIOOnRootBus = false Debug = true UseVSock = false [Image] Path = "" [Kernel] Path = "/usr/share/kata-containers/vmlinuz-3.10.0-1127.8.2.el7.x86_64" Parameters = "scsi_mod.scan=none agent.log=debug agent.log=debug initcall_debug agent.log=debug initcall_debug" [Initrd] Path = "/usr/share/kata-containers/initramfs-3.10.0-1127.8.2.el7.x86_64.img" [Proxy] Type = "kataProxy" Path = "/usr/libexec/kata-containers/kata-proxy" Debug = true [Proxy.Version] Semver = "1.11.0-rc0-a6f55340a4a2edfb097de9d7d83ce7f5572209a8" Major = 1 Minor = 11 Patch = 0 Commit = "<>" [Shim] Type = "kataShim" Path = "/usr/libexec/kata-containers/kata-shim" Debug = true [Shim.Version] Semver = "1.11.0-rc0-ad49288c3120bd780bff150bdb6d9e1607392e1f" Major = 1 Minor = 11 Patch = 0 Commit = "<>" [Agent] Type = "kata" Debug = true Trace = false TraceMode = "" TraceType = "" [Host] Kernel = "3.10.0-1127.8.2.el7.x86_64" Architecture = "amd64" VMContainerCapable = true SupportVSocks = false [Host.Distro] Name = "CentOS Linux" Version = "7" [Host.CPU] Vendor = "GenuineIntel" Model = "Intel(R) Core(TM) i7-9750H CPU @ 2.60GHz" [Netmon] Path = "/usr/libexec/kata-containers/kata-netmon" Debug = true Enable = false [Netmon.Version] Semver = "1.11.0-rc0" Major = 1 Minor = 11 Patch = 0 Commit = "<>" ``` --- # Runtime config files ## Runtime default config files ``` /etc/kata-containers/configuration.toml /usr/share/defaults/kata-containers/configuration.toml ``` ## Runtime config file contents Output of "`cat "/etc/kata-containers/configuration.toml"`": ```toml # Copyright (c) 2017-2019 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # # XXX: WARNING: this file is auto-generated. # XXX: # XXX: Source file: "cli/config/configuration-qemu.toml.in" # XXX: Project: # XXX: Name: Kata Containers # XXX: Type: kata [hypervisor.qemu] path = "/usr/bin/qemu-vanilla-system-x86_64" machine_type = "pc" #path = "/usr/bin/qemu-system-x86_64" #initrd = "/usr/share/kata-containers/kata-containers-initrd.img" #kernel = "/usr/share/kata-containers/vmlinuz.container" #image = "/usr/share/kata-containers/kata-containers.img" kernel = "/usr/share/kata-containers/vmlinuz-3.10.0-1127.8.2.el7.x86_64" initrd = "/usr/share/kata-containers/initramfs-3.10.0-1127.8.2.el7.x86_64.img" # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having # trouble running pre-2.15 glibc. # # WARNING: - any parameter specified here will take priority over the default # parameter value of the same name used to start the virtual machine. # Do not set values here unless you understand the impact of doing so as you # may stop the virtual machine from booting. # To see the list of default parameters, enable hypervisor debug, create a # container and look for 'default-kernel-parameters' log entries. kernel_params = " agent.log=debug initcall_debug agent.log=debug initcall_debug" # Path to the firmware. # If you want that qemu uses the default firmware leave this option empty firmware = "" # Machine accelerators # comma-separated list of machine accelerators to pass to the hypervisor. # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"` machine_accelerators="" # CPU features # comma-separated list of cpu features to pass to the cpu # For example, `cpu_features = "pmu=off,vmx=off" cpu_features="pmu=off" # Default number of vCPUs per SB/VM: # unspecified or 0 --> will be set to 1 # < 0 --> will be set to the actual number of physical cores # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores default_vcpus = 1 # Default maximum number of vCPUs per SB/VM: # unspecified or == 0 --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when # the actual number of physical cores is greater than it. # WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU # the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs # can be added to a SB/VM, but the memory footprint will be big. Another example, with # `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of # vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable, # unless you know what are you doing. # NOTICE: on arm platform with gicv2 interrupt controller, set it to 8. default_maxvcpus = 0 # Bridges can be used to hot plug devices. # Limitations: # * Currently only pci bridges are supported # * Until 30 devices per bridge can be hot plugged. # * Until 5 PCI bridges can be cold plugged per VM. # This limitation could be a bug in qemu or in the kernel # Default number of bridges per SB/VM: # unspecified or 0 --> will be set to 1 # > 1 <= 5 --> will be set to the specified number # > 5 --> will be set to 5 default_bridges = 1 # Default memory size in MiB for SB/VM. # If unspecified then it will be set 2048 MiB. default_memory = 1024 # # Default memory slots per SB/VM. # If unspecified then it will be set 10. # This is will determine the times that memory will be hotadded to sandbox/VM. #memory_slots = 10 # The size in MiB will be plused to max memory of hypervisor. # It is the memory address space for the NVDIMM devie. # If set block storage driver (block_device_driver) to "nvdimm", # should set memory_offset to the size of block device. # Default 0 #memory_offset = 0 # Specifies virtio-mem will be enabled or not. # Please note that this option should be used with the command # "echo 1 > /proc/sys/vm/overcommit_memory". # Default false #enable_virtio_mem = true # Disable block device from being used for a container's rootfs. # In case of a storage driver like devicemapper where a container's # root file system is backed by a block device, the block device is passed # directly to the hypervisor for performance reasons. # This flag prevents the block device from being passed to the hypervisor, # 9pfs is used instead to pass the rootfs. disable_block_device_use = false # Shared file system type: # - virtio-9p (default) # - virtio-fs shared_fs = "virtio-9p" # Path to vhost-user-fs daemon. virtio_fs_daemon = "/usr/bin/virtiofsd" # Default size of DAX cache in MiB virtio_fs_cache_size = 1024 # Extra args for virtiofsd daemon # # Format example: # ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"] # # see `virtiofsd -h` for possible options. virtio_fs_extra_args = [] # Cache mode: # # - none # Metadata, data, and pathname lookup are not cached in guest. They are # always fetched from host and any changes are immediately pushed to host. # # - auto # Metadata and pathname lookup cache expires after a configured amount of # time (default is 1 second). Data is cached while the file is open (close # to open consistency). # # - always # Metadata, data, and pathname lookup are cached in guest and never expire. virtio_fs_cache = "always" # Block storage driver to be used for the hypervisor in case the container # rootfs is backed by a block device. This is virtio-scsi, virtio-blk # or nvdimm. block_device_driver = "virtio-scsi" # Specifies cache-related options will be set to block devices or not. # Default false #block_device_cache_set = true # Specifies cache-related options for block devices. # Denotes whether use of O_DIRECT (bypass the host page cache) is enabled. # Default false #block_device_cache_direct = true # Specifies cache-related options for block devices. # Denotes whether flush requests for the device are ignored. # Default false #block_device_cache_noflush = true # Enable iothreads (data-plane) to be used. This causes IO to be # handled in a separate IO thread. This is currently only implemented # for SCSI. # enable_iothreads = false # Enable pre allocation of VM RAM, default false # Enabling this will result in lower container density # as all of the memory will be allocated and locked # This is useful when you want to reserve all the memory # upfront or in the cases where you want memory latencies # to be very predictable # Default false #enable_mem_prealloc = true # Enable huge pages for VM RAM, default false # Enabling this will result in the VM memory # being allocated using huge pages. # This is useful when you want to use vhost-user network # stacks within the container. This will automatically # result in memory pre allocation #enable_hugepages = true # Enable vhost-user storage device, default false # Enabling this will result in some Linux reserved block type # major range 240-254 being chosen to represent vhost-user devices. enable_vhost_user_store = false # The base directory specifically used for vhost-user devices. # Its sub-path "block" is used for block devices; "block/sockets" is # where we expect vhost-user sockets to live; "block/devices" is where # simulated block device nodes for vhost-user devices to live. vhost_user_store_path = "/var/run/kata-containers/vhost-user" # Enable file based guest memory support. The default is an empty string which # will disable this feature. In the case of virtio-fs, this is enabled # automatically and '/dev/shm' is used as the backing folder. # This option will be ignored if VM templating is enabled. #file_mem_backend = "" # Enable swap of vm memory. Default false. # The behaviour is undefined if mem_prealloc is also set to true #enable_swap = true # This option changes the default hypervisor and kernel parameters # to enable debug output where available. This extra output is added # to the proxy logs, but only when proxy debug is also enabled. # # Default false enable_debug = true # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime # behaving as it would when running on bare metal. # #disable_nesting_checks = true # This is the msize used for 9p shares. It is the number of bytes # used for 9p packet payload. #msize_9p = 8192 # If true and vsocks are supported, use vsocks to communicate directly # with the agent and no proxy is started, otherwise use unix # sockets and start a proxy to communicate with the agent. # Default false use_vsock = false # If false and nvdimm is supported, use nvdimm device to plug guest image. # Otherwise virtio-block device is used. # Default is false #disable_image_nvdimm = true # VFIO devices are hotplugged on a bridge by default. # Enable hotplugging on root bus. This may be required for devices with # a large PCI bar, as this is a current limitation with hotplugging on # a bridge. This value is valid for "pc" machine type. # Default false #hotplug_vfio_on_root_bus = true # Before hot plugging a PCIe device, you need to add a pcie_root_port device. # Use this parameter when using some large PCI bar devices, such as Nvidia GPU # The value means the number of pcie_root_port # This value is valid when hotplug_vfio_on_root_bus is true and machine_type is "q35" # Default 0 #pcie_root_port = 2 # If vhost-net backend for virtio-net is not desired, set to true. Default is false, which trades off # security (vhost-net runs ring0) for network I/O performance. #disable_vhost_net = true # # Default entropy source. # The path to a host source of entropy (including a real hardware RNG) # /dev/urandom and /dev/random are two main options. # Be aware that /dev/random is a blocking source of entropy. If the host # runs out of entropy, the VMs boot time will increase leading to get startup # timeouts. # The source of entropy /dev/urandom is non-blocking and provides a # generally acceptable source of entropy. It should work well for pretty much # all practical purposes. #entropy_source= "/dev/urandom" # Path to OCI hook binaries in the *guest rootfs*. # This does not affect host-side hooks which must instead be added to # the OCI spec passed to the runtime. # # You can create a rootfs with hooks by customizing the osbuilder scripts: # https://github.com/kata-containers/osbuilder # # Hooks must be stored in a subdirectory of guest_hook_path according to their # hook type, i.e. "guest_hook_path/{prestart,postart,poststop}". # The agent will scan these directories for executable files and add them, in # lexicographical order, to the lifecycle of the guest container. # Hooks are executed in the runtime namespace of the guest. See the official documentation: # https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks # Warnings will be logged if any error is encountered will scanning for hooks, # but it will not abort container execution. #guest_hook_path = "/usr/share/oci/hooks" [factory] # VM templating support. Once enabled, new VMs are created from template # using vm cloning. They will share the same initial kernel, initramfs and # agent memory by mapping it readonly. It helps speeding up new container # creation and saves a lot of memory if there are many kata containers running # on the same host. # # When disabled, new VMs are created from scratch. # # Note: Requires "initrd=" to be set ("image=" is not supported). # # Default false #enable_template = true # Specifies the path of template. # # Default "/run/vc/vm/template" #template_path = "/run/vc/vm/template" # The number of caches of VMCache: # unspecified or == 0 --> VMCache is disabled # > 0 --> will be set to the specified number # # VMCache is a function that creates VMs as caches before using it. # It helps speed up new container creation. # The function consists of a server and some clients communicating # through Unix socket. The protocol is gRPC in protocols/cache/cache.proto. # The VMCache server will create some VMs and cache them by factory cache. # It will convert the VM to gRPC format and transport it when gets # requestion from clients. # Factory grpccache is the VMCache client. It will request gRPC format # VM and convert it back to a VM. If VMCache function is enabled, # kata-runtime will request VM from factory grpccache when it creates # a new sandbox. # # Default 0 #vm_cache_number = 0 # Specify the address of the Unix socket that is used by VMCache. # # Default /var/run/kata-containers/cache.sock #vm_cache_endpoint = "/var/run/kata-containers/cache.sock" [proxy.kata] path = "/usr/libexec/kata-containers/kata-proxy" # If enabled, proxy messages will be sent to the system log # (default: disabled) enable_debug = true [shim.kata] path = "/usr/libexec/kata-containers/kata-shim" # If enabled, shim messages will be sent to the system log # (default: disabled) enable_debug = true # If enabled, the shim will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # # Note: By default, the shim runs in a separate network namespace. Therefore, # to allow it to send trace details to the Jaeger agent running on the host, # it is necessary to set 'disable_new_netns=true' so that it runs in the host # network namespace. # # (default: disabled) #enable_tracing = true [agent.kata] # If enabled, make the agent display debug-level messages. # (default: disabled) enable_debug = true # Enable agent tracing. # # If enabled, the default trace mode is "dynamic" and the # default trace type is "isolated". The trace mode and type are set # explicity with the `trace_type=` and `trace_mode=` options. # # Notes: # # - Tracing is ONLY enabled when `enable_tracing` is set: explicitly # setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing` # will NOT activate agent tracing. # # - See https://github.com/kata-containers/agent/blob/master/TRACING.md for # full details. # # (default: disabled) #enable_tracing = true # #trace_mode = "dynamic" #trace_type = "isolated" # Comma separated list of kernel modules and their parameters. # These modules will be loaded in the guest kernel using modprobe(8). # The following example can be used to load two kernel modules with parameters # - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"] # The first word is considered as the module name and the rest as its parameters. # Container will not be started when: # * A kernel module is specified and the modprobe command is not installed in the guest # or it fails loading the module. # * The module is not available in the guest or it doesn't met the guest kernel # requirements, like architecture and version. # kernel_modules=[] [netmon] # If enabled, the network monitoring process gets started when the # sandbox is created. This allows for the detection of some additional # network being added to the existing network namespace, after the # sandbox has been created. # (default: disabled) #enable_netmon = true # Specify the path to the netmon binary. path = "/usr/libexec/kata-containers/kata-netmon" # If enabled, netmon messages will be sent to the system log # (default: disabled) enable_debug = true [runtime] # If enabled, the runtime will log additional debug messages to the # system log # (default: disabled) enable_debug = true # # Internetworking model # Determines how the VM should be connected to the # the container network interface # Options: # # - macvtap # Used when the Container network interface can be bridged using # macvtap. # # - none # Used when customize network. Only creates a tap device. No veth pair. # # - tcfilter # Uses tc filter rules to redirect traffic from the network interface # provided by plugin to a tap interface connected to the VM. # internetworking_model="tcfilter" # disable guest seccomp # Determines whether container seccomp profiles are passed to the virtual # machine and applied by the kata agent. If set to true, seccomp is not applied # within the guest # (default: true) disable_guest_seccomp=true # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) #enable_tracing = true # If enabled, the runtime will not create a network namespace for shim and hypervisor processes. # This option may have some potential impacts to your host. It should only be used when you know what you're doing. # `disable_new_netns` conflicts with `enable_netmon` # `disable_new_netns` conflicts with `internetworking_model=tcfilter` and `internetworking_model=macvtap`. It works only # with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge # (like OVS) directly. # If you are using docker, `disable_new_netns` only works with `docker run --net=none` # (default: false) #disable_new_netns = true # if enabled, the runtime will add all the kata processes inside one dedicated cgroup. # The container cgroups in the host are not created, just one single cgroup per sandbox. # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox. # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation. # The sandbox cgroup is constrained if there is no container type annotation. # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType sandbox_cgroup_only=false # Enabled experimental feature list, format: ["a", "b"]. # Experimental features are features not stable enough for production, # they may break compatibility, and are prepared for a big version bump. # Supported experimental features: # (default: []) experimental=[] ``` Output of "`cat "/usr/share/defaults/kata-containers/configuration.toml"`": ```toml # Copyright (c) 2017-2019 Intel Corporation # # SPDX-License-Identifier: Apache-2.0 # # XXX: WARNING: this file is auto-generated. # XXX: # XXX: Source file: "cli/config/configuration-qemu.toml.in" # XXX: Project: # XXX: Name: Kata Containers # XXX: Type: kata [hypervisor.qemu] path = "/usr/bin/qemu-system-x86_64" kernel = "/usr/share/kata-containers/vmlinuz.container" initrd = "/usr/share/kata-containers/kata-containers-initrd.img" image = "/usr/share/kata-containers/kata-containers.img" machine_type = "pc" # Optional space-separated list of options to pass to the guest kernel. # For example, use `kernel_params = "vsyscall=emulate"` if you are having # trouble running pre-2.15 glibc. # # WARNING: - any parameter specified here will take priority over the default # parameter value of the same name used to start the virtual machine. # Do not set values here unless you understand the impact of doing so as you # may stop the virtual machine from booting. # To see the list of default parameters, enable hypervisor debug, create a # container and look for 'default-kernel-parameters' log entries. kernel_params = "" # Path to the firmware. # If you want that qemu uses the default firmware leave this option empty firmware = "" # Machine accelerators # comma-separated list of machine accelerators to pass to the hypervisor. # For example, `machine_accelerators = "nosmm,nosmbus,nosata,nopit,static-prt,nofw"` machine_accelerators="" # CPU features # comma-separated list of cpu features to pass to the cpu # For example, `cpu_features = "pmu=off,vmx=off" cpu_features="pmu=off" # Default number of vCPUs per SB/VM: # unspecified or 0 --> will be set to 1 # < 0 --> will be set to the actual number of physical cores # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores default_vcpus = 1 # Default maximum number of vCPUs per SB/VM: # unspecified or == 0 --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # > 0 <= number of physical cores --> will be set to the specified number # > number of physical cores --> will be set to the actual number of physical cores or to the maximum number # of vCPUs supported by KVM if that number is exceeded # WARNING: Depending of the architecture, the maximum number of vCPUs supported by KVM is used when # the actual number of physical cores is greater than it. # WARNING: Be aware that this value impacts the virtual machine's memory footprint and CPU # the hotplug functionality. For example, `default_maxvcpus = 240` specifies that until 240 vCPUs # can be added to a SB/VM, but the memory footprint will be big. Another example, with # `default_maxvcpus = 8` the memory footprint will be small, but 8 will be the maximum number of # vCPUs supported by the SB/VM. In general, we recommend that you do not edit this variable, # unless you know what are you doing. # NOTICE: on arm platform with gicv2 interrupt controller, set it to 8. default_maxvcpus = 0 # Bridges can be used to hot plug devices. # Limitations: # * Currently only pci bridges are supported # * Until 30 devices per bridge can be hot plugged. # * Until 5 PCI bridges can be cold plugged per VM. # This limitation could be a bug in qemu or in the kernel # Default number of bridges per SB/VM: # unspecified or 0 --> will be set to 1 # > 1 <= 5 --> will be set to the specified number # > 5 --> will be set to 5 default_bridges = 1 # Default memory size in MiB for SB/VM. # If unspecified then it will be set 512 MiB. default_memory = 512 # # Default memory slots per SB/VM. # If unspecified then it will be set 10. # This is will determine the times that memory will be hotadded to sandbox/VM. #memory_slots = 10 # The size in MiB will be plused to max memory of hypervisor. # It is the memory address space for the NVDIMM devie. # If set block storage driver (block_device_driver) to "nvdimm", # should set memory_offset to the size of block device. # Default 0 #memory_offset = 0 # Specifies virtio-mem will be enabled or not. # Please note that this option should be used with the command # "echo 1 > /proc/sys/vm/overcommit_memory". # Default false #enable_virtio_mem = true # Disable block device from being used for a container's rootfs. # In case of a storage driver like devicemapper where a container's # root file system is backed by a block device, the block device is passed # directly to the hypervisor for performance reasons. # This flag prevents the block device from being passed to the hypervisor, # 9pfs is used instead to pass the rootfs. disable_block_device_use = false # Shared file system type: # - virtio-9p (default) # - virtio-fs shared_fs = "virtio-9p" # Path to vhost-user-fs daemon. virtio_fs_daemon = "/usr/bin/virtiofsd" # Default size of DAX cache in MiB virtio_fs_cache_size = 1024 # Extra args for virtiofsd daemon # # Format example: # ["-o", "arg1=xxx,arg2", "-o", "hello world", "--arg3=yyy"] # # see `virtiofsd -h` for possible options. virtio_fs_extra_args = [] # Cache mode: # # - none # Metadata, data, and pathname lookup are not cached in guest. They are # always fetched from host and any changes are immediately pushed to host. # # - auto # Metadata and pathname lookup cache expires after a configured amount of # time (default is 1 second). Data is cached while the file is open (close # to open consistency). # # - always # Metadata, data, and pathname lookup are cached in guest and never expire. virtio_fs_cache = "always" # Block storage driver to be used for the hypervisor in case the container # rootfs is backed by a block device. This is virtio-scsi, virtio-blk # or nvdimm. block_device_driver = "virtio-scsi" # Specifies cache-related options will be set to block devices or not. # Default false #block_device_cache_set = true # Specifies cache-related options for block devices. # Denotes whether use of O_DIRECT (bypass the host page cache) is enabled. # Default false #block_device_cache_direct = true # Specifies cache-related options for block devices. # Denotes whether flush requests for the device are ignored. # Default false #block_device_cache_noflush = true # Enable iothreads (data-plane) to be used. This causes IO to be # handled in a separate IO thread. This is currently only implemented # for SCSI. # enable_iothreads = false # Enable pre allocation of VM RAM, default false # Enabling this will result in lower container density # as all of the memory will be allocated and locked # This is useful when you want to reserve all the memory # upfront or in the cases where you want memory latencies # to be very predictable # Default false #enable_mem_prealloc = true # Enable huge pages for VM RAM, default false # Enabling this will result in the VM memory # being allocated using huge pages. # This is useful when you want to use vhost-user network # stacks within the container. This will automatically # result in memory pre allocation #enable_hugepages = true # Enable vhost-user storage device, default false # Enabling this will result in some Linux reserved block type # major range 240-254 being chosen to represent vhost-user devices. enable_vhost_user_store = false # The base directory specifically used for vhost-user devices. # Its sub-path "block" is used for block devices; "block/sockets" is # where we expect vhost-user sockets to live; "block/devices" is where # simulated block device nodes for vhost-user devices to live. vhost_user_store_path = "/var/run/kata-containers/vhost-user" # Enable file based guest memory support. The default is an empty string which # will disable this feature. In the case of virtio-fs, this is enabled # automatically and '/dev/shm' is used as the backing folder. # This option will be ignored if VM templating is enabled. #file_mem_backend = "" # Enable swap of vm memory. Default false. # The behaviour is undefined if mem_prealloc is also set to true #enable_swap = true # This option changes the default hypervisor and kernel parameters # to enable debug output where available. This extra output is added # to the proxy logs, but only when proxy debug is also enabled. # # Default false #enable_debug = true # Disable the customizations done in the runtime when it detects # that it is running on top a VMM. This will result in the runtime # behaving as it would when running on bare metal. # #disable_nesting_checks = true # This is the msize used for 9p shares. It is the number of bytes # used for 9p packet payload. #msize_9p = 8192 # If true and vsocks are supported, use vsocks to communicate directly # with the agent and no proxy is started, otherwise use unix # sockets and start a proxy to communicate with the agent. # Default false use_vsock = false # If false and nvdimm is supported, use nvdimm device to plug guest image. # Otherwise virtio-block device is used. # Default is false #disable_image_nvdimm = true # VFIO devices are hotplugged on a bridge by default. # Enable hotplugging on root bus. This may be required for devices with # a large PCI bar, as this is a current limitation with hotplugging on # a bridge. This value is valid for "pc" machine type. # Default false #hotplug_vfio_on_root_bus = true # Before hot plugging a PCIe device, you need to add a pcie_root_port device. # Use this parameter when using some large PCI bar devices, such as Nvidia GPU # The value means the number of pcie_root_port # This value is valid when hotplug_vfio_on_root_bus is true and machine_type is "q35" # Default 0 #pcie_root_port = 2 # If vhost-net backend for virtio-net is not desired, set to true. Default is false, which trades off # security (vhost-net runs ring0) for network I/O performance. #disable_vhost_net = true # # Default entropy source. # The path to a host source of entropy (including a real hardware RNG) # /dev/urandom and /dev/random are two main options. # Be aware that /dev/random is a blocking source of entropy. If the host # runs out of entropy, the VMs boot time will increase leading to get startup # timeouts. # The source of entropy /dev/urandom is non-blocking and provides a # generally acceptable source of entropy. It should work well for pretty much # all practical purposes. #entropy_source= "/dev/urandom" # Path to OCI hook binaries in the *guest rootfs*. # This does not affect host-side hooks which must instead be added to # the OCI spec passed to the runtime. # # You can create a rootfs with hooks by customizing the osbuilder scripts: # https://github.com/kata-containers/osbuilder # # Hooks must be stored in a subdirectory of guest_hook_path according to their # hook type, i.e. "guest_hook_path/{prestart,postart,poststop}". # The agent will scan these directories for executable files and add them, in # lexicographical order, to the lifecycle of the guest container. # Hooks are executed in the runtime namespace of the guest. See the official documentation: # https://github.com/opencontainers/runtime-spec/blob/v1.0.1/config.md#posix-platform-hooks # Warnings will be logged if any error is encountered will scanning for hooks, # but it will not abort container execution. #guest_hook_path = "/usr/share/oci/hooks" [factory] # VM templating support. Once enabled, new VMs are created from template # using vm cloning. They will share the same initial kernel, initramfs and # agent memory by mapping it readonly. It helps speeding up new container # creation and saves a lot of memory if there are many kata containers running # on the same host. # # When disabled, new VMs are created from scratch. # # Note: Requires "initrd=" to be set ("image=" is not supported). # # Default false #enable_template = true # Specifies the path of template. # # Default "/run/vc/vm/template" #template_path = "/run/vc/vm/template" # The number of caches of VMCache: # unspecified or == 0 --> VMCache is disabled # > 0 --> will be set to the specified number # # VMCache is a function that creates VMs as caches before using it. # It helps speed up new container creation. # The function consists of a server and some clients communicating # through Unix socket. The protocol is gRPC in protocols/cache/cache.proto. # The VMCache server will create some VMs and cache them by factory cache. # It will convert the VM to gRPC format and transport it when gets # requestion from clients. # Factory grpccache is the VMCache client. It will request gRPC format # VM and convert it back to a VM. If VMCache function is enabled, # kata-runtime will request VM from factory grpccache when it creates # a new sandbox. # # Default 0 #vm_cache_number = 0 # Specify the address of the Unix socket that is used by VMCache. # # Default /var/run/kata-containers/cache.sock #vm_cache_endpoint = "/var/run/kata-containers/cache.sock" [proxy.kata] path = "/usr/libexec/kata-containers/kata-proxy" # If enabled, proxy messages will be sent to the system log # (default: disabled) #enable_debug = true [shim.kata] path = "/usr/libexec/kata-containers/kata-shim" # If enabled, shim messages will be sent to the system log # (default: disabled) #enable_debug = true # If enabled, the shim will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # # Note: By default, the shim runs in a separate network namespace. Therefore, # to allow it to send trace details to the Jaeger agent running on the host, # it is necessary to set 'disable_new_netns=true' so that it runs in the host # network namespace. # # (default: disabled) #enable_tracing = true [agent.kata] # If enabled, make the agent display debug-level messages. # (default: disabled) #enable_debug = true # Enable agent tracing. # # If enabled, the default trace mode is "dynamic" and the # default trace type is "isolated". The trace mode and type are set # explicity with the `trace_type=` and `trace_mode=` options. # # Notes: # # - Tracing is ONLY enabled when `enable_tracing` is set: explicitly # setting `trace_mode=` and/or `trace_type=` without setting `enable_tracing` # will NOT activate agent tracing. # # - See https://github.com/kata-containers/agent/blob/master/TRACING.md for # full details. # # (default: disabled) #enable_tracing = true # #trace_mode = "dynamic" #trace_type = "isolated" # Comma separated list of kernel modules and their parameters. # These modules will be loaded in the guest kernel using modprobe(8). # The following example can be used to load two kernel modules with parameters # - kernel_modules=["e1000e InterruptThrottleRate=3000,3000,3000 EEE=1", "i915 enable_ppgtt=0"] # The first word is considered as the module name and the rest as its parameters. # Container will not be started when: # * A kernel module is specified and the modprobe command is not installed in the guest # or it fails loading the module. # * The module is not available in the guest or it doesn't met the guest kernel # requirements, like architecture and version. # kernel_modules=[] [netmon] # If enabled, the network monitoring process gets started when the # sandbox is created. This allows for the detection of some additional # network being added to the existing network namespace, after the # sandbox has been created. # (default: disabled) #enable_netmon = true # Specify the path to the netmon binary. path = "/usr/libexec/kata-containers/kata-netmon" # If enabled, netmon messages will be sent to the system log # (default: disabled) #enable_debug = true [runtime] # If enabled, the runtime will log additional debug messages to the # system log # (default: disabled) #enable_debug = true # # Internetworking model # Determines how the VM should be connected to the # the container network interface # Options: # # - macvtap # Used when the Container network interface can be bridged using # macvtap. # # - none # Used when customize network. Only creates a tap device. No veth pair. # # - tcfilter # Uses tc filter rules to redirect traffic from the network interface # provided by plugin to a tap interface connected to the VM. # internetworking_model="tcfilter" # disable guest seccomp # Determines whether container seccomp profiles are passed to the virtual # machine and applied by the kata agent. If set to true, seccomp is not applied # within the guest # (default: true) disable_guest_seccomp=true # If enabled, the runtime will create opentracing.io traces and spans. # (See https://www.jaegertracing.io/docs/getting-started). # (default: disabled) #enable_tracing = true # If enabled, the runtime will not create a network namespace for shim and hypervisor processes. # This option may have some potential impacts to your host. It should only be used when you know what you're doing. # `disable_new_netns` conflicts with `enable_netmon` # `disable_new_netns` conflicts with `internetworking_model=tcfilter` and `internetworking_model=macvtap`. It works only # with `internetworking_model=none`. The tap device will be in the host network namespace and can connect to a bridge # (like OVS) directly. # If you are using docker, `disable_new_netns` only works with `docker run --net=none` # (default: false) #disable_new_netns = true # if enabled, the runtime will add all the kata processes inside one dedicated cgroup. # The container cgroups in the host are not created, just one single cgroup per sandbox. # The runtime caller is free to restrict or collect cgroup stats of the overall Kata sandbox. # The sandbox cgroup path is the parent cgroup of a container with the PodSandbox annotation. # The sandbox cgroup is constrained if there is no container type annotation. # See: https://godoc.org/github.com/kata-containers/runtime/virtcontainers#ContainerType sandbox_cgroup_only=false # Enabled experimental feature list, format: ["a", "b"]. # Experimental features are features not stable enough for production, # they may break compatibility, and are prepared for a big version bump. # Supported experimental features: # (default: []) experimental=[] ``` --- # KSM throttler ## version Output of "` --version`": ``` /usr/local/bin/kata-collect-data.sh: line 178: --version: command not found ``` ## systemd service # Image details No image --- # Initrd details ```yaml unknown ``` --- # Logfiles ## Runtime logs No recent runtime problems found in system journal. ## Proxy logs No recent proxy problems found in system journal. ## Shim logs No recent shim problems found in system journal. ## Throttler logs No recent throttler problems found in system journal. --- # Container manager details Have `docker` ## Docker Output of "`docker version`": ``` Client: Docker Engine - Community Version: 19.03.3 API version: 1.40 Go version: go1.12.10 Git commit: a872fc2f86 Built: Tue Oct 8 00:58:10 2019 OS/Arch: linux/amd64 Experimental: false Server: Docker Engine - Community Engine: Version: 19.03.3 API version: 1.40 (minimum version 1.12) Go version: go1.12.10 Git commit: a872fc2f86 Built: Tue Oct 8 00:56:46 2019 OS/Arch: linux/amd64 Experimental: false containerd: Version: 1.2.6 GitCommit: 894b81a4b802e4eb2a91d1ce216b8817763c29fb runc: Version: 1.0.0-rc8 GitCommit: 425e105d5a03fabd737a126ad93d62a9eeede87f docker-init: Version: 0.18.0 GitCommit: fec3683 ``` Output of "`docker info`": ``` Client: Debug Mode: false Server: Containers: 18 Running: 0 Paused: 0 Stopped: 18 Images: 57 Server Version: 19.03.3 Storage Driver: overlay2 Backing Filesystem: xfs Supports d_type: true Native Overlay Diff: true Logging Driver: json-file Cgroup Driver: cgroupfs Plugins: Volume: local Network: bridge host ipvlan macvlan null overlay Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog Swarm: inactive Runtimes: runc Default Runtime: runc Init Binary: docker-init containerd version: 894b81a4b802e4eb2a91d1ce216b8817763c29fb runc version: 425e105d5a03fabd737a126ad93d62a9eeede87f init version: fec3683 Security Options: seccomp Profile: default Kernel Version: 3.10.0-1127.8.2.el7.x86_64 Operating System: CentOS Linux 7 (Core) OSType: linux Architecture: x86_64 CPUs: 4 Total Memory: 1.777GiB Name: centos0 ID: IRPV:SF57:QOTS:6OH6:GVBW:OH7J:GHSY:SFZF:BB4Y:2JBA:ESAY:3AF6 Docker Root Dir: /var/lib/docker Debug Mode: false Registry: https://index.docker.io/v1/ Labels: Experimental: false Insecure Registries: 127.0.0.0/8 Registry Mirrors: https://y7oivp0s.mirror.aliyuncs.com/ Live Restore Enabled: false WARNING: bridge-nf-call-iptables is disabled WARNING: bridge-nf-call-ip6tables is disabled ``` Output of "`systemctl show docker`": ``` Type=notify Restart=always NotifyAccess=main RestartUSec=2s TimeoutStartUSec=0 TimeoutStopUSec=0 WatchdogUSec=0 WatchdogTimestamp=Tue 2020-05-26 19:53:46 CST WatchdogTimestampMonotonic=6704952 StartLimitInterval=60000000 StartLimitBurst=3 StartLimitAction=none FailureAction=none PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=1399 ControlPID=0 FileDescriptorStoreMax=0 StatusErrno=0 Result=success ExecMainStartTimestamp=Tue 2020-05-26 19:53:45 CST ExecMainStartTimestampMonotonic=5501276 ExecMainExitTimestampMonotonic=0 ExecMainPID=1399 ExecMainCode=0 ExecMainStatus=0 ExecStart={ path=/usr/bin/dockerd ; argv[]=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock ; ignore_errors=no ; start_time=[Tue 2020-05-26 19:53:45 CST] ; stop_time=[n/a] ; pid=1399 ; code=(null) ; status=0/0 } ExecReload={ path=/bin/kill ; argv[]=/bin/kill -s HUP $MAINPID ; ignore_errors=no ; start_time=[n/a] ; stop_time=[n/a] ; pid=0 ; code=(null) ; status=0/0 } Slice=system.slice ControlGroup=/system.slice/docker.service MemoryCurrent=96595968 TasksCurrent=16 Delegate=yes CPUAccounting=no CPUShares=18446744073709551615 StartupCPUShares=18446744073709551615 CPUQuotaPerSecUSec=infinity BlockIOAccounting=no BlockIOWeight=18446744073709551615 StartupBlockIOWeight=18446744073709551615 MemoryAccounting=no MemoryLimit=18446744073709551615 DevicePolicy=auto TasksAccounting=no TasksMax=18446744073709551615 UMask=0022 LimitCPU=18446744073709551615 LimitFSIZE=18446744073709551615 LimitDATA=18446744073709551615 LimitSTACK=18446744073709551615 LimitCORE=18446744073709551615 LimitRSS=18446744073709551615 LimitNOFILE=18446744073709551615 LimitAS=18446744073709551615 LimitNPROC=18446744073709551615 LimitMEMLOCK=65536 LimitLOCKS=18446744073709551615 LimitSIGPENDING=7184 LimitMSGQUEUE=819200 LimitNICE=0 LimitRTPRIO=0 LimitRTTIME=18446744073709551615 OOMScoreAdjust=0 Nice=0 IOScheduling=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SecureBits=0 CapabilityBoundingSet=18446744073709551615 AmbientCapabilities=0 MountFlags=0 PrivateTmp=no PrivateNetwork=no PrivateDevices=no ProtectHome=no ProtectSystem=no SameProcessGroup=no IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 RuntimeDirectoryMode=0755 KillMode=process KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=docker.service Names=docker.service Requires=basic.target system.slice docker.socket Wants=network-online.target BindsTo=containerd.service WantedBy=multi-user.target ConsistsOf=docker.socket Conflicts=shutdown.target Before=shutdown.target multi-user.target After=basic.target network-online.target containerd.service docker.socket firewalld.service systemd-journald.socket system.slice TriggeredBy=docker.socket Documentation=https://docs.docker.com Description=Docker Application Container Engine LoadState=loaded ActiveState=active SubState=running FragmentPath=/usr/lib/systemd/system/docker.service UnitFileState=enabled UnitFilePreset=disabled InactiveExitTimestamp=Tue 2020-05-26 19:53:45 CST InactiveExitTimestampMonotonic=5501455 ActiveEnterTimestamp=Tue 2020-05-26 19:53:46 CST ActiveEnterTimestampMonotonic=6704976 ActiveExitTimestampMonotonic=0 InactiveEnterTimestampMonotonic=0 CanStart=yes CanStop=yes CanReload=yes CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no IgnoreOnSnapshot=no NeedDaemonReload=no JobTimeoutUSec=0 JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Tue 2020-05-26 19:53:45 CST ConditionTimestampMonotonic=5497441 AssertTimestamp=Tue 2020-05-26 19:53:45 CST AssertTimestampMonotonic=5497441 Transient=no ``` No `kubectl` No `crio` Have `containerd` ## containerd Output of "`containerd --version`": ``` containerd containerd.io 1.2.6 894b81a4b802e4eb2a91d1ce216b8817763c29fb ``` Output of "`systemctl show containerd`": ``` Type=simple Restart=no NotifyAccess=none RestartUSec=100ms TimeoutStartUSec=1min 30s TimeoutStopUSec=1min 30s WatchdogUSec=0 WatchdogTimestamp=Tue 2020-05-26 19:53:45 CST WatchdogTimestampMonotonic=5497105 StartLimitInterval=10000000 StartLimitBurst=5 StartLimitAction=none FailureAction=none PermissionsStartOnly=no RootDirectoryStartOnly=no RemainAfterExit=no GuessMainPID=yes MainPID=1398 ControlPID=0 FileDescriptorStoreMax=0 StatusErrno=0 Result=success ExecMainStartTimestamp=Tue 2020-05-26 19:53:45 CST ExecMainStartTimestampMonotonic=5497066 ExecMainExitTimestampMonotonic=0 ExecMainPID=1398 ExecMainCode=0 ExecMainStatus=0 ExecStartPre={ path=/sbin/modprobe ; argv[]=/sbin/modprobe overlay ; ignore_errors=yes ; start_time=[Tue 2020-05-26 19:53:45 CST] ; stop_time=[Tue 2020-05-26 19:53:45 CST] ; pid=1391 ; code=exited ; status=0 } ExecStart={ path=/usr/bin/containerd ; argv[]=/usr/bin/containerd ; ignore_errors=no ; start_time=[Tue 2020-05-26 19:53:45 CST] ; stop_time=[n/a] ; pid=1398 ; code=(null) ; status=0/0 } Slice=system.slice ControlGroup=/system.slice/containerd.service MemoryCurrent=121819136 TasksCurrent=16 Delegate=yes CPUAccounting=no CPUShares=18446744073709551615 StartupCPUShares=18446744073709551615 CPUQuotaPerSecUSec=infinity BlockIOAccounting=no BlockIOWeight=18446744073709551615 StartupBlockIOWeight=18446744073709551615 MemoryAccounting=no MemoryLimit=18446744073709551615 DevicePolicy=auto TasksAccounting=no TasksMax=18446744073709551615 UMask=0022 LimitCPU=18446744073709551615 LimitFSIZE=18446744073709551615 LimitDATA=18446744073709551615 LimitSTACK=18446744073709551615 LimitCORE=18446744073709551615 LimitRSS=18446744073709551615 LimitNOFILE=1048576 LimitAS=18446744073709551615 LimitNPROC=18446744073709551615 LimitMEMLOCK=65536 LimitLOCKS=18446744073709551615 LimitSIGPENDING=7184 LimitMSGQUEUE=819200 LimitNICE=0 LimitRTPRIO=0 LimitRTTIME=18446744073709551615 OOMScoreAdjust=0 Nice=0 IOScheduling=0 CPUSchedulingPolicy=0 CPUSchedulingPriority=0 TimerSlackNSec=50000 CPUSchedulingResetOnFork=no NonBlocking=no StandardInput=null StandardOutput=journal StandardError=inherit TTYReset=no TTYVHangup=no TTYVTDisallocate=no SyslogPriority=30 SyslogLevelPrefix=yes SecureBits=0 CapabilityBoundingSet=18446744073709551615 AmbientCapabilities=0 MountFlags=0 PrivateTmp=no PrivateNetwork=no PrivateDevices=no ProtectHome=no ProtectSystem=no SameProcessGroup=no IgnoreSIGPIPE=yes NoNewPrivileges=no SystemCallErrorNumber=0 RuntimeDirectoryMode=0755 KillMode=process KillSignal=15 SendSIGKILL=yes SendSIGHUP=no Id=containerd.service Names=containerd.service Requires=basic.target system.slice BoundBy=docker.service Conflicts=shutdown.target Before=shutdown.target docker.service After=network.target basic.target systemd-journald.socket system.slice Documentation=https://containerd.io Description=containerd container runtime LoadState=loaded ActiveState=active SubState=running FragmentPath=/usr/lib/systemd/system/containerd.service UnitFileState=disabled UnitFilePreset=disabled InactiveExitTimestamp=Tue 2020-05-26 19:53:45 CST InactiveExitTimestampMonotonic=5457065 ActiveEnterTimestamp=Tue 2020-05-26 19:53:45 CST ActiveEnterTimestampMonotonic=5497121 ActiveExitTimestampMonotonic=0 InactiveEnterTimestampMonotonic=0 CanStart=yes CanStop=yes CanReload=no CanIsolate=no StopWhenUnneeded=no RefuseManualStart=no RefuseManualStop=no AllowIsolate=no DefaultDependencies=yes OnFailureJobMode=replace IgnoreOnIsolate=no IgnoreOnSnapshot=no NeedDaemonReload=no JobTimeoutUSec=0 JobTimeoutAction=none ConditionResult=yes AssertResult=yes ConditionTimestamp=Tue 2020-05-26 19:53:45 CST ConditionTimestampMonotonic=5450940 AssertTimestamp=Tue 2020-05-26 19:53:45 CST AssertTimestampMonotonic=5450940 Transient=no ``` Output of "`cat /etc/containerd/config.toml`": ``` root = "/var/lib/containerd" state = "/run/containerd" oom_score = 0 [grpc] address = "/run/containerd/containerd.sock" uid = 0 gid = 0 max_recv_message_size = 16777216 max_send_message_size = 16777216 [debug] address = "" uid = 0 gid = 0 level = "debug" [metrics] address = "" grpc_histogram = false [cgroup] path = "" [plugins] [plugins.cgroups] no_prometheus = false [plugins.cri] stream_server_address = "127.0.0.1" stream_server_port = "0" enable_selinux = false sandbox_image = "k8s.gcr.io/pause:3.1" stats_collect_period = 10 systemd_cgroup = false enable_tls_streaming = false max_container_log_line_size = 16384 [plugins.cri.containerd] snapshotter = "overlayfs" no_pivot = false [plugins.cri.containerd.default_runtime] runtime_type = "io.containerd.runtime.v1.linux" runtime_engine = "" runtime_root = "" [plugins.cri.containerd.untrusted_workload_runtime] runtime_type = "" runtime_engine = "" runtime_root = "" [plugins.cri.cni] bin_dir = "/opt/cni/bin" conf_dir = "/etc/cni/net.d" conf_template = "" [plugins.cri.registry] [plugins.cri.registry.mirrors] [plugins.cri.registry.mirrors."docker.io"] endpoint = ["https://registry-1.docker.io"] [plugins.cri.x509_key_pair_streaming] tls_cert_file = "" tls_key_file = "" [plugins.diff-service] default = ["walking"] [plugins.linux] shim = "containerd-shim" runtime = "runc" runtime_root = "" no_shim = false shim_debug = true [plugins.opt] path = "/opt/containerd" [plugins.restart] interval = "10s" [plugins.scheduler] pause_threshold = 0.02 deletion_threshold = 0 mutation_threshold = 100 schedule_delay = "0s" startup_delay = "100ms" ``` --- # Packages No `dpkg` Have `rpm` Output of "`rpm -qa|egrep "(cc-oci-runtimecc-runtimerunv|kata-proxy|kata-runtime|kata-shim|kata-ksm-throttler|kata-containers-image|linux-container|qemu-)"`": ``` kata-shim-bin-1.11.0~rc0-44.2.x86_64 qemu-vanilla-data-4.1.1+git.99c5874a9b-50.2.x86_64 kata-containers-image-1.11.0~rc0-45.2.x86_64 kata-linux-container-5.4.32.73-62.2.x86_64 kata-proxy-1.11.0~rc0-46.2.x86_64 kata-shim-1.11.0~rc0-44.2.x86_64 ipxe-roms-qemu-20180825-2.git133f4c.el7.noarch qemu-vanilla-bin-4.1.1+git.99c5874a9b-50.2.x86_64 kata-proxy-bin-1.11.0~rc0-46.2.x86_64 ``` ---

[lining2020x]

Here is the log during running the command ctr tasks start -d b1

logs

``` May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.810134845+08:00" level=debug msg="get snapshot mounts" key=b1 May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.863167083+08:00" level=debug msg="registering ttrpc server" May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.863268880+08:00" level=debug msg="serving api on abstract socket" socket="[inherited from parent]" May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.863294062+08:00" level=info msg="starting signal loop" namespace=default path=/run/containerd/io.containerd.runtime.v2.task/default/b1 pid=15899 May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.863639351+08:00" level=debug msg="converting /run/containerd/io.containerd.runtime.v2.task/default/b1/config.json" ID=b1 source=virtcontainers subsystem=compatoci May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.866197227+08:00" level=info msg="loaded configuration" ID=b1 file=/etc/kata-containers/configuration.toml format=TOML source=katautils May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.866395601+08:00" level=debug ID=b1 default-kernel-parameters= source=katautils May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.866197227+08:00" level=info msg="loaded configuration" ID=b1 file=/etc/kata-containers/configuration.toml format=TOML source=katautils May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.866395601+08:00" level=debug ID=b1 default-kernel-parameters= source=katautils May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.867245112+08:00" level=debug msg="container rootfs: /run/containerd/io.containerd.runtime.v2.task/default/b1/rootfs" source=virtcontainers subsystem=oci May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.867316438+08:00" level=info msg="shm-size detected: 67108864" source=virtcontainers subsystem=oci May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.867245112+08:00" level=debug msg="container rootfs: /run/containerd/io.containerd.runtime.v2.task/default/b1/rootfs" source=virtcontainers subsystem=oci May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.867316438+08:00" level=info msg="shm-size detected: 67108864" source=virtcontainers subsystem=oci May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.872410896+08:00" level=info msg="create netns" ID=b1 netns=/var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1 source=katautils May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.872410896+08:00" level=info msg="create netns" ID=b1 netns=/var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1 source=katautils May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.872592773+08:00" level=debug msg="restore sandbox failed" ID=b1 error="open /run/vc/sbs/b1/persist.json: no such file or directory" sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.872766673+08:00" level=debug msg="Creating bridges" ID=b1 source=virtcontainers subsystem=qemu May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.872789632+08:00" level=debug msg="Creating UUID" ID=b1 source=virtcontainers subsystem=qemu May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.873182444+08:00" level=info msg="adding volume" ID=b1 source=virtcontainers subsystem=qemu volume-type=virtio-9p May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.873526311+08:00" level=info msg="Endpoints found after scan" ID=b1 endpoints="[]" source=virtcontainers subsystem=network May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.873594349+08:00" level=debug msg="Network added" ID=b1 source=virtcontainers subsystem=network May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.873613774+08:00" level=info msg="Starting VM" ID=b1 sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.873648997+08:00" level=debug ID=b1 default-kernel-parameters="tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 debug" source=virtcontainers subsystem=qemu May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.873854202+08:00" level=info msg="launching /usr/bin/qemu-vanilla-system-x86_64 with: [-name sandbox-b1 -uuid 5208064f-95bb-4351-aba8-526fead35624 -machine pc,accel=kvm,kernel_irqchip -cpu host,pmu=off -qmp unix:/run/vc/vm/b1/qmp.sock,server,nowait -m 1024M,slots=10,maxmem=2843M -device pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device virtconsole,chardev=charconsole0,id=console0 -chardev socket,id=charconsole0,path=/run/vc/vm/b1/console.sock,server,nowait -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng-pci,rng=rng0,romfile= -device virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev socket,id=charch0,path=/run/vc/vm/b1/kata.sock,server,nowait -device virtio-9p-pci,disable-modern=true,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile= -fsdev local,id=extra-9p-kataShared,path=/run/kata-containers/shared/sandboxes/b1,security_model=none -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config -nodefaults -nographic -daemonize -object memory-backend-ram,id=dimm1,size=1024M -numa node,memdev=dimm1 -kernel /usr/share/kata-containers/vmlinuz-3.10.0-1127.8.2.el7.x86_64 -initrd /usr/share/kata-containers/initramfs-3.10.0-1127.8.2.el7.x86_64.img -append tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 debug panic=1 nr_cpus=4 agent.use_vsock=false scsi_mod.scan=none agent.log=debug initcall_debug agent.log=debug initcall_debug -pidfile /run/vc/vm/b1/pid -D /run/vc/vm/b1/qemu.log -smp 1,cores=1,threads=1,sockets=4,maxcpus=4]" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.872592773+08:00" level=debug msg="restore sandbox failed" ID=b1 error="open /run/vc/sbs/b1/persist.json: no such file or directory" sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.872766673+08:00" level=debug msg="Creating bridges" ID=b1 source=virtcontainers subsystem=qemu May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.872789632+08:00" level=debug msg="Creating UUID" ID=b1 source=virtcontainers subsystem=qemu May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.873182444+08:00" level=info msg="adding volume" ID=b1 source=virtcontainers subsystem=qemu volume-type=virtio-9p May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.873526311+08:00" level=info msg="Endpoints found after scan" ID=b1 endpoints="[]" source=virtcontainers subsystem=network May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.873594349+08:00" level=debug msg="Network added" ID=b1 source=virtcontainers subsystem=network May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.873613774+08:00" level=info msg="Starting VM" ID=b1 sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.873648997+08:00" level=debug ID=b1 default-kernel-parameters="tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 debug" source=virtcontainers subsystem=qemu May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.873854202+08:00" level=info msg="launching /usr/bin/qemu-vanilla-system-x86_64 with: [-name sandbox-b1 -uuid 5208064f-95bb-4351-aba8-526fead35624 -machine pc,accel=kvm,kernel_irqchip -cpu host,pmu=off -qmp unix:/run/vc/vm/b1/qmp.sock,server,nowait -m 1024M,slots=10,maxmem=2843M -device pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device virtconsole,chardev=charconsole0,id=console0 -chardev socket,id=charconsole0,path=/run/vc/vm/b1/console.sock,server,nowait -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng-pci,rng=rng0,romfile= -device virtserialport,chardev=charch0,id=channel0,name=agent.channel.0 -chardev socket,id=charch0,path=/run/vc/vm/b1/kata.sock,server,nowait -device virtio-9p-pci,disable-modern=true,fsdev=extra-9p-kataShared,mount_tag=kataShared,romfile= -fsdev local,id=extra-9p-kataShared,path=/run/kata-containers/shared/sandboxes/b1,security_model=none -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config -nodefaults -nographic -daemonize -object memory-backend-ram,id=dimm1,size=1024M -numa node,memdev=dimm1 -kernel /usr/share/kata-containers/vmlinuz-3.10.0-1127.8.2.el7.x86_64 -initrd /usr/share/kata-containers/initramfs-3.10.0-1127.8.2.el7.x86_64.img -append tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 iommu=off cryptomgr.notests net.ifnames=0 pci=lastbus=0 debug panic=1 nr_cpus=4 agent.use_vsock=false scsi_mod.scan=none agent.log=debug initcall_debug agent.log=debug initcall_debug -pidfile /run/vc/vm/b1/pid -D /run/vc/vm/b1/qemu.log -smp 1,cores=1,threads=1,sockets=4,maxcpus=4]" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 kvm[15916]: 1 guest now active May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.941703497+08:00" level=info msg="{\"QMP\": {\"version\": {\"qemu\": {\"micro\": 1, \"minor\": 1, \"major\": 4}, \"package\": \"\"}, \"capabilities\": [\"oob\"]}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.94183877+08:00" level=info msg="QMP details" ID=b1 qmp-capabilities=oob qmp-major-version=4 qmp-micro-version=1 qmp-minor-version=1 source=virtcontainers subsystem=qemu May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.941703497+08:00" level=info msg="{\"QMP\": {\"version\": {\"qemu\": {\"micro\": 1, \"minor\": 1, \"major\": 4}, \"package\": \"\"}, \"capabilities\": [\"oob\"]}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.941838770+08:00" level=info msg="QMP details" ID=b1 qmp-capabilities=oob qmp-major-version=4 qmp-micro-version=1 qmp-minor-version=1 source=virtcontainers subsystem=qemu May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.941883388+08:00" level=info msg="{\"execute\":\"qmp_capabilities\"}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.941883388+08:00" level=info msg="{\"execute\":\"qmp_capabilities\"}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.942258784+08:00" level=info msg="{\"return\": {}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.942258784+08:00" level=info msg="{\"return\": {}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.942364882+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/b1/qmp.sock: use of closed network connection" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.94243328+08:00" level=info msg="VM started" ID=b1 sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.942482115+08:00" level=debug msg="Start to watch the console" ID=b1 sandbox=b1 source=virtcontainers subsystem=kata_agent May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.942517792+08:00" level=info msg="proxy started" ID=b1 proxy-pid=15913 proxy-url=/run/vc/vm/b1/kata.sock sandbox=b1 source=virtcontainers subsystem=kata_agent May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.942538954+08:00" level=debug msg="DNS file not present in ociMounts. Sandbox DNS will not be set." ID=b1 source=virtcontainers subsystem=kata_agent May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.942557341+08:00" level=info msg="New client" ID=b1 proxy=15913 source=virtcontainers subsystem=kata_agent url=/run/vc/vm/b1/kata.sock May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.942364882+08:00" level=info msg="sanner return error: read unix @->/run/vc/vm/b1/qmp.sock: use of closed network connection" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.942433280+08:00" level=info msg="VM started" ID=b1 sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.942482115+08:00" level=debug msg="Start to watch the console" ID=b1 sandbox=b1 source=virtcontainers subsystem=kata_agent May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.942517792+08:00" level=info msg="proxy started" ID=b1 proxy-pid=15913 proxy-url=/run/vc/vm/b1/kata.sock sandbox=b1 source=virtcontainers subsystem=kata_agent May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.942538954+08:00" level=debug msg="DNS file not present in ociMounts. Sandbox DNS will not be set." ID=b1 source=virtcontainers subsystem=kata_agent May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.942557341+08:00" level=info msg="New client" ID=b1 proxy=15913 source=virtcontainers subsystem=kata_agent url=/run/vc/vm/b1/kata.sock May 27 14:05:14 centos0 containerd[1398]: time="2020-05-27T14:05:14.942977682+08:00" level=debug msg="sending request" ID=b1 name=grpc.CheckRequest req= source=virtcontainers subsystem=kata_agent May 27 14:05:14 centos0 kata[15899]: time="2020-05-27T14:05:14.942977682+08:00" level=debug msg="sending request" ID=b1 name=grpc.CheckRequest req= source=virtcontainers subsystem=kata_agent May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.944946714+08:00" level=error msg="Failed to read agent logs" ID=b1 console-protocol=unix console-socket=/run/vc/vm/b1/console.sock error="read unix @->/run/vc/vm/b1/console.sock: use of closed network connection" sandbox=b1 source=virtcontainers subsystem=kata_agent May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.944946714+08:00" level=error msg="Failed to read agent logs" ID=b1 console-protocol=unix console-socket=/run/vc/vm/b1/console.sock error="read unix @->/run/vc/vm/b1/console.sock: use of closed network connection" sandbox=b1 source=virtcontainers subsystem=kata_agent May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.945017053+08:00" level=info msg="Stopping Sandbox" ID=b1 source=virtcontainers subsystem=qemu May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.945017053+08:00" level=info msg="Stopping Sandbox" ID=b1 source=virtcontainers subsystem=qemu May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.945995148+08:00" level=info msg="{\"QMP\": {\"version\": {\"qemu\": {\"micro\": 1, \"minor\": 1, \"major\": 4}, \"package\": \"\"}, \"capabilities\": [\"oob\"]}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.945995148+08:00" level=info msg="{\"QMP\": {\"version\": {\"qemu\": {\"micro\": 1, \"minor\": 1, \"major\": 4}, \"package\": \"\"}, \"capabilities\": [\"oob\"]}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.946667087+08:00" level=info msg="{\"execute\":\"qmp_capabilities\"}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.946667087+08:00" level=info msg="{\"execute\":\"qmp_capabilities\"}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.947680323+08:00" level=info msg="{\"return\": {}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.947781551+08:00" level=info msg="{\"execute\":\"quit\"}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.947680323+08:00" level=info msg="{\"return\": {}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.947985343+08:00" level=info msg="{\"return\": {}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.948023253+08:00" level=info msg="{\"timestamp\": {\"seconds\": 1590559534, \"microseconds\": 947977}, \"event\": \"SHUTDOWN\", \"data\": {\"guest\": false, \"reason\": \"host-qmp-quit\"}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.948103439+08:00" level=info msg="cleanup vm path" ID=b1 dir=/run/vc/vm/b1 link=/run/vc/vm/b1 source=virtcontainers subsystem=qemu May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.948277275+08:00" level=debug msg="Network removed" ID=b1 source=virtcontainers subsystem=network May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.948311223+08:00" level=info msg="Network namespace \"/var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1\" deleted" ID=b1 source=virtcontainers subsystem=network May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.947781551+08:00" level=info msg="{\"execute\":\"quit\"}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.947985343+08:00" level=info msg="{\"return\": {}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.948023253+08:00" level=info msg="{\"timestamp\": {\"seconds\": 1590559534, \"microseconds\": 947977}, \"event\": \"SHUTDOWN\", \"data\": {\"guest\": false, \"reason\": \"host-qmp-quit\"}}" ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.948103439+08:00" level=info msg="cleanup vm path" ID=b1 dir=/run/vc/vm/b1 link=/run/vc/vm/b1 source=virtcontainers subsystem=qemu May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.948277275+08:00" level=debug msg="Network removed" ID=b1 source=virtcontainers subsystem=network May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.950280356+08:00" level=info msg="sanner return error: " ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.948311223+08:00" level=info msg="Network namespace \"/var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1\" deleted" ID=b1 source=virtcontainers subsystem=network May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.950280356+08:00" level=info msg="sanner return error: " ID=b1 source=virtcontainers subsystem=qmp May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.954720673+08:00" level=debug msg="Deleting sandbox cgroup" ID=b1 sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.95484038+08:00" level=warning msg="sandbox cgroups path is empty" ID=b1 sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.954896335+08:00" level=info msg="cleanup agent" ID=b1 path=/run/kata-containers/shared/sandboxes/b1 source=virtcontainers subsystem=kata_agent May 27 14:05:34 centos0 kata[15899]: time="2020-05-27T14:05:34.954948729+08:00" level=warning msg="failed to cleanup netns" ID=b1 error="failed to get netns /var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1: failed to Statfs \"/var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1\": no such file or directory" path=/var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1 source=katautils May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.954720673+08:00" level=debug msg="Deleting sandbox cgroup" ID=b1 sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.954840380+08:00" level=warning msg="sandbox cgroups path is empty" ID=b1 sandbox=b1 source=virtcontainers subsystem=sandbox May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.954896335+08:00" level=info msg="cleanup agent" ID=b1 path=/run/kata-containers/shared/sandboxes/b1 source=virtcontainers subsystem=kata_agent May 27 14:05:34 centos0 containerd[1398]: time="2020-05-27T14:05:34.954948729+08:00" level=warning msg="failed to cleanup netns" ID=b1 error="failed to get netns /var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1: failed to Statfs \"/var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1\": no such file or directory" path=/var/run/netns/cnitest-7ee8555a-9569-68b4-8555-87b9806f59b1 source=katautils May 27 14:05:35 centos0 kvm[15922]: 0 guests now active ```

[lining2020x]

Any more guides or tips about the kata guest kernel customizing are welcome. : )

[jodh-intel]

Hi @lining2020 - I'm not sure what else we can provide. @fidencio pointed you to https://github.com/kata-containers/packaging/tree/master/kernel/configs, which contains all the kernel config options we use for Kata kernels. If your kernel doesn't work with Kata, you'd need to check to see if any of the kernel config options required by Kata are missing from your kernel.

Out of interest, why are you trying to use a CentOS kernel? The Kata guest kernels only enable the features required rather that enabling every config setting. Also note that the default Kata guest kernel doesn't use any modules, whereas a standard "host kernel" generally uses (or atleast supports) many modules. However, Kata does support kernel module loading (which you may need possibly) - see https://github.com/kata-containers/documentation/blob/master/how-to/how-to-load-kernel-modules-with-kata.md.

@grahamwhaley may have further insights into this whole topic.

[grahamwhaley]

Given it appears to be such an old kernel (v3.10?), I suspect there may be a number of KVM features, improvements and fixes that Kata requires that are possibly are not in that kernel. Maybe they have been backported by Centos, but I don't know. @dagrh - would you maybe know if a Centos 3.10 kernel has any chance of working as the Kata guest?

[dagrh]

We certainly haven't backported virtiofs to it (and probably has any 9p stuff configured out). The 3.10 stream has got kvm fixes until the last few months I think and then bug fixes; but nothing major now.It's also not obvious to me what the state of vsock is in it. The 8.2 kernel shoud be more interesting for that.

[lining2020x]

@jodh-intel The default guest kernel provided by kata is vmlinux-5.4.32.73-62.2.container. We are not sure the v5.4 kernel is secure and stable enough. So we are considering to used the centos kernel to replace it or use our own kernel. ( And I though maybe the 4.18 of centos 8.x would be more proper if we have to).

I used the v3.10 just because my host kernel is v3.10, and I copied it to /usr/share/kata-containers for a quick test.

[dagrh]

@lining2020 If you want a CentOS kernel then the 8.x branch would be a better bet; 8.2 has the virtiofs code in it; I'm not sure if CentOS has built 8.2 yet, but it might be in the CentOS stream set.

[lining2020x]

@dagrh Thanks. I would hava a try later if 8.2 kernel available.