Build and run CoCo/Kata Container with RME Support
- Kevin Zhao
Build Kata container with RME Support
Build Environment
Ubuntu 22.04 Arm64, Kernel 6.5.0-28-generic, native build.
Build process
Due to the quick code change for CCA software stack, the Kata-container is working well with v1.0-eac5 Guest kernel and Qemu. We skip the RFCv2 integration, and WIP on Kata-support with RFCv3.
The original v1.0-eac5 is not working with TSM report modules, and there is a backport patch to support this: https://git.codelinaro.org/linaro/dcap/cca-demos/build-ccs/-/blob/clo/main/shrinkwrap/config/linux/TSM-CCA-Prototype.patch?ref_type=heads
Download build-ccs repository and run the command as below:
git clone https://git.codelinaro.org/linaro/dcap/cca-demos/build-ccs.git
cd build-ccs
git checkout origin/dev/clo/main
make kata-deployAfter run the command, it will automatically build the:
Kata Guest Kernel(v1.0-eac5 with TSM support)
Kata rootfs image/Kata initrd image(Kata-agent and CoCo guest components will be also included)
Qemu with CCA enabled (v1.0-eac5)
Kata container Binaries/virtiofsd
All the binaries will be moved to build-ccs/binaries
Prepare Kata container Host
In order to launch the Kata-container, it needs the host kernel have different configurations. The demo kernel configuration is https://people.linaro.org/~kevin.zhao/config-cca-host-v1.0-eac5
Repo: https://gitlab.arm.com/linux-arm/linux-cca cca-full/rmm-v1.0-eac5
cd linux-cca
cp config-cca-host-v1.0-eac5
make CROSS_COMPILE=aarch64-linux-gnu- ARCH=arm64 -j8Follow the instructions show here Building an RME stack for QEMU | Build the Ubuntu Rootfs , you will get a ubuntu rootfs. Assume it is named as ubuntu22.img, mount at /root/mnt, then make modules install to put the modules to the rootfs.
sudo mount /root/ubuntu22.img /root/mnt
cd ../linux-cca
sudo make modules_install ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- INSTALL_MOD_PATH=/root/mnt
sudo umount /root/mntInstall and Configure the Kata container
Launch the Kata container Host
Can refer to : https://linaro.atlassian.net/wiki/spaces/QEMU/pages/29051027459/Building+an+RME+stack+for+QEMU#With-the-OP-TEE-build-environment. Assume that you are using the OPTEE build environment to set up the pure software stack, and that will be also easy to launch the host.
Then, Change the Makefile script, re-direct the kernel/rootfs you just get from Build and run CoCo/Kata Container with RME Support | Prepare Kata container Host .
Next step, copy the binaries to the Kata host.
Install Kata from tarball
Configure the Kata-containers
Get the Kata container configuration from: https://people.linaro.org/~kevin.zhao/configuration.toml, copy it to /etc/kata-containers/
Set some configuration items in /etc/kata-containers/configuration.toml. Kata containers can run with either an initrd image or a rootfs image. But they can just be set either rootfs or initrd, please do not set both. Here we test rootfs. Some essential configurations items should be changed as below.
Configure the Containerd to use Kata-container. Copy https://people.linaro.org/~kevin.zhao/config.toml.containerd to /etc/containerd/config.toml
More things for Kata with containerd, please refer here: https://github.com/kata-containers/kata-containers/blob/main/docs/install/container-manager/containerd/containerd-install.md
Install CNI and nerdctl to launch the container
CNI - Container network interface
CNI is essential for container network. CNI can be installed either binaries or build from source, check :
More things for Kata with containerd, please refer here:
Nerdctl command line
Install nerdctl command line. nerdctl cmdline will automatically set up the CNI network with host-local, and it is compatible with docker command line. Just copy the binaries to the host and it is ready to go. See more for Nerdctl
Run command like below to launch Kata container:
Â