Add limitations doc #48
Conversation
|
This is a heavily reworked version of: Some questions:
/cc @gnawux, @sameo, @mcastelino, @bergwolf, @grahamwhaley. |
|
Hi @klynnrif - ptal. |
Limitations.md
Outdated
| use of VMs. | ||
|
|
||
| The [Kata Container runtime](https://github.com/kata-containers/runtime) launches each container within its own hardware isolated VM, and each VM has its own kernel. Due to this higher | ||
| degree of isolation, there are certain container capabilities that |
There was a problem hiding this comment.
Lines 47-48 suggested rewrite: degree of isolation, certain container capabilities cannot be supported or are implicitly enabled through the VM.
Limitations.md
Outdated
|
|
||
| The [Open Container Initiative](https://www.opencontainers.org/) [Runtime Specification](https://github.com/opencontainers/runtime-spec) ("OCI spec") defines the minimum specifications a runtime must support to interoperate with container managers such as Docker. If a runtime does not support some aspect of the OCI spec, it is by definition a limitation. | ||
|
|
||
| However, the OCI runtime reference implementation (`runc`) does not perfectly align with the OCI spec itself. Further since the default OCI runtime used by Docker is `runc`, Docker expects runtimes to behave as `runc` does. This implies that *another* form of limitation arises if the behaviour of a runtime implementation does not align with that of `runc`. These two "dual standards" (one documented, one undocumented) complicates the challenge of supporting a Docker environment since a runtime must support the official OCI spec *and* the non-standard extensions provided by `runc`. |
There was a problem hiding this comment.
Adding a comma and updating "behaviour" to "behavior":
Further, since the default OCI runtime used by Docker is runc, Docker expects runtimes to behave as runc does. This implies that another form of limitation arises if the behavior of a runtime implementation does not align with that of runc. These two "dual standards" (one documented and one undocumented) complicates the challenge of supporting a Docker environment since a runtime must support the official OCI spec and the non-standard extensions provided by runc.
Limitations.md
Outdated
|
|
||
| # Scope | ||
|
|
||
| Each known limitation is captured in a separate github issue containing detailed information about the issue. These issues are tagged with the `limitation` label. This document is a curated summary of important known limitations, providing links to the relevant github issues. |
There was a problem hiding this comment.
Suggested rewrite:
Each known limitation is captured in a separate github issue that contains detailed information about the issue. These issues are tagged with the limitation label. This document is a curated summary of important known limitations and provides links to the relevant github issues.
Limitations.md
Outdated
|
|
||
| Each known limitation is captured in a separate github issue containing detailed information about the issue. These issues are tagged with the `limitation` label. This document is a curated summary of important known limitations, providing links to the relevant github issues. | ||
|
|
||
| The link below shows the latest list of limitations: |
There was a problem hiding this comment.
The following link shows the latest list of limitations:
Limitations.md
Outdated
|
|
||
| # Pending items | ||
|
|
||
| This section lists items that may technically be fixable. |
There was a problem hiding this comment.
This section lists items that you might be able to fix.
There was a problem hiding this comment.
fyi - I've changed this to the following to avoid the "you":
This section lists items that might be possible to fix.
Limitations.md
Outdated
|
|
||
| - Inside the VM | ||
|
|
||
| Constrain the guest kernel. This could be achieved for example by passing particular values via the kernel command line used to boot the guest kernel. Alternatively, sysctl values could be applied at early boot. |
There was a problem hiding this comment.
Constrain the guest kernel. This can be achieved by passing particular values through the kernel command line used to boot the guest kernel. Alternatively, sysctl values can be applied at early boot.
Limitations.md
Outdated
|
|
||
| - Constrain the hypervisor process by applying host-level constraints. | ||
|
|
||
| - Constrain all processes running inside the hypervisor |
There was a problem hiding this comment.
Adding a period: Constrain all processes running inside the hypervisor.
Limitations.md
Outdated
|
|
||
| - Constrain all processes running inside the hypervisor | ||
|
|
||
| This could be achieved by specifying particular hypervisor configuration options. |
There was a problem hiding this comment.
This can be achieved by specifying particular hypervisor configuration options.
Limitations.md
Outdated
|
|
||
| This could be achieved by specifying particular hypervisor configuration options. | ||
|
|
||
| - Constrain the [shim](https://github.com/kata-containers/shim) process |
There was a problem hiding this comment.
Adding a period: Constrain the shim process.
Limitations.md
Outdated
|
|
||
| - Constrain the [proxy](https://github.com/kata-containers/proxy) process. | ||
|
|
||
| Note that in some circumstances it may be necessary to apply particular constraints at *more than one* of the areas above to achieve the desired level of isolation and resource control. |
There was a problem hiding this comment.
Suggested rewrite:
Note that in some circumstances it might be necessary to apply particular constraints to more than one of the previous areas to achieve the desired level of isolation and resource control.
jodh-intel
force-pushed
the
add-limitations-doc
branch
from
fa74ec5 to
b5be17d
Compare
|
Thanks for that epic review @klynnrif! Branch updated 😄 |
|
ping! |
Limitations.md
Outdated
| expects runtimes to behave as `runc` does. This implies that another form of | ||
| limitation arises if the behavior of a runtime implementation does not align | ||
| with that of `runc`. These two "dual standards" (one documented and one | ||
| undocumented) complicates the challenge of supporting a Docker environment |
There was a problem hiding this comment.
s/complicates/complicate/
or rewrite to 'Having two standards complicates....' etc.
| See issue https://github.com/kata-containers/runtime/issues/186 for more information. | ||
|
|
||
| ### ps command | ||
|
|
There was a problem hiding this comment.
Is this done with kata-containers/agent#194 and related (/cc @devimc to note we will need to update this doc if/when it is complete)
There was a problem hiding this comment.
I think we're blocked on kata-containers/runtime#130 for a functional ps command.
There was a problem hiding this comment.
@devimc - are we good to remove this ps limitation from the doc now?
Limitations.md
Outdated
|
|
||
| ## Docker ramdisk not supported | ||
|
|
||
| The magic `DOCKER_RAMDISK=true` environment variable used by Docker to force |
There was a problem hiding this comment.
s/magic// if you want
Limitations.md
Outdated
|
|
||
| ## The constraints challenge | ||
|
|
||
| Applying resource constraints such as cgroup, cpu, memory, and storage to a workload is not always straightforward with a VM based system. A Kata Container runs in an isolated environment inside a virtual machine. This, coupled with the architecture of Kata Containers, offers many more possibilities than are available to traditional Linux* containers due to the various layers and contexts. |
There was a problem hiding this comment.
'Linux' is mentioned previously on line 222 - you might want to move the * up there as the 'first mention'.
Add the list of known limitations. Fixes kata-containers#31. Signed-off-by: James O. D. Hunt <[email protected]>
Add links for the dev guide and limitations doc to the `README`. Signed-off-by: James O. D. Hunt <[email protected]>
Update the limitations document to remove the `spec` command limitation (implemented on kata-containers/runtime#196). Signed-off-by: James O. D. Hunt <[email protected]>
jodh-intel
force-pushed
the
add-limitations-doc
branch
from
2f2956e to
3e8400e
Compare
|
Thanks @grahamwhaley - branch updated. |
|
@bergwolf, @egernst, @WeiZhang555 - please could you review and approve if you're happy with it? We already have two acks on this PR (including 1 from the doc team) so it would be great to have this land... 😄 |
|
LGTM |
Add the list of known limitations.
Fixes #31.
Signed-off-by: James O. D. Hunt [email protected]