On-boarding Kata Containers into OpenShift CI

[wainersm]

This is an initial implementation on kata-containers's side of the requirements to get it on-boarded into the OpenShift CI. On the README file added on this PR there are more detailed technical information about the openshift-ci and how the scripts/files proposed on this PR are used. On openshift-ci's side there will be needed to have openshift/release#9009 merged too. Please, refer to that README (and the openshift-ci documentation pointers it provides) for further information.

In the issue #2527 I describe the ultimate goal with these changes which is to run e2e openshift 4 tests with latest kata-containers code. However this initial implementation provides only a smoke test suite that I used for the purpose of testing the CI code itself. So once this initial backbone is merged I will be able to work on the execution of e2e tests properly saying.

On my development cluster the proposed here pipeline installs kata correctly and the smoke tests pass. However, on the openshift-ci environment the pipeline seems to install kata correctly but the smoke test fails. I've debugged it but I don't have a solution so far and the problem seems alike cri-o/cri-o#2984 .

Also there is a known issue (and a colleague is helping me to solve):

• Long story short: it fails to build osbuilder because the scripts use docke, instead we will need to use the Dracut method for osbuilder.
• The long story is: the build_install.sh basically exports the variables to produce the desired kata installation (under runtime/_out/build_install) then calls the tests/.ci/Install_kata.sh script. It tries to fetch pre-built artifacts from Jenkins and when the cache fails it attempts to build them locally. The problem is that in openshift-ci build environment it is not allowed to evoke docker because it is already in a containerized context (i.e. no nested containers allowed).

Regardless the limitations and known issues I explained before, I would like to have a general review on this PR because I've spent too much time on the code and likely there are stuffs that I missed (and I don't want to spend much more time fixing it :)

[wainersm]

@GabyCT @chavafg Hi! kata-check-markdown complain about the following but I don't know how to fix. Could you help here?

ERROR: Document .ci/openshift-ci/README.md is not referenced

[chavafg]

Thanks @wainersm for this PR. To solve the not referenced issue, you can create a reference in the main README.md to the .ci/openshift-ci/README.md file. Maybe adding a small description of the OpenShift CI in the CI Content section of the main readme.
wdyt @jodh-intel ?

[wainersm]

Thanks @wainersm for this PR. To solve the not referenced issue, you can create a reference in the main README.md to the .ci/openshift-ci/README.md file. Maybe adding a small description of the OpenShift CI in the CI Content section of the main readme.

Thanks @chavafg ! I've added an entry on .ci/README.md 's scripts table that made this error away.

There is another issue however. On my readme I am referencing urls that should be available only when openshift/release#9009 gets merged. It is a chicken-and-eggs problem. How usually you guys overcome this?

[jodh-intel]

Hi @wainersm - thanks for raising! Travis is failing as the new file isn't referenced by any others:

ERROR: Document .ci/openshift-ci/README.md is not referenced

Please add a link to the new file in the .ci/README.md file for example (or the top-level README.md?)

Note that looking at the doc, there are some words our spell checker will complain about. Once you've re-pushed Travis will run that for you, but you might want to run the spell checker locally until you get a clean pass.

[jodh-intel]

Thanks for raising @wainersm. A few comments and suggestions...

[jodh-intel]

Nit: very long lines, which makes diff harder to read.

[wainersm]

I'm re-writing the README to keep the lines under 80-chars limit.

[jodh-intel]

The spell checker won't like this I think so I'd suggest changing to kata-containers/.

[jodh-intel]

"ci-operator" isn't a dictionary word to you either need to add it to our spell checker dictionary (see https://github.com/kata-containers/tests/tree/master/cmd/check-spelling), or -- simpler -- just refer to it as "CI operator" instead maybe?

[wainersm]

Yes, I changed the README to use "CI operator" instead.

[jodh-intel]

The project should always be referred to as "Kata Containers" in documentation. But here I think you are referring to the directory? In which case, put it in back-ticks: kata-containers/.

[wainersm]

I re-wrote the README to use the project's name correctly as "Kata Containers".

[jodh-intel]

That's a long time; does it need to be this long?

[wainersm]

I ran this script in OpenShift CI many times, the kata-deploy daemonset never finished before 2min. Usually it takes 3 iterations to finish (~6 min). So I don't think 2 min on this sleep is a long time.

[jodh-intel]

Nit: odd indentation (tabs vs. spaces?)

[wainersm]

I've rewrite the script to fix those tabs vs spaces and long-than-80-chars lines. Thanks!

[jodh-intel]

Missing break?

[wainersm]

It doesn't need a break here. I check the number of running ds_pods in the begin of the loop.

[jodh-intel]

Please resolve and remove the comment, or add a ref to a GitHub issue.

[wainersm]

Done

[jodh-intel]

This is starting to look a bit like lisp :)

[wainersm]

To be honest, I found it a little bit uncommon (so to speak). But I wanted the config files versioned in plain-text so that any change would be properly visualized with diff. So the only solution I've found was to convert from text to base64 on run-time. Perhaps the if [ -z "$KATA_CRIO_CONF_BASE64" ]; then is not needed....

[wainersm]

Hi @jodh-intel , thanks for your careful initial review! I tried to address as much as possible the comments you made on this new version. One important thing I added was the logic to wait the worker nodes to reboot after a change in the system configuration.

I see that Travis warns me about missing license on some files, I will address it in a following version.

v1 -> v2:

• run_smoke_test.sh
  • Correctly handle waitForProcess call
  • Increased timeout to 600s
  • Broke long lines
• cluster/install_kata.sh
  • Added the code to wait the workers to reboot (wait_for_reboot())
  • Fixed tab vs whitespace
  • Broke long lines
• README.md
  • Added toc
  • Fix 'readme not referenced' error
  • Fixed invalid urls
  • Now spell-checker likes me
• build_install.sh
  • Replaced `` with $()
  • Usage as [ -z "$1" ] && die (...)
  • Properly quoting variables
  • vsock TODO reference to ci/install_runtime: check if vhost_vsock module need to be loaded manually #2614
  • Check build root is CentOS

[wainersm]

v2 -> v3:

• Added missing license header

[jodh-intel]

Thanks @wainersm. A few more comments.

[jodh-intel]

Nit: You could specify ```sh or ```bash to get syntax highlighting here.

[wainersm]

done

[jodh-intel]

Nit: missing periods at the end of the full sentences in these bullets.

[wainersm]

done

[jodh-intel]

s/In other to achieve/In order to achieve/ ?

[wainersm]

yet another good catch. thanks!

[wainersm]

done

[jodh-intel]

In a nutshell

🌰 This might be confusing for non-native English speakers 🌰 <-- That's a nut folks, not what you might be thinking! 😄

[wainersm]

hehehehehe Good to know. I always assumed 'in a nutshell' were an expression widely understood in technical communities. Maybe because the first computer books I got access were the ' in a nutshell' series of O'REILLY? Oh, I am getting old... :D

[jodh-intel]

Nit (defensive programming): We try to check params at the start of a function:

wait_for_reboot() {
    local timeout="${1:-}"

    [ -z "$timeout" ] && die "need timeout"

    # ...

}

[wainersm]

Going to change to local delta="${1:-1800}". So I don't need to pass a repeated value on the two calls made in this script, yet let the function configurable for future usage.

[jodh-intel]

This line looks potentially fragile - where is 50-kata defined and is it guaranteed to ever change? Maybe "surface" it by creating a readonly variable at the top of the file.

[wainersm]

The 50-kata is defined inside ${deployments_dir}/machineconfig_kata_runtime.yaml.in. I just learned that I can get the return code of oc get -f ${deployments_dir}/machineconfig_kata_runtime.yaml.in instead.

[jodh-intel]

Nit: duplicated timeout value - maybe define a variable at the top of the file to avoid duplication?

[wainersm]

Done. Now the wait_for_reboot has 1800 as default timeout.

[wainersm]

@jodh-intel Hi James, version 4 just came out of the oven ;)

v3 -> v4:

• README.md
  • All suggestions made by James
• build_install.sh
  • Using the standard QEMU. It was using the experimental (i.e. with
    virtiofs) but in OCP 4.5 the host kernel does not match the minimum version
    required.
• cluster/install_kata.sh
  • Set default timeout for wait_for_reboot()
  • Removed fragile if [ $(oc get machineconfigs|grep 50-kata|wc -l) != "0" ]; then statement

[wainersm]

/cc @fidencio

[c3d]

Probably want to add a comment here explaining why you expect CentOS. I had the same reaction as @jodh-intel when I saw that test.

[c3d]

Two questions about this

1. What happens if you try to use the CentOS golang? (just curiosity on my part)
2. The install script installs go using curl. Should you add yum install curl for safety where you also install sudo?

[wainersm]

Two questions about this

1. What happens if you try to use the CentOS golang? (just curiosity on my part)

Good question. I don't remember If I ever tried the CentOS golang. What I remember is that something used to fail if the environment had the CentOS golang package installed.

The fact is that I tried to adhere this build script as much as possible with the process used in all the Kata Jenkins jobs. And they don't use the distro's golang, instead it is installed the version suggested (runtime/versions.yaml) via tests/.ci/install_go.sh.

2. The install script installs go using `curl`. Should you add `yum install curl` for safety where you also install `sudo`?

Yes, maybe. In the CentOS image used as build root container has curl installed so I didn't bothered.

[c3d]

I don't understand this sentence. Even grammatically.

Do you mean that the CI also installs qemu, and that we need to add our stuff in the same spot (if so, why?). Is it because the prefix will be used for the configuration files, and passing /opt/kata "magically" generates configuration files that point to the right qemu? If so, it really needs to be explained. That's what I understood reading the sentence, but clearly. the sed below adjusts the configuration to point back to /usr/bin. so I'm a bit confused.

From a CI point of view, does that mean that what we test with the CI is not installed in the path where it would be installed on an RHCOS system? What are the implications, if any?

[wainersm]

I don't understand this sentence. Even grammatically.

Reading it again, I even didn't understand what I wrote. :)
I will rephrase it.

Do you mean that the CI also installs qemu, and that we need to add our stuff in the same spot (if so, why?). Is it because the prefix will be used for the configuration files, and passing /opt/kata "magically" generates configuration files that point to the right qemu? If so, it really needs to be explained. That's what I understood reading the sentence, but clearly. the sed below adjusts the configuration to point back to /usr/bin. so I'm a bit confused.

The outcome of buildall_install.sh is a full installation of Kata Containers under runtime/_out/build_install. This is later packaged in a container image along with a install script. By the use of Kubernetes DaemonSets, the content of runtime/_out/build_install is rsync'ed with the node's filesystem.

That said, some facts:

1. By default Kata Containers build to /usr/ and PREFIX=/usr
2. On the cluster node (rhcos):

• /usr is read-only and should not be changed. (see rhcos architecture)
• /opt is a symlink to /var/opt
• /var is writable but, for the sake of support, it should be changed only by machineconfig objects.

3. Kata CI jobs use statically built QEMU rather than of the distros. The CI script will simply fetch and uncompress the tarball in the test machine.

• Kata provides two flavours of QEMU for CI:
  • "experimental" QEMU and virtiofs (see qemu-experimental-nightly-x86_64 job) built for /opt/kata prefix.
  • "standard" QEMU (see the qemu-nightly-x86_64 job) which unlike the experimental QEMU is built for /usr/

4. Kata CI jobs also use built kernel (guest OS) and rootfs (initrd or ramdisk)

• Alike QEMU those files are fetched from Jenkins and uncompressed in the system. Moreover, they will be uncompressed following the PREFIX value.

5. Based on the value of PREFIX the CI scripts will configure Kata's configuration.toml so that it contain the right paths to QEMU (virtiofsd, if the case), Kernel and rootfs.

In buildall_install.sh script PREFIX is set to /opt/kata so that Kata is built to /opt/kata and then I avoid the fact 2 (/usr being readonly). The kernel and rootfs are properly copied to under /opt/kata (fact 4), the "standard" QEMU goes to /usr (fact 3) -- here is the problem -- and then the configuration.toml file gets mis-configured (fact 5). So I change the configuration.toml to fix that as you can see below.

You might ask:

Q: How do you install QEMU in /usr given it is readonly?
A: Dirty hack. Notice that on runtime/.ci/openshift-ci/images/entrypoint.sh script the /usr is re-mounted as read-write

Q: QEMU is static, so can't you simply copy the binary to /opt/kata/bin?
A: It is possible but there is another issue. It is built the firmwares as well, and the QEMU binary still expect them under /usr. Perhaps that can be fixed by changing to firmware location on configuration.toml too.

Q: Can't it be solved differently then?
A: Yes, if we have a "standard" QEMU built with /opt/kata prefix and cached in Jenkins the problem will likely to be over. Honestly, I plan to work on it after this PR gets merged.

Q: Why don't you use QEMU from rhcos?
A: It is trick and brings in a completely different string of issues. We can discuss that in details later but, briefly speaking, rhcos doesn't package QEMU. We could use, say, the CentOS package but on openshift 4.5 it doesn't install smoothly (conflicts with glusterfs....).

All in all, there are plenty of improvements and important decisions to be taken but I am deferring them to after I get this merged. Because I think what I propose here works pretty much well as the v0 to get Kata on-boarded on Openshift CI.

[c3d]

• Kata provides two flavours of QEMU for CI:

  • "experimental" QEMU and virtiofs (see qemu-experimental-nightly-x86_64 job) built for /opt/kata prefix.
  • "standard" QEMU (see the qemu-nightly-x86_64 job) which unlike the experimental QEMU is built for /usr/

That's good news. I thought it was only testing the experimental one.

In buildall_install.sh script PREFIX is set to /opt/kata so that Kata is built to /opt/kata and then I avoid the fact 2 (/usr being readonly). The kernel and rootfs are properly copied to under /opt/kata (fact 4), the "standard" QEMU goes to /usr (fact 3) -- here is the problem -- and then the configuration.toml file gets mis-configured (fact 5). So I change the configuration.toml to fix that as you can see below.

A meta Q about that. If RHCOS is supposed to be a read-only system, why does it let you install stuff in /opt at all? 😃

Q: How do you install QEMU in /usr given it is readonly?
A: Dirty hack. Notice that on runtime/.ci/openshift-ci/images/entrypoint.sh script the /usr is re-mounted as read-write

That part I was aware of, but it's definitely useful to mention it in the comments (it's not obvious at all IMO to someone not familiar with RHCOS)

Q: QEMU is static, so can't you simply copy the binary to /opt/kata/bin?
A: It is possible but there is another issue. It is built the firmwares as well, and the QEMU binary still expect them under /usr. Perhaps that can be fixed by changing to firmware location on configuration.toml too.

A longer term solution might be to mount some subset of the container root fs into the target location (to avoid copies while preserving the right paths)

Q: Can't it be solved differently then?
A: Yes, if we have a "standard" QEMU built with /opt/kata prefix and cached in Jenkins the problem will likely to be over. Honestly, I plan to work on it after this PR gets merged.

Sounds good.

Q: Why don't you use QEMU from rhcos?
A: It is trick and brings in a completely different string of issues. We can discuss that in details later but, briefly speaking, rhcos doesn't package QEMU. We could use, say, the CentOS package but on openshift 4.5 it doesn't install smoothly (conflicts with glusterfs....).

That's another Q I did not have personally, but that would be a valuable addition to the commit message.

All in all, there are plenty of improvements and important decisions to be taken but I am deferring them to after I get this merged. Because I think what I propose here works pretty much well as the v0 to get Kata on-boarded on Openshift CI.

I think that your Q / A is an excellent addition to the commit msg. Thanks a bunch.

[c3d]

Where does that qemu come from? Is that the one built with kata, which we are trying to get rid of?

Shouldn't we try to go with a yum install qemu and get the dependencies that way instead?

[wainersm]

Answered those questions on previous reply.

[wainersm]

v4 -> v5:

• buildall_install.sh:
  • Comment on why it exists if not running in CentOS.

[wainersm]

@jodh-intel , @c3d , what else should I do to get those changes merged?

[jodh-intel]

@wainersm - thanks for updating. There are a number of unanswered questions on this PR though. I think they should all be relatively quick to resolve but please could you respond to them?

[wainersm]

v5 -> v6:

• cluster/install_kata.sh
  • Replaced oc get machineconfig/50-kata to pass the yaml file

[wainersm]

@wainersm - thanks for updating. There are a number of unanswered questions on this PR though. I think they should all be relatively quick to resolve but please could you respond to them?

Hi @jodh-intel , I scan through the question on this PR, and either I answered or change the code properly. Should I "resolve conversation" for every and each conversation? Sorry, I am not used to the review process for Kata... so I might be missing some steps.

[jodh-intel]

Thanks @wainersm.

lgtm

[jodh-intel]

/test

[wainersm]

Thanks @wainersm.

lgtm

Thanks @jodh-intel ! I appreciated your careful review!
I will have a look at the jobs failing.

[wainersm]

@devimc Hi Julio, since you reviewed the required changes on runtime side (kata-containers/runtime#2891) ...mind to review this one as well?

[devimc]

lgtm - thanks @wainersm

[fidencio]

I've spoken with Wainer Yesterday and this part is the first thing we need merged.
Once it's merged, we can work on the OpenShift side and then it'll be good to actually start running it.

@wainersm, thanks a ton for the immense work done on this!

@GabyCT, @chavafg, I'd really feel more comfortable if one you would be merging this PR!

[jodh-intel]

Thanks again for this @wainersm!