kata: introduce kata container support

[egernst]

Signed-off-by: Eric Ernst [email protected]

What this PR does / why we need it:

PR adds support for Kata Containers.

Which issue this PR fixes :

fixes # 3463

Special notes for your reviewer:

Should look very familiar to initial Clear Container support PRs.

If applicable:

• documentation
• unit tests

Release note:

[msftclas]

All CLA requirements met.

[egernst]

testing still wip

[codecov]

Codecov Report

Merging #3465 into master will decrease coverage by <.01%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #3465      +/-   ##
==========================================
- Coverage   55.83%   55.83%   -0.01%     
==========================================
  Files         105      105              
  Lines       15885    15884       -1     
==========================================
- Hits         8870     8869       -1     
  Misses       6270     6270              
  Partials      745      745

[egernst]

To test this PR, I built my branch of acs-engine locally and then tried the basic kata containers test I introduced. Unfortunately it failed with an error that isn't real clear -- perhaps just a timeout? If anyone has pointers, I'd appreciate it.

Details:

eernst-mac02:acs-engine eernst$ ./bin/acs-engine deploy --subscription-id xxxxx --dns-prefix kata-test --location westus2 --api-model kubernetes-kata-containers.json

WARN[0003] apimodel: missing masterProfile.dnsPrefix will use "kata-test"
WARN[0003] --resource-group was not specified. Using the DNS prefix from the apimodel as the resource group name: kata-test
WARN[0006] apimodel: ServicePrincipalProfile was missing or empty, creating application...
WARN[0008] created application with applicationID (ef542ac5-28c0-45c0-bbf4-f8eefec6a701) and servicePrincipalObjectID (2d64c93b-de51-4801-ba8b-9ab2bc3e5c55).
WARN[0008] apimodel: ServicePrincipalProfile was empty, assigning role to application...
INFO[0045] Starting ARM Deployment (kata-test-1196995142). This will take some time...
INFO[0259] Finished ARM Deployment (kata-test-1196995142). Error: resources.DeploymentsClient#CreateOrUpdate: Failure sending request: StatusCode=200 -- Original Error: Long running operation terminated with status 'Failed': Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details."
ERRO[0259] {"status":"Failed","error":{"code":"DeploymentFailed","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details.","details":[{"code":"Conflict","message":"{
 \"status\": \"Failed\",
 \"error\": {
   \"code\": \"ResourceDeploymentFailure\",
   \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",
   \"details\": [
     {
       \"code\": \"VMExtensionProvisioningError\",
       \"message\": \"VM has reported a failure when processing extension 'cse-agent-0'. Error message: \\\"Enable failed: failed to execute command: command terminated with exit status=2\\n[stdout]\\n\\n[stderr]\\n\\\".\"
     }
   ]
 }
}"},{"code":"Conflict","message":"{
 \"status\": \"Failed\",
 \"error\": {
   \"code\": \"ResourceDeploymentFailure\",
   \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",
   \"details\": [
     {
       \"code\": \"VMExtensionProvisioningError\",
       \"message\": \"VM has reported a failure when processing extension 'cse-agent-2'. Error message: \\\"Enable failed: failed to execute command: command terminated with exit status=2\\n[stdout]\\n\\n[stderr]\\n\\\".\"
     }
   ]
 }
}"},{"code":"Conflict","message":"{
 \"status\": \"Failed\",
 \"error\": {
   \"code\": \"ResourceDeploymentFailure\",
   \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",
   \"details\": [
     {
       \"code\": \"VMExtensionProvisioningError\",
       \"message\": \"VM has reported a failure when processing extension 'cse-agent-1'. Error message: \\\"Enable failed: failed to execute command: command terminated with exit status=2\\n[stdout]\\n\\n[stderr]\\n\\\".\"
     }
   ]
 }
}"},{"code":"Conflict","message":"{
 \"status\": \"Failed\",
 \"error\": {
   \"code\": \"ResourceDeploymentFailure\",
   \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",
   \"details\": [
     {
       \"code\": \"VMExtensionProvisioningError\",
       \"message\": \"VM has reported a failure when processing extension 'cse-master-0'. Error message: \\\"Enable failed: failed to execute command: command terminated with exit status=2\\n[stdout]\\n\\n[stderr]\\n\\\".\"
     }
   ]
 }
}"}]}}
FATA[0259] resources.DeploymentsClient#CreateOrUpdate: Failure sending request: StatusCode=200 -- Original Error: Long running operation terminated with status 'Failed': Code="DeploymentFailed" Message="At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-debug for usage details."

[egernst]

@scooley, @jessfraz - let me know if this failure is familiar, or if you have tips on where to look for more details. Thx!

[adelina-t]

@egernst I ran into the same issue while running windows k8s CI jobs on this PR. Basically the k8s script that provisions the master node failed. You can see logs on the master node in /var/log/azure/cluster-provision.log . You basically forgot a "||" operator at L367 and L373 ( letf a comment inline as well ) :) That's the reason for "VM has reported a failure when processing extension 'cse-master-0'"

[adelina-t]

Forgot "||" operator here :)

[adelina-t]

and here :) that's why you got cse-master-0 error.

[egernst]

Oh, that's embarrassing -- thanks for the help.

[egernst]

@adelina-t - sweet, thanks for teaching me to fish - the /var/log/azure/cluster-provision.log is very helpful; that's what I was missing.

[egernst]

@adelina-t -- repushed with these fixed.

I verified I could create a cluster using the added example, kubernetes-kata-containers.json

You mentioned a comment inline? Can you clarify.

[adelina-t]

@egernst By "comment inline" I was referring to the comments I left on the commit. Probably not the clearest choice of words on my part :)

[CecileRobertMichon]

I don't think we need the example json in both places, we have a //todo item to move the feature examples in e2e-tests/ so you can probably keep just the other one

[egernst]

ACK.

[CecileRobertMichon]

let's add a new exit code specific to Kata install here

[CecileRobertMichon]

You can see installDocker() for a model

[egernst]

ACK.

[CecileRobertMichon]

this should be apt_get_update || exit $ERR_APT_UPDATE_TIMEOUT

[egernst]

ack

[CecileRobertMichon]

and apt_get_install 20 30 120 kata-runtime || exit $ERR_KATA_INSTALL_TIMEOUT here, ERR_KATA_INSTALL_TIMEOUT needs to be defined at the top of the file

[egernst]

ack

[CecileRobertMichon]

I realize that my comments in this function also apply to installClearContainersRuntime(), which is probably why you did it that way but I think installClearContainersRuntime needs to be changed as well to have proper exit codes.

[egernst]

No worries. Okay to update the example function, installClearContainersRuntime(), in a follow-on PR?

[CecileRobertMichon]

Of course!

[CecileRobertMichon]

what happens if this is false?

[egernst]

in that case, the given node would not install kata container artifacts

[CecileRobertMichon]

Would the node be functional? Does that mean there would be no container runtime installed?

[egernst]

It'll be fully functional, though the user may hope to use Kata, but in reality be using runc.
When Kata is installed, the operator deploying workloads would have option of either using runc or kata-runtime. In the case VMX isn't supported on the node, any workloads targeting kata-runtime would be handled by the default runtime, runc.

[CecileRobertMichon]

Sounds good, thanks for clarifying

[CecileRobertMichon]

Is kata-containers supported for all k8s versions?

[egernst]

Kata is more tightly couple with the CRI-shim version (in this case, containerd). I think if there's an error, it'll likely be a mismatch between containerd + k8s?

[egernst]

Thanks for the quick feedback, @CecileRobertMichon. The updates error codes will definitely make debug much easier - updated per your feedback. PTAL.

[egernst]

ACK.

[egernst]

Kata is more tightly couple with the CRI-shim version (in this case, containerd). I think if there's an error, it'll likely be a mismatch between containerd + k8s?

[egernst]

No worries. Okay to update the example function, installClearContainersRuntime(), in a follow-on PR?

[egernst]

ack

[egernst]

ack

[egernst]

ACK.

[egernst]

in that case, the given node would not install kata container artifacts

[CecileRobertMichon]

any reason why tiller and dashboard are disabled explicitly? If not, we can probably let them go to default

[egernst]

No, this was just me being lazy and copying what was done for Clear Containers in the past.

[egernst]

@CecileRobertMichon I verified example after suggested lines. PTAL

[egernst]

I'm not sure if there is any action required on my end for kicking this CI (waiting for status to be reported), but please let me know if I can do anything to help push this along.

[CecileRobertMichon]

@egernst I'll kick off ci once the PR is approved, will finish reviewing later today if I have time. Thank you for following this through!

[CecileRobertMichon]

lgtm