docs: documentation for running rootless kata-runtime #553
9b975e1 to 3cbb6b6
Thanks @gabibeyer for the doc, and for all the work you did to have this working in Kata / Podman!
I really appreciate the ability to run kata / podman rootless.
Take a look at the comments and suggested rewrite I left. To recap:
- the way to write notes should follow this
- the way to write code blocks should follow this
- `<br>` are usually not needed, the markdown will render just fine without them!
- Between a sentence and a code block, better to put some punctuation, otherwise it looks like the sentence is not typed out completely.
Thanks @gabibeyer! This is going to be an increasingly useful doc I suspect.
A few comments to align this into the "standard form" ;)
@marcov @jodh-intel Thank you both so much for the detailed PR review; it was extremely helpful and I learned a lot about markdown! I made the first run of changes, but anticipated I missed a few things. I will look it over again in the morning :) Thank you again!
9adc162 to dd69695
Thanks @gabibeyer.
@klynnrif - ptal.
I did another review round @gabibeyer, sorry if I am overwhelming you with comments.
Overall, I am satisfied with how this document is turning out!
@marcov Not overwhelming at all! I really appreciate the thoroughness of both your reviews, thank you!
I don't have permission for labeling this, but should be DNM until the Podman and Kata releases, so that the versions can be updated in the table
dd69695 to 0f38775
Documentation for running Kata Containers with Podman as a non privileged user

Fixes: kata-containers#540

Signed-off-by: gabi beyer <[email protected]>
Scrubbed for spelling, grammar, and voice. Some suggested rewrites here to keep an active voice. Thanks!
## Requirements
- A Linux system, see [supported distributions](https://github.com/kata-containers/documentation/blob/master/install/README.md#supported-distributions) for an updated list.
- If using CentOS 7, `newuidmap` and `newgidmap` do not exist, and can be installed with:
Suggested rewrite:
If using CentOS 7, `newuidmap` and `newgidmap` do not exist. Install them with:
> If installing Podman with a package manager, there is usually no need to install slirp4netns separately.
## Configuration
Now that Kata Containers and Podman have been installed, they need to be configured for rootless execution.
Suggested rewrite:
Now that you have installed Kata Containers and Podman, you need to configure them for rootless execution.
If SELinux is installed and enabled, it needs to be disabled with the following command (Kata Containers [does not support SELinux](https://github.com/kata-containers/documentation/blob/master/Limitations.md#selinux-support)).
> **Warning:**
> The following command may differ depending on the distro being used:
Suggested rewrite:
The following command might differ depending on the distro you use:
#### 2. Add user to KVM group
If running a KVM based hypervisor, the user running the workload needs to be added to the KVM group:
Suggested rewrite:
If running a KVM based hypervisor, add the user running the workload to the KVM group:
#### 3. Reboot
Reboot the system for the changes to take effect (a reboot is required when disabling SELinux, while logging out and back in is enough to have that user joining the `KVM` group).
Suggested rewrite:
... (when you disable SELinux you must reboot, while logging out and back in is enough to have that user joining the ‘KVM’ group).
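The three Configuration steps above (SELinux disabled, user in the KVM group, reboot or re-login) plus the `newuidmap`/`newgidmap` requirement can be checked before the first rootless `podman run`. The preflight script below is an added example written for this review, not code from the kata-containers or Podman projects. The paths it reads (`/etc/subuid`, `/etc/subgid`, `/sys/fs/selinux/enforce`, `/dev/kvm`), the group name `kvm`, and the 65536-ID minimum for a full container UID/GID space are assumptions about a typical Linux host.

```shell
#!/bin/sh
# Preflight checks for running Kata Containers under rootless Podman.
# Added example for this review, not code from the kata-containers or Podman projects.
# Assumptions: subordinate IDs live in /etc/subuid and /etc/subgid, the hypervisor
# group is named "kvm", the device is /dev/kvm, selinuxfs is at /sys/fs/selinux,
# and 65536 IDs per user is the minimum a full container UID/GID space needs.

# subid_range_ok FILE USER [MIN]
# FILE has one "user:start:count" entry per line (the /etc/subuid format).
# Succeeds when USER's ranges add up to at least MIN IDs (default 65536).
subid_range_ok() {
    local file="$1" user="$2" min="${3:-65536}" total=0 name start count
    [ -r "$file" ] || return 1
    # The "|| [ -n "$name" ]" keeps a final line that lacks a trailing newline.
    while IFS=: read -r name start count || [ -n "$name" ]; do
        [ "$name" = "$user" ] || continue
        case "$count" in ''|*[!0-9]*) continue ;; esac  # skip malformed lines
        total=$((total + count))
    done < "$file"
    [ "$total" -ge "$min" ]
}

# idmap_tools_present: newuidmap and newgidmap must be on PATH; the Requirements
# section notes they are absent on CentOS 7 until installed.
idmap_tools_present() {
    command -v newuidmap >/dev/null 2>&1 && command -v newgidmap >/dev/null 2>&1
}

# selinux_mode [ENFORCE_FILE]
# Prints enforcing, permissive, unknown, or disabled when the selinuxfs "enforce"
# flag is absent (SELinux off or not built in, which is what Kata needs).
selinux_mode() {
    local f="${1:-/sys/fs/selinux/enforce}"
    if [ -r "$f" ]; then
        case "$(cat "$f")" in
            1) echo enforcing ;;
            0) echo permissive ;;
            *) echo unknown ;;
        esac
    else
        echo disabled
    fi
}

# user_in_group [USER] GROUP
# Succeeds when GROUP appears in USER's group list. With a USER argument id(1)
# reads the group database, so a usermod -aG shows up immediately; with an empty
# USER it reports the current session's groups, which only change after logging
# out and back in (step 3).
user_in_group() {
    local g
    for g in $(id -nG ${1:+"$1"} 2>/dev/null); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# kvm_device_ok [DEV]
# Succeeds when the hypervisor device is readable and writable by the caller, which
# is what kvm group membership grants. Only relevant for a KVM based hypervisor.
kvm_device_ok() {
    local d="${1:-/dev/kvm}"
    [ -r "$d" ] && [ -w "$d" ]
}

fails=0
report() {  # report STATUS MESSAGE; counts FAIL lines in $fails
    printf '%-4s %s\n' "$1" "$2"
    if [ "$1" = FAIL ]; then fails=$((fails + 1)); fi
}

# preflight USER: run every check and return the number of failures.
preflight() {
    local user="$1" mode
    fails=0
    if subid_range_ok /etc/subuid "$user"; then report PASS "subuid range for $user"
    else report FAIL "$user needs at least 65536 IDs in /etc/subuid"; fi
    if subid_range_ok /etc/subgid "$user"; then report PASS "subgid range for $user"
    else report FAIL "$user needs at least 65536 IDs in /etc/subgid"; fi
    if idmap_tools_present; then report PASS "newuidmap and newgidmap on PATH"
    else report FAIL "newuidmap/newgidmap missing (see Requirements)"; fi
    mode=$(selinux_mode)
    if [ "$mode" = disabled ]; then report PASS "SELinux disabled"
    else report FAIL "SELinux is $mode; Kata needs it disabled (step 1, then reboot)"; fi
    if user_in_group "$user" kvm; then report PASS "$user is in group kvm"
    else report FAIL "$user is not in group kvm (step 2: usermod -aG kvm $user)"; fi
    if kvm_device_ok; then report PASS "/dev/kvm is accessible"
    else report FAIL "/dev/kvm not accessible (log out and back in after step 2)"; fi
    return "$fails"
}

# Usage: sh preflight.sh "$(id -un)"; the exit status is the number of failed checks.
if [ "$#" -gt 0 ]; then preflight "$1"; fi
```

Run it as the unprivileged user that will launch the workload, not as root, since the `/dev/kvm` and session-group checks only mean something for the calling user.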
> **NOTE:**
> To obtain debug logs you can:
> - Enable [debug](https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md#enable-full-debug) in Kata (logs are added to journald).
Suggested rewrite:
… (this adds the logs to journald).
> - Pass `--log-level=debug` to Podman (logs are printed to stderr).
Suggested rewrite:
… (this prints the logs to stderr).
## Appendix: Possible Errors
If you are building from source you may encounter the following errors.
may => might
If you are building from source you might encounter the following errors.
```
rpc error: code = Internal desc = Could not add route dest()/gw(10.0.2.2)/dev(tap0): network is unreachable: OCI runtime error
```
Solution:
You may need to [rebuild the agent](https://github.com/kata-containers/documentation/blob/master/Developer-Guide.md#add-a-custom-agent-to-the-image---optional); there was a change in both the [agent](https://github.com/kata-containers/agent/commit/a78e8cfda627cc350dc9d9ca9b969ebb642030c3) and [runtime](https://github.com/kata-containers/runtime/commit/cfedb06a19135e2ab4f18203a4f3147cdc3a4980) code. This would probably only occur if building latest from source, since the runtime version would have the change and the released agent does not.
may => might
You might need to...
### Missing registry file
```
Error: unable to pull alpine: image name provided is a short name and no search registries are defined in the registries config file.
```
Suggested rewrite:
Error: unable to pull alpine: image name provided is a short name. The registries config file does not define the search registries.
(but all other review feedback has been applied to the new PR).
| Component | Version | Install Instructions |
| --------- | :-----: | -------------------- |
| Podman    | WIP     | [see here](https://github.com/containers/libpod/blob/master/install.md) |
Does it work with Rootless Docker as well?
Closing this PR in favour of #565.
The documentation was created assuming that the podman changes and kata changes have been merged into a release. At this time, this is not the case. In order to test/follow the documentation (if someone wants to do that prior to that) you will have to checkout my forks of podman and the kata-runtime. Additionally, they will need to be build from source with their dependencies. I also created a script/gist that may be helpful to set up this kind of pre-release environment: https://gist.github.com/gabibeyer/ca61f433eca00dd3123d3f70efbe7614
Documentation for running Kata Containers with Podman as a non privileged user

Signed-off-by: gabi beyer [email protected]