Use host systemctl #242
Merged
Use host systemctl #242
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
FYI: i haven't tested this in any way, i hope we have sufficient CI coverage.... |
|
/test |
|
/test |
|
@jepio, nice that you have updated the pre-install payload to do the same, but you'll also need to update https://github.com/confidential-containers/operator/blob/main/install/pre-install-payload/scripts/container-engine-for-cc-deploy.sh |
fidencio
added a commit
to fidencio/enclave-cc
that referenced
this pull request
Aug 9, 2023
The operator started using HostPID=true, allowing us to use nsenter to interact with systemd in the host. We do the same for kata payload installation with kata-deploy. There's a little bit of chicken-egg problem here, as this PR depends on confidential-containers/operator#242, and that PR depends on this one. Signed-off-by: Fabiano Fidêncio <[email protected]>
|
To get enclave-cc properly tested, let's use vanilla kind node image and update ccruntime-enclave-cc.yaml |
|
trying it right now |
|
/test |
Kata-deploy in kata now uses the host's systemctl through nsenter, which requires running the pod with HostPID=true and allows dropping mounts for systemd/dbus sockets. Fixes: #7520 Signed-off-by: Jeremi Piotrowski <[email protected]>
Now that we run with HostPID=true, we can use nsenter to interact with systemd in the host. We do the same for kata payload installation with kata-deploy. Fixes: #7520 Signed-off-by: Jeremi Piotrowski <[email protected]>
Since we switched to using host systemctl through nsenter, we no longer need to install systemd. We also don't need to worry about host/container systemd compatibility so we can update the pre-install image to the latest Ubuntu LTS. Signed-off-by: Jeremi Piotrowski <[email protected]>
This bloats the image size and the tarball sits unused. Signed-off-by: Jeremi Piotrowski <[email protected]>
These are not needed because enclave-cc's deploy script moved to using host systemctl via nsenter. The other mounts lower in the file are still needed because the containerd deploy script still relies on them (in the specified container image version). Signed-off-by: Jeremi Piotrowski <[email protected]>
fidencio
force-pushed
the
host-systemctl
branch
from
c8d0f5d to
881eb53
Compare
|
I've rebased the branch (using GitHub WebUI) as the PR that this one was depending on was merged. Let's get the tests running now. |
|
/test |
mythi
approved these changes
Aug 10, 2023
|
/test-tdx |
|
TDX tests are not passing, but I'm 100% sure this is not related to this PR, this I'm taking the bullet and merging it. |
fidencio
approved these changes
Aug 14, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adapts the operator to changes that happened in kata-deploy in kata-containers/kata-containers#7520, which switched to using nsenter to interact with systemd.