  • Kata runc privileged

    There is another question related to '--privileged' in Kata:
    In runc, '--privileged' translates the capabilities of host devices into the container.
    In Kata, '--privileged' means containers in the Kata VM can access all the devices in the Kata guest VM (Kata limitation: https://github.com/kata-containers/documentation/blob/master/Limitations.md#docker-run---privileged ).
    Per my understanding, we should translate the capabilities of guest VM devices into the Kata container instead of host devices.
    Host resource sharing
    docker run --privileged
    Privileged support in Kata is essentially different from runc containers. Kata does support the docker run --privileged command, but in this case full access to the guest VM is provided in addition to some host access.
    
    The container runs with elevated capabilities within the guest and is granted access to guest devices instead of the host devices. This is also true with using securityContext privileged=true with Kubernetes.
    
    The container may also be granted full access to a subset of host devices (https://github.com/kata-containers/runtime/issues/1568).
    
    See Privileged Kata Containers for how to configure some of this behavior.
    Containerd and CRI
    The containerd CRI plugin allows configuring the privileged host-devices behaviour for each runtime in the CRI config. This is done with the privileged_without_host_devices option. Setting it to true disables hot plugging of host devices into the guest, even when privileged is enabled.
    
    Support for configuring privileged host devices behaviour was added in containerd 1.3.0 version.
    
    See the example config below:
    
    [plugins]
      [plugins.cri]
        [plugins.cri.containerd]
          [plugins.cri.containerd.runtimes.runc]
            runtime_type = "io.containerd.runc.v1"
            privileged_without_host_devices = false
          [plugins.cri.containerd.runtimes.kata]
            runtime_type = "io.containerd.kata.v2"
            privileged_without_host_devices = true
            [plugins.cri.containerd.runtimes.kata.options]
              ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml"
    Kata Containers with Containerd and CRI documentation
    Containerd CRI config documentation
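    The config above is easy to get wrong on a multi-runtime node: the weak case is a Kata runtime entry where privileged_without_host_devices is left at false (or omitted), so a privileged pod still gets host devices hot-plugged into the guest. The script below is an added example, not code from the Kata or containerd projects. It parses just the subset of TOML that containerd runtime sections use (bracketed tables plus key = value lines), then audits every runtime under plugins.cri.containerd.runtimes and flags Kata runtimes that do not set the option to true. The sample configs are constructed here, and treating an absent key as false is an assumption consistent with the runc entry on the page, not a statement of containerd's documented default.

```python
import re

# Constructed sample, modelled on the page's example config (corrected setting).
SAMPLE_CONFIG = """
[plugins]
  [plugins.cri]
    [plugins.cri.containerd]
      [plugins.cri.containerd.runtimes.runc]
        runtime_type = "io.containerd.runc.v1"
        privileged_without_host_devices = false
      [plugins.cri.containerd.runtimes.kata]
        runtime_type = "io.containerd.kata.v2"
        privileged_without_host_devices = true
        [plugins.cri.containerd.runtimes.kata.options]
          ConfigPath = "/opt/kata/share/defaults/kata-containers/configuration.toml"
"""

# Constructed weak variant: the Kata runtime still passes host devices through.
WEAK_CONFIG = SAMPLE_CONFIG.replace(
    'runtime_type = "io.containerd.kata.v2"\n        privileged_without_host_devices = true',
    'runtime_type = "io.containerd.kata.v2"\n        privileged_without_host_devices = false',
)

RUNTIME_PREFIX = "plugins.cri.containerd.runtimes."


def _coerce(value):
    """Turn a TOML scalar literal (bool, quoted string, int) into a Python value."""
    if value == "true":
        return True
    if value == "false":
        return False
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    try:
        return int(value)
    except ValueError:
        return value


def parse_minimal_toml(text):
    """Parse [table] headers and key = value lines into {table_name: {key: value}}.

    This covers only the subset containerd runtime sections use; it is not a
    full TOML parser (no arrays, inline tables or multi-line strings).
    """
    tables = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1).strip()
            tables.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        tables[current][key.strip()] = _coerce(value.strip())
    return tables


def audit_runtimes(tables):
    """Return {runtime_name: {...}} with a WARN status for Kata runtimes that
    would still hot-plug host devices into the guest for privileged pods."""
    findings = {}
    for name, kv in tables.items():
        if not name.startswith(RUNTIME_PREFIX):
            continue
        runtime = name[len(RUNTIME_PREFIX):]
        if "." in runtime:  # skip sub-tables such as ...runtimes.kata.options
            continue
        runtime_type = kv.get("runtime_type", "")
        # Assumption (constructed): an absent key behaves like the page's runc
        # entry, i.e. host devices are passed through.
        without_host_devices = bool(kv.get("privileged_without_host_devices", False))
        is_kata = "kata" in runtime_type
        status = "WARN" if (is_kata and not without_host_devices) else "OK"
        findings[runtime] = {
            "runtime_type": runtime_type,
            "privileged_without_host_devices": without_host_devices,
            "status": status,
        }
    return findings


def audit_text(text):
    """Convenience wrapper: parse a config string and audit it in one call."""
    return audit_runtimes(parse_minimal_toml(text))


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        print(f"== {label} ==")
        for runtime, info in audit_text(cfg).items():
            print(f"{info['status']:4} {runtime:6} {info['runtime_type']} "
                  f"privileged_without_host_devices={info['privileged_without_host_devices']}")
```

    Run it against a real /etc/containerd/config.toml by reading the file into a string and passing it to audit_text; any WARN line is a Kata runtime that still grants privileged pods a subset of host devices, which is exactly the behaviour the option exists to switch off.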
  • Original URL: https://www.cnblogs.com/dream397/p/14000303.html