Kata Containers version 1.x agent (for version 2.x see https://github.com/kata-containers/kata-containers). Virtual Machine agent for hardware virtualized containers
This project implements an agent called `kata-agent` that runs inside a virtual machine (VM).
The agent manages container processes inside the VM, on behalf of the runtime running on the host.
To enable agent debug output, add the `agent.log=debug` option to the guest kernel command line.
See the developer guide for further details.
Add `agent.devmode` to the guest kernel command line to allow the agent process to coredump (disabled by default). Specifying this option implicitly enables debug mode.
See the tracing guide.
Add `agent.debug_console` to the guest kernel command line to allow the agent process to start a debug console. The debug console is only available if `bash` or `sh` is installed in the rootfs or initrd image. Developers can connect to the virtual machine using the debug console.
Firecracker doesn't have a UNIX socket connected to `/dev/console`, hence the kernel command line option `agent.debug_console` will not work for Firecracker. Fortunately, Firecracker supports hybrid vsocks, which can be used for communication between processes in the guest and processes on the host. The kernel command line option `agent.debug_console_vport` was added to allow developers to specify the `vsock` port to which the debugging console should be connected.
In Firecracker, the UNIX socket that is connected to the `vsock` end is created at `/var/lib/vc/firecracker/$CID/root/kata.hvsock`, where `$CID` is the container ID.
Run the following commands to have a debugging console in Firecracker.

```
$ conf="/usr/share/defaults/kata-containers/configuration.toml"
$ sudo sed -i 's/^kernel_params.*/kernel_params="agent.debug_console_vport=1026"/g' "${conf}"
$ sudo su -c 'cd /var/lib/vc/firecracker/08facf/root/ && socat stdin unix-connect:kata.hvsock'
CONNECT 1026
```

NOTE: Ports 1024 and 1025 are reserved for communication with the agent and gathering of agent logs respectively.
`cpuset` cgroup details
See the cpuset cgroup documentation.
When hot plugging devices into the Kata VM, the agent will wait by default for 3 seconds for the device to be plugged in and the corresponding add uevent for the device. If the timeout is reached without the above happening, the hot plug action will fail.
The length of the timeout can be increased by adding the `agent.hotplug_timeout` option to the guest kernel command line. For example, `agent.hotplug_timeout=10s` will increase the timeout to 10 seconds. The value of the option is in the Go duration format.
Any invalid values used for `agent.hotplug_timeout` will fall back to the default of 3 seconds.
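Because the debug options above open a shell into the guest and an invalid timeout is silently replaced by the default, it is worth checking a `kernel_params` value before deploying it. The following is an added example, not code from the kata-agent project: the function name `Audit`, the finding texts, and the assumption that "invalid" means Go's `time.ParseDuration` rejects the value are this example's own.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Audit reports agent.* options from a guest kernel command line that a
// production review would question. Option names come from the README above;
// the checks and finding texts are this example's own (hypothetical helper).
func Audit(cmdline string) []string {
	var findings []string
	for _, field := range strings.Fields(cmdline) {
		key, val, _ := strings.Cut(field, "=")
		switch key {
		case "agent.devmode":
			findings = append(findings, "agent.devmode: coredumps allowed, debug mode implied")
		case "agent.debug_console":
			findings = append(findings, "agent.debug_console: guest shell exposed")
		case "agent.debug_console_vport":
			port, err := strconv.ParseUint(val, 10, 32)
			if err != nil {
				findings = append(findings, "agent.debug_console_vport: not a port number")
			} else if port == 1024 || port == 1025 {
				findings = append(findings, "agent.debug_console_vport: reserved port (agent or agent logs)")
			} else {
				findings = append(findings, "agent.debug_console_vport: guest shell exposed over vsock")
			}
		case "agent.log":
			if val == "debug" {
				findings = append(findings, "agent.log=debug: debug output enabled")
			}
		case "agent.hotplug_timeout":
			if _, err := time.ParseDuration(val); err != nil {
				findings = append(findings, "agent.hotplug_timeout: invalid, 3s default applies")
			}
		}
	}
	return findings
}

func main() {
	// Constructed sample: the Firecracker kernel_params value plus a timeout missing its unit.
	for _, f := range Audit("agent.debug_console_vport=1026 agent.hotplug_timeout=10") {
		fmt.Println(f)
	}
}
```

The sample prints two findings: the vsock debug console is enabled, and `10` is not a Go duration (it lacks a unit such as `s`), so the 3-second default would be used.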
Like `systemd`, the `kata-agent` has an option to enable or disable the unified cgroup hierarchy (cgroups v2) in the guest through the kernel command line. Set `agent.unified_cgroup_hierarchy` to `1` or `true` to enable cgroups v2. For example, `agent.unified_cgroup_hierarchy=true` will enable cgroups v2 in the guest. Set `agent.unified_cgroup_hierarchy` to `0` or `false` to disable cgroups v2. For example, `agent.unified_cgroup_hierarchy=0` will disable cgroups v2 in the guest. By default cgroups v2 is disabled.
The agent will configure a Pipe for stdio (stdout, stderr, stdin) for each container. By default, this will use the OS' defaults in terms of pipe capacity. However, some workloads may require a larger pipe when writing to stdout/stderr in non-blocking mode.
The pipe's capacity for stdout/stderr can be modified by adding the `agent.container_pipe_size` option to the guest kernel command line. For example, `agent.container_pipe_size=2097152` will set the stdout and stderr pipes to 2097152 bytes.