diff --git a/maybe-gvisor.sh b/maybe-gvisor.sh
new file mode 100644
index 0000000000000000000000000000000000000000..890c1c9810ecc9836a9b0fe4e2d008979436208c
--- /dev/null
+++ b/maybe-gvisor.sh
@@ -0,0 +1,87 @@
+# This script will probably install gVisor and associated runtimes and make
+# gVisor accessible as a Kubernetes RuntimeClass. These commands are adapted
+# from the following locations:
+#
+# https://gvisor.dev/docs/user_guide/containerd/quick_start/
+# https://gvisor.dev/docs/tutorials/cni/
+# https://gvisor.dev/docs/user_guide/faq/#app-compatibility
+
+# 1. Install the latest gVisor release.
+(
+ set -e
+ ARCH=$(uname -m)
+ URL=https://storage.googleapis.com/gvisor/releases/release/latest/${ARCH}
+ wget ${URL}/runsc ${URL}/runsc.sha512 \
+ ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
+ sha512sum -c runsc.sha512 \
+ -c containerd-shim-runsc-v1.sha512
+ rm -f *.sha512
+ chmod a+rx runsc containerd-shim-runsc-v1
+ sudo mv runsc containerd-shim-runsc-v1 /usr/local/bin
+)
+
+# 2. Install containerd (these instructions are for v1.7.0; check the downloads page
+# for more recent releases:
+# https://containerd.io/downloads/
+# NB: Uncomment the below lines only if containerd isn't already present.
+# wget https://github.com/containerd/containerd/releases/download/v1.7.0/containerd-1.7.0-linux-amd64.tar.gz
+# tar xvf containerd-1.7.0-linux-amd64.tar.gz
+# sudo mv /bin/* /usr/local/bin
+
+# 3. Add containerd as a runtime.
+cat <<EOF | sudo tee /etc/containerd/config.toml
+version = 2
+[plugins."io.containerd.runtime.v1.linux"]
+ shim_debug = true
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+ runtime_type = "io.containerd.runc.v2"
+[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
+ runtime_type = "io.containerd.runsc.v1"
+EOF
+
+sudo systemctl restart containerd
+
+# 4. Configure CNI plugin.
+sudo mkdir -p /opt/cni/bin
+
+wget https://github.com/containernetworking/plugins/releases/download/v0.8.3/cni-plugins-linux-amd64-v0.8.3.tgz
+
+sudo tar -xvf cni-plugins-linux-amd64-v0.8.3.tgz -C /opt/cni/bin/
+
+sudo mkdir -p /etc/cni/net.d
+
+sudo sh -c 'cat > /etc/cni/net.d/10-bridge.conf << EOF
+{
+ "cniVersion": "0.3.1",
+ "name": "mynet",
+ "type": "bridge",
+ "bridge": "cni0",
+ "isGateway": true,
+ "ipMasq": true,
+ "ipam": {
+ "type": "host-local",
+ "subnet": "10.22.0.0/16",
+ "routes": [
+ { "dst": "0.0.0.0/0" }
+ ]
+ }
+}
+EOF'
+
+sudo sh -c 'cat > /etc/cni/net.d/99-loopback.conf << EOF
+{
+ "cniVersion": "0.3.1",
+ "name": "lo",
+ "type": "loopback"
+}
+EOF'
+
+# 5. Create a Kubernetes RuntimeClass for gVisor.
+# If `handler: runsc` does not work, try `handler: runc`.
+cat <<EOF | kubectl apply -f -
+apiVersion: node.k8s.io/v1
+kind: RuntimeClass
+metadata:
+ name: gvisor
+handler: runsc
+EOF
diff --git a/templates/function-evaluator.yaml b/templates/function-evaluator.yaml
index 554de1bc3da2921e0a956951ed8c42ccbf7f3091..411f3e3aacbb31191ec68f31ad2b95d7948922a8 100644
--- a/templates/function-evaluator.yaml
+++ b/templates/function-evaluator.yaml
@@ -15,6 +15,7 @@ spec:
 app: {{ .Release.Name }}-wikifunctions
 tier: function-evaluator
 spec:
+ runtimeClassName: gvisor
 containers:
 - name: function-evaluator
 image: docker-registry.wikimedia.org/wikimedia/mediawiki-services-function-evaluator:latest
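Review bot: The commented-out step-2 line `# sudo mv /bin/* /usr/local/bin` would move the contents of the system's /bin if anyone uncomments it as written; the containerd tarball unpacks into a relative `bin/` directory, so it should read `# sudo mv bin/* /usr/local/bin`. In step 1, `set -e` is scoped to the subshell, so a sha512sum mismatch skips the mv but the script still continues to step 3, rewriting /etc/containerd/config.toml and restarting containerd with a runsc runtime that was never installed; put a `#!/usr/bin/env bash` shebang with `set -euo pipefail` at the top of the file, or follow the subshell with `|| exit 1`. `cat <<EOF | sudo tee /etc/containerd/config.toml` also replaces the whole existing config rather than adding the runsc runtime to it, so any settings already present on the node are silently dropped (assuming the target nodes ship with one, which is not visible here). The step-5 comment suggesting `handler: runc` as a fallback deserves a warning that this yields a RuntimeClass named gvisor that provides no sandboxing at all.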
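Review bot: `runtimeClassName: gvisor` makes every function-evaluator pod unschedulable on a cluster where the gvisor RuntimeClass from maybe-gvisor.sh has not been applied, and the template gives no way to turn it off. Since the chart already templates values such as `{{ .Release.Name }}`, consider gating the line on a chart value (for example a constructed `.Values.runtimeClassName`) with an `{{- if }}` block, or at least documenting the dependency on the new line: `# requires the gvisor RuntimeClass (see maybe-gvisor.sh); pods fail to start without it`. The RuntimeClass name alone guarantees nothing: if the handler is later switched to runc as maybe-gvisor.sh suggests, this pod runs unsandboxed while still labelled gvisor, so the evaluator's isolation depends entirely on the node-side handler being runsc.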