Peer-pods is a new Red Hat OpenShift feature that enables an OpenShift sandboxed container (OSC) running on a bare-metal deployment to run on OpenShift in a public cloud and on VMware. It's not uncommon to want to run OpenShift in a virtual machine instead of on the bare-metal nodes. While it's possible to run a virtual machine inside a virtual machine, it demands a whole new subset of support concerns when you do it in production. In this article, I'll demonstrate how to solve this problem, using a combination of peer-pods and libvirt. By the end of this tutorial, you'll know how to create a VM image for a peer-pod deployment, and how to run a workload in a peer-pod using the host's libvirt.
Peer-pod libvirt support is still experimental. It's not officially supported by Red Hat, but I encourage you to experiment and share your feedback to improve the peer-pods solution. This article assumes you're familiar with Red Hat OpenShift and the libvirt provider.
The advantage of peer-pods
A peer-pod isn't restricted to just a cloud provider. It can be deployed on-premise in a locally installed OpenShift cluster. The architecture remains the same, together with all the benefits explained in the peer-pods solution overview blog. Once you've proven the solution is viable, you can enjoy those benefits in an on-premise OpenShift install.
Setup
To follow along with this tutorial, you need:
- git
- tar
- podman
- libvirt
- virsh
Additionally, you must have an OpenShift cluster, version 4.13 or higher. For the purpose of this guide, I assume the cluster was created using kcli. You must have this information about your cluster available:
- Network name (
LIBVIRT_NET_NAME
):kcli list network
- IP address (
LIBVIRT_NET_IP
):kcli list network
- Pool name (
LIBVIRT_POOL_NAME
):virsh -c qemu:///system pool-list
- SSH keys (
LIBVIRT_KEY_PUB
andLIBVIRT_KEY_PRIV
): This can be provided bykcli
or it can be generated using OpenSSH - Vxlan port (9000 by default)
Download the image
You need a virtual image that can run in libvirt. You'll invoke this image on the guest VM instead of the host bare-metal server. I recommend either CentOS or RHEL.
CentOS image
$ export IMAGE_PROVIDER=centos
$ export ARCH=amd64
$ curl \
https://raw.githubusercontent.com/confidential-containers/cloud-api-adaptor/v0.5.0/podvm/hack/download-image.sh | bash -s \
quay.io/confidential-containers/podvm-generic-$IMAGE_PROVIDER-$ARCH . \
-o podvm-amd64.qcow2'*.tar'
This creates an image file called podvm-amd64.qcow2
.
RHEL image
For a RHEL 8 or 9 image, follow the steps shown in peer-pods solution overview blog. At the end of the process, you have a qcow2 image. For the purpose of this guide, name the image podvm-amd64.qcow2
.
Set default image
Next, set the default image:
$ export IMAGE=path/to/podvm-amd64.qcow2
$ virsh -c qemu:///system vol-create-as --pool default \
--name podvm-base.qcow2 --capacity 20G \
--allocation 2G --prealloc-metadata --format qcow2
$ virsh -c qemu:///system vol-upload --vol podvm-base.qcow2 \
$IMAGE --pool default --sparse
Should this step fail because podvm-base.qcow2
already exists, topy the existing podvm-base.qcow2
file and rename it:
$ NEW_PODVM_NAME=podvm-base-centos.qcow2
$ virsh -c qemu:///system vol-clone \
podvm-base.qcow2 $NEW_PODVM_NAME --pool default
Then delete podvm-base.qcow2
:
$ virsh -c qemu:///system vol-delete podvm-base.qcow2 --pool default
And then recreate podvm-base.qcow2
as demonstrated previously.
Verify that the image has been set:
$ virsh -c qemu:///system vol-info --pool default podvm-base.qcow2
Name: podvm-base.qcow2
Type: file
Capacity: 6.00 GiB
Allocation: 631.52 MiB
Deploy the OSC operator
To deplay the 1.4.0 operator, go to the marketplace and install it. For step-by-step instructions, read the official installation guide.
The libvirt provider is not currently supported officially in OSC 1.4.0, so you must update the internal coud-api-adaptor (CAA) to an upstream version:
$ export UPSTREAM_CAA=quay.io/confidential-containers/cloud-api-adaptor:latest
$ oc set image ds/peerpodconfig-ctrl-caa-daemon \
-n openshift-sandboxed-containers-operator \
cc-runtime-install-pod=$UPSTREAM_CAA
Collect peer-pods configuration parameters for libvirt
Now you must prepare the operator to run with peer-pods.
- First, create and deploy a peer-pods Secret YAML definition:
cat > peer-pods-secret.yaml <<EOF
apiVersion: v1
kind: Secret
metadata:
name: peer-pods-secret
namespace: openshift-sandboxed-containers-operator
type: Opaque
stringData:
CLOUD_PROVIDER: "libvirt"
VXLAN_PORT: "${LIBVIRT_VXLAN_PORT}"
LIBVIRT_URI: "qemu+ssh://root@${LIBVIRT_NET_IP}.1/system?no_verify=1"
LIBVIRT_NET: "${LIBVIRT_NET_NAME}"
LIBVIRT_POOL: "${LIBVIRT_POOL_NAME}"
EOF
$ oc apply -f peer-pods-secret.yaml
- Create and deploy the peer-pods ConfigMap YAML definition:
$ cat > peer-pods-config-map.yaml <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
name: peer-pods-cm
namespace: openshift-sandboxed-containers-operator
data:
CLOUD_PROVIDER: "libvirt"
EOF
$ oc apply -f peer-pods-config-map.yaml
- You need an SSH key. The Kubernetes Secret contains the private key, which the CAA pod uses to connect to the host's libvirt, which in turn has the public key in
/root/.ssh/authorized_keys
.
$ oc create secret generic ssh-key-secret \
-n openshift-sandboxed-containers-operator \
--from-file=id_rsa.pub=${LIBVIRT_KEY_PUB} \
--from-file=id_rsa=${LIBVIRT_KEY_PRIV}
Alternatively, if no is LIBVIRT_KEY_*
is present, you can generate one and add it to /root/.ssh/authorized_keys
:
$ ssh-keygen -f ./id_rsa -N ""
$ oc create secret generic ssh-key-secret \
-n openshift-sandboxed-containers-operator \
--from-file=id_rsa.pub=./id_rsa.pub \
--from-file=id_rsa=./id_rsa
If you need to modify any of the parameters in the peer-pods-cm
and peer-pods-secret
objects, you can change values in the respective YAML files, and then deploy the files using oc apply -f example.yaml
. Restart the cloud-api-adaptor
pods with:
$ oc set env ds/peerpodconfig-ctrl-caa-daemon \
-n openshift-sandboxed-containers-operator \
REBOOT="$(date)"
Set up the peer-pods
You're ready to run peer-pods.
First, create KataConfig CRD from the Openshift Sandboxed Containers operator page, or deploy KataConfig from the terminal:
$ cat > kataconfig.yaml <<EOF
apiVersion: kataconfiguration.openshift.io/v1
kind: KataConfig
metadata:
name: example-kataconfig
spec:
enablePeerPods: true
EOF
$ oc apply -f kataconfig.yaml
Wait for installation to complete:
$ oc wait --for=condition=Updating=false \
machineconfigpool/kata-oc --timeout=-1s
$ oc rollout status daemonset peerpodconfig-ctrl-caa-daemon \
-n openshift-sandboxed-containers-operator --timeout=60s
If you're using the web console, switch to the openshift-sandboxed-containers-operator namespace and navigate to Workloads > Pods. Depending on your cluster setup, there are at least controller-manager-{} and peerpodconfig-ctrl-caa-daemon-{} pods in the Running state.
Next, you must update the coud-api-adaptor (CAA). Wait until the peerpodconfig-ctrl-caa-daemon-{*}
objects are created. They're likely to show up in the Error/CrashBackLoop
state, because the default operator doesn't accept libvirt as a cloud provider. To solve this issue, update the CAA to use the upstream code:
$ UPSTREAM_CAA=quay.io/confidential-containers/cloud-api-adaptor:latest
$ oc set image ds/peerpodconfig-ctrl-caa-daemon \
-n openshift-sandboxed-containers-operator \
cc-runtime-install-pod=$UPSTREAM_CAA
After that, the pods automatically restart. This can take some time, so be patient and monitor your cluster using your browser or the oc wait
command.
After the installation's complete, you have two runtime classes:
- kata: Creates sandboxed containers using Qemu and KVM. This one is created by default.
- kata-remote-cc: Creates sandboxed containers using peer-pods.
Peer-pods has been installed!
Run a peer-pod workload
Now that you've installed peer-pods, you can run your first pod. The example hello-openshift
web application prints "Hello OpenShift!" to visitors. Try it out.
- Create a
hello-openshift.yaml
file with the following contents:
apiVersion: v1 kind: Pod metadata: name: hello-openshift labels: app: hello-openshift spec: runtimeClassName: kata-remote-cc containers: - name: hello-openshift image: quay.io/openshift/origin-hello-openshift ports: - containerPort: 8888 securityContext: privileged: false allowPrivilegeEscalation: false runAsNonRoot: true runAsUser: 1001 capabilities: drop: - ALL seccompProfile: type: RuntimeDefault --- kind: Service apiVersion: v1 metadata: name: hello-openshift-service labels: app: hello-openshift spec: selector: app: hello-openshift ports: - port: 8888
- Deploy it:
$ oc apply -f hello-openshift.yaml
$ oc get pod/hello-openshift
- Create an OpenShift route:
$ oc expose service hello-openshift-service -l app=hello-openshift
$ export APP_URL=$(oc get routes/hello-openshift-service -o jsonpath='{.spec.host}')
Done! Now verify that the application is responding:
$ curl ${APP_URL}
Inspecting peer-pods
To learn how to inspect peer-pods to gain insight into how and what they're running, read this article.
Undeploy peer-pods
To undeploy your peer-pods:
- Delete
hello-openshift
:
$ oc delete all -l app=hello-openshift
- Delete
kataconfig
:
$ oc delete kataconfigs/example-kataconfig \
-n openshift-sandboxed-containers-operator
If this command hangs, do NOT cancel the command. In a separate terminal, run oc edit kataconfigs/example-kataconfig
and remove the section called "finalizers".
- Delete
ConfigMap
:
$ oc delete configmaps/peer-pods-cm \
-n openshift-sandboxed-containers-operator
- Delete
PeerPodsSecret
:
$ oc delete secrets/peer-pods-secret \
-n openshift-sandboxed-containers-operator
- Delete the operator from the Openshift Marketplace.
Conclusion
You've installed and deployed peer-pods, and tested a simple example web application. For further information, refer to part one and part two of this series.
Über den Autor
Emanuele Giuseppe Esposito is a Software Engineer at Red Hat, with focus on Confidential Computing, QEMU and KVM. He joined Red Hat in 2021, right after getting a Master Degree in CS at ETH Zürich. Emanuele is passionate about the whole virtualization stack, ranging from Openshift Sandboxed Containers to low-level features in QEMU and KVM.
Nach Thema durchsuchen
Automatisierung
Das Neueste zum Thema IT-Automatisierung für Technologien, Teams und Umgebungen
Künstliche Intelligenz
Erfahren Sie das Neueste von den Plattformen, die es Kunden ermöglichen, KI-Workloads beliebig auszuführen
Open Hybrid Cloud
Erfahren Sie, wie wir eine flexiblere Zukunft mit Hybrid Clouds schaffen.
Sicherheit
Erfahren Sie, wie wir Risiken in verschiedenen Umgebungen und Technologien reduzieren
Edge Computing
Erfahren Sie das Neueste von den Plattformen, die die Operations am Edge vereinfachen
Infrastruktur
Erfahren Sie das Neueste von der weltweit führenden Linux-Plattform für Unternehmen
Anwendungen
Entdecken Sie unsere Lösungen für komplexe Herausforderungen bei Anwendungen
Original Shows
Interessantes von den Experten, die die Technologien in Unternehmen mitgestalten
Produkte
- Red Hat Enterprise Linux
- Red Hat OpenShift
- Red Hat Ansible Automation Platform
- Cloud-Services
- Alle Produkte anzeigen
Tools
- Training & Zertifizierung
- Eigenes Konto
- Kundensupport
- Für Entwickler
- Partner finden
- Red Hat Ecosystem Catalog
- Mehrwert von Red Hat berechnen
- Dokumentation
Testen, kaufen und verkaufen
Kommunizieren
Über Red Hat
Als weltweit größter Anbieter von Open-Source-Software-Lösungen für Unternehmen stellen wir Linux-, Cloud-, Container- und Kubernetes-Technologien bereit. Wir bieten robuste Lösungen, die es Unternehmen erleichtern, plattform- und umgebungsübergreifend zu arbeiten – vom Rechenzentrum bis zum Netzwerkrand.
Wählen Sie eine Sprache
Red Hat legal and privacy links
- Über Red Hat
- Jobs bei Red Hat
- Veranstaltungen
- Standorte
- Red Hat kontaktieren
- Red Hat Blog
- Diversität, Gleichberechtigung und Inklusion
- Cool Stuff Store
- Red Hat Summit