Add support for kata container

Change-Id: I8de21dd0317734711ba3778c241a428f0325ea85

README.rst

@@ -31,6 +31,16 @@ For installing container engine only, using the following config:
      enable_plugin devstack-plugin-container https://opendev.org/openstack/devstack-plugin-container
      END
 
+For installing Kata Containers, using the following config:
+
+.. code-block:: ini
+
+     cat > /opt/stack/devstack/local.conf << END
+     [[local|localrc]]
+     enable_plugin devstack-plugin-container https://opendev.org/openstack/devstack-plugin-container
+     ENABLE_KATA_CONTAINERS=True
+     END
+
 For installing Kubernetes, using the following config in master node:
 
 .. code-block:: ini

devstack/lib/docker

@@ -26,9 +26,12 @@ DOCKER_ENGINE_PORT=${DOCKER_ENGINE_PORT:-2375}
 DOCKER_CLUSTER_STORE=${DOCKER_CLUSTER_STORE:-}
 DOCKER_GROUP=${DOCKER_GROUP:-$STACK_USER}
 DOCKER_CGROUP_DRIVER=${DOCKER_CGROUP_DRIVER:-}
+# TODO(hongbin): deprecate and remove clear container
 ENABLE_CLEAR_CONTAINER=$(trueorfalse False ENABLE_CLEAR_CONTAINER)
+ENABLE_KATA_CONTAINERS=$(trueorfalse False ENABLE_KATA_CONTAINERS)
 ENABLE_LIVE_RESTORE=$(trueorfalse False ENABLE_LIVE_RESTORE)
 ENABLE_IPV6=$(trueorfalse False ENABLE_IPV6)
+KATA_BRANCH=${KATA_BRANCH:-master}
 
 # Functions
 # ---------
@@ -77,9 +80,23 @@ function install_docker {
         fi
         yum_install docker-ce
     fi
-    if [[ "$ENABLE_CLEAR_CONTAINER" == "True" ]]; then
+    if [[ "$ENABLE_KATA_CONTAINERS" == "True" ]]; then
+        # Kata Containers can't run inside VM, so check whether virtualization
+        # is enabled or not
+        if sudo grep -E 'svm|vmx' /proc/cpuinfo &> /dev/null; then
+            if is_ubuntu; then
+                install_kata_container_ubuntu
+            elif is_fedora; then
+                install_kata_container_fedora
+            fi
+        else
+            (>&2 echo "WARNING: Kata Containers needs the CPU extensions svm or vmx which is not enabled. Skipping Kata Containers installation.")
+        fi
+    # TODO(hongbin): deprecate and remove clear container
+    elif [[ "$ENABLE_CLEAR_CONTAINER" == "True" ]]; then
         # Clear Container can't run inside VM, so check whether virtualization
         # is enabled or not
+        (>&2 echo "WARNING: Clear Container support is deprecated in Train release and will be removed in U release.")
         if sudo grep -E 'svm|vmx' /proc/cpuinfo &> /dev/null; then
             if is_ubuntu; then
                 install_clear_container_ubuntu
@@ -101,7 +118,18 @@ function configure_docker {
         cluster_store_opts+="\"cluster-store\": \"$DOCKER_CLUSTER_STORE\","
     fi
     local runtime_opts=""
-    if [[ "$ENABLE_CLEAR_CONTAINER" == "True" ]]; then
+    if [[ "$ENABLE_KATA_CONTAINERS" == "True" ]]; then
+        if sudo grep -E 'svm|vmx' /proc/cpuinfo &> /dev/null; then
+            runtime_opts+="\"runtimes\": {
+                \"kata-runtime\": {
+                    \"path\": \"/usr/bin/kata-runtime\"
+                }
+            },
+            \"default-runtime\": \"kata-runtime\","
+        fi
+    # TODO(hongbin): deprecate and remove clear container
+    elif [[ "$ENABLE_CLEAR_CONTAINER" == "True" ]]; then
+        (>&2 echo "WARNING: Clear Container support is deprecated in Train release and will be removed in U release.")
         if sudo grep -E 'svm|vmx' /proc/cpuinfo &> /dev/null; then
             runtime_opts+="\"runtimes\": {
                 \"cor\": {
@@ -172,6 +200,11 @@ function stop_docker {
     sudo systemctl stop docker.service || true
 }
 
+function cleanup_docker {
+    uninstall_package docker-ce
+}
+
+# TODO(hongbin): deprecate and remove clear container
 function install_clear_container_ubuntu {
     sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/clearlinux:/preview:/clear-containers-2.1/xUbuntu_$(lsb_release -rs)/ /' >> /etc/apt/sources.list.d/cc-oci-runtime.list"
     curl -fsSL http://download.opensuse.org/repositories/home:/clearlinux:/preview:/clear-containers-2.1/xUbuntu_$(lsb_release -rs)/Release.key | sudo apt-key add -
@@ -179,6 +212,7 @@ function install_clear_container_ubuntu {
     apt_get install cc-oci-runtime
 }
 
+# TODO(hongbin): deprecate and remove clear container
 function install_clear_container_fedora {
     source /etc/os-release
     local lsb_dist=${os_VENDOR,,}
@@ -190,5 +224,31 @@ function install_clear_container_fedora {
     yum_install cc-oci-runtime linux-container
 }
 
+function install_kata_container_ubuntu {
+    sudo sh -c "echo 'deb http://download.opensuse.org/repositories/home:/katacontainers:/releases:/$(arch):/${KATA_BRANCH}/xUbuntu_${os_RELEASE}/ /' \
+        > /etc/apt/sources.list.d/kata-containers.list"
+    curl -sL  http://download.opensuse.org/repositories/home:/katacontainers:/releases:/$(arch):/${KATA_BRANCH}/xUbuntu_${os_RELEASE}/Release.key \
+        | sudo apt-key add -
+    REPOS_UPDATED=False apt_get_update
+    apt_get install kata-runtime kata-proxy kata-shim
+}
+
+function install_kata_container_fedora {
+    source /etc/os-release
+    if [[ -x $(command -v dnf 2>/dev/null) ]]; then
+        sudo dnf -y install dnf-plugins-core
+        sudo -E dnf config-manager --add-repo \
+            "http://download.opensuse.org/repositories/home:/katacontainers:/releases:/$(arch):/${KATA_BRANCH}/Fedora_${VERSION_ID}/home:katacontainers:releases:$(arch):${KATA_BRANCH}.repo"
+    elif [[ -x $(command -v yum 2>/dev/null) ]]; then
+        # all rh patforms (fedora, centos, rhel) have this pkg
+        sudo yum -y install yum-utils
+        sudo -E yum-config-manager --add-repo \
+            "http://download.opensuse.org/repositories/home:/katacontainers:/releases:/$(arch):/${KATA_BRANCH}/CentOS_${VERSION_ID}/home:katacontainers:releases:$(arch):${KATA_BRANCH}.repo"
+    else
+        die $LINENO "Unable to find or auto-install Kata Containers"
+    fi
+    yum_install kata-runtime kata-proxy kata-shim
+}
+
 # Restore xtrace
 $_XTRACE_DOCKER

devstack/plugin.sh

@@ -36,8 +36,9 @@ if is_service_enabled container; then
     fi
 
     if [[ "$1" == "clean" ]]; then
-        # nothing needed here
+        if [[ ${CONTAINER_ENGINE} == "docker" ]]; then
-        :
+            cleanup_docker
+        fi
     fi
 fi
 

devstack/settings

@@ -2,7 +2,9 @@
 
 # Supported options are "docker" and "crio".
 CONTAINER_ENGINE=${CONTAINER_ENGINE:-docker}
+# TODO(hongbin): deprecate and remove clear container
 ENABLE_CLEAR_CONTAINER=${ENABLE_CLEAR_CONTAINER:-false}
+ENABLE_KATA_CONTAINERS=${ENABLE_KATA_CONTAINERS:-false}
 ENABLE_LIVE_RESTORE=${ENABLE_LIVE_RESTORE:-false}
 ENABLE_IPV6=${ENABLE_IPV6:-false}
 

releasenotes/notes/add-support-for-kata-containers-49eae38b994aeae8.yaml

@@ -0,0 +1,11 @@
+---
+prelude: >
+    Support installing Kata Containers.
+features:
+  - |
+    In this release, it adds support for Kata Containers and configure it
+    to work with Docker.
+deprecations:
+  - |
+    The support of Clear Container is deprecated in this release and will be
+    removed in the next release.