Using Kata Containers

Installing Kata Containers

To deploy Kata Containers you must first set up an Oracle Cloud Native Environment, including the kubernetes module. For information on installing and deploying Oracle Cloud Native Environment, see Getting Started.

Checking Hardware

You can test whether the hardware can run Kata Containers using the kata-runtime kata-check command. To use this command you must first have a running Kubernetes deployment. On a Kubernetes worker node, run:

sudo kata-runtime kata-check

For more information on using the kata-runtime command, use the kata-runtime --help command.

Creating Kata Containers

This section provide an example of creating a Kubernetes pod configuration file, which is used to create a container using kata-runtime as the runtime engine. Before you create Kata Containers, set up a Kubernetes runtime class for kata-runtime. For information on setting up a runtime class, see Setting Runtime Classes.

Example 3-1 Creating an NGINX container

This example uses a Kubernetes pod configuration file to create a Kata container. The pod configuration file creates an NGINX web server container, which is often used when testing containers.

To create an NGINX Kata container:

On a host that's set up to use the kubectl command to connect to the Kubernetes cluster, create a Kubernetes pod configuration file. To specify the container is to be run as a Kata container, use the notation runtimeClassName: kata-containers in the pod file. When CRI-O finds this runtime class in a pod file, it passes the container to kata-runtime to run the container.

This pod file is named kata-nginx.yaml.
```
apiVersion: v1
kind: Pod
metadata:
  name: kata-nginx
spec:
  runtimeClassName: kata-containers
  containers:
    - name: nginx
      image: container-registry.oracle.com/olcne/nginx:1.17.7
      ports:
      - containerPort: 80
```
Create the Kata container using the kata-nginx.yaml file with the kubectl apply command:
```
kubectl apply -f kata-nginx.yaml
```

To check the pod has been created, use the kubectl get pods command:

kubectl get pods

The output looks similar to:

NAME         READY   STATUS    RESTARTS   AGE
kata-nginx   1/1     Running   0          11s

Use the kubectl describe command to show a more detailed view of the pod, including which worker node is hosting the pod and the Container ID.

kubectl describe pod kata-nginx

The output looks similar to:

Name:               kata-nginx
Namespace:          default
Priority:           0
PriorityClassName:  <none>
Node:               worker1.example.com/192.0.2.24
Start Time:         <date> 01:53:35 +0100
Labels:             <none>
Annotations:        kubectl.kubernetes.io/last-applied-configuration:
                      {"apiVersion":"v1","kind":"Pod","metadata":{"annotations":{}...
Status:             Running
IP:                 10.244.3.3
Containers:
  mycontainer:
    Container ID:   cri-o://8f7d91a1893638498b3bbf74271e4b24361830e29ac65cc361a4c0...
    Image:          nginx
    Image ID:       docker.io/library/nginx@sha256:099019968725f0fc12c4b69b289a347...
    Port:           80/TCP
    Host Port:      0/TCP
    State:          Running
...

You can list the pods on a worker node using the crictl pods command. For example, on a worker node, run:

sudo crictl pods

The output looks similar to:

POD ID            CREATED         STATE    NAME                      NAMESPACE      ATTEMPT
03564d1e87df9     1 hours ago     Ready    kata-nginx                default        0
3bfabc5c7eea5     22 hours ago    Ready    kube-flannel-ds-6fkld     kube-system    0
bb0de1bff1cdf     22 hours ago    Ready    kube-proxy-cc7tb          kube-system    0

You can see the kata-nginx container is running on this worker node.

For more information on using the crictl command, use the crictl --help command.

You can get more detailed information about the containers on a worker node using the crictl ps command. For example:

sudo crictl ps

The output looks similar to:

CONTAINER           IMAGE                       NAME                POD ID
8f7d91a189363     docker.io/library/ngin...     nginx        ...    03564d1e87df9
0e9db3f09163a     0a95ca9313ebb9fc3708d8...     kube-flannel ...    3bfabc5c7eea5
f8350c6fe0c55     container-registry.ora...     kube-proxy   ...    bb0de1bff1cdf

Note the Container ID is a shortened version of the Container ID shown in the pod description.

To get detailed information about a container, use the crictl inspectp command using the POD ID. For example:

sudo crictl inspectp 03564d1e87df9

The output looks similar to:

{
  "status": {
    "id": "03564d1e87df9d7330e949e67e18252d2a02b0fac585293667d7dd7b92857b9b",
    "metadata": {
      "attempt": 0,
      "name": "kata-nginx",
      "namespace": "default",
      "uid": "bfda5be6-d4f7-11e9-8ad8-52540037f605"
    },
    "state": "SANDBOX_READY",
    "createdAt": "<date>",
    "network": {
      "ip": "10.244.3.3"
...

To confirm the container is running using kata-runtime, use the kata-runtime list command. For example:

sudo kata-runtime list

The output looks similar to:

ID                                  PID         STATUS      BUNDLE                  ...
03564d1e87df9d7330e949e67e1825...   20140       running     /run/containers/storage/...
8f7d91a1893638498b3bbf74271e4b...   20191       running     /run/containers/storage...

Note the ID is the same as the Container ID shown in the pod description.

You can delete the pod using the kubectl delete command on the control plane node:
```
kubectl delete pod kata-nginx
```