      Interconnecting with the iSula Secure Container

      Overview

      To provide a better isolation environment for containers and improve system security, it is necessary to connect Kata to StratoVirt in the iSula secure container scenario.

      Interconnection with an iSula Secure Container

      Prerequisites

      iSulad and Kata containers have been installed.

      Operations

      The default path of the Kata configuration file is /usr/share/defaults/kata-containers/configuration.toml.

      1. Compile kata-kernel.

        • Download kata-containers/packaging.
        • Copy the corresponding config file under /kernel/configs/ to the kernel folder and rename it to .config:
        cp x86_64_kata_kvm_4.14.x /home/kernel/.config
        
        • Enter the kernel/ directory and run the following commands:
        make -j vmlinux
        objcopy -O binary vmlinux vmlinux.bin
        
      2. Compile kata-containers-initrd.img.

        • Download kata_integration.
        • Enter the kata_integration directory and download kata-agent.
        • Create the build folder under the kata_integration/ directory.
        • Rename the kata-agent directory to agent.
        • Enter the agent/ folder.
        • Apply the patches:
        ./apply-patches
        
        • Enter the kata_integration/ directory and compile:
        make initrd
        
        • Enter the build folder and view the compilation results: kata-agent and kata-containers-initrd.img.
      3. Modify the configuration file to set the hypervisor type of the secure sandbox to stratovirt.

        [hypervisor.stratovirt]
        path = "/home/stratovirt.sh"
        kernel = "/home/kernel/vmlinux.bin"
        initrd = "/var/lib/kata/kata-containers-initrd.img"
        block_device_driver = "virtio-mmio"
        use_vsock = true
        enable_netmon = false
        internetworking_model = "none"
        sandbox_cgroup_with_emulator = false
        disable_new_netns = false
        
      4. Set the execution file path of the secure sandbox to the absolute path of stratovirt.sh. The content of the stratovirt.sh script is as follows:

        #!/bin/bash
        # Log level: trace, debug, info, warn or error.
        export STRATOVIRT_LOG_LEVEL=info
        # Quote "$@" so that arguments containing spaces are passed through unchanged.
        /usr/bin/stratovirt "$@"
        
      5. Run iSulad to connect Kata to StratoVirt.

        $ isula run -tid --runtime=kata-runtime --name test busybox:latest sh
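
The runtime executes or loads the files named by path, kernel and initrd in [hypervisor.stratovirt] each time it starts a sandbox, so each should be an absolute path to a root-owned regular file that group and other users cannot write. The check below is an added example, not part of the original guide or of the Kata, iSulad or StratoVirt projects; the function names are hypothetical and it assumes GNU stat.

```bash
#!/bin/bash
# Added example (not part of Kata, iSulad or StratoVirt): audit the files
# named by path/kernel/initrd in [hypervisor.stratovirt]. Function names
# are hypothetical.

# Print "key=value" for path, kernel and initrd in [hypervisor.stratovirt].
stratovirt_paths() {
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[hypervisor\.stratovirt\]/); next }
        in_sec && /^[ \t]*(path|kernel|initrd)[ \t]*=/ {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1)
            if (match(val, /"[^"]*"/)) val = substr(val, RSTART + 1, RLENGTH - 2)
            print key "=" val
        }' "$1"
}

# Succeed only if $1 is an absolute path to a regular file (not a symlink)
# owned by uid $2 and not writable by group or others.
check_file() {
    case "$1" in /*) ;; *) echo "not an absolute path: $1"; return 1 ;; esac
    if [ -L "$1" ] || [ ! -f "$1" ]; then echo "missing or symlink: $1"; return 1; fi
    uid=$(stat -c %u "$1"); mode=$(stat -c %a "$1")
    [ "$uid" = "$2" ] || { echo "owner uid $uid, expected $2: $1"; return 1; }
    [ $(( 0$mode & 022 )) -eq 0 ] || { echo "group/other writable ($mode): $1"; return 1; }
}

# Audit a configuration file; $2 is the expected owner uid (default 0, root).
# Returns the number of findings, so 0 means the section passed.
audit_stratovirt_config() {
    bad=0
    entries=$(stratovirt_paths "$1")
    [ -n "$entries" ] || { echo "no [hypervisor.stratovirt] paths in $1"; return 1; }
    while IFS='=' read -r key file; do
        if ! check_file "$file" "${2:-0}"; then
            bad=$((bad + 1))
        elif [ "$key" = path ] && [ ! -x "$file" ]; then
            echo "hypervisor path is not executable: $file"; bad=$((bad + 1))
        fi
    done <<EOF
$entries
EOF
    return "$bad"
}

# Run the audit when a configuration file is given on the command line.
if [ $# -gt 0 ]; then audit_stratovirt_config "$@"; fi
```

Run it as root with the configuration file as the only argument, for example the default path given at the start of this procedure; a non-zero exit status is the number of findings.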
        
