StratoVirt: An Exploration of Cloud-Native Container Technology

Published 2020-10-29 · 4281 characters · about 13 minutes to read

StratoVirt

StratoVirt is an open-source VMM (Virtual Machine Manager) that aims to deliver next-generation virtualization. It is written in Rust and is lightweight, efficient and safe. It also offers full-scene support and flexible module splitting.

History

On September 30, 2020, openEuler officially released version 20.09;

This release uses Linux kernel 4.19.140 and fixes the CVEs discovered since the 20.03 release;

openEuler 20.09 adds nine major features: multi-core acceleration in the kernel, the iSula 2.0 lightweight container engine, the StratoVirt cloud-native lightweight VMM, BiSheng JDK, the Compass CI open-source continuous-integration platform, the A-Tune intelligent tuning tool, the UKUI desktop, the secGear confidential-computing framework and the IMA integrity measurement framework;

Features

High isolation based on hardware virtualization.

Fast cold boot: thanks to its minimalist design, StratoVirt can boot a microVM in under 50 ms.

Low memory overhead: StratoVirt runs with a memory footprint under 3 MB.

IO enhancement: StratoVirt provides ordinary IO capability with minimal IO device emulation.

OCI compatibility: StratoVirt works with iSula and Kata Containers and integrates into the Kubernetes ecosystem.

Multi-platform support: full support for Intel (x86_64) and Arm (aarch64) platforms.

Extensibility: StratoVirt reserves interfaces and design room for adding more features, up to and including standard virtualization support.

Architecture

The following figure shows StratoVirt's core architecture, which consists of three layers from top to bottom:

OCI compatibility API: StratoVirt uses the QMP protocol to communicate with external systems and is compatible with OCI.

BootLoader: StratoVirt loads the kernel image with a simple boot loader instead of the traditional, cumbersome BIOS and GRUB boot path; this is what makes fast boot possible.

Lightweight: to improve performance and reduce the attack surface, StratoVirt keeps user-space device emulation to a minimum. Devices emulated inside KVM and paravirtualized devices, such as the GIC, serial port, RTC and virtio devices, are used instead.

[Figure: strato_virt_arch, StratoVirt architecture diagram]

Roadmap

StratoVirt's roadmap is to support two modes, lightweight VM and standard VM, on a single architecture:

Lightweight VM mode: per-VM memory overhead under 4 MB, boot time under 50 ms, and device scaling with millisecond-level latency. This mode is complete and was open-sourced in the openEuler community in September 2020;

Standard VM mode: supports a full machine model and boots standard kernel images, reaching QEMU's capabilities while holding a clear advantage in code size and security;

Limitations

Host: only Linux is supported, and the recommended kernel version is 4.19. Guest: only Linux is supported, and the recommended kernel version is 4.19. A VM supports at most 254 vCPUs.

Hands-on

Environment preparation

1. System requirements: x86_64 or aarch64

2. Read/write permission on the /dev/kvm device node. Whoever can open /dev/kvm can create and drive KVM virtual machines, so grant it only to the account that will run StratoVirt:

$ sudo setfacl -m u:${USER}:rw /dev/kvm

Installing StratoVirt's dependencies

1. Rust

$ rustc --version
rustc 1.42.0

2. musl-libc (statically linked binary)

# Add the musl Rust target; skip if already installed
$ arch=`uname -m`
$ rustup target add ${arch}-unknown-linux-musl

# Build StratoVirt (run inside a checkout of https://gitee.com/openeuler/stratovirt)
$ cargo build --release --target ${arch}-unknown-linux-musl

3. glibc

# Add the gnu Rust target; skip if already installed
$ arch=`uname -m`
$ rustup target add ${arch}-unknown-linux-gnu

# Build StratoVirt (run inside a checkout of https://gitee.com/openeuler/stratovirt)
$ cargo build --release --target ${arch}-unknown-linux-gnu

Preparing the kernel and rootfs images

Linux kernel image in PE format

1. Download the openEuler kernel source:

$ git clone https://gitee.com/openeuler/kernel
$ cd kernel

2. Switch to the kernel-4.19 branch:

$ git checkout kernel-4.19

3. Configure the Linux kernel:

$ make menuconfig

4. Build, then strip vmlinux down to a raw binary (a bare `-j` spawns unbounded jobs, so cap it at the core count):

$ make -j"$(nproc)" vmlinux && objcopy -O binary vmlinux vmlinux.bin

ext4-format rootfs image

1. Create a 20 GB image file:

$ dd if=/dev/zero of=./rootfs.ext4 bs=1G count=20

2. Format it as ext4:

$ mkfs.ext4 ./rootfs.ext4

3. Mount it (the mount point is root-owned, so every step that writes into it runs under sudo):

$ mkdir -p /mnt/rootfs
$ sudo mount ./rootfs.ext4 /mnt/rootfs && cd /mnt/rootfs

4. Download alpine-minirootfs. Pick the tarball for your host architecture (aarch64 here; x86_64 on an Intel host). The URL pins 3.12.0 under latest-stable, which moves on over time, so for a reproducible build use the v3.12 release branch instead, and verify the tarball against the .sha256 file Alpine publishes next to it before unpacking it as root:

$ sudo wget http://dl-cdn.alpinelinux.org/alpine/latest-stable/releases/aarch64/alpine-minirootfs-3.12.0-aarch64.tar.gz
$ sudo tar -zxvf alpine-minirootfs-3.12.0-aarch64.tar.gz
$ sudo rm alpine-minirootfs-3.12.0-aarch64.tar.gz

5. Add the boot script sbin/init. Alpine ships sbin/init as a symlink to busybox, so remove it first instead of writing through the link; the heredoc goes through sudo tee because a plain redirect would run as the unprivileged shell:

$ sudo rm -f sbin/init && sudo tee sbin/init > /dev/null <<'EOF'
#!/bin/sh
mount -t devtmpfs dev /dev
mount -t proc proc /proc
mount -t sysfs sysfs /sys
ip link set up dev lo

# hand the console to a shell; poweroff only runs if exec fails
exec /sbin/getty -n -l /bin/sh 115200 /dev/ttyS0
poweroff -f
EOF

$ sudo chmod +x sbin/init

6. Unmount:

$ cd ~ && sudo umount /mnt/rootfs
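The six rootfs steps above, automated as an added example (this is my script, not StratoVirt's tooling) with the checks a practitioner wants before running tar as root: the Alpine release branch is pinned rather than latest-stable, the tarball is fetched over HTTPS and checked against the .sha256 sidecar Alpine publishes beside each release (assumed present at the tarball URL plus ".sha256"), the architecture is a parameter instead of a hard-coded aarch64 URL, the image is a sparse file instead of 20 GiB of written zeros, sbin/init is unlinked before being rewritten so the busybox symlink target is not clobbered, and the image is always unmounted even when a step fails. The image path, size and mount point are placeholders.

```python
#!/usr/bin/env python3
"""Build an ext4 rootfs image for StratoVirt from an Alpine minirootfs tarball.

mkfs and mount need root, so run `sudo ./make_rootfs.py`. The helpers
alpine_minirootfs_url, sha256_file and verify_sha256 need neither root
nor network and can be used on their own.
"""
import hashlib
import os
import subprocess
import sys
import tempfile
import urllib.request

ALPINE_CDN = "https://dl-cdn.alpinelinux.org/alpine"

# Same init as manual step 5: mount the pseudo-filesystems, bring up
# loopback and hand the console to a shell on ttyS0.
INIT_SCRIPT = """#!/bin/sh
mount -t devtmpfs dev /dev
mount -t proc proc /proc
mount -t sysfs sysfs /sys
ip link set up dev lo

exec /sbin/getty -n -l /bin/sh 115200 /dev/ttyS0
poweroff -f
"""


def alpine_minirootfs_url(version, arch):
    """Tarball URL on the pinned release branch, e.g. 3.12.0 -> v3.12."""
    branch = "v" + ".".join(version.split(".")[:2])
    return (f"{ALPINE_CDN}/{branch}/releases/{arch}/"
            f"alpine-minirootfs-{version}-{arch}.tar.gz")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha256(path, sha256_text):
    """sha256_text is the '<hex>  <filename>' line from the .sha256 sidecar.
    Raises ValueError on mismatch so the caller never unpacks a bad tarball."""
    expected = sha256_text.split()[0].lower()
    actual = sha256_file(path)
    if actual != expected:
        raise ValueError(f"sha256 mismatch for {path}: {actual} != {expected}")
    return True


def run(cmd):
    subprocess.run(cmd, check=True)


def build_image(image, size_gib, version, arch, mountpoint="/mnt/rootfs"):
    if os.geteuid() != 0:
        sys.exit("mkfs/mount need root: run this script with sudo")
    url = alpine_minirootfs_url(version, arch)
    with tempfile.TemporaryDirectory() as tmp:
        tarball = os.path.join(tmp, os.path.basename(url))
        urllib.request.urlretrieve(url, tarball)
        with urllib.request.urlopen(url + ".sha256") as r:   # assumed sidecar
            verify_sha256(tarball, r.read().decode())
        run(["truncate", "-s", f"{size_gib}G", image])  # sparse; grows on demand
        run(["mkfs.ext4", "-q", image])
        os.makedirs(mountpoint, exist_ok=True)
        run(["mount", "-o", "loop", image, mountpoint])
        try:
            run(["tar", "-xzf", tarball, "-C", mountpoint])
            init = os.path.join(mountpoint, "sbin", "init")
            if os.path.lexists(init):      # symlink to busybox in minirootfs
                os.unlink(init)            # do not write through the link
            with open(init, "w") as f:
                f.write(INIT_SCRIPT)
            os.chmod(init, 0o755)
        finally:
            run(["umount", mountpoint])


if __name__ == "__main__":
    # placeholders: image path, size in GiB, Alpine version, host architecture
    build_image("./rootfs.ext4", 20, "3.12.0", os.uname().machine)
```

On mismatch verify_sha256 raises before tar is ever invoked, which is the point: the tarball is unpacked as root into a filesystem that will later boot as a guest, so its integrity is worth one extra request.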

Running StratoVirt

Command-line mode

# Make sure the api-channel socket can be created. This deletes whatever sits at
# that path, so point it at a private directory; anyone who can connect to the
# socket gets QMP control of the VM.
$ rm -f /path/to/socket

# Start StratoVirt (the kernel command line must be quoted so it stays one argument)
$ ./stratovirt \
    -kernel /path/to/vmlinux.bin \
    -append "console=ttyS0 pci=off reboot=k panic=1 root=/dev/vda" \
    -drive file=/path/to/rootfs,id=rootfs,readonly=off \
    -api-channel unix:/path/to/socket \
    -serial stdio

Configuration-file mode

Sample configuration: https://gitee.com/openeuler/stratovirt/blob/master/docs/default.json. Note that mem_size is in bytes (268435456 is 256 MiB) and that vcpu_count is capped at 254 (see Limitations).

# Json configuration file
$ cat default.json
{
  "boot-source": {
    "kernel_image_path": "/path/to/kernel",
    "boot_args": "console=ttyS0 reboot=k panic=1 pci=off tsc=reliable ipv6.disable=1 root=/dev/vda"
  },
  "machine-config": {
    "vcpu_count": 1,
    "mem_size": 268435456
  },
  "drive": [
    {
      "drive_id": "rootfs",
      "path_on_host": "/path/to/rootfs/image",
      "direct": false,
      "read_only": false
    }
  ],
  "serial": {
    "stdio": true
  }
}

# Start StratoVirt
$ ./stratovirt \
    -config ./default.json \
    -api-channel unix:/path/to/socket
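A small launcher for the configuration-file mode, as an added example of mine rather than anything shipped with StratoVirt. It writes the same JSON shape as default.json, enforces what the page states before launching (vcpu_count at most 254, mem_size in bytes), and replaces the bare `rm -f /path/to/socket` with a preflight for the api-channel socket: only a stale socket is removed, never a regular file that happens to share the path, and the socket must live in a directory no other user can enter, since whoever can connect to it controls the VM over QMP. The 16 MiB threshold is a heuristic of mine, and the kernel, rootfs and ./stratovirt paths are placeholders.

```python
#!/usr/bin/env python3
"""Generate, validate and launch a StratoVirt JSON configuration."""
import json
import os
import stat
import subprocess
import tempfile

MAX_VCPUS = 254          # StratoVirt limit quoted under "Limitations"
MIB = 1024 * 1024
DEFAULT_BOOT_ARGS = ("console=ttyS0 reboot=k panic=1 pci=off "
                     "tsc=reliable ipv6.disable=1 root=/dev/vda")


def make_config(kernel, rootfs, vcpus=1, mem_mib=256,
                boot_args=DEFAULT_BOOT_ARGS, read_only=False, direct=False):
    """Build the default.json structure; mem_mib is converted to bytes here."""
    return {
        "boot-source": {"kernel_image_path": kernel, "boot_args": boot_args},
        "machine-config": {"vcpu_count": vcpus, "mem_size": mem_mib * MIB},
        "drive": [{"drive_id": "rootfs", "path_on_host": rootfs,
                   "direct": direct, "read_only": read_only}],
        "serial": {"stdio": True},
    }


def validate_config(cfg):
    """Return a list of problems; an empty list means the config is launchable."""
    problems = []
    mc = cfg["machine-config"]
    vcpus, mem = mc["vcpu_count"], mc["mem_size"]
    if not isinstance(vcpus, int) or not 1 <= vcpus <= MAX_VCPUS:
        problems.append(f"vcpu_count must be 1..{MAX_VCPUS}, got {vcpus!r}")
    if not isinstance(mem, int) or mem <= 0:
        problems.append(f"mem_size must be a positive byte count, got {mem!r}")
    elif mem < 16 * MIB:
        # heuristic: a value this small was almost certainly meant as MiB
        problems.append(f"mem_size {mem} looks like MiB, but the field is bytes")
    if not os.path.isfile(cfg["boot-source"]["kernel_image_path"]):
        problems.append("kernel_image_path does not point at a file")
    if "root=" not in cfg["boot-source"]["boot_args"]:
        problems.append("boot_args has no root= entry")
    for d in cfg["drive"]:
        if not os.path.isfile(d["path_on_host"]):
            problems.append(f"drive {d['drive_id']}: path_on_host is not a file")
    return problems


def prepare_api_socket(path):
    """Make `path` safe to pass as -api-channel unix:<path>."""
    parent = os.path.dirname(os.path.abspath(path))
    if os.stat(parent).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{parent} is group/world accessible; keep the "
                              "api-channel socket in a mode 0700 directory")
    if os.path.lexists(path):
        # lstat: a symlink pointing at a socket is still refused
        if not stat.S_ISSOCK(os.lstat(path).st_mode):
            raise FileExistsError(f"{path} exists and is not a socket; not deleting it")
        os.unlink(path)  # stale socket left by a previous run
    return path


def build_argv(cfg_path, api_socket, binary="./stratovirt"):
    """The command line from the page's configuration-file mode."""
    return [binary, "-config", cfg_path, "-api-channel", f"unix:{api_socket}"]


def launch(cfg, cfg_path, api_socket, binary="./stratovirt"):
    problems = validate_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    with open(cfg_path, "w") as f:
        json.dump(cfg, f, indent=2)
    prepare_api_socket(api_socket)
    return subprocess.run(build_argv(cfg_path, api_socket, binary)).returncode


if __name__ == "__main__":
    # placeholders; mkdtemp gives a fresh mode-0700 directory for the socket
    sock_dir = tempfile.mkdtemp(prefix="stratovirt-")
    vm = make_config("/path/to/vmlinux.bin", "/path/to/rootfs.ext4",
                     vcpus=2, mem_mib=512)
    raise SystemExit(launch(vm, "./vm.json", os.path.join(sock_dir, "api.sock")))
```

validate_config returns every problem at once rather than stopping at the first, so a config that has both a missing kernel path and a MiB-instead-of-bytes memory size is reported in one pass; launch refuses to start the VMM until the list is empty.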

References

https://zhuanlan.zhihu.com/p/260792316

https://gitee.com/openeuler/stratovirt

https://my.oschina.net/openeuler/blog/4690654




All articles on this blog are licensed as free to repost, non-commercial, no derivatives, attribution required; please credit the source when reposting, thank you.
Statement:
Reposting is welcome, but please keep the original author information!
Blog: Qiu Wenqi (qiuwenqi)'s blog;
The content is my own study, research and summary; any resemblance to other work is an honour!