Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support running a workspace in kata containers #21105

Closed
l0rd opened this issue Feb 1, 2022 · 5 comments
Closed

Support running a workspace in kata containers #21105

l0rd opened this issue Feb 1, 2022 · 5 comments
Labels
area/dashboard area/devworkspace-operator kind/enhancement A feature request - must adhere to the feature request template. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. severity/P1 Has a major impact to usage or development of the system.

Comments

@l0rd
Copy link
Contributor

l0rd commented Feb 1, 2022
edited
Loading

Is your enhancement related to a problem? Please describe

Kata containers allow running pod in dedicated VMs. That makes it possible to run a container as root without any security exposure (and run apt-get/yum install or buildah).

To run a Che workspace in a kata container the workspace Pod should specify runtimeClassName: kata:

apiVersion: v1
kind: Pod
metadata:
  ...
spec:
  runtimeClassName: kata
  containers:
  ...

But that's not currently possible.

Describe the solution you'd like

To implement we should:

  1. Add spec.runtimeClassName field in DevWorkspace CRD that, if set and if the user has the necessary privileges, will be propagated to all the workspace Pods.
  2. Add a new Che URL parameter runtime-class-name: https://<che-host>#<repository_url>?<runtimeClassName>. If set the resulting DevWorkspace should include the runtimeClassName

Additional context

Here I have described how to setup an OpenShift cluster with kata containers and run buildah in it.
@l0rd l0rd added kind/enhancement A feature request - must adhere to the feature request template. area/devworkspace-operator area/dashboard labels Feb 1, 2022
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Feb 1, 2022
@l0rd l0rd added severity/P1 Has a major impact to usage or development of the system. and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. labels Feb 1, 2022
@amisevsk
Copy link
Contributor

amisevsk commented Mar 1, 2022

We can support this via an attribute in the DevWorkspace Operator, or by adding the relevant field to the DevWorkspace CRD -- which is preferable here?

It would be very straightforward to define e.g. controller.devfile.io/runtimeClassName as an attribute and propagate that to the pod created for that workspace. This also has the benefit of not adding more explicit fields to the DevWorkspace API and also being "upgradeable" to an explicit CRD field in the future.

@l0rd
Copy link
Contributor Author

l0rd commented Mar 2, 2022

We can support this via an attribute in the DevWorkspace Operator, or by adding the relevant field to the DevWorkspace CRD -- which is preferable here?

I want to let the developers to choose if the workspace will run in a Kata container or not. In other words, on the same OpenShift cluster, a developer can:

  • specify the factory URL parameter runtime-class-name=kata and the workspace will be started using kata containers
  • omit the factory URL parameter runtime-class-name and the workspace will be started using a regular Pod.

So if the attribute your are thinking about is at the DevWorkspace CR level than 👍

This was referenced Mar 2, 2022
Closed
Merged
@l0rd l0rd mentioned this issue Jun 2, 2022
Closed
@che-bot
Copy link
Contributor

che-bot commented Aug 29, 2022

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 29, 2022
@amisevsk
Copy link
Contributor

/remove-lifecycle stale

@amisevsk amisevsk added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Aug 29, 2022
@che-bot che-bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 29, 2022
@l0rd
Copy link
Contributor Author

l0rd commented Oct 20, 2022

This is now possible using devfile attributes as describe in the PR

@l0rd l0rd closed this as completed Oct 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/dashboard area/devworkspace-operator kind/enhancement A feature request - must adhere to the feature request template. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. severity/P1 Has a major impact to usage or development of the system.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@l0rd @amisevsk @che-bot