TipsAndTricks/BuildingAndRunningClearContainersonTarget
What & Why
Clear containers (CC) offer a hybrid solution that encompasses the advantages of hypervisor security and container deployment. So, we wanted to see if they could be used in a YP environment. This was done for Clear Containers 2.2 based on YP master around the time of 2.4 RC1/2.
Note: this is a Proof of Concept, done by building on target. The eventual goal would be to create a standard recipe to allow the clear containers to be built in the standard way. Hopefully, this guide will help with that by outlining the parts, dependencies, and configuration steps. This guide assumes you already have docker running on your target by having followed Running Docker on your image . The target example is being done with an Intel Nuc. I have successfully run the same code on a Minnowboard Turbot.
Dependencies you need
Layers
The layers I am using:
meta-openembedded/meta-oe meta-openembedded/meta-python meta-openembedded/meta-networking meta-openembedded/meta-filesystems meta-virtualization meta-clear
All of these layers can be found on layer.openembedded.org except the meta-clear. The meta-clear layer was created with the script yocto-layer. It's only purpose is to turn on CONFIG_VHOST_NET=m for the kernel. Here's a tree of the layer:
├── conf
│ └── layer.conf
├── COPYING.MIT
├── README
└── recipes-kernel
└── linux
├── linux-yocto
│ ├── clear.cfg
│ └── clear.scc
├── linux-yocto_4.10.bbappend
└── linux-yocto_4.9.bbappend
I am using the 4.9 kernel. Here's the linux-yocto_4.9.bbappend:
FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += "file://clear.scc \
"
KERNEL_MODULE_AUTOLOAD += "vhost-net"
The scc file:
define KFEATURE_DESCRIPTION "Enable clearcon support" define KFEATURE_COMPATIBILITY board kconf non-hardware clear.cfg
And finally the cfg file:
CONFIG_VHOST_NET=m
Conf Changes
This guide presumes you have the setup in your conf file described in Running Docker on your image . In addition, to make on target building easier, I add the following to my conf/local.conf:
EXTRA_IMAGE_FEATURES += " dev-pkgs tools-sdk tools-debug tools-profile "
Additional Dependencies to Bitbake
These are the additional recipes I built in addition to the base I outlined above. They could be added all at once in the local.conf, if you want.
bitbake libcheck mdadm psmisc json-glib libmnl ossp-uuid autoconf-archive python-setuptools libcap-ng tunctl
These are additional packages I built for convenience, but they are not required:
bitbake less zile ntp rsync minicom
Once built these can be installed on the board. Note that we need the dev pkgs as we are mostly completing build requirements for pieces of CC.
dnf install tunctl python-dev python-setuptools-dev libcap-ng-dev libcheck-dev libmnl-dev libjson-glib-1.0-dev autoconf-archive-dev libcap-ng-dev python-setuptools-dev
and the convenient ones:
dnf install zile less ntp rsync minicom
The Image to Build
bitbake core-image--base
The Pieces of CC
Clear Containers are comprised of a set of software and binaries. The main code is a slightly forked (2.9 currently) qemu hypervisor configured to be minimal, a command proxy, a shim, and the oci runtime. The command proxy is written in go. The rest is c/c++. We build the hypervisor itself, but the binaries for the hypervisor are downloaded from the CC site.
The Runtime,Shim & Proxy
This comes from [clear oci runtime]. While getting it to work, I followed the development model outlined in Leveraging Rpm Package Feeds. Here I will list the dependencies to make it shorter.
Which Clear was this?
cc-oci-runtime version: 2.2.0 spec version: 1.0.0-rc1 commit: f92d50ad54003298c139de59777f07588683cdc2
Getting the Source Code
We will pretty much follow the (very good) instructions in the README. Because it is a go project we will follow the go flow...
go get -d github.com/01org/cc-oci-runtime/
If you are behind a proxy, make sure you export http_proxy and https_proxy into your shell.
