github.com/stackdocker/rkt@v0.10.1-0.20151109095037-1aa827478248/Documentation/running-lkvm-stage1.md

# Running rkt with an LKVM stage1

rkt has experimental support for running with an [LKVM](https://kernel.googlesource.com/pub/scm/linux/kernel/git/will/kvmtool/+/master/README) stage1.
That is, rkt will start a virtual machine with full hypervisor isolation instead of creating a container using Linux cgroups and namespaces.

## Getting started

You can either use `stage1-kvm.aci` (or `stage1-lkvm.aci`) from the official release, or build rkt yourself with the right options:

```
$ ./autogen.sh && ./configure --with-stage1-flavors=kvm && make
```

This will build the rkt binary and the LKVM stage1.aci in `build-rkt-0.10.0+git/bin/`.

Provided you have hardware virtualization support and the [kernel KVM module](http://www.linux-kvm.org/page/Getting_the_kvm_kernel_modules) loaded (refer to your distribution for instructions), you can then run an image like you would normally do with rkt:

```
# rkt trust --prefix coreos.com/etcd
prefix: "coreos.com/etcd"
key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
gpg key fingerprint is: 8B86 DE38 890D DB72 9186 7B02 5210 BD88 8818 2190
CoreOS ACI Builder <release@coreos.com>
Trusting "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg" for prefix "coreos.com/etcd" without fingerprint review.
Added key for prefix "coreos.com/etcd" at "/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/8b86de38890ddb7291867b025210bd8888182190"
# rkt run coreos.com/etcd:v2.0.9
rkt: searching for app image coreos.com/etcd:v2.0.9
prefix: "coreos.com/etcd"
key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
gpg key fingerprint is: 8B86 DE38 890D DB72 9186 7B02 5210 BD88 8818 2190
CoreOS ACI Builder <release@coreos.com>
Key "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg" already in the keystore
Downloading signature from https://github.com/coreos/etcd/releases/download/v2.0.9/etcd-v2.0.9-linux-amd64.aci.asc
Downloading signature: [=======================================] 819 B/819 B
Downloading ACI: [=============================================] 3.79 MB/3.79 MB
rkt: signature verified:
CoreOS ACI Builder <release@coreos.com>
[188748.162493] etcd[4]: 2015/08/18 14:10:08 etcd: no data-dir provided, using default data-dir ./default.etcd
[188748.163213] etcd[4]: 2015/08/18 14:10:08 etcd: listening for peers on http://localhost:2380
[188748.163674] etcd[4]: 2015/08/18 14:10:08 etcd: listening for peers on http://localhost:7001
[188748.164143] etcd[4]: 2015/08/18 14:10:08 etcd: listening for client requests on http://localhost:2379
[188748.164603] etcd[4]: 2015/08/18 14:10:08 etcd: listening for client requests on http://localhost:4001
[188748.165044] etcd[4]: 2015/08/18 14:10:08 etcdserver: datadir is valid for the 2.0.1 format
[188748.165541] etcd[4]: 2015/08/18 14:10:08 etcdserver: name = default
[188748.166236] etcd[4]: 2015/08/18 14:10:08 etcdserver: data dir = default.etcd
[188748.166719] etcd[4]: 2015/08/18 14:10:08 etcdserver: member dir = default.etcd/member
[188748.167251] etcd[4]: 2015/08/18 14:10:08 etcdserver: heartbeat = 100ms
[188748.167685] etcd[4]: 2015/08/18 14:10:08 etcdserver: election = 1000ms
[188748.168322] etcd[4]: 2015/08/18 14:10:08 etcdserver: snapshot count = 10000
[188748.168787] etcd[4]: 2015/08/18 14:10:08 etcdserver: advertise client URLs = http://localhost:2379,http://localhost:4001
[188748.169342] etcd[4]: 2015/08/18 14:10:08 etcdserver: initial advertise peer URLs = http://localhost:2380,http://localhost:7001
[188748.169862] etcd[4]: 2015/08/18 14:10:08 etcdserver: initial cluster = default=http://localhost:2380,default=http://localhost:7001
[188748.188550] etcd[4]: 2015/08/18 14:10:08 etcdserver: start member ce2a822cea30bfca in cluster 7e27652122e8b2ae
[188748.190202] etcd[4]: 2015/08/18 14:10:08 raft: ce2a822cea30bfca became follower at term 0
[188748.190381] etcd[4]: 2015/08/18 14:10:08 raft: newRaft ce2a822cea30bfca [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]
[188748.190499] etcd[4]: 2015/08/18 14:10:08 raft: ce2a822cea30bfca became follower at term 1
[188748.206523] etcd[4]: 2015/08/18 14:10:08 etcdserver: added local member ce2a822cea30bfca [http://localhost:2380 http://localhost:7001] to cluster 7e27652122e8b2ae
[188749.489184] etcd[4]: 2015/08/18 14:10:10 raft: ce2a822cea30bfca is starting a new election at term 1
[188749.489460] etcd[4]: 2015/08/18 14:10:10 raft: ce2a822cea30bfca became candidate at term 2
[188749.489583] etcd[4]: 2015/08/18 14:10:10 raft: ce2a822cea30bfca received vote from ce2a822cea30bfca at term 2
[188749.489675] etcd[4]: 2015/08/18 14:10:10 raft: ce2a822cea30bfca became leader at term 2
[188749.489760] etcd[4]: 2015/08/18 14:10:10 raft.node: ce2a822cea30bfca elected leader ce2a822cea30bfca at term 2
[188749.523133] etcd[4]: 2015/08/18 14:10:10 etcdserver: published {Name:default ClientURLs:[http://localhost:2379 http://localhost:4001]} to cluster 7e27652122e8b2ae
```

This output is the same as you'll get when running a container-based rkt.
If you want to see the kernel and boot messages, run rkt with the `--debug` flag.

You can exit by pressing `<Ctrl-a x>`.
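The prerequisites above (hardware virtualization support plus a loaded KVM module) are easy to get wrong silently: if the host cannot provide KVM, a launcher script that just falls back to the namespace-based stage1 quietly loses the hypervisor boundary the workload was supposed to get. The following pre-flight check is an added example and not code from the rkt project. It reads the CPU flags, the module list and the KVM device node, then selects a stage1 image, refusing to run a workload that needs VM isolation when the host cannot provide it. The stage1 paths under `/usr/local/rkt/`, the `vm`/`container` isolation labels and the convention of passing the cpuinfo and modules text as arguments (so the functions can be exercised with constructed input) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the rkt documentation. Host paths
# (/proc/cpuinfo, /proc/modules, /dev/kvm) and the stage1 locations under
# /usr/local/rkt/ are assumptions for illustration.

# Succeeds if the cpuinfo text advertises Intel VT-x (vmx) or AMD-V (svm).
has_virt_flags() {
    printf '%s\n' "$1" | grep -E '^flags[[:space:]]*:' | grep -qwE 'vmx|svm'
}

# Succeeds if the kvm core module appears in /proc/modules-style text.
kvm_module_listed() {
    printf '%s\n' "$1" | grep -qE '^kvm[[:space:]]'
}

# Succeeds if the KVM device node is a character device we can open read/write.
kvm_device_usable() {
    [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# Print the stage1 image to use. $1 is the isolation the workload needs
# ("vm" or "container"); $2, $3, $4 are cpuinfo text, modules text and the
# KVM device path. A workload that needs "vm" isolation is refused (exit 1,
# nothing printed) rather than downgraded to the namespace-based stage1.
choose_stage1() {
    need="$1"; cpuinfo="$2"; modules="$3"; dev="$4"
    case "$need" in
        container)
            echo "/usr/local/rkt/stage1.aci"
            ;;
        vm)
            if has_virt_flags "$cpuinfo" && kvm_module_listed "$modules" && kvm_device_usable "$dev"; then
                echo "/usr/local/rkt/stage1-lkvm.aci"
            else
                echo "host cannot provide hypervisor isolation; refusing to downgrade" >&2
                return 1
            fi
            ;;
        *)
            echo "unknown isolation level: $need" >&2
            return 2
            ;;
    esac
}

# Build the rkt command line for image $5 at isolation level $1.
# Propagates choose_stage1's failure so a caller cannot run by accident.
rkt_run_cmd() {
    stage1=$(choose_stage1 "$1" "$2" "$3" "$4") || return $?
    echo "rkt run --stage1-image=$stage1 $5"
}

# On a real host:
#   rkt_run_cmd vm "$(cat /proc/cpuinfo)" "$(cat /proc/modules)" /dev/kvm coreos.com/etcd:v2.0.9
```

The deliberate choice is that `choose_stage1 vm` fails closed: the image is only ever run under `stage1-lkvm.aci`, or not at all, so an operator notices a missing `kvm` module instead of discovering later that an untrusted pod ran with only namespace isolation.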

### Selecting stage1 at runtime

If you want to run software that requires hypervisor isolation along with trusted software that only needs container isolation, you can [choose which stage1.aci to use at runtime](https://github.com/coreos/rkt/blob/master/Documentation/commands.md#use-a-custom-stage-1).

For example, if you have a container stage1 named `stage1.aci` and an LKVM stage1 named `stage1-lkvm.aci` in `/usr/local/rkt/`:

```
# rkt run --stage1-image=/usr/local/rkt/stage1.aci coreos.com/etcd:v2.0.9
...
# rkt run --stage1-image=/usr/local/rkt/stage1-lkvm.aci coreos.com/etcd:v2.0.9
...
```

## How does it work?

It leverages the work done by Intel with their [Clear Containers system](https://lwn.net/Articles/644675/).
Stage1 contains a Linux kernel that is executed under LKVM.
This kernel will then start systemd, which in turn will start the applications in the pod.

An LKVM-based rkt is very similar to a container-based one; it just uses lkvm to execute pods instead of systemd-nspawn.

Here's a comparison of the components involved in a container-based and an LKVM-based rkt.

Container-based:

```
host OS
└─ rkt
   └─ systemd-nspawn
      └─ systemd
         └─ chroot
            └─ user-app1
```

LKVM-based:

```
host OS
└─ rkt
   └─ lkvm
      └─ kernel
         └─ systemd
            └─ chroot
               └─ user-app1
```
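The two trees above give a host-side way to verify, after the fact, which isolation a running pod actually got: the child of a `rkt` process is `systemd-nspawn` for the container stage1 and `lkvm` for the LKVM stage1 (with the LKVM stage1, the application processes live inside the guest and do not appear in the host process table at all). The script below is an added example and not code from the rkt project. It classifies every `rkt` process in a `ps -eo pid,ppid,comm` listing by the name of its direct child. The process names are taken from the diagrams, and passing the `ps` text as an argument (so a constructed listing can be used) is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not part of the rkt documentation: classify running rkt pods
# from a host process listing, using the parent/child shapes in the trees
# (rkt -> lkvm for the LKVM stage1, rkt -> systemd-nspawn for the container
# stage1). The process names are assumptions taken from the diagrams.

# Print one line per rkt process: "<pid> vm|container|unknown", sorted by pid.
# $1 is `ps -eo pid,ppid,comm` output including its header line.
classify_pods() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                       # skip the ps header
        { pid[NR] = $1; ppid[NR] = $2; comm[NR] = $3 }
        END {
            for (i in pid) if (comm[i] == "rkt") {
                kind = "unknown"
                # look at the direct children of this rkt process
                for (j in pid) if (ppid[j] == pid[i]) {
                    if (comm[j] == "lkvm") kind = "vm"
                    else if (comm[j] == "systemd-nspawn") kind = "container"
                }
                print pid[i], kind
            }
        }' | sort -n
}

# Print the isolation kind of the rkt process with pid $1 (listing in $2),
# or "unknown" if that pid is not an rkt process in the listing.
pod_isolation() {
    classify_pods "$2" | awk -v want="$1" '
        $1 == want { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# Print the pids of pods that were expected to run under the LKVM stage1
# but are not; $1 is a space-separated list of pids, $2 the ps listing.
pods_missing_vm_isolation() {
    for p in $1; do
        [ "$(pod_isolation "$p" "$2")" = vm ] || echo "$p"
    done
}

# On a real host:
#   classify_pods "$(ps -eo pid,ppid,comm)"
```

Running `classify_pods` periodically, or feeding it into whatever inventory you already keep of which pods were launched with `--stage1-image=.../stage1-lkvm.aci`, turns the diagrams into a check: a pod that was supposed to have a hypervisor between it and the host shows up as `container` or `unknown` instead of `vm`.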