github.com/stackdocker/rkt@v0.10.1-0.20151109095037-1aa827478248/Documentation/running-lkvm-stage1.md

# Running rkt with an LKVM stage1

rkt has experimental support for running with an [LKVM](https://kernel.googlesource.com/pub/scm/linux/kernel/git/will/kvmtool/+/master/README) stage1.
That is, rkt will start a virtual machine with full hypervisor isolation instead of creating a container using Linux cgroups and namespaces.

## Getting started

You can either use `stage1-kvm.aci` (or `stage1-lkvm.aci`) from the official release, or build rkt yourself with the right options:

```
$ ./autogen.sh && ./configure --with-stage1-flavors=kvm && make
```

This will build the rkt binary and the LKVM stage1.aci in `build-rkt-0.10.0+git/bin/`.

Provided you have hardware virtualization support and the [kernel KVM module](http://www.linux-kvm.org/page/Getting_the_kvm_kernel_modules) loaded (refer to your distribution for instructions), you can then run an image like you would normally do with rkt:

```
# rkt trust --prefix coreos.com/etcd
prefix: "coreos.com/etcd"
key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
gpg key fingerprint is: 8B86 DE38 890D DB72 9186  7B02 5210 BD88 8818 2190
	CoreOS ACI Builder <release@coreos.com>
Trusting "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg" for prefix "coreos.com/etcd" without fingerprint review.
Added key for prefix "coreos.com/etcd" at "/etc/rkt/trustedkeys/prefix.d/coreos.com/etcd/8b86de38890ddb7291867b025210bd8888182190"
# rkt run coreos.com/etcd:v2.0.9
rkt: searching for app image coreos.com/etcd:v2.0.9
prefix: "coreos.com/etcd"
key: "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg"
gpg key fingerprint is: 8B86 DE38 890D DB72 9186  7B02 5210 BD88 8818 2190
	CoreOS ACI Builder <release@coreos.com>
Key "https://coreos.com/dist/pubkeys/aci-pubkeys.gpg" already in the keystore
Downloading signature from https://github.com/coreos/etcd/releases/download/v2.0.9/etcd-v2.0.9-linux-amd64.aci.asc
Downloading signature: [=======================================] 819 B/819 B
Downloading ACI: [=============================================] 3.79 MB/3.79 MB
rkt: signature verified:
  CoreOS ACI Builder <release@coreos.com>
[188748.162493] etcd[4]: 2015/08/18 14:10:08 etcd: no data-dir provided, using default data-dir ./default.etcd
[188748.163213] etcd[4]: 2015/08/18 14:10:08 etcd: listening for peers on http://localhost:2380
[188748.163674] etcd[4]: 2015/08/18 14:10:08 etcd: listening for peers on http://localhost:7001
[188748.164143] etcd[4]: 2015/08/18 14:10:08 etcd: listening for client requests on http://localhost:2379
[188748.164603] etcd[4]: 2015/08/18 14:10:08 etcd: listening for client requests on http://localhost:4001
[188748.165044] etcd[4]: 2015/08/18 14:10:08 etcdserver: datadir is valid for the 2.0.1 format
[188748.165541] etcd[4]: 2015/08/18 14:10:08 etcdserver: name = default
[188748.166236] etcd[4]: 2015/08/18 14:10:08 etcdserver: data dir = default.etcd
[188748.166719] etcd[4]: 2015/08/18 14:10:08 etcdserver: member dir = default.etcd/member
[188748.167251] etcd[4]: 2015/08/18 14:10:08 etcdserver: heartbeat = 100ms
[188748.167685] etcd[4]: 2015/08/18 14:10:08 etcdserver: election = 1000ms
[188748.168322] etcd[4]: 2015/08/18 14:10:08 etcdserver: snapshot count = 10000
[188748.168787] etcd[4]: 2015/08/18 14:10:08 etcdserver: advertise client URLs = http://localhost:2379,http://localhost:4001
[188748.169342] etcd[4]: 2015/08/18 14:10:08 etcdserver: initial advertise peer URLs = http://localhost:2380,http://localhost:7001
[188748.169862] etcd[4]: 2015/08/18 14:10:08 etcdserver: initial cluster = default=http://localhost:2380,default=http://localhost:7001
[188748.188550] etcd[4]: 2015/08/18 14:10:08 etcdserver: start member ce2a822cea30bfca in cluster 7e27652122e8b2ae
[188748.190202] etcd[4]: 2015/08/18 14:10:08 raft: ce2a822cea30bfca became follower at term 0
[188748.190381] etcd[4]: 2015/08/18 14:10:08 raft: newRaft ce2a822cea30bfca [peers: [], term: 0, commit: 0, applied: 0, lastindex: 0, lastterm: 0]
[188748.190499] etcd[4]: 2015/08/18 14:10:08 raft: ce2a822cea30bfca became follower at term 1
[188748.206523] etcd[4]: 2015/08/18 14:10:08 etcdserver: added local member ce2a822cea30bfca [http://localhost:2380 http://localhost:7001] to cluster 7e27652122e8b2ae
[188749.489184] etcd[4]: 2015/08/18 14:10:10 raft: ce2a822cea30bfca is starting a new election at term 1
[188749.489460] etcd[4]: 2015/08/18 14:10:10 raft: ce2a822cea30bfca became candidate at term 2
[188749.489583] etcd[4]: 2015/08/18 14:10:10 raft: ce2a822cea30bfca received vote from ce2a822cea30bfca at term 2
[188749.489675] etcd[4]: 2015/08/18 14:10:10 raft: ce2a822cea30bfca became leader at term 2
[188749.489760] etcd[4]: 2015/08/18 14:10:10 raft.node: ce2a822cea30bfca elected leader ce2a822cea30bfca at term 2
[188749.523133] etcd[4]: 2015/08/18 14:10:10 etcdserver: published {Name:default ClientURLs:[http://localhost:2379 http://localhost:4001]} to cluster 7e27652122e8b2ae
```

This output is the same as you'll get with a container-based rkt.
If you want to see the kernel and boot messages, run rkt with the `--debug` flag.

You can exit by pressing `<Ctrl-a x>`.

### Selecting stage1 at runtime

If you want to run software that requires hypervisor isolation along with trusted software that only needs container isolation, you can [choose which stage1.aci to use at runtime](https://github.com/coreos/rkt/blob/master/Documentation/commands.md#use-a-custom-stage-1).

For example, if you have a container stage1 named `stage1.aci` and an LKVM stage1 named `stage1-lkvm.aci` in `/usr/local/rkt/`:

```
# rkt run --stage1-image=/usr/local/rkt/stage1.aci coreos.com/etcd:v2.0.9
...
# rkt run --stage1-image=/usr/local/rkt/stage1-lkvm.aci coreos.com/etcd:v2.0.9
...
```
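
The two prerequisites named under "Getting started" (hardware virtualization support and a loaded KVM module) and the runtime stage1 choice above fit naturally into one wrapper script. The following is an added example, not code from rkt or this document: it checks the CPU flags and the `/dev/kvm` node before a pod is started under the LKVM stage1, and refuses to start rather than quietly falling back to cgroup/namespace isolation when hypervisor isolation was asked for. `STAGE1_DIR`, the `container`/`hypervisor` isolation labels, the function names and the `sample_cpuinfo` fixture are all assumptions made for this example; only the two image names and the `--stage1-image` flag come from the page.

```shell
#!/bin/sh
# Added example, not part of rkt: pre-flight checks for the LKVM stage1 and
# the stage1 selection described on the page. Assumptions constructed for this
# example: STAGE1_DIR, the isolation labels "container"/"hypervisor", and the
# sample_cpuinfo fixture (its contents are not from a real host).

STAGE1_DIR="${STAGE1_DIR:-/usr/local/rkt}"

# has_hw_virt CPUINFO_FILE
# 0 if the CPU flags advertise Intel VT-x (vmx) or AMD-V (svm). Flags such as
# svm_lock are deliberately not matched, hence the trailing space/end anchor.
has_hw_virt() {
    grep -Eq '^flags[[:space:]]*:.*[[:space:]](vmx|svm)([[:space:]]|$)' "$1"
}

# kvm_ready DEV_KVM
# 0 if the KVM device node exists and this user may open it read/write, which
# is what lkvm needs; a missing node usually means the kvm module is not loaded.
kvm_ready() {
    [ -c "$1" ] && [ -r "$1" ] && [ -w "$1" ]
}

# select_stage1 ISOLATION
# Prints the image to pass to --stage1-image: the container stage1 for trusted
# software, the LKVM stage1 for everything that needs hypervisor isolation.
select_stage1() {
    case "$1" in
        container)  printf '%s/stage1.aci\n' "$STAGE1_DIR" ;;
        hypervisor) printf '%s/stage1-lkvm.aci\n' "$STAGE1_DIR" ;;
        *) echo "select_stage1: unknown isolation level '$1'" >&2; return 2 ;;
    esac
}

# preflight ISOLATION [CPUINFO] [DEV_KVM]
# Fails, instead of silently degrading to cgroups/namespaces, when hypervisor
# isolation was requested but the host cannot provide it. The optional paths
# exist so the checks can be run against constructed input.
preflight() {
    cpuinfo="${2:-/proc/cpuinfo}"
    devkvm="${3:-/dev/kvm}"
    [ "$1" = hypervisor ] || return 0
    if ! has_hw_virt "$cpuinfo"; then
        echo "preflight: no vmx/svm flag in $cpuinfo, hardware virtualization unavailable" >&2
        return 1
    fi
    if ! kvm_ready "$devkvm"; then
        echo "preflight: $devkvm missing or not accessible, load the kvm module" >&2
        return 1
    fi
}

# run_pod ISOLATION IMAGE
# Chains the stage1 choice and the checks into the rkt invocation (run as root,
# as in the page's examples).
run_pod() {
    stage1=$(select_stage1 "$1") || return 2
    preflight "$1" || return 1
    rkt run --stage1-image="$stage1" "$2"
}

# sample_cpuinfo vmx|none
# Writes a constructed /proc/cpuinfo excerpt to a temporary file and prints its
# path, so has_hw_virt and preflight can be exercised offline.
sample_cpuinfo() {
    f=$(mktemp) || return 1
    if [ "$1" = vmx ]; then
        printf 'processor\t: 0\nflags\t\t: fpu vme de pse vmx sse4_2 svm_lock\n' > "$f"
    else
        printf 'processor\t: 0\nflags\t\t: fpu vme de pse sse4_2 svm_lock\n' > "$f"
    fi
    echo "$f"
}
```

Source the file and call `run_pod hypervisor coreos.com/etcd:v2.0.9` (or `run_pod container ...` for software you trust with namespace-level isolation); on a host without `vmx`/`svm` or without an accessible `/dev/kvm`, the hypervisor variant exits non-zero before rkt is invoked, which is the behaviour you want when the whole point of choosing the LKVM stage1 was the stronger isolation boundary.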

## How does it work?

It leverages the work done by Intel with their [Clear Containers system](https://lwn.net/Articles/644675/).
Stage1 contains a Linux kernel that is executed under LKVM.
This kernel will then start systemd, which in turn will start the applications in the pod.

An LKVM-based rkt is very similar to a container-based one; it just uses lkvm to execute pods instead of systemd-nspawn.

Here's a comparison of the components involved in a container-based and an LKVM-based rkt.

Container-based:

```
host OS
  └─ rkt
    └─ systemd-nspawn
      └─ systemd
        └─ chroot
          └─ user-app1
```

LKVM-based:

```
host OS
  └─ rkt
    └─ lkvm
      └─ kernel
        └─ systemd
          └─ chroot
            └─ user-app1
```