The goal of this project is to deploy Knative on CoCo and run some baseline benchmarks.
All instructions in this repository assume that you have checked-out the source code, and have activated the python virtual environment:
source ./bin/workon.sh
# List available tasks
inv -lYou will need a recent version of containerd to support host-side features like the Nydus snapshotter. To build and install it from source you may run:
# Fresh containerd install
inv containerd.build containerd.install --clean
# Fresh nydus install
inv nydus.build nydus.install --cleanYou also need all the kubernetes-related tooling: kubectl, kubeadm, and
kubelet:
inv k8s.install [--clean]You may also want to install k9s, a kubernetes monitoring tool:
inv k9s.installLastly, kubeadm may require to disable swap in the host:
sudo swapoff -aDeploy a (single-node) kubernetes cluster using kubeadm:
inv kubeadm.create
export KUBECONFIG=.config/kubeadm_kubeconfigSecond, install both the operator and the CC runtime from the upstream tag.
We currently pin to version v0.9.0 (see the COCO_RELEASE_VERSION variable).
inv operator.install operator.install-cc-runtimeThird, update the initrd file to include our patched kata-agent:
inv kata.build kata.replace-agentYou are ready to run one of the supported apps:
- Hello World! (Py) - simple HTTP server running in Python to test CoCo and Kata.
- Hello World! (Knative) - same app as before, but invoked over Knatvie.
- Hello Attested World! (Knative + Attestation) - same setting as the Knative hello world, but with varying levels of attestation configured.
If your app uses Knative, you will have to install it first:
inv knative.installThe goal of the project is to measure the performance of Knative with CoCo, and compare it to other isolation mechanisms using standarised benchmarks. To This extent, we provide a thorough evaluation in the evaluation directory.
In order to uninstall components for debugging purposes, you may un-install the CoCo runtime, and then the operator as follows:
inv operator.uninstall-cc-runtime
inv operator.uninstallLastly, you can completely remove the k8s cluster by running:
inv kubeadm.destroyFor further documentation, you may want to check these other documents:
- Attestation - attestation particularities of CoCo and SEV(-ES).
- Guest Components - patch
image-rsor other guest components. - K8s - documentation about configuring a single-node Kubernetes cluster.
- Kata - instructions to build our custom Kata fork and
initrdimages. - Key Broker Service - docs on using and patching the KBS.
- Knative - documentation about Knative, our serverless runtime of choice.
- Local Registry - configuring a local registry to store OCI images.
- OVMF - notes on building OVMF and CoCo's OVMF boot process.
- SEV - speicifc documentation to get the project working with AMD SEV machines.
- Troubleshooting - tips to debug when things go sideways.