
Re: [Xen-devel] stage1-xen for Fedora



Sorry for the late reply, I am usually much faster replying to emails,
I have been caught in a personal issue.

On Tue, 8 Aug 2017, Rajiv Ranganath wrote:
> Hi Stefano,
> 
> On Wed, Aug 2, 2017 at 12:15 AM, Stefano Stabellini
> <stefano@xxxxxxxxxxx> wrote:
> 
> [...]
> 
> > The main thing that will be different is the list of dependencies you
> > need to install to build Xen. On Fedora it should be (I am using
> > Raisin[1] as a reference):
> 
> Thank you for the pointer to Raisin.
> 
> I have managed to build stage1-xen on Fedora. This project is very
> interesting. I have some questions regarding stage1-xen and containers
> on Xen.

Thank you, I am glad I could help! :-)


> 1. Is there a roadmap/design doc for containers primitives and container
> standards that Xen community is looking to support?
> 
> The only documentation that I could find were presentations by you.
> [1][2]

Not yet, the project is quite new, but we should definitely have one. On
my roadmap I have better support for all rkt commands, including for
example PoDs with multiple stage2s, and support for all rkt networking
modes.


> 2. Now that OCI 1.0 is out, are there any plans to create a Xen based
> OCI runtime? [3]
> 
> A Xen based OCI runtime that can work with containerd and cri-o would be
> very interesting to us.
> 
> I was wondering if you have thoughts on how xen-stage1 could be evolved
> to support rkt and also an OCI runtime?

This is a very good question, I am glad you asked :-)

I would love to see more OCI runtimes supported, including containerd. I
started with rkt because it has a very nice and clean interface to the
stage1s. In other words, implementing stage1-xen for rkt is rather easy,
doing the same for Docker is possible but more work. I don't think the
difficulty would be on the stage1-xen side. The issue is that other OCI
runtimes would need more changes to be able to interface with something
like stage1-xen. Of course, I would be happy to see more OCI runtimes
supported and I would be happy to help.

Similarly, growing stage1-xen into its own OCI runtime would pull a
lot of code into the project that today we don't have to worry about.

In other words, I would be happy to take any contributions to stage1-xen
to expand OCI runtime support. However, I think it would be best to
focus on completing rkt support first.


> 3. Are there plans to use PVHv2 guests instead of PV guests?

Yes! I want stage1-xen to default to PVHv2 guests wherever possible
(all machines with VMX support).


> 4. In the presentation I noticed PV Calls for Networking. However when I
> did `rkt run ...`, it seems to use netback with vif-nat. How can I try
> PV calls for networking?
> 
> [...]

It's not yet upstream, but I have all the patches ready on my local
machine. I am just waiting for PVCalls to go upstream in Linux. PVCalls
will be very useful to implement the host networking mode of rkt.


> > Let me know if you find any issues!
> 
> Following are the issues that I ran into -
> 
> 1. `rkt rm ...` fails with `stage1/rootfs/gc` file not found error. I
> think because of this the Xen host gets populated with a lot of
> overlayfs mounts. I tried to manually clean up, but that failed too.

That is strange, I'll give it a look.


> 2. Upstream cni master seems to have reorganized its directory
> structure. So, I had to pin the version to 0.3 to get the build to work.
> I also had to manually get dhcp4 and dhcp4client packages. Perhaps we
> can add a glide.lock file to lock down the dependencies. I can send a
> patch for it.

Good idea, thank you.


> > I would be very happy to take a patch (or pull request) for
> > BUILDING.md to document how to do this on Fedora.
> 
> I have a somewhat "non-standard" setup for xen and qemu for Fedora. I'll
> briefly describe the setup.
> 
> Xen is booted using EFI. This required building a custom binutils
> package [4]. Both Xen and qemu are built with a non-standard prefix
> (/opt/xen-unstable and /opt/qemu-stable), with RPATHs appropriately
> adjusted.
> 
> Lastly I don't use systemd to manage Xen on Fedora. In the buildroot,
> Xen is explicitly configured using --disable-systemd. We have a version
> of runit package that we run under systemd. Runit then launches
> xenstore, xenconsole, dom0 qemu disk backend. We frequently toggle
> between upstart and systemd based distro, so using runit on both has
> been very helpful.
> 
> If this setup is okay with you, I can open up the Fedora variant of our tools
> and packages and send patches to BUILDING.md.

I would prefer "standard" instructions for Fedora, but non-standard is
better than no instructions :-)  Please send a patch.


> Please let me know.
> 
> Thank you!
> 
> Best,
> Rajiv
> 
> [1]: 
> https://xendeveloperanddesignsummit2017.sched.com/event/AjGx/keynote-secure-containers-with-xen-and-coreos-rkt-stefano-stabellini-aporeto
> [2]: 
> https://docs.google.com/presentation/d/1dP_7myrUrtwQHnjgDtlMQkAxJNG6Se9SBl0tdaFIAYQ/edit?usp=sharing
> [3]: 
> https://github.com/opencontainers/runtime-spec/blob/master/implementations.md
> [4]: https://wiki.xenproject.org/wiki/Xen_EFI
> 

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
https://lists.xen.org/xen-devel

 

