From 86a2467ce1ec3488d84f06176d2236804fd6dc96 Mon Sep 17 00:00:00 2001 From: Tom Dohrmann Date: Mon, 2 Sep 2024 10:33:15 +0200 Subject: [PATCH] docs: update runtime page --- docs/docs/components/runtime.md | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/docs/docs/components/runtime.md b/docs/docs/components/runtime.md index 62c072ff4..3a5636bb1 100644 --- a/docs/docs/components/runtime.md +++ b/docs/docs/components/runtime.md 
@@ -42,17 +42,25 @@ The `handler` field in the Kubernetes `RuntimeClass` instructs containerd not to Instead, containerd invokes a custom plugin called `containerd-shim-contrast-cc-v2`. This shim is described in more detail in the [upstream source repository](https://github.com/kata-containers/kata-containers/tree/3.4.0/src/runtime) and in the [containerd documentation](https://github.com/containerd/containerd/blob/main/core/runtime/v2/README.md). -### `cloud-hypervisor` virtual machine manager (VMM) +### virtual machine manager (VMM) -The `containerd` shim uses [`cloud-hypervisor`](https://www.cloudhypervisor.org) to create a confidential virtual machine for every pod. -This requires the `cloud-hypervisor` binary to be installed on every node (responsibility of the [`node-installer`](#node-installer-daemonset)). +The `containerd` shim uses a virtual machine monitor to create a confidential virtual machine for every pod. +On AKS, `containerd` uses [`cloud-hypervisor`](https://www.cloudhypervisor.org). +On bare metal, `containerd` uses [`QEMU`](https://www.qemu.org/). +The appropriate files need to be installed on every node (responsibility of the [`node-installer`](#node-installer-daemonset)). -### `Tardev snapshotter` +### snapshotters -Contrast uses a special [`containerd` snapshotter](https://github.com/containerd/containerd/tree/v1.7.16/docs/snapshotters/README.md) ([`tardev`](https://github.com/kata-containers/tardev-snapshotter)) to provide container images as block devices to the pod-VM. This snapshotter consists of a host component that pulls container images and a guest component (kernel module) used to mount container images. +Contrast uses special [`containerd` snapshotters](https://github.com/containerd/containerd/tree/v1.7.16/docs/snapshotters/README.md) to provide container images to the pod-VM. +Each snapshotter consists of a host component that pulls container images and a guest component used to mount/pull container images. 
+ +On AKS, Contrast uses the [`tardev`](https://github.com/kata-containers/tardev-snapshotter) snapshotter to provide container images as block devices to the pod-VM. The `tardev` snapshotter uses [`dm-verity`](https://docs.kernel.org/admin-guide/device-mapper/verity.html) to protect the integrity of container images. Expected `dm-verity` container image hashes are part of Contrast runtime policies and are enforced by the kata-agent. -This enables workload attestation by specifying the allowed container image as part of the policy. Read [the chapter on policies](policies.md) for more information. + +On bare metal, Contrast uses the [`nydus`](https://nydus.dev/) snapshotter to allow the guest to pull container images securely. + +In all cases, hashes of the container images are stored in the Contrast runtime policies to enable workload attestation. Read [the chapter on policies](policies.md) for more information. ### Pod-VM image @@ -77,8 +85,8 @@ The node-level installation is carried out by the Contrast node-installer After deploying the installer, it performs the following steps on each node: - Install the Contrast containerd shim (`containerd-shim-contrast-cc-v2`) -- Install `cloud-hypervisor` as the virtual machine manager (VMM) -- Install an IGVM file for pod-VMs of this class +- Install `cloud-hypervisor` or `QEMU` as the virtual machine manager (VMM) +- Install an IGVM file or separate firmware and kernel files for pod-VMs of this class - Install a read only root filesystem disk image for the pod-VMs of this class - Reconfigure `containerd` by adding a runtime plugin that corresponds to the `handler` field of the Kubernetes `RuntimeClass` - Restart `containerd` to make it aware of the new plugin
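Review bot: In the first hunk (`@@ -42,17 +42,25 @@`) the new headings `### virtual machine manager (VMM)` and `### snapshotters` are lowercase while the neighbouring headings in this file (`### Pod-VM image`) are capitalised, and the body text of that section calls the component a "virtual machine monitor" while the heading and the node-installer list call it a "virtual machine manager"; pick one term and capitalise the headings consistently, e.g. `### Virtual machine manager (VMM)` and `### Snapshotters`. The same hunk leaves two gaps a reader of this page will need filled: "The appropriate files need to be installed on every node" does not say which files (the VMM binary plus IGVM, or firmware and kernel files, as the second hunk lists them), and the `nydus` paragraph says the guest pulls images "securely" without naming the mechanism or the enforcing component, whereas the `tardev` paragraph spells out `dm-verity` and enforcement by the kata-agent. Stating for `nydus` which image hash the guest verifies and where that verification happens would make the closing "In all cases, hashes of the container images are stored in the Contrast runtime policies" sentence verifiable from the text. Minor: "mount/pull" reads better as "mount or pull".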
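Review bot: In the second hunk (`@@ -77,8 +85,8 @@`) the two reworded steps, "Install `cloud-hypervisor` or `QEMU` as the virtual machine manager (VMM)" and "Install an IGVM file or separate firmware and kernel files for pod-VMs of this class", present alternatives without saying which applies where, even though the first hunk already ties `cloud-hypervisor` to AKS and `QEMU` to bare metal, and the removed lines show that the IGVM file belonged to the `cloud-hypervisor` setup. Suggest stating the pairing explicitly, e.g. "Install the VMM: `cloud-hypervisor` on AKS, `QEMU` on bare metal" and "Install the pod-VM boot files: an IGVM file (AKS) or separate firmware and kernel files (bare metal)", so the node-installer list and the VMM section cannot drift apart.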