Add bare-metal GPU runtime class
This adds a runtime class for the local just-based deployments as well
as the release artifacts that correspond to the GPU-enabled runtime for
Contrast on bare-metal platforms.
msanft committed Jan 13, 2025
1 parent df4e08e commit fa64242
Showing 7 changed files with 136 additions and 94 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/release.yml
Expand Up @@ -247,6 +247,7 @@ jobs:
coordinatorImg=$(nix run .#containers.push-coordinator -- "$container_registry/contrast/coordinator")
nodeInstallerMsftImg=$(nix run .#containers.push-node-installer-microsoft -- "$container_registry/contrast/node-installer-microsoft")
nodeInstallerKataImg=$(nix run .#containers.push-node-installer-kata -- "$container_registry/contrast/node-installer-kata")
nodeInstallerKataGPUImg=$(nix run .#containers.push-node-installer-kata-gpu -- "$container_registry/contrast/node-installer-kata")
initializerImg=$(nix run .#containers.push-initializer -- "$container_registry/contrast/initializer")
serviceMeshImg=$(nix run .#containers.push-service-mesh-proxy -- "$container_registry/contrast/service-mesh-proxy")
tardevSnapshotterImg=$(nix run .#containers.push-tardev-snapshotter -- "$container_registry/contrast/tardev-snapshotter")
Expand All @@ -255,6 +256,7 @@ jobs:
echo "coordinatorImg=$coordinatorImg" | tee -a "$GITHUB_ENV"
echo "nodeInstallerMsftImg=$nodeInstallerMsftImg" | tee -a "$GITHUB_ENV"
echo "nodeInstallerKataImg=$nodeInstallerKataImg" | tee -a "$GITHUB_ENV"
echo "nodeInstallerKataGPUImg=$nodeInstallerKataGPUImg" | tee -a "$GITHUB_ENV"
echo "initializerImg=$initializerImg" | tee -a "$GITHUB_ENV"
echo "serviceMeshImg=$serviceMeshImg" | tee -a "$GITHUB_ENV"
echo "tardevSnapshotterImg=$tardevSnapshotterImg" | tee -a "$GITHUB_ENV"
Expand All @@ -270,6 +272,7 @@ jobs:
echo "coordinatorImgTagged=$(tag "$coordinatorImg")" | tee -a "$GITHUB_ENV"
echo "nodeInstallerMsftImgTagged=$(tag "$nodeInstallerMsftImg")" | tee -a "$GITHUB_ENV"
echo "nodeInstallerKataImgTagged=$(tag "$nodeInstallerKataImg")" | tee -a "$GITHUB_ENV"
echo "nodeInstallerKataGPUImgTagged=$(tag "$nodeInstallerKataGPUImg")" | tee -a "$GITHUB_ENV"
echo "initializerImgTagged=$(tag "$initializerImg")" | tee -a "$GITHUB_ENV"
echo "serviceMeshImgTagged=$(tag "$serviceMeshImg")" | tee -a "$GITHUB_ENV"
echo "cryptsetupImgTagged=$(tag "$cryptsetupImg")" | tee -a "$GITHUB_ENV"
Expand All @@ -291,6 +294,7 @@ jobs:
echo "ghcr.io/edgelesssys/contrast/service-mesh-proxy:latest=$serviceMeshImgTagged"
echo "ghcr.io/edgelesssys/contrast/node-installer-microsoft:latest=$nodeInstallerMsftImgTagged"
echo "ghcr.io/edgelesssys/contrast/node-installer-kata:latest=$nodeInstallerKataImgTagged"
echo "ghcr.io/edgelesssys/contrast/node-installer-kata-gpu:latest=$nodeInstallerKataGPUImgTagged"
echo "ghcr.io/edgelesssys/contrast/tardev-snapshotter:latest=$tardevSnapshotterImgTagged"
echo "ghcr.io/edgelesssys/contrast/nydus-snapshotter:latest=$nydusSnapshotterImgTagged"
echo "ghcr.io/edgelesssys/contrast/cryptsetup:latest=$cryptsetupImgTagged"
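Review bot: The GPU image on the fourth line of the first hunk is pushed to `$container_registry/contrast/node-installer-kata`, the same repository the line above it uses for the non-GPU installer, while the mapping in the last hunk and the `parts.go` change expect a `node-installer-kata-gpu` repository. If `push-node-installer-kata-gpu` applies the same `v${version}` tag as its sibling, the second push replaces the non-GPU tag in the registry and the published non-GPU runtime silently becomes the GPU build; I can't see `pushOCIDir`'s tagging from here, but the destination path is wrong either way. Change it to `nodeInstallerKataGPUImg=$(nix run .#containers.push-node-installer-kata-gpu -- "$container_registry/contrast/node-installer-kata-gpu")`.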
6 changes: 6 additions & 0 deletions internal/kuberesource/parts.go
Expand Up @@ -128,6 +128,9 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
snapshotterVolumes = tardevSnapshotterVolumes
case platforms.MetalQEMUSNP, platforms.MetalQEMUTDX, platforms.MetalQEMUSNPGPU:
nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
if platform == platforms.MetalQEMUSNPGPU {
nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata-gpu:latest"
}
snapshotter = nydusSnapshotter
nydusSnapshotterVolumes = append(nydusSnapshotterVolumes, Volume().
WithName("var-lib-containerd").
Expand All @@ -138,6 +141,9 @@ func NodeInstaller(namespace string, platform platforms.Platform) (*NodeInstalle
snapshotterVolumes = nydusSnapshotterVolumes
case platforms.K3sQEMUTDX, platforms.K3sQEMUSNP, platforms.K3sQEMUSNPGPU, platforms.RKE2QEMUTDX:
nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata:latest"
if platform == platforms.K3sQEMUSNPGPU {
nodeInstallerImageURL = "ghcr.io/edgelesssys/contrast/node-installer-kata-gpu:latest"
}
snapshotter = nydusSnapshotter
nydusSnapshotterVolumes = append(nydusSnapshotterVolumes, Volume().
WithName("var-lib-containerd").
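Review bot: The same two-line override of `nodeInstallerImageURL` for the GPU platform is repeated in both hunks, nested inside `case` arms that already enumerate the GPU platform, so a reader has to spot the inner `if` to learn that GPU platforms use a different image. Consider giving `platforms.MetalQEMUSNPGPU` and `platforms.K3sQEMUSNPGPU` one explicit `case` that sets the `node-installer-kata-gpu` image, or hoisting a single check after the `switch`, so the platform-to-image mapping is stated once. `NodeInstaller` begins before the first hunk and continues past the second.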
6 changes: 5 additions & 1 deletion justfile
Expand Up @@ -47,10 +47,14 @@ node-installer platform=default_platform:
just push "tardev-snapshotter"
just push "node-installer-microsoft"
;;
"Metal-QEMU-SNP"|"Metal-QEMU-TDX"|"Metal-QEMU-SNP-GPU"|"K3s-QEMU-SNP"|"K3s-QEMU-SNP-GPU"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
"Metal-QEMU-SNP"|"Metal-QEMU-TDX"|"K3s-QEMU-SNP"|"K3s-QEMU-TDX"|"RKE2-QEMU-TDX")
just push "nydus-snapshotter"
just push "node-installer-kata"
;;
"Metal-QEMU-SNP-GPU"|"K3s-QEMU-SNP-GPU")
just push "nydus-snapshotter"
just push "node-installer-kata-gpu"
;;
"AKS-PEER-SNP")
nix run -L .#scripts.deploy-caa -- \
--kustomization=./infra/azure-peerpods/kustomization.yaml \
191 changes: 104 additions & 87 deletions packages/by-name/kata/contrast-node-installer-image/package.nix
Expand Up @@ -2,6 +2,7 @@
# SPDX-License-Identifier: AGPL-3.0-only

{
lib,
ociLayerTar,
ociImageManifest,
ociImageLayout,
Expand All @@ -17,10 +18,16 @@
OVMF-SNP,
OVMF-TDX,

debugRuntime ? false,
debugRuntime ? true,
withGPU ? false,
}:

let
os-image = kata.kata-image.override {
inherit withGPU;
withDebug = debugRuntime;
};

node-installer = ociLayerTar {
files = [
{
Expand All @@ -38,79 +45,82 @@ let
files = [
{
source = writers.writeJSON "contrast-node-install.json" {
files = [
{
url = "file:///opt/edgeless/share/kata-containers.img";
path = "/opt/edgeless/@@runtimeName@@/share/kata-containers.img";
}
{
url = "file:///opt/edgeless/share/kata-kernel";
path = "/opt/edgeless/@@runtimeName@@/share/kata-kernel";
}
{
url = "file:///opt/edgeless/share/kata-initrd.zst";
path = "/opt/edgeless/@@runtimeName@@/share/kata-initrd.zst";
}
{
url = "file:///opt/edgeless/snp/bin/qemu-system-x86_64";
path = "/opt/edgeless/@@runtimeName@@/snp/bin/qemu-system-x86_64";
executable = true;
}
{
url = "file:///opt/edgeless/tdx/bin/qemu-system-x86_64";
path = "/opt/edgeless/@@runtimeName@@/tdx/bin/qemu-system-x86_64";
executable = true;
}
{
url = "file:///opt/edgeless/snp/share/OVMF.fd";
path = "/opt/edgeless/@@runtimeName@@/snp/share/OVMF.fd";
}
{
url = "file:///opt/edgeless/tdx/share/OVMF.fd";
path = "/opt/edgeless/@@runtimeName@@/tdx/share/OVMF.fd";
}
{
url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2";
path = "/opt/edgeless/@@runtimeName@@/bin/containerd-shim-contrast-cc-v2";
executable = true;
}
{
url = "file:///opt/edgeless/bin/kata-runtime";
path = "/opt/edgeless/@@runtimeName@@/bin/kata-runtime";
executable = true;
}
{
url = "file:///opt/edgeless/snp/share/qemu/kvmvapic.bin";
path = "/opt/edgeless/@@runtimeName@@/snp/share/qemu/kvmvapic.bin";
}
{
url = "file:///opt/edgeless/snp/share/qemu/linuxboot_dma.bin";
path = "/opt/edgeless/@@runtimeName@@/snp/share/qemu/linuxboot_dma.bin";
}
{
url = "file:///opt/edgeless/snp/share/qemu/efi-virtio.rom";
path = "/opt/edgeless/@@runtimeName@@/snp/share/qemu/efi-virtio.rom";
}
{
url = "file:///opt/edgeless/tdx/share/qemu/kvmvapic.bin";
path = "/opt/edgeless/@@runtimeName@@/tdx/share/qemu/kvmvapic.bin";
}
{
url = "file:///opt/edgeless/tdx/share/qemu/linuxboot_dma.bin";
path = "/opt/edgeless/@@runtimeName@@/tdx/share/qemu/linuxboot_dma.bin";
}
{
url = "file:///opt/edgeless/tdx/share/qemu/efi-virtio.rom";
path = "/opt/edgeless/@@runtimeName@@/tdx/share/qemu/efi-virtio.rom";
}
{
url = "file:///bin/nydus-overlayfs";
path = "/opt/edgeless/@@runtimeName@@/bin/nydus-overlayfs";
executable = true;
}
];
files =
[
{
url = "file:///opt/edgeless/share/kata-containers.img";
path = "/opt/edgeless/@@runtimeName@@/share/kata-containers.img";
}
{
url = "file:///opt/edgeless/share/kata-kernel";
path = "/opt/edgeless/@@runtimeName@@/share/kata-kernel";
}
{
url = "file:///opt/edgeless/share/kata-initrd.zst";
path = "/opt/edgeless/@@runtimeName@@/share/kata-initrd.zst";
}
{
url = "file:///opt/edgeless/snp/bin/qemu-system-x86_64";
path = "/opt/edgeless/@@runtimeName@@/snp/bin/qemu-system-x86_64";
executable = true;
}
{
url = "file:///opt/edgeless/snp/share/OVMF.fd";
path = "/opt/edgeless/@@runtimeName@@/snp/share/OVMF.fd";
}
{
url = "file:///opt/edgeless/bin/containerd-shim-contrast-cc-v2";
path = "/opt/edgeless/@@runtimeName@@/bin/containerd-shim-contrast-cc-v2";
executable = true;
}
{
url = "file:///opt/edgeless/bin/kata-runtime";
path = "/opt/edgeless/@@runtimeName@@/bin/kata-runtime";
executable = true;
}
{
url = "file:///opt/edgeless/snp/share/qemu/kvmvapic.bin";
path = "/opt/edgeless/@@runtimeName@@/snp/share/qemu/kvmvapic.bin";
}
{
url = "file:///opt/edgeless/snp/share/qemu/linuxboot_dma.bin";
path = "/opt/edgeless/@@runtimeName@@/snp/share/qemu/linuxboot_dma.bin";
}
{
url = "file:///opt/edgeless/snp/share/qemu/efi-virtio.rom";
path = "/opt/edgeless/@@runtimeName@@/snp/share/qemu/efi-virtio.rom";
}
{
url = "file:///bin/nydus-overlayfs";
path = "/opt/edgeless/@@runtimeName@@/bin/nydus-overlayfs";
executable = true;
}
]
++ lib.optionals (!withGPU) [
{
url = "file:///opt/edgeless/tdx/share/OVMF.fd";
path = "/opt/edgeless/@@runtimeName@@/tdx/share/OVMF.fd";
}
{
url = "file:///opt/edgeless/tdx/bin/qemu-system-x86_64";
path = "/opt/edgeless/@@runtimeName@@/tdx/bin/qemu-system-x86_64";
executable = true;
}
{
url = "file:///opt/edgeless/tdx/share/qemu/kvmvapic.bin";
path = "/opt/edgeless/@@runtimeName@@/tdx/share/qemu/kvmvapic.bin";
}
{
url = "file:///opt/edgeless/tdx/share/qemu/linuxboot_dma.bin";
path = "/opt/edgeless/@@runtimeName@@/tdx/share/qemu/linuxboot_dma.bin";
}
{
url = "file:///opt/edgeless/tdx/share/qemu/efi-virtio.rom";
path = "/opt/edgeless/@@runtimeName@@/tdx/share/qemu/efi-virtio.rom";
}
];
inherit debugRuntime;
qemuExtraKernelParams = kata.kata-image.cmdline;
qemuExtraKernelParams = os-image.cmdline;
};
destination = "/config/contrast-node-install.json";
}
Expand All @@ -120,15 +130,15 @@ let
kata-container-img = ociLayerTar {
files = [
{
source = "${kata.kata-image.image}/${kata.kata-image.imageFileName}";
source = "${os-image.image}/${os-image.imageFileName}";
destination = "/opt/edgeless/share/kata-containers.img";
}
{
source = "${kata.kata-image.kernel}/bzImage";
source = "${os-image.kernel}/bzImage";
destination = "/opt/edgeless/share/kata-kernel";
}
{
source = "${kata.kata-image.initialRamdisk}/initrd";
source = "${os-image.initialRamdisk}/initrd";
destination = "/opt/edgeless/share/kata-initrd.zst";
}
];
Expand Down Expand Up @@ -216,16 +226,19 @@ let
];
};

layers = [
installer-config
kata-container-img
ovmf-snp
ovmf-tdx
qemu-snp
qemu-tdx
kata-runtime
nydus
];
layers =
[
installer-config
kata-container-img
kata-runtime
ovmf-snp
qemu-snp
nydus
]
++ lib.optionals (!withGPU) [
qemu-tdx
ovmf-tdx
];

manifest = ociImageManifest {
layers = layers ++ [ node-installer ];
Expand All @@ -251,10 +264,14 @@ in
ociImageLayout {
manifests = [ manifest ];
passthru = {
inherit debugRuntime;
inherit debugRuntime os-image;
runtimeHash = hashDirs {
dirs = layers; # Layers without node-installer, or we have a circular dependency!
name = "runtime-hash-kata";
};
gpu = kata.contrast-node-installer-image.override {
inherit debugRuntime;
withGPU = true;
};
};
}
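Review bot: The default of `debugRuntime` flips from `false` to `true` in the first hunk, which the commit message doesn't mention, and the flag is now also forwarded to `kata.kata-image` as `withDebug`, so the guest image itself is built in debug mode. `packages/containers.nix` in this commit builds the release images from `pkgs.kata.contrast-node-installer-image` and only overrides `withGPU`, so unless an overlay I can't see sets it, the released installer images and the guest images they carry would ship with debug enabled, while `snp-launch-digest` still defaults `debug` to `false` and its reference digest would no longer match the runtime's kernel command line. Restore `debugRuntime ? false,` and pass `debugRuntime = true` explicitly where a debug build is wanted.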
11 changes: 6 additions & 5 deletions packages/by-name/kata/snp-launch-digest/package.nix
Expand Up @@ -4,30 +4,31 @@
{
lib,
stdenvNoCC,
kata,
OVMF-SNP,
python3Packages,
kata,

debug ? false,
os-image ? kata.kata-image,
}:

let
ovmf-snp = "${OVMF-SNP}/FV/OVMF.fd";
kernel = "${kata.kata-image}/bzImage";
initrd = "${kata.kata-image}/initrd";
kernel = "${os-image}/bzImage";
initrd = "${os-image}/initrd";

# Kata uses a base command line and then appends the command line from the kata config (i.e. also our node-installer config).
# Thus, we need to perform the same steps when calculating the digest.
baseCmdline = if debug then kata.kata-runtime.cmdline.debug else kata.kata-runtime.cmdline.default;
cmdline = lib.strings.concatStringsSep " " [
baseCmdline
kata.kata-image.cmdline
os-image.cmdline
];
in

stdenvNoCC.mkDerivation {
name = "snp-launch-digest${lib.optionalString debug "-debug"}";
inherit (kata.kata-image) version;
inherit (os-image) version;

dontUnpack = true;

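Review bot: `os-image` now drives the kernel, initrd, cmdline and version of the digest, but nothing in this commit computes a digest from the GPU image that `contrast-node-installer-image` exposes as `passthru.gpu`; a GPU runtime class whose reference digest is derived from the default `kata.kata-image` would not match the GPU kernel and initrd, since their cmdline and contents differ. If that wiring lives outside these seven files, a comment on the `os-image ? kata.kata-image,` parameter saying which variant must be passed for which runtime class (e.g. `# Pass the GPU os-image when computing the digest for the GPU runtime class.`) would make the dependency visible.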
4 changes: 4 additions & 0 deletions packages/containers.nix
Expand Up @@ -188,5 +188,9 @@ containers
push-node-installer-kata =
pushOCIDir "push-node-installer-kata" pkgs.kata.contrast-node-installer-image
"v${pkgs.contrast.version}";
push-node-installer-kata-gpu = pushOCIDir "push-node-installer-kata-gpu" (
pkgs.kata.contrast-node-installer-image.override
{ withGPU = true; }
) "v${pkgs.contrast.version}";
}
// (lib.concatMapAttrs (name: container: { "push-${name}" = pushContainer container; }) containers)
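Review bot: The new `push-node-installer-kata-gpu` builds the GPU image with a fresh `.override { withGPU = true; }` although the installer package in this commit already exposes exactly that variant as `passthru.gpu`; two definitions of the same variant can drift, for example if a debug flag is later passed to one and not the other. Prefer `pkgs.kata.contrast-node-installer-image.gpu` here so the pushed image is the same derivation the rest of the tree references.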
8 changes: 7 additions & 1 deletion packages/nixos/kata.nix
Expand Up @@ -78,7 +78,13 @@ in
};

# Not used directly, but required for kernel-specific driver builds.
boot.kernelPackages = pkgs.recurseIntoAttrs (pkgs.linuxPackagesFor pkgs.kata-kernel-uvm);
boot.kernelPackages = pkgs.recurseIntoAttrs (
pkgs.linuxPackagesFor (
pkgs.kata-kernel-uvm.override {
withGPU = config.contrast.gpu.enable;
}
)
);

boot.initrd = {
# Don't require TPM2 support. (additional modules)