Is execution of docker images for foreign architectures supported? #1280
Comments
|
@1138-4eb It isn't a use case that we really had in mind. How would you see end users utilizing this, and in what use-case? |
|
Hi @egernst!, there are two main approaches to build/develop/debug docker images for foreign architectures with QEMU and runc, without requiring any modification to the docker images: full-system emulationThe user must setup the QEMU, install docker (runtime) and then build/run the container inside. On the one hand, I am not sure about specific privileges that the VM might need for docker engine to work inside. On the other hand, although I believe that scripts to automate this do exist, the user is required to be aware of both docker parameters and QEMU parameters. Hence, a docker user who is new to QEMU must learn how to handle images, launch options and communication with the VM (e.g. https://www.ibm.com/developerworks/library/l-qemu-development/index.html). Also, resources from the container need to be bind to the VM and from there to the host. So docker and QEMU parameters must match.
user-mode emulationThe setup is much easier if The question is if kata-containers can fill the gap and provide a seamless transition for docker users changing from user-mode to full-system emulation in order to build/execute images for the foreign architectures listed at https://github.com/docker-library/official-images#architectures-other-than-amd64. I see end users utilizing it mostly to develop/debug docker containers for SBCs and/or SoCs with FPGAs based on armv7 or armv8, such as RPi, PYNQ, 96boards, Pine64, etc. This use case might certainly be out of the scope of kata-containers as a project, because it seems to be focused on workload isolation and security advantages of VMs. Nonetheless, disregarding those very interesting features, kata-runtime is a middleware that allows to use docker as a frontend for QEMU. It would potentially allow to execute Nevertheless, my perspective about executing it on a user laptop or workstation might be quite narrow, so I wouldn't like to limit the idea/concept to this use case. I wonder if such a feature would also fit in the stack of CI providers based on x86-64 (e.g. Travis-CI). EDIT See also https://youtu.be/4MaGnMGPIq0?t=365 |
|
Performance is a big problem. |
Sure. That's why:
Let's word it different. Can kata-runtime be considered a tool to use docker as a frontend for QEMU system-mode emulation? I.e. kata provides some kernels/images that complement docker filesystems and the CLI tools to combine them together. If so, it should be relatively straighforward to replace the kernel/image and the qemu-system binary. However, I am afraid that I might be overlooking several layers of complexity. EDIT Note about why KVM cannot be used for cross-architecture virtualization: https://unix.stackexchange.com/questions/340912/qemu-with-kvm-with-differing-host-guess-architectures. However: https://dl.acm.org/citation.cfm?id=3012405.2996798 |
|
Thanks @1138-4eb -- imo this doesn't clearly align with the goals of the project as is today, but I understand how it'd be useful in your case. Other AC members - wdyt? @jon @gnawux @sameo @WeiZhang555 |
|
This will bring lots of complexicity. Running an I don't think it's a good idea to do this currently, it's my 2 cents. |
|
Thanks for raising this question.
Sure, it's pretty interesting. But I don't think we should add the
complexity just because it is interesting. However, I am still open to this
requirement as long as there are enough use cases.
IMHO, emulation will introduce too much penalty on performance and is not
practical for large scale deployment. This will increase the complexity of
configuration as well.
…On Wed, Mar 20, 2019, 17:30 zhangwei_cs ***@***.***> wrote:
This will bring lots of complexicity. Running an arm64 kata container on
amd64 Host will require (correct me) kata-runtime: amd64 version, qemu:
amd64 version, guest kernel: arm64 version, docker image: arm64 version,
guest agent: arm64 version. Now we need to handle GRPC protocol between
amd64 kata-runtime and arm64 kata-agent, this could be disaster and hard to
maintain in my mind. Though the scenario is interesting.
I don't think it's a good idea to do this currently, it's my 2 cents.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1280 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AADTbGK-kkJFUbVF_yvskmE6WghI8z5gks5vYf-qgaJpZM4bQkio>
.
|
Thnks for this description. This is the kind of explanation I was expecting to receive. Overall, I see that none of you think this to be a good idea currently, mostly because you are focused on large scale deployment. Still, I'd be glad if we could leave this issue open, just for the record, as it might be revisited in the future. This will allow users with other use cases to add a reference. |
|
@1138-4eb Yep, we can keep this issue open for collecting more scenarios 😄 |
|
@jodh-intel should this be kept in 'To Do' or marked as 'Wontdo', instead of 'Done'? |
Since kata-runtime uses QEMU under-the-hood, I wonder whether it is possible to execute docker images for foreign architectures. E.g., execute an
arm32v7/ubuntucontainer on aamd64host. So, instead of creating a VM for the same architecture as the host, kata would create a VM for the guest architecture.The text was updated successfully, but these errors were encountered: