katacontainers网络文件系统分析

准备sandbox和container启动文件

sandbox:
{"metadata": {"name": "busybox-pod","uid": "busybox-pod","namespace": "test.kata"},"hostname": "busybox_host","log_directory": "","dns_config": {},"port_mappings": [],"resources": {},"labels": {},"annotations": {},"linux": {}
}container:
{"metadata": {"name": "busybox-container","namespace": "test.kata"},"image": {"image": "docker.io/library/busybox:latest"},"command": ["sleep","9999"],"args": [],"working_dir": "/","log_path": "","stdin": false,"stdin_once": false,"tty": false
}

ctr命令启动kata v2

ctr是containerd的客户端命令

下载busybox容器

image="docker.io/library/busybox:latest"
ctr image pull "$image"

ctr使用kata v2部署运行时，并打印sandbox内核版本

ctr run --runtime "io.containerd.kata.v2" --rm -t "$image" test-kata uname -r

当看到返回的内核版本信息后表示运行完成

crictl命令部署kata v2

修改containerd默认runtime为kata v2

/etc/containerd/config.toml
[plugins][plugins.cri][plugins.cri.containerd][plugins.cri.containerd.default_runtime]runtime_type = "io.containerd.kata.v2"[plugins.cri.cni]# conf_dir is the directory in which the admin places a CNI conf.conf_dir = "/etc/cni/net.d"

创建/etc/cni/net.d/10-mynet.conf文件，并添加cni配置

cat /etc/cni/net.d/10-mynet.conf
{"cniVersion": "0.2.0","name": "mynet","type": "bridge","bridge": "cni0","isGateway": true,"ipMasq": true,"ipam": {"type": "host-local","subnet": "172.19.0.0/24","routes": [{ "dst": "0.0.0.0/0" }]}
}

创建sandbox运行环境：crictl runp -r kata sandbox_config.json

抛出如下错误：

WARN[0000] runtime connect using default endpoints: [unix:///var/run/dockershim.sock unix:///run/containerd/containerd.sock unix:///run/crio/crio.sock]. As the default settings are now deprecated, you should set the endpoint instead.
ERRO[0002] connect endpoint 'unix:///var/run/dockershim.sock', make sure you are running as root and the endpoint has been started: context deadline exceeded FATA[0025] run pod sandbox: rpc error: code = Unknown desc = failed to get sandbox image "k8s.gcr.io/pause:3.2": failed to pull image "k8s.gcr.io/pause:3.2": failed to pull and unpack image "k8s.gcr.io/pause:3.2": failed to resolve reference "k8s.gcr.io/pause:3.2": failed to do request: Head "https://k8s.gcr.io/v2/pause/manifests/3.2": dial tcp 108.177.125.82:443: connect: connection refused

第一段错误信息可以看到crictl连接的runtime是docker，并且连接失败

查看containerd启动信息（journalctl -exu containerd），containerd启动完成后监听的unix sock路径是：/run/containerd/containerd.sock。

创建crictl配置文件：/etc/crictl.yaml

修改crictl默认配置，把runtime-endpoint和image-endpoint指向containerd

runtime-endpoint: unix:///run/containerd/containerd.sock
image-endpoint: unix:///run/containerd/containerd.sock
timeout: 2
debug: true
pull-image-on-create: false

第二段错误信息提示下载k8s.gcr.io/pause:3.2容器镜像失败

crictl配置好image-endpoint后crictl使用containerd管理镜像，并且默认使用k8s.io命令空间，使用crictl pull命令拉取国内pause镜像再修改tag

crictl pull registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2
拉取完成后使用crictl images命令可以看到镜像
并且可以通过ctr ns list命令看到containerd多出了k8s.io命名空间，containerd管理的镜像也是使用命名空间进行隔离，如果要看crictl下载的镜像需要带上k8s.io明明空间ctr -n k8s.io images ls

因为crictl命令不能修改镜像tag，所以使用ctr命令修改容器tag

ctr -n k8s.io images tag registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64:3.2 k8s.gcr.io/pause:3.2

crictl runp sandbox_config.json 执行成功后会返回一组id，并且可以通过crictl pods看到启动成功的pod，当前pod只是kata的sandbox并没有运行容器

POD ID              CREATED             STATE               NAME                NAMESPACE           ATTEMPT             RUNTIME
613962e9064fb       46 seconds ago      Ready               busybox-pod         test.kata           0                   (default)

使用crictl拉取busybox镜像，成功后可以使用crictl看到pause和busybox镜像，同时也可以使用ctr -n k8s.io images ls命令查看镜像

拉取镜像
crictl pull docker.io/library/busybox:latest
查看镜像
crictl images
IMAGE                                                             TAG                 IMAGE ID            SIZE
docker.io/library/busybox                                         latest              a9d583973f65a       769kB
k8s.gcr.io/pause                                                  3.2                 80d28bedfe5de       298kB
registry.cn-hangzhou.aliyuncs.com/google_containers/pause-amd64   3.2                 80d28bedfe5de       298kB

创建kata v2 pod

crictl create 613962e9064fb container_config.json sandbox_config.json

返回一组id，这时候可以通过crictl ps -a看到已经创建成功busybox容器，并且状态为Created

CONTAINER           IMAGE                              CREATED             STATE               NAME                ATTEMPT             POD ID
30917721dccfa       docker.io/library/busybox:latest   54 seconds ago      Created             busybox-container   0                   613962e9064fb

根据POD id启动pod中容器

crictl start 30917721dccfa

查看容器状态变为Running

CONTAINER           IMAGE                              CREATED             STATE               NAME                ATTEMPT             POD ID
30917721dccfa       docker.io/library/busybox:latest   2 minutes ago       Running             busybox-container   0                   613962e9064fb

进入容器命令

crictl exec -it 30917721dccfa sh

进入kata v2 sandbox runtime

kata v2环境中考虑到安全性问题不能直接使用kata-runtime exec进入sandbox虚拟机，并且kata release版本的镜像没有包含登录组件，如果要登录需要重新制作sandbox文件系统，登录sandbox需要通过kata-monitor并且sandbox需要在kata-monitor启动之后再启动才能进行调试工作

启动kata-monitor，有新pod创建时会提示“add sandbox to cache”，如果在kata-monitor启动之前就创建了sandbox，使用kata-runtime进入sandbox时会提示在cache找不到执行sandbox

[root@localhost ~]# kata-monitor -listen-address 0.0.0.0:8090
INFO[0047] add sandbox to cache                          container=72a318251595d1ca8271258e5cc60050b8b163195ef35600eab14c9a3c4a2087 name=kata-monitor pid=6194 source=kata-monitor

修改kata-runtime配置文件/usr/share/defaults/kata-containers/configuration.toml，[agent.kata]打开debug_console_enabled配置，[hypervisor.qemu]修改内核启动参数

[agent.kata]
debug_console_enabled = true[hypervisor.qemu]
sed -i -e 's/^kernel_params = "\(.*\)"/kernel_params = "\1 agent.debug_console"/g' "${kata_configuration_file}"

[root@localhost ~]# crictl runp sandbox_config.json
f2a0ddb835b9094c719abd74678875db3c6c3ee0bfa39b07734e1258498c157c
[root@localhost ~]#
[root@localhost ~]# crictl create f2a0ddb835b9094c719abd74678875db3c6c3ee0bfa39b07734e1258498c157c container_config.json sandbox_config.json
b265a772d6ab7d31961c27767b96948a639c4fc56e7b7835b2d2153fce757625
[root@localhost ~]#
[root@localhost ~]# crictl start b265a772d6ab7d31961c27767b96948a639c4fc56e7b7835b2d2153fce757625
b265a772d6ab7d31961c27767b96948a639c4fc56e7b7835b2d2153fce757625
[root@localhost ~]#
[root@localhost ~]# kata-runtime exec f2a0ddb835b9094c719abd74678875db3c6c3ee0bfa39b07734e1258498c157c
bash-4.2# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"bash-4.2# id
uid=0(root) gid=0(root) groups=0(root)
bash-4.2# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 11:20 ?        00:00:00 /sbin/init
root         2     0  0 11:20 ?        00:00:00 [kthreadd]
root         3     2  0 11:20 ?        00:00:00 [rcu_gp]
root         4     2  0 11:20 ?        00:00:00 [rcu_par_gp]
root         5     2  0 11:20 ?        00:00:00 [kworker/0:0-vir]
root         6     2  0 11:20 ?        00:00:00 [kworker/0:0H]
root         7     2  0 11:20 ?        00:00:00 [kworker/u4:0-ev]
root         8     2  0 11:20 ?        00:00:00 [mm_percpu_wq]
root         9     2  0 11:20 ?        00:00:00 [ksoftirqd/0]
root        10     2  0 11:20 ?        00:00:00 [rcu_sched]
root        11     2  0 11:20 ?        00:00:00 [migration/0]
root        12     2  0 11:20 ?        00:00:00 [cpuhp/0]
root        13     2  0 11:20 ?        00:00:00 [kdevtmpfs]
root        14     2  0 11:20 ?        00:00:00 [netns]
root        15     2  0 11:20 ?        00:00:00 [oom_reaper]
root        16     2  0 11:20 ?        00:00:00 [writeback]
root        17     2  0 11:20 ?        00:00:00 [kcompactd0]
root        18     2  0 11:20 ?        00:00:00 [kblockd]
root        19     2  0 11:20 ?        00:00:00 [blkcg_punt_bio]
root        20     2  0 11:20 ?        00:00:00 [kworker/0:1-vir]
root        21     2  0 11:20 ?        00:00:00 [kswapd0]
root        22     2  0 11:20 ?        00:00:00 [xfsalloc]
root        23     2  0 11:20 ?        00:00:00 [xfs_mru_cache]
root        24     2  0 11:20 ?        00:00:00 [kthrotld]
root        25     2  0 11:20 ?        00:00:00 [nfit]
root        26     2  0 11:20 ?        00:00:00 [kworker/u4:1-ev]
root        27     2  0 11:20 ?        00:00:00 [khvcd]
root        28     2  0 11:20 ?        00:00:00 [kworker/0:2-cgr]
root        29     2  0 11:20 ?        00:00:00 [hwrng]
root        30     2  0 11:20 ?        00:00:00 [scsi_eh_0]
root        31     2  0 11:20 ?        00:00:00 [scsi_tmf_0]
root        32     2  0 11:20 ?        00:00:00 [ipv6_addrconf]
root        33     2  0 11:20 ?        00:00:00 [jbd2/pmem0p1-8]
root        34     2  0 11:20 ?        00:00:00 [ext4-rsv-conver]
root        50     2  0 11:20 ?        00:00:00 [kworker/0:3-vir]
root        56     2  0 11:20 ?        00:00:00 [kworker/0:4]
root        59     1  0 11:20 ?        00:00:00 /usr/bin/kata-agent
chrony      65     1  0 11:20 ?        00:00:00 /usr/sbin/chronyd
root        82    59  0 11:20 ?        00:00:00 /pause
root        84    59  0 11:21 ?        00:00:00 sleep 9999
root        87    59  0 11:21 pts/0    00:00:00 [bash]
root        92    87  0 11:21 pts/0    00:00:00 ps -ef
bash-4.2#

进入kata v2容器

使用crictl pods查看运行中的pod信息

[root@localhost ~]# crictl runp sandbox_config.json
e5181d052e28b193f5bae7ea68fb7af7f8ed02a3b0672f30f93f669445b57f34
[root@localhost ~]# crictl create e5181d052e28b193f5bae7ea68fb7af7f8ed02a3b0672f30f93f669445b57f34 container_config.json sandbox_config.json
53c7d1a6d80dada9a44558c14b0b0e3358078094133f523abe118c8b9164e633
[root@localhost ~]# crictl start 53
53
[root@localhost ~]# crictl ps
CONTAINER           IMAGE                              CREATED             STATE               NAME                ATTEMPT             POD ID
53c7d1a6d80da       docker.io/library/busybox:latest   12 seconds ago      Running             busybox-container   0                   e5181d052e28b
[root@localhost ~]# crictl exec -it 53 sh
/ # ps -ef
PID   USER     TIME  COMMAND1 root      0:00 /pause2 root      0:00 sleep 99993 root      0:00 sh4 root      0:00 ps -ef
/ #

kata 网络分析

Kata Containers网络由network namespaces、tap和tc打通，创建sandbox之前首先创建网络命名空间，里面有veth-pair和tap两种网络接口，eth0属于veth-pair类型接口，一端接入cni创建的网络命名空间，一端接入宿主机；tap0_kata属于tap类型接口，一端接入cni创建的网络命名空间，一端接入qemu创建的hypervisor，并且在cni创建的网络命名空间使用tc策略打通eth0网络接口和tap0_kata网络接口，相当于把eth0和tap0_kata两个网络接口连城一条线。

Sandbox环境中只有eth0网络接口，这个接口是qemu和tap模拟出的接口，mac、ip、掩码都和宿主机中cni创建的网络命名空间中eth0的配置一样

Container运行在Sandbox环境中，Container采用共享宿主机网络命名空间方式创建容器，所以在container中看到的网络配置和Sandbox一样

网络流量走向：

流量进入宿主机后首先由物理网络通过网桥或者路由接入到网络命名空间，网络命名空间中在使用tc策略牵引流量到tap网络接口，然后再通过tap网络接口把流量送入虚拟化环境中，最后虚拟化环境中的容器共享宿主机网络命名空间后就可以在容器中拿到网络流量

hw:              NIC--->
host:           bridge or router veth peer interface--->
ns:             ns veth peer interface---> tc redict ns tap interface
hypervisor:     qemu tap char device--->
gust host:      tap interface
container:      gust host interface

Host Network Namespaces：
[root@localhost opt]# ip netns
cni-eeefa566-f128-03d7-0d4f-dec535aeaedd (id: 0)
[root@localhost opt]# ip netns exec cni-eeefa566-f128-03d7-0d4f-dec535aeaedd ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
3: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000link/ether 0e:09:b4:1f:d6:2f brd ff:ff:ff:ff:ff:ff link-netnsid 0inet 172.19.0.52/24 brd 172.19.0.255 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::c09:b4ff:fe1f:d62f/64 scope link valid_lft forever preferred_lft forever
4: tap0_kata: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UNKNOWN group default qlen 1000link/ether ba:fd:97:4f:5a:12 brd ff:ff:ff:ff:ff:ffinet6 fe80::b8fd:97ff:fe4f:5a12/64 scope link valid_lft forever preferred_lft forever
[root@localhost opt]# ip netns exec cni-eeefa566-f128-03d7-0d4f-dec535aeaedd tc -s qdisc
qdisc noqueue 0: dev lo root refcnt 2 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
qdisc noqueue 0: dev eth0 root refcnt 2 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
qdisc ingress ffff: dev eth0 parent ffff:fff1 ---------------- Sent 3458 bytes 37 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
qdisc mq 0: dev tap0_kata root Sent 4982 bytes 50 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
qdisc fq_codel 0: dev tap0_kata parent :1 limit 10240p flows 1024 quantum 1514 target 5.0ms interval 100.0ms memory_limit 32Mb ecn Sent 4982 bytes 50 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0maxpacket 0 drop_overlimit 0 new_flow_count 0 ecn_mark 0new_flows_len 0 old_flows_len 0
qdisc ingress ffff: dev tap0_kata parent ffff:fff1 ---------------- Sent 2644 bytes 38 pkt (dropped 0, overlimits 0 requeues 0) backlog 0b 0p requeues 0
[root@localhost opt]# Sandbox：
bash-4.2# ./ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000link/ether 0e:09:b4:1f:d6:2f brd ff:ff:ff:ff:ff:ffinet 172.19.0.52/24 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::c09:b4ff:fe1f:d62f/64 scope link valid_lft forever preferred_lft forever
bash-4.2# Container：
/ # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue qlen 1000link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00inet 127.0.0.1/8 scope host lovalid_lft forever preferred_lft foreverinet6 ::1/128 scope host valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000link/ether 0e:09:b4:1f:d6:2f brd ff:ff:ff:ff:ff:ffinet 172.19.0.52/24 scope global eth0valid_lft forever preferred_lft foreverinet6 fe80::c09:b4ff:fe1f:d62f/64 scope link valid_lft forever preferred_lft forever
/ # kata container中走出的流量mac地址和宿主机veth网络接口地址mac一致，因为宿主机的veth接口mac地址和容器中网络接口的mac地址一样
container:
/ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=127 time=65.917 ms
64 bytes from 8.8.8.8: seq=1 ttl=127 time=65.852 ms
64 bytes from 8.8.8.8: seq=2 ttl=127 time=97.151 ms
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 65.852/76.306/97.151 ms
/ # host:
[root@localhost opt]# tcpdump -i vethbf44c9e2 -e
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vethbf44c9e2, link-type EN10MB (Ethernet), capture size 262144 bytes
10:43:22.839544 0e:09:b4:1f:d6:2f (oui Unknown) > ca:16:9b:4d:99:92 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.19.0.52 > dns.google: ICMP echo request, id 3840, seq 0, length 64
10:43:22.905210 ca:16:9b:4d:99:92 (oui Unknown) > 0e:09:b4:1f:d6:2f (oui Unknown), ethertype IPv4 (0x0800), length 98: dns.google > 172.19.0.52: ICMP echo reply, id 3840, seq 0, length 64
10:43:23.840455 0e:09:b4:1f:d6:2f (oui Unknown) > ca:16:9b:4d:99:92 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.19.0.52 > dns.google: ICMP echo request, id 3840, seq 1, length 64
10:43:23.905728 ca:16:9b:4d:99:92 (oui Unknown) > 0e:09:b4:1f:d6:2f (oui Unknown), ethertype IPv4 (0x0800), length 98: dns.google > 172.19.0.52: ICMP echo reply, id 3840, seq 1, length 64
10:43:24.840769 0e:09:b4:1f:d6:2f (oui Unknown) > ca:16:9b:4d:99:92 (oui Unknown), ethertype IPv4 (0x0800), length 98: 172.19.0.52 > dns.google: ICMP echo request, id 3840, seq 2, length 64
10:43:24.907717 ca:16:9b:4d:99:92 (oui Unknown) > 0e:09:b4:1f:d6:2f (oui Unknown), ethertype IPv4 (0x0800), length 98: dns.google > 172.19.0.52: ICMP echo reply, id 3840, seq 2, length 64
10:43:28.033051 0e:09:b4:1f:d6:2f (oui Unknown) > ca:16:9b:4d:99:92 (oui Unknown), ethertype ARP (0x0806), length 42: Request who-has localhost.localdomain tell 172.19.0.52, length 28
10:43:28.033105 ca:16:9b:4d:99:92 (oui Unknown) > 0e:09:b4:1f:d6:2f (oui Unknown), ethertype ARP (0x0806), length 42: Reply localhost.localdomain is-at ca:16:9b:4d:99:92 (oui Unknown), length 28
10:43:28.153723 ca:16:9b:4d:99:92 (oui Unknown) > 0e:09:b4:1f:d6:2f (oui Unknown), ethertype ARP (0x0806), length 42: Request who-has 172.19.0.52 tell localhost.localdomain, length 28
10:43:28.154306 0e:09:b4:1f:d6:2f (oui Unknown) > ca:16:9b:4d:99:92 (oui Unknown), ethertype ARP (0x0806), length 42: Reply 172.19.0.52 is-at 0e:09:b4:1f:d6:2f (oui Unknown), length 28
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost opt]#

kata文件系统分析

Kata Containers在文件系统层次上面可以理解为Sandbox文件系统处于第一层，Container容器镜像存放在Sandbox文件系统中，但Container的容器镜像需要和宿主机上的容器镜像同步，这里就涉及到宿主机和虚拟机共享文件的技术。

Kata Containers采用Virtio-fs方案共享宿主机目录到虚拟机中。virtio-fs方案使用FUSE协议在host和guest之间通信。在host端实现一个fuse server操作host上的文件，然后把guest kernel当作fuse client在guest内挂载fuse，server和client之间使用virtio来做传输层来承载FUSE协议。

FUSE协议：相当于在Kernel捕获操作文件系统的系统调用，并且把调用转发到用户空间，实现对接不同文件系统效果

virtio-fs：:https://kernel.taobao.org/2019/11/virtio-fs-intro-and-perf-optimize/

宿主机启动两个virtiofsd进程

[root@localhost ~]# ps -ef | grep 3591
root        3591    3570  0 10:58 ?        00:00:00 /opt/kata/libexec/kata-qemu/virtiofsd --fd=3 -o source=/run/kata-containers/shared/sandboxes/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/shared -o cache=auto --syslog -o no_posix_lock -f --thread-pool-size=1
root        3604    3591  0 10:58 ?        00:00:00 /opt/kata/libexec/kata-qemu/virtiofsd --fd=3 -o source=/run/kata-containers/shared/sandboxes/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/shared -o cache=auto --syslog -o no_posix_lock -f --thread-pool-size=1
root        5201    3980  0 11:43 pts/4    00:00:00 grep --color=auto 3591
[root@localhost ~]# ls /run/kata-containers/shared/sandboxes/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/shared
bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9                               dafed18b274865392308b232916608b50c07f8e3da65bc93920201f8a54c8246-216db849e4c85789-hostname
bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9-38821f6d7ff9a0a2-resolv.conf  dafed18b274865392308b232916608b50c07f8e3da65bc93920201f8a54c8246-3d94e11ad98423b6-resolv.conf
dafed18b274865392308b232916608b50c07f8e3da65bc93920201f8a54c8246                               dafed18b274865392308b232916608b50c07f8e3da65bc93920201f8a54c8246-ef69b23937321637-hosts
[root@localhost ~]#

kata启动的qemu进程添加了vhost-user-fs-pci类型的设备，用于在Guest Kernel和virtiofsd之间建立起vhost-user连接

添加vhost-user.sock文件：

-chardev socket,id=char-d2eb304b58025a80,path=/run/vc/vm/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/vhost-fs.sock

添加virtiofs设备：

-device vhost-user-fs-pci,chardev=char-d2eb304b58025a80,tag=kataShared

[root@localhost /]# ps -ef | grep qemu-system-x86_64
root        3597       1  0 10:58 ?        00:00:15 /opt/kata/bin/qemu-system-x86_64 -name sandbox-bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9 -uuid cc99a26f-8b24-406b-af3e-7601642fcd3f -machine pc,accel=kvm,kernel_irqchip,nvdimm -cpu host,pmu=off -qmp unix:/run/vc/vm/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/qmp.sock,server,nowait -m 2048M,slots=10,maxmem=4735M -device pci-bridge,bus=pci.0,id=pci-bridge-0,chassis_nr=1,shpc=on,addr=2,romfile= -device virtio-serial-pci,disable-modern=true,id=serial0,romfile= -device virtconsole,chardev=charconsole0,id=console0 -chardev socket,id=charconsole0,path=/run/vc/vm/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/console.sock,server,nowait -device nvdimm,id=nv0,memdev=mem0 -object memory-backend-file,id=mem0,mem-path=/opt/kata/share/kata-containers/test-kata-containers.img,size=536870912 -device virtio-scsi-pci,id=scsi0,disable-modern=true,romfile= -object rng-random,id=rng0,filename=/dev/urandom -device virtio-rng-pci,rng=rng0,romfile= -device vhost-vsock-pci,disable-modern=true,vhostfd=3,id=vsock-112570929,guest-cid=112570929,romfile= -chardev socket,id=char-d2eb304b58025a80,path=/run/vc/vm/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/vhost-fs.sock -device vhost-user-fs-pci,chardev=char-d2eb304b58025a80,tag=kataShared,romfile= -netdev tap,id=network-0,vhost=on,vhostfds=4,fds=5 -device driver=virtio-net-pci,netdev=network-0,mac=26:9c:58:9e:61:55,disable-modern=true,mq=on,vectors=4,romfile= -rtc base=utc,driftfix=slew,clock=host -global kvm-pit.lost_tick_policy=discard -vga none -no-user-config -nodefaults -nographic --no-reboot -daemonize -object memory-backend-file,id=dimm1,size=2048M,mem-path=/dev/shm,share=on -numa node,memdev=dimm1 -kernel /opt/kata/share/kata-containers/test-vmlinux.bin -append tsc=reliable no_timer_check rcupdate.rcu_expedited=1 i8042.direct=1 i8042.dumbkbd=1 i8042.nopnp=1 i8042.noaux=1 noreplace-smp reboot=k console=hvc0 console=hvc1 cryptomgr.notests net.ifnames=0 pci=lastbus=0 root=/dev/pmem0p1 rootflags=dax,data=ordered,errors=remount-ro ro rootfstype=ext4 quiet systemd.show_status=false panic=1 nr_cpus=2 systemd.unit=kata-containers.target systemd.mask=systemd-networkd.service systemd.mask=systemd-networkd.socket scsi_mod.scan=none agent.debug_console agent.debug_console_vport=1026 agent.debug_console -pidfile /run/vc/vm/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/pid -smp 1,cores=1,threads=1,sockets=2,maxcpus=2

进入Katacontainers的Sandbox查看挂载状态，使用virtiofs tag为kataShared的文件系统挂载目录

bash-4.2# mount | grep kataShared
kataShared on /run/kata-containers/shared/containers type virtiofs (rw,relatime)
kataShared on /run/kata-containers/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/rootfs type virtiofs (rw,relatime)
kataShared on /run/kata-containers/dafed18b274865392308b232916608b50c07f8e3da65bc93920201f8a54c8246/rootfs type virtiofs (rw,relatime)
bash-4.2#

挂载对应

/run/kata-containers/shared/sandboxes/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/shared    --->
/run/kata--containers/shared/containers/run/kata-containers/shared/sandboxes/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/shared/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9   --->
/run/kata-containers/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/rootfs/run/kata-containers/shared/sandboxes/bd570ad1fc1d531d7227425e598d71dd17c6b57209991b733df0083ffc38e2a9/shared/dafed18b274865392308b232916608b50c07f8e3da65bc93920201f8a54c8246  --->
/run/kata-containers/dafed18b274865392308b232916608b50c07f8e3da65bc93920201f8a54c8246/rootfs