aws: updates docs with packer requirement

aws/README.md

@@ -1,9 +1,41 @@
+# Prerequisites
+
+- Install AWS CLI
+Follow the instructions [here](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html) to install the AWS CLI for your platform
+
+- Install packer
+Follow the instructions [here](https://www.packer.io/downloads)
+
+Note: these tools are often outdated when installed by the distribution's package manager
+
 # Setup instructions
 
-- Create a VPC with private and public subnet
-- Create a NAT gateway to provide external connectivity for the instances
+- Export AWS variables
+```
+set +o history
+export AWS_ACCESS_KEY_ID="REPLACE_ME"
+export AWS_SECRET_ACCESS_KEY="REPLACE_ME"
+export REGION="REPLACE_ME"
+export ACCOUNT_ID="REPLACE_ME"
+set -o history
+```
+- Create a VPC with public internet access
+```
+cd image
+. ./create-vpc
+```
 - Create a custom AMI based on Ubuntu 20.04 having kata-agent and other dependencies.
+```
+make build
+```
+export the AMI ID
+```
+export AMI_ID=<ami-id-returned-above>
+```
 - Create an EC2 launch template named "kata". 
+```
+. ./create-lt
+```
 
 
 # Running cloud-api-adaptor

aws/image/.gitignore

@@ -0,0 +1,6 @@
+/skopeo
+/umoci
+/files/usr/local/bin/agent-protocol-forwarder
+/files/usr/local/bin/kata-agent
+/files/usr/bin/skopeo
+/files/usr/local/bin/umoci

aws/image/Makefile

@@ -0,0 +1,85 @@
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+.PHONY: build clean
+
+UBUNTU_RELEASE     = focal
+CONTAINERD_VERSION = 1.5.7
+SKOPEO_VERSION     = 1.5.0
+UMOCI_VERSION      = 0.4.7
+
+IMAGE_PREFIX := podvm
+ARCH := $(subst x86_64,amd64,$(shell uname -m))
+
+FILES_DIR := files
+FILES      = $(shell find "$(FILES_DIR)" -type f -o -type l)
+
+ifndef IMAGE_NAME
+COMMIT := $(shell	commit=$$(git describe --match '' --dirty --always) && \
+					if [ -n "$$(git ls-files --other --exclude-per-directory .gitignore "$(FILES_DIR)")" ]; then \
+						commit="$${commit%-dirty}-dirty"; \
+					fi && \
+	                echo "$$commit")
+ifndef COMMIT
+$(error Failed to derive an image name. Explicitly define IMAGE_NAME)
+endif
+IMAGE_NAME := $(IMAGE_PREFIX)-$(COMMIT)-$(ARCH)
+endif
+IMAGE_FILE := $(IMAGE_NAME)
+
+
+
+AGENT_PROTOCOL_FORWARDER = $(FILES_DIR)/usr/local/bin/agent-protocol-forwarder
+KATA_AGENT    = $(FILES_DIR)/usr/local/bin/kata-agent
+SKOPEO        = $(FILES_DIR)/usr/bin/skopeo
+UMOCI         = $(FILES_DIR)/usr/local/bin/umoci
+BINARIES = $(AGENT_PROTOCOL_FORWARDER) $(KATA_AGENT) $(SKOPEO) $(UMOCI)
+
+AGENT_PROTOCOL_FORWARDER_SRC = ../..
+
+KATA_AGENT_SRC = ../../../kata-containers/src/agent
+KATA_AGENT_BUILD_TYPE = release
+
+SKOPEO_SRC  = skopeo
+SKOPEO_REPO = https://github.com/containers/skopeo
+
+UMOCI_SRC   = umoci
+UMOCI_REPO  = https://github.com/opencontainers/umoci
+
+build: $(IMAGE_FILE)
+
+$(IMAGE_FILE): $(BINARIES) $(FILES)
+	packer build -var vpc_id=${VPC_ID} -var subnet_id=${SUBNET_ID} -var account_id=${ACCOUNT_ID} -var region=${REGION} . 
+
+$(AGENT_PROTOCOL_FORWARDER): force
+	cd "$(AGENT_PROTOCOL_FORWARDER_SRC)" && $(MAKE) agent-protocol-forwarder
+	install --compare "$(AGENT_PROTOCOL_FORWARDER_SRC)/agent-protocol-forwarder" "$@"
+
+$(KATA_AGENT): force
+	cd "$(KATA_AGENT_SRC)" && $(MAKE) BUILD_TYPE=$(KATA_AGENT_BUILD_TYPE)
+	mkdir -p "$(@D)"
+	install --compare "$(KATA_AGENT_SRC)/target/$(shell uname -m)-unknown-linux-$(if $(findstring s390x,$(shell uname -m)),gnu,musl)/$(KATA_AGENT_BUILD_TYPE)/$(@F)" "$@"
+
+$(SKOPEO_SRC):
+	git clone -b "v$(SKOPEO_VERSION)" "$(SKOPEO_REPO)" "$(SKOPEO_SRC)"
+
+$(SKOPEO): $(SKOPEO_SRC)
+	cd "$(SKOPEO_SRC)" && make bin/skopeo
+	mkdir -p "$(@D)"
+	install --compare "$(SKOPEO_SRC)/bin/skopeo" "$@"
+
+$(UMOCI_SRC):
+	git clone -b "v$(UMOCI_VERSION)" "$(UMOCI_REPO)" "$(UMOCI_SRC)"
+
+$(UMOCI): $(UMOCI_SRC)
+	cd "$(UMOCI_SRC)" && make
+	mkdir -p "$(@D)"
+	install --compare "$(UMOCI_SRC)/umoci" "$@"
+
+clean:
+	rm -f "$(IMAGE_FILE)" "$(UBUNTU_IMAGE_FILE)" $(BINARIES)
+	rm -fr "$(SKOPEO_SRC)" "$(UMOCI_SRC)"
+
+.PHONY: force
+force:

aws/image/aws-ubuntu.pkr.hcl

@@ -0,0 +1,53 @@
+packer {
+  required_plugins {
+    amazon = {
+      version = ">= 0.0.2"
+      source  = "github.com/hashicorp/amazon"
+    }
+  }
+}
+
+source "amazon-ebs" "ubuntu" {
+  ami_name      = "${var.ami_name}"
+  instance_type = "${var.instance_type}"
+  region        = "${var.region}"
+  vpc_id    =  "${var.vpc_id}"
+  subnet_id = "${var.subnet_id}"
+  source_ami_filter {
+    filters = {
+      name                = "ubuntu/images/*ubuntu*focal*"
+      root-device-type    = "ebs"
+      virtualization-type = "hvm"
+      architecture        = "x86_64"
+    }
+
+    most_recent = true
+    owners      = ["${var.account_id}", "aws-marketplace", "amazon"]
+  }
+  ssh_username = "ubuntu"
+}
+
+build {
+  name = "peer-pods"
+  sources = [
+    "source.amazon-ebs.ubuntu"
+  ]
+
+  provisioner "file" {
+    source      = "./files"
+    destination = "/tmp/"
+  }
+
+  provisioner "file" {
+    source      = "copy-files.sh"
+    destination = "~/copy-files.sh"
+  }
+
+  provisioner "shell" {
+    remote_folder = "~"
+    inline = [
+      "sudo bash ~/copy-files.sh"
+    ]
+  }
+
+}

aws/image/copy-files.sh

@@ -0,0 +1,8 @@
+sudo mkdir -p /etc/containers
+sudo cp -r /tmp/files/etc/containers/* /etc/containers/
+sudo cp -r /tmp/files/etc/systemd/* /etc/systemd/
+
+
+sudo mkdir -p /usr/local/bin
+sudo cp -r /tmp/files/usr/* /usr/
+

aws/image/create-lt

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+# Create EC2 launch template
+aws ec2 create-launch-template --launch-template-name kata --version-description version1 \
+  --launch-template-data "{\"NetworkInterfaces\":[{\"DeviceIndex\":0,\"AssociatePublicIpAddress\":true,\"Groups\":[\"$SEC_GROUP\"],\"SubnetId\":\"$SUBNET_ID\",\"DeleteOnTermination\":true}],\"ImageId\":\"$AMI_ID\",\"InstanceType\":\"t2.small\"}" --region $REGION
+
+# Delete EC2 launch template
+#aws ec2 delete-launch-template --launch-template-name kata --region $REGION

aws/image/create-vpc

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+VPC_CIDR="10.0.0.0/16"
+SUBNET_CIDR="10.0.1.0/24"
+
+
+VPC_ID=$(aws ec2 create-vpc --cidr-block $VPC_CIDR --region $REGION --tag-specification ResourceType=vpc,Tags=\[\{Key=Name,Value="peer-pods-vpc"\}\]  --query Vpc.VpcId --output text)
+
+echo "VPC created " $VPC_ID
+export VPC_ID=$VPC_ID
+
+SG_ID=$(aws ec2 describe-security-groups --filters Name=vpc-id,Values=$VPC_ID --query "SecurityGroups[*].GroupId" --region $REGION --output text)
+echo "Security Group ID " $SG_ID
+
+aws ec2 authorize-security-group-ingress --group-id $SG_ID --protocol tcp --port 22 --cidr "0.0.0.0/0" --region $REGION
+
+SUBNET_ID=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block $SUBNET_CIDR --region $REGION --tag-specification ResourceType=subnet,Tags=\[\{Key=Name,Value="peer-pods-subnet"\}\] --query Subnet.SubnetId --output text)
+
+# SUBNET_ID=$(aws ec2 create-subnet --vpc-id $VPC_ID --cidr-block $SUBNET_CIDR --region $REGION --availability-zone "ap-south-1a" --query Subnet.SubnetId --output text)
+
+echo "Subnet created " $SUBNET_ID
+export SUBNET_ID=$SUBNET_ID
+
+IGW_ID=$(aws ec2 create-internet-gateway --region $REGION --tag-specification ResourceType=internet-gateway,Tags=\[\{Key=Name,Value="peer-pods-igw"\}\] --query InternetGateway.InternetGatewayId --output text)
+
+echo "Internet GW created " $IGW_ID
+
+aws ec2 attach-internet-gateway --vpc-id $VPC_ID --internet-gateway-id $IGW_ID --region $REGION
+
+RT_ID=$(aws ec2 create-route-table --vpc-id $VPC_ID --region $REGION --query RouteTable.RouteTableId --output text)
+
+echo "Route table created " $RT_ID
+
+aws ec2 create-route --route-table-id $RT_ID --destination-cidr-block 0.0.0.0/0 --gateway-id $IGW_ID --region $REGION
+
+aws ec2 associate-route-table  --subnet-id $SUBNET_ID --route-table-id $RT_ID --region $REGION
+
+aws ec2 modify-subnet-attribute --subnet-id $SUBNET_ID --map-public-ip-on-launch --region $REGION

aws/image/files/etc/containers/policy.json

@@ -0,0 +1,3 @@
+{
+    "default": [{"type": "insecureAcceptAnything"}]
+}

aws/image/files/etc/systemd/system/agent-protocol-forwarder.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=Agent Protocol Forwarder
+After=network.target
+
+[Service]
+ExecStart=/usr/local/bin/agent-protocol-forwarder -host-interface ens4 -kata-agent-namespace /run/netns/podns -kata-agent-socket @/run/kata-containers/agent.sock
+
+[Install]
+WantedBy=multi-user.target

aws/image/files/etc/systemd/system/fix-resolvconf.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Make /etc/resolv.conf a regular file
+After=systemd-networkd.service
+
+[Service]
+ExecStart=/bin/bash -c 'rm -f /etc/resolv.conf && cp /run/systemd/resolve/resolv.conf /etc/resolv.conf'
+ExecStop= /bin/bash -c 'rm -f /etc/resolv.conf && ln -s ../run/systemd/resolve/stub-resolv.conf /etc/resolv.conf'
+Type=oneshot
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

aws/image/files/etc/systemd/system/kata-agent.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Kata Agent
+After=network.target
+
+[Service]
+ExecStart=ip netns exec podns /usr/local/bin/cgroup-exec /usr/local/bin/kata-agent
+ExecStartPre=ip netns add podns
+ExecStartPre=ip netns exec podns ip link set lo up
+ExecStopPost=ip netns delete podns
+Environment="KATA_AGENT_SERVER_ADDR=unix:///run/kata-containers/agent.sock"
+SyslogIdentifier=kata-agent
+
+[Install]
+WantedBy=multi-user.target

aws/image/files/etc/systemd/system/multi-user.target.wants/agent-protocol-forwarder.service

@@ -0,0 +1 @@
+../agent-protocol-forwarder.service

aws/image/files/etc/systemd/system/multi-user.target.wants/fix-resolvconf.service

@@ -0,0 +1 @@
+../fix-resolvconf.service

aws/image/files/etc/systemd/system/multi-user.target.wants/kata-agent.service

@@ -0,0 +1 @@
+../kata-agent.service

aws/image/files/etc/systemd/system/multi-user.target.wants/run-kata\x2dcontainers-shared-containers.mount

@@ -0,0 +1 @@
+../run-kata\x2dcontainers-shared-containers.mount

aws/image/files/etc/systemd/system/multi-user.target.wants/run-kata\x2dcontainers.mount

@@ -0,0 +1 @@
+../run-kata\x2dcontainers.mount

aws/image/files/etc/systemd/system/run-kata\x2dcontainers-shared-containers.mount

@@ -0,0 +1,12 @@
+[Unit]
+Description=Mount unit for /run/kata-containers/shared/containers
+Before=kata-agent.service
+
+[Mount]
+What=tmpfs
+Where=/run/kata-containers/shared/containers
+Type=tmpfs
+Options=mode=755
+
+[Install]
+WantedBy=multi-user.target

aws/image/files/etc/systemd/system/run-kata\x2dcontainers.mount

@@ -0,0 +1,12 @@
+[Unit]
+Description=Mount unit for /run/kata-containers
+Before=kata-agent.service
+
+[Mount]
+What=tmpfs
+Where=/run/kata-containers
+Type=tmpfs
+Options=mode=755
+
+[Install]
+WantedBy=multi-user.target

aws/image/files/usr/local/bin/cgroup-exec

@@ -0,0 +1,57 @@
+#!/bin/bash
+#
+# (C) Copyright IBM Corp. 2022.
+# SPDX-License-Identifier: Apache-2.0
+#
+
+# Mount cgroup filesystem
+
+set -o errexit -o pipefail
+
+if [[ ! -d /sys/fs/cgroup ]]; then
+	echo "/sys/fs/cgroup not found" 1>&2
+	exit 1
+fi
+
+if [[ -z "$(ls -A /sys/fs/cgroup)" ]]; then
+
+	mount -t tmpfs tmpfs /sys/fs/cgroup
+
+	cat /proc/1/mountinfo | awk '{
+
+		idx = index($_, " - ")
+		part1len = split(substr($_, 0, idx), part1)
+		part2len = split(substr($_, idx+3), part2)
+		if (part1len < 6 || part2len < 3) {
+			next
+		}
+
+		mount_point = part1[5]
+		if (mount_point !~ /^\/sys\/fs\/cgroup\//) {
+			next
+		}
+
+		fs_type = part2[1]
+		if (fs_type != "cgroup") {
+			next
+		}
+
+		opts = part1[6]
+		split(part2[3], sbopts, ",")
+		for (i in sbopts) {
+			opt = sbopts[i]
+			if (opt == "rw" || opt == "ro") {
+				continue
+			}
+			opts = opts "," opt
+		}
+
+		print(mount_point, opts)
+
+	}' | while read mount_point opts; do
+		mkdir -p "$mount_point"
+		mount -t cgroup -o "$opts" cgroup "$mount_point"
+	done
+fi
+
+exec "$@"