Run Qemu VirtualBox for Kuasar #214
base: main
Conversation
Line 54: # container config that disables AppArmor; once the container is running, run sudo crictl exec -it container_id sh to get a shell inside it. Line 65: # affects execution. Signed-off-by: Kairus Zhang <[email protected]>
Add a kernel build script adapted to the Qemu sandbox. Signed-off-by: Kairus Zhang <[email protected]>
It should be a directory. Signed-off-by: Kairus Zhang <[email protected]>
It will create vmlinux.bin for Qemu VirtualBox. Signed-off-by: Kairus Zhang <[email protected]>
Summary of Changes
Hello @KairusZhang, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request lays the groundwork for running confidential containers within Kuasar by integrating QEMU virtualization. It provides a robust mechanism for building a custom Linux kernel optimized for QEMU and adjusts the existing example container setup to ensure compatibility and ease of use within this new virtualized environment.
Highlights
- QEMU Virtualization Support: This pull request introduces the necessary components and adjustments to enable Kuasar to run confidential containers using QEMU as the virtualization backend.
- Automated Kernel Building: A new shell script (vmm/scripts/kernel/qemu/build.sh) has been added to automate the process of cloning, configuring, and compiling a Linux kernel specifically tailored for QEMU, supporting both x86_64 and aarch64 architectures.
- Example Container Configuration Updates: The run_example_container.sh script has been modified to disable AppArmor for the example container and to hardcode the kuasar-vmm runtime, streamlining the setup for QEMU-based execution.
Code Review
This pull request introduces a script to build a QEMU kernel and updates an example script. Several issues were identified, including critical errors in shell scripts that would cause them to fail, and high-severity logical errors. Specific code suggestions have been provided to address these problems, aiming to improve the correctness and robustness of the scripts.
examples/run_example_container.sh
Outdated
| "log_path":"ubuntu.log", | ||
| "linux": { | ||
| "security_context": { | ||
| "apparmor_profile": "unconfined", #禁用 AppArmor 的容器配置,容器运行起来后,执行sudo crictl exec -it container_id sh 可进入容器内 |
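Review bot: `"apparmor_profile": "unconfined"` turns off the AppArmor profile for the example container as the default, and the inline comment gives convenience (getting `sudo crictl exec -it container_id sh` to work) as the only reason. For a setup aimed at confidential containers that should be an explicit opt-in, not the shipped default: add the field only when a flag or environment variable asks for it, and document why exec needs it, or keep the runtime's default profile and fix the exec path instead. The `#` comment itself must also move out of the heredoc, since that heredoc is written verbatim into container.json.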
The comment added inside the cat <<EOF block is not valid in a JSON file. This will cause a JSON parsing error when crictl tries to read container.json. Shell comments should be outside the heredoc block.
| "apparmor_profile": "unconfined", #禁用 AppArmor 的容器配置,容器运行起来后,执行sudo crictl exec -it container_id sh 可进入容器内 | |
| "apparmor_profile": "unconfined", |
vmm/scripts/kernel/qemu/build.sh
Outdated
| # 克隆内核源码 | ||
| echo "克隆 Linux 内核源码 (版本: ${version}, 架构: ${arch})..." | ||
| git clone --depth 1 --single-branch -b "v${version}" \ | ||
| https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"${work_dir}" |
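Review bot: the clone fetches the source that becomes the sandbox guest kernel by tag name alone, so nothing checks that `v${version}` is the tag the stable maintainers actually signed. After the clone, run `git verify-tag "v${version}"` (linux-stable release tags are GPG-signed) or pin a commit hash and compare it before building, and fail the script if the check does not pass. Separately, the URL and `"${work_dir}"` are run together without a space, so the clone fails as written.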
The git clone command is missing a space between the repository URL and the destination directory. This will cause the command to fail.
| https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"${work_dir}" | |
| git clone --depth 1 --single-branch -b "v${version}" https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git "${work_dir}" |
examples/run_example_container.sh
Outdated
|
|
||
| # Run a container, default runtime is "kuasar-vmm". | ||
| runtime=${1:-kuasar-vmm} | ||
| runtime=${kuasar-vmm} # 原标志影响运行 |
The shell parameter expansion runtime=${kuasar-vmm} is likely incorrect. This syntax attempts to expand the variable $kuasar, and if it's unset or null, it defaults to vmm. This is probably not the intended behavior.
If the goal is to hardcode the runtime to kuasar-vmm, it should be assigned as a string. The original code runtime=${1:-kuasar-vmm} allowed overriding the runtime via a command-line argument, which is now lost.
| runtime=${kuasar-vmm} # 原标志影响运行 | |
| runtime="kuasar-vmm" |
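The two problems raised on examples/run_example_container.sh, the shell comment that lands inside the heredoc written to container.json and the lost `${1:-kuasar-vmm}` override, can be handled in one place. The script below is an added example written for this review, not code from the Kuasar repository or from this pull request: it keeps the runtime overridable from the command line, makes the unconfined AppArmor profile an explicit `--unconfined` opt-in instead of the default, and emits the JSON with no comments inside the heredoc. The image name, the container command, the `--unconfined` flag and the `RUN_EXAMPLE_MAIN` guard are assumptions; only `log_path`, `linux.security_context.apparmor_profile` and the `kuasar-vmm` default come from the page.

```sh
#!/bin/sh
# Added example (not from the Kuasar repo): generate the example container.json
# with the AppArmor setting chosen by a flag instead of hardcoding "unconfined",
# and keep every shell comment outside the heredoc so the file stays valid JSON.
set -eu

# Runtime stays overridable via the first argument; default is kuasar-vmm.
select_runtime() {
    printf '%s\n' "${1:-kuasar-vmm}"
}

# Decide which AppArmor profile to request. Dropping confinement is opt-in
# (--unconfined, an assumed flag); no flag means "leave the runtime default".
select_apparmor_profile() {
    case "${1:-}" in
        --unconfined) printf 'unconfined\n' ;;
        "")           printf '\n' ;;
        *)            echo "unknown option: $1" >&2; return 1 ;;
    esac
}

# Render the CRI container spec. $1 = AppArmor profile; empty means the
# apparmor_profile field is omitted entirely. Comments stay out of the heredoc.
render_container_json() {
    profile="$1"
    if [ -n "$profile" ]; then
        security_context="\"security_context\": { \"apparmor_profile\": \"${profile}\" }"
    else
        security_context="\"security_context\": {}"
    fi
    # Image and command are assumed values for the example container.
    cat <<EOF
{
  "metadata": { "name": "ubuntu" },
  "image": { "image": "docker.io/library/ubuntu:latest" },
  "command": ["/bin/sh", "-c", "sleep infinity"],
  "log_path": "ubuntu.log",
  "linux": {
    ${security_context}
  }
}
EOF
}

# Entry point. Only runs when RUN_EXAMPLE_MAIN=1 (assumed guard) so the
# functions above can be sourced without side effects.
main() {
    runtime=$(select_runtime "${1:-}")
    profile=$(select_apparmor_profile "${2:-}")
    render_container_json "$profile" > container.json
    echo "runtime=${runtime}; wrote container.json (apparmor_profile=${profile:-runtime default})"
    # The real script would continue with crictl, e.g.:
    #   sudo crictl runp --runtime "$runtime" pod.json
    #   sudo crictl create <pod_id> container.json pod.json
}

if [ "${RUN_EXAMPLE_MAIN:-0}" = "1" ]; then
    main "$@"
fi
```

Run as `RUN_EXAMPLE_MAIN=1 sh run_example.sh kuasar-vmm --unconfined` to get the unconfined variant, or without the flag to keep the runtime's default profile; either way the heredoc contains no `#` and parses as JSON.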
vmm/scripts/kernel/qemu/build.sh
Outdated
| x86_64) | ||
| defconfig="x86_64_defconfig" | ||
| kernel_path="arch/x86/boot/compressed/vmlinux.bin" | ||
| ;; | ||
| aarch64) | ||
| defconfig="defconfig" | ||
| kernel_path="arch/arm64/boot/Image" | ||
| ;; | ||
| *) | ||
| echo "错误:不支持的架构 ${arch}" | ||
| exit 1 | ||
| ;; |
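Review bot: `kernel_path="arch/x86/boot/compressed/vmlinux.bin"` points at an intermediate of the bzImage build, the flat binary that objcopy produces before it is compressed into the final image; QEMU's x86 `-kernel` loader accepts a bzImage (Linux boot-protocol header) or an ELF vmlinux carrying a PVH note, not this flat binary, so it is the wrong artifact to ship. Use `arch/x86/boot/bzImage` for x86_64 and `arch/arm64/boot/Image` for aarch64, and set the make target in this same case statement instead of hardcoding `make bzImage` later, which is not a target the arm64 build provides. The `*)` branch should also print its error in English like the rest of the script's output.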
The architecture-specific configuration has a couple of issues:
- The kernel_path for x86_64 is incorrect. The make bzImage command produces the kernel at arch/x86/boot/bzImage.
- The script later uses a hardcoded make bzImage command (line 81), which is only valid for x86_64. A variable for the make target should be defined here for each architecture.
- The error message for an unsupported architecture is in Chinese. It's better to use English for consistency with the rest of the script's output.
Here's a suggested change to address these points. Note that you will also need to update the make command on line 81 to use the new make_target variable.
| x86_64) | |
| defconfig="x86_64_defconfig" | |
| kernel_path="arch/x86/boot/compressed/vmlinux.bin" | |
| ;; | |
| aarch64) | |
| defconfig="defconfig" | |
| kernel_path="arch/arm64/boot/Image" | |
| ;; | |
| *) | |
| echo "错误:不支持的架构 ${arch}" | |
| exit 1 | |
| ;; | |
| case "${arch}" in | |
| x86_64) | |
| defconfig="x86_64_defconfig" | |
| kernel_path="arch/x86/boot/bzImage" | |
| make_target="bzImage" | |
| ;; | |
| aarch64) | |
| defconfig="defconfig" | |
| kernel_path="arch/arm64/boot/Image" | |
| make_target="Image" | |
| ;; | |
| *) | |
| echo "Error: Unsupported architecture ${arch}" | |
| exit 1 | |
| ;; | |
| esac |
examples/run_example_container.sh
Outdated
| "log_path":"ubuntu.log", | ||
| "linux": { | ||
| "security_context": { | ||
| "apparmor_profile": "unconfined", #禁用 AppArmor 的容器配置,容器运行起来后,执行sudo crictl exec -it container_id sh 可进入容器内 |
Drop the comment.
yes, deleted them
Removed unnecessary echo statements and comments for clarity. Signed-off-by: Kairus Zhang <[email protected]>
Repaired the details of version Signed-off-by: Kairus Zhang <[email protected]>
Signed-off-by: Kairus Zhang <[email protected]>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Signed-off-by: Kairus Zhang <[email protected]>
Signed-off-by: Kairus Zhang <[email protected]>
Signed-off-by: Kairus Zhang <[email protected]>
Add container.json linux->security_context "apparmor_profile":" unconfined" Signed-off-by: Kairus Zhang <[email protected]>
Signed-off-by: Kairus Zhang <[email protected]>
This will help Kuasar run Confidential Containers.