From 74cc6b49a7b32e0b7f92321a3205d295b049ea9a Mon Sep 17 00:00:00 2001
From: Sun-ZhenXing <1006925066@qq.com>
Date: Mon, 29 Dec 2025 00:25:53 +0800
Subject: [PATCH] feat: add more DinD

---
 builds/debian-dind/.env.example | 29 ++++
 builds/debian-dind/Dockerfile | 62 +++++++++
 builds/debian-dind/README.md | 126 ++++++++++++++++++
 builds/debian-dind/README.zh.md | 126 ++++++++++++++++++
 builds/debian-dind/docker-compose.yaml | 90 +++++++++++++
 builds/debian-dind/dockerd-entrypoint.sh | 58 ++++++++
 builds/kata-inside-dind/.env.example | 36 +++++
 builds/kata-inside-dind/Dockerfile | 71 ++++++++++
 builds/kata-inside-dind/README.md | 112 ++++++++++++++++
 builds/kata-inside-dind/README.zh.md | 112 ++++++++++++++++
 builds/kata-inside-dind/docker-compose.yaml | 55 ++++++++
 builds/kata-inside-dind/dockerd-entrypoint.sh | 111 +++++++++++++++
 12 files changed, 988 insertions(+)
 create mode 100644 builds/debian-dind/.env.example
 create mode 100644 builds/debian-dind/Dockerfile
 create mode 100644 builds/debian-dind/README.md
 create mode 100644 builds/debian-dind/README.zh.md
 create mode 100644 builds/debian-dind/docker-compose.yaml
 create mode 100644 builds/debian-dind/dockerd-entrypoint.sh
 create mode 100644 builds/kata-inside-dind/.env.example
 create mode 100644 builds/kata-inside-dind/Dockerfile
 create mode 100644 builds/kata-inside-dind/README.md
 create mode 100644 builds/kata-inside-dind/README.zh.md
 create mode 100644 builds/kata-inside-dind/docker-compose.yaml
 create mode 100644 builds/kata-inside-dind/dockerd-entrypoint.sh

diff --git a/builds/debian-dind/.env.example b/builds/debian-dind/.env.example
new file mode 100644
index 0000000..2d4e62b
--- /dev/null
+++ b/builds/debian-dind/.env.example
@@ -0,0 +1,29 @@
+# Debian DinD Configuration
+
+# Timezone (default: UTC)
+TZ=UTC
+
+# Debian version (default: 13.2)
+DEBIAN_VERSION=13.2
+
+# Docker port override (default: 2375)
+DIND_PORT_OVERRIDE=2375
+
+# Install NVIDIA Container Toolkit for GPU support (default: false)
+INSTALL_NVIDIA_TOOLKIT=false
+
+# Enable GPU profile (set to --profile gpu when needed)
+# COMPOSE_PROFILES=gpu
+
+# Resource limits
+DIND_CPU_LIMIT=2.0
+DIND_MEMORY_LIMIT=4G
+DIND_CPU_RESERVATION=1.0
+DIND_MEMORY_RESERVATION=2G
+
+# Docker daemon options
+# Disable TLS for simplicity (not recommended for production)
+DOCKER_TLS_CERTDIR=
+
+# Data directory for named volume
+# DATA_DIR=./data
diff --git a/builds/debian-dind/Dockerfile b/builds/debian-dind/Dockerfile
new file mode 100644
index 0000000..13fce9c
--- /dev/null
+++ b/builds/debian-dind/Dockerfile
@@ -0,0 +1,62 @@
+ARG DEBIAN_VERSION=13.2
+FROM debian:${DEBIAN_VERSION}
+
+# Install dependencies
+# ca-certificates, curl, gnupg: for downloading Docker repo key
+# iptables: required for Docker networking
+# procps: for ps command
+# xz-utils, pigz: for compression
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    gnupg \
+    iptables \
+    procps \
+    e2fsprogs \
+    xfsprogs \
+    xz-utils \
+    pigz \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Docker
+# We use the official Docker repository for Debian
+RUN install -m 0755 -d /etc/apt/keyrings \
+    && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
+    && chmod a+r /etc/apt/keyrings/docker.gpg \
+    && echo \
+    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+    tee /etc/apt/sources.list.d/docker.list > /dev/null \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+    docker-ce \
+    docker-ce-cli \
+    containerd.io \
+    docker-buildx-plugin \
+    docker-compose-plugin \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install NVIDIA Container Toolkit (Optional)
+ARG INSTALL_NVIDIA_TOOLKIT=false
+RUN if [ "$INSTALL_NVIDIA_TOOLKIT" = "true" ]; then \
+    curl -fsSL https://nvidia.github.io/libnvidia-container/gpgkey | gpg --dearmor -o /usr/share/keyrings/nvidia-container-toolkit-keyring.gpg \
+    && curl -s -L https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list | \
+    sed 's#deb https://#deb [signed-by=/usr/share/keyrings/nvidia-container-toolkit-keyring.gpg] https://#g' | \
+    tee /etc/apt/sources.list.d/nvidia-container-toolkit.list \
+    && apt-get update \
+    && apt-get install -y nvidia-container-toolkit \
+    && nvidia-ctk runtime configure --runtime=docker \
+    && rm -rf /var/lib/apt/lists/*; \
+    fi
+
+# Set up dind
+# Docker needs a place to store data
+VOLUME /var/lib/docker
+
+# Copy entrypoint script
+COPY dockerd-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/dockerd-entrypoint.sh
+
+# Define entrypoint and default command
+ENTRYPOINT ["dockerd-entrypoint.sh"]
+CMD ["dockerd"]
diff --git a/builds/debian-dind/README.md b/builds/debian-dind/README.md
new file mode 100644
index 0000000..e33c96e
--- /dev/null
+++ b/builds/debian-dind/README.md
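Review bot: The NVIDIA block fetches the apt source list with `curl -s -L`, without `-f`, so an HTTP error body would be piped through sed into `/etc/apt/sources.list.d/nvidia-container-toolkit.list` and the build would only fail later at `apt-get update` with an unrelated message; use `curl -fsSL` as the key download two lines above already does. That same step's `apt-get install -y nvidia-container-toolkit` also lacks the `--no-install-recommends` every other install in this file uses. Neither Docker install in this commit pins package versions, so two builds of the same image tag can ship different engine versions; a build arg passed as `docker-ce=<pinned-version-placeholder>` (and the matching cli/containerd pins) would make the image reproducible and auditable. builds/kata-inside-dind/Dockerfile repeats the unpinned Docker install.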
@@ -0,0 +1,126 @@ +# Debian DinD + +A Docker-in-Docker (DinD) service based on Debian, allowing you to run Docker inside a Docker container. Useful for CI/CD pipelines, development environments, and containerized build systems. + +## Features + +- Based on latest stable Debian (13.2) +- Out-of-the-box Docker daemon +- Optional NVIDIA Container Toolkit for GPU support +- Resource limits configured +- Healthcheck included +- Customizable via environment variables + +## Quick Start + +1. Copy the example environment file: + + ```bash + cp .env.example .env + ``` + +2. Start the service: + + ```bash + docker compose up -d + ``` + +3. Verify Docker is running inside the container: + + ```bash + docker compose exec dind docker info + docker compose exec dind docker run hello-world + ``` + +## Configuration + +Key environment variables (see `.env.example` for all options): + +| Variable | Description | Default | +| ------------------------ | ----------------------------------- | ------- | +| `DEBIAN_VERSION` | Debian base image version | `13.2` | +| `DIND_PORT_OVERRIDE` | Host port for Docker daemon | `2375` | +| `INSTALL_NVIDIA_TOOLKIT` | Install NVIDIA toolkit during build | `false` | +| `TZ` | Timezone | `UTC` | +| `DIND_CPU_LIMIT` | CPU limit | `2.0` | +| `DIND_MEMORY_LIMIT` | Memory limit | `4G` | + +## GPU Support + +To use DinD with GPU support: + +1. Set `INSTALL_NVIDIA_TOOLKIT=true` in `.env` +2. Use the `gpu` profile: + + ```bash + docker compose --profile gpu up -d + ``` + +Or use the dedicated GPU service: + +```bash +docker compose up -d dind-gpu +``` + +## Security Considerations + +⚠️ **Important**: This service runs in privileged mode, which grants the container extensive access to the host system. Only use this in trusted environments. 
+ +- Privileged mode is required for DinD to function +- Docker daemon exposed on port 2375 without TLS (development only) +- For production, enable TLS by setting `DOCKER_TLS_CERTDIR=/certs` + +## Volume + +- `dind-data`: Stores Docker daemon data (images, containers, volumes) +- `dind-gpu-data`: Separate volume for GPU-enabled service + +## Resource Limits + +Default resource limits: + +- CPU: 2.0 cores (limit), 1.0 core (reservation) +- Memory: 4GB (limit), 2GB (reservation) + +Adjust these in `.env` based on your workload. + +## Advanced Usage + +### Connect from host + +You can connect to the Docker daemon from your host machine: + +```bash +export DOCKER_HOST=tcp://localhost:2375 +docker info +``` + +### Use in CI/CD + +Example GitLab CI configuration: + +```yaml +services: + - name: your-registry/debian-dind:latest + alias: docker + +variables: + DOCKER_HOST: tcp://docker:2375 +``` + +## Build Arguments + +When building the image manually: + +- `DEBIAN_VERSION`: Debian base version (default: `13.2`) +- `INSTALL_NVIDIA_TOOLKIT`: Install NVIDIA toolkit (default: `false`) + +Example: + +```bash +docker build --build-arg DEBIAN_VERSION=13.2 --build-arg INSTALL_NVIDIA_TOOLKIT=true -t debian-dind-gpu . +``` + +## License + +This configuration is provided as-is for use with the Compose Anything project. diff --git a/builds/debian-dind/README.zh.md b/builds/debian-dind/README.zh.md new file mode 100644 index 0000000..9d5a064 --- /dev/null +++ b/builds/debian-dind/README.zh.md 
@@ -0,0 +1,126 @@ +# Debian DinD + +基于 Debian 的 Docker-in-Docker(DinD)服务,允许你在 Docker 容器内运行 Docker。适用于 CI/CD 流水线、开发环境和容器化构建系统。 + +## 特性 + +- 基于最新稳定版 Debian(13.2) +- 开箱即用的 Docker 守护进程 +- 可选的 NVIDIA Container Toolkit,支持 GPU +- 配置了资源限制 +- 包含健康检查 +- 通过环境变量自定义配置 + +## 快速开始 + +1. 复制示例环境文件: + + ```bash + cp .env.example .env + ``` + +2. 启动服务: + + ```bash + docker compose up -d + ``` + +3. 验证 Docker 是否在容器内运行: + + ```bash + docker compose exec dind docker info + docker compose exec dind docker run hello-world + ``` + +## 配置说明 + +主要环境变量(查看 `.env.example` 了解所有选项): + +| 变量 | 说明 | 默认值 | +| ------------------------ | ------------------------- | ------- | +| `DEBIAN_VERSION` | Debian 基础镜像版本 | `13.2` | +| `DIND_PORT_OVERRIDE` | Docker 守护进程的主机端口 | `2375` | +| `INSTALL_NVIDIA_TOOLKIT` | 构建时安装 NVIDIA 工具包 | `false` | +| `TZ` | 时区 | `UTC` | +| `DIND_CPU_LIMIT` | CPU 限制 | `2.0` | +| `DIND_MEMORY_LIMIT` | 内存限制 | `4G` | + +## GPU 支持 + +使用 GPU 支持的 DinD: + +1. 在 `.env` 中设置 `INSTALL_NVIDIA_TOOLKIT=true` +2. 使用 `gpu` profile: + + ```bash + docker compose --profile gpu up -d + ``` + +或使用专用的 GPU 服务: + +```bash +docker compose up -d dind-gpu +``` + +## 安全注意事项 + +⚠️ **重要**:此服务以特权模式运行,这会授予容器对主机系统的广泛访问权限。仅在可信环境中使用。 + +- DinD 运行需要特权模式 +- Docker 守护进程在端口 2375 上暴露,未启用 TLS(仅用于开发) +- 生产环境请通过设置 `DOCKER_TLS_CERTDIR=/certs` 启用 TLS + +## 数据卷 + +- `dind-data`:存储 Docker 守护进程数据(镜像、容器、卷) +- `dind-gpu-data`:GPU 服务的独立数据卷 + +## 资源限制 + +默认资源限制: + +- CPU:2.0 核心(限制),1.0 核心(预留) +- 内存:4GB(限制),2GB(预留) + +根据你的工作负载在 `.env` 中调整这些值。 + +## 高级用法 + +### 从主机连接 + +你可以从主机连接到 Docker 守护进程: + +```bash +export DOCKER_HOST=tcp://localhost:2375 +docker info +``` + +### 在 CI/CD 中使用 + +GitLab CI 配置示例: + +```yaml +services: + - name: your-registry/debian-dind:latest + alias: docker + +variables: + DOCKER_HOST: tcp://docker:2375 +``` + +## 构建参数 + +手动构建镜像时: + +- `DEBIAN_VERSION`:Debian 基础版本(默认:`13.2`) +- `INSTALL_NVIDIA_TOOLKIT`:安装 NVIDIA 工具包(默认:`false`) + +示例: + +```bash +docker build --build-arg DEBIAN_VERSION=13.2 --build-arg 
INSTALL_NVIDIA_TOOLKIT=true -t debian-dind-gpu . +``` + +## 许可证 + +此配置按原样提供,用于 Compose Anything 项目。 diff --git a/builds/debian-dind/docker-compose.yaml b/builds/debian-dind/docker-compose.yaml new file mode 100644 index 0000000..3695ca7 --- /dev/null +++ b/builds/debian-dind/docker-compose.yaml 
@@ -0,0 +1,90 @@
+# Docker-in-Docker (DinD) service based on Debian
+# This allows running Docker inside a Docker container
+
+x-defaults: &defaults
+  restart: unless-stopped
+  logging:
+    driver: json-file
+    options:
+      max-size: 100m
+      max-file: "3"
+
+services:
+  dind:
+    <<: *defaults
+    image: ${GLOBAL_REGISTRY:-}alexsuntop/debian-dind:${DEBIAN_DIND_VERSION:-0.1.0}
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        - DEBIAN_VERSION=${DEBIAN_VERSION:-13.2}
+        - INSTALL_NVIDIA_TOOLKIT=${INSTALL_NVIDIA_TOOLKIT:-false}
+    privileged: true
+    ports:
+      - "${DIND_PORT_OVERRIDE:-2375}:2375"
+    volumes:
+      - dind-data:/var/lib/docker
+    environment:
+      - TZ=${TZ:-UTC}
+      - DOCKER_TLS_CERTDIR=${DOCKER_TLS_CERTDIR:-}
+    healthcheck:
+      test: ["CMD", "docker", "info"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    deploy:
+      resources:
+        limits:
+          cpus: ${DIND_CPU_LIMIT:-2.0}
+          memory: ${DIND_MEMORY_LIMIT:-4G}
+        reservations:
+          cpus: ${DIND_CPU_RESERVATION:-1.0}
+          memory: ${DIND_MEMORY_RESERVATION:-2G}
+    profiles:
+      - ${COMPOSE_PROFILES:-}
+
+  # GPU-enabled DinD (optional)
+  dind-gpu:
+    <<: *defaults
+    image: ${GLOBAL_REGISTRY:-}alexsuntop/debian-dind:${DEBIAN_DIND_GPU_VERSION:-0.1.0-gpu}
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        - DEBIAN_VERSION=${DEBIAN_VERSION:-13.2}
+        - INSTALL_NVIDIA_TOOLKIT=true
+    privileged: true
+    ports:
+      - "${DIND_PORT_OVERRIDE:-2375}:2375"
+    volumes:
+      - dind-gpu-data:/var/lib/docker
+    environment:
+      - TZ=${TZ:-UTC}
+      - DOCKER_TLS_CERTDIR=${DOCKER_TLS_CERTDIR:-}
+      - NVIDIA_VISIBLE_DEVICES=all
+      - NVIDIA_DRIVER_CAPABILITIES=compute,utility
+    healthcheck:
+      test: ["CMD", "docker", "info"]
+      interval: 30s
+      timeout: 10s
+      retries: 3
+      start_period: 30s
+    deploy:
+      resources:
+        limits:
+          cpus: ${DIND_CPU_LIMIT:-2.0}
+          memory: ${DIND_MEMORY_LIMIT:-4G}
+        reservations:
+          cpus: ${DIND_CPU_RESERVATION:-1.0}
+          memory: ${DIND_MEMORY_RESERVATION:-2G}
+          devices:
+            - driver: nvidia
+              count: 1
+              capabilities: [gpu]
+    profiles:
+      - gpu
+
+volumes:
+  dind-data:
+  dind-gpu-data:
diff --git a/builds/debian-dind/dockerd-entrypoint.sh b/builds/debian-dind/dockerd-entrypoint.sh
new file mode 100644
index 0000000..e0fc9c1
--- /dev/null
+++ b/builds/debian-dind/dockerd-entrypoint.sh
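Review bot: `ports` publishes `${DIND_PORT_OVERRIDE:-2375}:2375` on every host interface for both services, and with `DOCKER_TLS_CERTDIR` empty by default that is an unauthenticated Docker API on a privileged container, i.e. root on the host for anyone who can reach the port; bind to loopback by default, `- "127.0.0.1:${DIND_PORT_OVERRIDE:-2375}:2375"`, and let operators widen it deliberately. Because `dind` and `dind-gpu` publish the same host port they cannot run together, yet `dind`'s `profiles: - ${COMPOSE_PROFILES:-}` appears intended to make it follow whatever profile is active, which would select both services when `gpu` is chosen. I believe an empty profile name also fails Compose schema validation, so the default (no profile) case should be tried as well. Dropping `profiles` from `dind` and keeping `gpu` only on `dind-gpu` gives exactly one service per invocation.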
@@ -0,0 +1,58 @@
+#!/bin/sh
+set -e
+
+# Adapted from official docker-library/docker dind entrypoint
+# https://github.com/docker-library/docker/blob/master/24/dind/dockerd-entrypoint.sh
+
+if [ -z "$DOCKER_HOST" ]; then
+  case "$1" in
+    dockerd*)
+      # If we're running dockerd, we need to make sure we have cgroups mounted
+      if [ ! -d /sys/fs/cgroup ]; then
+        mkdir -p /sys/fs/cgroup
+      fi
+      if ! mountpoint -q /sys/fs/cgroup; then
+        mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
+      fi
+
+      # Mount cgroup v2 if available and not mounted
+      if [ -e /sys/fs/cgroup/cgroup.controllers ] && ! mountpoint -q /sys/fs/cgroup; then
+        mount -t cgroup2 -o nsdelegate cgroup2 /sys/fs/cgroup
+      fi
+
+      # If /sys/fs/cgroup is not a cgroup2 mount, we might need to mount cgroup v1 hierarchies
+      if ! mountpoint -q /sys/fs/cgroup || [ "$(stat -f -c %T /sys/fs/cgroup)" != "cgroup2fs" ]; then
+        if [ -d /sys/fs/cgroup/cgroup.controllers ]; then
+          # It is cgroup2 but maybe not mounted as such?
+          # Actually if it exists, it's likely v2.
+          :
+        else
+          # cgroup v1
+          for subsystem in $(awk '/^[^#]/ { print $1 }' /proc/cgroups); do
+            mkdir -p "/sys/fs/cgroup/$subsystem"
+            if ! mountpoint -q "/sys/fs/cgroup/$subsystem"; then
+              mount -t cgroup -o "$subsystem" cgroup "/sys/fs/cgroup/$subsystem"
+            fi
+          done
+        fi
+      fi
+      ;;
+  esac
+fi
+
+if [ "$1" = 'dockerd' ] || [ "${1#-}" != "$1" ]; then
+  # if the first argument is "dockerd" or a flag (starts with -)
+  if [ "${1#-}" != "$1" ]; then
+    set -- dockerd "$@"
+  fi
+
+  # Explicitly use iptables-legacy if available, as it is often more stable for DinD
+  if command -v update-alternatives >/dev/null; then
+    if update-alternatives --query iptables | grep -q "iptables-legacy"; then
+      update-alternatives --set iptables /usr/sbin/iptables-legacy || true
+      update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true
+    fi
+  fi
+fi
+
+exec "$@"
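Review bot: `DOCKER_TLS_CERTDIR` is passed in by docker-compose.yaml but never read here, and unlike the upstream entrypoint this adaptation never adds a `--host` listener, so unless a daemon.json elsewhere in the image sets `hosts` (the Dockerfile creates none), `dockerd` serves only the unix socket, the published port 2375 reaches nothing, and the README's "enable TLS by setting `DOCKER_TLS_CERTDIR=/certs`" has no implementation behind it. Either port upstream's handling (certificate generation plus a `--host=tcp://0.0.0.0:2376 --tlsverify` listener only when the directory is set) or state in the README that the image listens on the unix socket only; adding a plain tcp listener without TLS would turn the port the compose file publishes into an unauthenticated root-equivalent API. `[ -d /sys/fs/cgroup/cgroup.controllers ]` tests a regular file with `-d`, so that branch is never taken, and the earlier `[ -e /sys/fs/cgroup/cgroup.controllers ] && ! mountpoint -q /sys/fs/cgroup` cannot fire either because the tmpfs mount just above guarantees `mountpoint -q` succeeds; `-f` was probably meant, and the dead branches should go or carry a comment explaining why they stay. builds/kata-inside-dind/dockerd-entrypoint.sh carries the same cgroup block with the same two issues.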
diff --git a/builds/kata-inside-dind/.env.example b/builds/kata-inside-dind/.env.example
new file mode 100644
index 0000000..0539ab8
--- /dev/null
+++ b/builds/kata-inside-dind/.env.example
@@ -0,0 +1,36 @@
+# Global Registry (optional)
+# GLOBAL_REGISTRY=registry.example.com/
+
+# Debian Version
+DEBIAN_VERSION=13.2
+
+# Kata Containers Version
+KATA_VERSION=3.24.0
+
+# Firecracker Version
+# Version of Firecracker VMM to install
+FIRECRACKER_VERSION=1.10.1
+
+# Kata DinD Image Version
+# Built image version tag
+KATA_DIND_VERSION=0.2.0
+
+# Timezone
+# Set the timezone for the container
+TZ=UTC
+
+# Kata Logging Level
+# Options: debug, info, warn, error
+KATA_LOGGING_LEVEL=info
+
+# Resource Limits
+# CPU limit (cores)
+KATA_DIND_CPU_LIMIT=2.00
+# Memory limit
+KATA_DIND_MEMORY_LIMIT=4G
+
+# Resource Reservations
+# CPU reservation (cores)
+KATA_DIND_CPU_RESERVATION=0.50
+# Memory reservation
+KATA_DIND_MEMORY_RESERVATION=1G
diff --git a/builds/kata-inside-dind/Dockerfile b/builds/kata-inside-dind/Dockerfile
new file mode 100644
index 0000000..f3de758
--- /dev/null
+++ b/builds/kata-inside-dind/Dockerfile
@@ -0,0 +1,71 @@
+ARG DEBIAN_VERSION=13.2
+FROM debian:${DEBIAN_VERSION}
+
+# Install dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    curl \
+    gnupg \
+    iptables \
+    procps \
+    e2fsprogs \
+    xfsprogs \
+    xz-utils \
+    pigz \
+    zstd \
+    kmod \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Docker
+RUN install -m 0755 -d /etc/apt/keyrings \
+    && curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
+    && chmod a+r /etc/apt/keyrings/docker.gpg \
+    && echo \
+    "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian \
+    $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
+    tee /etc/apt/sources.list.d/docker.list > /dev/null \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+    docker-ce \
+    docker-ce-cli \
+    containerd.io \
+    docker-buildx-plugin \
+    docker-compose-plugin \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Kata Containers (Static Binaries)
+ARG KATA_VERSION=3.24.0
+ARG ARCH=amd64
+RUN curl -fsSL https://github.com/kata-containers/kata-containers/releases/download/${KATA_VERSION}/kata-static-${KATA_VERSION}-${ARCH}.tar.zst -o kata-static.tar.zst \
+    && tar -I zstd -xvf kata-static.tar.zst -C / \
+    && rm kata-static.tar.zst \
+    && ln -s /opt/kata/bin/kata-runtime /usr/bin/kata-runtime \
+    && ln -s /opt/kata/bin/containerd-shim-kata-v2 /usr/bin/containerd-shim-kata-v2 \
+    && ln -s /opt/kata/bin/kata-monitor /usr/bin/kata-monitor \
+    && ln -s /opt/kata/bin/kata-collect-data /usr/bin/kata-collect-data \
+    && ln -s /opt/kata/bin/qemu-system-x86_64 /usr/bin/qemu-system-x86_64 || true \
+    && ln -s /opt/kata/libexec/virtiofsd /usr/bin/virtiofsd || true
+
+# Configure Kata
+RUN mkdir -p /etc/kata-containers \
+    && cp /opt/kata/share/defaults/kata-containers/configuration-qemu.toml /etc/kata-containers/ \
+    && cp /opt/kata/share/defaults/kata-containers/configuration-fc.toml /etc/kata-containers/ || true
+
+# Install Firecracker
+ARG FIRECRACKER_VERSION=1.14.0
+RUN if [ "${ARCH}" = "amd64" ]; then ARCH="x86_64"; fi \
+    && curl -fsSL https://github.com/firecracker-microvm/firecracker/releases/download/v${FIRECRACKER_VERSION}/firecracker-v${FIRECRACKER_VERSION}-${ARCH}.tgz -o firecracker.tgz \
+    && tar -xzf firecracker.tgz \
+    && mv release-v${FIRECRACKER_VERSION}-${ARCH}/firecracker-v${FIRECRACKER_VERSION}-${ARCH} /usr/local/bin/firecracker \
+    && chmod +x /usr/local/bin/firecracker \
+    && rm -rf release-v${FIRECRACKER_VERSION}-${ARCH} firecracker.tgz
+
+# Set up dind
+VOLUME /var/lib/docker
+
+# Copy entrypoint script
+COPY dockerd-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/dockerd-entrypoint.sh
+
+ENTRYPOINT ["dockerd-entrypoint.sh"]
+CMD ["dockerd"]
diff --git a/builds/kata-inside-dind/README.md b/builds/kata-inside-dind/README.md
new file mode 100644
index 0000000..6dadac2
--- /dev/null
+++ b/builds/kata-inside-dind/README.md
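Review bot: In the Kata install step the trailing `|| true` on the `qemu-system-x86_64` line does not guard only that `ln -s`: `&&` and `||` bind equally and evaluate left to right, so it swallows failure of the whole chain before it, including the `curl` download and the `tar` extraction into `/`, and the image can build successfully with no Kata binaries at all; the Configure Kata step has the same flaw, where `|| true` after the second `cp` masks the `mkdir` and the first `cp`. Scope the fallback to the optional command instead: `&& { ln -s /opt/kata/bin/qemu-system-x86_64 /usr/bin/qemu-system-x86_64 || true; } \`, `&& { ln -s /opt/kata/libexec/virtiofsd /usr/bin/virtiofsd || true; }`, and `&& { cp /opt/kata/share/defaults/kata-containers/configuration-fc.toml /etc/kata-containers/ || true; }`. Both release archives are unpacked without any integrity check (the Kata one straight into `/`), so a swapped or tampered release asset becomes the container runtime; pin an expected digest through a build arg, e.g. `ARG KATA_SHA256=<expected-sha256-placeholder>`, and verify with `echo "${KATA_SHA256}  kata-static.tar.zst" | sha256sum -c -` before `tar`. `FIRECRACKER_VERSION` defaults to `1.14.0` here and in docker-compose.yaml while `.env.example` and both READMEs state `1.10.1`; one of them is wrong.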
@@ -0,0 +1,112 @@ +# Kata Containers inside Docker-in-Docker + +[中文文档](README.zh.md) + +A VM-based container runtime (Kata Containers with Firecracker VMM) running inside a Docker-in-Docker (DinD) container. This setup provides lightweight virtual machines with strong security isolation while maintaining container-like performance and simplicity. Kata Containers can use multiple hypervisors (QEMU, Firecracker, Cloud Hypervisor), and this image includes Firecracker by default for optimal performance. + +## Features + +- ✅ Complete Kata Containers runtime with official installation +- ✅ Firecracker VMM for lightweight VM isolation +- ✅ QEMU fallback support +- ✅ Docker-in-Docker support for managing containers +- ✅ VM-based container isolation with hardware security +- ✅ Resource limits to prevent system exhaustion +- ✅ Health checks for runtime readiness +- ✅ Persistent storage for Kata and Docker data +- ✅ Configurable logging levels +- ✅ Compatible with Kubernetes via RuntimeClass + +## Prerequisites + +**Critical Requirements:** + +- Docker Engine 20.10+ +- Docker Compose 2.0+ +- **Host machine must support nested virtualization (KVM)** +- `/dev/kvm` device available on the host +- `/lib/modules` available on the host (for kernel module verification) +- At least 2 CPU cores and 4GB RAM available +- Privileged container support required + +### Verify Host Prerequisites + +```bash +# Check if KVM is available +ls -l /dev/kvm + +# For Intel CPUs, verify nested virtualization is enabled +cat /sys/module/kvm_intel/parameters/nested +# Should output 'Y' or '1'. If not: +# sudo modprobe -r kvm_intel +# sudo modprobe kvm_intel nested=1 +``` + +## Quick Start + +1. Copy the environment file: + + ```bash + cp .env.example .env + ``` + +2. (Optional) Customize the configuration in `.env` + +3. Build and start the service: + + ```bash + docker compose up -d --build + ``` + +4. Wait for Kata runtime to be ready: + + ```bash + docker compose logs -f kata-dind + ``` + +5. 
Access the Docker daemon inside: + + ```bash + # Get the container ID + docker compose ps + + # Execute commands inside the container + docker compose exec kata-dind docker ps + + # Run a container with Kata runtime (Firecracker) + docker compose exec kata-dind docker run --rm --runtime=kata-fc debian:bookworm uname -a + + # Or run with QEMU (fallback) + docker compose exec kata-dind docker run --rm --runtime=kata debian:bookworm uname -a + ``` + +## Configuration + +### Environment Variables + +| Variable | Default | Description | +| ------------------------------ | -------- | --------------------------------------------- | +| `DEBIAN_VERSION` | `13.2` | Base Debian version | +| `KATA_VERSION` | `3.24.0` | Kata Containers version | +| `FIRECRACKER_VERSION` | `1.10.1` | Version of Firecracker VMM to install | +| `KATA_DIND_VERSION` | `0.2.0` | Built image version tag | +| `TZ` | `UTC` | Timezone for the container | +| `KATA_LOGGING_LEVEL` | `info` | Kata logging level (debug, info, warn, error) | +| `KATA_DIND_CPU_LIMIT` | `2.00` | CPU limit in cores | +| `KATA_DIND_MEMORY_LIMIT` | `4G` | Memory limit | +| `KATA_DIND_CPU_RESERVATION` | `0.50` | CPU reservation in cores | +| `KATA_DIND_MEMORY_RESERVATION` | `1G` | Memory reservation | + +## Usage Examples + +### Running a Secure Container + +```bash +docker compose exec kata-dind docker run -it --rm --runtime=kata-fc alpine sh +``` + +### Checking Runtime Information + +```bash +docker compose exec kata-dind docker info | grep -i runtime +``` diff --git a/builds/kata-inside-dind/README.zh.md b/builds/kata-inside-dind/README.zh.md new file mode 100644 index 0000000..d104540 --- /dev/null +++ b/builds/kata-inside-dind/README.zh.md 
@@ -0,0 +1,112 @@ +# Kata 容器在 Docker-in-Docker 中运行 + +[English Documentation](README.md) + +一个基于虚拟机的容器运行时(Kata Containers 与 Firecracker VMM)在 Docker-in-Docker(DinD)容器内运行。此设置提供轻量级虚拟机,具有强安全隔离的同时保持容器的性能和简洁性。Kata Containers 支持多种虚拟机管理器(QEMU、Firecracker、Cloud Hypervisor),此镜像默认包含 Firecracker 以获得最佳性能。 + +## 特性 + +- ✅ 使用官方安装脚本的完整 Kata Containers 运行时 +- ✅ Firecracker VMM 提供轻量级 VM 隔离 +- ✅ QEMU 回退支持 +- ✅ Docker-in-Docker 支持容器管理 +- ✅ 基于 VM 的容器隔离和硬件安全性 +- ✅ 资源限制防止系统资源耗尽 +- ✅ 运行时就绪性的健康检查 +- ✅ Kata 和 Docker 数据的持久化存储 +- ✅ 可配置的日志级别 +- ✅ 通过 RuntimeClass 与 Kubernetes 兼容 + +## 前置条件 + +**关键要求:** + +- Docker Engine 20.10+ +- Docker Compose 2.0+ +- **宿主机必须支持嵌套虚拟化(KVM)** +- 宿主机上 `/dev/kvm` 设备可用 +- 宿主机上 `/lib/modules` 可用(用于内核模块验证) +- 至少 2 个 CPU 核心和 4GB RAM +- 需要特权容器支持 + +### 验证宿主机前置条件 + +```bash +# 检查 KVM 是否可用 +ls -l /dev/kvm + +# 对于 Intel CPU,验证嵌套虚拟化是否启用 +cat /sys/module/kvm_intel/parameters/nested +# 应该输出 'Y' 或 '1'。如果不是: +# sudo modprobe -r kvm_intel +# sudo modprobe kvm_intel nested=1 +``` + +## 快速开始 + +1. 复制环境文件: + + ```bash + cp .env.example .env + ``` + +2. (可选)在 `.env` 中自定义配置 + +3. 构建并启动服务: + + ```bash + docker compose up -d --build + ``` + +4. 等待 Kata 运行时就绪: + + ```bash + docker compose logs -f kata-dind + ``` + +5. 
访问容器内的 Docker 守护进程: + + ```bash + # 获取容器 ID + docker compose ps + + # 在容器内执行命令 + docker compose exec kata-dind docker ps + + # 使用 Firecracker 运行时运行容器 + docker compose exec kata-dind docker run --rm --runtime=kata-fc debian:bookworm uname -a + + # 或使用 QEMU(回退方案) + docker compose exec kata-dind docker run --rm --runtime=kata debian:bookworm uname -a + ``` + +## 配置 + +### 环境变量 + +| 变量 | 默认值 | 说明 | +| ------------------------------ | -------- | ----------------------------------------- | +| `DEBIAN_VERSION` | `13.2` | 基础 Debian 版本 | +| `KATA_VERSION` | `3.24.0` | Kata Containers 版本 | +| `FIRECRACKER_VERSION` | `1.10.1` | 要安装的 Firecracker VMM 版本 | +| `KATA_DIND_VERSION` | `0.2.0` | 构建的镜像版本标签 | +| `TZ` | `UTC` | 容器的时区 | +| `KATA_LOGGING_LEVEL` | `info` | Kata 日志级别(debug、info、warn、error) | +| `KATA_DIND_CPU_LIMIT` | `2.00` | CPU 限制(核心数) | +| `KATA_DIND_MEMORY_LIMIT` | `4G` | 内存限制 | +| `KATA_DIND_CPU_RESERVATION` | `0.50` | CPU 预留(核心数) | +| `KATA_DIND_MEMORY_RESERVATION` | `1G` | 内存预留 | + +## 使用示例 + +### 运行安全容器 + +```bash +docker compose exec kata-dind docker run -it --rm --runtime=kata-fc alpine sh +``` + +### 检查运行时信息 + +```bash +docker compose exec kata-dind docker info | grep -i runtime +``` diff --git a/builds/kata-inside-dind/docker-compose.yaml b/builds/kata-inside-dind/docker-compose.yaml new file mode 100644 index 0000000..873f131 --- /dev/null +++ b/builds/kata-inside-dind/docker-compose.yaml 
@@ -0,0 +1,55 @@
+# Kata Containers inside Docker-in-Docker
+# A VM-based container runtime running inside a Docker container with Docker daemon
+# See README.md for usage instructions
+
+x-defaults: &defaults
+  restart: unless-stopped
+  logging:
+    driver: json-file
+    options:
+      max-size: 100m
+      max-file: "3"
+
+services:
+  kata-dind:
+    <<: *defaults
+    image: ${GLOBAL_REGISTRY:-}alexsuntop/kata-inside-dind:${KATA_DIND_VERSION:-0.2.0}
+    build:
+      context: .
+      dockerfile: Dockerfile
+      args:
+        DEBIAN_VERSION: ${DEBIAN_VERSION:-13.2}
+        KATA_VERSION: ${KATA_VERSION:-3.24.0}
+        FIRECRACKER_VERSION: ${FIRECRACKER_VERSION:-1.14.0}
+    privileged: true
+    devices:
+      - /dev/kvm:/dev/kvm
+      - /dev/net/tun:/dev/net/tun
+      - /dev/vhost-net:/dev/vhost-net
+      - /dev/vhost-vsock:/dev/vhost-vsock
+    volumes:
+      - kata_data:/var/lib/kata
+      - docker_data:/var/lib/docker
+      - /lib/modules:/lib/modules:ro
+    environment:
+      - TZ=${TZ:-UTC}
+      - DOCKER_TLS_CERTDIR=${DOCKER_TLS_CERTDIR:-}
+      - KATA_LOGGING_LEVEL=${KATA_LOGGING_LEVEL:-info}
+    healthcheck:
+      test: ["CMD", "docker", "info"]
+      interval: 30s
+      timeout: 10s
+      retries: 5
+      start_period: 60s
+    deploy:
+      resources:
+        limits:
+          cpus: ${KATA_DIND_CPU_LIMIT:-2.00}
+          memory: ${KATA_DIND_MEMORY_LIMIT:-4G}
+        reservations:
+          cpus: ${KATA_DIND_CPU_RESERVATION:-0.50}
+          memory: ${KATA_DIND_MEMORY_RESERVATION:-1G}
+
+volumes:
+  kata_data:
+  docker_data:
diff --git a/builds/kata-inside-dind/dockerd-entrypoint.sh b/builds/kata-inside-dind/dockerd-entrypoint.sh
new file mode 100644
index 0000000..f1385ee
--- /dev/null
+++ b/builds/kata-inside-dind/dockerd-entrypoint.sh
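Review bot: The healthcheck `["CMD", "docker", "info"]` only proves dockerd answers; it says nothing about the `kata` and `kata-fc` runtimes the README advertises being registered, so a broken runtime configuration still reports healthy. If the daemon.json written by the entrypoint is what registers them, `test: ["CMD-SHELL", "docker info --format '{{json .Runtimes}}' | grep -q kata"]` would check what the service is actually for. `DOCKER_TLS_CERTDIR` is exported here but nothing in the legible part of the entrypoint consumes it; either wire it up or drop the variable so the file does not imply TLS is configurable.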
@@ -0,0 +1,111 @@ +#!/bin/sh +set -e + +# Adapted from official docker-library/docker dind entrypoint +# https://github.com/docker-library/docker/blob/master/24/dind/dockerd-entrypoint.sh + +if [ -z "$DOCKER_HOST" ]; then + case "$1" in + dockerd*) + # If we're running dockerd, we need to make sure we have cgroups mounted + if [ ! -d /sys/fs/cgroup ]; then + mkdir -p /sys/fs/cgroup + fi + if ! mountpoint -q /sys/fs/cgroup; then + mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup + fi + + # Mount cgroup v2 if available and not mounted + if [ -e /sys/fs/cgroup/cgroup.controllers ] && ! mountpoint -q /sys/fs/cgroup; then + mount -t cgroup2 -o nsdelegate cgroup2 /sys/fs/cgroup + fi + + # If /sys/fs/cgroup is not a cgroup2 mount, we might need to mount cgroup v1 hierarchies + if ! mountpoint -q /sys/fs/cgroup || [ "$(stat -f -c %T /sys/fs/cgroup)" != "cgroup2fs" ]; then + if [ -d /sys/fs/cgroup/cgroup.controllers ]; then + # It is cgroup2 but maybe not mounted as such? + # Actually if it exists, it's likely v2. + : + else + # cgroup v1 + for subsystem in $(awk '/^[^#]/ { print $1 }' /proc/cgroups); do + mkdir -p "/sys/fs/cgroup/$subsystem" + if ! 
mountpoint -q "/sys/fs/cgroup/$subsystem"; then + mount -t cgroup -o "$subsystem" cgroup "/sys/fs/cgroup/$subsystem" + fi + done + fi + fi + ;; + esac +fi + +# Configure Docker daemon with Kata runtime support +mkdir -p /etc/docker +cat > /etc/docker/daemon.json </dev/null; then + if [ -w /etc/kata-containers/configuration-fc.toml ]; then + sed -i 's|path = ".*firecracker"|path = "/usr/local/bin/firecracker"|g' /etc/kata-containers/configuration-fc.toml || true + fi + fi +fi + +# Enable debug logging if requested +if [ "${KATA_LOGGING_LEVEL}" = "debug" ]; then + echo "[INFO] Enabling debug logging for Kata" + for config in /etc/kata-containers/configuration-*.toml; do + if [ -f "$config" ]; then + sed -i 's/enable_debug = false/enable_debug = true/g' "$config" + sed -i 's/#log_path = .*/log_path = "\/var\/log\/kata\/kata.log"/g' "$config" + sed -i 's/level = "info"/level = "debug"/g' "$config" + fi + done + mkdir -p /var/log/kata +fi + +if [ "$1" = 'dockerd' ] || [ "${1#-}" != "$1" ]; then + # if the first argument is "dockerd" or a flag (starts with -) + if [ "${1#-}" != "$1" ]; then + set -- dockerd "$@" + fi + + # Explicitly use iptables-legacy if available, as it is often more stable for DinD + if command -v update-alternatives >/dev/null; then + if update-alternatives --query iptables | grep -q "iptables-legacy"; then + update-alternatives --set iptables /usr/sbin/iptables-legacy || true + update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true + fi + fi +fi + +exec "$@"
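Review bot: `cat > /etc/docker/daemon.json` runs unconditionally on every start, so any daemon.json an operator bind-mounts or bakes into a derived image is silently overwritten; the heredoc body is not legible in this rendering so I cannot review its content, but the write should either be guarded, `[ -e /etc/docker/daemon.json ] || cat > /etc/docker/daemon.json <<EOF`, or documented as authoritative. The Firecracker path fix-up ends in `sed -i ... || true`, which hides a sed failure for no gain since the `[ -w /etc/kata-containers/configuration-fc.toml ]` test already guards the expected case; drop the `|| true`. The debug block's `echo "[INFO] Enabling debug logging for Kata"` goes to stdout, where it interleaves with dockerd's own output; `>&2` keeps entrypoint diagnostics on stderr like the rest of the image's logging.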