Skip to content
This repository was archived by the owner on May 6, 2020. It is now read-only.

docs: Add some documentation details for VFIO #1080

Closed
wants to merge 1 commit into from

Conversation

amshinde
Copy link
Contributor

Add explanation regarding how devices passed with VFIO can
be accessed with a container.

Fixes #1079

Signed-off-by: Archana Shinde [email protected]

Add explanation regarding how devices passed with VFIO can
be accessed with a container.

Fixes clearcontainers#1079

Signed-off-by: Archana Shinde <[email protected]>
@amshinde amshinde requested review from klynnrif and egernst March 20, 2018 18:56
@amshinde
Copy link
Contributor Author

@egernst Can you take a look. I am planning to move this Kata eventually.

@amshinde amshinde requested a review from mcastelino March 20, 2018 20:13
Copy link
Contributor

@mcastelino mcastelino left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@amshinde we need to pass -v /dev:/dev so that the VM's /dev is passed into the container /dev right.

Do we filter out any of the /dev entries? Or for that matter just bind mount the /dev corresponding to the device to the container?

@amshinde
Copy link
Contributor Author

@mcastelino yes, we are doing that so that devices created in the VM's /dev appear in the container /dev. We filter out initially by mounting /dev as tmpfs so we have a very limited set of devices to begin with and then use udev events to bind mount all devices that appear after the container has started. We dont have any filtering rules at present for the bind-mounting, these would be any devices that are created after the container has started mostly due to the user interacting on the container command line.

@amshinde
Copy link
Contributor Author

@mcastelino For Kata, plan is to pass some predictable identifiers for the VFIO devices specifically so that we do not need to pass -v /dev. I am looking at things such as vendor-id that can be leveraged to identify the VFIO device passed, so that the corresponding device node can be created inside the container. Still looking at this.

while starting a container as shown below:

```
$ sudo docker run -it -v /dev:/dev --device=/dev/vfio/16 centos/tools bash
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this should be combined with the initial CLI example, and then perhaps explained as you did above.

There's no usefulness in passing it into the VM, but not the container, after all.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@amshinde per OCI spec, the devices are container specific resources. So this approach will work fine for docker containers. How do we plan to handle this for kubernetes PODs, where the devices may be spread across containers (i.e. each device belongs to a different container for example)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mcastelino Containers in a k8 pod should share the same mount namespace eventually.

@egernst egernst closed this Mar 26, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants