docs: Add some documentation details for VFIO

[amshinde]

Add explanation regarding how devices passed with VFIO can
be accessed with a container.

Fixes #1079

Signed-off-by: Archana Shinde [email protected]

[amshinde]

@egernst Can you take a look. I am planning to move this Kata eventually.

[mcastelino]

@amshinde we need to pass -v /dev:/dev so that the VM's /dev is passed into the container /dev right.

Do we filter out any of the /dev entries? Or for that matter just bind mount the /dev corresponding to the device to the container?

[amshinde]

@mcastelino yes, we are doing that so that devices created in the VM's /dev appear in the container /dev. We filter out initially by mounting /dev as tmpfs so we have a very limited set of devices to begin with and then use udev events to bind mount all devices that appear after the container has started. We dont have any filtering rules at present for the bind-mounting, these would be any devices that are created after the container has started mostly due to the user interacting on the container command line.

[amshinde]

@mcastelino For Kata, plan is to pass some predictable identifiers for the VFIO devices specifically so that we do not need to pass -v /dev. I am looking at things such as vendor-id that can be leveraged to identify the VFIO device passed, so that the corresponding device node can be created inside the container. Still looking at this.

[egernst]

I think this should be combined with the initial CLI example, and then perhaps explained as you did above.

There's no usefulness in passing it into the VM, but not the container, after all.

[mcastelino]

@amshinde per OCI spec, the devices are container specific resources. So this approach will work fine for docker containers. How do we plan to handle this for kubernetes PODs, where the devices may be spread across containers (i.e. each device belongs to a different container for example)

[amshinde]

@mcastelino Containers in a k8 pod should share the same mount namespace eventually.