• Debug mode
• Developer mode
• Enable trace support
• Enable debug console
• cpuset cgroup details
• Hotplug Timeout
• Cgroups V2

This project implements an agent called kata-agent that runs inside a virtual machine (VM).

The agent manages container processes inside the VM, on behalf of the runtime running on the host.

To enable agent debug output, add the agent.log=debug option to the guest kernel command line.

See the developer guide for further details.

Add agent.devmode to the guest kernel command line to allow the agent process to coredump (disabled by default). Specifying this option implicitly enables debug mode.

See the tracing guide.

Add agent.debug_console to the guest kernel command line to allow the agent process to start a debug console. Debug console is only available if bash or sh is installed in the rootfs or initrd image. Developers can connect to the virtual machine using the debug console

Firecracker doesn't have a UNIX socket connected to /dev/console, hence the kernel command line option agent.debug_console will not work for firecracker. Fortunately, firecracker supports hybrid vsocks, and they can be used to communicate processes in the guest with processes in the host. The kernel command line option agent.debug_console_vport was added to allow developers specify on which vsock port the debugging console should be connected.

In firecracker, the UNIX socket that is connected to the vsock end is created at /var/lib/vc/firecracker/$CID/root/kata.hvsock, where $CID is the container ID.

Run the following commands to have a debugging console in firecracker.

$ conf="/usr/share/defaults/kata-containers/configuration.toml"
$ sudo sed -i 's/^kernel_params.*/kernel_params="agent.debug_console_vport=1026"/g' "${conf}"
$ sudo su -c 'cd /var/lib/vc/firecracker/08facf/root/ && socat stdin unix-connect:kata.hvsock'
CONNECT 1026

NOTE: Ports 1024 and 1025 are reserved for communication with the agent and gathering of agent logs respectively

See the cpuset cgroup documentation.

When hot plugging devices into the Kata VM, the agent will wait by default for 3 seconds for the device to be plugged in and the corresponding add uevent for the device. If the timeout is reached without the above happening, the hot plug action will fail.

The length of the timeout can be increased by specifying the agent.hotplug_timeout to the guest kernel command line. For example, agent.hotplug_timeout=10s will increase the timeout to 10 seconds. The value of the option is in the Go duration format.

Any invalid values used for agent.hotplug_timeout will fall back to the default of 3 seconds.

Same as systemd, the kata-agent has an option to enable or disable the unified cgroup hierarchy (cgroups v2) in the guest through the kernel command line. Set agent.unified_cgroup_hierarchy to 1 or true to enable cgroups v2. For example, agent.unified_cgroup_hierarchy=true will enable cgroups v2 in the guest. Set agent.unified_cgroup_hierarchy to 0 or false to disable cgroups v2. For example, agent.unified_cgroup_hierarchy=0 will disable cgroups v2 in the guest. By default cgroups v2 is disabled.

The agent will configure a Pipe for stdio (stdout, stderr, stdin) for each container. By default, this will use the OS' defaults in terms of pipe capacity. However, some workloads may require a larger pipe when writing to stdout/stderr in non-blocking mode.

The pipe's capacity for stdout/stderr can be modified by specifying the agent.container_pipe_size flag to the guest kernel command line. For example, agent.container_pipe_size=2097152 will set the stdout and stderr pipes to 2097152 bytes.