Kubevirt + Ubuntu Testing

[apoorvemohan]

Has kubevirt-tdx been tested with Ubuntu-based K8 installation?

cc: @mengmeiye

[LeiZhou-97]

hi @apoorvemohan @mengmeiya

I updated the wiki about build section.(kubevirt-tdx doest not provide pre-built images) If mengmei wants to try the kubevirt-tdx, she can follow it.

https://github.com/intel/kubevirt-tdx/wiki/0.-Getting-started

if meet any problems, feel free to pin me.

[mengmeiye]

Thanks @LeiZhou-97
I followed the steps but got the following error by describing the vmi:

  Normal   SuccessfulCreate  5m16s  virtualmachine-controller  Created virtual machine pod virt-launcher-vmi-ubuntu-td-c8zgv
  Warning  SyncFailed        5m11s  virt-handler               server error. command SyncVMI failed: "LibvirtError(Code=1, Domain=10, Message='internal error: QEMU unexpectedly closed the monitor (vm='default_vmi-ubuntu-td'): 2024-05-20T17:52:24.038084Z qemu-kvm: -accel kvm: vm-type tdx not supported by KVM')"
  Normal   Started           5m11s  virt-handler               VirtualMachineInstance started.

Looks like qemu-kvm inside of the pod doesn't support tdx...

The yaml file I'm using is:

---
apiVersion: kubevirt.io/v1
kind: VirtualMachineInstance
metadata:
  labels:
    special: vmi-ubuntu-td
  name: vmi-ubuntu-td
spec:
  domain:
    launchSecurity:
      tdx:
        QGS: vsock:2:4050
    clock:
      timer:
        hpet:
          present: false
    machine:
      type: q35
    cpu:
      model: host-passthrough
      sockets: 1
      cores: 4
    features:
      acpi: {}
      apic: {}
    devices:
      autoattachVSOCK: true
      autoattachGraphicsDevice: false
      disks:
      - disk:
          bus: virtio
        name: containerdisk
    firmware:
      bootloader:
        efi:
          secureBoot: false
    resources:
      requests:
        memory: 16Gi
  terminationGracePeriodSeconds: 10
  volumes:
  - containerDisk:
      image: localhost/guest-ubuntu-tdx:latest
    name: containerdisk

[LeiZhou-97]

Hi @mengmeiye ,

Are you install the TDX host stack in advance ?

[mengmeiye]

@LeiZhou-97: Yes the TDX host stack has been installed.

[LeiZhou-97]

Do you try to launch the traditional TDVM successfully on bare-metal?

The error log points the host stack is not installed. kvm is out-of-scope of kubevirt-tdx.
Please check if TDX is initialized through dmesg.

kvm: vm-type tdx not supported by KVM

[mengmeiye]

Oh I think the error is because qemu-kvm inside of the pod doesn't support tdx. The host is enabled with TDX, and I can successfully launch a TDVM on bare-metal.

[LeiZhou-97]

Oh I think the error is because qemu-kvm inside of the pod doesn't support tdx. The host is enabled with TDX, and I can successfully launch a TDVM on bare-metal.

No, it's qemu call the kvm to do the feature check and find tdx not supported by kvm. If qemu-kvm doesn't support tdx, it will tell you tdx is unrecognized.

And I only provide the tdx-enabled qemu-kvm in the source, it's impossible to install a non-tdx qemu-kvm package.

rpm(
    name = "qemu-kvm-core-17__8.0.0-15.el9s.x86_64",
    sha256 = "3b9f9995b3dfacf78c237952afefad71f495a48d62ffd20cd90ced0e6ed7db70",
    urls = [
        "http://mirror.stream.centos.org/SIGs/9-stream/virt/x86_64/tdx-devel/Packages/q/qemu-kvm-core-8.0.0-15.el9s.x86_64.rpm",
    ],
)

Which host stack are you using? I guess it may be caused by the host stack is not aligning with the guest stack within the pod.

[mengmeiye]

This is the tdx stack I'm using: https://github.com/intel/tdx-tools/tree/2023ww15

[LeiZhou-97]

Currently, the kubevirt-tdx only work with mid-stream stack.

ubuntu: https://github.com/canonical/tdx/tree/mantic-23.10

centos: https://mirror.stream.centos.org/SIGs/9-stream/virt/x86_64/tdx-devel/