alexellis/faasd+kata Secret

## faasd+kata
### Start with clean install of Ubuntu 20.04

### Install dependencies
( sudo apt update && \
sudo apt install git curl qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils golang-go socat -qy
)

### Install faasd
(
git clone https://github.com/openfaas/faasd --depth=1 && \
cd faasd && \
./hack/install.sh
)

cat << EOF | sudo tee /lib/systemd/system/faasd-provider.service
[Unit]
Description=faasd-provider

[Service]
MemoryLimit=500M
Environment="FUNCTION_RUNTIME=io.containerd.run.kata.v2"
Environment="secret_mount_path=/var/lib/faasd/secrets"
Environment="basic_auth=true"
ExecStart=/usr/local/bin/faasd provider
Restart=on-failure
RestartSec=10s
WorkingDirectory=/var/lib/faasd-provider

[Install]
WantedBy=multi-user.target

EOF

(
sudo systemctl stop faasd && sudo systemctl stop faasd-provider && \
curl -LS https://dl.exit.o6s.io/faasd -o /tmp/faasd && \
sudo chmod +x /tmp/faasd && \
sudo mv /tmp/faasd /usr/local/bin/
)

### Install kata
bash -c "$(curl -fsSL https://raw.githubusercontent.com/kata-containers/tests/master/cmd/kata-manager/kata-manager.sh) install-packages"

### Test with ctr
(
sudo ctr image pull docker.io/library/busybox:latest
sudo ctr run -t --rm docker.io/library/busybox:latest hello uname -a # => launches with runc (per `ps`)
sudo ctr run --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/busybox:latest hello uname -a # => launches with kata (per `ps`)
)

### Configure containerd per kata instructions (https://github.com/kata-containers/documentation/blob/master/how-to/containerd-kata.md#install-kata-containers)
sudo mkdir /etc/containerd

cat <<EOF | sudo tee /etc/containerd/config.toml
     [plugins.cri.containerd]
       no_pivot = false
     [plugins.cri.containerd.runtimes]
       [plugins.cri.containerd.runtimes.runc]
          runtime_type = "io.containerd.runc.v1"
          [plugins.cri.containerd.runtimes.runc.options]
            NoPivotRoot = false
            NoNewKeyring = false
            ShimCgroup = ""
            IoUid = 0
            IoGid = 0
            BinaryName = "runc"
            Root = ""
            CriuPath = ""
            SystemdCgroup = false
       [plugins.cri.containerd.runtimes.kata]
          runtime_type = "io.containerd.kata.v2"
       [plugins.cri.containerd.runtimes.katacli]
          runtime_type = "io.containerd.runc.v1"
          [plugins.cri.containerd.runtimes.katacli.options]
            NoPivotRoot = false
            NoNewKeyring = false
            ShimCgroup = ""
            IoUid = 0
            IoGid = 0
            BinaryName = "/usr/bin/kata-runtime"
            Root = ""
            CriuPath = ""
            SystemdCgroup = false
EOF

(
sudo systemctl daemon-reload ;
sudo systemctl restart containerd ;
sudo systemctl restart faasd ;
sudo systemctl restart faasd-provider ;
)

### Deploy faasd function
cat /var/lib/faasd/secrets/basic-auth-password | faas-cli login -u admin --password-stdin
faas-cli deploy --image ghcr.io/openfaas/alpine:latest --fprocess "uname -a" --name uname

ps aux | grep uname # => /usr/local/bin/containerd-shim-runc-v2 -namespace openfaas-fn -id uname -address /run/containerd/containerd.sock
	### Start with clean install of Ubuntu 20.04

	### Install dependencies
	( sudo apt update && \
	sudo apt install git curl qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils golang-go socat -qy
	)

	### Install faasd
	(
	git clone https://github.com/openfaas/faasd --depth=1 && \
	cd faasd && \
	./hack/install.sh
	)

	cat << EOF \| sudo tee /lib/systemd/system/faasd-provider.service
	[Unit]
	Description=faasd-provider

	[Service]
	MemoryLimit=500M
	Environment="FUNCTION_RUNTIME=io.containerd.run.kata.v2"
	Environment="secret_mount_path=/var/lib/faasd/secrets"
	Environment="basic_auth=true"
	ExecStart=/usr/local/bin/faasd provider
	Restart=on-failure
	RestartSec=10s
	WorkingDirectory=/var/lib/faasd-provider

	[Install]
	WantedBy=multi-user.target

	EOF

	(
	sudo systemctl stop faasd && sudo systemctl stop faasd-provider && \
	curl -LS https://dl.exit.o6s.io/faasd -o /tmp/faasd && \
	sudo chmod +x /tmp/faasd && \
	sudo mv /tmp/faasd /usr/local/bin/
	)

	### Install kata
	bash -c "$(curl -fsSL https://raw.githubusercontent.com/kata-containers/tests/master/cmd/kata-manager/kata-manager.sh) install-packages"

	### Test with ctr
	(
	sudo ctr image pull docker.io/library/busybox:latest
	sudo ctr run -t --rm docker.io/library/busybox:latest hello uname -a # => launches with runc (per `ps`)
	sudo ctr run --runtime io.containerd.run.kata.v2 -t --rm docker.io/library/busybox:latest hello uname -a # => launches with kata (per `ps`)
	)

	### Configure containerd per kata instructions (https://github.com/kata-containers/documentation/blob/master/how-to/containerd-kata.md#install-kata-containers)
	sudo mkdir /etc/containerd

	cat <<EOF \| sudo tee /etc/containerd/config.toml
	[plugins.cri.containerd]
	no_pivot = false
	[plugins.cri.containerd.runtimes]
	[plugins.cri.containerd.runtimes.runc]
	runtime_type = "io.containerd.runc.v1"
	[plugins.cri.containerd.runtimes.runc.options]
	NoPivotRoot = false
	NoNewKeyring = false
	ShimCgroup = ""
	IoUid = 0
	IoGid = 0
	BinaryName = "runc"
	Root = ""
	CriuPath = ""
	SystemdCgroup = false
	[plugins.cri.containerd.runtimes.kata]
	runtime_type = "io.containerd.kata.v2"
	[plugins.cri.containerd.runtimes.katacli]
	runtime_type = "io.containerd.runc.v1"
	[plugins.cri.containerd.runtimes.katacli.options]
	NoPivotRoot = false
	NoNewKeyring = false
	ShimCgroup = ""
	IoUid = 0
	IoGid = 0
	BinaryName = "/usr/bin/kata-runtime"
	Root = ""
	CriuPath = ""
	SystemdCgroup = false
	EOF

	(
	sudo systemctl daemon-reload ;
	sudo systemctl restart containerd ;
	sudo systemctl restart faasd ;
	sudo systemctl restart faasd-provider ;
	)

	### Deploy faasd function
	cat /var/lib/faasd/secrets/basic-auth-password \| faas-cli login -u admin --password-stdin
	faas-cli deploy --image ghcr.io/openfaas/alpine:latest --fprocess "uname -a" --name uname

	ps aux \| grep uname # => /usr/local/bin/containerd-shim-runc-v2 -namespace openfaas-fn -id uname -address /run/containerd/containerd.sock