Added support for host-process container installation (#1099)

* Added support for host-process container installation * Added Powershell script to build image on Windows node * Minor fix * Updated doc * Fix markdown * Minor fix * Update docs/InstallEbpf.md Co-authored-by: Dave Thaler <dthaler@microsoft.com> * Update docs/InstallEbpf.md Co-authored-by: Dave Thaler <dthaler@microsoft.com> * Update docs/InstallEbpf.md Co-authored-by: Dave Thaler <dthaler@microsoft.com> * Update docs/InstallEbpf.md Co-authored-by: Dave Thaler <dthaler@microsoft.com> * Update docs/InstallEbpf.md Co-authored-by: Dave Thaler <dthaler@microsoft.com> * Update images/build-images.ps1 Co-authored-by: Dave Thaler <dthaler@microsoft.com> * Update docs/InstallEbpf.md Co-authored-by: Dave Thaler <dthaler@microsoft.com> * Update images/build-images.ps1 Co-authored-by: Dave Thaler <dthaler@microsoft.com> * Update docs/InstallEbpf.md Co-authored-by: Dave Thaler <dthaler@microsoft.com> * Fix image path * Fix Dockerfile Co-authored-by: Dave Thaler <dthaler@microsoft.com> Co-authored-by: saxena-anurag <43585259+saxena-anurag@users.noreply.github.com>
2022-05-31 16:42:53 +00:00 · 2022-05-31 16:42:53 +00:00 · e822f72c30
--- a/docs/InstallEbpf.md
+++ b/docs/InstallEbpf.md
@ -1,11 +1,11 @@
-# Installing eBPF into a Test VM
+## Installing eBPF into a Test VM

 Follow the [VM Installation Instructions](vm-setup.md) for one-time setup of a test VM.
 Once the one-time setup has been completed, the following steps will
 install or update the eBPF installation in the VM, from a machine that
 has already built the binaries for x64/Debug or x64/Release.

-## Method 1
+### Method 1
 1. Deploy the binaries to `C:\Temp` in your VM, as follows:
    a. If you built the binaries from inside the VM, then from your ebpf-for-windows directory in the VM, do `.\scripts\deploy-ebpf -l`.  Otherwise,
    b. If you built the binaries on the host machine, then from your ebpf-for-windows directory on the host machine, start an admin Powershell on the host machine and do `.\scripts\deploy-ebpf`, or to also copy files needed to run various tests, do `.\scripts\deploy-ebpf -t`.
@ -15,7 +15,7 @@ has already built the binaries for x64/Debug or x64/Release.
    2. Do 'cd C:\temp'.
    3. Do 'install-ebpf.bat'.

-## Method 2
+### Method 2
 Copy the build output to the host of the test VM and run the following.
 1. `Checkpoint-VM -Name <test-vm-name> -CheckpointName baseline` -- Creates a snapshot of the test VM named **baseline**.
 2. Store the VM administrator credential:
@ -24,3 +24,34 @@ Copy the build output to the host of the test VM and run the following.
 3. Modify `vm_list.json` to specify the name of the test VM under `VMList`.
 4. `Set-ExecutionPolicy unrestricted -Force`
 5. `Setup_ebpf_cicd_tests.ps1`
+
+## Installing eBPF with host-process container 
+
+The following instructions will build an ebpf-for-windows image and deploy a daemonset referencing the image. This is the easiest way
+to install eBPF on all Windows nodes in a Kubernetes cluster. 
+
+1. Deploy the binaries to `C:\Temp` on the machine (Windows Host) where you built the binaries.
+   Start an admin Powershell on the Windows Host and do `.\scripts\deploy-ebpf`.
+   
+2. Build ebpf-for-windows image. 
+     
+    a.  To build the image on the Windows Host, make sure docker is installed. [install docker on Windows Server](https://docs.microsoft.com/en-us/virtualization/windowscontainers/quick-start/set-up-environment?tabs=Windows-Server/).
+Start an admin Powershell on the Windows Host and run `.\images\build-images.ps1` and provide parameters for `repository`, `tag` and `OSVersion`.
+   
+    b.  To build the image on a Linux machine (e.g. Ubuntu), make sure docker is installed. [install docker on Ubuntu](https://docs.docker.com/engine/install/ubuntu/).
+
+    * Run the following Powershell command on the Windows Host to create zip files containing the binaries.
+      ```
+      Compress-Archive -Update -Path C:\temp -DestinationPath ebpf-for-windows-c-temp.zip
+      ```
+      
+   * Copy `images\*` and `ebpf-for-windows-c-temp.zip` from the Windows Host to a directory on the Linux machine (e.g. `$HOME/ebpf-for-windows-image`).
+   
+   * Run `$HOME/ebpf-for-windows-image/build-images.sh` and provide parameters for `repositry`, `tag` and `OSVersion`.
+   
+3. Push the ebpf-for-windows image to your repository.
+
+4. Update `manifests/Kubernetes/ebpf-for-windows-daemonset.yaml` with the container image pointing to your image path. Run the following command:
+```
+kubectl apply -f manifests/Kubernetes/ebpf-for-windows-daemonset.yaml
+```
--- a/images/Dockerfile.install
+++ b/images/Dockerfile.install
@ -0,0 +1,16 @@
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: MIT
+
+ARG WINDOWS_VERSION=1809
+
+# The files in this image are copied to $env:CONTAINER_SANDBOX_MOUNT_POINT on the host.
+FROM mcr.microsoft.com/windows/nanoserver:${WINDOWS_VERSION}
+
+ENV PATH="C:\Program Files\PowerShell;C:\utils;C:\Windows\system32;C:\Windows;C:\Windows\System32\WindowsPowerShell\v1.0;"
+
+ARG RELEASE_ZIP=ebpf-for-windows-c-temp.zip
+
+COPY ${RELEASE_ZIP} /ebpf-for-windows-c-temp.zip
+COPY install-ebpf-for-windows.ps1 /
+
+ENTRYPOINT ["powershell"]
--- a/images/build-images.ps1
+++ b/images/build-images.ps1
@ -0,0 +1,19 @@
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: MIT
+
+param ([parameter(Mandatory=$false)][string] $TEMPDir = "c:\temp",
+    [parameter(Mandatory=$true)][string] $Repository = "",
+    [parameter(Mandatory=$true)][string] $Tag = "",
+    [parameter(Mandatory=$true)][string] $OSVersion = "1809")
+
+$svc = Get-Service | where Name -EQ 'docker'
+if ($svc -EQ $null) {
+    throw "Docker service is not installed."
+}
+if ($svc.Status -NE 'Running') {
+    throw "Docker service is not running."
+}
+
+Compress-Archive -Update -Path $TEMPDir -DestinationPath ebpf-for-windows-c-temp.zip
+
+docker build -t $Repository/ebpfwin-install:$Tag  -f .\Dockerfile.install --build-arg WINDOWS_VERSION=$OSVersion .
--- a/images/build-images.sh
+++ b/images/build-images.sh
@ -0,0 +1,10 @@
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: MIT
+
+# Copy release archive to local directory as ebpf-for-windows-c-temp.zip before running this script.
+
+repository=${repository:-"your repository"}
+tag=${tag:-"your tag"}
+OSVersion=${OSVersion:-"1809"}
+
+docker buildx build --platform windows/amd64 --output=type=registry --pull -f Dockerfile.install -t $repository/ebpfwin-install:$tag --build-arg WINDOWS_VERSION=$OSVersion .
--- a/images/install-ebpf-for-windows.ps1
+++ b/images/install-ebpf-for-windows.ps1
@ -0,0 +1,39 @@
+# Copyright (c) Microsoft Corporation
+# SPDX-License-Identifier: MIT
+
+# Make sure the script is running in a HostProcess container.
+if ($env:CONTAINER_SANDBOX_MOUNT_POINT) {
+    $ns = $env:CONTAINER_SANDBOX_MOUNT_POINT
+    write-host ("Install script is running in a HostProcess container. This sandbox mount point is {0}" -f $ns)
+} else {
+    throw "Install script is NOT running in a HostProcess container."
+}
+
+# Unzip release archive to c:\temp.
+$EbpfWindowsZip = "ebpf-for-windows-c-temp.zip"
+if (!(Test-Path $EbpfWindowsZip))
+{
+    throw "$EbpfWindowsZip not found..."
+}
+Write-Host "Unzip ebpf-for-windows release..."
+Expand-Archive -Force $EbpfWindowsZip c:\
+
+# Run install-ebpf.bat
+cd c:\temp
+Write-Host "Install ebpf-for-windows ..."
+.\install-ebpf.bat
+
+# Make sure netsh ebpf works.
+Write-Host "ebpf-for-windows installation completed. Show program..."
+netsh ebpf show program
+
+# Sleep until the container is required to exit explicitly. This is for dev only.
+# TODO: If this container is running as an init container of a daemonset, 
+# this section is not required.
+$filePath = 'C:\exit-ebpfwin-install-container.txt'
+while (-not (Test-Path -Path $filePath)) {
+    Start-Sleep -Seconds 30
+}
+
+write-host "All done."
+exit 0
--- a/manifests/Kubernetes/ebpf-for-windows-daemonset.yaml
+++ b/manifests/Kubernetes/ebpf-for-windows-daemonset.yaml
@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: ebpf-for-windows
+  namespace: kube-system
+  labels:
+    k8s-app: ebpf-for-windows
+spec:
+  selector:
+    matchLabels:
+      k8s-app: ebpf-for-windows
+  template:
+    metadata:
+      labels:
+        k8s-app: ebpf-for-windows
+    spec:
+      tolerations:
+      - operator: Exists
+      securityContext:
+        windowsOptions:
+          hostProcess: true
+          runAsUserName: "NT AUTHORITY\\system"
+      hostNetwork: true
+      containers:
+      - name: ebpf-for-windows
+        image: <your ebpf-for-windows image path>
+        imagePullPolicy: Always
+        args:
+        - ".\\install-ebpf-for-windows.ps1"
+      nodeSelector:
+        kubernetes.io/os: windows