CRI-O

From ArchWiki

CRI-O is an OCI-based implementation of the Kubernetes Container Runtime Interface.

As such it is one of the container runtimes that can be used with a node of a Kubernetes cluster.

Installation

Install the cri-o package.

The package will set the system up to load the overlay and br_netfilter modules and set the following sysctl options:

 net.bridge.bridge-nf-call-iptables = 1
 net.bridge.bridge-nf-call-ip6tables = 1
 net.ipv4.ip_forward = 1

To use CRI-O without a reboot, make sure to load the modules and configure the sysctl values accordingly.

Configuration

CRI-O is configured via /etc/crio/crio.conf or via drop-in configuration files in /etc/crio/crio.conf.d/.

Network

CRI-O can make use of container networking as provided by cni-plugins.

Copy one of the examples from /usr/share/doc/cri-o/examples/cni/ to /etc/cni/net.d and modify it as needed.

Warning: The cri-o package installs the 10-crio-bridge.conf and 99-loopback.conf examples to /etc/cni/net.d by default (as 100-crio-bridge.conf and 199-crio-loopback.conf respectively). These may conflict with Kubernetes cluster network fabrics (weave, flannel, calico, etc.) and may have to be deleted manually to resolve the conflict (e.g. #2411 #2885).
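
The check below is an added example, not part of the original ArchWiki page: it reports which configuration in /etc/cni/net.d sorts first and whether that is one of the package defaults named in the warning. It assumes CRI-O's behaviour of using the first configuration found in the network directory (files ending in .conf, .conflist or .json, in byte-wise name order) when cni_default_network is unset in crio.conf; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which CNI config would be selected, and is it a cri-o default?
# Assumption: the first file by name wins unless cni_default_network is set.

# Print the CNI config file names in a directory, in byte-wise order.
cni_configs() {
    dir=$1
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.conf "$dir"/*.conflist "$dir"/*.json; do
        # An unmatched glob stays literal and is skipped by the -f test.
        if [ -f "$f" ]; then
            basename "$f"
        fi
    done | LC_ALL=C sort
}

# Print the name of the config that sorts first (empty if there is none).
cni_first() {
    cni_configs "$1" | head -n 1
}

# Return 0 if the first config is one of the files the cri-o package installs.
cni_default_is_crio() {
    case "$(cni_first "$1")" in
        100-crio-bridge.conf|199-crio-loopback.conf) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable summary for one directory.
cni_report() {
    first=$(cni_first "$1")
    if [ -z "$first" ]; then
        echo "no CNI configuration found in $1"
    elif cni_default_is_crio "$1"; then
        echo "WARNING: $first sorts first in $1 (cri-o package example)"
    else
        echo "$first sorts first in $1"
        # The package files are still worth listing so they can be reviewed.
        cni_configs "$1" | grep -- '-crio-' | sed 's/^/  also present: /' || true
    fi
}

cni_report "${1:-/etc/cni/net.d}"
```

Run it on a node before and after installing the cluster network fabric to see whether the selected configuration changes.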

Storage

By default, CRI-O uses the overlay driver as its storage_driver for the container storage in /var/lib/containers/storage/. However, it can also be configured to use btrfs or ZFS natively by changing the driver in /etc/containers/storage.conf:

 sed -i 's/driver = ""/driver = "btrfs"/' /etc/containers/storage.conf

Running

Start and enable the crio.service systemd unit.

Testing

Use crio-status like this:

 # crio-status info
 cgroup driver: systemd
 storage driver: vfs
 storage root: /var/lib/containers/storage
 default GID mappings (format <container>:<host>:<size>):
   0:0:4294967295
 default UID mappings (format <container>:<host>:<size>):
   0:0:4294967295

and:

 # crio-status config
 ...

Now install the crictl package, and see e.g. https://kubernetes.io/docs/tasks/debug-application-cluster/crictl/ or https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md, or simply:

 source <(crictl completion bash)
 crictl pull index.docker.io/busybox
 crictl pull quay.io/prometheus/busybox
 crictl images
 curl -O https://raw.githubusercontent.com/kubernetes-sigs/cri-tools/master/docs/examples/podsandbox-config.yaml
 curl -O https://raw.githubusercontent.com/kubernetes-sigs/cri-tools/master/docs/examples/container-config.yaml
 crictl run container-config.yaml podsandbox-config.yaml
 crictl logs "$(crictl ps --last 1 --output yaml | yq -r '.containers[0].id')"
 crictl exec -it "$(crictl ps --last 1 --output yaml | yq -r '.containers[0].id')" /bin/sh
 crictl rm -af
 crictl rmp -af

Note that Docker Hub is not hard-coded, so specify the container registry explicitly. (See also https://github.com/kubernetes-sigs/cri-tools/pull/718.)

See also