# CRI-O

[CRI-O] is a lightweight container runtime for Kubernetes.
Kubespray supports basic functionality for using CRI-O as the default container runtime in a cluster.

* Kubernetes supports CRI-O on v1.11.1 or later.
* etcd: configure either kubeadm managed etcd or host deployment

_To use the CRI-O container runtime set the following variables:_

## all/all.yml

```yaml
download_container: false
skip_downloads: false
etcd_deployment_type: host # optionally kubeadm
```

## k8s_cluster/k8s_cluster.yml

```yaml
container_manager: crio
```

## all/crio.yml

Enable Docker Hub registry mirrors:

```yaml
crio_registries:
  - prefix: docker.io
    insecure: false
    blocked: false
    location: registry-1.docker.io
    unqualified: false
    mirrors:
      - location: 192.168.100.100:5000
        insecure: true
      - location: mirror.gcr.io
        insecure: false
```

[CRI-O]: https://cri-o.io/

The following is a method to enable insecure registries.

```yaml
crio_insecure_registries:
  - 10.0.0.2:5000
```

You can configure authentication for these registries after `crio_insecure_registries`.

```yaml
crio_registry_auth:
  - registry: 10.0.0.2:5000
    username: user
    password: pass
```

## Note about user namespaces

CRI-O has support for user namespaces. This feature is optional and can be enabled by setting the following two variables.

```yaml
crio_runtimes:
  - name: runc
    path: /usr/bin/runc
    type: oci
    root: /run/runc
    allowed_annotations:
      - "io.kubernetes.cri-o.userns-mode"

crio_remap_enable: true
```

The `allowed_annotations` configures `crio.conf` accordingly.

The `crio_remap_enable` configures the `/etc/subuid` and `/etc/subgid` files to add an entry for the **containers** user.
By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.

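A way to check the resulting reservation on a node, as an added example that is not part of Kubespray: it parses `/etc/subuid` or `/etc/subgid` content, confirms the **containers** entry has the 256 * 65536 size described above, and reports any overlap with another account's range. The function names, the start offsets and the sample file contents are assumptions constructed for illustration.

```python
"""Audit /etc/subuid or /etc/subgid content for the CRI-O remap user."""

PODS = 256                            # from the text above
IDS_PER_POD = 65536                   # from the text above
EXPECTED_COUNT = PODS * IDS_PER_POD   # 16777216, the "16M" reservation
REMAP_USER = "containers"             # user named in the text above
MAX_ID = 2**32 - 2                    # 2**32 - 1 is (uid_t)-1, never a valid id


def parse_subid(text):
    """Return (name, start, count) tuples from name:start:count lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) != 3 or not (parts[1].isdigit() and parts[2].isdigit()):
            raise ValueError(f"line {lineno}: expected name:start:count, got {raw!r}")
        entries.append((parts[0], int(parts[1]), int(parts[2])))
    return entries


def audit(text, user=REMAP_USER, expected=EXPECTED_COUNT):
    """Return findings for the remap user's ranges; an empty list means none."""
    entries = parse_subid(text)
    mine = [e for e in entries if e[0] == user]
    if not mine:
        return [f"no entry for user {user!r}"]
    findings = []
    for _, start, count in mine:
        end = start + count - 1
        if count != expected:
            findings.append(f"{user}: count {count}, expected {expected}")
        if end > MAX_ID:
            findings.append(f"{user}: range ends at {end}, beyond {MAX_ID}")
        # Overlap lets two accounts map the same host ids, which defeats
        # the isolation the remap is meant to provide.
        for other, ostart, ocount in entries:
            if other != user and start <= ostart + ocount - 1 and ostart <= end:
                findings.append(f"{user}: overlaps {other} at {ostart}:{ocount}")
    return findings


# Constructed sample file contents (not taken from a real host).
GOOD = "alice:100000:65536\ncontainers:2130706432:16777216\n"
BAD = "alice:2130706432:65536\ncontainers:2130706432:65536\n"
```

On a node, pass the real file content, for example `audit(open("/etc/subuid").read())`, and repeat for `/etc/subgid`.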
Refactor NRI activation for containerd and CRI-O (#10470)
Refactor NRI (Node Resource Interface) activation in CRI-O and
containerd. Introduce a shared variable, nri_enabled, to streamline
the process. Currently, enabling NRI requires a separate update of
defaults for each container runtime independently, without any
verification of NRI support for the specific version of containerd
or CRI-O in use.
With this commit, the previous approach is replaced. Now, a single
variable, nri_enabled, handles this functionality. Also, this commit
separates the responsibility of verifying NRI supported versions of
containerd and CRI-O from cluster administrators, and leaves it to
Ansible.
Signed-off-by: Feruzjon Muyassarov <feruzjon.muyassarov@intel.com>
2023-09-26 23:05:25 +08:00

## Optional : NRI

[Node Resource Interface](https://github.com/containerd/nri) (NRI) is disabled by default for CRI-O. If you
are using CRI-O version v1.26.0 or above, then you can enable it with the
following configuration:

```yaml
nri_enabled: true
```