# containerd
[containerd] is an industry-standard container runtime with an emphasis on simplicity, robustness and portability.
Kubespray supports basic functionality for using containerd as the default container runtime in a cluster.
_To use the containerd container runtime set the following variables:_
## k8s_cluster.yml
When kube_node contains etcd, your etcd cluster is also schedulable for Kubernetes workloads. Because containerd and dockerd cannot run at the same time, the settings below must be used to run the etcd cluster with only containerd.
```yaml
container_manager: containerd
```
## etcd.yml
```yaml
etcd_deployment_type: host
```
## Containerd config
Example: define registry mirror for docker hub
```yaml
containerd_registries_mirrors:
  - prefix: docker.io
    mirrors:
      - host: https://mirror.gcr.io
        capabilities: ["pull", "resolve"]
        skip_verify: false
      - host: https://registry-1.docker.io
        capabilities: ["pull", "resolve"]
        skip_verify: false
```
`containerd_registries_mirrors` is ignored for pulling images when `image_command_tool=nerdctl`
(the default for `container_manager=containerd`). Use `crictl` instead; it supports
`containerd_registries_mirrors` but lacks proper multi-arch support (see
[#8375](https://github.com/kubernetes-sigs/kubespray/issues/8375)):
```yaml
image_command_tool: crictl
```
### Containerd Runtimes
Containerd supports multiple runtime configurations that can be used with the
[RuntimeClass] Kubernetes feature. See [runtime classes in containerd] for the
details of containerd configuration.
In kubespray, the default runtime name is "runc", and it can be configured with the `containerd_runc_runtime` dictionary:
```yaml
containerd_runc_runtime:
  name: runc
  type: "io.containerd.runc.v2"
  engine: ""
  root: ""
  options:
    systemdCgroup: "false"
    binaryName: /usr/local/bin/my-runc
  base_runtime_spec: cri-base.json
```
Further runtimes can be configured with `containerd_additional_runtimes`, which
is a list of such dictionaries.

The default runtime can be changed by setting `containerd_default_runtime`.
#### Base runtime specs and limiting number of open files
The `base_runtime_spec` key in a runtime dictionary is used to explicitly
specify a runtime spec JSON file. The `runc` runtime has it set to `cri-base.json`,
which is generated with `ctr oci spec > /etc/containerd/cri-base.json` and
updated to include a custom setting for the maximum number of file descriptors per
container.

You can change the maximum number of file descriptors per container for the default
`runc` runtime by setting the `containerd_base_runtime_spec_rlimit_nofile`
variable.

You can tune many more [settings][runtime-spec] by supplying your own file name and content with `containerd_base_runtime_specs`:
```yaml
containerd_base_runtime_specs:
  cri-spec-custom.json: |
    {
      "ociVersion": "1.0.2-dev",
      "process": {
        "user": {
          "uid": 0,
    ...
```
The files in this dict will be placed in the containerd config directory,
`/etc/containerd` by default. The files can then be referenced by filename in a
runtime:
```yaml
containerd_runc_runtime:
  name: runc
  base_runtime_spec: cri-spec-custom.json
  ...
```
Configure insecure-registry access to self-hosted registries:
```yaml
containerd_registries_mirrors:
  - prefix: test.registry.io
    mirrors:
      - host: http://test.registry.io
        capabilities: ["pull", "resolve"]
        skip_verify: true
  - prefix: 172.19.16.11:5000
    mirrors:
      - host: http://172.19.16.11:5000
        capabilities: ["pull", "resolve"]
        skip_verify: true
  - prefix: repo:5000
    mirrors:
      - host: http://repo:5000
        capabilities: ["pull", "resolve"]
        skip_verify: true
```
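
The following Python check is an added example, not part of Kubespray: it flags `containerd_registries_mirrors` entries that use plaintext `http://` or disable certificate verification, so insecure-registry settings like the ones above do not reach production inventories unnoticed. The names `audit_mirrors`, `_m`, `_truthy`, the issue labels and `SAMPLE_MIRRORS` (constructed from the two mirror blocks on this page) are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample: the mirror entries from this page's two YAML blocks,
# as plain lists/dicts (what Ansible sees after loading the vars file).
def _m(host, skip_verify):
    return {"host": host, "capabilities": ["pull", "resolve"], "skip_verify": skip_verify}

SAMPLE_MIRRORS = [
    {"prefix": "docker.io", "mirrors": [_m("https://mirror.gcr.io", False),
                                        _m("https://registry-1.docker.io", False)]},
    {"prefix": "test.registry.io", "mirrors": [_m("http://test.registry.io", True)]},
    {"prefix": "172.19.16.11:5000", "mirrors": [_m("http://172.19.16.11:5000", True)]},
    {"prefix": "repo:5000", "mirrors": [_m("http://repo:5000", True)]},
]

def _truthy(value):
    """Ansible vars can carry booleans as strings such as "true" or "yes"."""
    if isinstance(value, str):
        return value.strip().lower() in ("true", "yes", "on", "1")
    return bool(value)

def audit_mirrors(registries):
    """Return (prefix, host, issue) for each mirror that weakens transport security.

    Function name and issue labels are hypothetical, not Kubespray's.
    """
    findings = []
    for entry in registries or []:
        prefix = entry.get("prefix", "<missing prefix>")
        for mirror in entry.get("mirrors") or []:
            host = str(mirror.get("host", ""))
            scheme = urlsplit(host).scheme.lower()
            if scheme == "http":
                # No TLS: traffic to the registry is unencrypted and unauthenticated.
                findings.append((prefix, host, "plaintext-http"))
            elif scheme != "https":
                findings.append((prefix, host, "no-explicit-scheme"))
            elif _truthy(mirror.get("skip_verify", False)):
                # TLS is used but the registry certificate is not checked.
                findings.append((prefix, host, "tls-verification-disabled"))
    return findings

if __name__ == "__main__":
    for prefix, host, issue in audit_mirrors(SAMPLE_MIRRORS):
        print(f"{prefix}: {host} -> {issue}")
```

To run it against a real inventory, load the vars file with a YAML parser and pass the `containerd_registries_mirrors` list to `audit_mirrors`.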
[containerd]: https://containerd.io/
[RuntimeClass]: https://kubernetes.io/docs/concepts/containers/runtime-class/
[runtime classes in containerd]: https://github.com/containerd/containerd/blob/main/docs/cri/config.md#runtime-classes
[runtime-spec]: https://github.com/opencontainers/runtime-spec
Refactor NRI activation for containerd and CRI-O (#10470)
Refactor NRI (Node Resource Interface) activation in CRI-O and
containerd. Introduce a shared variable, nri_enabled, to streamline
the process. Currently, enabling NRI requires a separate update of
defaults for each container runtime independently, without any
verification of NRI support for the specific version of containerd
or CRI-O in use.
With this commit, the previous approach is replaced. Now, a single
variable, nri_enabled, handles this functionality. Also, this commit
separates the responsibility of verifying NRI supported versions of
containerd and CRI-O from cluster administrators, and leaves it to
Ansible.
Signed-off-by: Feruzjon Muyassarov <feruzjon.muyassarov@intel.com>
(cherry picked from commit 1fd31ccc282741c6dc2cfe825e35353e81830215)
### Optional: NRI
[Node Resource Interface](https://github.com/containerd/nri) (NRI) is disabled by default for containerd. If you
are using containerd version v1.7.0 or above, you can enable it with the
following configuration:
```yaml
nri_enabled: true
```