From 24e115c8b9c90cdff5622a3c56d30d31e0e2897b Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Mon, 7 Oct 2024 00:43:30 +0800
Subject: [PATCH 1/6] Feat: change cri-o default runtime to crun

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 roles/container-engine/cri-o/defaults/main.yml      | 12 +++++++++---
 roles/container-engine/cri-o/meta/main.yml          |  2 +-
 roles/container-engine/cri-o/tasks/main.yaml        | 13 ++++++++++---
 roles/container-engine/cri-o/templates/crio.conf.j2 |  2 +-
 roles/kubespray-defaults/defaults/main/main.yml     |  4 ++++
 5 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index ffbb0cfb2..2502c535e 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -40,10 +40,10 @@ crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<m
 
 # The crio_runtimes variable defines a list of OCI compatible runtimes.
 crio_runtimes:
-  - name: runc
-    path: "{{ crio_runtime_bin_dir }}/runc"
+  - name: crun
+    path: "{{ crio_runtime_bin_dir }}/crun"
     type: oci
-    root: /run/runc
+    root: /run/crun
 
 # Kata Containers is an OCI runtime, where containers are run inside lightweight
 # VMs. Kata provides additional isolation towards the host, minimizing the host attack
@@ -56,6 +56,12 @@ kata_runtimes:
     root: /run/kata-containers
     privileged_without_host_devices: true
 
+runc_runtime:
+  name: runc
+  path: "{{ crio_runtime_bin_dir }}/runc"
+  type: oci
+  root: /run/runc
+
 # crun is a fast and low-memory footprint OCI Container Runtime fully written in C.
 crun_runtime:
   name: crun
diff --git a/roles/container-engine/cri-o/meta/main.yml b/roles/container-engine/cri-o/meta/main.yml
index 7259b4663..99e803a51 100644
--- a/roles/container-engine/cri-o/meta/main.yml
+++ b/roles/container-engine/cri-o/meta/main.yml
@@ -1,5 +1,5 @@
 ---
 dependencies:
-  - role: container-engine/runc
+  - role: container-engine/crun
   - role: container-engine/crictl
   - role: container-engine/skopeo
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index cdcd1f419..0e66934cc 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -36,11 +36,18 @@
   when:
     - kata_containers_enabled
 
-- name: Cri-o | build a list of crio runtimes with crun runtime
+## After CRI-O v1.31, crun is default runtime.
+# - name: Cri-o | build a list of crio runtimes with crun runtime
+#   set_fact:
+#     crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+#   when:
+#     - crun_enabled
+
+- name: Cri-o | build a list of crio runtimes with runc runtime
   set_fact:
-    crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+    crio_runtimes: "{{ crio_runtimes + [runc_runtime] }}"
   when:
-    - crun_enabled
+    - runc_enabled
 
 - name: Cri-o | build a list of crio runtimes with youki runtime
   set_fact:
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index 6f9b84f14..187470a23 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -97,7 +97,7 @@ grpc_max_recv_msg_size = 16777216
 
 # default_runtime is the _name_ of the OCI runtime to be used as the default.
 # The name is matched against the runtimes map below.
-default_runtime = "runc"
+default_runtime = "crun"
 
 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
 no_pivot = false
diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml
index 55dce775d..d5761accc 100644
--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -293,6 +293,10 @@ kata_containers_enabled: false
 # gVisor is only supported with container_manager Docker or containerd
 gvisor_enabled: false
 
+# Enable runc as additional container runtime
+# When enabled, it requires container_manager=crio
+runc_enabled: false
+
 # Enable crun as additional container runtime
 # When enabled, it requires container_manager=crio
 crun_enabled: false

From 461a480887a1418c44f3e242d0b4918eb800f7ce Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Mon, 7 Oct 2024 00:45:08 +0800
Subject: [PATCH 2/6] Feat: complete the missing hash crun ppc64le

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 .../kubespray-defaults/defaults/main/checksums.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/roles/kubespray-defaults/defaults/main/checksums.yml b/roles/kubespray-defaults/defaults/main/checksums.yml
index 41cf204be..dd5a73dcb 100644
--- a/roles/kubespray-defaults/defaults/main/checksums.yml
+++ b/roles/kubespray-defaults/defaults/main/checksums.yml
@@ -891,13 +891,13 @@ crun_checksums:
     1.11.1: ca8c9cef23f4a3f7a635ee58a3d9fa35e768581fda89dc3b6baed219cc407a02
     1.9.2: 2bb60bcd5652cb17e44f66f0b8ae48195434bd1d66593db97fba85c7778eac53
   ppc64le:
-    1.14.4: 0
-    1.14.3: 0
-    1.14.2: 0
-    1.14.1: 0
-    1.11.2: 0
-    1.11.1: 0
-    1.9.2: 0
+    1.14.4: aa7263d3c54e478158ed5a70a435208096e434e58ccbc2a334ecbbbc384eff09
+    1.14.3: b3304ce1a983e4e1abd4b2bc59eedaa188299be838bdcd8b376f1f8d489bdc94
+    1.14.2: 1cf8f3296d1f6ab4189da565d2ac3552059e8e455cc665b913f4b5f3e484bdd7
+    1.14.1: a1935fd9a76f0d68a3393927f45cf5627c20915046a254d4fd27531865617b91
+    1.11.2: 467f2c1e95f3dc4161d0c0dd1d76601ab3de6d84460d17e1a6647474e948f264
+    1.11.1: 723528913c24fac8fc7c4418b9780090eba74ac2d82435c673dedc3af39d5abe
+    1.9.2: 42813b5bea2137bf9abcd1bcaa098a7d61fbbffd2a35d9c9f0f1ba79fb74eb5b
 youki_checksums:
   arm:
     0.4.1: 0

From 2717a2e585ea564cd19cd3194c04b3233634ce58 Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Mon, 7 Oct 2024 00:46:46 +0800
Subject: [PATCH 3/6] Feat: add crun new version hash & upgrade crun version to
 1.17

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 .../defaults/main/checksums.yml                  | 16 ++++++++++++++++
 .../defaults/main/download.yml                   |  2 +-
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/roles/kubespray-defaults/defaults/main/checksums.yml b/roles/kubespray-defaults/defaults/main/checksums.yml
index dd5a73dcb..c4a14ee10 100644
--- a/roles/kubespray-defaults/defaults/main/checksums.yml
+++ b/roles/kubespray-defaults/defaults/main/checksums.yml
@@ -867,6 +867,10 @@ runc_checksums:
     v1.1.8: a816cd654e804249c4f757cc6bf2aa2c128e4b8e6a993067d44c63c891c081ab
 crun_checksums:
   arm:
+    1.17: 0
+    1.16.1: 0
+    1.16: 0
+    1.15: 0
     1.14.4: 0
     1.14.3: 0
     1.14.2: 0
@@ -875,6 +879,10 @@ crun_checksums:
     1.11.1: 0
     1.9.2: 0
   arm64:
+    1.17: 3049017b99208f5ecd15c1366f47a77dace87f42dccf317ad40a07f1a867518c
+    1.16.1: 973817340e6da12c90c751b011c797396940cca965cefa74557bd1c0939f4042
+    1.16: 4595ff16487b16d2158fa8c3452bc0e1ecdc177ab2ace40fc02cd6e49838ff67
+    1.15: 2ed5fe6def4c1d57f219747bac5e71cb22312ef026fe63ed8e3246a4dcfebe13
     1.14.4: 308f8719055de178897f66cbb72d6a02567050ac645dd5eca52f48de347dda6c
     1.14.3: 0486629e1599c3bccded279f6555ff22691958cde56203ceca099af6f2407263
     1.14.2: 409ebdcb4935b004ce0efa8ada4aaf8d4dd63b77cde1d0acdf55664c168acbd9
@@ -883,6 +891,10 @@ crun_checksums:
     1.11.1: c8b0d243f6ac4fb02665c157b5404e5184bdc9240dbdcdde0ccef2db352ce97a
     1.9.2: 1ad8bd3c1aa693f59133c480aa13bbdf6d81e4528e72ce955612c6bae8cb1720
   amd64:
+    1.17: e9512a3e034e781b2396d068fd24eafcd5788e410403da886df9dc8871d504a5
+    1.16.1: 7b6f1791fb9b2c49ec959b9384b3c4e2ec8c69945fd5292a179d23eb62422eb3
+    1.16: 7f53bffd6b0e216f8f6d6472bb73dc4c6c4ea2c2e7342c52d4bee2972798ce68
+    1.15: f02c66dcc38b9d06f19a92dfb5ac831aba9c33ae48dbf4ab92d7680ca1140172
     1.14.4: 4f170aaa10d2ef02560cfb60b67ddfa1a83b1b4f7018227e9cb23a6af3955ec1
     1.14.3: 80c5ab9422d4672f650f2bad3da933568349b64117d055486abc3534517be2af
     1.14.2: 4d3a64961ea9e6a1313ab807f86a17bc6ebcecad2df84a120322fddebff00bcf
@@ -891,6 +903,10 @@ crun_checksums:
     1.11.1: ca8c9cef23f4a3f7a635ee58a3d9fa35e768581fda89dc3b6baed219cc407a02
     1.9.2: 2bb60bcd5652cb17e44f66f0b8ae48195434bd1d66593db97fba85c7778eac53
   ppc64le:
+    1.17: ca8ee0fabcac57b61b80f6c234ae20b3b9821433fdf1a6306be5defeac11930e
+    1.16.1: 9590ce79697c5509731f8e58d1733b7051c36f92104925221ca8bda800afee41
+    1.16: fc7199a2faac1ca0e3e58dee4dd369b9065aa0d95f3257d8803e521213f1bd9b
+    1.15: dd0aad6140175ef83792e601c8e89cf66813486e9070aac7f39cac040283d4fd
     1.14.4: aa7263d3c54e478158ed5a70a435208096e434e58ccbc2a334ecbbbc384eff09
     1.14.3: b3304ce1a983e4e1abd4b2bc59eedaa188299be838bdcd8b376f1f8d489bdc94
     1.14.2: 1cf8f3296d1f6ab4189da565d2ac3552059e8e455cc665b913f4b5f3e484bdd7
diff --git a/roles/kubespray-defaults/defaults/main/download.yml b/roles/kubespray-defaults/defaults/main/download.yml
index b43200473..1a6e7ccdb 100644
--- a/roles/kubespray-defaults/defaults/main/download.yml
+++ b/roles/kubespray-defaults/defaults/main/download.yml
@@ -74,7 +74,7 @@ image_info_command_on_localhost: "{{ lookup('vars', image_command_tool_on_localh
 image_arch: "{{ host_architecture | default('amd64') }}"
 
 # Versions
-crun_version: 1.14.4
+crun_version: 1.17
 runc_version: v1.1.14
 kata_containers_version: 3.1.3
 youki_version: 0.4.1

From f3d4377a1626cd54b64b8e3a82c05b53ea167dec Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Mon, 7 Oct 2024 00:47:23 +0800
Subject: [PATCH 4/6] Feat: add skopeo new version hash & upgrade skopeo
 version to v1.16.1

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 .../defaults/main/checksums.yml               | 25 +++++++++++++++++++
 .../defaults/main/download.yml                |  2 +-
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/roles/kubespray-defaults/defaults/main/checksums.yml b/roles/kubespray-defaults/defaults/main/checksums.yml
index c4a14ee10..04f07ba78 100644
--- a/roles/kubespray-defaults/defaults/main/checksums.yml
+++ b/roles/kubespray-defaults/defaults/main/checksums.yml
@@ -1274,6 +1274,10 @@ containerd_archive_checksums:
     1.6.14: 73025da0666079fc3bbd48cf185da320955d323c7dc42d8a4ade0e7926d62bb0
 skopeo_binary_checksums:
   arm:
+    v1.16.1: 0
+    v1.16.0: 0
+    v1.15.2: 0
+    v1.15.1: 0
     v1.15.0: 0
     v1.14.2: 0
     v1.14.1: 0
@@ -1282,7 +1286,14 @@ skopeo_binary_checksums:
     v1.13.1: 0
     v1.13.0: 0
   arm64:
+    v1.16.1: 3272f15f469af843d325134ff8a77a069d647c5f247766715c098b8f0622b627
+    v1.16.0: 331b09b3b6e6550c178ea1c2fb2bdc5bdbd90c6f6e8d86a974f1117d6ab2fabe
+    v1.15.2: f81487af3104e37537ff21f1b2527b294f5cc4e7988941a1655ded97c027ac1d
+    v1.15.1: e20e34f96b5545bacd469b0d85ccce811ffbe2809db36248a3becb4638276959
     v1.15.0: bde8cc7e764d246281430d5da07ca906ee0838803199e3a6136a58802b2e0207
+    v1.14.5: 23e157de988c6020f1300b5d73d84d2fed2823ed61dbc6828de3552e9c77a6db
+    v1.14.4: d825f93b28cf7502569fe75c46aa78187bb63b6bc06036621de7b63290b51058
+    v1.14.3: e93a82b88e9bff46cbe4e68f96e265d934026a845b76ce51672c7cce26fba164
     v1.14.2: 364c46085de31edf4b312f13587442f4eade1f181bc5a9ea2ab2ffab5b575916
     v1.14.1: fd4fc0adae14f27788fd52cf0d23be2cfd1963e184c4af689de30185455e29a6
     v1.13.3: 1f7726b020ff9bc931ce16caa13c29999738a231f1414028282cd8f8661eb747
@@ -1290,7 +1301,14 @@ skopeo_binary_checksums:
     v1.13.1: 3b7db2b827fea432aa8a861b5caa250271c05da70bd240aa4045f692eba52e24
     v1.13.0: d23e43323c0a441d1825f9da483b07c7f265f2bd0a4728f7daac4239460600a3
   amd64:
+    v1.16.1: 8813fb7fcd7a723196ac287683dd929d280f6fe7f0782eace452fe1e3ff2b7eb
+    v1.16.0: 7bc31ed810d1366304d2e975c2910cea5e22cbd68f8316f14cacf44f6c0bd1d2
+    v1.15.2: 6b84d1158f29610f692f24c82459a865c2a21911647cc0cdf44027e7a59f73ba
+    v1.15.1: d45a93dab851f072fe5d3f0419f5c8bb3ee48069b588c211cccebd023fd5ae3a
     v1.15.0: 3cdbcde0163abb4c942f62d0302479d5aa4d31c5970d712841cf5d5f76edc594
+    v1.14.5: 180c2d7e8bc00685ba291572db6ddd90acadf03af7595521da17ae1f2c28f4b1
+    v1.14.4: 4c6f8f7c6e5f01675adff8c5bbb542d8d02b9bbdecf0d2abac1e99b8a34a9768
+    v1.14.3: 2db7e036e99ad3b808aaffbafc5267391bd3ba2f45ff03dd0090686eb3eb0f1e
     v1.14.2: 51218f93a2b079e36a36f7fbe2d2d86778be0a6947653031b4f9e254e2469224
     v1.14.1: 6b7776bcdf0c92af5d3f3c91a959d091011b42d839025b90f12b7201a083f308
     v1.13.3: 65707992885b1a4a446af6342874749478a1af7e17ab3f4df8fb89509e8b1966
@@ -1298,7 +1316,14 @@ skopeo_binary_checksums:
     v1.13.1: 8c15c56a6caffeb863c17d73a6361218c04c7763e020fffc8d5d6745cacfa901
     v1.13.0: 8cb477ee25010497fc9df53a6205dbd9fe264dd8a5ea4e934b9ec24d5bdc126c
   ppc64le:
+    v1.16.1: 248f8f601e4c40dd6d603b66ac26246f96d18451cc3642718c59afb6c2403cf7
+    v1.16.0: 24f1266d6146c27143b5002387c5b68086f1355de7db5c9bfe820928e3b8e298
+    v1.15.2: 5b123d38c34024e8b62b3bc94abfeea3007291743260bf7f62b2a1d935f1c3f9
+    v1.15.1: 39a4a6d77daca09a93a0b490285f48cd9040da1ba9c05b1f9709483e4f65c318
     v1.15.0: fb7f390f52f4b81f85d9bdce8715af5e27ee3969eff236b5f3c0f3a0b5a182e1
+    v1.14.5: 4ed476c46fabb3b320aac9b88ddc1b7a2665cb151a93482db7cb98e5768a768f
+    v1.14.4: f1b37ad1b83bd43bada6e49518165cf41d727d0662351dc5fcc9a46f0c3b4482
+    v1.14.3: 9028b7c4aafe235f1ba4efd57435b97ace341e544d3a6807440ac3b0f32d7d73
     v1.14.2: 0
     v1.14.1: 0
     v1.13.3: 0
diff --git a/roles/kubespray-defaults/defaults/main/download.yml b/roles/kubespray-defaults/defaults/main/download.yml
index 1a6e7ccdb..8772035ce 100644
--- a/roles/kubespray-defaults/defaults/main/download.yml
+++ b/roles/kubespray-defaults/defaults/main/download.yml
@@ -126,7 +126,7 @@ multus_version: "v4.1.0"
 helm_version: "v3.15.4"
 nerdctl_version: "1.7.7"
 krew_version: "v0.4.4"
-skopeo_version: "v1.15.0"
+skopeo_version: "v1.16.1"
 
 # Get kubernetes major version (i.e. 1.17.4 => 1.17)
 kube_major_version: "{{ kube_version | regex_replace('^v([0-9])+\\.([0-9]+)\\.[0-9]+', 'v\\1.\\2') }}"

From e008e8ee017d95ffd6fb9fcd27ac05ccbe41b541 Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Mon, 7 Oct 2024 07:40:35 +0800
Subject: [PATCH 5/6] Test: fix Molecule CRI-O default runtime to crun

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 .../cri-o/molecule/default/tests/test_default.py                | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/container-engine/cri-o/molecule/default/tests/test_default.py b/roles/container-engine/cri-o/molecule/default/tests/test_default.py
index 358a1b75a..3e38fa5b2 100644
--- a/roles/container-engine/cri-o/molecule/default/tests/test_default.py
+++ b/roles/container-engine/cri-o/molecule/default/tests/test_default.py
@@ -21,7 +21,7 @@ def test_run(host):
     assert "RuntimeName:  cri-o" in cmd.stdout
 
 def test_run_pod(host):
-    runtime = "runc"
+    runtime = "crun"
 
     run_command = "/usr/local/bin/crictl run --with-pull --runtime {} /tmp/container.json /tmp/sandbox.json".format(runtime)
     with host.sudo():

From faa0816b95d9baefbf46433a55eb64ef4050a449 Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Fri, 11 Oct 2024 01:49:16 +0800
Subject: [PATCH 6/6] Feat: make CRI-O's default runtime configurable

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 roles/container-engine/cri-o/defaults/main.yml      | 1 +
 roles/container-engine/cri-o/templates/crio.conf.j2 | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index 2502c535e..5525790d1 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -2,6 +2,7 @@
 
 crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('systemd') }}"
 crio_conmon: "{{ bin_dir }}/conmon"
+crio_default_runtime: "crun"
 crio_libexec_dir: "/usr/libexec/crio"
 crio_enable_metrics: false
 crio_log_level: "info"
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index 187470a23..d20e14dc8 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -97,7 +97,7 @@ grpc_max_recv_msg_size = 16777216
 
 # default_runtime is the _name_ of the OCI runtime to be used as the default.
 # The name is matched against the runtimes map below.
-default_runtime = "crun"
+default_runtime = "{{ crio_default_runtime }}"
 
 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
 no_pivot = false