Post on 20-May-2020
Antonio Murdaca <runcom@redhat.com>
Senior Software Engineer, Red Hat Inc.
@runc0m
CRI-O: All the Runtime Kubernetes needs
Issues...
● Docker
● ...breaks
● rkt
● Pod concept
● Maintenance
● Pluggability
CRI - Container Runtime Interface
● Plug and play
● Protocol buffers
● gRPC
● 1.5+
● Client - Server
Runtime Service
● Pods lifecycle
● Containers lifecycle
● Interactions
Image Service
● Images lifecycle
● FS information
CRI in action
● Open governance
● Open source
● Lean
● Stable
● Secure
● BORING!
CRI-O
● Tied to the CRI
● Shaped around Kubernetes
● Only supported user is Kubernetes
● No features that can undermine stability and performance
● Versioning is tied to Kubernetes
● Support is tied to Kubernetes
Scope
Architecture
OCI runtimes
containers/storage
● overlayfs (default)
● Manage layers on COW
● Former “storage drivers”
containers/image
● Where everything started
● Battle tested
● Seamlessly pull any of your images
● New features
OCI runtime tools
● Generates OCI configurations
● OCI runtimes can understand the very same configuration
● There’s a library!!!
● Run containers
CNI - Container Network Interface
● Pluggable network stack
● Flannel
● Weave
● …
● openshift-sdn
conmon
● Monitoring
● Logging
● Handling tty
● Serving attach clients
● Detecting and reporting OOM
● CRI-O restarts
Pod architecture (runc)
[Diagram labels: Pod (ipc, net, pid namespaces); Infra Container; Container A (runc); Container B (runc); conmon (x3)]
Pod architecture (Clear Containers & Kata Containers)
[Diagram labels: Pod; conmon (x2); cc-shim (x2); Virtual Machine; Agent; Container A; Container B]
...live demo?
● k8s tests
● OpenShift tests
● critest
● Integration tests
● Performance tests
● On every PR
● Tests?
● Tests??
● Tests???
● Tests????
● Tests?????
Status
● CRI at any time is fully implemented
● Released 1.7 (1.0), 1.8, 1.9, 1.10, 1.11-dev
● Maintainers/contributors from Red Hat, Intel, IBM, SUSE, Lyft and many others (80+)
● Kubeadm works for setting up k8s with CRI-O
● Minikube works
● Support for mixed workloads
● Deployed to our OpenShift Online test cluster
● Available in Fedora, Ubuntu, RHEL ...
Kubernetes setup
$ minikube start \
    --network-plugin=cni \
    --container-runtime=cri-o \
    --bootstrapper=kubeadm
Local Kubernetes setup
$ CONTAINER_RUNTIME=remote \
    CONTAINER_RUNTIME_ENDPOINT='/var/run/crio/crio.sock --runtime-request-timeout=5m' \
    hack/local-up-cluster.sh
OpenShift setup
[...]
kubeletArguments:
  [...]
  container-runtime-endpoint:
  - "/var/run/crio/crio.sock"
  container-runtime:
  - "remote"
  runtime-request-timeout:
  - "15m"
[...]
Debug
● https://github.com/kubernetes-incubator/cri-tools
● crictl
● Upstream community tool
● Debugging through the CRI on a node
● Work is ongoing to move the project into Kubernetes core
skopeo
● Play with container images
● No daemon running
● Perfect for pipelines (Jenkins?)
● Transports
buildah
● Build images
● No daemon running
● shell-like syntax
● Build from Dockerfile(s)
podman
● Running containers
● Integrated with CRI-O (soon)
● No daemon running
● Known CLI
Summary
● CRI
● CRI-O
● Ecosystem
● New tools from legos
Roadmap
● Switch to CRI-O as the default in Kube? (trollface)
● Keep pace with upstream Kubernetes
  ○ Tracking and supporting k8s versions
● Graduating out of incubator
● GA in OpenShift 3.9 (not the default yet)
● Default container runtime for OpenShift 3.10 (hopefully)
● Deployed to OpenShift Online
Get involved!
Blog: https://medium.com/cri-o
GitHub: https://github.com/kubernetes-incubator/cri-o
IRC: freenode: #cri-o
Slack: sig-node
Site: https://cri-o.io, https://www.projectatomic.io
Thank you!