Antonio Murdaca < runcom@redhat.com >

Senior Software Engineer, Red Hat Inc.

@runc0m

CRI-OAll the Runtime Kubernetes need

Issues...

● Docker● ...breaks● rkt● Pod concept● Maintenance● Pluggability

CRI Container Runtime Interface

● Plug and play● Protocol buffers● gRPC● 1.5+● Client - Server

Runtime Service

● Pods lifecycle● Containers lifecycle● Interactions

Image Service

● Images lifecycle● FS information

CRI in action

● Open governance● Open source● Lean● Stable● Secure● BORING!

CRI-O

● Tied to the CRI● Shaped around Kubernetes● Only supported user is

Kubernetes● No features that can mine

stability and performance● Versioning is tied to

Kubernetes● Support is tied to Kubernetes

Scope

Architecture

OCI runtimes

containers/storage

● overlayfs (default)● Manage layers on COW● Former “storage drivers”

containers/image

● Where everything started● Battle tested● Seamlessly pull any of your

images● New features

OCI runtime tools

● Generates OCI configurations● OCI runtimes can understand

the very same configuration● There’s a library!!!● Run containers

CNI - Container Network Interface

● Pluggable network stack● Flannel● Weave● …● openshift-sdn

conmon

● Monitoring● Logging● Handling tty● Serving attach clients● Detecting and reporting OOM● CRI-O restarts

Pod architecture (runc)

Infra Container

Pod (ipc, net, pid namespaces)

Container A(runc)

Container B(runc)

conmon conmon conmon

Pod architecture (Clear Containers & Kata Containers)

Pod

conmon

Virtual Machine

Container B

Container A

conmon cc-shim

cc-shim

Agent

...live demo?

● k8s tests● OpenShift tests● critest● Integration tests● Performance tests● On every PR● Tests?● Tests??● Tests??? ● Tests????● Tests?????

Status

Status

● CRI at any time is fully implemented● Released 1.7 (1.0), 1.8, 1.9, 1.10, 1.11-dev● Maintainers/contributors from Red Hat, Intel, IBM,

SUSE, Lyft and many others (80+)● Kubeadm works for setting up k8s with CRI-O● Minikube works● Support for mixed workloads● Deployed to our OpenShift Online test cluster● Available in Fedora, Ubuntu, RHEL ...

Kubernetes setup

$ minikube start \ --network-plugin=cni \ --container-runtime=cri-o \ --bootstrapper=kubeadm

Local Kubernetes setup

$ CONTAINER_RUNTIME=remote \ CONTAINER_RUNTIME_ENDPOINT=' \ /var/run/crio/crio.sock \ --runtime-request-timeout=5m' \ hack/local-up-cluster.sh

OpenShift setup

[...]kubeletArguments: [...] container-runtime-endpoint: - "/var/run/crio/crio.sock" container-runtime: - "remote" runtime-request-timeout: - "15m"[...]

Debug

● https://github.com/kubernetes-incubator/cri-tools

● crictl● Upstream community tool● Debugging through the CRI on a node● Work is ongoing to move the project

into Kubernetes core

skopeo

● Play with container images● No daemon running● Perfect for pipelines (Jenkins?)● Transports

buildah

● Build images● No daemon running● shell-like syntax● Build from Dockerfile(s)

podman

● Running containers● Integrated with CRI-O (soon)● No daemon running● Known CLI

Summary

● CRI● CRI-O● Ecosystem ● New tools from legos

Roadmap

● Switch to CRI-O as the default in Kube? (trollface)● Keep pace with upstream Kubernetes

○ Tracking and supporting k8s versions● Graduating out of incubator● GA in OpenShift 3.9 (not the default yet)● Default container runtime for OpenShift 3.10 (hopefully)● Deployed to OpenShift Online

Get involved!

Blog: https://medium.com/cri-o

Github: https://github.com/kubernetes-incubater/cri-o

IRC: freenode: #cri-o

Slack: sig-node

Site: https://cri-o.io, https://www.projectatomic.io

Obrigado!