Feat: change cri-o default runtime to crun
Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
pull/11601/head
ChengHao Yang
1 month ago
5 changed files with
25 additions and
8 deletions
-
roles/container-engine/cri-o/defaults/main.yml
-
roles/container-engine/cri-o/meta/main.yml
-
roles/container-engine/cri-o/tasks/main.yaml
-
roles/container-engine/cri-o/templates/crio.conf.j2
-
roles/kubespray-defaults/defaults/main/main.yml
|
|
@ -40,10 +40,10 @@ crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<m |
|
|
|
|
|
|
|
# The crio_runtimes variable defines a list of OCI compatible runtimes. |
|
|
|
crio_runtimes: |
|
|
|
- name: runc |
|
|
|
path: "{{ crio_runtime_bin_dir }}/runc" |
|
|
|
- name: crun |
|
|
|
path: "{{ crio_runtime_bin_dir }}/crun" |
|
|
|
type: oci |
|
|
|
root: /run/runc |
|
|
|
root: /run/crun |
|
|
|
|
|
|
|
# Kata Containers is an OCI runtime, where containers are run inside lightweight |
|
|
|
# VMs. Kata provides additional isolation towards the host, minimizing the host attack |
|
|
@ -56,6 +56,12 @@ kata_runtimes: |
|
|
|
root: /run/kata-containers |
|
|
|
privileged_without_host_devices: true |
|
|
|
|
|
|
|
runc_runtime: |
|
|
|
name: runc |
|
|
|
path: "{{ crio_runtime_bin_dir }}/runc" |
|
|
|
type: oci |
|
|
|
root: /run/runc |
|
|
|
|
|
|
|
# crun is a fast and low-memory footprint OCI Container Runtime fully written in C. |
|
|
|
crun_runtime: |
|
|
|
name: crun |
|
|
|
|
|
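Review bot: The default `crio_runtimes` list now spells out the crun entry inline while a separate `crun_runtime` mapping is still defined just below it, so the same handler is described in two places that can drift apart (only `name: crun` of the latter is visible in this hunk). Since `runc_runtime` is added here as a named mapping for reuse, consider building the default the same way, with `- "{{ crun_runtime }}"` as the single list item, or dropping `crun_runtime` if nothing else still references it. A one-line comment above `crio_runtimes`, such as `# crun is the default handler; runc is appended only when runc_enabled is true`, would also tell operators which runtime isolates their workloads by default.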
@ -1,5 +1,5 @@ |
|
|
|
--- |
|
|
|
dependencies: |
|
|
|
- role: container-engine/runc |
|
|
|
- role: container-engine/crun |
|
|
|
- role: container-engine/crictl |
|
|
|
- role: container-engine/skopeo |
|
|
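Review bot: Replacing `- role: container-engine/runc` with `- role: container-engine/crun` means nothing visible in this commit installs the runc binary any more, yet the new `runc_enabled` path registers a handler at `{{ crio_runtime_bin_dir }}/runc`. Unless runc is installed elsewhere (the rest of this file and of the tasks file lies outside the hunks), a node with `runc_enabled: true` would get a runtime entry whose binary is missing, and pods selecting that handler would fail to start. Consider pulling the runc role in conditionally from the tasks file, guarded by `when: runc_enabled`, or documenting where the binary is expected to come from.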
@ -36,11 +36,18 @@ |
|
|
|
when: |
|
|
|
- kata_containers_enabled |
|
|
|
|
|
|
|
- name: Cri-o | build a list of crio runtimes with crun runtime |
|
|
|
## After CRI-O v1.31, crun is default runtime. |
|
|
|
# - name: Cri-o | build a list of crio runtimes with crun runtime |
|
|
|
# set_fact: |
|
|
|
# crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}" |
|
|
|
# when: |
|
|
|
# - crun_enabled |
|
|
|
|
|
|
|
- name: Cri-o | build a list of crio runtimes with runc runtime |
|
|
|
set_fact: |
|
|
|
crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}" |
|
|
|
crio_runtimes: "{{ crio_runtimes + [runc_runtime] }}" |
|
|
|
when: |
|
|
|
- crun_enabled |
|
|
|
- runc_enabled |
|
|
|
|
|
|
|
- name: Cri-o | build a list of crio runtimes with youki runtime |
|
|
|
set_fact: |
|
|
|
|
|
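Review bot: The old crun task is left behind as five commented-out lines under `## After CRI-O v1.31, crun is default runtime.`; version control already keeps that history, so the block should be deleted rather than parked in the task file. A single comment in its place, for example `# crun is always present in the default crio_runtimes; only runc is optional`, says the same thing without dead YAML that a later edit could accidentally revive. The task list starts before this hunk and continues after it (the youki task is cut at `set_fact:`).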
@ -97,7 +97,7 @@ grpc_max_recv_msg_size = 16777216 |
|
|
|
|
|
|
|
# default_runtime is the _name_ of the OCI runtime to be used as the default. |
|
|
|
# The name is matched against the runtimes map below. |
|
|
|
default_runtime = "runc" |
|
|
|
default_runtime = "crun" |
|
|
|
|
|
|
|
# If true, the runtime will not use pivot_root, but instead use MS_MOVE. |
|
|
|
no_pivot = false |
|
|
|
|
|
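Review bot: `default_runtime = "crun"` is a literal, but the comment directly above it says the name is matched against the runtimes map, and that map is presumably rendered from `crio_runtimes`, which an inventory can override. An existing inventory that sets `crio_runtimes` to a runc-only list would, after this change, render a default that names no configured handler. Consider a pre-flight `assert` in the role that `'crun' in (crio_runtimes | map(attribute='name'))`, or rendering the default from a role variable instead of a literal. Because this switches the low-level runtime for every pod that does not request a specific handler, the upgrade notes should also state whether nodes must be drained before the new config is applied.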
@ -293,6 +293,10 @@ kata_containers_enabled: false |
|
|
|
# gVisor is only supported with container_manager Docker or containerd |
|
|
|
gvisor_enabled: false |
|
|
|
|
|
|
|
# Enable runc as additional container runtime |
|
|
|
# When enabled, it requires container_manager=crio |
|
|
|
runc_enabled: false |
|
|
|
|
|
|
|
# Enable crun as additional container runtime |
|
|
|
# When enabled, it requires container_manager=crio |
|
|
|
crun_enabled: false |
|
|
|
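Review bot: The comment kept above `crun_enabled` still reads `# Enable crun as additional container runtime`, which no longer matches the cri-o role: crun is now its default and the task that consumed `crun_enabled` is commented out in this same commit. Reword it along the lines of `# crun is the default runtime for container_manager=crio; this flag is not read by the cri-o role`, adjusted for any other role that still reads the variable. Otherwise an operator who leaves `crun_enabled: false` would reasonably expect runc to be running their workloads and get crun instead.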