Merge pull request #11601 from tico88612/feat/crio-default-crun

Feat: CRI-O v1.31 change default runtime to crun

roles/container-engine/cri-o/defaults/main.yml

@@ -2,6 +2,7 @@
 
 crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('systemd') }}"
 crio_conmon: "{{ bin_dir }}/conmon"
+crio_default_runtime: "crun"
 crio_libexec_dir: "/usr/libexec/crio"
 crio_enable_metrics: false
 crio_log_level: "info"
@@ -40,10 +41,10 @@ crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<m
 
 # The crio_runtimes variable defines a list of OCI compatible runtimes.
 crio_runtimes:
-  - name: runc
-    path: "{{ crio_runtime_bin_dir }}/runc"
+  - name: crun
+    path: "{{ crio_runtime_bin_dir }}/crun"
     type: oci
-    root: /run/runc
+    root: /run/crun
 
 # Kata Containers is an OCI runtime, where containers are run inside lightweight
 # VMs. Kata provides additional isolation towards the host, minimizing the host attack
@@ -56,6 +57,12 @@ kata_runtimes:
     root: /run/kata-containers
     privileged_without_host_devices: true
 
+runc_runtime:
+  name: runc
+  path: "{{ crio_runtime_bin_dir }}/runc"
+  type: oci
+  root: /run/runc
+
 # crun is a fast and low-memory footprint OCI Container Runtime fully written in C.
 crun_runtime:
   name: crun

roles/container-engine/cri-o/meta/main.yml

@@ -1,5 +1,5 @@
 ---
 dependencies:
-  - role: container-engine/runc
+  - role: container-engine/crun
   - role: container-engine/crictl
   - role: container-engine/skopeo

roles/container-engine/cri-o/molecule/default/tests/test_default.py

@@ -21,7 +21,7 @@ def test_run(host):
     assert "RuntimeName:  cri-o" in cmd.stdout
 
 def test_run_pod(host):
-    runtime = "runc"
+    runtime = "crun"
 
     run_command = "/usr/local/bin/crictl run --with-pull --runtime {} /tmp/container.json /tmp/sandbox.json".format(runtime)
     with host.sudo():

roles/container-engine/cri-o/tasks/main.yaml

@@ -36,11 +36,18 @@
   when:
     - kata_containers_enabled
 
-- name: Cri-o | build a list of crio runtimes with crun runtime
+## After CRI-O v1.31, crun is default runtime.
+# - name: Cri-o | build a list of crio runtimes with crun runtime
+#   set_fact:
+#     crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+#   when:
+#     - crun_enabled
+
+- name: Cri-o | build a list of crio runtimes with runc runtime
   set_fact:
-    crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+    crio_runtimes: "{{ crio_runtimes + [runc_runtime] }}"
   when:
-    - crun_enabled
+    - runc_enabled
 
 - name: Cri-o | build a list of crio runtimes with youki runtime
   set_fact:

roles/container-engine/cri-o/templates/crio.conf.j2

@@ -97,7 +97,7 @@ grpc_max_recv_msg_size = 16777216
 
 # default_runtime is the _name_ of the OCI runtime to be used as the default.
 # The name is matched against the runtimes map below.
-default_runtime = "runc"
+default_runtime = "{{ crio_default_runtime }}"
 
 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
 no_pivot = false

roles/kubespray-defaults/defaults/main/checksums.yml

@@ -687,6 +687,10 @@ runc_checksums:
     v1.1.8: a816cd654e804249c4f757cc6bf2aa2c128e4b8e6a993067d44c63c891c081ab
 crun_checksums:
   arm:
+    1.17: 0
+    1.16.1: 0
+    1.16: 0
+    1.15: 0
     1.14.4: 0
     1.14.3: 0
     1.14.2: 0
@@ -695,6 +699,10 @@ crun_checksums:
     1.11.1: 0
     1.9.2: 0
   arm64:
+    1.17: 3049017b99208f5ecd15c1366f47a77dace87f42dccf317ad40a07f1a867518c
+    1.16.1: 973817340e6da12c90c751b011c797396940cca965cefa74557bd1c0939f4042
+    1.16: 4595ff16487b16d2158fa8c3452bc0e1ecdc177ab2ace40fc02cd6e49838ff67
+    1.15: 2ed5fe6def4c1d57f219747bac5e71cb22312ef026fe63ed8e3246a4dcfebe13
     1.14.4: 308f8719055de178897f66cbb72d6a02567050ac645dd5eca52f48de347dda6c
     1.14.3: 0486629e1599c3bccded279f6555ff22691958cde56203ceca099af6f2407263
     1.14.2: 409ebdcb4935b004ce0efa8ada4aaf8d4dd63b77cde1d0acdf55664c168acbd9
@@ -703,6 +711,10 @@ crun_checksums:
     1.11.1: c8b0d243f6ac4fb02665c157b5404e5184bdc9240dbdcdde0ccef2db352ce97a
     1.9.2: 1ad8bd3c1aa693f59133c480aa13bbdf6d81e4528e72ce955612c6bae8cb1720
   amd64:
+    1.17: e9512a3e034e781b2396d068fd24eafcd5788e410403da886df9dc8871d504a5
+    1.16.1: 7b6f1791fb9b2c49ec959b9384b3c4e2ec8c69945fd5292a179d23eb62422eb3
+    1.16: 7f53bffd6b0e216f8f6d6472bb73dc4c6c4ea2c2e7342c52d4bee2972798ce68
+    1.15: f02c66dcc38b9d06f19a92dfb5ac831aba9c33ae48dbf4ab92d7680ca1140172
     1.14.4: 4f170aaa10d2ef02560cfb60b67ddfa1a83b1b4f7018227e9cb23a6af3955ec1
     1.14.3: 80c5ab9422d4672f650f2bad3da933568349b64117d055486abc3534517be2af
     1.14.2: 4d3a64961ea9e6a1313ab807f86a17bc6ebcecad2df84a120322fddebff00bcf
@@ -711,13 +723,17 @@ crun_checksums:
     1.11.1: ca8c9cef23f4a3f7a635ee58a3d9fa35e768581fda89dc3b6baed219cc407a02
     1.9.2: 2bb60bcd5652cb17e44f66f0b8ae48195434bd1d66593db97fba85c7778eac53
   ppc64le:
-    1.14.4: 0
-    1.14.3: 0
-    1.14.2: 0
-    1.14.1: 0
-    1.11.2: 0
-    1.11.1: 0
-    1.9.2: 0
+    1.17: ca8ee0fabcac57b61b80f6c234ae20b3b9821433fdf1a6306be5defeac11930e
+    1.16.1: 9590ce79697c5509731f8e58d1733b7051c36f92104925221ca8bda800afee41
+    1.16: fc7199a2faac1ca0e3e58dee4dd369b9065aa0d95f3257d8803e521213f1bd9b
+    1.15: dd0aad6140175ef83792e601c8e89cf66813486e9070aac7f39cac040283d4fd
+    1.14.4: aa7263d3c54e478158ed5a70a435208096e434e58ccbc2a334ecbbbc384eff09
+    1.14.3: b3304ce1a983e4e1abd4b2bc59eedaa188299be838bdcd8b376f1f8d489bdc94
+    1.14.2: 1cf8f3296d1f6ab4189da565d2ac3552059e8e455cc665b913f4b5f3e484bdd7
+    1.14.1: a1935fd9a76f0d68a3393927f45cf5627c20915046a254d4fd27531865617b91
+    1.11.2: 467f2c1e95f3dc4161d0c0dd1d76601ab3de6d84460d17e1a6647474e948f264
+    1.11.1: 723528913c24fac8fc7c4418b9780090eba74ac2d82435c673dedc3af39d5abe
+    1.9.2: 42813b5bea2137bf9abcd1bcaa098a7d61fbbffd2a35d9c9f0f1ba79fb74eb5b
 youki_checksums:
   arm:
     0.4.1: 0
@@ -1078,6 +1094,10 @@ containerd_archive_checksums:
     1.6.14: 73025da0666079fc3bbd48cf185da320955d323c7dc42d8a4ade0e7926d62bb0
 skopeo_binary_checksums:
   arm:
+    v1.16.1: 0
+    v1.16.0: 0
+    v1.15.2: 0
+    v1.15.1: 0
     v1.15.0: 0
     v1.14.2: 0
     v1.14.1: 0
@@ -1086,7 +1106,14 @@ skopeo_binary_checksums:
     v1.13.1: 0
     v1.13.0: 0
   arm64:
+    v1.16.1: 3272f15f469af843d325134ff8a77a069d647c5f247766715c098b8f0622b627
+    v1.16.0: 331b09b3b6e6550c178ea1c2fb2bdc5bdbd90c6f6e8d86a974f1117d6ab2fabe
+    v1.15.2: f81487af3104e37537ff21f1b2527b294f5cc4e7988941a1655ded97c027ac1d
+    v1.15.1: e20e34f96b5545bacd469b0d85ccce811ffbe2809db36248a3becb4638276959
     v1.15.0: bde8cc7e764d246281430d5da07ca906ee0838803199e3a6136a58802b2e0207
+    v1.14.5: 23e157de988c6020f1300b5d73d84d2fed2823ed61dbc6828de3552e9c77a6db
+    v1.14.4: d825f93b28cf7502569fe75c46aa78187bb63b6bc06036621de7b63290b51058
+    v1.14.3: e93a82b88e9bff46cbe4e68f96e265d934026a845b76ce51672c7cce26fba164
     v1.14.2: 364c46085de31edf4b312f13587442f4eade1f181bc5a9ea2ab2ffab5b575916
     v1.14.1: fd4fc0adae14f27788fd52cf0d23be2cfd1963e184c4af689de30185455e29a6
     v1.13.3: 1f7726b020ff9bc931ce16caa13c29999738a231f1414028282cd8f8661eb747
@@ -1094,7 +1121,14 @@ skopeo_binary_checksums:
     v1.13.1: 3b7db2b827fea432aa8a861b5caa250271c05da70bd240aa4045f692eba52e24
     v1.13.0: d23e43323c0a441d1825f9da483b07c7f265f2bd0a4728f7daac4239460600a3
   amd64:
+    v1.16.1: 8813fb7fcd7a723196ac287683dd929d280f6fe7f0782eace452fe1e3ff2b7eb
+    v1.16.0: 7bc31ed810d1366304d2e975c2910cea5e22cbd68f8316f14cacf44f6c0bd1d2
+    v1.15.2: 6b84d1158f29610f692f24c82459a865c2a21911647cc0cdf44027e7a59f73ba
+    v1.15.1: d45a93dab851f072fe5d3f0419f5c8bb3ee48069b588c211cccebd023fd5ae3a
     v1.15.0: 3cdbcde0163abb4c942f62d0302479d5aa4d31c5970d712841cf5d5f76edc594
+    v1.14.5: 180c2d7e8bc00685ba291572db6ddd90acadf03af7595521da17ae1f2c28f4b1
+    v1.14.4: 4c6f8f7c6e5f01675adff8c5bbb542d8d02b9bbdecf0d2abac1e99b8a34a9768
+    v1.14.3: 2db7e036e99ad3b808aaffbafc5267391bd3ba2f45ff03dd0090686eb3eb0f1e
     v1.14.2: 51218f93a2b079e36a36f7fbe2d2d86778be0a6947653031b4f9e254e2469224
     v1.14.1: 6b7776bcdf0c92af5d3f3c91a959d091011b42d839025b90f12b7201a083f308
     v1.13.3: 65707992885b1a4a446af6342874749478a1af7e17ab3f4df8fb89509e8b1966
@@ -1102,7 +1136,14 @@ skopeo_binary_checksums:
     v1.13.1: 8c15c56a6caffeb863c17d73a6361218c04c7763e020fffc8d5d6745cacfa901
     v1.13.0: 8cb477ee25010497fc9df53a6205dbd9fe264dd8a5ea4e934b9ec24d5bdc126c
   ppc64le:
+    v1.16.1: 248f8f601e4c40dd6d603b66ac26246f96d18451cc3642718c59afb6c2403cf7
+    v1.16.0: 24f1266d6146c27143b5002387c5b68086f1355de7db5c9bfe820928e3b8e298
+    v1.15.2: 5b123d38c34024e8b62b3bc94abfeea3007291743260bf7f62b2a1d935f1c3f9
+    v1.15.1: 39a4a6d77daca09a93a0b490285f48cd9040da1ba9c05b1f9709483e4f65c318
     v1.15.0: fb7f390f52f4b81f85d9bdce8715af5e27ee3969eff236b5f3c0f3a0b5a182e1
+    v1.14.5: 4ed476c46fabb3b320aac9b88ddc1b7a2665cb151a93482db7cb98e5768a768f
+    v1.14.4: f1b37ad1b83bd43bada6e49518165cf41d727d0662351dc5fcc9a46f0c3b4482
+    v1.14.3: 9028b7c4aafe235f1ba4efd57435b97ace341e544d3a6807440ac3b0f32d7d73
     v1.14.2: 0
     v1.14.1: 0
     v1.13.3: 0

roles/kubespray-defaults/defaults/main/download.yml

@@ -74,7 +74,7 @@ image_info_command_on_localhost: "{{ lookup('vars', image_command_tool_on_localh
 image_arch: "{{ host_architecture | default('amd64') }}"
 
 # Versions
-crun_version: 1.14.4
+crun_version: 1.17
 runc_version: v1.1.14
 kata_containers_version: 3.1.3
 youki_version: 0.4.1
@@ -126,7 +126,7 @@ multus_version: "v4.1.0"
 helm_version: "v3.15.4"
 nerdctl_version: "1.7.7"
 krew_version: "v0.4.4"
-skopeo_version: "v1.15.0"
+skopeo_version: "v1.16.1"
 
 # Get kubernetes major version (i.e. 1.17.4 => 1.17)
 kube_major_version: "{{ kube_version | regex_replace('^v([0-9])+\\.([0-9]+)\\.[0-9]+', 'v\\1.\\2') }}"

roles/kubespray-defaults/defaults/main/main.yml

@@ -293,6 +293,10 @@ kata_containers_enabled: false
 # gVisor is only supported with container_manager Docker or containerd
 gvisor_enabled: false
 
+# Enable runc as additional container runtime
+# When enabled, it requires container_manager=crio
+runc_enabled: false
+
 # Enable crun as additional container runtime
 # When enabled, it requires container_manager=crio
 crun_enabled: false