Browse Source

Add support for CRI-O user namespaces (#8268)

* add support for cri-o user namespaces

* comply with yamllint rules
pull/8322/head
Nicolas MASSE 2 years ago
committed by GitHub
parent
commit
f01f7c54aa
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 45 additions and 0 deletions
  1. 21
      docs/cri-o.md
  2. 9
      roles/container-engine/cri-o/defaults/main.yml
  3. 14
      roles/container-engine/cri-o/tasks/main.yaml
  4. 1
      roles/container-engine/cri-o/templates/crio.conf.j2

21
docs/cri-o.md

@ -60,3 +60,24 @@ crio_pids_limit: 4096
[CRI-O]: https://cri-o.io/
[cri-o#1921]: https://github.com/cri-o/cri-o/issues/1921
## Note about user namespaces
CRI-O has support for user namespaces. This feature is optional and can be enabled by setting the following two variables.
```yaml
crio_runtimes:
- name: runc
path: /usr/bin/runc
type: oci
root: /run/runc
allowed_annotations:
- "io.kubernetes.cri-o.userns-mode"
crio_remap_enable: true
```
The `allowed_annotations` configures `crio.conf` accordingly.
The `crio_remap_enable` configures the `/etc/subuid` and `/etc/subgid` files to add an entry for the **containers** user.
By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.

9
roles/container-engine/cri-o/defaults/main.yml

@ -97,3 +97,12 @@ skopeo_packages:
# Configure the cri-o pids limit, increase this for heavily multi-threaded workloads
# see https://github.com/cri-o/cri-o/issues/1921
crio_pids_limit: 1024
# Reserve 16M uids and gids for user namespaces (256 pods * 65536 uids/gids)
# at the end of the uid/gid space
crio_remap_enable: false
crio_remap_user: containers
crio_subuid_start: 2130706432
crio_subuid_length: 16777216
crio_subgid_start: 2130706432
crio_subgid_length: 16777216

14
roles/container-engine/cri-o/tasks/main.yaml

@ -182,6 +182,20 @@
notify: restart crio
when: http_proxy is defined or https_proxy is defined
- name: Configure the uid/gid space for user namespaces
lineinfile:
path: '{{ item.path }}'
line: '{{ item.entry }}'
regex: '^\s*{{ crio_remap_user }}:'
state: '{{ "present" if crio_remap_enable | bool else "absent" }}'
loop:
- path: /etc/subuid
entry: '{{ crio_remap_user }}:{{ crio_subuid_start }}:{{ crio_subuid_length }}'
- path: /etc/subgid
entry: '{{ crio_remap_user }}:{{ crio_subgid_start }}:{{ crio_subgid_length }}'
loop_control:
label: '{{ item.path }}'
- name: Ensure crio service is started and enabled
service:
name: crio

1
roles/container-engine/cri-o/templates/crio.conf.j2

@ -294,6 +294,7 @@ runtime_path = "{{ runtime.path }}"
runtime_type = "{{ runtime.type }}"
runtime_root = "{{ runtime.root }}"
privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
allowed_annotations = {{ runtime.allowed_annotations|default([])|to_json }}
{% endfor %}
# Kata Containers with the Firecracker VMM

Loading…
Cancel
Save