cri-o (ocid)

cri-o

cri-o brings a native OCI runtime (currently only runc is supported) to Kubernetes through the Kubelet Container Runtime Interface (CRI). cri-o is still under active development; its first alpha release is expected alongside Kubernetes v1.5.

How cri-o works

Main components

Pod structure

conmon

Building and installing

# CentOS/Fedora
# yum install -y btrfs-progs-devel device-mapper-devel glib2-devel glibc-devel glibc-static gpgme-devel libassuan-devel libgpg-error-devel libseccomp-devel libselinux-devel ostree-devel pkgconfig runc
# Ubuntu
apt-get install -y linux-headers-$(uname -r) build-essential
apt-get install -y btrfs-tools libassuan-dev libdevmapper-dev libglib2.0-dev libc6-dev libgpgme11-dev libgpg-error-dev libseccomp-dev libselinux1-dev pkg-config runc libapparmor-dev
# get and build cri-o
mkdir -p $GOPATH/src/github.com/kubernetes-incubator
cd $_ # or cd $GOPATH/src/github.com/kubernetes-incubator
git clone https://github.com/kubernetes-incubator/cri-o # or your fork
cd cri-o
make install.tools
make
sudo make install
make install.config

Install CNI:

# get cni
go get -d github.com/containernetworking/plugins
cd $GOPATH/src/github.com/containernetworking/plugins
./build.sh
# build and install
sudo mkdir -p /opt/cni/bin
sudo cp bin/* /opt/cni/bin/
# config cni
sudo mkdir -p /etc/cni/net.d
sudo sh -c 'cat >/etc/cni/net.d/10-mynet.conf <<-EOF
{
"cniVersion": "0.2.0",
"name": "mynet",
"type": "bridge",
"bridge": "cni0",
"isGateway": true,
"ipMasq": true,
"ipam": {
"type": "host-local",
"subnet": "10.88.0.0/16",
"routes": [
{ "dst": "0.0.0.0/0" }
]
}
}
EOF'
sudo sh -c 'cat >/etc/cni/net.d/99-loopback.conf <<-EOF
{
"cniVersion": "0.2.0",
"type": "loopback"
}
EOF'

Starting cri-o

sudo sh -c 'echo "[Unit]
Description=OCI-based implementation of Kubernetes Container Runtime Interface
Documentation=https://github.com/kubernetes-incubator/cri-o
[Service]
ExecStart=/usr/local/bin/crio --debug
Restart=on-failure
RestartSec=5
[Install]
WantedBy=multi-user.target" > /etc/systemd/system/crio.service'
sudo systemctl daemon-reload
sudo systemctl enable crio
sudo systemctl start crio

Using cri-o standalone

cd $GOPATH/src/github.com/kubernetes-incubator/cri-o
# create sandbox
POD_ID=$(sudo crioctl pod run --config test/testdata/sandbox_config.json)
sudo crioctl pod status --id $POD_ID
# create container
sudo crioctl image pull redis:alpine
CONTAINER_ID=$(sudo crioctl ctr create --pod $POD_ID --config test/testdata/container_redis.json)
sudo crioctl ctr start --id $CONTAINER_ID
sudo crioctl ctr status --id $CONTAINER_ID
# stop and remove
sudo crioctl ctr stop --id $CONTAINER_ID
sudo crioctl ctr remove --id $CONTAINER_ID
sudo crioctl pod stop --id $POD_ID
sudo crioctl pod remove --id $POD_ID

Process hierarchy after starting a redis container:

├─crio ExecReload=/bin/kill -s HUP
│ ├─conmon -c default-podsandbox1-0-infra -r /usr/local/sbin/runc
│ │ └─pause
│ ├─conmon -c default-podsandbox1-0-podsandbox1-redis-0 -r /usr/local/sbin/runc
│ │ └─redis-server
│ │ └─2*[{redis-server}]
│ └─9*[{crio}]
├─13009 crio --runtime /usr/sbin/runc --debug
├─13049 /usr/libexec/crio/conmon -c default-podsandbox1-0-infra -r /usr/sbin/runc
├─16081 /usr/libexec/crio/conmon -c default-podsandbox1-0-podsandbox1-redis-0 -r /usr/sbin/runc
├─podsandbox1.slice:container:infra
│ └─13058 /pause
└─default-podsandbox1-0-podsandbox1-redis-0
└─16090 redis-server *:6379

Kubernetes cri-o

CONTAINER_RUNTIME=remote CONTAINER_RUNTIME_ENDPOINT='/var/run/crio.sock --runtime-request-timeout=15m' ./hack/local-up-cluster.sh

Clear Container

Intel Clear Container is an OCI-compliant container engine that runs each container inside an Intel VT-x based virtual machine, using techniques such as KSM memory sharing and a mini-OS to speed up startup.

Clear Container can run under dockerd; configure it with:

dockerd --add-runtime cc-runtime=/usr/bin/cc-runtime --default-runtime=cc-runtime

It can also manage Kubernetes containers through cri-o; to enable this, only the crio configuration file /etc/crio/crio.conf needs to be changed:

runtime_untrusted_workload = "/usr/local/bin/cc-runtime"
default_workload_trust = "untrusted"
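The two crio.conf keys above decide whether a pod that is not explicitly trusted is isolated by the VM-based cc-runtime or falls back to runc. The script below is an added example (not from the original post or the cri-o project) that audits those settings in a given crio.conf; it assumes the keys appear in TOML form `key = "value"`, and the two sample configs it checks are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example: audit workload-trust settings in a crio.conf.
# Assumes the page's keys default_workload_trust and
# runtime_untrusted_workload, written as  key = "value".

# Print the string value of a TOML key (first match, quotes stripped).
crio_conf_get() {
  key="$1"; conf="$2"
  sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$conf" | head -n 1
}

# Return 0 when untrusted workloads are routed to a dedicated runtime and
# pods are untrusted by default; return 1 otherwise, with a one-line verdict.
check_untrusted_isolation() {
  conf="$1"
  trust="$(crio_conf_get default_workload_trust "$conf")"
  untrusted_rt="$(crio_conf_get runtime_untrusted_workload "$conf")"
  if [ -z "$untrusted_rt" ]; then
    echo "FAIL: runtime_untrusted_workload is unset; untrusted pods use the default runtime (runc)"
    return 1
  fi
  case "$untrusted_rt" in
    /*) ;;
    *) echo "FAIL: runtime_untrusted_workload '$untrusted_rt' is not an absolute path"; return 1 ;;
  esac
  if [ "$trust" != "untrusted" ]; then
    echo "WARN: default_workload_trust='$trust'; only pods marked untrusted use $untrusted_rt"
    return 1
  fi
  echo "OK: pods are untrusted by default and isolated with $untrusted_rt"
  return 0
}

# Constructed sample configs (not real files from any host).
WEAK_CONF="$(mktemp)"
HARDENED_CONF="$(mktemp)"
cat >"$WEAK_CONF" <<'EOF'
[crio.runtime]
runtime = "/usr/bin/runc"
runtime_untrusted_workload = ""
default_workload_trust = "trusted"
EOF
cat >"$HARDENED_CONF" <<'EOF'
[crio.runtime]
runtime = "/usr/bin/runc"
runtime_untrusted_workload = "/usr/local/bin/cc-runtime"
default_workload_trust = "untrusted"
EOF

check_untrusted_isolation "$WEAK_CONF"
check_untrusted_isolation "$HARDENED_CONF"
```

Point the function at the real /etc/crio/crio.conf to verify a host after applying the change above.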

References
