CRI-O All the Runtime Kubernetes need Antonio Murdaca < - PowerPoint PPT Presentation

CRI-O All the Runtime Kubernetes need Antonio Murdaca < runcom@redhat.com > Senior Software Engineer, Red Hat Inc. @runc0m

Issues... ● Docker ● ...breaks ● rkt ● Pod concept ● Maintenance ● Pluggability

CRI Container Runtime Interface Plug and play ● ● Protocol buffers ● gRPC ● 1.5+ Client - Server ●

Runtime Service Pods lifecycle ● ● Containers lifecycle ● Interactions

Image Service Images lifecycle ● ● FS information

CRI in action

CRI-O Open governance ● ● Open source ● Lean Stable ● Secure ● ● BORING!

Scope ● Tied to the CRI Shaped around Kubernetes ● Only supported user is ● Kubernetes ● No features that can mine stability and performance Versioning is tied to ● Kubernetes ● Support is tied to Kubernetes

Architecture

OCI runtimes

containers/storage overlayfs (default) ● ● Manage layers on COW ● Former “storage drivers”

containers/image Where everything started ● ● Battle tested ● Seamlessly pull any of your images New features ●

OCI runtime tools Generates OCI configurations ● ● OCI runtimes can understand the very same configuration There’s a library!!! ● Run containers ●

CNI - Container Network Interface Pluggable network stack ● ● Flannel ● Weave … ● openshift-sdn ●

conmon Monitoring ● ● Logging ● Handling tty Serving attach clients ● Detecting and reporting OOM ● ● CRI-O restarts

Pod architecture (runc) conmon conmon conmon Infra Container Container A Container B (runc) (runc) Pod (ipc, net, pid namespaces)

Pod architecture (Clear Containers & Kata Containers) Pod conmon cc-shim Container B Agent Container A conmon cc-shim Virtual Machine

...live demo?

Status k8s tests ● ● OpenShift tests ● critest Integration tests ● Performance tests ● ● On every PR ● Tests? Tests?? ● Tests??? ● ● Tests???? ● Tests?????

Status ● CRI at any time is fully implemented Released 1.7 (1.0), 1.8, 1.9, 1.10, 1.11-dev ● Maintainers/contributors from Red Hat, Intel, IBM, ● SUSE, Lyft and many others (80+) ● Kubeadm works for setting up k8s with CRI-O Minikube works ● Support for mixed workloads ● ● Deployed to our OpenShift Online test cluster ● Available in Fedora, Ubuntu, RHEL ...

Kubernetes setup $ minikube start \ --network-plugin=cni \ --container-runtime=cri-o \ --bootstrapper=kubeadm

Local Kubernetes setup $ CONTAINER_RUNTIME=remote \ CONTAINER_RUNTIME_ENDPOINT=' \ /var/run/crio/crio.sock \ --runtime-request-timeout=5m' \ hack/local-up-cluster.sh

OpenShift setup [...] kubeletArguments: [...] container-runtime-endpoint: - "/var/run/crio/crio.sock" container-runtime: - "remote" runtime-request-timeout: - "15m" [...]

Debug ● https://github.com/kubernetes-incubat or/cri-tools crictl ● Upstream community tool ● ● Debugging through the CRI on a node ● Work is ongoing to move the project into Kubernetes core

skopeo Play with container images ● ● No daemon running ● Perfect for pipelines (Jenkins?) Transports ●

buildah Build images ● ● No daemon running ● shell-like syntax Build from Dockerfile(s) ●

podman Running containers ● ● Integrated with CRI-O (soon) ● No daemon running Known CLI ●

Summary CRI ● ● CRI-O ● Ecosystem New tools from legos ●

Roadmap ● Switch to CRI-O as the default in Kube? (trollface) Keep pace with upstream Kubernetes ● Tracking and supporting k8s versions ○ ● Graduating out of incubator ● GA in OpenShift 3.9 (not the default yet) Default container runtime for OpenShift 3.10 (hopefully) ● Deployed to OpenShift Online ●

Get involved! Blog : https://medium.com/cri-o Github : https://github.com/kubernetes-incubater/cri-o IRC : freenode: #cri-o Slack : sig-node Site : https://cri-o.io, https://www.projectatomic.io

Obrigado!