CRI-O All the Runtime Kubernetes need Antonio Murdaca < - - PowerPoint PPT Presentation

Antonio Murdaca < runcom@redhat.com > Senior Software Engineer, Red Hat Inc. @runc0m

CRI-O

All the Runtime Kubernetes need

Issues...

• Docker
• ...breaks
• rkt
• Pod concept
• Maintenance
• Pluggability

CRI Container Runtime Interface

• Plug and play
• Protocol buffers
• gRPC
• 1.5+
• Client - Server

Runtime Service

• Pods lifecycle
• Containers lifecycle
• Interactions

Image Service

• Images lifecycle
• FS information

CRI in action

• Open governance
• Open source
• Lean
• Stable
• Secure
• BORING!

CRI-O

• Tied to the CRI
• Shaped around Kubernetes
• Only supported user is

Kubernetes

• No features that can mine

stability and performance

• Versioning is tied to

Kubernetes

• Support is tied to Kubernetes

Scope

Architecture

OCI runtimes

containers/storage

• verlayfs (default)
• Manage layers on COW
• Former “storage drivers”

containers/image

• Where everything started
• Battle tested
• Seamlessly pull any of your

images

• New features

OCI runtime tools

• Generates OCI configurations
• OCI runtimes can understand

the very same configuration

• There’s a library!!!
• Run containers

CNI - Container Network Interface

• Pluggable network stack
• Flannel
• Weave
• …
• penshift-sdn

conmon

• Monitoring
• Logging
• Handling tty
• Serving attach clients
• Detecting and reporting OOM
• CRI-O restarts

Pod architecture (runc)

Infra Container

Pod

(ipc, net, pid namespaces) Container A (runc) Container B (runc) conmon conmon conmon

Pod architecture (Clear Containers & Kata Containers)

Pod

conmon

Virtual Machine

Container B Container A conmon cc-shim cc-shim Agent

...live demo?

• k8s tests
• OpenShift tests
• critest
• Integration tests
• Performance tests
• On every PR
• Tests?
• Tests??
• Tests???
• Tests????
• Tests?????

Status

Status

• CRI at any time is fully implemented
• Released 1.7 (1.0), 1.8, 1.9, 1.10, 1.11-dev
• Maintainers/contributors from Red Hat, Intel, IBM,

SUSE, Lyft and many others (80+)

• Kubeadm works for setting up k8s with CRI-O
• Minikube works
• Support for mixed workloads
• Deployed to our OpenShift Online test cluster
• Available in Fedora, Ubuntu, RHEL ...

Kubernetes setup

$ minikube start \

• -network-plugin=cni \
• -container-runtime=cri-o \
• -bootstrapper=kubeadm

Local Kubernetes setup

$ CONTAINER_RUNTIME=remote \ CONTAINER_RUNTIME_ENDPOINT=' \ /var/run/crio/crio.sock \

• -runtime-request-timeout=5m' \

hack/local-up-cluster.sh

OpenShift setup

[...] kubeletArguments: [...] container-runtime-endpoint:

• "/var/run/crio/crio.sock"

container-runtime:

• "remote"

runtime-request-timeout:

• "15m"

[...]

Debug

• https://github.com/kubernetes-incubat
• r/cri-tools
• crictl
• Upstream community tool
• Debugging through the CRI on a node
• Work is ongoing to move the project

into Kubernetes core

skopeo

• Play with container images
• No daemon running
• Perfect for pipelines (Jenkins?)
• Transports

buildah

• Build images
• No daemon running
• shell-like syntax
• Build from Dockerfile(s)

podman

• Running containers
• Integrated with CRI-O (soon)
• No daemon running
• Known CLI

Summary

• CRI
• CRI-O
• Ecosystem
• New tools from legos

Roadmap

• Switch to CRI-O as the default in Kube? (trollface)
• Keep pace with upstream Kubernetes

○ Tracking and supporting k8s versions

• Graduating out of incubator
• GA in OpenShift 3.9 (not the default yet)
• Default container runtime for OpenShift 3.10 (hopefully)
• Deployed to OpenShift Online

Get involved!

Blog: https://medium.com/cri-o Github: https://github.com/kubernetes-incubater/cri-o IRC: freenode: #cri-o Slack: sig-node Site: https://cri-o.io, https://www.projectatomic.io

Obrigado!