Merge pull request #12900 from AkihiroSuda/rootless-crio

Support CRI-O runtime with Rootless Docker driver (`--driver=docker --container-runtime=cri-o`)
pull/12940/head
Medya Ghazizadeh 2021-11-11 16:05:36 -08:00 committed by GitHub
commit 80b4e238cf
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 52 additions and 7 deletions

View File

@ -509,9 +509,8 @@ func generateNewConfigFromFlags(cmd *cobra.Command, k8sVersion string, drvName s
exit.Message(reason.Usage, "Ensure your {{.driver_name}} is running and is healthy.", out.V{"driver_name": driver.FullName(drvName)})
}
if si.Rootless {
if cc.KubernetesConfig.ContainerRuntime != "containerd" {
exit.Message(reason.Usage, "Container runtime must be set to \"containerd\" for rootless")
// TODO: support cri-o (https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#configuring-cri)
if cc.KubernetesConfig.ContainerRuntime == "docker" {
exit.Message(reason.Usage, "--container-runtime must be set to \"containerd\" or \"cri-o\" for rootless")
}
// KubeletInUserNamespace feature gate is essential for rootless driver.
// See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/

View File

@ -22,6 +22,7 @@ import (
"os"
"os/exec"
"path"
"path/filepath"
"strings"
"time"
@ -147,11 +148,50 @@ func enableIPForwarding(cr CommandRunner) error {
return nil
}
// enableRootless enables configurations for running CRI-O in Rootless Docker.
//
// 1. Create /etc/systemd/system/crio.service.d/10-rootless.conf to set _CRIO_ROOTLESS=1
// 2. Create /etc/crio/crio.conf.d/10-fuse-overlayfs.conf to enable fuse-overlayfs
// 3. Reload systemd
//
// See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#configuring-cri
func (r *CRIO) enableRootless() error {
files := map[string]string{
"/etc/systemd/system/crio.service.d/10-rootless.conf": `[Service]
Environment="_CRIO_ROOTLESS=1"
`,
"/etc/crio/crio.conf.d/10-fuse-overlayfs.conf": `[crio]
storage_driver = "overlay"
storage_option = ["overlay.mount_program=/usr/local/bin/fuse-overlayfs"]
`,
}
for target, content := range files {
targetDir := filepath.Dir(target)
c := exec.Command("sudo", "mkdir", "-p", targetDir)
if _, err := r.Runner.RunCmd(c); err != nil {
return errors.Wrapf(err, "failed to create directory %q", targetDir)
}
asset := assets.NewMemoryAssetTarget([]byte(content), target, "0644")
err := r.Runner.Copy(asset)
asset.Close()
if err != nil {
return errors.Wrapf(err, "failed to create %q", target)
}
}
// reload systemd to apply our changes on /etc/systemd
if err := r.Init.Reload("crio"); err != nil {
return err
}
if r.Init.Active("crio") {
if err := r.Init.Restart("crio"); err != nil {
return err
}
}
return nil
}
// Enable idempotently enables CRIO on a host
func (r *CRIO) Enable(disOthers, forceSystemd, inUserNamespace bool) error {
if inUserNamespace {
return errors.New("inUserNamespace must not be true for cri-o (yet)")
}
if disOthers {
if err := disableOthers(r, r.Runner); err != nil {
klog.Warningf("disableOthers: %v", err)
@ -171,6 +211,12 @@ func (r *CRIO) Enable(disOthers, forceSystemd, inUserNamespace bool) error {
return err
}
}
if inUserNamespace {
if err := r.enableRootless(); err != nil {
return err
}
}
// NOTE: before we start crio explicitly here, crio might be already started automatically
return r.Init.Start("crio")
}

View File

@ -32,7 +32,7 @@ docker context use rootless
minikube start --driver=docker --container-runtime=containerd
```
The `--container-runtime` flag must be currently set to "containerd".
The `--container-runtime` flag must be set to "containerd" or "cri-o".
The restrictions of rootless `kind` apply to minikube with rootless docker as well.