From d7e728487c3829e8ebec133fd7e9d69e0a6e61da Mon Sep 17 00:00:00 2001 From: Akihiro Suda Date: Tue, 9 Nov 2021 15:03:43 +0900 Subject: [PATCH] Support CRI-O runtime with Rootless Docker driver Follow-up to PR 12359 (containerd runtime with Rootless Docker driver). Usage (needs cgroup v2): ``` dockerd-rootless-setuptool.sh install docker context use rootless minikube start --driver=docker --container-runtime=cri-o ``` See site/content/en/docs/drivers/includes/docker_usage.inc Signed-off-by: Akihiro Suda --- cmd/minikube/cmd/start_flags.go | 5 +- pkg/minikube/cruntime/crio.go | 52 +++++++++++++++++-- .../en/docs/drivers/includes/docker_usage.inc | 2 +- 3 files changed, 52 insertions(+), 7 deletions(-) diff --git a/cmd/minikube/cmd/start_flags.go b/cmd/minikube/cmd/start_flags.go index 2b9289bc22..5a4ef38919 100644 --- a/cmd/minikube/cmd/start_flags.go +++ b/cmd/minikube/cmd/start_flags.go @@ -509,9 +509,8 @@ func generateNewConfigFromFlags(cmd *cobra.Command, k8sVersion string, drvName s exit.Message(reason.Usage, "Ensure your {{.driver_name}} is running and is healthy.", out.V{"driver_name": driver.FullName(drvName)}) } if si.Rootless { - if cc.KubernetesConfig.ContainerRuntime != "containerd" { - exit.Message(reason.Usage, "Container runtime must be set to \"containerd\" for rootless") - // TODO: support cri-o (https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#configuring-cri) + if cc.KubernetesConfig.ContainerRuntime == "docker" { + exit.Message(reason.Usage, "--container-runtime must be set to \"containerd\" or \"cri-o\" for rootless") } // KubeletInUserNamespace feature gate is essential for rootless driver. // See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/ diff --git a/pkg/minikube/cruntime/crio.go b/pkg/minikube/cruntime/crio.go index 258bdebb89..1d36e76be4 100644 --- a/pkg/minikube/cruntime/crio.go +++ b/pkg/minikube/cruntime/crio.go @@ -22,6 +22,7 @@ import ( "os" "os/exec" "path" + "path/filepath" "strings" "time" @@ -147,11 +148,50 @@ func enableIPForwarding(cr CommandRunner) error { return nil } +// enableRootless enables configurations for running CRI-O in Rootless Docker. +// +// 1. Create /etc/systemd/system/crio.service.d/10-rootless.conf to set _CRIO_ROOTLESS=1 +// 2. Create /etc/crio/crio.conf.d/10-fuse-overlayfs.conf to enable fuse-overlayfs +// 3. Reload systemd +// +// See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#configuring-cri +func (r *CRIO) enableRootless() error { + files := map[string]string{ + "/etc/systemd/system/crio.service.d/10-rootless.conf": `[Service] +Environment="_CRIO_ROOTLESS=1" +`, + "/etc/crio/crio.conf.d/10-fuse-overlayfs.conf": `[crio] +storage_driver = "overlay" +storage_option = ["overlay.mount_program=/usr/local/bin/fuse-overlayfs"] +`, + } + for target, content := range files { + targetDir := filepath.Dir(target) + c := exec.Command("sudo", "mkdir", "-p", targetDir) + if _, err := r.Runner.RunCmd(c); err != nil { + return errors.Wrapf(err, "failed to create directory %q", targetDir) + } + asset := assets.NewMemoryAssetTarget([]byte(content), target, "0644") + err := r.Runner.Copy(asset) + asset.Close() + if err != nil { + return errors.Wrapf(err, "failed to create %q", target) + } + } + // reload systemd to apply our changes on /etc/systemd + if err := r.Init.Reload("crio"); err != nil { + return err + } + if r.Init.Active("crio") { + if err := r.Init.Restart("crio"); err != nil { + return err + } + } + return nil +} + // Enable idempotently enables CRIO on a host func (r *CRIO) Enable(disOthers, forceSystemd, inUserNamespace bool) error { - if inUserNamespace { - return errors.New("inUserNamespace must not be true for cri-o (yet)") - } if disOthers { if err := disableOthers(r, r.Runner); err != nil { klog.Warningf("disableOthers: %v", err) @@ -171,6 +211,12 @@ func (r *CRIO) Enable(disOthers, forceSystemd, inUserNamespace bool) error { return err } } + if inUserNamespace { + if err := r.enableRootless(); err != nil { + return err + } + } + // NOTE: before we start crio explicitly here, crio might be already started automatically return r.Init.Start("crio") } diff --git a/site/content/en/docs/drivers/includes/docker_usage.inc b/site/content/en/docs/drivers/includes/docker_usage.inc index 63d50ca323..1f757080f4 100644 --- a/site/content/en/docs/drivers/includes/docker_usage.inc +++ b/site/content/en/docs/drivers/includes/docker_usage.inc @@ -32,7 +32,7 @@ docker context use rootless minikube start --driver=docker --container-runtime=containerd ``` -The `--container-runtime` flag must be currently set to "containerd". +The `--container-runtime` flag must be set to "containerd" or "cri-o". The restrictions of rootless `kind` apply to minikube with rootless docker as well.