Feat: change cri-o default runtime to crun

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

Feat: change cri-o default runtime to crun
24e115c8 · ChengHao Yang · 6b3eaf83 · 24e115c8 · 24e115c8 · 24e115c8
Unverified Commit 24e115c8 authored 7 months ago by ChengHao Yang
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -40,10 +40,10 @@ crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<m
 # The crio_runtimes variable defines a list of OCI compatible runtimes.
 crio_runtimes:
-  - name: runc
+  - name: crun
-    path: "{{ crio_runtime_bin_dir }}/runc"
+    path: "{{ crio_runtime_bin_dir }}/crun"
    type: oci
-    root: /run/runc
+    root: /run/crun
 # Kata Containers is an OCI runtime, where containers are run inside lightweight
 # VMs. Kata provides additional isolation towards the host, minimizing the host attack
@@ -56,6 +56,12 @@ kata_runtimes:
    root: /run/kata-containers
    privileged_without_host_devices: true
+runc_runtime:
+  name: runc
+  path: "{{ crio_runtime_bin_dir }}/runc"
+  type: oci
+  root: /run/runc
 # crun is a fast and low-memory footprint OCI Container Runtime fully written in C.
 crun_runtime:
  name: crun

--- a/roles/container-engine/cri-o/meta/main.yml
+++ b/roles/container-engine/cri-o/meta/main.yml
 ---
 dependencies:
-  - role: container-engine/runc
+  - role: container-engine/crun
  - role: container-engine/crictl
  - role: container-engine/skopeo
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -36,11 +36,18 @@
  when:
    - kata_containers_enabled
- name: Cri-o | build a list of crio runtimes with crun runtime
+## After CRI-O v1.31, crun is default runtime.
+# - name: Cri-o | build a list of crio runtimes with crun runtime
+#   set_fact:
+#     crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+#   when:
+#     - crun_enabled
+- name: Cri-o | build a list of crio runtimes with runc runtime
  set_fact:
-    crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+    crio_runtimes: "{{ crio_runtimes + [runc_runtime] }}"
  when:
-    - crun_enabled
+    - runc_enabled
 - name: Cri-o | build a list of crio runtimes with youki runtime
  set_fact:

--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -97,7 +97,7 @@ grpc_max_recv_msg_size = 16777216
 # default_runtime is the _name_ of the OCI runtime to be used as the default.
 # The name is matched against the runtimes map below.
-default_runtime = "runc"
+default_runtime = "crun"
 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
 no_pivot = false

--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -293,6 +293,10 @@ kata_containers_enabled: false
 # gVisor is only supported with container_manager Docker or containerd
 gvisor_enabled: false
+# Enable runc as additional container runtime
+# When enabled, it requires container_manager=crio
+runc_enabled: false
 # Enable crun as additional container runtime
 # When enabled, it requires container_manager=crio
 crun_enabled: false