diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index ffbb0cfb26b280c3f9cd072aa2a5dad4651a48b7..2502c535ec7959056cdb56782bcb5509cc6553ab 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -40,10 +40,10 @@ crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<m # The crio_runtimes variable defines a list of OCI compatible runtimes. crio_runtimes: - - name: runc - path: "{{ crio_runtime_bin_dir }}/runc" + - name: crun + path: "{{ crio_runtime_bin_dir }}/crun" type: oci - root: /run/runc + root: /run/crun # Kata Containers is an OCI runtime, where containers are run inside lightweight # VMs. Kata provides additional isolation towards the host, minimizing the host attack
@@ -56,6 +56,12 @@ kata_runtimes: root: /run/kata-containers privileged_without_host_devices: true +runc_runtime: + name: runc + path: "{{ crio_runtime_bin_dir }}/runc" + type: oci + root: /run/runc + # crun is a fast and low-memory footprint OCI Container Runtime fully written in C. crun_runtime: name: crun
diff --git a/roles/container-engine/cri-o/meta/main.yml b/roles/container-engine/cri-o/meta/main.yml
index 7259b4663eb80cb2533ad2ea4b8429c336470051..99e803a5170f45e918f57923ea002fe2065777ea 100644
--- a/roles/container-engine/cri-o/meta/main.yml
+++ b/roles/container-engine/cri-o/meta/main.yml
@@ -1,5 +1,5 @@ --- dependencies: - - role: container-engine/runc + - role: container-engine/crun - role: container-engine/crictl - role: container-engine/skopeo
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index cdcd1f41954e42e8dcb7ce94848c58ab684b9e8c..0e66934cc08715bfcb72f40e38a80f65bc505291 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
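Review bot: The new `runc_runtime` mapping in the second hunk of defaults/main.yml has no descriptive comment, unlike the `kata_runtimes` and `crun_runtime` entries around it; add `# runc is the reference OCI runtime, registered only when runc_enabled is true` above it. The first hunk makes crun the sole entry of the default `crio_runtimes`, so an inventory that relied on runc being present by default now silently loses it unless it sets `runc_enabled: true`; a comment on `crio_runtimes` stating that crun is the default and runc is opt-in would help operators upgrading. Both `/run/crun` and `/run/runc` are plain scalars, which is fine, but the `crun_runtime` mapping continues past the end of the second hunk.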
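Review bot: Removing the `container-engine/runc` dependency in meta/main.yml leaves nothing visible in this commit that installs a runc binary at `{{ crio_runtime_bin_dir }}/runc`, yet the new task in tasks/main.yaml appends `runc_runtime` with exactly that path to `crio_runtimes` when `runc_enabled` is true, so CRI-O would be configured with a runtime whose binary may be absent on the host. If the runc role is still included conditionally elsewhere (not visible here), a comment next to the dependency list pointing to it would suffice; otherwise the runc role should be included when `runc_enabled` is true, mirroring how crun was previously installed as an optional runtime. Note also that `container-engine/crun` is now an unconditional dependency, so `crun_enabled: false` no longer opts an inventory out of installing crun.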
@@ -36,11 +36,18 @@ when: - kata_containers_enabled -- name: Cri-o | build a list of crio runtimes with crun runtime +## After CRI-O v1.31, crun is default runtime. +# - name: Cri-o | build a list of crio runtimes with crun runtime +# set_fact: +# crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}" +# when: +# - crun_enabled + +- name: Cri-o | build a list of crio runtimes with runc runtime set_fact: - crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}" + crio_runtimes: "{{ crio_runtimes + [runc_runtime] }}" when: - - crun_enabled + - runc_enabled - name: Cri-o | build a list of crio runtimes with youki runtime set_fact:
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index 6f9b84f14eb80b48764eef22c68e436340674210..187470a23bf6237abd8b747dd4a5bbeeac14a868 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -97,7 +97,7 @@ grpc_max_recv_msg_size = 16777216 # default_runtime is the _name_ of the OCI runtime to be used as the default. # The name is matched against the runtimes map below. -default_runtime = "runc" +default_runtime = "crun" # If true, the runtime will not use pivot_root, but instead use MS_MOVE. no_pivot = false
diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml
index 55dce775d5effb3684deccf8bbeb374d1c00158d..d5761accc4c3fb1a00cce694e5038375ce1e0d27 100644
--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -293,6 +293,10 @@ kata_containers_enabled: false # gVisor is only supported with container_manager Docker or containerd gvisor_enabled: false +# Enable runc as additional container runtime +# When enabled, it requires container_manager=crio +runc_enabled: false + # Enable crun as additional container runtime # When enabled, it requires container_manager=crio crun_enabled: false
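Review bot: The seven commented-out lines that replace the crun task in tasks/main.yaml are dead code; git keeps the history, so drop them and keep a single explanatory comment such as `# crun is installed via the role's meta dependency and is the first entry of crio_runtimes, so no opt-in task is needed`. The header `## After CRI-O v1.31, crun is default runtime.` states a version condition, but the switch made by this commit is unconditional: the meta dependency, the default `crio_runtimes` entry and `default_runtime` in crio.conf.j2 all change with no version check, so if the role still supports CRI-O releases below 1.31 the runc-vs-crun choice should be gated on the CRI-O version (the `crio_required_version` variable seen in the defaults hunk header looks like the natural input, though how it is derived is not visible here), or the comment should say the role now requires 1.31 or later. The kata task whose `when:` opens this hunk begins before it, and the youki task continues past its end.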
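Review bot: `default_runtime = "crun"` in crio.conf.j2 is hard-coded while the runtimes it must match come from the overridable `crio_runtimes` variable (presumably rendered into the runtimes map further down the template, which is not visible here); an inventory that overrides `crio_runtimes` without a `crun` entry, for example to keep runc as its only runtime, ends up with a `default_runtime` that names no configured runtime, which CRI-O rejects at startup. The previous code had the same coupling with runc, but since this commit changes the default it is the right moment to derive the value from the list: `default_runtime = "{{ crio_runtimes[0].name }}"`. If the list is meant to be operator-overridable, a comment above the line stating that the first `crio_runtimes` entry is the default would document the contract.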
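Review bot: The `crun_enabled` comment left as context at the end of the kubespray-defaults hunk, `# Enable crun as additional container runtime`, is now stale: after this commit crun is the cri-o role's hard dependency and the first entry of the default `crio_runtimes`, and the task that consumed `crun_enabled` in tasks/main.yaml is commented out, so for `container_manager=crio` the flag no longer changes anything (unless another role still reads it, which is not visible here). Update the comment, e.g. `# crun is now the default CRI-O runtime and is always installed; this flag is kept for compatibility and has no effect with container_manager=crio`, or mark the variable deprecated. The new `runc_enabled` comment copies the crun wording verbatim; once the install path for runc is settled, say explicitly that runc is installed and registered in crio_runtimes only when this is true.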