From 24e115c8b9c90cdff5622a3c56d30d31e0e2897b Mon Sep 17 00:00:00 2001
From: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date: Mon, 7 Oct 2024 00:43:30 +0800
Subject: [PATCH] Feat: change cri-o default runtime to crun

Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
---
 roles/container-engine/cri-o/defaults/main.yml      | 12 +++++++++---
 roles/container-engine/cri-o/meta/main.yml          |  2 +-
 roles/container-engine/cri-o/tasks/main.yaml        | 13 ++++++++++---
 roles/container-engine/cri-o/templates/crio.conf.j2 |  2 +-
 roles/kubespray-defaults/defaults/main/main.yml     |  4 ++++
 5 files changed, 25 insertions(+), 8 deletions(-)

diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index ffbb0cfb2..2502c535e 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -40,10 +40,10 @@ crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<m
 
 # The crio_runtimes variable defines a list of OCI compatible runtimes.
 crio_runtimes:
-  - name: runc
-    path: "{{ crio_runtime_bin_dir }}/runc"
+  - name: crun
+    path: "{{ crio_runtime_bin_dir }}/crun"
     type: oci
-    root: /run/runc
+    root: /run/crun
 
 # Kata Containers is an OCI runtime, where containers are run inside lightweight
 # VMs. Kata provides additional isolation towards the host, minimizing the host attack
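Review bot: The comment on `crio_runtimes` does not say that the first entry's name must match the `default_runtime` that crio.conf.j2 now hard-codes to "crun", so an operator who overrides this list (for example to keep runc only) gets a config whose default runtime is absent from the runtimes map. I would extend the comment to `# The first entry is the default runtime; crio.conf.j2 sets default_runtime = "crun", so keep a "crun" entry (or change both together).` Whether CRI-O refuses to start or falls back in that case depends on the CRI-O version and is not visible here.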
@@ -56,6 +56,12 @@ kata_runtimes:
     root: /run/kata-containers
     privileged_without_host_devices: true
 
+runc_runtime:
+  name: runc
+  path: "{{ crio_runtime_bin_dir }}/runc"
+  type: oci
+  root: /run/runc
+
 # crun is a fast and low-memory footprint OCI Container Runtime fully written in C.
 crun_runtime:
   name: crun
diff --git a/roles/container-engine/cri-o/meta/main.yml b/roles/container-engine/cri-o/meta/main.yml
index 7259b4663..99e803a51 100644
--- a/roles/container-engine/cri-o/meta/main.yml
+++ b/roles/container-engine/cri-o/meta/main.yml
@@ -1,5 +1,5 @@
 ---
 dependencies:
-  - role: container-engine/runc
+  - role: container-engine/crun
   - role: container-engine/crictl
   - role: container-engine/skopeo
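Review bot: Dropping `container-engine/runc` from the dependencies leaves nothing in this role installing runc, yet the new `runc_enabled` path in tasks/main.yaml still appends a runtime whose `path` is `{{ crio_runtime_bin_dir }}/runc`, so enabling it presumably yields a runtimes entry pointing at a missing binary. Unless the runc role is pulled in elsewhere when `runc_enabled` is true (not visible in this patch), keep it here conditionally: `- role: container-engine/runc` followed by `when: runc_enabled`. The same question applies in reverse to `crun_enabled`, which no longer drives anything in this role.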
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index cdcd1f419..0e66934cc 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -36,11 +36,18 @@
   when:
     - kata_containers_enabled
 
-- name: Cri-o | build a list of crio runtimes with crun runtime
+## After CRI-O v1.31, crun is default runtime.
+# - name: Cri-o | build a list of crio runtimes with crun runtime
+#   set_fact:
+#     crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+#   when:
+#     - crun_enabled
+
+- name: Cri-o | build a list of crio runtimes with runc runtime
   set_fact:
-    crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+    crio_runtimes: "{{ crio_runtimes + [runc_runtime] }}"
   when:
-    - crun_enabled
+    - runc_enabled
 
 - name: Cri-o | build a list of crio runtimes with youki runtime
   set_fact:
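Review bot: The commented-out crun task should be deleted rather than left in place; commented-out code with a `when: crun_enabled` clause suggests the toggle still does something, while in fact `crun_enabled` is now a no-op for CRI-O because crun is already in the default `crio_runtimes`. The header comment is also imprecise: this playbook makes crun the default for every CRI-O version it installs, not only "after v1.31", so I would replace the whole block with `# crun is the default runtime (first entry of crio_runtimes); crun_enabled no longer adds it.` One more thing to watch: if an operator overrides `crio_runtimes` to include runc and also sets `runc_enabled`, the new set_fact appends a second "runc" entry to the list.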
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index 6f9b84f14..187470a23 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -97,7 +97,7 @@ grpc_max_recv_msg_size = 16777216
 
 # default_runtime is the _name_ of the OCI runtime to be used as the default.
 # The name is matched against the runtimes map below.
-default_runtime = "runc"
+default_runtime = "crun"
 
 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
 no_pivot = false
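Review bot: Hard-coding `default_runtime = "crun"` decouples the template from `crio_runtimes`, which operators are expected to override; with a list that contains no "crun" entry, the default no longer matches anything in the runtimes map the comment above refers to. Deriving it from the list keeps the two in step: `default_runtime = "{{ crio_runtimes[0].name }}"`, or introduce a `crio_default_runtime: crun` variable in defaults/main.yml and render that here. Either way the behaviour for the unmodified defaults is unchanged.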
diff --git a/roles/kubespray-defaults/defaults/main/main.yml b/roles/kubespray-defaults/defaults/main/main.yml
index 55dce775d..d5761accc 100644
--- a/roles/kubespray-defaults/defaults/main/main.yml
+++ b/roles/kubespray-defaults/defaults/main/main.yml
@@ -293,6 +293,10 @@ kata_containers_enabled: false
 # gVisor is only supported with container_manager Docker or containerd
 gvisor_enabled: false
 
+# Enable runc as additional container runtime
+# When enabled, it requires container_manager=crio
+runc_enabled: false
+
 # Enable crun as additional container runtime
 # When enabled, it requires container_manager=crio
 crun_enabled: false
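Review bot: The surrounding `crun_enabled` comment ("Enable crun as additional container runtime") is now stale: crun is the default CRI-O runtime in this patch and the task that consumed `crun_enabled` for CRI-O is commented out, so the flag no longer changes the CRI-O configuration. Either mark it deprecated, `# Deprecated for container_manager=crio: crun is the default runtime and this flag has no effect there`, or remove it if no other role reads it (not visible in this patch). For the new flag I would also say what it does beyond "additional": `# Enable runc as an additional (non-default) CRI-O runtime; the runc binary must be installed by the runc role.`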
-- 
GitLab