From 0a19340a93a562fcdec4b8f258eb8b65cdb96a3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 15 Nov 2021 11:11:03 +0100 Subject: [PATCH 1/3] cri-o: Remove outdated documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Although the documentation removed is correct, it's not relevant to the current supported versions of CRI-O. Related: #2498 Signed-off-by: Fabiano FidĂȘncio --- docs/how-to/run-kata-with-k8s.md | 51 -------------------------------- 1 file changed, 51 deletions(-) diff --git a/docs/how-to/run-kata-with-k8s.md b/docs/how-to/run-kata-with-k8s.md index 98da0622fa..88939bb1a9 100644 --- a/docs/how-to/run-kata-with-k8s.md +++ b/docs/how-to/run-kata-with-k8s.md @@ -59,57 +59,6 @@ You can also add multiple entries to specify alternatives hypervisors, e.g.: runtime_type = "oci" ``` -#### Untrusted annotation (until CRI-O v1.12) -The untrusted annotation is used to specify a runtime for __untrusted__ workloads, i.e. -a runtime to be used when the workload cannot be trusted and a higher level of security -is required. An additional flag can be used to let CRI-O know if a workload -should be considered _trusted_ or _untrusted_ by default. -For further details, see the documentation -[here](../design/architecture.md#mixing-vm-based-and-namespace-based-runtimes). - -```toml -# runtime is the OCI compatible runtime used for trusted container workloads. -# This is a mandatory setting as this runtime will be the default one -# and will also be used for untrusted container workloads if -# runtime_untrusted_workload is not set. -runtime = "/usr/bin/runc" - -# runtime_untrusted_workload is the OCI compatible runtime used for untrusted -# container workloads. This is an optional setting, except if -# default_container_trust is set to "untrusted". -runtime_untrusted_workload = "/usr/bin/kata-runtime" - -# default_workload_trust is the default level of trust crio puts in container -# workloads. It can either be "trusted" or "untrusted", and the default -# is "trusted". -# Containers can be run through different container runtimes, depending on -# the trust hints we receive from kubelet: -# - If kubelet tags a container workload as untrusted, crio will try first to -# run it through the untrusted container workload runtime. If it is not set, -# crio will use the trusted runtime. -# - If kubelet does not provide any information about the container workload trust -# level, the selected runtime will depend on the default_container_trust setting. -# If it is set to "untrusted", then all containers except for the host privileged -# ones, will be run by the runtime_untrusted_workload runtime. Host privileged -# containers are by definition trusted and will always use the trusted container -# runtime. If default_container_trust is set to "trusted", crio will use the trusted -# container runtime for all containers. -default_workload_trust = "untrusted" -``` - -#### Network namespace management -To enable networking for the workloads run by Kata, CRI-O needs to be configured to -manage network namespaces, by setting the following key to `true`. - -In CRI-O v1.16: -```toml -manage_network_ns_lifecycle = true -``` -In CRI-O v1.17+: -```toml -manage_ns_lifecycle = true -``` - ### containerd From 92e3a140236f1a9ed3de0f5439a2fbad38340ef0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 15 Nov 2021 11:14:07 +0100 Subject: [PATCH 2/3] cri-o: Update links for the CRI-O github page MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The links are either pointing to the not-used-anymore `master` branch, or to the kubernetes-incubator page. Let's always point to the CRI-O github page, using the `main`branch. Signed-off-by: Fabiano FidĂȘncio --- docs/how-to/run-kata-with-k8s.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/how-to/run-kata-with-k8s.md b/docs/how-to/run-kata-with-k8s.md index 88939bb1a9..37c3614878 100644 --- a/docs/how-to/run-kata-with-k8s.md +++ b/docs/how-to/run-kata-with-k8s.md @@ -20,7 +20,7 @@ required to spawn pods and containers, and this is the preferred way to run Kata An equivalent shim implementation for CRI-O is planned. ### CRI-O -For CRI-O installation instructions, refer to the [CRI-O Tutorial](https://github.com/kubernetes-incubator/cri-o/blob/master/tutorial.md) page. +For CRI-O installation instructions, refer to the [CRI-O Tutorial](https://github.com/cri-o/cri-o/blob/main/tutorial.md) page. The following sections show how to set up the CRI-O configuration file (default path: `/etc/crio/crio.conf`) for Kata. @@ -30,7 +30,7 @@ Unless otherwise stated, all the following settings are specific to the `crio.ru # runtime used and options for how to set up and manage the OCI runtime. [crio.runtime] ``` -A comprehensive documentation of the configuration file can be found [here](https://github.com/cri-o/cri-o/blob/master/docs/crio.conf.5.md). +A comprehensive documentation of the configuration file can be found [here](https://github.com/cri-o/cri-o/blob/main/docs/crio.conf.5.md). > **Note**: After any change to this file, the CRI-O daemon have to be restarted with: >```` From eb11d053d5f05a348d9fc359a1934581703c249d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fabiano=20Fid=C3=AAncio?= Date: Mon, 15 Nov 2021 11:24:02 +0100 Subject: [PATCH 3/3] cri-o: Update deployment documentation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit CRI-O deployment documentation was quite outdated, giving info from the `1.x` era. Let's update this to reflect what we currently have. Fixes: #2498 Signed-off-by: Fabiano FidĂȘncio --- docs/how-to/run-kata-with-k8s.md | 25 +++++++++---------------- 1 file changed, 9 insertions(+), 16 deletions(-) diff --git a/docs/how-to/run-kata-with-k8s.md b/docs/how-to/run-kata-with-k8s.md index 37c3614878..29d7309876 100644 --- a/docs/how-to/run-kata-with-k8s.md +++ b/docs/how-to/run-kata-with-k8s.md @@ -22,7 +22,7 @@ An equivalent shim implementation for CRI-O is planned. ### CRI-O For CRI-O installation instructions, refer to the [CRI-O Tutorial](https://github.com/cri-o/cri-o/blob/main/tutorial.md) page. -The following sections show how to set up the CRI-O configuration file (default path: `/etc/crio/crio.conf`) for Kata. +The following sections show how to set up the CRI-O snippet configuration file (default path: `/etc/crio/crio.conf`) for Kata. Unless otherwise stated, all the following settings are specific to the `crio.runtime` table: ```toml @@ -40,23 +40,16 @@ A comprehensive documentation of the configuration file can be found [here](http #### Kubernetes Runtime Class (CRI-O v1.12+) The [Kubernetes Runtime Class](https://kubernetes.io/docs/concepts/containers/runtime-class/) is the preferred way of specifying the container runtime configuration to run a Pod's containers. -To use this feature, Kata must added as a runtime handler with: +To use this feature, Kata must added as a runtime handler. This can be done by +dropping a `50-kata` snippet file into `/etc/crio/crio.conf.d`, with the +content shown below: ```toml -[crio.runtime.runtimes.kata-runtime] - runtime_path = "/usr/bin/kata-runtime" - runtime_type = "oci" -``` - -You can also add multiple entries to specify alternatives hypervisors, e.g.: -```toml -[crio.runtime.runtimes.kata-qemu] - runtime_path = "/usr/bin/kata-runtime" - runtime_type = "oci" - -[crio.runtime.runtimes.kata-fc] - runtime_path = "/usr/bin/kata-runtime" - runtime_type = "oci" +[crio.runtime.runtimes.kata] + runtime_path = "/usr/bin/containerd-shim-kata-v2" + runtime_type = "vm" + runtime_root = "/run/vc" + privileged_without_host_devices = true ```