CRI-O Introduction

David Ko
August 22, 2019

CRI-O is an OCI-based implementation of the Kubernetes Container Runtime Interface, used in SUSE and openSUSE projects. CRI-O is meant to provide an integration path between OCI-conformant runtimes and the kubelet. Specifically, it implements the Kubelet Container Runtime Interface (CRI) using OCI-conformant runtimes. In this session, we will explore the CRI-O architecture to understand how it leverages OCI projects to work with the kubelet via CRI.

Transcript

  1. Slide 2: Outline

    • What is OCI (Open Container Initiative)?
    • What is OCI Compatible Runtime?
    • What is K8s CRI (Container Runtime Interface)?
    • What is CRI-O?
    • How do K8s CRI + CRI-O work?
  2. Slide 3: What is OCI (Open Container Initiative)?

    The Open Container Initiative (OCI) is a lightweight, open governance structure (project), for the express purpose of creating open industry standards around container formats and runtime. The OCI currently contains two specifications:
    • Runtime Specification (runtime-spec)
    • Image Specification (image-spec)
    OCI Image (OCI image spec)
    OCI Runtime FS Bundle (OCI runtime spec: how to run)
    OCI Runtime Instance (OCI runtime)
  3. Slide 4: What is OCI Compatible Runtime?

    A runtime for running containers according to the OCI specification.
    • runc
      ◦ https://github.com/opencontainers/runc
    • runsc
      ◦ https://github.com/google/gvisor
    • runv
      ◦ Hypervisor-based Runtime for OCI
      ◦ https://github.com/hyperhq/runv
    • runhcs
      ◦ Use the Windows Host Compute Service (HCS) to launch and manage Windows Containers.
      ◦ https://github.com/microsoft/hcsshim/tree/master/cmd/runhcs
    • kata-runtime
      ◦ Run secure container runtime with lightweight virtual machines
      ◦ https://github.com/kata-containers/runtime
  4. Slide 5: What is K8s CRI (Container Runtime Interface)?

    Container Runtime Interface (CRI) is a plugin interface which enables kubelet to use a wide variety of container runtimes without the need to recompile. CRI consists of protocol buffers and a gRPC API.
    https://github.com/kubernetes/cri-api

        // Runtime service defines the public APIs for remote container runtimes
        service RuntimeService { ... }
        // ImageService defines the public APIs for managing images.
        service ImageService { ... }
  5. Slide 7: What is CRI-O?

    CRI-O is an implementation of the Kubernetes CRI (Container Runtime Interface) to enable using OCI (Open Container Initiative) compatible runtimes. It is a lightweight alternative to using Docker as the runtime for Kubernetes. It allows Kubernetes to use any OCI-compliant runtime as the container runtime for running pods. Today it supports the runc and Kata container runtimes, but in principle any OCI-conformant runtime can be plugged in.
  6. Slide 9: K8s Container Runtime Engine/Manager

    [Diagram; surviving labels: kubelet, OCI Runtime, frakti, hyperd, runc, runsc, runv, runhcs, kata-runtime, Container Runtime Engine/Manager, Container Runtime, dockershim]
  7. Slide 12: Kubelet: Step 2.1: get gRPC runtime & image services

    k8s.io/kubernetes/pkg/kubelet/remote or dockershim
  8. Slide 13: Kubelet: Step 2.2: create gRPC runtime & image services

    k8s.io/kubernetes/pkg/kubelet/remote
  9. Slide 15: CRI-O: Step 2: use containers/storage & image lib for OCI image and runtime operation

    Major dependent libraries for OCI runtime & image:
    • github.com/containers/storage
    • github.com/containers/image
    • github.com/containers/conmon
    cri-o/internal/pkg/storage/runtime.go
    cri-o/internal/pkg/storage/image.go
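
The OCI slide above describes the runtime bundle, whose config.json tells an OCI runtime such as runc or kata-runtime how to run the container. As an added example (not from the deck or from the CRI-O project), this Go function audits such a config.json for a few weak isolation settings. The field names come from the OCI runtime-spec; the function name, the choice of checks and the sample document are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// spec is the subset of an OCI runtime-spec config.json that is checked below.
type spec struct {
	Process struct {
		NoNewPrivileges bool `json:"noNewPrivileges"`
		Capabilities    struct{ Bounding []string `json:"bounding"` } `json:"capabilities"`
	} `json:"process"`
	Root  struct{ Readonly bool `json:"readonly"` } `json:"root"`
	Linux struct{ Namespaces []struct{ Type string `json:"type"` } `json:"namespaces"` } `json:"linux"`
}

// sampleConfig is a constructed config.json, not taken from a real bundle.
const sampleConfig = `{"root": {"readonly": true}, "process": {"capabilities": {"bounding": ["CAP_CHOWN", "CAP_SYS_ADMIN"]}},
 "linux": {"namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "ipc"}, {"type": "uts"}]}}`

// AuditBundleConfig (hypothetical name) returns one finding per weak isolation setting.
func AuditBundleConfig(raw []byte) ([]string, error) {
	var s spec
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	var findings []string
	flag := func(weak bool, msg string) {
		if weak {
			findings = append(findings, msg)
		}
	}
	flag(!s.Process.NoNewPrivileges, "process.noNewPrivileges is not set")
	flag(!s.Root.Readonly, "root.readonly is false: rootfs is writable")
	for _, c := range s.Process.Capabilities.Bounding {
		flag(c == "CAP_SYS_ADMIN", "CAP_SYS_ADMIN is in the bounding set")
	}
	// A namespace type missing from linux.namespaces is inherited from the runtime.
	have := map[string]bool{}
	for _, ns := range s.Linux.Namespaces {
		have[ns.Type] = true
	}
	for _, t := range []string{"pid", "mount", "network", "ipc", "uts"} {
		flag(!have[t], "no "+t+" namespace entry: container stays in the runtime's "+t+" namespace")
	}
	return findings, nil
}

func main() { fmt.Println(AuditBundleConfig([]byte(sampleConfig))) }
```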