Slide 1

Slide 1 text

CRI-O Introduction
David Ko, Engineering Manager
2019/8/17, COSCUP 2019

Slide 2

Slide 2 text

Outline
● What is OCI (Open Container Initiative)?
● What is an OCI-compatible runtime?
● What is K8s CRI (Container Runtime Interface)?
● What is CRI-O?
● How do K8s CRI + CRI-O work?

Slide 3

Slide 3 text

What is OCI (Open Container Initiative)?
The Open Container Initiative (OCI) is a lightweight, open governance structure (project) formed for the express purpose of creating open industry standards around container formats and runtimes.
The OCI currently contains two specifications:
● Runtime Specification (runtime-spec)
● Image Specification (image-spec)
OCI Image (OCI image spec)
OCI Runtime FS Bundle (OCI runtime spec: how to run)
OCI Runtime Instance (OCI runtime)

Slide 4

Slide 4 text

What is an OCI-compatible runtime?
A runtime for running containers according to the OCI specification.
● runc
  ○ https://github.com/opencontainers/runc
● runsc
  ○ https://github.com/google/gvisor
● runv
  ○ Hypervisor-based runtime for OCI
  ○ https://github.com/hyperhq/runv
● runhcs
  ○ Uses the Windows Host Compute Service (HCS) to launch and manage Windows containers.
  ○ https://github.com/microsoft/hcsshim/tree/master/cmd/runhcs
● kata-runtime
  ○ Runs a secure container runtime with lightweight virtual machines
  ○ https://github.com/kata-containers/runtime

Slide 5

Slide 5 text

What is K8s CRI (Container Runtime Interface)?
The Container Runtime Interface (CRI) is a plugin interface that enables the kubelet to use a wide variety of container runtimes without the need to recompile. CRI consists of protocol buffers and a gRPC API.
https://github.com/kubernetes/cri-api

    // Runtime service defines the public APIs for remote container runtimes
    service RuntimeService { ... }
    // ImageService defines the public APIs for managing images.
    service ImageService { ... }

Slide 6

Slide 6 text

CRI: RuntimeService & ImageService
k8s.io/cri-api/pkg/apis/runtime/v1alpha2

Slide 7

Slide 7 text

What is CRI-O?
CRI-O is an implementation of the Kubernetes CRI (Container Runtime Interface) that enables the use of OCI (Open Container Initiative) compatible runtimes. It is a lightweight alternative to using Docker as the runtime for Kubernetes. It allows Kubernetes to use any OCI-compliant runtime as the container runtime for running pods. Today it supports the runc and Kata Containers runtimes, but in principle any OCI-conformant runtime can be plugged in.

Slide 8

Slide 8 text

CRI-O Architecture

Slide 9

Slide 9 text

K8s Container Runtime Engine/Manager
[Diagram labels: kubelet; Container Runtime Engine/Manager; Container Runtime; dockershim; frakti; hyperd]
OCI Runtime:
● runc
● runsc
● runv
● runhcs
● kata-runtime

Slide 10

Slide 10 text

How do K8s CRI + CRI-O work?

Slide 11

Slide 11 text

Kubelet: Step 1: start kubelet with container runtime
k8s.io/kubernetes/pkg/kubelet::NewMainKubelet()

Slide 12

Slide 12 text

Kubelet: Step 2.1: get gRPC runtime & image services
k8s.io/kubernetes/pkg/kubelet/remote or dockershim

Slide 13

Slide 13 text

Kubelet: Step 2.2: create gRPC runtime & image services
k8s.io/kubernetes/pkg/kubelet/remote

Slide 14

Slide 14 text

CRI-O: Step 1: create gRPC server exposing runtime & image services

Slide 15

Slide 15 text

CRI-O: Step 2: use containers/storage & image lib for OCI image and runtime operation
Major dependent libraries for OCI runtime & image:
● github.com/containers/storage
● github.com/containers/image
● github.com/containers/conmon
cri-o/internal/pkg/storage/runtime.go
cri-o/internal/pkg/storage/image.go
