Suraj Deshmukh

Blog

containers, programming, golang, hacks, kubernetes, productivity, books

k8s on CRI-O - single node

How to make kubernetes use CRI-O as container runtime

Suraj Deshmukh

2-Minute Read

Here is a single node Kubernetes on CRI-O. This setup is done on Fedora 25.

Installing OS dependencies

dnf -y install \
  go \
  git \
  btrfs-progs-devel \
  device-mapper-devel \
  glib2-devel \
  glibc-devel \
  glibc-static \
  gpgme-devel \
  libassuan-devel \
  libgpg-error-devel \
  libseccomp-devel \
  libselinux-devel \
  pkgconfig \
  wget \
  etcd \
  iptables

Creating go environment

cd ~
mkdir -p ~/go

export GOPATH=~/go
export GOBIN=$GOPATH/bin
export PATH=$PATH:$GOBIN

echo 'GOPATH=~/go' >> ~/.bashrc
echo 'GOBIN=$GOPATH/bin' >> ~/.bashrc
echo 'PATH=$PATH:$GOBIN' >> ~/.bashrc

Pull all the code dependencies

go get -d k8s.io/kubernetes
go get -u github.com/cloudflare/cfssl/cmd/...

Install runc

go get -d github.com/opencontainers/runc
cd $GOPATH/src/github.com/opencontainers/runc
git reset --hard v1.0.0-rc3
make BUILDTAGS='seccomp selinux' && make install

Build cri-o

cd
go get -d github.com/kubernetes-incubator/cri-o
cd $GOPATH/src/github.com/kubernetes-incubator/cri-o
make install.tools
make && make install
make install.config

Set up CNI

go get -d github.com/containernetworking/cni
cd $GOPATH/src/github.com/containernetworking/cni
./build.sh

mkdir -p /opt/cni/bin
cp bin/* /opt/cni/bin/

mkdir -p /etc/cni/net.d/
cat > /etc/cni/net.d/10-ocid-bridge.conf <<EOF
{
    "cniVersion": "0.2.0",
    "name": "ocid-bridge",
    "type": "bridge",
    "bridge": "cni0",
    "isGateway": true,
    "ipMasq": true,
    "ipam": {
        "type": "host-local",
        "subnet": "10.88.0.0/16",
        "routes": [
            { "dst": "0.0.0.0/0" }
        ]
    }
}
EOF

cat > /etc/cni/net.d/99-loopback.conf <<EOF
{
    "cniVersion": "0.2.0",
    "type": "loopback"
}
EOF

Create policy.json

mkdir -p  /etc/containers

cat > /etc/containers/policy.json <<EOF
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ]
}
EOF

Make SELinux happy

mkdir -p /var/lib/containers/
chcon -Rt svirt_sandbox_file_t /var/lib/containers/

Start ocid service

export PATH=$PATH:/usr/local/bin/
echo 'PATH=$PATH:/usr/local/bin/' >> ~/.bashrc
ocid --runtime /usr/local/sbin/runc --log /root/ocid.log --debug --selinux true

Start k8s cluster with crio

cd $GOPATH/src/k8s.io/kubernetes/
CONTAINER_RUNTIME=remote CONTAINER_RUNTIME_ENDPOINT='/var/run/ocid.sock --runtime-request-timeout=15m' ./hack/local-up-cluster.sh

To use kubectl (in new terminal)

alias kubectl=$GOPATH/src/k8s.io/kubernetes/cluster/kubectl.sh
echo 'alias kubectl=$GOPATH/src/k8s.io/kubernetes/cluster/kubectl.sh'  >> ~/.bashrc

Ref:

comments powered by Disqus

Recent Posts

Categories

About

I am a Senior Software Engineer at Microsoft, working on various tooling around container technology like Docker, Kubernetes, etc.