Include an example in the documentation of /etc/systemd/system/cri-docker.service file

[g-ser]

It would make sense to have an example of cri-docker.service file for the users who use the cri-dockered adapter with a network plugin for kubernetes.

If users do not specify the args --network-plugin=cni --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d for the variable ExecStart in cri-docker.service file, what happens is that their pods get IP addresses from the docker network (172.17.0.*) which can cause confusion since they would expect their pods to get the IPs of the clusterCIDR defined in the /var/lib/kube-proxy/config.conf file.

[afbjorklund]

The extra default configuration should not be needed anymore, since #45

So the main requirement is the --network-plugin=cni (and the CNI config file...)

Currently it is a bit tricky to override, since there is no config or environment used.

/etc/systemd/system/cri-docker.service.d/10-cni.conf

[Service]
ExecStart=
ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --network-plugin=cni

Once to remove all previous configuration, and once to set the new configuration.

You don't want to replace the original unit from the packaging, just override it.

[afbjorklund]

• Document how to enable CNI network plugin #43

Probably should ship some default CNI config file, now that --network-plugin=kubenet is not recommended anymore (1.24+).

Similar to the 10-containerd-net.conflist being shipped with containerd:

https://github.com/containerd/containerd/blob/v1.6.6/script/setup/install-cni#L36_L69

[afbjorklund]

Possibly also add configuration, for how to update the pause image now that the kubelet doesn't do it ?

kubernetes/kubernetes@de6544b

--pod-infra-container-image=k8s.gcr.io/pause:3.7

The overrides are getting tricky now, since there is no environment and no config file (like the other CRI)

---

Systemd doesn't allow appending to ExecStart, so the current workaround is to replace/repeat it.

Ideally you would want to have one cni.conf and one pause.conf, but that doesn't really work out...

One workaround is to introduce an environment file, but eventually it might need a "cri-dockerd.conf"

Hacking the original unit (like systemctl edit) doesn't work so great with packaging and automation.

[lamehost]

I have spent the last 3 days trying to figure out broken networking on a new k8s cluster. It was just by random chance that i found it explained on a random forum: https://bytemeta.vip/repo/Mirantis/cri-dockerd/issues/42

I strongly encourage to properly explain to newcomers that you need --network-plugin=cni if you want to use cri-dockerd with k8s.

[afbjorklund]

I think this was the case, also with 1.23 and earlier ?

But then the flag was handled by kubelet instead

---

https://v1-23.docs.kubernetes.io/docs/concepts/extend-kubernetes/compute-storage-net/network-plugins/

The CNI plugin is selected by passing Kubelet the --network-plugin=cni command-line option.