minikube-iso: add cri-o runtime #1998
Merged
@@ -0,0 +1,17 @@ | ||
config BR2_PACKAGE_CRIO_BIN | ||
bool "crio-bin" | ||
default y | ||
depends on BR2_x86_64 | ||
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS | ||
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS | ||
depends on BR2_TOOLCHAIN_HAS_THREADS | ||
depends on BR2_USE_MMU # lvm2 | ||
depends on !BR2_STATIC_LIBS # lvm2 | ||
depends on !BR2_TOOLCHAIN_USES_MUSL # lvm2 | ||
select BR2_PACKAGE_RUNC_MASTER | ||
select BR2_PACKAGE_BTRFS_PROGS | ||
select BR2_PACKAGE_LIBSECCOMP | ||
select BR2_PACKAGE_LIBGPGME | ||
select BR2_PACKAGE_BTRFS_PROGS | ||
select BR2_PACKAGE_LVM2 | ||
select BR2_PACKAGE_LVM2_APP_LIBRARY |
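Review bot: `select BR2_PACKAGE_BTRFS_PROGS` appears twice in this Config.in (once right after `select BR2_PACKAGE_RUNC_MASTER` and again after `select BR2_PACKAGE_LIBGPGME`); drop the second one. The entry also has no `help` block, unlike the sibling runc-master Config.in, so add one naming the upstream project and the commit being pinned. Because this symbol `select`s `BR2_PACKAGE_RUNC_MASTER`, `BR2_PACKAGE_LIBSECCOMP`, `BR2_PACKAGE_LVM2` and `BR2_PACKAGE_BTRFS_PROGS`, the matching `.mk` must also list those packages in `CRIO_BIN_DEPENDENCIES`: `select` only enables them, it does not order the build. `default y` plus `depends on BR2_x86_64` means every x86_64 ISO now carries a second container runtime next to Docker; say in the PR whether that is intended or whether the option should default off until the runtime is selectable from minikube.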
@@ -0,0 +1 @@ | ||
sha256 94f3e17f466d91dc5080e4507531346f8aee35f4d90f2d2682ccbaf5b8a14a9a 41372dba703fbf960ef21795d29489956155f903.tar.gz |
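Review bot: this hash line has no `# Locally computed` header, while the runc-master hash file in the same PR carries one; add it so a reader knows the sha256 was produced by the author and not copied from an upstream release. Pinning `41372dba703fbf960ef21795d29489956155f903.tar.gz` by full commit SHA and checksum is the right shape, but the file is a GitHub-generated commit archive rather than a published release artifact, so once cri-o tags a release with the needed fixes, switch to the tagged tarball and its upstream checksum.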
@@ -0,0 +1,74 @@ | ||
################################################################################ | ||
# | ||
# cri-o | ||
# | ||
################################################################################ | ||
|
||
CRIO_BIN_VERSION = 41372dba703fbf960ef21795d29489956155f903 | ||
CRIO_BIN_SITE = https://github.com/kubernetes-incubator/cri-o/archive | ||
CRIO_BIN_SOURCE = $(CRIO_BIN_VERSION).tar.gz | ||
CRIO_BIN_DEPENDENCIES = libgpgme | ||
CRIO_BIN_GOPATH = $(@D)/_output | ||
CRIO_BIN_ENV = \ | ||
GOPATH="$(CRIO_BIN_GOPATH)" \ | ||
PATH=$(CRIO_BIN_GOPATH)/bin:$(BR_PATH) | ||
|
||
|
||
define CRIO_BIN_USERS | ||
- -1 crio-admin -1 - - - - - | ||
- -1 crio -1 - - - - - | ||
endef | ||
|
||
define CRIO_BIN_CONFIGURE_CMDS | ||
mkdir -p $(CRIO_BIN_GOPATH)/src/github.com/kubernetes-incubator | ||
ln -sf $(@D) $(CRIO_BIN_GOPATH)/src/github.com/kubernetes-incubator/cri-o | ||
$(CRIO_BIN_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) install.tools DESTDIR=$(TARGET_DIR) PREFIX=$(TARGET_DIR)/usr | ||
endef | ||
|
||
define CRIO_BIN_BUILD_CMDS | ||
$(CRIO_BIN_ENV) $(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) binaries PREFIX=/usr BUILDTAGS="containers_image_ostree_stub" | ||
endef | ||
|
||
define CRIO_BIN_INSTALL_TARGET_CMDS | ||
mkdir -p $(TARGET_DIR)/usr/share/containers/oci/hooks.d | ||
mkdir -p $(TARGET_DIR)/etc/containers/oci/hooks.d | ||
|
||
$(INSTALL) -Dm755 \ | ||
$(@D)/crio \ | ||
$(TARGET_DIR)/usr/bin/crio | ||
$(INSTALL) -Dm755 \ | ||
$(@D)/crioctl \ | ||
$(TARGET_DIR)/usr/bin/crioctl | ||
$(INSTALL) -Dm755 \ | ||
$(@D)/kpod \ | ||
$(TARGET_DIR)/usr/bin/kpod | ||
$(INSTALL) -Dm755 \ | ||
$(@D)/conmon/conmon \ | ||
$(TARGET_DIR)/usr/libexec/crio/conmon | ||
$(INSTALL) -Dm755 \ | ||
$(@D)/pause/pause \ | ||
$(TARGET_DIR)/usr/libexec/crio/pause | ||
$(INSTALL) -Dm644 \ | ||
$(@D)/seccomp.json \ | ||
$(TARGET_DIR)/etc/crio/seccomp.json | ||
$(INSTALL) -Dm644 \ | ||
$(BR2_EXTERNAL_MINIKUBE_PATH)/package/crio-bin/crio.conf \ | ||
$(TARGET_DIR)/etc/crio/crio.conf | ||
$(INSTALL) -Dm644 \ | ||
$(BR2_EXTERNAL_MINIKUBE_PATH)/package/crio-bin/policy.json \ | ||
$(TARGET_DIR)/etc/containers/policy.json | ||
|
||
mkdir -p $(TARGET_DIR)/etc/sysconfig | ||
echo 'CRIO_OPTIONS="--storage-driver=overlay2 --debug"' > $(TARGET_DIR)/etc/sysconfig/crio | ||
endef | ||
|
||
define CRIO_BIN_INSTALL_INIT_SYSTEMD | ||
$(MAKE) $(TARGET_CONFIGURE_OPTS) -C $(@D) install.systemd DESTDIR=$(TARGET_DIR) PREFIX=$(TARGET_DIR)/usr | ||
$(INSTALL) -Dm755 \ | ||
$(BR2_EXTERNAL_MINIKUBE_PATH)/package/crio-bin/crio.service \ | ||
$(TARGET_DIR)/usr/lib/systemd/system/crio.service | ||
$(call link-service,crio.service) | ||
$(call link-service,crio-shutdown.service) | ||
endef | ||
|
||
$(eval $(generic-package)) |
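Review bot: `BUILDTAGS="containers_image_ostree_stub"` on the `make binaries` line is a command-line variable, so it replaces rather than extends whatever default tag list the upstream Makefile sets; if that default includes `seccomp` and `selinux`, this build silently drops them even though Config.in selects `BR2_PACKAGE_LIBSECCOMP` and the shipped crio.conf sets `seccomp_profile` and `apparmor_profile`. Check the resulting binary actually applies the seccomp profile, and pass the full tag set explicitly if it does not. Smaller points in the same hunk: `CRIO_BIN_DEPENDENCIES = libgpgme` omits `runc-master`, `libseccomp`, `lvm2` and `btrfs-progs`, which Config.in selects but Buildroot only orders through DEPENDENCIES; both `install.tools` and `install.systemd` receive `DESTDIR=$(TARGET_DIR)` together with `PREFIX=$(TARGET_DIR)/usr`, so confirm the upstream Makefile does not compose them into `$(TARGET_DIR)$(TARGET_DIR)/usr`; the `crio.service` placed by `install.systemd` is immediately overwritten by the minikube copy, while `crio-shutdown.service` is only linked, so the second `link-service` call depends on `install.systemd` having installed it under `$(TARGET_DIR)/usr/lib/systemd/system`; the `crio-admin` and `crio` users created by `CRIO_BIN_USERS` are not referenced by the unit or config in this PR; and `CRIO_OPTIONS="--storage-driver=overlay2 --debug"` turns on debug logging in every ISO build, so consider dropping `--debug` from the default.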
@@ -0,0 +1,149 @@ | ||
|
||
# The "crio" table contains all of the server options. | ||
[crio] | ||
|
||
# root is a path to the "root directory". CRIO stores all of its data, | ||
# including container images, in this directory. | ||
root = "/var/lib/containers/storage" | ||
|
||
# run is a path to the "run directory". CRIO stores all of its state | ||
# in this directory. | ||
runroot = "/var/run/containers/storage" | ||
|
||
# storage_driver select which storage driver is used to manage storage | ||
# of images and containers. | ||
storage_driver = "" | ||
|
||
# storage_option is used to pass an option to the storage driver. | ||
storage_option = [ | ||
] | ||
|
||
# The "crio.api" table contains settings for the kubelet/gRPC | ||
# interface (which is also used by crioctl). | ||
[crio.api] | ||
|
||
# listen is the path to the AF_LOCAL socket on which crio will listen. | ||
listen = "/var/run/crio.sock" | ||
|
||
# stream_address is the IP address on which the stream server will listen | ||
stream_address = "" | ||
|
||
# stream_port is the port on which the stream server will listen | ||
stream_port = "10010" | ||
|
||
# file_locking is whether file-based locking will be used instead of | ||
# in-memory locking | ||
file_locking = true | ||
|
||
# The "crio.runtime" table contains settings pertaining to the OCI | ||
# runtime used and options for how to set up and manage the OCI runtime. | ||
[crio.runtime] | ||
|
||
# runtime is the OCI compatible runtime used for trusted container workloads. | ||
# This is a mandatory setting as this runtime will be the default one | ||
# and will also be used for untrusted container workloads if | ||
# runtime_untrusted_workload is not set. | ||
runtime = "/usr/bin/runc" | ||
|
||
# runtime_untrusted_workload is the OCI compatible runtime used for untrusted | ||
# container workloads. This is an optional setting, except if | ||
# default_container_trust is set to "untrusted". | ||
runtime_untrusted_workload = "" | ||
|
||
# default_workload_trust is the default level of trust crio puts in container | ||
# workloads. It can either be "trusted" or "untrusted", and the default | ||
# is "trusted". | ||
# Containers can be run through different container runtimes, depending on | ||
# the trust hints we receive from kubelet: | ||
# - If kubelet tags a container workload as untrusted, crio will try first to | ||
# run it through the untrusted container workload runtime. If it is not set, | ||
# crio will use the trusted runtime. | ||
# - If kubelet does not provide any information about the container workload trust | ||
# level, the selected runtime will depend on the default_container_trust setting. | ||
# If it is set to "untrusted", then all containers except for the host privileged | ||
# ones, will be run by the runtime_untrusted_workload runtime. Host privileged | ||
# containers are by definition trusted and will always use the trusted container | ||
# runtime. If default_container_trust is set to "trusted", crio will use the trusted | ||
# container runtime for all containers. | ||
default_workload_trust = "trusted" | ||
|
||
# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE | ||
no_pivot = true | ||
|
||
# conmon is the path to conmon binary, used for managing the runtime. | ||
conmon = "/usr/libexec/crio/conmon" | ||
|
||
# conmon_env is the environment variable list for conmon process, | ||
# used for passing necessary environment variable to conmon or runtime. | ||
conmon_env = [ | ||
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", | ||
] | ||
|
||
# selinux indicates whether or not SELinux will be used for pod | ||
# separation on the host. If you enable this flag, SELinux must be running | ||
# on the host. | ||
selinux = false | ||
|
||
# seccomp_profile is the seccomp json profile path which is used as the | ||
# default for the runtime. | ||
seccomp_profile = "/etc/crio/seccomp.json" | ||
|
||
# apparmor_profile is the apparmor profile name which is used as the | ||
# default for the runtime. | ||
apparmor_profile = "crio-default" | ||
|
||
# cgroup_manager is the cgroup management implementation to be used | ||
# for the runtime. | ||
cgroup_manager = "cgroupfs" | ||
|
||
# hooks_dir_path is the oci hooks directory for automatically executed hooks | ||
hooks_dir_path = "/usr/share/containers/oci/hooks.d" | ||
|
||
# pids_limit is the number of processes allowed in a container | ||
pids_limit = 1024 | ||
|
||
# The "crio.image" table contains settings pertaining to the | ||
# management of OCI images. | ||
[crio.image] | ||
|
||
# default_transport is the prefix we try prepending to an image name if the | ||
# image name as we receive it can't be parsed as a valid source reference | ||
default_transport = "docker://" | ||
|
||
# pause_image is the image which we use to instantiate infra containers. | ||
pause_image = "kubernetes/pause" | ||
|
||
# pause_command is the command to run in a pause_image to have a container just | ||
# sit there. If the image contains the necessary information, this value need | ||
# not be specified. | ||
pause_command = "/pause" | ||
|
||
# signature_policy is the name of the file which decides what sort of policy we | ||
# use when deciding whether or not to trust an image that we've pulled. | ||
# Outside of testing situations, it is strongly advised that this be left | ||
# unspecified so that the default system-wide policy will be used. | ||
signature_policy = "" | ||
|
||
# image_volumes controls how image volumes are handled. | ||
# The valid values are mkdir and ignore. | ||
image_volumes = "mkdir" | ||
|
||
# insecure_registries is used to skip TLS verification when pulling images. | ||
insecure_registries = [ | ||
] | ||
|
||
# registries is used to specify a comma separated list of registries to be used | ||
# when pulling an unqualified image (e.g. fedora:rawhide). | ||
registries = [ | ||
] | ||
|
||
# The "crio.network" table contains settings pertaining to the | ||
# management of CNI plugins. | ||
[crio.network] | ||
|
||
# network_dir is is where CNI network configuration | ||
# files are stored. | ||
network_dir = "/etc/cni/net.d/" | ||
|
||
# plugin_dir is is where CNI plugin binaries are stored. | ||
plugin_dir = "/opt/cni/bin/" |
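Review bot: `no_pivot = true` makes runc set up the container root with MS_MOVE instead of `pivot_root`, which does not detach the old root the way `pivot_root` does and which runc documents as meant for a rootfs living on a ramdisk; if the minikube ISO needs it because its root is an initramfs/tmpfs, put that reason in a comment next to the setting rather than shipping a weaker jail unexplained. `stream_address = ""` does not pin the exec/attach/port-forward streaming server on `stream_port = "10010"` to loopback, and kubelet on the same VM is its only client, so set it to `127.0.0.1`. The comments above `runtime_untrusted_workload` and `default_workload_trust` refer to a `default_container_trust` key that does not exist in this file; make the names match the keys. Note also that `signature_policy = ""` falls back to `/etc/containers/policy.json`, which this PR ships as `insecureAcceptAnything`, and `pause_image = "kubernetes/pause"` has neither tag nor digest, so every image including the infra container is pulled unverified.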
@@ -0,0 +1,26 @@ | ||
[Unit] | ||
Description=Open Container Initiative Daemon | ||
Documentation=https://github.com/kubernetes-incubator/cri-o | ||
After=network-online.target minikube-automount.service | ||
Requires=minikube-automount.service | ||
|
||
[Service] | ||
Type=notify | ||
EnvironmentFile=-/etc/sysconfig/crio | ||
EnvironmentFile=/var/run/minikube/env | ||
Environment=GOTRACEBACK=crash | ||
ExecStartPre=/bin/mkdir -p ${PERSISTENT_DIR}/var/lib/containers | ||
ExecStart=/usr/bin/crio \ | ||
$CRIO_OPTIONS \ | ||
--root ${PERSISTENT_DIR}/var/lib/containers | ||
ExecReload=/bin/kill -s HUP $MAINPID | ||
TasksMax=8192 | ||
LimitNOFILE=1048576 | ||
LimitNPROC=1048576 | ||
LimitCORE=infinity | ||
OOMScoreAdjust=-999 | ||
TimeoutStartSec=0 | ||
Restart=on-abnormal | ||
|
||
[Install] | ||
WantedBy=multi-user.target |
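Review bot: `After=network-online.target` has no matching `Wants=network-online.target`, so the ordering has no effect; systemd only activates network-online.target when some unit pulls it in. Separately, `--root ${PERSISTENT_DIR}/var/lib/containers` on the ExecStart line overrides `root = "/var/lib/containers/storage"` from crio.conf while `runroot` still points at `/var/run/containers/storage`; either drop the `root` line from the config or comment that the unit's value is the one in effect. `EnvironmentFile=/var/run/minikube/env` is mandatory (no `-` prefix) while `Requires=minikube-automount.service` is what provides `${PERSISTENT_DIR}`, so confirm that env file exists before crio starts on a fresh boot. `LimitCORE=infinity` together with `GOTRACEBACK=crash` means a crashing daemon writes a full core dump of its memory to the persistent disk, which is fine for a debug build but should be reconsidered for the default ISO.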
@@ -0,0 +1,7 @@ | ||
{ | ||
"default": [ | ||
{ | ||
"type": "insecureAcceptAnything" | ||
} | ||
] | ||
} |
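Review bot: a `default` policy of `insecureAcceptAnything` disables signature verification for every image from every transport, and the empty `signature_policy` in crio.conf makes this the policy in effect for the whole VM. That is a reasonable development default, but the PR description should say that the ISO pulls images unverified, and the file should carry a `transports` section (per-registry `signedBy` with a key, or `reject` for registries that must never be used) as the hook for tightening it later, so the next person does not have to discover that images are accepted unchecked.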
@@ -0,0 +1,17 @@ | ||
config BR2_PACKAGE_RUNC_MASTER | ||
bool "runc-master" | ||
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS | ||
depends on BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS | ||
depends on BR2_TOOLCHAIN_HAS_THREADS | ||
help | ||
runC is a CLI tool for spawning and running containers | ||
according to the OCP specification. | ||
|
||
This is just a newer build of runc than the buildroot version. | ||
|
||
https://github.com/opencontainers/runc | ||
|
||
comment "runc needs a toolchain w/ threads" | ||
depends on BR2_PACKAGE_HOST_GO_ARCH_SUPPORTS && \ | ||
BR2_PACKAGE_HOST_GO_CGO_LINKING_SUPPORTS | ||
depends on !BR2_TOOLCHAIN_HAS_THREADS |
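Review bot: the help text says runc runs containers "according to the OCP specification"; runc implements the OCI runtime specification, so this should read OCI. The help also describes the package as "just a newer build of runc than the buildroot version" without saying which commit, so name the pinned `593914b8bd5448a93f7c3e4902a03408b6d5c0ce` from the hash file and, if there is one, the upstream fix that motivates it. Since crio-bin `select`s `BR2_PACKAGE_RUNC_MASTER`, keep the `depends on` lines of the two Config.in files in sync so the select cannot pull runc-master into a configuration where its own dependencies are unmet.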
@@ -0,0 +1,2 @@ | ||
# Locally computed | ||
sha256 e9ad8aa5590f65a23326b7e9944d8b9881fa002ccb4a8e2cd40712a89a40ee45 runc-master-593914b8bd5448a93f7c3e4902a03408b6d5c0ce.tar.gz |
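Review bot: the checksum is labelled `# Locally computed` and covers `runc-master-593914b8bd5448a93f7c3e4902a03408b6d5c0ce.tar.gz`, a tarball named after a commit rather than a release tag; record in the commit message how that archive was fetched and renamed so the hash can be reproduced by someone else, and move to a tagged runc release with upstream's own checksum once the needed change is in one.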
We might need to write this file dynamically like we do the docker systemd unit to pass through things like insecure registries. I think this is fine for now though.
Once I saw that there were dynamic service files generated, I thought the same thing.