Sync the containerd files for Kubernetes #718

Closed
wants to merge 1 commit into from

Member

@afbjorklund afbjorklund commented Mar 11, 2022

Comparing with:
https://github.com/containerd/containerd/blob/main/docs/cri/installation.md

Unfortunately the upstream documentation has been deprecated,
and no longer includes the configuration needed for CRI and CNI.

It is also no longer available from the kubernetes documentation,
so it is up to the user to figure out /etc/crictl.yaml and /etc/cni/net.d

https://github.com/containerd/containerd/blob/main/script/setup/install-critools

https://github.com/containerd/containerd/blob/main/script/setup/install-cni

Upstream includes configuration for CRI and CNI,
so make sure that is added to the nerdctl install.
Currently using "flannel" for multi-node and VXLAN,
but template can be edited to use "containerd-net".

The image endpoint defaults to the runtime endpoint,
so use the same configuration file as upstream has.
Currently we use kubernetes-cni which is a slightly
older version so don't bump the cniVersion (yet).


Reviewer note: this is basically a no-op, unless edited

We create the default file, and then we delete it again

Upstream includes configuration for CRI and CNI,
so make sure that is added to the nerdctl install.
Currently using "flannel" for multi-node and VXLAN,
but template can be edited to use "containerd-net".

The image endpoint defaults to the runtime endpoint,
so use the same configuration file as upstream has.
Currently we use kubernetes-cni which is a slightly
older version so don't bump the cni version (yet).

Signed-off-by: Anders F Björklund <[email protected]>
}
EOF
# To use flannel, delete the default CNI network
# To use containerd-net, comment this and below
rm -f /etc/cni/net.d/*.conf*
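
Review bot: the `rm -f /etc/cni/net.d/*.conf*` line, directly after the heredoc's closing `EOF`, matches every `.conf` and `.conflist` file in the directory, so unedited it removes the file that was just written along with anything else placed there. Delete only the named default file instead of a glob, and reword the two comments so it is clear which lines to comment out for each mode ("this and below" does not say how far below).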
Member

This rm -f is confusing

Member Author

I think I inherited from the installation where we also have podman and cri-o

Perhaps remove the glob and use the above only? Hope nothing else is there.
Kubernetes only supports having one file in CNI, and uses the first in alphabet.
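
As an added illustration of the comment above about only one CNI file being used (this is not part of the pull request or the thread): a small shell check that lists the configs in a CNI directory, names the one that sorts first, and flags the rest as shadowed. The function names, the sample file names and the set of extensions considered (`.conf`, `.conflist`, `.json`) are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example: report which CNI config sorts first in a directory and
# which other configs are shadowed by it.
# Assumption: the loader considers *.conf, *.conflist and *.json files.

# Print candidate config file names, one per line, in byte order.
cni_candidates() {
  local dir="$1" f
  for f in "$dir"/*.conf "$dir"/*.conflist "$dir"/*.json; do
    [ -f "$f" ] && basename "$f"
  done | LC_ALL=C sort
}

# Name of the config that sorts first; empty output if there is none.
cni_active() { cni_candidates "$1" | head -n 1; }

# Names of configs that are present but sort after the first one.
cni_shadowed() { cni_candidates "$1" | tail -n +2; }

# Return 0 only when exactly one config is present; explain otherwise.
cni_check() {
  local dir="$1" active shadowed
  active=$(cni_active "$dir")
  shadowed=$(cni_shadowed "$dir")
  if [ -z "$active" ]; then
    echo "no CNI config in $dir (normal until the flannel pod has written one)"
    return 1
  fi
  echo "active: $active"
  if [ -n "$shadowed" ]; then
    echo "shadowed: $(echo "$shadowed" | tr '\n' ' ')"
    return 1
  fi
  return 0
}

# Constructed sample: the default bridge config left next to a flannel one.
demo_dir=$(mktemp -d)
: > "$demo_dir/10-containerd-net.conflist"
: > "$demo_dir/10-flannel.conflist"
cni_check "$demo_dir" || true
rm -rf "$demo_dir"
```

On a real node, `cni_check /etc/cni/net.d` can run before `kubeadm init` to confirm that the default bridge config is not shadowing the network add-on.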

Member Author

In the recent release, the cni conf dir flag has been removed - which broke our workaround

Member Author

Anyway, we get a default CNI with the container runtime installation.

It must be deleted, if we want to install our own CNI - like "flannel"

Member

I think we should only support flannel.
Not really useful for single-node cluster, but akin to production env.

Member Author

@afbjorklund afbjorklund Apr 21, 2022

Main reason for containerd-net was to not depend on any third-party images

    IMAGE                                TAG                 IMAGE ID            SIZE
    k8s.gcr.io/coredns/coredns           v1.8.6              a4ca41631cc7a       13.6MB
    k8s.gcr.io/etcd                      3.5.1-0             25f8c7f3da61c       98.9MB
    k8s.gcr.io/kube-apiserver            v1.23.6             8fa62c12256df       32.6MB
    k8s.gcr.io/kube-controller-manager   v1.23.6             df7b72818ad2e       30.2MB
    k8s.gcr.io/kube-proxy                v1.23.6             4c03754524064       39.3MB
    k8s.gcr.io/kube-scheduler            v1.23.6             595f327f224a4       15.1MB
    k8s.gcr.io/pause                     3.6                 6270bb605e12e       302kB
    quay.io/coreos/flannel               v0.14.0             8522d622299ca       21.1MB

Member Author

The registry changed from k8s.gcr.io to registry.k8s.io and from quay.io to docker.io, but anyway.

    IMAGE                                     TAG                 IMAGE ID            SIZE
    docker.io/flannel/flannel-cni-plugin      v1.1.2              7a2dcab94698c       3.84MB
    docker.io/flannel/flannel                 v0.21.2             7b7f3acab868d       24.2MB
    registry.k8s.io/coredns/coredns           v1.9.3              5185b96f0becf       14.8MB
    registry.k8s.io/etcd                      3.5.6-0             fce326961ae2d       103MB
    registry.k8s.io/kube-apiserver            v1.26.1             deb04688c4a35       35.3MB
    registry.k8s.io/kube-controller-manager   v1.26.1             e9c08e11b07f6       32.2MB
    registry.k8s.io/kube-proxy                v1.26.1             46a6bb3c77ce0       21.5MB
    registry.k8s.io/kube-scheduler            v1.26.1             655493523f607       17.5MB
    registry.k8s.io/pause                     3.9                 e6f1816883972       322kB

@afbjorklund
Member Author

When not using flannel, then the pod-network-cidr should be removed too (to default to 10.88.0.0/16)

Ideally this should have some kind of boolean configuration, but I think that is overkill for a yaml file...

containerd

The default configuration in /etc/cni/net.d/10-containerd-net.conflist works, without modifications.

    systemctl enable --now kubelet
    kubeadm init --cri-socket=/run/containerd/containerd.sock --apiserver-cert-extra-sans 127.0.0.1

flannel

The default bridge CNI must be deleted, and the flannel pod will create one once the cluster is booted.

    rm -f /etc/cni/net.d/*.conf*

    systemctl enable --now kubelet
    # Initializing your control-plane node
    kubeadm init --cri-socket=/run/containerd/containerd.sock --pod-network-cidr=10.244.0.0/16 --apiserver-cert-extra-sans 127.0.0.1
    # Installing a Pod network add-on
    kubectl apply -f https://raw.githubusercontent.com/flannel-io/flannel/v0.14.0/Documentation/kube-flannel.yml

EOF
# cni-plugins
apt-get install -y kubernetes-cni
mkdir -p /etc/cni/net.d
cat << EOF | tee /etc/cni/net.d/10-containerd-net.conflist
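
Review bot: the `cat << EOF | tee /etc/cni/net.d/10-containerd-net.conflist` line uses an unquoted heredoc delimiter, so the shell expands any `$` or backtick that ends up in the config body; `<< 'EOF'` writes the file literally. It also calls plain `tee` where the `/etc/crictl.yaml` step shown elsewhere on this page uses `sudo tee`, and the two should be consistent.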
Member

Looks like we are going to support multi-node example (#1183), so probably we do not need to use non-flannel bridge?

Member Author

It would have to be versioned, at least. That is, only apply when number of nodes == 1. Otherwise flannel.

Member

Is it harmless to use flannel on single-node mode too?

Member Author

Yeah, just overkill. Mostly it was triggered by the kubeadm team not wanting to support flannel anymore.

@afbjorklund
Member Author

I guess it can default to using flannel on both Kubernetes distributions, as a Lima feature.

Upstream containerd seems to be deprecating the bundled CNI configuration anyway...

https://github.com/containerd/containerd/blob/main/docs/getting-started.md

The cri-containerd-... archives are deprecated, do not work on old Linux distributions, and will be removed in containerd 2.0.

So in case the bridge network doesn't work anymore then, don't add another copy here.

Will do a new PR, just to remove the redundant (default) line from the CRI configuration...

@@ -62,7 +62,6 @@ provision:
     apt-get install -y cri-tools
     cat  <<EOF | sudo tee /etc/crictl.yaml
     runtime-endpoint: unix:///run/containerd/containerd.sock
-    image-endpoint: unix:///run/containerd/containerd.sock
     EOF
     # cni-plugins
     apt-get install -y kubernetes-cni
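
Review bot: with the `image-endpoint` line removed, `/etc/crictl.yaml` depends on the image endpoint defaulting to `runtime-endpoint`, and nothing in the file says so. A one-line comment above `runtime-endpoint` noting that it covers image operations too would keep the removed line from being re-added later; the `cat  <<EOF` context line also carries a doubled space worth tidying in the same change.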
