Merge pull request #11601 from tico88612/feat/crio-default-crun

Feat: CRI-O v1.31 change default runtime to crun
2026-02-28 09:39:12 +03:00 · 2024-10-16 02:49:03 +01:00
parent 687fa3dbed faa0816b95
commit daa2144de3
8 changed files with 77 additions and 18 deletions
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -2,6 +2,7 @@

 crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('systemd') }}"
 crio_conmon: "{{ bin_dir }}/conmon"
+crio_default_runtime: "crun"
 crio_libexec_dir: "/usr/libexec/crio"
 crio_enable_metrics: false
 crio_log_level: "info"
@@ -40,10 +41,10 @@ crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<m

 # The crio_runtimes variable defines a list of OCI compatible runtimes.
 crio_runtimes:
-  - name: runc
-    path: "{{ crio_runtime_bin_dir }}/runc"
+  - name: crun
+    path: "{{ crio_runtime_bin_dir }}/crun"
    type: oci
-    root: /run/runc
+    root: /run/crun

 # Kata Containers is an OCI runtime, where containers are run inside lightweight
 # VMs. Kata provides additional isolation towards the host, minimizing the host attack
@@ -56,6 +57,12 @@ kata_runtimes:
    root: /run/kata-containers
    privileged_without_host_devices: true

+runc_runtime:
+  name: runc
+  path: "{{ crio_runtime_bin_dir }}/runc"
+  type: oci
+  root: /run/runc
+
 # crun is a fast and low-memory footprint OCI Container Runtime fully written in C.
 crun_runtime:
  name: crun
--- a/roles/container-engine/cri-o/meta/main.yml
+++ b/roles/container-engine/cri-o/meta/main.yml
@@ -1,5 +1,5 @@
 ---
 dependencies:
-  - role: container-engine/runc
+  - role: container-engine/crun
  - role: container-engine/crictl
  - role: container-engine/skopeo
--- a/roles/container-engine/cri-o/molecule/default/tests/test_default.py
+++ b/roles/container-engine/cri-o/molecule/default/tests/test_default.py
@@ -21,7 +21,7 @@ def test_run(host):
    assert "RuntimeName:  cri-o" in cmd.stdout

 def test_run_pod(host):
-    runtime = "runc"
+    runtime = "crun"

    run_command = "/usr/local/bin/crictl run --with-pull --runtime {} /tmp/container.json /tmp/sandbox.json".format(runtime)
    with host.sudo():
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -36,11 +36,18 @@
  when:
    - kata_containers_enabled

- name: Cri-o | build a list of crio runtimes with crun runtime
+## After CRI-O v1.31, crun is default runtime.
+# - name: Cri-o | build a list of crio runtimes with crun runtime
+#   set_fact:
+#     crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+#   when:
+#     - crun_enabled
+
+- name: Cri-o | build a list of crio runtimes with runc runtime
  set_fact:
-    crio_runtimes: "{{ crio_runtimes + [crun_runtime] }}"
+    crio_runtimes: "{{ crio_runtimes + [runc_runtime] }}"
  when:
-    - crun_enabled
+    - runc_enabled

 - name: Cri-o | build a list of crio runtimes with youki runtime
  set_fact:
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -97,7 +97,7 @@ grpc_max_recv_msg_size = 16777216

 # default_runtime is the _name_ of the OCI runtime to be used as the default.
 # The name is matched against the runtimes map below.
-default_runtime = "runc"
+default_runtime = "{{ crio_default_runtime }}"

 # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
 no_pivot = false