Add Kata Containers support to CRI-O runtime (#6830)

* Enable Kata Containers for CRI-O runtime Kata Containers is an OCI runtime where containers are run inside lightweight VMs. This runtime has been enabled for containerd runtime thru the kata_containers_enabled variable. This change enables Kata Containers to CRI-O container runtime. Signed-off-by: Victor Morales <v.morales@samsung.com> * Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs' * Set manage_ns_lifecycle=true when KataContainers is enabed * Add preinstall check for katacontainers Signed-off-by: Victor Morales <v.morales@samsung.com> Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
2026-03-10 04:08:02 +03:00 · 2020-10-23 03:07:46 -07:00
parent 91f1edbdd4
commit e03e3c4582
7 changed files with 61 additions and 20 deletions
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -110,7 +110,11 @@ decryption_keys_path = "/etc/crio/keys/"
 conmon = "{{ crio_conmon }}"

 # Cgroup setting for conmon
+{% if crio_cgroup_manager == "cgroupfs" %}
+conmon_cgroup = "pod"
+{% else %}
 conmon_cgroup = "system.slice"
+{% endif %}

 # Environment variable list for the conmon process, used for passing necessary
 # environment variables to conmon or the runtime.
@@ -250,7 +254,11 @@ ctr_stop_timeout = 30

 # manage_ns_lifecycle determines whether we pin and remove namespaces
 # and manage their lifecycle
+{% if kata_containers_enabled %}
+manage_ns_lifecycle = true
+{% else %}
 manage_ns_lifecycle = false
+{% endif %}

 # The directory where the state of the managed namespaces gets tracked.
 # Only used when manage_ns_lifecycle is true.
@@ -280,22 +288,12 @@ pinns_path = ""
 # - runtime_root (optional, string): root directory for storage of containers
 #   state.

-
-[crio.runtime.runtimes.runc]
-runtime_path = "{{ crio_runc_path }}"
-runtime_type = "oci"
-runtime_root = "/run/runc"
-
-
-# Kata Containers is an OCI runtime, where containers are run inside lightweight
-# VMs. Kata provides additional isolation towards the host, minimizing the host attack
-# surface and mitigating the consequences of containers breakout.
-
-# Kata Containers with the default configured VMM
-#[crio.runtime.runtimes.kata-runtime]
-
-# Kata Containers with the QEMU VMM
-#[crio.runtime.runtimes.kata-qemu]
+{% for runtime in crio_runtimes %}
+[crio.runtime.runtimes.{{ runtime.name }}]
+runtime_path = "{{ runtime.path }}"
+runtime_type = "{{ runtime.type }}"
+runtime_root = "{{ runtime.root }}"
+{% endfor %}

 # Kata Containers with the Firecracker VMM
 #[crio.runtime.runtimes.kata-fc]