Below I will talk a little about the changes in the container technology stack that we ran into while studying the CentOS 8 distribution, what CRI-O is, and how to quickly set up a container runtime environment for Kubernetes with it.
Why Docker is missing from the standard CentOS 8 distribution
After installing the latest major releases of RHEL 8 or CentOS 8, one cannot fail to notice that these distributions and their official repositories lack the Docker application; it has been ideologically and functionally replaced by the Podman and Buildah packages (present in the default distribution) and by CRI-O. This is due to the practical implementation of standards developed, among others, by Red Hat as part of the Open Container Initiative (OCI).
The goal of OCI, which is part of The Linux Foundation, is to create open industry standards for container formats and runtimes that address several problems at once. First, they should not contradict the Linux philosophy (for example, that each program should do one thing, whereas Docker is a kind of all-in-one combine). Second, they should eliminate the known flaws of the Docker software. Third, they should fully satisfy the business requirements of the leading commercial platforms for deploying, managing and serving containerized applications (for example, Red Hat OpenShift).
The disadvantages of Docker and the advantages of the new software have already been described in some detail in this article, and a detailed description of the entire software stack offered within the OCI project and its architectural features can be found in the official documentation and in articles both from Red Hat itself (a good article in the Red Hat blog) and in third-party reviews.
It is important to note what functionality the components of the proposed stack have:
- Podman - direct interaction with containers and image storage through the runC process;
- Buildah - building images and pushing them to a registry;
- CRI-O - a container runtime for orchestration systems (such as Kubernetes).
To understand the general scheme of interaction between the components of the stack, it is worth presenting here the diagram of how Kubernetes communicates with runC and the low-level libraries through CRI-O:
CRI-O and Kubernetes follow the same release and support cycle (the compatibility matrix is very simple: the major versions of Kubernetes and CRI-O are the same). Together with the developers' focus on full and comprehensive testing of this stack, this gives us the right to expect the maximum achievable stability under any use case (the relative lightness of CRI-O compared to Docker, due to its deliberately limited functionality, also helps here).
When installing Kubernetes the "right way" (according to OCI, of course) using CRI-O on CentOS 8, we ran into small difficulties, which, however, were successfully overcome. I will gladly share the installation and configuration instructions, which take at most 10 minutes in total.
How to deploy Kubernetes on CentOS 8 using CRI-O
Prerequisites: at least one host (2 cores, 4 GB RAM, at least 15 GB disk) with CentOS 8 installed (the "Server" installation profile is recommended), plus an entry for it in the local DNS (as a last resort, you can use /etc/hosts). And don't forget to disable swap.
We perform all operations on the host as the root user, so be careful.
- In the first step, we will configure the OS, install and configure the preliminary dependencies for CRI-O.
- Let's update the OS:
```bash
dnf -y update
```
- Firewall and SELinux. Put the default firewalld zone into trusted mode:
```bash
firewall-cmd --set-default-zone trusted
firewall-cmd --reload
```
or disable firewalld altogether:
```bash
systemctl disable --now firewalld
```
Switch SELinux to «permissive» mode:
```bash
setenforce 0
sed -i 's/^SELINUX=enforcing$/SELINUX=permissive/' /etc/selinux/config
```
- Load the overlay and «br_netfilter» kernel modules (and make br_netfilter load on boot), then install the traffic-control utilities:
```bash
modprobe overlay
modprobe br_netfilter
echo "br_netfilter" >> /etc/modules-load.d/br_netfilter.conf
dnf -y install iproute-tc
```
- Set the kernel parameters required by the CRI:
```bash
cat > /etc/sysctl.d/99-kubernetes-cri.conf <<EOF
net.bridge.bridge-nf-call-iptables = 1
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 1
EOF
```
Apply them:
```bash
sysctl --system
```
- Choose the CRI-O version (it must match the major version of Kubernetes); here we use Kubernetes 1.18:
```bash
export REQUIRED_VERSION=1.18
```
Add the repositories:
```bash
dnf -y install 'dnf-command(copr)'
dnf -y copr enable rhcontainerbot/container-selinux
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_8/devel:kubic:libcontainers:stable.repo
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION/CentOS_8/devel:kubic:libcontainers:stable:cri-o:$REQUIRED_VERSION.repo
```
- Install CRI-O:
```bash
dnf -y install cri-o
```
Note: the CRI-O config expects conmon at /usr/libexec/crio/conmon, but the package installs it at /usr/bin/conmon, so fix the path:
```bash
sed -i 's/\/usr\/libexec\/crio\/conmon/\/usr\/bin\/conmon/' /etc/crio/crio.conf
```
Enable and start CRI-O:
```bash
systemctl enable --now crio
```
Check its status:
```bash
systemctl status crio
```
- In the second step, we install and configure Kubernetes.
- Add the Kubernetes repository:
```bash
cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://packages.cloud.google.com/yum/repos/kubernetes-el7-\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
exclude=kubelet kubeadm kubectl
EOF
```
Install the Kubernetes packages (version 1.18, to match CRI-O):
```bash
dnf install -y kubelet-1.18* kubeadm-1.18* kubectl-1.18* --disableexcludes=kubernetes
```
- Unlike Docker, CRI-O uses the systemd cgroup driver, so tell the kubelet about it in /var/lib/kubelet/config.yaml:
```bash
mkdir /var/lib/kubelet
cat <<EOF > /var/lib/kubelet/config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
cgroupDriver: systemd
EOF
```
- Also pass the remote runtime, the cgroup driver and the CRI-O socket to the kubelet as extra arguments:
```bash
cat /dev/null > /etc/sysconfig/kubelet
cat <<EOF > /etc/sysconfig/kubelet
KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'
EOF
```
- In the third step, we initialize the cluster.
- On the control-plane node, run:
```bash
kubeadm init --pod-network-cidr=10.244.0.0/16
```
Save the printed «kubeadm join ...» command: it is needed to add worker nodes.
- Install a CNI plugin for the pod network. We use Calico: Flannel gave us trouble with nftables, while Calico worked as the CNI for Kubernetes:
```bash
kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f https://docs.projectcalico.org/v3.15/manifests/calico.yaml
```
- On the worker nodes, repeat steps 1 and 2, then run the join command printed by «kubeadm init ...»:
```bash
kubeadm join $CONTROL_PLANE_ADDRESS:6443 --token $TOKEN \
    --discovery-token-ca-cert-hash $TOKEN_HASH
```
- Finally, check that all pods are running:
```bash
kubectl --kubeconfig=/etc/kubernetes/admin.conf get pods -A
```
Done! The K8s cluster is up.
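As an added example (not part of the original post), a small shell script that checks the four files written in the steps above for the settings the procedure expects: the sysctl keys, the kubelet cgroup driver, the corrected conmon path and KUBELET_EXTRA_ARGS. The sample tree it builds is constructed, not a real host.

```shell
#!/bin/sh
# Added example: verify the config files from the CRI-O + kubelet procedure.
# Each check reads one file and returns 0 when it matches the procedure.

# /etc/sysctl.d/99-kubernetes-cri.conf: all three keys must equal 1.
check_sysctl_conf() {
    for key in net.bridge.bridge-nf-call-iptables net.ipv4.ip_forward \
               net.bridge.bridge-nf-call-ip6tables; do
        grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1[[:space:]]*$" "$1" || return 1
    done
    return 0
}

# /var/lib/kubelet/config.yaml: kubelet must use the systemd cgroup driver.
check_kubelet_config() {
    grep -Eq '^cgroupDriver:[[:space:]]*systemd[[:space:]]*$' "$1"
}

# /etc/crio/crio.conf: conmon must point at the binary the package installs.
check_conmon_path() {
    grep -Eq '^[[:space:]]*conmon[[:space:]]*=[[:space:]]*"/usr/bin/conmon"' "$1"
}

# /etc/sysconfig/kubelet: remote runtime, systemd cgroups and the CRI-O socket.
check_kubelet_args() {
    grep -q -- '--container-runtime=remote' "$1" &&
    grep -q -- '--cgroup-driver=systemd' "$1" &&
    grep -q -- '--container-runtime-endpoint=.*/var/run/crio/crio.sock' "$1"
}

# Run all checks under ROOT ("" = the live host); report the first failure.
preflight() {
    root=${1:-}
    check_sysctl_conf "$root/etc/sysctl.d/99-kubernetes-cri.conf" || { echo "FAIL: sysctl conf"; return 1; }
    check_kubelet_config "$root/var/lib/kubelet/config.yaml" || { echo "FAIL: kubelet config.yaml"; return 1; }
    check_conmon_path "$root/etc/crio/crio.conf" || { echo "FAIL: conmon path in crio.conf"; return 1; }
    check_kubelet_args "$root/etc/sysconfig/kubelet" || { echo "FAIL: KUBELET_EXTRA_ARGS"; return 1; }
    echo "OK: CRI-O/kubelet settings match the procedure"
}

# Constructed sample tree (not a real host) so the script runs stand-alone.
make_sample_tree() {
    mkdir -p "$1/etc/sysctl.d" "$1/var/lib/kubelet" "$1/etc/crio" "$1/etc/sysconfig"
    printf 'net.bridge.bridge-nf-call-iptables = 1\nnet.ipv4.ip_forward = 1\nnet.bridge.bridge-nf-call-ip6tables = 1\n' > "$1/etc/sysctl.d/99-kubernetes-cri.conf"
    printf 'apiVersion: kubelet.config.k8s.io/v1beta1\nkind: KubeletConfiguration\ncgroupDriver: systemd\n' > "$1/var/lib/kubelet/config.yaml"
    printf '[crio.runtime]\nconmon = "/usr/bin/conmon"\n' > "$1/etc/crio/crio.conf"
    printf "KUBELET_EXTRA_ARGS=--container-runtime=remote --cgroup-driver=systemd --container-runtime-endpoint='unix:///var/run/crio/crio.sock'\n" > "$1/etc/sysconfig/kubelet"
}

sample=$(mktemp -d) && make_sample_tree "$sample" && preflight "$sample"; rm -rf "$sample"
```

Call `preflight` with no argument to check the real host's files instead of the sample tree.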
Hope the instructions above helped save you some time and hassle.
The outcome of the processes taking place in the industry often depends on how they are received by the majority of end users and by developers of other software in the same niche. It is not yet clear where the OCI initiatives will lead in a few years, but we will be following them with interest. You can share your opinion right now in the comments.
Stay tuned!
This article comes from the following sources:
- Section about container runtimes in the Kubernetes documentation
- CRI-O project page
- Red Hat blog posts: this one, this one, and more