root@ubuntu:~# netstat -aux | grep containerd.sock unix 2 [ ACC ] STREAM LISTENING 2959473 /run/containerd/containerd.sock unix 2 [ ACC ] STREAM LISTENING 2959472 /run/containerd/containerd.sock.ttrpc unix 3 [ ] STREAM CONNECTED 3037344 /run/containerd/containerd.sock unix 3 [ ] STREAM CONNECTED 3037345 /run/containerd/containerd.sock unix 3 [ ] STREAM CONNECTED 2951600 /run/containerd/containerd.sock unix 3 [ ] STREAM CONNECTED 3009712 /run/containerd/containerd.sock unix 3 [ ] STREAM CONNECTED 2968154 /run/containerd/containerd.sock root@ubuntu:~#
version = 2 root = "/var/lib/containerd" state = "/run/containerd" plugin_dir = "" disabled_plugins = [] required_plugins = [] oom_score = 0 [grpc] address = "/run/containerd/containerd.sock" tcp_address = "" tcp_tls_cert = "" tcp_tls_key = "" uid = 0 gid = 0 max_recv_message_size = 16777216 max_send_message_size = 16777216 [ttrpc] address = "" uid = 0 gid = 0 [debug] address = "" uid = 0 gid = 0 level = "" [metrics] address = "" grpc_histogram = false [cgroup] path = "" [timeouts] "io.containerd.timeout.shim.cleanup" = "5s" "io.containerd.timeout.shim.load" = "5s" "io.containerd.timeout.shim.shutdown" = "3s" "io.containerd.timeout.task.state" = "2s" [plugins] [plugins."io.containerd.gc.v1.scheduler"] pause_threshold = 0.02 deletion_threshold = 0 mutation_threshold = 100 schedule_delay = "0s" startup_delay = "100ms" [plugins."io.containerd.grpc.v1.cri"] disable_tcp_service = true stream_server_address = "127.0.0.1" stream_server_port = "0" stream_idle_timeout = "4h0m0s" enable_selinux = false sandbox_image = "k8s.gcr.io/pause:3.1" stats_collect_period = 10 systemd_cgroup = false enable_tls_streaming = false max_container_log_line_size = 16384 disable_cgroup = false disable_apparmor = false restrict_oom_score_adj = false max_concurrent_downloads = 3 disable_proc_mount = false [plugins."io.containerd.grpc.v1.cri".containerd] snapshotter = "overlayfs" default_runtime_name = "runc" no_pivot = false [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime] runtime_type = "" runtime_engine = "" runtime_root = "" privileged_without_host_devices = false [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime] runtime_type = "io.containerd.kata.v2" runtime_engine = "" runtime_root = "" privileged_without_host_devices = false [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] runtime_type = "io.containerd.runc.v1" runtime_engine = "" runtime_root = "" privileged_without_host_devices = false [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata] runtime_type = "io.containerd.kata.v2" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.kata.options] ConfigPath = "/etc/kata-containers/config.toml" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.katacli] runtime_type = "io.containerd.runc.v1" [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.katacli.options] NoPivotRoot = false NoNewKeyring = false ShimCgroup = "" IoUid = 0 IoGid = 0 BinaryName = "/usr/bin/kata-runtime" Root = "" CriuPath = "" SystemdCgroup = false [plugins."io.containerd.grpc.v1.cri".cni] bin_dir = "/opt/cni/bin" conf_dir = "/etc/cni/net.d" max_conf_num = 1 conf_template = "" [plugins."io.containerd.grpc.v1.cri".registry] [plugins."io.containerd.grpc.v1.cri".registry.mirrors] [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"] endpoint = ["https://registry-1.docker.io"] [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming] tls_cert_file = "" tls_key_file = "" [plugins."io.containerd.internal.v1.opt"] path = "/opt/containerd" [plugins."io.containerd.internal.v1.restart"] interval = "10s" [plugins."io.containerd.metadata.v1.bolt"] content_sharing_policy = "shared" [plugins."io.containerd.monitor.v1.cgroups"] no_prometheus = false [plugins."io.containerd.runtime.v1.linux"] shim = "containerd-shim" runtime = "runc" runtime_root = "" no_shim = false shim_debug = false [plugins."io.containerd.runtime.v2.task"] platforms = ["linux/amd64"] [plugins."io.containerd.service.v1.diff-service"] default = ["walking"] [plugins."io.containerd.snapshotter.v1.devmapper"] root_path = "" pool_name = "" base_image_size = ""
Setting Runtime Classes
You can create Kubernetes runtime classes to specify whether containers should be run as the default runtime, runc, or using kata-runtime. The examples in this book use the name native to specify the use of runc, and the name kata-containers to specify the use of kata-runtime. You can use any name you like.
To create a runtime class:
-
Create a file for a runtime class for Kata Containers named
kata-runtime.yamlwith the following contents:kind: RuntimeClass apiVersion: node.k8s.io/v1beta1 metadata: name: kata-containers handler: kataLoad the runtime class to the Kubernetes deployment:
$
kubectl apply -f kata-runtime.yamlThe runtime class
kata-containerscan now be used in pod configuration files to specify a container should be run as a Kata container, using thekata-containersruntime. For examples of creating pods using this runtime class, see Section 3.3, “Creating Kata Containers”. -
(Optional) If you want to specify a runtime for
runc, you can do this in a similar way. This is an optional configuration step. Asruncis the default runtime, pods automatically run usingruncunless you specify otherwise. This file is namedrunc-runtime.yaml:kind: RuntimeClass apiVersion: node.k8s.io/v1beta1 metadata: name: native handler: runcLoad the runtime class to the Kubernetes deployment:
$
kubectl apply -f runc-runtime.yamlThe runtime class
nativecan be used in pod configuration files to specify a container should be run as a runC container, using theruncruntime. -
You can see a list of the available runtime classes for a Kubernetes cluster using the kubectl get runtimeclass. For example:
$
kubectl get runtimeclassNAME CREATED AT kata-containers 2019-09-11T06:48:12Z native 2019-09-11T07:08:56Z
root@ubuntu:~# cat kata-runtime.yaml kind: RuntimeClass apiVersion: node.k8s.io/v1beta1 metadata: name: kata-containers handler: kata root@ubuntu:~# cat kata-nginx.yaml apiVersion: v1 kind: Pod metadata: name: kata-nginx spec: runtimeClassName: kata-containers containers: - name: nginx image: nginx ports: - containerPort: 80 root@ubuntu:~#
root@ubuntu:~# kubectl apply -f kata-runtime.yaml runtimeclass.node.k8s.io/kata-containers created root@ubuntu:~# kubectl get runtimeclass NAME HANDLER AGE kata-containers kata 9s root@ubuntu:~#
root@ubuntu:~# kubectl apply -f kata-nginx.yaml pod/kata-nginx created root@ubuntu:~# kubectl apply -f kata-nginx.yaml pod/kata-nginx created
root@ubuntu:~# kubectl get pods NAME READY STATUS RESTARTS AGE kata-nginx 0/1 ContainerCreating 0 107s root@ubuntu:~#