docker containerd cri-o 添加 crun runtime

• crun下载地址：

下载 crun

# 下载crun
wget https://github.com/containers/crun/releases/download/1.4.2/crun-1.4.2-linux-amd64
# 可执行权限
chmod +x crun-1.4.2-linux-amd64
# mv 到系统bin目录
mv crun-1.4.2-linux-amd64 /usr/bin/crun

docker 添加 crun 支持

修改配置

cat > /etc/docker/daemon.json <<EOF
  "runtimes": {
    "crun": {
      "path": "/usr/bin/crun"
      }
    }
EOF

重启docker

systemctl restart docker

报错

journalctl -u docker

docker 测试crun

# 查看docker 配置crun 是否加入
docker info|  grep crun
[root@control-plane docker]# docker info|  grep crun
 Runtimes: crun runc
# crun 启动pod
docker  run  -tid --runtime=crun --rm  alpine /bin/sh
[root@control-plane docker]# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED             STATUS              PORTS               NAMES
147a002c6165        alpine              "/bin/sh"           2 minutes ago       Up 2 minutes                            inspiring_roentgen

crun vs runc 测试

• 运行速度测试

runc 测试

for i in {1..10}; do /usr/bin/time -f%e docker \
    run  --runtime=runc --rm alpine /bin/true; done 2>&1 | sort
# 测试结果
[root@control-plane docker]# for i in {1..10}; do /usr/bin/time -f%e docker \
>     run  --runtime=runc --rm alpine /bin/true; done 2>&1 | sort
0.67
0.70
0.73
0.78
0.81
0.82
0.85
0.85
1.07
1.63

crun 测试

for i in {1..10}; do /usr/bin/time -f%e docker \
    run  --runtime=crun --rm alpine /bin/true; done 2>&1 | sort
[root@control-plane docker]# for i in {1..10}; do /usr/bin/time -f%e docker \
>     run  --runtime=crun --rm alpine /bin/true; done 2>&1 | sort
0.60
0.61
0.62
0.63
0.66
0.84
0.90
0.98
1.16
1.48

• 内存限制测试

runc

docker  run  --runtime=runc --rm --memory 4M  alpine echo it works
[root@control-plane docker]# docker  run  --runtime=runc --rm --memory 4M  alpine echo it works
docker: Error response from daemon: OCI runtime create failed: container_linux.go:380: starting container process caused: process_linux.go:545: container init caused: process_linux.go:508: setting cgroup config for procHooks process caused: unable to set memory limit to 4194304 (current usage: 8003584, peak usage: 8204288): unknown.

crun

docker  run  --runtime=crun --rm --memory 4M  alpine echo it works
[root@control-plane docker]# docker  run  --runtime=crun --rm --memory 4M  alpine echo it works
it works

containerd 加入crun

配置修改config.toml

[plugins.opt]
path = "/apps/containerd"
[plugins.cri]
stream_server_address = "127.0.0.1"
stream_server_port = "10010"
sandbox_image = "docker.io/juestnow/pause:3.5"
max_concurrent_downloads = 20
  [plugins.cri.containerd]
      default_runtime_name = "crun"
      snapshotter = "overlayfs"
      [plugins.cri.containerd.default_runtime]
      runtime_type = ""
      runtime_engine = ""
      runtime_root = ""
    [plugins.cri.containerd.untrusted_workload_runtime]
      runtime_type = ""
      runtime_engine = ""
      runtime_root = ""
    [plugins.cri.containerd.runtimes.runc]
      base_runtime_spec = ""
      container_annotations = []
      pod_annotations = []
      privileged_without_host_devices = false
      runtime_engine = ""
      runtime_root = ""
      runtime_type = "io.containerd.runc.v2"
    [plugins.cri.containerd.runtimes.crun]
      runtime_type = "io.containerd.runtime.v1.linux"
      runtime_engine = "crun"
      runtime_root = ""
    [plugins.cri.containerd.runtimes.runc.options]
      SystemdCgroup = true
    [plugins.cri.containerd.runtimes.crun.options]
      SystemdCgroup = true
  [plugins.cri.cni]
    bin_dir = "/opt/cni/bin"
    conf_dir = "/etc/cni/net.d"
[plugins."io.containerd.runtime.v1.linux"]
  shim = "containerd-shim"
  runtime = "crun"
  runtime_root = ""
  no_shim = false
  shim_debug = false
[plugins."io.containerd.runtime.v2.task"]
  platforms = ["linux/amd64"]

• path = "/apps/containerd"：插件存放路径；
• sandbox_image = "docker.io/juestnow/pause:3.5"：pause 镜像地址；
• default_runtime_name = "crun"： 默认runtime： runc crun；
• [plugins.cri.containerd.runtimes.crun]：定义新runtime
• runtime_engine = "crun" ：crun 二进制文件路径
• [plugins.cri.containerd.runtimes.crun.options]：crun 的其它参数
• SystemdCgroup = true： cgroup 使用systemd false：使用cgroupfs

本地文档启动脚本参考：

/usr/lib/systemd/system/containerd.service
[Unit]
Description=Lightweight Kubernetes
Documentation=https://containerd.io
After=network-online.target

[Service]
Type=notify
Environment=PATH=/apps/containerd/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin:/root/bin
ExecStartPre=-/sbin/modprobe br_netfilter
ExecStartPre=-/sbin/modprobe overlay
ExecStartPre=-/bin/mkdir -p /run/containerd
ExecStart=/apps/containerd/bin/containerd \
         -c /apps/containerd/conf/config.toml \
         -a /run/containerd/containerd.sock \
         --state /run/containerd \
         --root /var/lib/containerd

KillMode=process
Delegate=yes
OOMScoreAdjust=-999
LimitNOFILE=65535
LimitNPROC=65535
LimitCORE=infinity
TasksMax=infinity
TimeoutStartSec=0
Restart=always
RestartSec=5s

[Install]
WantedBy=multi-user.target

重启containerd

systemctl restart containerd

报错

journalctl -u containerd

cri-o 加入crun

配置修改

# 修改crio.conf
# 修改默认runtime
default_runtime = "crun"
# 添加crun runtime 
[crio.runtime.runtimes.crun]
runtime_path = ""
runtime_type = "oci"
runtime_root = ""
allowed_annotations = [
"io.containers.trace-syscall",
]

• default_runtime = "crun"：修改默认runtime runc crun
• runtime_path：runtime 二进制文件路径
• runtime_root：runtime 运行目录

重启cri-o

systemctl restart crio

报错

journalctl -u crio