背景

由于kubernetes在1.20版本对docker支持力度比较少, 1.24彻底抛弃docker,需要寻找其他容器运行时替换docker,由于这些运行时提供标准ORI接口,使用上和k8s相同,先创建pod,再创建容器。

安装crio

安装相关

  1. $ export VERSION=1.22
  2. $ sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_7/devel:kubic:libcontainers:stable.repo
  3. $ sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:${VERSION}.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:${VERSION}/CentOS_7/devel:kubic:libcontainers:stable:cri-o:${VERSION}.repo
  5. $ yum install cri-o cri-tools

启动相关

  1. $ systemctl start crio

配置私有仓库自签名证书

以前docker自签名证书存放在/etc/docker/certs.d/, cri-o存放在/etc/containers/certs.d/。如果证书域名在CN,可能需要加下面环境变量:

创建目录

  1. $ sudo mkdir /usr/lib/systemd/system/crio.service.d
  2. $ sudo touch /usr/lib/systemd/system/crio.service.d/x509.conf

x509.conf 填入

  1. [Service]
  2. # 添加此项支持x509CN的证书
  3. Environment="GODEBUG=x509ignoreCN=0"

安装Nvidia容器运行时

安装容器运行时, 不用安装nvidia-docker2

  1. $ sudo curl -s -L https://nvidia.github.io/nvidia-container-runtime/centos7/x86_64/nvidia-container-runtime.repo | sudo tee /etc/yum.repos.d/nvidia-container-runtime.repo
  3. $ sudo yum -y install nvidia-container-toolkit

安装容器运行时/usr/share/containers/oci/hooks.d/oci-nvidia-hook.json在目录有nvidia-hook钩子, 所以除docker以外所用容器运行时都通用的,例如containerd, cri-o都是通过这个钩子。只要环境变量包含环境变量NVIDIA_VISIBLE_DEVICES, 根据环境变量,如果把驱动,以及对应的显卡映射到容器里面。

测试创建容器

cri-o 只是容器运行时服务,控制台使用crictl-tools 进行控制。crictl和k8s类似,需要先创建POD,再创建容器的

创建POD

为了测试方便,使用hostnetwork, sandbox-config.json 配置如下: 

  1. {
  2.     "metadata": {
  3.         "name": "busybox-sandbox",
  4.         "namespace": "default",
  5.         "attempt": 1,
  6.         "uid": "hdishd83djaidwnduwk28bcsb"
  7.     },
  8.     "linux": {
  9.        "security_context": {
  10.          "namespace_options": {
  11.            "network": 2
  12.          }
  13.        }
  14.     }
  15. }

提交配置

  1. $ crictl runp sandbox-config.json
  2. $ crictl pods    
  3. POD ID              CREATED             STATE               NAME                NAMESPACE           ATTEMPT             RUNTIME
  4. 4cb8955f9356d       16 hours ago        Ready               busybox-sandbox       default             1                   (default)

创建container

使用nvidia/cuda 镜像因为里面包含ENV NVIDIA_VISIBLE_DEVICES=all所以在容器可以显示所有显卡. container-config.yaml 如下:

  1. metadata:
  2.   name: busybox
  3. image:
  4.   image: nvidia/cuda:11.4.0-base-centos7
  5. command:
  6. - sleep
  7. args:
  8. - 600
  9. log_path: busybox.0.log
  1. $ circtl create

存储路径

ciro 存储路径分别有两个部分组成: 容器存储路径和容器运行时候路径

容器存储配置

建议在这两个默认路径挂载大磁盘,支持容器运行

  1. [crio]
  2. # CRI-O stores all of its data, including containers images, in this directory.
  3. # root="/var/lib/containers/storage"
  5. # Path to the "run directory". CRI-O stores all of its state in this directory.
  6. #runroot = "/var/run/containers/storage"

日志配置

日志配置,新的容器运行时都是通过kubelet的参数进行配置, 通过kubespray可以通过下面两个变量进行配置

  1. # Maximum number of container log files that can be present for a container.
  2. # 保留最近文件数目: default 5
  3. kubelet_logfiles_max_nr: 5
  5. # Maximum size of the container log file before it is rotated
  6. # 每个文件最大尺寸
  7. kubelet_logfiles_max_size: 10Mi

参考