
CRI-O Features for Fun and Profit

Are you a cluster admin looking to be on the cutting edge of Kubernetes features? How about an end-user looking to take full advantage of the capabilities of your cluster? This is the talk for you! Join Sohan Kunkerkar and Peter Hunt as they explore recent features in CRI-O and Kubernetes. They'll cover topics such as native sigstore signature support, running Podman in a Kubernetes pod, using OCI artifacts as a volume, and more. In each, they will highlight potential use cases, pitfalls and common patterns, as well as show how to use each in your cluster. If you're interested in the newest at the intersection of Kubernetes and container runtimes, step right up and learn away!

Sohan Kunkerkar

November 20, 2024

Transcript

  1. What’s CRI-O?
     • Supports OCI based container images, runtimes, and registries
     • Implementation of the Kubernetes Container Runtime Interface, compliant with the Open Container Initiative
     • Balances stability and features
     • Focus on security
     • Purpose-built for Kubernetes
  2. Further Securing Image Pulls
     • Since 2022, CRI-O has supported verifying sigstore signatures of images
     • Enforced on image pull and container creation
     • Only node level (all containers on the node must be verified with the same policies)
  3. Further Securing Image Pulls
     • As of CRI-O 1.31.0, signature verification is namespaced: policies can be set on a per-namespace basis
  4. Unclean Shutdown
     • Historically, CRI-O has been susceptible to sudden shutdown
     • Image storage corruption
     • In CRI-O ~1.16, there was code added to clean up images
  5. Old Solution: Clear the Storage!
     • Do you know what is not a corrupted image storage? An empty one!
  6. New Solution: Storage Check/Repair
     • New API in the c/storage library to scan image storage
     • Granularity of what is checked is available
     • If corruption is found, the corrupted image is removed
  7. Transitioning to crun as Default Runtime
     • The runc Challenge:
       ◦ Recent issue: runc incompatible with Go 1.22.
       ◦ Root cause: Complex interaction between Go, glibc, and system calls.
       ◦ Impact: Ecosystem-wide disruption and temporary workarounds.
  8. Transitioning to crun as Default Runtime
     • Written in C, offering efficiency and eliminating Go-specific issues.
     • Leverages C's mature ecosystem and stable ABI.
     • Optimized for modern workloads, including edge computing, confidential computing and WebAssembly.
     • Already defaults to cgroup v2.
     • The CRI-O community voted to use crun as the new default runtime.
     • For most users, this will not be a breaking change.
  9. crun vs runc - Performance & Resource Usage
     • crun can be twice as fast as runc for container creation.
     • Memory usage: crun (3752 KB) vs runc (15120 KB)
     • crun binary size (~500 KB) vs runc (~14 MB)
     • Resource efficiency:
       ◦ Can run containers with lower memory limits
       ◦ Supports running with a single PID, unlike runc (requires min 5).
     • Use cases:
       ◦ Ideal for edge computing and IoT due to low resource consumption
       ◦ Better suited for high-density container deployments
  10. CI coverage
     • Comprehensive CI coverage for crun in CRI-O.
     • Periodic job to run the upstream node e2e test suite, ensuring Kubernetes compliance and stability.
  11. KEP 4639 - Image Volume Source
     • New Alpha feature in Kubernetes v1.31.
     • Allows using OCI images as native volume sources.
     • Supports AI/ML use cases and extends Kubernetes capabilities.
     • Enables mounting OCI objects directly into pods.
  12. Image Volume Source
     • Use Cases:
       ◦ Sharing configuration files across containers.
       ◦ Mounting ML model weights alongside model servers.
       ◦ Separating malware signatures from scanner software.
     • Key Features:
       ◦ Reuses existing container image pull mechanisms.
       ◦ Supports various pull policies (Always, Never, IfNotPresent).
       ◦ Integrates with existing secret management for image pulling.
     • Limitations:
       ◦ Sub-path mounts not supported.
       ◦ fsGroupChangePolicy has no effect.
  13. Future work
     • Explore and contribute to CRI-O's feature roadmap: https://github.com/orgs/cri-o/projects/1
     • Upcoming Highlights:
       ◦ WASM plugins loaded directly into CRI-O (instead of NRI)
       ◦ Handle WASM workloads as container images
       ◦ Lazy pull image use case
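As an added example (not part of the talk or the CRI-O project), the following Pod manifest shows the image volume source from slides 11 and 12 applied to the ML model weights use case: the weights live in their own OCI image and are mounted next to the model server. It assumes the ImageVolume feature gate is enabled on a v1.31 cluster whose nodes run CRI-O 1.31+; the registry paths, namespace and secret name are placeholders.

```yaml
# Added example: ML model weights mounted from an OCI image (KEP 4639).
# Assumptions: --feature-gates=ImageVolume=true on kube-apiserver and kubelet,
# nodes running CRI-O 1.31 or newer, placeholder image references below.
apiVersion: v1
kind: Pod
metadata:
  name: model-server
  namespace: inference            # placeholder namespace
spec:
  # The same pull secrets used for container images are reused for the
  # image volume pull ("integrates with existing secret management").
  imagePullSecrets:
    - name: registry-creds        # placeholder secret name
  containers:
    - name: server
      image: registry.example.com/inference/server:1.0     # placeholder
      args: ["--model-dir=/models"]
      volumeMounts:
        - name: weights
          mountPath: /models
          readOnly: true          # image volumes are mounted read-only
          # subPath is intentionally absent: sub-path mounts are not supported
  volumes:
    - name: weights
      image:
        # OCI image holding only the weights; placeholder reference.
        # Pin to a digest in production so the mounted content cannot change
        # under the same tag; the node's sigstore policy is enforced on this
        # pull exactly as for container images.
        reference: registry.example.com/inference/llm-weights:2024-11
        # Same pull policies as containers: Always, Never, IfNotPresent.
        pullPolicy: IfNotPresent
```

Because fsGroupChangePolicy has no effect on image volumes, file ownership inside /models is whatever the image carries; build the weights image with permissions the server's runAsUser can read.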