@alexcpn
Last active February 6, 2020 10:40
gvisor in Kubernetes

How To

https://gvisor.dev/docs/user_guide/quick_start/kubernetes/

Using Containerd

You can also set up Kubernetes nodes to run pods in gvisor using the containerd CRI runtime and the gvisor-containerd-shim. You can use either the io.kubernetes.cri.untrusted-workload annotation or RuntimeClass to run Pods with runsc. You can find instructions here.

[centos@azuretest-1 root]$ kubectl get nodes -o wide
NAME          STATUS   ROLES    AGE   VERSION   INTERNAL-IP    EXTERNAL-IP   OS-IMAGE                KERNEL-VERSION               CONTAINER-RUNTIME
azuretest-1   Ready    master   40d   v1.17.0   192.168.0.26                 CentOS Linux 7 (Core)   3.10.0-957.27.2.el7.x86_64   docker://1.13.1
azuretest-2   Ready             40d   v1.17.0   192.168.0.6                  CentOS Linux 7 (Core)   3.10.0-957.27.2.el7.x86_64   docker://1.13.1
[ce

Step 1 - Install runsc /gvisor in all Worker nodes

https://gvisor.dev/docs/user_guide/install/

(
  set -e
  URL=https://storage.googleapis.com/gvisor/releases/nightly/latest
  wget ${URL}/runsc
  wget ${URL}/runsc.sha512
  # verify the binary against the published checksum before installing it
  sha512sum -c runsc.sha512
  rm -f runsc.sha512
  sudo mv runsc /usr/local/bin
  sudo chown root:root /usr/local/bin/runsc
  sudo chmod 0755 /usr/local/bin/runsc
)

Step 2

Disable Docker service

Step 3

Containerd Install in all worker nodes (if not already there).

Note: Linux kernel > 3.17 is needed. Upgrade the CentOS kernel, as CentOS usually ships with 3.10: google/gvisor-containerd-shim#45

https://linuxhint.com/upgrade-kernel-centos-7/
https://www.thegeekdiary.com/centos-rhel-7-change-default-kernel-boot-with-old-kernel/

Install https://github.com/containerd/cri/blob/master/docs/installation.md

VERSION=1.3.2

Needs to be installed as a systemd service.

Create a default configuration; this is used by the other examples:

mkdir -p /etc/containerd
[root@azuretest-1 ~]# containerd config default > /etc/containerd/config.toml

Step 4

Restart the kubelet service with the Docker service disabled. Check that it starts up successfully; if not, refer here: google/gvisor-containerd-shim#46 (comment)

Step 5

Install gvisor-containerd-shim from binary in all worker nodes

https://github.com/google/gvisor-containerd-shim/blob/master/docs/untrusted-workload-quickstart.md

or

Install go and Build and install gvisor-containerd-shim and containerd-shim-runsc-v1 in all nodes

https://github.com/google/gvisor-containerd-shim/blob/master/docs/runtime-handler-shim-v2-quickstart.md

Step 6

Test via crictl

Step 7

Create a gvisor RuntimeClass using runsc

Step 8

Try to deploy a pod using the RuntimeClass gvisor as per the gvisor docs

Step 9 - Check if it works

Warning FailedCreatePodSandBox pod/nginx-gvisor Failed to create pod sandbox: rpc error: code = Unknown desc = RuntimeHandler "runsc" not supported

Check that kubelet is configured to use the containerd socket and that containerd is configured with the gvisor plugin; also refer here and the related google/gvisor-containerd-shim#46 (comment)
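An added example tying Steps 7 to 9 together (this is not part of the gist): a script that checks whether /etc/containerd/config.toml declares the runsc handler the error above complains about, adds it if missing, and emits the RuntimeClass and test pod. It assumes containerd 1.3.x (version 1 config layout) and the shim v2 binary containerd-shim-runsc-v1 from the quickstart; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the gist. Assumes containerd 1.3.x config layout
# and containerd-shim-runsc-v1 installed on the node.
set -u

CONFIG="${CONFIG:-/etc/containerd/config.toml}"

# Returns 0 when the CRI plugin in $1 has a "runsc" runtime of the shim v2
# type. Without this section kubelet gets: RuntimeHandler "runsc" not supported
runsc_handler_configured() {
  cfg="$1"
  grep -q '^\[plugins.cri.containerd.runtimes.runsc\]' "$cfg" \
    && grep -q 'runtime_type *= *"io.containerd.runsc.v1"' "$cfg"
}

# Appends the handler section if it is absent; safe to run repeatedly.
ensure_runsc_handler() {
  cfg="$1"
  runsc_handler_configured "$cfg" && return 0
  cat >>"$cfg" <<'EOF'

[plugins.cri.containerd.runtimes.runsc]
  runtime_type = "io.containerd.runsc.v1"
EOF
  runsc_handler_configured "$cfg"
}

# RuntimeClass (Step 7) and a pod that uses it (Step 8). The handler value
# must equal the section name in config.toml, otherwise Step 9 fails.
gvisor_manifests() {
  cat <<'EOF'
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
---
apiVersion: v1
kind: Pod
metadata:
  name: nginx-gvisor
spec:
  runtimeClassName: gvisor
  containers:
  - name: nginx
    image: nginx
EOF
}

if [ "${1:-}" = "apply" ]; then
  ensure_runsc_handler "$CONFIG" && systemctl restart containerd
  gvisor_manifests | kubectl apply -f -
  # inside a runsc sandbox dmesg is gVisor's own, so it names gVisor
  kubectl exec nginx-gvisor -- dmesg | grep -i gvisor
fi
```

Run it with `apply` on a worker node (as root, with kubectl configured) to perform the change; without arguments it only defines the functions.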
