@bgulla
Last active February 22, 2024 08:26
Instructions for running RKE2/K3s with an external CRI/container-runtime

k3s/RKE2 with external CRI/containerd support

While k3s and RKE2 ship with their own statically-compiled containerd binary, sometimes you need a more standard container socket, especially if your container scanner (e.g. Twistlock/PrismaCloud) expects a more traditional installation path. This quick guide shows you how to get up and running with an external CRI.

Install containerd

There are better ways to do this, but the most common way of installing containerd is via the docker-ce yum repository.

sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
sudo yum clean all
sudo yum install -y containerd.io

Modify containerd to use external bindings

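# containerd reads /etc/containerd/config.toml by default.
# The brackets are escaped so sed matches them literally instead of as a character class.
sed -i 's/disabled_plugins = \["cri"\]//' /etc/containerd/config.toml # or comment this line out

cat <<EOT >> /etc/containerd/config.toml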
[plugins.cri.cni]
  bin_dir = "/var/lib/rancher/rke2/data/current/bin"
  conf_dir = "/var/lib/rancher/rke2/agent/etc/cni/net.d"
EOT

NOTE: if you are using k3s, you need to swap rke2 with k3s in the above step.

Restart containerd

systemctl restart containerd

Configure k3s/rke2 to use the external containerd

## RKE2 Instructions
mkdir -p /etc/rancher/rke2
echo "container-runtime-endpoint: unix:///run/containerd/containerd.sock" > /etc/rancher/rke2/config.yaml

## K3s Instructions
mkdir -p /etc/rancher/k3s
echo "container-runtime-endpoint: unix:///run/containerd/containerd.sock" > /etc/rancher/k3s/config.yaml

Install RKE2/k3s as normal

## RKE2 Instructions
curl -sfL https://get.rke2.io | sh -
systemctl start rke2-server

## k3s Instructions
curl -sfL https://get.k3s.io | sh -

Profit!
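
A check for the steps above, as an added example that is not part of the original gist: it reads the containerd config and the k3s/RKE2 config.yaml and reports a disabled CRI plugin, a bin_dir or conf_dir that does not exist on the host, or an endpoint that is not the containerd socket. The function name, the optional root prefix and the CONTAINERD_SOCK override are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks the settings from the steps above against each other.
# usage: check_external_cri <containerd config.toml> <k3s|rke2 config.yaml> [root]
# [root] is a hypothetical prefix so the check can run against a copied tree.
# CONTAINERD_SOCK is a hypothetical override; the default is the page's socket.
check_external_cri() {
    toml=$1 yaml=$2 root=${3:-} rc=0
    sock=${CONTAINERD_SOCK:-/run/containerd/containerd.sock}

    # 1. An active (uncommented) disabled_plugins line must not name the CRI
    #    plugin, written "cri" or "io.containerd.grpc.v1.cri".
    if grep -Eq '^[[:space:]]*disabled_plugins[[:space:]]*=.*[".]cri"' "$toml"; then
        echo "FAIL: CRI plugin is disabled in $toml"; rc=1
    fi

    # 2. bin_dir and conf_dir must be set and must exist on this host.
    for key in bin_dir conf_dir; do
        dir=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$toml" | tail -n 1)
        if [ -z "$dir" ]; then
            echo "FAIL: $key is not set in $toml"; rc=1
        elif [ ! -d "$root$dir" ]; then
            echo "FAIL: $key=$dir does not exist"; rc=1
        fi
    done

    # 3. k3s/RKE2 must be pointed at the external containerd socket.
    ep=$(sed -n 's/^container-runtime-endpoint:[[:space:]]*//p' "$yaml" | tr -d "\"'" | tail -n 1)
    if [ "$ep" != "unix://$sock" ]; then
        echo "FAIL: container-runtime-endpoint is '$ep', expected unix://$sock"; rc=1
    fi

    if [ "$rc" -eq 0 ]; then echo "OK: external CRI settings are consistent"; fi
    return "$rc"
}

# Run directly when both file paths are given on the command line.
if [ "$#" -ge 2 ]; then check_external_cri "$@"; fi
```

On an RKE2 host this would be called as `check_external_cri /etc/containerd/config.toml /etc/rancher/rke2/config.yaml`; a non-zero exit status means at least one of the three settings needs attention.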

@ncoonrod

Commenting out disabled_plugins in /etc/containerd/containerd.toml did not work for me. I had to edit /etc/containerd/config.toml.

Here's what worked for me:

sed -i '/disabled_plugins = \["cri"\]/d' /etc/containerd/config.toml # or comment this line out

@ziye-dm

ziye-dm commented Jul 14, 2021

Not working for me, but a question: both of the following directories do not exist in RKE2, so why configure it like that?

  bin_dir = "/var/lib/rancher/rke2/data/current/bin"
  conf_dir = "/var/lib/rancher/rke2/agent/etc/cni/net.d"

On my RKE2, they are "/var/lib/rancher/rke2/bin" and "/etc/cni/net.d".
