While k3s and RKE2 ship with their own statically compiled containerd binary, sometimes you need a more standard container socket, especially if your container scanner (such as Twistlock/PrismaCloud) expects a more traditional installation path. This quick guide shows how to get up and running with an external CRI.
There are better ways to do this, but the most common way of installing containerd is via the docker-ce yum repository.
```bash
sudo yum-config-manager \
    --add-repo \
    https://download.docker.com/linux/centos/docker-ce.repo
sudo yum clean all
sudo yum install -y containerd.io
```
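```bash
# containerd reads /etc/containerd/config.toml by default.
# The brackets are escaped so sed matches the literal ["cri"] instead of a character class.
sed -i 's/^disabled_plugins = \["cri"\]//' /etc/containerd/config.toml # or comment this line out
# Point the CRI plugin at the CNI binaries and configuration shipped by RKE2.
cat <<EOT >> /etc/containerd/config.toml
[plugins.cri.cni]
bin_dir = "/var/lib/rancher/rke2/data/current/bin"
conf_dir = "/var/lib/rancher/rke2/agent/etc/cni/net.d"
EOT
```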
NOTE: if you are using k3s, you need to swap rke2 with k3s in the above step.
```bash
systemctl restart containerd
```

## RKE2 Instructions

```bash
mkdir -p /etc/rancher/rke2
echo "container-runtime-endpoint: unix:///run/containerd/containerd.sock" > /etc/rancher/rke2/config.yaml
```

## K3s Instructions

```bash
mkdir -p /etc/rancher/k3s
echo "container-runtime-endpoint: unix:///run/containerd/containerd.sock" > /etc/rancher/k3s/config.yaml
```

## RKE2 Instructions

```bash
curl -sfL https://get.rke2.io | sh -
systemctl start rke2-server
```

## k3s Instructions

```bash
curl -sfL https://get.k3s.io | sh -
```
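A pre-flight check for the steps above, as an added example that is not part of the original guide or of the RKE2/k3s projects: the function name `check_external_cri`, its messages and the sample files are constructed here. It assumes GNU `stat` and the `/var/lib/rancher/<distro>/` layout used in this guide.

```bash
#!/usr/bin/env bash
# Added example (not from RKE2/k3s): lint the external-containerd setup above.
# check_external_cri DISTRO CONTAINERD_TOML DISTRO_YAML
# Prints one line per problem and returns the number of problems (0 = clean).
check_external_cri() {
  local distro=$1 toml=$2 yaml=$3 bad=0 key val endpoint sock=""

  # An active (uncommented) disabled_plugins line must not list "cri".
  if grep -Eq '^[[:space:]]*disabled_plugins[[:space:]]*=.*"cri"' "$toml"; then
    echo "FAIL: CRI plugin is still disabled in $toml"; bad=$((bad + 1))
  fi

  # Both CNI paths must point into this distro's tree (catches an rke2/k3s mix-up).
  for key in bin_dir conf_dir; do
    val=$(sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$toml" | tail -n 1)
    case $val in
      "/var/lib/rancher/$distro/"*) ;;
      *) echo "FAIL: $key='$val' is not under /var/lib/rancher/$distro/"; bad=$((bad + 1)) ;;
    esac
  done

  # The distro config must name a unix socket as the runtime endpoint.
  endpoint=$(sed -n 's/^container-runtime-endpoint:[[:space:]]*//p' "$yaml" | tr -d "\"'" | tail -n 1)
  case $endpoint in
    unix:///*) sock=${endpoint#unix://} ;;
    *) echo "FAIL: container-runtime-endpoint='$endpoint' is not unix:///..."; bad=$((bad + 1)) ;;
  esac

  # Socket access is root-equivalent, so it must not be writable by "other".
  if [ -n "$sock" ] && [ -S "$sock" ]; then
    case $(stat -c '%a' "$sock") in
      *[2367]) echo "FAIL: $sock is world-writable"; bad=$((bad + 1)) ;;
    esac
  fi
  return "$bad"
}

# Constructed sample files mirroring the values used in this guide.
demo=$(mktemp -d)
printf '%s\n' '#disabled_plugins = ["cri"]' '[plugins.cri.cni]' \
  'bin_dir = "/var/lib/rancher/rke2/data/current/bin"' \
  'conf_dir = "/var/lib/rancher/rke2/agent/etc/cni/net.d"' > "$demo/config.toml"
echo 'container-runtime-endpoint: unix:///run/containerd/containerd.sock' > "$demo/config.yaml"
if check_external_cri rke2 "$demo/config.toml" "$demo/config.yaml"; then
  echo "rke2 layout: clean"
fi
```

On a real node, call it with the live files, for example `check_external_cri rke2 /etc/containerd/config.toml /etc/rancher/rke2/config.yaml`, before starting the server.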
Commenting out disabled_plugins in /etc/containerd/containerd.toml did not work for me. I had to edit /etc/containerd/config.toml. Here's what worked for me: