Skip to content

Instantly share code, notes, and snippets.

Last active February 22, 2024 08:26
Show Gist options
  • Save bgulla/3b725f0eea54fdd49f4d7066e16b1d89 to your computer and use it in GitHub Desktop.
Save bgulla/3b725f0eea54fdd49f4d7066e16b1d89 to your computer and use it in GitHub Desktop.
Instructions for running RKE2/K3s with an external CRI/container-runtime

k3s/RKE2 with external CRI/containerd support

While k3s and RKE2 ship with their own statically-compiled containerd binary, sometimes you need to be able to utilize a more standard container socket. Especially if your container-scanner expects a more traditional installation path (i.e. Twistlock/PrismaCloud). This quick guide will show you how to get up and running with an external CRI.

Install containerd

There are better ways to do this, but the most common way of installing containerd is via the docker-ce yum repository.

sudo yum-config-manager \
    --add-repo \
sudo yum clean all
sudo yum install -y

Modify containerd to use external bindings

sed -i 's/disabled_plugins = ["cri"]//' /etc/containerd/containerd.toml # or comment this line out

cat <<EOT >> /etc/containerd/containerd.toml
  bin_dir = "/var/lib/rancher/rke2/data/current/bin"
  conf_dir = "/var/lib/rancher/rke2/agent/etc/cni/net.d"

NOTE: if you are using k3s, you need to swap rke2 with k3s in the above step.

restart containerd

systemctl restart containerd

Configure k3s/rke2 to use the external containerd

## RKE2 Instructions
mkdir -p /etc/rancher/rke2
echo "container-runtime-endpoint: unix:///run/containerd/containerd.sock" > /etc/rancher/rke2/config.yaml

## K3s Instructions
mkdir -p /etc/rancher/k3s
echo "container-runtime-endpoint: unix:///run/containerd/containerd.sock" > /etc/rancher/k3s/config.yaml

Install RKE2/k3s as normal

## RKE2 Instructions
curl -sfL | sh -
systemctl start rke2-server

## k3s Instructions
curl -sfL | sh -


Copy link

Commenting out disabled_plugins in /etc/containerd/containerd.toml did not work for me. I had to edit /etc/containerd/config.toml.

Here's what worked for me:

sed -i '/disabled_plugins = ["cri"]/d' /etc/containerd/config.toml # or comment this line out

Copy link

ziye-dm commented Jul 14, 2021

Not working for me but question that both following directories are not existing in RKE2 and why configure like that?

  bin_dir = "/var/lib/rancher/rke2/data/current/bin"
  conf_dir = "/var/lib/rancher/rke2/agent/etc/cni/net.d"

On my RKE2, they are "/var/lib/rancher/rke2/bin" and "/etc/cni/net.d".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment