Add support for CRI-O user namespaces #8268

Merged (2 commits, Dec 20, 2021)
21 changes: 21 additions & 0 deletions docs/cri-o.md
Expand Up @@ -60,3 +60,24 @@ crio_pids_limit: 4096

[CRI-O]: https://cri-o.io/
[cri-o#1921]: https://github.com/cri-o/cri-o/issues/1921

## Note about user namespaces

CRI-O has support for user namespaces. This feature is optional and can be enabled by setting the following two variables.

```yaml
crio_runtimes:
- name: runc
path: /usr/bin/runc
type: oci
root: /run/runc
allowed_annotations:
- "io.kubernetes.cri-o.userns-mode"

crio_remap_enable: true
```

The `allowed_annotations` configures `crio.conf` accordingly.

The `crio_remap_enable` configures the `/etc/subuid` and `/etc/subgid` files to add an entry for the **containers** user.
By default, 16M uids and gids are reserved for user namespaces (256 pods * 65536 uids/gids) at the end of the uid/gid space.
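Review bot: the doc stops at the two switches, but the defaults in this PR also expose `crio_remap_user`, `crio_subuid_start`, `crio_subuid_length`, `crio_subgid_start` and `crio_subgid_length`; listing them here would let an operator move or shrink the range when it collides with an entry already present in `/etc/subuid` or `/etc/subgid` (for example one added by `useradd` for another rootless-container user). The sentence "The `allowed_annotations` configures `crio.conf` accordingly" should also say what that means for a workload: the entry only puts `io.kubernetes.cri-o.userns-mode` on the runtime's allowlist, so a pod must still carry that annotation itself before CRI-O places it in a user namespace, and pods without it keep running in the host's user namespace exactly as before.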
9 changes: 9 additions & 0 deletions roles/container-engine/cri-o/defaults/main.yml
Expand Up @@ -97,3 +97,12 @@ skopeo_packages:
# Configure the cri-o pids limit, increase this for heavily multi-threaded workloads
# see https://github.com/cri-o/cri-o/issues/1921
crio_pids_limit: 1024

# Reserve 16M uids and gids for user namespaces (256 pods * 65536 uids/gids)
# at the end of the uid/gid space
crio_remap_enable: false
crio_remap_user: containers
crio_subuid_start: 2130706432
crio_subuid_length: 16777216
crio_subgid_start: 2130706432
crio_subgid_length: 16777216
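Review bot: the comment "at the end of the uid/gid space" does not match the numbers: 2130706432 + 16777216 = 2147483648, so the range ends exactly at 2^31, the top of the signed 32-bit range, while the kernel's uid/gid space continues up to 2^32. If the intent is to stay below 2^31 because some tools and filesystems still treat ids as signed 32-bit integers, say so in the comment (e.g. "the top 16M ids below 2^31"); otherwise "end of the uid/gid space" will mislead anyone who needs to place a second range.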
14 changes: 14 additions & 0 deletions roles/container-engine/cri-o/tasks/main.yaml
Expand Up @@ -182,6 +182,20 @@
notify: restart crio
when: http_proxy is defined or https_proxy is defined

- name: Configure the uid/gid space for user namespaces
lineinfile:
path: '{{ item.path }}'
line: '{{ item.entry }}'
regex: '^\s*{{ crio_remap_user }}:'
state: '{{ "present" if crio_remap_enable | bool else "absent" }}'
loop:
- path: /etc/subuid
entry: '{{ crio_remap_user }}:{{ crio_subuid_start }}:{{ crio_subuid_length }}'
- path: /etc/subgid
entry: '{{ crio_remap_user }}:{{ crio_subgid_start }}:{{ crio_subgid_length }}'
loop_control:
label: '{{ item.path }}'

- name: Ensure crio service is started and enabled
service:
name: crio
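Review bot: `lineinfile` fails when `path` does not exist unless `create: true` is set, and a minimal host on which no user has ever been created with subordinate ids may not have `/etc/subuid` and `/etc/subgid` at all; add `create: true` to the task (it is only used with `state: present`, so the absent branch is unaffected). Worth a comment in the defaults as well: because the regex `^\s*{{ crio_remap_user }}:` matches any existing entry for that user, flipping `crio_remap_enable` back to `false` actively deletes a `containers:` line an operator may have placed there by hand, so turning the flag off is not a no-op.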
1 change: 1 addition & 0 deletions roles/container-engine/cri-o/templates/crio.conf.j2
Expand Up @@ -294,6 +294,7 @@ runtime_path = "{{ runtime.path }}"
runtime_type = "{{ runtime.type }}"
runtime_root = "{{ runtime.root }}"
privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
allowed_annotations = {{ runtime.allowed_annotations|default([])|to_json }}
{% endfor %}

# Kata Containers with the Firecracker VMM
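Review bot: `allowed_annotations = ...` is now emitted for every runtime in the loop, rendering `allowed_annotations = []` where the variable is unset; if the role still supports CRI-O releases that predate this key, confirm their config loader tolerates it, or wrap the line in `{% if runtime.allowed_annotations is defined %}` so the generated `crio.conf` is unchanged for runtimes that do not opt in. Rendering the list with `to_json` is fine, since a JSON array of strings is also a valid TOML array of strings.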