Kubernetes CRI

CRI - Container Runtime Interface

CRI defines the service interfaces for containers and images. Because the container runtime and the image lifecycle are isolated from each other, two services need to be defined. The interface uses Protocol Buffers and is based on gRPC; in Kubernetes v1.10+ it is defined in api.proto under pkg/kubelet/apis/cri/runtime/v1alpha2.

CRI architecture

A container runtime implements a CRI gRPC server that includes RuntimeService and ImageService. The gRPC server listens on a local Unix socket, and kubelet runs as the gRPC client.

Enable CRI

Unless rktnetes is integrated, CRI is enabled by default. Starting with Kubernetes 1.7, the old pre-integrated docker CRI has been removed.

To enable CRI, you only need to pass one parameter in the kubelet startup parameters: --container-runtime-endpoint, the endpoint of the remote runtime service. Currently Unix sockets are supported on Linux and tcp is supported on Windows. For example: unix:///var/run/dockershim.sock, tcp://localhost:373. The default is unix:///var/run/dockershim.sock, which means the local docker is used as the default container runtime.
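A check for the endpoint rule above, as an added example that is not kubelet's own code: it validates a --container-runtime-endpoint value against the platform rule (unix on Linux, tcp on Windows) and inspects the mode of the socket file. The function names, the loopback-only policy for tcp and the "no world-writable socket" policy are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"os"
)

// CheckEndpoint audits a --container-runtime-endpoint value for goos
// ("linux" or "windows") and returns the problems found (empty means none).
func CheckEndpoint(endpoint, goos string) []string {
	u, err := url.Parse(endpoint)
	if err != nil || u.Scheme == "" {
		return []string{"not in scheme://address form"}
	}
	var issues []string
	// Platform rule from the text: unix sockets on Linux, tcp on Windows.
	if want := map[string]string{"linux": "unix", "windows": "tcp"}[goos]; u.Scheme != want {
		issues = append(issues, "scheme "+u.Scheme+" is not the one supported on "+goos)
	}
	switch u.Scheme {
	case "unix":
		// "unix://var/run/x.sock" parses with Host "var": the path was not absolute.
		if u.Host != "" || u.Path == "" {
			issues = append(issues, "socket path is not an absolute path")
		}
	case "tcp":
		// Example policy (assumption): the runtime API should stay on loopback.
		ip := net.ParseIP(u.Hostname())
		if u.Hostname() != "localhost" && (ip == nil || !ip.IsLoopback()) {
			issues = append(issues, "tcp endpoint is reachable beyond loopback")
		}
	}
	return issues
}

// SocketModeOK reports whether mode is a unix socket that "other" users cannot
// write to. On Linux, connecting needs write permission on the socket file, and
// a connected client can call RuntimeService RPCs such as ExecSync.
func SocketModeOK(mode os.FileMode) bool {
	return mode&os.ModeSocket != 0 && mode.Perm()&0o002 == 0
}

func main() {
	fmt.Println(CheckEndpoint("unix:///var/run/dockershim.sock", "linux"))
	if fi, err := os.Stat("/var/run/dockershim.sock"); err == nil {
		fmt.Println(fi.Mode(), SocketModeOK(fi.Mode()))
	}
}
```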

CRI Interface

In Kubernetes 1.9, the CRI interface is defined in api.proto as follows:

// Runtime service defines the public APIs for remote container runtimes
service RuntimeService {
    // Version returns the runtime name, runtime version, and runtime API version.
    rpc Version(VersionRequest) returns (VersionResponse) {}

    // RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure
    // the sandbox is in the ready state on success.
    rpc RunPodSandbox(RunPodSandboxRequest) returns (RunPodSandboxResponse) {}
    // StopPodSandbox stops any running process that is part of the sandbox and
    // reclaims network resources (e.g., IP addresses) allocated to the sandbox.
    // If there are any running containers in the sandbox, they must be forcibly
    // terminated.
    // This call is idempotent, and must not return an error if all relevant
    // resources have already been reclaimed. kubelet will call StopPodSandbox
    // at least once before calling RemovePodSandbox. It will also attempt to
    // reclaim resources eagerly, as soon as a sandbox is not needed. Hence,
    // multiple StopPodSandbox calls are expected.
    rpc StopPodSandbox(StopPodSandboxRequest) returns (StopPodSandboxResponse) {}
    // RemovePodSandbox removes the sandbox. If there are any running containers
    // in the sandbox, they must be forcibly terminated and removed.
    // This call is idempotent, and must not return an error if the sandbox has
    // already been removed.
    rpc RemovePodSandbox(RemovePodSandboxRequest) returns (RemovePodSandboxResponse) {}
    // PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not
    // present, returns an error.
    rpc PodSandboxStatus(PodSandboxStatusRequest) returns (PodSandboxStatusResponse) {}
    // ListPodSandbox returns a list of PodSandboxes.
    rpc ListPodSandbox(ListPodSandboxRequest) returns (ListPodSandboxResponse) {}

    // CreateContainer creates a new container in specified PodSandbox
    rpc CreateContainer(CreateContainerRequest) returns (CreateContainerResponse) {}
    // StartContainer starts the container.
    rpc StartContainer(StartContainerRequest) returns (StartContainerResponse) {}
    // StopContainer stops a running container with a grace period (i.e., timeout).
    // This call is idempotent, and must not return an error if the container has
    // already been stopped.
    // TODO: what must the runtime do after the grace period is reached?
    rpc StopContainer(StopContainerRequest) returns (StopContainerResponse) {}
    // RemoveContainer removes the container. If the container is running, the
    // container must be forcibly removed.
    // This call is idempotent, and must not return an error if the container has
    // already been removed.
    rpc RemoveContainer(RemoveContainerRequest) returns (RemoveContainerResponse) {}
    // ListContainers lists all containers by filters.
    rpc ListContainers(ListContainersRequest) returns (ListContainersResponse) {}
    // ContainerStatus returns status of the container. If the container is not
    // present, returns an error.
    rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {}
    // UpdateContainerResources updates ContainerConfig of the container.
    rpc UpdateContainerResources(UpdateContainerResourcesRequest) returns (UpdateContainerResourcesResponse) {}

    // ExecSync runs a command in a container synchronously.
    rpc ExecSync(ExecSyncRequest) returns (ExecSyncResponse) {}
    // Exec prepares a streaming endpoint to execute a command in the container.
    rpc Exec(ExecRequest) returns (ExecResponse) {}
    // Attach prepares a streaming endpoint to attach to a running container.
    rpc Attach(AttachRequest) returns (AttachResponse) {}
    // PortForward prepares a streaming endpoint to forward ports from a PodSandbox.
    rpc PortForward(PortForwardRequest) returns (PortForwardResponse) {}

    // ContainerStats returns stats of the container. If the container does not
    // exist, the call returns an error.
    rpc ContainerStats(ContainerStatsRequest) returns (ContainerStatsResponse) {}
    // ListContainerStats returns stats of all running containers.
    rpc ListContainerStats(ListContainerStatsRequest) returns (ListContainerStatsResponse) {}

    // UpdateRuntimeConfig updates the runtime configuration based on the given request.
    rpc UpdateRuntimeConfig(UpdateRuntimeConfigRequest) returns (UpdateRuntimeConfigResponse) {}

    // Status returns the status of the runtime.
    rpc Status(StatusRequest) returns (StatusResponse) {}
}

// ImageService defines the public APIs for managing images.
service ImageService {
    // ListImages lists existing images.
    rpc ListImages(ListImagesRequest) returns (ListImagesResponse) {}
    // ImageStatus returns the status of the image. If the image is not
    // present, returns a response with ImageStatusResponse.Image set to
    // nil.
    rpc ImageStatus(ImageStatusRequest) returns (ImageStatusResponse) {}
    // PullImage pulls an image with authentication config.
    rpc PullImage(PullImageRequest) returns (PullImageResponse) {}
    // RemoveImage removes the image.
    // This call is idempotent, and must not return an error if the image has
    // already been removed.
    rpc RemoveImage(RemoveImageRequest) returns (RemoveImageResponse) {}
    // ImageFSInfo returns information of the filesystem that is used to store images.
    rpc ImageFsInfo(ImageFsInfoRequest) returns (ImageFsInfoResponse) {}
}

It contains two gRPC services:
  • RuntimeService: manages the container and sandbox runtime.
  • ImageService: provides the RPCs for pulling an image from a registry, inspecting it, and removing it.

Backends that currently support CRI

When we first start using Kubernetes, containers usually run on Docker by default. In fact, Kubernetes has supported CRI since Kubernetes 1.5; CRI is currently in Alpha, and through the CRI interface you can specify another container runtime as the backend for Pods. The backends that currently support CRI are:

  • cri-o: an implementation of the Kubernetes CRI standard that lets Kubernetes indirectly use OCI-compliant container runtimes; cri-o can be regarded as the intermediate layer between Kubernetes and an OCI-compliant container runtime.
  • containerd-CRI: an implementation of the Kubernetes CRI based on Containerd
  • rkt: the container runtime that CoreOS mainly promotes to compete with docker
  • frakti: hypervisor-based CRI
  • Docker: the first container runtime that Kubernetes supported, not yet completely decoupled from kubelet; the Docker company also promotes the OCI standard

CRI is maintained by SIG-Node.

Backends currently supported indirectly through CRI-O

There are also container runtimes that currently implement only the OCI standard, but they can serve as Kubernetes container runtimes through CRI-O. CRI-O is an implementation of the Kubernetes CRI standard, and it lets Kubernetes indirectly use OCI-compatible container runtimes.

  • Clear Containers: an OCI-compatible container runtime launched by Intel; it can be made compatible with CRI through CRI-O.
  • Kata Containers: conforms to the OCI specification; it can be made compatible with CRI through CRI-O or the Containerd CRI Plugin.
  • gVisor: a container runtime sandbox launched by Google (experimental); it can be made compatible with CRI through CRI-O.

Origin www.cnblogs.com/peteremperor/p/12177400.html