CRI - Container Runtime Interface(容器运行时接口)

CRI中定义了容器镜像的服务的接口,因为容器运行时与镜像的生命周期是彼此隔离的,因此需要定义两个服务。该接口使用Protocol Buffer,基于gRPC,在kubernetes v1.7+版本中是在pkg/kubelet/apis/cri/v1alpha1/runtimeapi.proto中定义的。

CRI架构

Container Runtime实现了CRI gRPC Server,包括RuntimeServiceImageService。该gRPC Server需要监听本地的Unix socket,而kubelet则作为gRPC Client运行。

CRI架构-图片来自kubernetes blog

启用CRI

除非集成了rktnetes,否则CRI都是被默认启用了,kubernetes1.7版本开始旧的预集成的docker CRI已经被移除。

要想启用CRI只需要在kubelet的启动参数重传入此参数:--container-runtime-endpoint远程运行时服务的端点。当前Linux上支持unix socket,windows上支持tcp。例如:unix:///var/run/dockershim.socktcp://localhost:373,默认是unix:///var/run/dockershim.sock,即默认使用本地的docker作为容器运行时。

关于CRI的详细进展请参考CRI: the Container Runtime Interface

CRI接口

Kubernetes1.9中的CRI接口在api.proto中的定义如下:

  1. // Runtime service defines the public APIs for remote container runtimes
  2. service RuntimeService {
  3.     // Version returns the runtime name, runtime version, and runtime API version.
  4.     rpc Version(VersionRequest) returns (VersionResponse) {}
  6.     // RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure
  7.     // the sandbox is in the ready state on success.
  8.     rpc RunPodSandbox(RunPodSandboxRequest) returns (RunPodSandboxResponse) {}
  9.     // StopPodSandbox stops any running process that is part of the sandbox and
  10.     // reclaims network resources (e.g., IP addresses) allocated to the sandbox.
  11.     // If there are any running containers in the sandbox, they must be forcibly
  12.     // terminated.
  13.     // This call is idempotent, and must not return an error if all relevant
  14.     // resources have already been reclaimed. kubelet will call StopPodSandbox
  15.     // at least once before calling RemovePodSandbox. It will also attempt to
  16.     // reclaim resources eagerly, as soon as a sandbox is not needed. Hence,
  17.     // multiple StopPodSandbox calls are expected.
  18.     rpc StopPodSandbox(StopPodSandboxRequest) returns (StopPodSandboxResponse) {}
  19.     // RemovePodSandbox removes the sandbox. If there are any running containers
  20.     // in the sandbox, they must be forcibly terminated and removed.
  21.     // This call is idempotent, and must not return an error if the sandbox has
  22.     // already been removed.
  23.     rpc RemovePodSandbox(RemovePodSandboxRequest) returns (RemovePodSandboxResponse) {}
  24.     // PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not
  25.     // present, returns an error.
  26.     rpc PodSandboxStatus(PodSandboxStatusRequest) returns (PodSandboxStatusResponse) {}
  27.     // ListPodSandbox returns a list of PodSandboxes.
  28.     rpc ListPodSandbox(ListPodSandboxRequest) returns (ListPodSandboxResponse) {}
  30.     // CreateContainer creates a new container in specified PodSandbox
  31.     rpc CreateContainer(CreateContainerRequest) returns (CreateContainerResponse) {}
  32.     // StartContainer starts the container.
  33.     rpc StartContainer(StartContainerRequest) returns (StartContainerResponse) {}
  34.     // StopContainer stops a running container with a grace period (i.e., timeout).
  35.     // This call is idempotent, and must not return an error if the container has
  36.     // already been stopped.
  37.     // TODO: what must the runtime do after the grace period is reached?
  38.     rpc StopContainer(StopContainerRequest) returns (StopContainerResponse) {}
  39.     // RemoveContainer removes the container. If the container is running, the
  40.     // container must be forcibly removed.
  41.     // This call is idempotent, and must not return an error if the container has
  42.     // already been removed.
  43.     rpc RemoveContainer(RemoveContainerRequest) returns (RemoveContainerResponse) {}
  44.     // ListContainers lists all containers by filters.
  45.     rpc ListContainers(ListContainersRequest) returns (ListContainersResponse) {}
  46.     // ContainerStatus returns status of the container. If the container is not
  47.     // present, returns an error.
  48.     rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {}
  49.     // UpdateContainerResources updates ContainerConfig of the container.
  50.     rpc UpdateContainerResources(UpdateContainerResourcesRequest) returns (UpdateContainerResourcesResponse) {}
  52.     // ExecSync runs a command in a container synchronously.
  53.     rpc ExecSync(ExecSyncRequest) returns (ExecSyncResponse) {}
  54.     // Exec prepares a streaming endpoint to execute a command in the container.
  55.     rpc Exec(ExecRequest) returns (ExecResponse) {}
  56.     // Attach prepares a streaming endpoint to attach to a running container.
  57.     rpc Attach(AttachRequest) returns (AttachResponse) {}
  58.     // PortForward prepares a streaming endpoint to forward ports from a PodSandbox.
  59.     rpc PortForward(PortForwardRequest) returns (PortForwardResponse) {}
  61.     // ContainerStats returns stats of the container. If the container does not
  62.     // exist, the call returns an error.
  63.     rpc ContainerStats(ContainerStatsRequest) returns (ContainerStatsResponse) {}
  64.     // ListContainerStats returns stats of all running containers.
  65.     rpc ListContainerStats(ListContainerStatsRequest) returns (ListContainerStatsResponse) {}
  67.     // UpdateRuntimeConfig updates the runtime configuration based on the given request.
  68.     rpc UpdateRuntimeConfig(UpdateRuntimeConfigRequest) returns (UpdateRuntimeConfigResponse) {}
  70.     // Status returns the status of the runtime.
  71.     rpc Status(StatusRequest) returns (StatusResponse) {}
  72. }
  74. // ImageService defines the public APIs for managing images.
  75. service ImageService {
  76.     // ListImages lists existing images.
  77.     rpc ListImages(ListImagesRequest) returns (ListImagesResponse) {}
  78.     // ImageStatus returns the status of the image. If the image is not
  79.     // present, returns a response with ImageStatusResponse.Image set to
  80.     // nil.
  81.     rpc ImageStatus(ImageStatusRequest) returns (ImageStatusResponse) {}
  82.     // PullImage pulls an image with authentication config.
  83.     rpc PullImage(PullImageRequest) returns (PullImageResponse) {}
  84.     // RemoveImage removes the image.
  85.     // This call is idempotent, and must not return an error if the image has
  86.     // already been removed.
  87.     rpc RemoveImage(RemoveImageRequest) returns (RemoveImageResponse) {}
  88.     // ImageFSInfo returns information of the filesystem that is used to store images.
  89.     rpc ImageFsInfo(ImageFsInfoRequest) returns (ImageFsInfoResponse) {}
  90. }

这其中包含了两个gRPC服务:

  • RuntimeService:容器和Sandbox运行时管理
  • ImageService:提供了从镜像仓库拉取、查看、和移除镜像的RPC。

当前支持的CRI后端

我们最初在使用Kubernetes时通常会默认使用Docker作为容器运行时,其实从Kubernetes1.5开始已经开始支持CRI,目前是处于Alpha版本,通过CRI接口可以指定使用其它容器运行时作为Pod的后端,目前支持CNI的后端有:

  • cri-o:同时兼容OCI和CRI的容器运行时
  • cri-containerd:基于Containerd的Kubernetes CNI实现
  • rkt:由于CoreOS主推的用来跟docker抗衡的容器运行时
  • frakti:基于hypervisor的CRI
  • docker:kuberentes最初就开始支持的容器运行时,目前还没完全从kubelet中解耦,docker公司同时推广了OCI标准
  • clear-containers:由Intel推出的同时兼容OCI和CRI的容器运行时
  • kata-containers:符合OCI规范同时兼容CRI

CRI是由SIG-Node来维护的。

参考