cri-o · haircommander · Aug 19, 2024 · Aug 19, 2024 · Aug 21, 2024 · Aug 19, 2024
@@ -258,15 +258,11 @@ jobs:
             test/nri/nri.test
       - run: scripts/github-actions-packages
       - run: scripts/github-actions-setup
-      - name: Switch to crun instead of runc
-        if: ${{ matrix.run.defaultRuntime == 'crun' }}
-        run: |
-          sudo ln -sf $(command -v crun) $(command -v runc)
-          runc --version
       - name: Run the test suite
         run: sudo -E test/test_runner.sh
         env:
           JOBS: ${{ matrix.run.jobs }}
           RUN_CRITEST: ${{ matrix.run.critest }}
           RUNTIME_TYPE: ${{ matrix.run.runtimeType }}
           TEST_USERNS: ${{ matrix.run.userns }}
+          CONTAINER_DEFAULT_RUNTIME: ${{ matrix.run.defaultRuntime }}
@@ -231,6 +231,9 @@ jobs:
         run: |
           make mockgen -j $(nproc)
           hack/tree_status.sh
+      - name: spoof crun on arm64
+        if: ${{ matrix.run.arch == "arm64" }}
+        run: cp $(which runc) /usr/bin/crun
       - name: Run unit tests as root
         if: ${{ matrix.run.type == 'root' }}
         run: |

@@ -65,15 +65,15 @@
     target: install
     chdir: "{{ ansible_env.GOPATH }}/src/github.com/cri-o/cri-o"
 
-- name: use crun
+- name: use runc
   copy:
-    dest: /etc/crio/crio.conf.d/01-crun.conf
+    dest: /etc/crio/crio.conf.d/01-runc.conf
     content: |
       [crio.runtime]
-      default_runtime = "crun"
-      [crio.runtime.runtimes.crun]
-      runtime_root = "/run/crun"
-  when: "build_crun | default(False) | bool"
+      default_runtime = "runc"
+      [crio.runtime.runtimes.runc]
+      runtime_root = "/run/runc"
+  when: "build_runc | default(False) | bool"
 
 - name: use conmon-rs
   copy:

@@ -7,13 +7,13 @@
   become: yes
   blockinfile:
     path: /etc/crio/crio.conf
-    insertbefore: .*crio.runtime.runtimes.runc.*
+    insertbefore: .*crio.runtime.runtimes.crun.*
     backup: yes
     block: |
       [crio.runtime.runtimes.test-handler]
-      runtime_path = "/usr/bin/runc"
+      runtime_path = "/usr/bin/crun"
       runtime_type = "oci"
-      runtime_root = "/run/runc"
+      runtime_root = "/run/crun"
 
 - name: create ssh keys
   shell: ssh-keygen -b 2048 -t rsa -f "{{ ssh_location }}" -q -N ""

@@ -5,8 +5,8 @@ e2e_selinux_enabled: False
 node_e2e_selinux_enabled: False
 manage_ns_lifecycle: True
 
-build_runc: True
-build_crun: False
+build_runc: False
+build_crun: True
 build_kata: False
 cgroupv2: False
 use_conmonrs: "{{ USE_CONMONRS | default(False) | bool }}"
@@ -149,11 +149,6 @@ kata_skip_image_tests:
   - 'test "image pull and list by manifest list tag"'
   - 'test "image pull and list by manifest list and individual digest"'
   - 'test "image pull and list by individual and manifest list digest"'
-  - 'test "run container with memory_limit_in_bytes -1"'
-  - 'test "run container with memory_limit_in_bytes 12.5MiB"'
-  - 'test "run container with container_min_memory 17.5MiB"'
-  - 'test "run container with container_min_memory 5.5MiB"'
-  - 'test "run container with empty container_min_memory"'
 kata_skip_namespaces_tests:
   - 'test "pid namespace mode target test"'
 kata_skip_network_tests:
@@ -169,6 +164,11 @@ kata_skip_pod_tests:
   - 'test "systemd cgroup_parent correctly set"'
   - 'test "kubernetes pod terminationGracePeriod passthru"'
   - 'test "disable crypto.fips_enabled when FIPS_DISABLE is set"'
+  - 'test "run container with memory_limit_in_bytes -1"'
+  - 'test "run container with memory_limit_in_bytes 12.5MiB"'
+  - 'test "run container with container_min_memory 17.5MiB"'
+  - 'test "run container with container_min_memory 5.5MiB"'
+  - 'test "run container with empty container_min_memory"'
 kata_skip_seccomp_oci_artifacts_tests:
   - 'test "seccomp OCI artifact with pod annotation"'
   - 'test "seccomp OCI artifact with container annotation"'

@@ -224,7 +224,7 @@ crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
 
 **--default-mounts-file**="": Path to default mounts file.
 
-**--default-runtime**="": Default OCI runtime from the runtimes config. (default: "runc")
+**--default-runtime**="": Default OCI runtime from the runtimes config. (default: "crun")
 
 **--default-sysctls**="": Sysctls to add to the containers.
 

@@ -113,7 +113,7 @@ Maximum grpc receive message size. If not set or <= 0, then CRI-O will default t
 
 The `crio.runtime` table contains settings pertaining to the OCI runtime used and options for how to set up and manage the OCI runtime.
 
-**default_runtime**="runc"
+**default_runtime**="crun"
 The _name_ of the OCI runtime to be used as the default. This option supports live configuration reload.
 
 **default_ulimits**=[]

@@ -22,9 +22,11 @@ import (
 var _ = t.Describe("ContainerCheckpoint", func() {
 	// Prepare the sut
 	BeforeEach(func() {
+		// setup a config with runc, used for checkpoint/restore tests
+		// as crun doesn't yet support restore.
 		beforeEach()
 		createDummyConfig()
-		mockRuncInLibConfig()
+		mockCrunInLibConfig()
 		if err := criu.CheckForCriu(criu.PodCriuVersion); err != nil {
 			Skip("Check CRIU: " + err.Error())
 		}
@@ -90,7 +92,7 @@ var _ = t.Describe("ContainerCheckpoint", func() {
 	t.Describe("ContainerCheckpoint", func() {
 		It("should fail because runtime failure (/bin/false)", func() {
 			// Given
-			mockRuncToFalseInLibConfig()
+			mockCrunToFalseInLibConfig()
 
 			addContainerAndSandbox()
 			config := &metadata.ContainerConfig{

@@ -27,9 +27,11 @@ import (
 var _ = t.Describe("ContainerRestore", func() {
 	// Prepare the sut
 	BeforeEach(func() {
+		// setup a config with runc, used for checkpoint/restore tests
+		// as crun doesn't yet support restore.
 		beforeEach()
 		createDummyConfig()
-		mockRuncInLibConfigCheckpoint()
+		mockCrunInLibConfigCheckpoint()
 		if err := criu.CheckForCriu(criu.PodCriuVersion); err != nil {
 			Skip("Check CRIU: " + err.Error())
 		}

@@ -196,22 +196,22 @@ func createDummyConfig() {
 	Expect(os.WriteFile("config.json", []byte(`{"linux":{},"process":{}}`), 0o644)).To(Succeed())
 }
 
-func mockRuncInLibConfig() {
-	config.Runtimes["runc"] = &libconfig.RuntimeHandler{
+func mockCrunInLibConfig() {
+	config.Runtimes["crun"] = &libconfig.RuntimeHandler{
 		RuntimePath: "/bin/echo",
 	}
 }
 
-func mockRuncInLibConfigCheckpoint() {
+func mockCrunInLibConfigCheckpoint() {
 	Expect(os.WriteFile("/tmp/fake-runtime", []byte("#!/bin/bash\n\necho flag needs an argument\nexit 0\n"), 0o755)).To(Succeed())
-	config.Runtimes["runc"] = &libconfig.RuntimeHandler{
+	config.Runtimes["crun"] = &libconfig.RuntimeHandler{
 		RuntimePath: "/tmp/fake-runtime",
 		MonitorPath: "/bin/true",
 	}
 }
 
-func mockRuncToFalseInLibConfig() {
-	config.Runtimes["runc"] = &libconfig.RuntimeHandler{
+func mockCrunToFalseInLibConfig() {
+	config.Runtimes["crun"] = &libconfig.RuntimeHandler{
 		RuntimePath: "/bin/false",
 	}
 }
@@ -965,8 +965,9 @@ killContainer:
 		if _, err := r.runtimeCmd("kill", c.ID(), "KILL"); err != nil {
 			if !errors.Is(err, ErrNotFound) {
 				log.Errorf(ctx, "Killing container %v failed: %v", c.ID(), err)
+			} else {
+				log.Debugf(ctx, "Error while killing container %s: %v", c.ID(), err)
 			}
-			log.Debugf(ctx, "Error while killing container %s: %v", c.ID(), err)
 		}
 
 		if err := c.Living(); err != nil {
@@ -995,6 +996,9 @@ func (r *runtimeOCI) DeleteContainer(ctx context.Context, c *Container) error {
 	}
 
 	_, err := r.runtimeCmd("delete", "--force", c.ID())
+	if errors.Is(err, ErrNotFound) {
+		return nil
+	}
 	return err
 }
 

@@ -53,17 +53,20 @@ import (
 
 // Defaults if none are specified.
 const (
-	defaultGRPCMaxMsgSize      = 80 * 1024 * 1024
-	defaultContainerMinMemory  = 12 * 1024 * 1024 // 12 MiB
-	OCIBufSize                 = 8192
-	RuntimeTypeVM              = "vm"
-	RuntimeTypePod             = "pod"
-	defaultCtrStopTimeout      = 30 // seconds
-	defaultNamespacesDir       = "/var/run"
-	RuntimeTypeVMBinaryPattern = "containerd-shim-([a-zA-Z0-9\\-\\+])+-v2"
-	tasksetBinary              = "taskset"
-	MonitorExecCgroupDefault   = ""
-	MonitorExecCgroupContainer = "container"
+	defaultGRPCMaxMsgSize = 80 * 1024 * 1024
+	// default minimum memory for all other runtimes.
+	defaultContainerMinMemory = 12 * 1024 * 1024 // 12 MiB
+	// minimum memory for crun, the default runtime.
+	defaultContainerMinMemoryCrun = 500 * 1024 // 500 KiB
+	OCIBufSize                    = 8192
+	RuntimeTypeVM                 = "vm"
+	RuntimeTypePod                = "pod"
+	defaultCtrStopTimeout         = 30 // seconds
+	defaultNamespacesDir          = "/var/run"
+	RuntimeTypeVMBinaryPattern    = "containerd-shim-([a-zA-Z0-9\\-\\+])+-v2"
+	tasksetBinary                 = "taskset"
+	MonitorExecCgroupDefault      = ""
+	MonitorExecCgroupContainer    = "container"
 )
 
 // Config represents the entire set of configuration values that can be set for
@@ -1252,9 +1255,9 @@ func (c *RuntimeConfig) ValidateDefaultRuntime() error {
 		return fmt.Errorf("default_runtime set to %q, but no runtime entry table [crio.runtime.runtimes.%s] was found", c.DefaultRuntime, c.DefaultRuntime)
 	}
 
-	// Set the default runtime to "runc" if default_runtime is not set
+	// Set the default runtime to "crun" if default_runtime is not set
 	logrus.Debugf("Defaulting to %q as the runtime since default_runtime is not set", defaultRuntime)
-	// The default config sets runc and its path in the runtimes map, so check for that
+	// The default config sets crun and its path in the runtimes map, so check for that
 	// first. If it does not exist then we add runc + its path to the runtimes map.
 	if _, ok := c.Runtimes[defaultRuntime]; !ok {
 		c.Runtimes[defaultRuntime] = defaultRuntimeHandler()
@@ -1276,7 +1279,7 @@ func defaultRuntimeHandler() *RuntimeHandler {
 		MonitorEnv: []string{
 			"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
 		},
-		ContainerMinMemory: units.BytesSize(defaultContainerMinMemory),
+		ContainerMinMemory: units.BytesSize(defaultContainerMinMemoryCrun),
 		MonitorCgroup:      defaultMonitorCgroup,
 	}
 }
@@ -1316,15 +1319,6 @@ func (c *RuntimeConfig) initializeRuntimeFeatures() {
 		versionString := strings.ReplaceAll(strings.TrimSpace(string(versionOutput)), "\n", ", ")
 		logrus.Infof("Using runtime handler %s", versionString)
 
-		memoryBytes, err := handler.SetContainerMinMemory()
-		if err != nil {
-			logrus.Errorf(
-				"Unable to set minimum container memory for runtime handler %q: %v; default value of %q will be used",
-				name, err, units.BytesSize(float64(memoryBytes)),
-			)
-		}
-		logrus.Debugf("Runtime handler %q container minimum memory set to %d bytes", name, memoryBytes)
-
 		// If this returns an error, we just ignore it and assume the features sub-command is
 		// not supported by the runtime.
 		output, err := cmdrunner.CombinedOutput(handler.RuntimePath, "features")
@@ -1581,6 +1575,10 @@ func (r *RuntimeHandler) Validate(name string) error {
 	if err := r.ValidateRuntimeAllowedAnnotations(); err != nil {
 		return err
 	}
+	if err := r.ValidateContainerMinMemory(name); err != nil {
+		logrus.Errorf("Unable to set minimum container memory for runtime handler %q: %v", name, err)
+	}
+
 	return r.ValidateNoSyncLog()
 }
 
@@ -1675,22 +1673,22 @@ func (r *RuntimeHandler) ValidateNoSyncLog() error {
 	return fmt.Errorf("no_sync_log is only allowed with runtime type 'oci', runtime type is '%s'", r.RuntimeType)
 }
 
-// SetContainerMinMemory sets the minimum container memory for a given runtime.
+// ValidateContainerMinMemory sets the minimum container memory for a given runtime.
 // assigns defaultContainerMinMemory if no container_min_memory provided.
-func (r *RuntimeHandler) SetContainerMinMemory() (int64, error) {
+func (r *RuntimeHandler) ValidateContainerMinMemory(name string) error {
 	if r.ContainerMinMemory == "" {
 		r.ContainerMinMemory = units.BytesSize(defaultContainerMinMemory)
 	}
 
-	memoryBytes, err := units.RAMInBytes(r.ContainerMinMemory)
+	memorySize, err := units.RAMInBytes(r.ContainerMinMemory)
 	if err != nil {
-		err = fmt.Errorf("unable to set runtime memory to %q: %w", r.ContainerMinMemory, err)
+		err = fmt.Errorf("unable to set runtime memory to %q: %w. Setting to %q instead", r.ContainerMinMemory, err, defaultContainerMinMemory)
 		// Fallback to default value if something is wrong with the configured value.
 		r.ContainerMinMemory = units.BytesSize(defaultContainerMinMemory)
-		return int64(defaultContainerMinMemory), err
+		return err
 	}
-
-	return memoryBytes, nil
+	logrus.Debugf("Runtime handler %q container minimum memory set to %d bytes", name, memorySize)
+	return nil
 }
 
 // LoadRuntimeFeatures loads features for a given runtime handler using the "features"

@@ -14,9 +14,9 @@ import (
 
 // Defaults if none are specified.
 const (
-	defaultRuntime       = "runc"
+	defaultRuntime       = "crun"
 	DefaultRuntimeType   = "oci"
-	DefaultRuntimeRoot   = "/run/runc"
+	DefaultRuntimeRoot   = "/run/crun"
 	defaultMonitorCgroup = "system.slice"
 	// ImageVolumesBind option is for using bind mounted volumes.
 	ImageVolumesBind ImageVolumesType = "bind"