vagrant: Deploy Kubernetes with containerd runtime

vadorovsky · vadorovsky · commit ad5d137bc74f · 2021-07-07T17:29:32.000+02:00
This commit brings the following changes to the Vagrant ecosystem:

- memory increased to 8GB
- no restart after provisioning the control plane components
- using upstream kubeadm and upstream containerd runtime
- adding several useful packages

Signed-off-by: Michal Rostecki &lt;mrostecki@opensuse.org&gt;
diff --git a/Vagrantfile b/Vagrantfile
@@ -10,12 +10,12 @@ Vagrant.configure("2") do |config|
     cp.vm.hostname = "control-plane.local"
     cp.vm.provider :libvirt do |libvirt|
       libvirt.cpus = 4
-      libvirt.memory = 4096
+      libvirt.memory = 8192
     end
     cp.vm.provision "shell", path: "contrib/vagrant/vagrant-fix.sh"
     cp.vm.provision "shell", path: "contrib/vagrant/base.sh", reboot: true
     cp.vm.provision "shell", path: "contrib/vagrant/build.sh", privileged: false
-    cp.vm.provision "shell", path: "contrib/vagrant/control-plane-base.sh", reboot: true
+    cp.vm.provision "shell", path: "contrib/vagrant/control-plane-base.sh"
     cp.vm.provision "shell", path: "contrib/vagrant/control-plane.sh"
     cp.vm.provision "shell", path: "contrib/vagrant/kubeconfig.sh", privileged: false
     cp.vm.provision "shell", path: "contrib/vagrant/addons.sh", privileged: false
diff --git a/contrib/vagrant/addons.sh b/contrib/vagrant/addons.sh
diff --git a/contrib/vagrant/base.sh b/contrib/vagrant/base.sh
@@ -7,11 +7,36 @@ zypper install -y \
        bpftool \
        cargo \
        clang \
+       conntrack-tools \
+       containerd \
+       docker \
+       ebtables \
+       ethtool \
        libbpf-devel \
        libopenssl-devel \
        llvm \
+       podman \
+       podman-cni-config \
        rust \
-       rustfmt
+       rustfmt \
+       socat \
+       tmux \
+       wget
+
+## wget -O /etc/systemd/system/containerd.service https://raw.githubusercontent.com/containerd/containerd/main/containerd.service
+## sed -i -e "s|/usr/local/bin/containerd|/sbin/containerd|g" \
+##     /etc/systemd/system/containerd.service
+
+cat <<EOF > /etc/modules-load.d/k8s.conf
+br_netfilter
+EOF
+
+cat <<EOF > /etc/sysctl.d/k8s.conf
+net.bridge.bridge-nf-call-ip6tables = 1
+net.bridge.bridge-nf-call-iptables = 1
+net.ipv4.ip_forward = 1
+net.ipv4.conf.all.forwarding = 1
+EOF
 
 sed -i -e "s/GRUB_CMDLINE_LINUX=.*/GRUB_CMDLINE_LINUX=\"lsm=bpf,integrity\"/" \
     /etc/default/grub
diff --git a/contrib/vagrant/build.sh b/contrib/vagrant/build.sh
@@ -2,6 +2,7 @@
 
 cd /home/vagrant/enclave
 
+export CLANG=/usr/bin/clang-12
 cargo install --path .
 # cargo install --path . --target-dir /usr/local/bin
 
diff --git a/contrib/vagrant/control-plane-base.sh b/contrib/vagrant/control-plane-base.sh
@@ -1,6 +1,161 @@
 #!/bin/bash
 
-zypper install -y -t pattern kubic_admin
-install -D -m 0644 /home/vagrant/enclave/contrib/crio/00-default.conf /etc/crio/crio.conf.d/00-default.conf
-systemctl restart crio
-systemctl enable kubelet.service
+# # zypper install -y -t pattern kubic_admin
+# zypper install -y cri-o
+# # # install -D -m 0644 /home/vagrant/enclave/contrib/crio/00-default.conf /etc/crio/crio.conf.d/00-default.conf
+# mv /etc/crio/crio.conf.d/00-default.conf /etc/crio/crio.conf
+# systemctl enable crio
+# systemctl start crio
+# # systemctl restart crio
+# # systemctl enable kubelet.service
+
+cat <<EOF > /etc/containerd/config.toml
+root = "/var/lib/containerd"
+state = "/run/containerd"
+oom_score = 0
+
+[grpc]
+  address = "/run/containerd/containerd.sock"
+  uid = 0
+  gid = 0
+  max_recv_message_size = 16777216
+  max_send_message_size = 16777216
+
+[debug]
+  address = ""
+  uid = 0
+  gid = 0
+  level = ""
+
+[metrics]
+  address = ""
+  grpc_histogram = false
+
+[cgroup]
+  path = ""
+
+[plugins]
+  [plugins.cgroups]
+    no_prometheus = false
+  [plugins.cri]
+    stream_server_address = ""
+    stream_server_port = "10010"
+    enable_selinux = false
+    sandbox_image = "k8s.gcr.io/pause:3.2"
+    stats_collect_period = 10
+    systemd_cgroup = true
+    enable_tls_streaming = false
+    max_container_log_line_size = 16384
+    [plugins.cri.containerd]
+      snapshotter = "overlayfs"
+      no_pivot = true
+      [plugins.cri.containerd.default_runtime]
+        runtime_type = "io.containerd.runtime.v1.linux"
+        runtime_engine = ""
+        runtime_root = ""
+      [plugins.cri.containerd.untrusted_workload_runtime]
+        runtime_type = ""
+        runtime_engine = ""
+        runtime_root = ""
+    [plugins.cri.cni]
+      bin_dir = "/opt/cni/bin"
+      conf_dir = "/etc/cni/net.d"
+      conf_template = ""
+    [plugins.cri.registry]
+      [plugins.cri.registry.mirrors]
+        [plugins.cri.registry.mirrors."docker.io"]
+          endpoint = ["https://registry-1.docker.io"]
+        [plugins.diff-service]
+    default = ["walking"]
+  [plugins.linux]
+    shim = "containerd-shim"
+    runtime = "/home/vagrant/.cargo/bin/enclave-runc-wrapper"
+    runtime_root = ""
+    no_shim = false
+    shim_debug = false
+  [plugins.scheduler]
+    pause_threshold = 0.02
+    deletion_threshold = 0
+    mutation_threshold = 100
+    schedule_delay = "0s"
+    startup_delay = "100ms"
+EOF
+
+cat <<EOF > /etc/docker/daemon.json
+{
+  "log-level": "warn",
+  "log-driver": "json-file",
+  "log-opts": {
+    "max-size": "10m",
+    "max-file": "5"
+  },
+  "default-runtime": "runc-enclave",
+  "runtimes": {
+    "runc-enclave": {
+      "path": "/home/vagrant/.cargo/bin/enclave-runc-wrapper"
+    }
+  }
+}
+EOF
+
+cat <<EOF > /etc/systemd/system/containerd.service
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target
+
+[Service]
+ExecStartPre=-/sbin/modprobe overlay
+ExecStartPre=/usr/bin/mkdir -p /sys/fs/cgroup/systemd
+ExecStartPre=/usr/bin/mount -t cgroup -o none,name=systemd cgroup /sys/fs/cgroup/systemd
+ExecStart=/sbin/containerd
+
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl enable containerd
+systemctl start containerd
+systemctl enable docker
+systemctl start docker
+
+# zypper install -y minikube
+
+CNI_VERSION="v0.9.1"
+sudo mkdir -p /opt/cni/bin
+curl -L "https://github.com/containernetworking/plugins/releases/download/${CNI_VERSION}/cni-plugins-linux-amd64-${CNI_VERSION}.tgz" | sudo tar -C /opt/cni/bin -xz
+
+DOWNLOAD_DIR=/usr/local/bin
+sudo mkdir -p $DOWNLOAD_DIR
+
+CRI_TOOLS_VERSION="v1.21.0"
+wget https://github.com/kubernetes-sigs/cri-tools/releases/download/$CRI_TOOLS_VERSION/crictl-$CRI_TOOLS_VERSION-linux-amd64.tar.gz
+sudo tar zxvf crictl-$CRI_TOOLS_VERSION-linux-amd64.tar.gz -C /usr/local/bin
+rm -f crictl-$CRI_TOOLS_VERSION-linux-amd64.tar.gz
+
+RELEASE="$(curl -sSL https://dl.k8s.io/release/stable.txt)"
+cd $DOWNLOAD_DIR
+sudo curl -L --remote-name-all https://storage.googleapis.com/kubernetes-release/release/${RELEASE}/bin/linux/amd64/{kubeadm,kubelet,kubectl}
+sudo chmod +x {kubeadm,kubelet,kubectl}
+
+RELEASE_VERSION="v0.9.0"
+curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | sudo tee /etc/systemd/system/kubelet.service
+sudo mkdir -p /etc/systemd/system/kubelet.service.d
+curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf" | sed "s:/usr/bin:${DOWNLOAD_DIR}:g" | sudo tee /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
+
+systemctl enable --now kubelet
diff --git a/contrib/vagrant/control-plane.sh b/contrib/vagrant/control-plane.sh
@@ -1,3 +1,3 @@
 #!/bin/bash
 
-kubeadm init --cri-socket /var/run/crio/crio.sock
+kubeadm init --cri-socket /run/containerd/containerd.sock
diff --git a/contrib/vagrant/kubeconfig.sh b/contrib/vagrant/kubeconfig.sh
diff --git a/contrib/vagrant/vagrant-fix.sh b/contrib/vagrant/vagrant-fix.sh
@@ -2,5 +2,8 @@
 
 # Workaround for https://github.com/hashicorp/vagrant/issues/1659
 
-echo "" >> /etc/sudoers
-echo "vagrant ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+cat <<EOF >> /etc/sudoers
+
+vagrant ALL=(ALL) NOPASSWD:ALL
+Defaults:vagrant !requiretty
+EOF

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`#!/bin/bash`
`2`	`2`
`3`		`-kubeadm init --cri-socket /var/run/crio/crio.sock`
	`3`	`+kubeadm init --cri-socket /run/containerd/containerd.sock`