
CRI Tools

Pengfei Ni, HyperHQ


Overview

  • CRI tools is a set of tools for the Kubelet Container Runtime Interface (CRI)
    • designed for all CRI-compatible container runtimes
    • helps runtime maintainers with validation and debugging
    • portable and easy to use
  • Components
    • critest
      • validation test suites
      • benchmark test suites
    • crictl
      • CLI for Kubelet CRI
      • Basic sandbox/image/container lifecycle operations
      • Handle streaming APIs (exec/attach/port-forward/logs)


Status

  • Kubernetes Incubator
    • Sponsor: Dawn Chen
    • Champion: Yu-Ju Hong
  • First release expected together with Kubernetes v1.7
  • Contributors (sorted by name):
    • Harry Zhang (@resouer)
    • Lantao Liu (@Random-Liu)
    • Luke Chen (@heartlock)
    • Mrunal Patel (@mrunalp)
    • Pengfei Ni (@feiskyer)
    • Xianglin Gao (@xlgao-zju)
    • Yu-ju Hong (@yujuhong)
    • Yulin Xie (@Helen-Xie)


critest

  • Basic sandbox/container operations
  • Basic image operations
  • networking
    • DNS config, port mapping
  • streaming
    • exec, attach, portforward
  • security context
    • hostPID, hostIPC, hostNetwork
    • runAsUser, readOnlyRootfs, privileged
  • execSync/version/status


crictl

  • info
  • status
  • sandbox
    • run/stop/status/ls/rm
  • container
    • create/start/stop/status/ls/rm
  • image
    • pull/ls/status/rm
  • attach/exec/portforward

service RuntimeService {
    Version(VersionRequest)
    Status(StatusRequest)

    RunPodSandbox(RunPodSandboxRequest)
    StopPodSandbox(StopPodSandboxRequest)
    RemovePodSandbox(RemovePodSandboxRequest)
    PodSandboxStatus(PodSandboxStatusRequest)
    ListPodSandbox(ListPodSandboxRequest)

    CreateContainer(CreateContainerRequ
    StartContainer(StartContainerRequest)
    StopContainer(StopContainerRequest)
    RemoveContainer(RemoveContainerRequest)
    ListContainers(ListContainersRequest)
    ContainerStatus(ContainerStatusRequest)

    Exec(ExecRequest)
    ExecSync(ExecSyncRequest)
    Attach(AttachRequest)
    PortForward(PortForwardRequest)
}

service ImageService {
    ListImages(ListImagesRequest)
    ImageStatus(ImageStatusRequest)
    PullImage(PullImageRequest)
    RemoveImage(RemoveImageRequest)
}


sandbox config

# cat sandbox-config.json

{
    "metadata": {
        "name": "busybox-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "busybox-uid"
    },
    "linux": {}
}

# crictl sandbox run sandbox-config.json

type PodSandboxMetadata struct {
    Name string `json:"name,omitempty"`
    Uid string `json:"uid,omitempty"`
    Namespace string `json:"namespace,omitempty"`
    Attempt uint32 `json:"attempt,omitempty"`
}

type PodSandboxConfig struct {
    Metadata *PodSandboxMetadata `json:"metadata,omitempty"`
    Hostname string `json:"hostname,omitempty"`
    LogDirectory string `json:"log_directory,omitempty"`
    DnsConfig *DNSConfig `json:"dns_config,omitempty"`
    PortMappings []*PortMapping `json:"port_mappings,omitempty"`
    Labels map[string]string `json:"labels,omitempty"`
    Annotations map[string]string `json:"annotations,omitempty"`
    Linux *LinuxPodSandboxConfig `json:"linux,omitempty"`
}
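
Because every field in PodSandboxConfig is tagged omitempty and Go's default JSON decoding ignores unknown keys, a misspelled key in sandbox-config.json is silently dropped. The strict lint below is an added example, not code from cri-tools or from these slides; LintSandboxConfig is a hypothetical helper, the nested types are kept opaque, and treating name, namespace and uid as required is an assumption of the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Field names and JSON tags follow the structs shown on the slide.
type PodSandboxMetadata struct {
	Name      string `json:"name,omitempty"`
	Uid       string `json:"uid,omitempty"`
	Namespace string `json:"namespace,omitempty"`
	Attempt   uint32 `json:"attempt,omitempty"`
}

type PodSandboxConfig struct {
	Metadata     *PodSandboxMetadata `json:"metadata,omitempty"`
	Hostname     string              `json:"hostname,omitempty"`
	LogDirectory string              `json:"log_directory,omitempty"`
	// Nested types are not shown on the slide; kept opaque here (assumption).
	DnsConfig    json.RawMessage   `json:"dns_config,omitempty"`
	PortMappings json.RawMessage   `json:"port_mappings,omitempty"`
	Labels       map[string]string `json:"labels,omitempty"`
	Annotations  map[string]string `json:"annotations,omitempty"`
	Linux        json.RawMessage   `json:"linux,omitempty"`
}

// LintSandboxConfig (hypothetical helper) rejects unknown keys and missing identity fields.
func LintSandboxConfig(data []byte) (*PodSandboxConfig, error) {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields() // a typo such as "log_dir" fails instead of being dropped
	var cfg PodSandboxConfig
	if err := dec.Decode(&cfg); err != nil {
		return nil, fmt.Errorf("decode: %w", err)
	}
	// Requiring name, namespace and uid is this example's assumption.
	if m := cfg.Metadata; m == nil || m.Name == "" || m.Namespace == "" || m.Uid == "" {
		return nil, fmt.Errorf("metadata.name, metadata.namespace and metadata.uid must be set")
	}
	return &cfg, nil
}

func main() {
	// Constructed input: the slide's config plus a misspelled "log_directory" key.
	bad := []byte(`{"metadata":{"name":"busybox-sandbox","namespace":"default","attempt":1,"uid":"busybox-uid"},"log_dir":"/var/log/pods","linux":{}}`)
	_, err := LintSandboxConfig(bad)
	fmt.Println("lint result:", err)
}
```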


container config

# cat container-config.json

{
    "metadata": {
        "name": "busybox"
    },
    "image": {
        "image": "busybox"
    },
    "command": ["top"],
    "linux": {}
}

# crictl container create sandboxID container-config.json sandbox-config.json

type ContainerMetadata struct {
    Name string `json:"name,omitempty"`
    Attempt uint32 `json:"attempt,omitempty"`
}

type ContainerConfig struct {
    Metadata *ContainerMetadata `json:"metadata,omitempty"`
    Image *ImageSpec `json:"image,omitempty"`
    Command []string `json:"command,omitempty"`
    Args []string `json:"args,omitempty"`
    WorkingDir string `json:"working_dir,omitempty"`
    Envs []*KeyValue `json:"envs,omitempty"`
    Mounts []*Mount `json:"mounts,omitempty"`
    Devices []*Device `json:"devices,omitempty"`
    Labels map[string]string `json:"labels,omitempty"`
    Annotations map[string]string `json:"annotations,omitempty"`
    LogPath string `json:"log_path,omitempty"`
    Stdin bool `json:"stdin,omitempty"`
    StdinOnce bool `json:"stdin_once,omitempty"`
    Tty bool `json:"tty,omitempty"`
    Linux *LinuxContainerConfig `json:"linux,omitempty"`
}


Next

  • Logs/UpdateRuntimeConfig subcommand in CLI
  • Supporting TLS for streaming operations
  • Validation test suites for experimental features
    • e.g. SELinux, AppArmor, Seccomp, Devices, Resource Limits
  • Benchmark test suites
    • Latency
    • resource usage (CPU, memory, disk IO, network IO)
  • UX improvements
    • e.g. support more output formats: -o json|yaml
  • Debugging


DEMO

go get github.com/kubernetes-incubator/cri-tools/cmd/critest

go get github.com/kubernetes-incubator/cri-tools/cmd/crictl


Contributions welcomed