Support other flavour of CRI

.gitignore

@@ -1,3 +1,5 @@
 .vscode/
 .idea/
 .venv/
+
+**/local-packer-var.json

docs/book/src/SUMMARY.md

@@ -22,6 +22,7 @@
   - [Including ECR Credential Provider](./capi/ecr-credential-provider.md)
   - [Testing the Images](./capi/goss/goss.md)
   - [Using Container Images](./capi/container-image.md)
-  - [Customizing containerd](./capi/containerd/customizing-containerd.md)
   - [Releasing](./capi/releasing.md)
+- [Container Runtime](./capi/cri/cri.md)
+  - [Customizing ContainerD](./capi/cri/customizing-containerd.md)
 - [Glossary](./glossary.md)

docs/book/src/capi/capi.md

@@ -45,6 +45,7 @@ The `images/capi/packer/config` directory includes several JSON files that defin
 | `packer/config/ansible-args.json` | A common set of variables that are sent to the Ansible playbook                                                                                       |
 | `packer/config/cni.json`          | The version of Kubernetes CNI to install                                                                                                              |
 | `packer/config/containerd.json`   | The version of containerd to install and customizations specific to the containerd runtime                                                            |
+| `packer/config/crio.json`         | The version of crio to install and customizations specific to the crio runtime                                                                        |
 | `packer/config/kubernetes.json`   | The version of Kubernetes to install. The default version is kept at n-2. See [Customization](#customization) section below for overriding this value |
 
 Due to OS differences, Windows images has additional configuration in the `packer/config/windows` folder.  See [Windows documentation](./windows/windows.md) for more details.
@@ -55,6 +56,8 @@ Several variables can be used to customize the image build.
 
 | Variable                                                                                                                   | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | Default                       |
 | -------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------- |
+| `cri_flavour`                                                                                                  | The runtime to install. Defaults to `containerd` for maximum compatibility of operating system and configuration. When using `crio`, `crictl` does not come bundles with the package, refer to `crictl_source_type` config option to install `crictl`| `"containerd"`                     |
+| `crictl_source_type`                                                                                                  |  Specify the source of crictl, you can choose between `http` and `pkg`. The former means that crictl will be explicitaly installed, meanwhile the latter will assume that crictl will be part of the CRI bundle | `"pkg"`                     |
 | `firstboot_custom_roles_pre`<br />`firstboot_custom_roles_post`<br />`node_custom_roles_pre`<br />`node_custom_roles_post` | Each of these four variables allows for giving a space delimited string of custom Ansible roles to run at different times. The "pre" roles run as the very first thing in the playbook (useful for setting up environment specifics like networking changes), and the "post" roles as the very last (useful for undoing those changes, custom additions, etc). Note that the "post" role does run before the "sysprep" role in the "node" playbook, as the "sysprep" role seals the image. If the role is placed in the `ansible/roles` directory, it can be referenced by name. Otherwise, it must be a fully qualified path to the role. | `""`                          |
 | `disable_public_repos`                                                                                                     | If set to `"true"`, this will disable all existing package repositories defined in the OS before doing any package installs. The `extra_repos` variable *must* be set for package installs to succeed.                                                                                                                                                                                                                                                                                                                                                                                                                                     | `"false"`                     |
 | `extra_debs`                                                                                                               | This can be set to a space delimited string containing the names of additional deb packages to install                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     | `""`                          |

docs/book/src/capi/cri/cri.md

@@ -0,0 +1,36 @@
+# Container Runtime
+
+The image-builder project supports different implementations of CRI, referred to as flavours in this book, as CRI. The preferred option is containerd, but CRI-O is supported for some kind of platforms - depending on cri-o supported operating systems. By default, the built-in CNI provided by CRI-O is disabled. To enable use the following variable:
+
+```json
+{
+  "crio_disable_default_cni": "false",
+}
+```
+
+## crictl
+
+When CRI-O is specified, `crictl` is not provided with the installation package. You need to install it using the `http` source type:
+
+```json
+{
+  "crictl_source_type": "http",
+}
+```
+
+## Running sandboxed containers using gVisor
+
+As of now, gVisor support is implemented but broken. See [gvisor/issue/3283](https://github.com/google/gvisor/issues/3283). Refer to the [relative section](./customizing-containerd.md) keeping in mind that the variables are similar but different:
+
+```json
+{
+    "crio_gvisor_runtime": true,
+    "crio_gvisor_version": "yyyymmdd", // or "latest"
+}
+```
+
+For example, you can build the qcow2 image with gVisor enabled with this command:
+
+```sh
+PACKER_FLAGS="--var 'crio_gvisor_runtime=true'" make build-qemu-ubuntu-2204-crio
+```

docs/book/src/capi/containerd/customizing-containerd.md → docs/book/src/capi/cri/customizing-containerd.md

@@ -13,7 +13,7 @@ flag to `true`. For example, in a packer configuration file:
 
 ```json
 {
-    "containerd_gvisor_runtime": "true",
+    "containerd_gvisor_runtime": true,
     "containerd_gvisor_version": "yyyymmdd",
 }
 ```

images/capi/.ansible-lint-ignore

@@ -139,3 +139,6 @@ ansible/windows/roles/systemprep/defaults/main.yml var-naming[no-role-prefix]
 ansible/windows/roles/systemprep/tasks/main.yml ignore-errors
 ansible/windows/roles/systemprep/tasks/main.yml name[missing]
 ansible/windows/roles/systemprep/tasks/ssh-feature.yml schema[tasks]
+ansible/roles/crio/defaults/main.yml yaml[line-length]
+ansible/roles/crio/tasks/debian.yml yaml[line-length]
+ansible/roles/crio/tasks/redhat.yml yaml[line-length]

images/capi/Makefile

@@ -259,6 +259,7 @@ endif
 COMMON_NODE_VAR_FILES := packer/config/kubernetes.json \
 					packer/config/cni.json \
 					packer/config/containerd.json \
+					packer/config/crio.json \
 					packer/config/wasm-shims.json \
 					packer/config/ansible-args.json \
 					packer/config/goss-args.json \
@@ -308,13 +309,13 @@ PACKER_POWERVS_NODE_FLAGS := $(foreach f,$(abspath $(COMMON_POWERVS_VAR_FILES)),
 ## --------------------------------------
 ## Platform and version combinations
 ## --------------------------------------
-CENTOS_VERSIONS			:=	centos-7
-FLATCAR_VERSIONS		:=	flatcar
-PHOTON_VERSIONS			:=	photon-3 photon-4 photon-5
-RHEL_VERSIONS			:=	rhel-7 rhel-8 rhel-9
+CENTOS_VERSIONS					:=	centos-7
+FLATCAR_VERSIONS				:=	flatcar
+PHOTON_VERSIONS					:=	photon-3 photon-4 photon-5
+RHEL_VERSIONS			  		:=	rhel-7 rhel-8 rhel-9
 ROCKYLINUX_VERSIONS		:=  rockylinux-8 rockylinux-9
-UBUNTU_VERSIONS			:=	ubuntu-2004 ubuntu-2004-efi ubuntu-2204 ubuntu-2204-efi ubuntu-2404 ubuntu-2404-efi
-WINDOWS_VERSIONS		:=	windows-2019 windows-2019-efi windows-2022 windows-2022-efi
+UBUNTU_VERSIONS					:=	ubuntu-2004 ubuntu-2004-efi ubuntu-2204 ubuntu-2204-efi ubuntu-2404 ubuntu-2404-efi
+WINDOWS_VERSIONS				:=	windows-2019 windows-2019-efi windows-2022 windows-2022-efi
 
 # Set Flatcar Container Linux channel and version if not supplied
 FLATCAR_CHANNEL ?= stable
@@ -361,7 +362,7 @@ OPENSTACK_BUILD_NAMES		?=	openstack-ubuntu-2004 openstack-ubuntu-2204 openstack-
 
 OSC_BUILD_NAMES 			?=	osc-ubuntu-2004 osc-ubuntu-2204
 
-QEMU_BUILD_NAMES			?=	qemu-ubuntu-2004 qemu-ubuntu-2204 qemu-ubuntu-2204-cloudimg qemu-ubuntu-2304 qemu-ubuntu-2404 qemu-ubuntu-2204-efi qemu-centos-7 qemu-centos-9 qemu-ubuntu-2004-efi qemu-rhel-8 qemu-rhel-9 qemu-rockylinux-8 qemu-rockylinux-8-cloudimg qemu-rockylinux-9 qemu-rockylinux-9-cloudimg qemu-flatcar
+QEMU_BUILD_NAMES			?=	qemu-ubuntu-2004 qemu-ubuntu-2204 qemu-ubuntu-2204-cloudimg qemu-ubuntu-2304 qemu-ubuntu-2404 qemu-ubuntu-2204-efi qemu-centos-7 qemu-centos-9 qemu-ubuntu-2004-efi qemu-rhel-8 qemu-rhel-9 qemu-rockylinux-8 qemu-rockylinux-8-cloudimg qemu-rockylinux-9 qemu-rockylinux-9-cloudimg qemu-flatcar qemu-ubuntu-2204-crio qemu-centos-9-crio
 
 QEMU_KUBEVIRT_BUILD_NAMES	:= $(addprefix kubevirt-,$(QEMU_BUILD_NAMES))
 
@@ -794,10 +795,12 @@ build-qemu-ubuntu-2004-efi: ## Builds Ubuntu 20.04 QEMU image that EFI boots
 build-qemu-ubuntu-2204: ## Builds Ubuntu 22.04 QEMU image
 build-qemu-ubuntu-2204-cloudimg: ## Builds Ubuntu 22.04 QEMU image using cloud image
 build-qemu-ubuntu-2204-efi: ## Builds Ubuntu 22.04 QEMU image that EFI boots
+build-qemu-ubuntu-2204-crio: ## Builds Ubuntu 22.04 QEMU image using CRI-O as CRI
 build-qemu-ubuntu-2304: ## Builds Ubuntu 23.04 QEMU image
 build-qemu-ubuntu-2404: ## Builds Ubuntu 24.04 QEMU image
 build-qemu-centos-7: ## Builds CentOS 7 QEMU image
 build-qemu-centos-9: ## Builds CentOS 9 Stream QEMU image
+build-qemu-centos-9-crio: ## Builds CentOOS 9 Stream image using CRI-O as CRI
 build-qemu-rhel-8: ## Builds RHEL 8 QEMU image
 build-qemu-rhel-9: ## Builds RHEL 9 QEMU image
 build-qemu-rockylinux-8: ## Builds Rocky 8 QEMU image
@@ -972,9 +975,12 @@ validate-qemu-ubuntu-2004-efi: ## Validates Ubuntu 20.04 QEMU EFI image packer c
 validate-qemu-ubuntu-2204: ## Validates Ubuntu 22.04 QEMU image packer config
 validate-qemu-ubuntu-2204-cloudimg: ## Validates Ubuntu 22.04 QEMU image packer config using cloud image
 validate-qemu-ubuntu-2204-efi: ## Validates Ubuntu 22.04 QEMU EFI image packer config
+validate-qemu-ubuntu-2204-crio: ## Validates Ubuntu 22.04 QEMU CRIO image packer config 
 validate-qemu-ubuntu-2304: ## Validates Ubuntu 23.04 QEMU image packer config
 validate-qemu-ubuntu-2404: ## Validates Ubuntu 24.04 QEMU image packer config
 validate-qemu-centos-7: ## Validates CentOS 7 QEMU image packer config
+validate-qemu-centos-9: ## Validates CentOS 7 QEMU image packer config
+validate-qemu-centos-9-crio: ## Validates CentOS 7 QEMU CRIO image packer config 
 validate-qemu-rhel-8: ## Validates RHEL 8 QEMU image
 validate-qemu-rhel-9: ## Validates RHEL 9 QEMU image
 validate-qemu-rockylinux-8: ## Validates Rocky Linux 8 QEMU image packer config

images/capi/ansible/node.yml

@@ -30,8 +30,9 @@
         name: node
     - ansible.builtin.include_role:
         name: providers
-    - ansible.builtin.include_role:
-        name: containerd
+    - name: "Configuring {{ cri_flavour }}"
+      ansible.builtin.include_role:
+        name: "{{ cri_flavour }}"
     - ansible.builtin.include_role:
         name: kubernetes
     - ansible.builtin.include_role:

images/capi/ansible/roles/containerd/tasks/main.yml

@@ -21,6 +21,10 @@
 - ansible.builtin.import_tasks: photon.yml
   when: ansible_os_family == "VMware Photon OS"
 
+- name: Export crisocket
+  ansible.builtin.set_fact:
+    cri_socket: "{{ containerd_cri_socket }}"
+
 # TODO(vincepri): Use deb/rpm packages once available.
 # See https://github.com/containerd/containerd/issues/1508 for context.
 - name: Download containerd
@@ -199,14 +203,14 @@
   loop:
     - runsc
     - containerd-shim-runsc-v1
-  when: containerd_gvisor_runtime
+  when: containerd_gvisor_runtime | bool
 
 - name: Install runsc as a runtime
   ansible.builtin.command:
     cmd: >
       {{ sysusr_prefix }}/bin/runsc install
   register: runsc_install_output
-  when: containerd_gvisor_runtime
+  when: containerd_gvisor_runtime | bool
   changed_when:
     - runsc_install_output.rc == 0
     - runsc_install_output.stderr is search('Successfully added')

images/capi/ansible/roles/containerd/templates/etc/containerd/config.toml

@@ -34,7 +34,7 @@ imports = ["/etc/containerd/conf.d/*.toml"]
   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.wws]
     runtime_type = "io.containerd.wws.{{ runtime_versions['wws'] }}"
 {% endif %}
-{% if containerd_gvisor_runtime %}
+{% if containerd_gvisor_runtime | bool %}
   [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.gvisor]
     runtime_type = "io.containerd.runsc.v1"
 {% endif %}

images/capi/ansible/roles/crio/defaults/main.yml

@@ -0,0 +1,17 @@
+# Copyright 2024 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+crio_config_file: etc/crio/crio.conf
+crio_gvisor_runtime: false
+crio_gvisor_version: latest

images/capi/ansible/roles/crio/tasks/debian.yml

@@ -0,0 +1,99 @@
+# Copyright 2024 The Kubernetes Authors.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+
+- name: Determine Version
+  block:
+    - name: Set Global CRI-O facts
+      ansible.builtin.set_fact:
+        crio_repo_version: "{{ crio_version.split('.')[:2] | join('.') }}"
+        crio_packaging_version: "stable:/v{{ crio_version.split('.')[:2] | join('.') }}"
+    - name: Set CRI-O facts for Ubuntu
+      ansible.builtin.set_fact:
+        crio_repo_os: "x{{ ansible_distribution }}_{{ ansible_distribution_version }}"
+      when: ansible_distribution == "Ubuntu"
+    - name: Set CRI-O facts for Debian
+      ansible.builtin.set_fact:
+        crio_repo_os: "{{ ansible_distribution }}_{{ ansible_distribution_version }}"
+      when: ansible_distribution == "Debian"
+
+- name: Legacy install
+  when: "crio_version is version_compare('1.28', '<=')"
+  block:
+    - name: Add Debian Buster backports if needed
+      ansible.builtin.apt_repository:
+        repo: http://deb.debian.org/debian buster-backports main
+        state: present
+        filename: backports
+      when: ansible_distribution_major_version | int <= 10 and ansible_distribution == "Debian"
+    - name: Install libseccomp2 package
+      ansible.builtin.apt:
+        name: libseccomp2
+        state: present
+      when: ansible_distribution_major_version | int <= 10 and ansible_distribution == "Debian"
+    - name: Configure repo and import key
+      block:
+        - name: Get gpg sign key
+          ansible.builtin.get_url:
+            url: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ crio_repo_os }}/Release.key"
+            dest: /usr/share/keyrings/libcontainers-archive-keyring.asc
+            mode: "0644"
+        - name: Get gpg sign key
+          ansible.builtin.get_url:
+            url: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_repo_version }}/{{ crio_repo_os }}/Release.key"
+            dest: /usr/share/keyrings/libcontainers-crio-archive-keyring.asc
+            mode: "0644"
+        - name: Add repository
+          ansible.builtin.apt_repository:
+            repo: "deb [signed-by=/usr/share/keyrings/libcontainers-archive-keyring.asc] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ crio_repo_os }}/ /"
+            state: present
+            filename: devel:kubic:libcontainers:stable
+        - name: Add repository
+          ansible.builtin.apt_repository:
+            repo: "deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.asc] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_repo_version }}/{{ crio_repo_os }}/ /"
+            state: present
+            filename: "devel:kubic:libcontainers:stable:cri-o:{{ crio_repo_os }}"
+    - name: Install crio
+      ansible.builtin.apt:
+        update_cache: true
+        name: "{{ item }}"
+      with_items:
+        - cri-o
+        - cri-o-runc
+
+- name: Install from Packaging
+  when: "crio_version is version_compare('1.29', '>=')"
+  block:
+    - name: Install needed packages
+      ansible.builtin.apt:
+        update_cache: true
+        name: "{{ item }}"
+      with_items:
+        - software-properties-common
+        - curl
+    - name: Get gpg sign key
+      ansible.builtin.get_url:
+        url: https://pkgs.k8s.io/addons:/cri-o:/{{ crio_packaging_version }}/deb/Release.key
+        dest: /usr/share/keyrings/cri-o-apt-keyring.asc
+        mode: "0644"
+    - name: Add apt repository
+      ansible.builtin.apt_repository:
+        repo: "deb [signed-by=/usr/share/keyrings/cri-o-apt-keyring.asc] https://pkgs.k8s.io/addons:/cri-o:/{{ crio_packaging_version }}/deb/ /"
+        state: present
+    - name: Install crio
+      ansible.builtin.apt:
+        update_cache: true
+        name: "{{ item }}"
+      with_items:
+        - cri-o