Runtime

k0s uses containerd as the default Container Runtime Interface (CRI) and runc as the default low-level runtime. In most cases they don’t require any configuration changes. However, if custom configuration is needed, this page provides some examples.

k0s_runtime

containerd configuration

To make changes to containerd configuration you must first generate a default containerd configuration, with the default values set to /etc/k0s/containerd.toml:

  1. containerd config default > /etc/k0s/containerd.toml

k0s runs containerd with the following default values:

  1. /var/lib/k0s/bin/containerd \
  2.     --root=/var/lib/k0s/containerd \
  3.     --state=/run/k0s/containerd \
  4.     --address=/run/k0s/containerd.sock \
  5.     --config=/etc/k0s/containerd.toml

Next, add the following default values to the configuration file:

  1. version = 2
  2. root = "/var/lib/k0s/containerd"
  3. state = "/run/k0s/containerd"
  4. ...
  6. [grpc]
  7.   address = "/run/k0s/containerd.sock"

Finally, if you want to change CRI look into:

  1.   [plugins."io.containerd.runtime.v1.linux"]
  2.     shim = "containerd-shim"
  3.     runtime = "runc"

Using gVisor

gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system call interface. It provides an additional layer of isolation between running applications and the host operating system.

  1. Install the needed gVisor binaries into the host.

    1. (
    2.   set -e
    3.   URL=https://storage.googleapis.com/gvisor/releases/release/latest
    4.   wget ${URL}/runsc ${URL}/runsc.sha512 \
    5.     ${URL}/gvisor-containerd-shim ${URL}/gvisor-containerd-shim.sha512 \
    6.     ${URL}/containerd-shim-runsc-v1 ${URL}/containerd-shim-runsc-v1.sha512
    7.   sha512sum -c runsc.sha512 \
    8.     -c gvisor-containerd-shim.sha512 \
    9.     -c containerd-shim-runsc-v1.sha512
    10.   rm -f *.sha512
    11.   chmod a+rx runsc gvisor-containerd-shim containerd-shim-runsc-v1
    12.   sudo mv runsc gvisor-containerd-shim containerd-shim-runsc-v1 /usr/local/bin
    13. )

    Refer to the gVisor install docs for more information.

  2. Prepare the config for k0s managed containerD, to utilize gVisor as additional runtime:

    1. cat <<EOF | sudo tee /etc/k0s/containerd.toml
    2. disabled_plugins = ["restart"]
    3. [plugins.linux]
    4.   shim_debug = true
    5. [plugins.cri.containerd.runtimes.runsc]
    6.   runtime_type = "io.containerd.runsc.v1"
    7. EOF

  3. Start and join the worker into the cluster, as normal:

    1. k0s worker $token

  4. Register containerd to the Kubernetes side to make gVisor runtime usable for workloads (by default, containerd uses normal runc as the runtime):

    1. cat <<EOF | kubectl apply -f -
    2. apiVersion: node.k8s.io/v1beta1
    3. kind: RuntimeClass
    4. metadata:
    5.   name: gvisor
    6. handler: runsc
    7. EOF

    At this point, you can use gVisor runtime for your workloads:

    1. apiVersion: v1
    2. kind: Pod
    3. metadata:
    4.   name: nginx-gvisor
    5. spec:
    6.   runtimeClassName: gvisor
    7.   containers:
    8.   - name: nginx
    9.     image: nginx

  5. (Optional) Verify tht the created nginx pod is running under gVisor runtime:

    1. # kubectl exec nginx-gvisor -- dmesg | grep -i gvisor
    2. [    0.000000] Starting gVisor...

Using nvidia-container-runtime

By default, CRI is set to runC. As such, you must configure Nvidia GPU support by replacing runc with nvidia-container-runtime:

  1. [plugins."io.containerd.grpc.v1.cri".containerd]
  2.     default_runtime_name = "nvidia"
  3. [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia]
  4.     privileged_without_host_devices = false
  5.     runtime_engine = ""
  6.     runtime_root = ""
  7.     runtime_type = "io.containerd.runc.v1"
  8. [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.nvidia.options]
  9.     BinaryName = "/usr/bin/nvidia-container-runtime"

Note Detailed instruction on how to run nvidia-container-runtime on your node is available here.

After editing the configuration, restart k0s to get containerd using the newly configured runtime.

Using custom CRI runtime

Warning: You can use your own CRI runtime with k0s (for example, docker). However, k0s will not start or manage the runtime, and configuration is solely your responsibility.

Use the option --cri-socket to run a k0s worker with a custom CRI runtime. the option takes input in the form of <type>:<socket_path> (for type, use docker for a pure Docker setup and remote for anything else).

Using dockershim

To run k0s with a pre-existing Dockershim setup, run the worker with k0s worker --cri-socket docker:unix:///var/run/cri-dockerd.sock <token>. A detailed explanation on dockershim and a guide for installing cri-dockerd can be found in our k0s dockershim guide.