Feat: CRI-O v1.31 change default runtime to crun

[tico88612]

What type of PR is this?

/kind api-change /kind feature

What this PR does / why we need it:

• CRI-O v1.31 default runtime change to crun; we should follow upstream.

Which issue(s) this PR fixes:

Fixes #11561

Special notes for your reviewer:

• My MacBook Pro M2 Vagrant local test failed due to overlayfs, I need to test on GitLab CI.

Does this PR introduce a user-facing change?:

[action required] If you use CRI-O and want to keep `runc` as your container default runtime when you upgrade cluster, you must set `runc_enable: true` and `crio_default_runtime: "runc"`.
Make CRI-O's default runtime configurable
CRI-O v1.31 default runtime change to crun
Crun upgrade to 1.17
Skopeo upgrade to v1.16.1

[tico88612]

/ok-to-test

[VannTen]

Could you precise in the release note what is the expected action for users ? Also, is there a reason to include the skopeo upgrade in this ? Compat with cri-o / crun ?

[tico88612]

Could you precise in the release note what is the expected action for users ?

This is changing the default value. Should I use “action required”, or maybe not?

Also, is there a reason to include the skopeo upgrade in this ? Compat with cri-o / crun ?

The original reason for updating Skopeo was that I couldn't test CRI-O locally, but no matter how I updated it, it didn't seem to work, but the GitLab CI did pass the test.

[VannTen]

On Mon, Oct 07, 2024 at 03:59:35AM -0700, ChengHao Yang wrote:

Could you precise in the release note what is the expected action for users ?

This is changing the default value. Should I use “action required”, or maybe not?

Depends. If the change of default has the potential to break things if users just run the update, yes (for instance, #6693, you could not just update calico-datastore from etcd to kdd without a particular procedure)

If the change of runtime has no impact, no.

On top of my head, potential problems we should be looking at:

• pods which are not evicted on graceful update (daemonset pods for instance, I think we ignore those) continue to run on the previous runtime. (not sure if that can happen, but that's the kind of thing I'd put an action required notice explaining that).

The original reason for updating Skopeo was that I couldn't test CRI-O locally, but no matter how I updated it, it didn't seem to work, but the GitLab CI did pass the test.

Weird, maybe the CRI-O API wasn't backwards compatible in some part skopeo relies on ?

[tico88612]

Depends. If the change of default has the potential to break things if users just run the update, yes (for instance, #6693, you could not just update calico-datastore from etcd to kdd without a particular procedure)

This is indeed “action required” for those upgrading clusters.

Weird, maybe the CRI-O API wasn't backwards compatible in some part skopeo relies on ?

I think it's my Mac Vagrant that I can't test because my original CRI-O is also untestable, but I don't have a Linux-based host to use right now.

[VannTen]

Ok, in that case, can you either describe the procedure in the release notes, or link to it if it's too long for a note ?

[tico88612]

Ok, in that case, can you either describe the procedure in the release notes, or link to it if it's too long for a note ?

This is my first time writing an action-required release note; any comments are welcome.

[VannTen]

Looks perfectly ok to me :+1:

[tico88612]

/retest-failed

[tico88612]

/retest

[tico88612]

/retest-failed

[tico88612]

tf-validate-aws job failed reason: https://github.com/hashicorp/terraform-provider-aws/issues/39676

[tico88612]

/retest-failed

[tico88612]

/label tide/merge-method-merge

[ant31]

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ant31, tico88612

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files: - ~~[OWNERS](https://github.com/kubernetes-sigs/kubespray/blob/master/OWNERS)~~ [ant31] Approvers can indicate their approval by writing `/approve` in a comment Approvers can cancel approval by writing `/approve cancel` in a comment

[yankay]

Thanks @tico88612 /lgtm