Announcing the first CRI-O Release Candidate

The CRI-O team is pleased to announce the first CRI-O Release Candidate, with lots of bug fixes, performance and general improvements and better Kubernetes integration and test coverage. You can see the complete list of changes on GitHub, but let’s take a look at some of the new changes.

Kubernetes 1.7

The whole CRI-O project moved from Kubernetes 1.6 to Kubernetes 1.7. For anyone interested, we created a release-1.6 on GitHub but it will not be maintained.
The move to Kubernetes 1.7 brings additions to the CRI interface as well as improvements to the overall code we use from Kubernetes.
Given Kubernetes 1.8 is still in beta phase, our current plan is to release the first CRI-O release (1.0) based on Kubernetes 1.7. We will then create a 1.7 branch for fixes and for the 1.0 point releases. At that point we will move the master branch to Kubernetes 1.8. As soon as Kubernetes 1.8 goes GA, we’ll release CRI-O 1.8 to match Kubernetes versioning.
Remember, we take upstream seriously and won’t move ahead if we aren’t 100% sure the next CRI-O release is fully Kubernetes-compatible (more on this in the next paragrah).

Upstream first

CRI-O directly implements the Kubernetes Container Runtime Interface and the only supported runtime is Kubernetes. CRI-O is entirely shaped around Kubernetes so no feature is added if it isn’t strictly necessary for Kubernetes.
We’re pleased to announce that we switched from running Kubernetes node-e2e to run e2e tests. You can read the official Kubernetes documentation here and here to understand the difference between the two kind of testing.
Running e2e, a super-set of the node-e2e, gives maintainers greater confidence when merging Pull Requests, ensuring Kubernetes still works with a given CRI-O PR.

cAdvisor

If you tested CRI-O, you must have noticed an error like this in the kubelet:

Failed to check if disk space is available for the runtime: failed to get fs info for "runtime": ImagesFsInfo: unknown runtime: remote

The kubelet failed to use cAdvisor to gather statistics for the CRI-O runtime.
cAdvisor is used in the kubelet for things like scaling, detecting system pressure in terms of disk space, memory, CPU and so on.
We worked with the Kubernetes upstream community in order to implement a cAdvisor CRI-O handler to fix the error above.
We went through many fixes to enable the cAdvisor integration in CRI-O and we’re pleased to say that everything went well.

A small demonstration of the integration is available here:

cAdvisor stats

Performance

The first CRI-O RC1 brings to the table many performance fixes. We take performance seriously as we understand the cost gain in using less system resources. We do run performance testing at every release, ensuring everything remains stable.
CRI-O is made of little pieces, ensuring less overhead when running lots and lots of containers.
If I could say something, we’ve worked hard to ensure CRI-O performs really well.

Bugs and stability

The RC1 release contains many bug fixes in terms of stability and security. As said above, CRI-O is made of little pieces. The ones you’ll see on your host will be: the CRI-O server and a small shim called conmon. We do not ship other binaries. All other binaries come from different projects, all glued together to give you the best container runtime for Kubernetes. Lean means our codebase is small and what that really means is that it’s easily auditable for bugs as well as providing a small attack surface.
Our focus for the first CRI-O GA release will be spotting and fixing potential bugs. We won’t add any feature which could potentially break Kubernetes or introduce regressions in terms of stability and performance.

kpod

We continue working on the kpod tool. In case you’ve never heard about it, take a look at this great article from Dan Walsh.
Briefly, kpod is a CLI for managing containers and container storage on nodes, it allows you to examine what is going on in a CRI-O environemnt and can be used by administrators to debug and cleanup their CRI-O environments.
This CRI-O release adds many new commands to the kpod tool. A full list is available in the GitHub release notes.
Note: While kpod ships with CRI-O it is not as advanced towards release as the rest of CRI-O, we plan to continue to add tools in each release.

Packages

We have built packages for Fedora, Ubuntu and CentOS:

• https://bodhi.fedoraproject.org/updates/FEDORA-2017-a7fcc026f1
• https://launchpad.net/~projectatomic/+archive/ubuntu/ppa
• https://cbs.centos.org/koji/packages?tagID=1265

Simple dnf update, yum updateor apt-get update your system to get the new CRI-O release.

If it’s your first time installing CRI-O:

• on Fedora: dnf install cri-o
• on Ubuntu: add-apt-repository ppa:projectatomic/ppa && apt-get update && apt-get install cri-o
• on CentOS: yum install http://cbs.centos.org/kojifiles/packages/centos-release-container/1/6.el7.centos/noarch/centos-release-container-1-6.el7.centos.noarch.rpm && yum install cri-o

Note CRI-O requires the latest version of runc available (runc-1.0.0–10.rc4.gitaea4f21.fc26 on Fedora 26 for instance) as of now, hopefully runc will finalize 1.0 soon, and CRI-O can be more specific on the version.

Please test the new version and send feedback or suggestions. Don’t be shy. Reach out to us on Github, Freenode #cri-o, or directly tweet me :)
Grazie mille!