How to migrate away from Dockershim in Kubernetes v1.24 and later



Kubernetes v1.24 and later ship without Dockershim, following its deprecation in the December 2020 v1.20 release. Dockershim is no longer available as a built-in container runtime. You need to use a supported runtime instead, such as containerd, CRI-O, or Docker Engine with the cri-dockerd adapter.

In this article, we will explain how to check whether you are affected and then how you can migrate to a different runtime. You must take these steps before you upgrade to Kubernetes v1.24 or later so that your cluster workloads are not affected.

What was Dockershim?

Dockershim was developed as a necessary component so that Kubernetes could support more container runtimes. At the beginning of the project, Kubernetes only worked with the Docker Engine. This limitation was removed by the introduction of the CRI standard. Any CRI-compliant runtime can now be used with Kubernetes, including containerd and CRI-O, an OCI implementation of the standard.

While CRI brought new flexibility to Kubernetes, it posed a problem for existing clusters. Docker lacked support for the CRI standard, so the Kubernetes team built Dockershim to layer compatibility on top. Dockershim was a direct integration with the Docker Engine that was always intended to be a temporary measure.

The container movement is now much bigger than Docker, as Kubernetes’ original push to CRI demonstrates. Docker itself has been split into individual components, with the runtime extracted as containerd, a graduated project of the Cloud Native Computing Foundation (CNCF).

containerd is fully supported by Kubernetes and is more suitable for standalone use in cloud environments. Kubernetes does not require the Docker CLI and its feature set to run Pods; all it needs is the ability to start and run containers at a relatively low level. Dockershim was removed because it was difficult to maintain. Its use created fragile code that was tightly coupled to the Docker Engine implementation.

Check if you are using Dockershim

Clusters created recently on modern platforms are unlikely to use Dockershim. This includes clusters operated by popular cloud providers such as Amazon EKS, Azure AKS, Google GKE, and DigitalOcean DOKS.

You will likely need to take action if you maintain your own cluster and first set it up several years ago. You can check whether you are using Dockershim as the runtime for any of your nodes by running this Kubectl command:

$ kubectl get nodes -o wide
NAME    STATUS  VERSION     CONTAINER-RUNTIME
node-1  Ready   v1.22.8     docker://19.3.1
node-2  Ready   v1.22.8     containerd://1.4.13

In this example, one of the nodes is using containerd and can be left as is. The other node is configured with Docker and could be affected by the Dockershim removal. You can check by running this command on the node:

$ tr \\0 ' ' < /proc/"$(pgrep kubelet)"/cmdline | grep "\-\-container\-runtime"

Your Node is using Dockershim to run containers if no output is shown. If you get some output, check the --container-runtime-endpoint flag value shown to determine whether Dockershim is active. A runtime endpoint of unix:///run/containerd/containerd.sock indicates that containerd is in use, so there is no need to migrate.
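The decision rule above can be scripted so it gives the same answer on every node. This is an added example, not part of the original article; the function name classify_kubelet_runtime and the sample command line are hypothetical, and the socket paths are the two the article uses.

```shell
#!/bin/sh
# Classify a kubelet command line by container runtime (kubelet before v1.24,
# where a missing --container-runtime flag means the built-in Dockershim).
# Input: the kubelet arguments as one space-separated string, for example
#   classify_kubelet_runtime "$(tr \\0 ' ' < /proc/"$(pgrep kubelet)"/cmdline)"
classify_kubelet_runtime() (
    set -f   # no glob expansion while splitting the argument string
    runtime="" endpoint="" prev=""
    # Word splitting on $1 is intentional: one token per kubelet argument.
    for arg in $1; do
        # "--flag value" form: the value follows the flag as its own token.
        case "$prev" in
            --container-runtime)          runtime=$arg ;;
            --container-runtime-endpoint) endpoint=$arg ;;
        esac
        # "--flag=value" form.
        case "$arg" in
            --container-runtime=*)          runtime=${arg#*=} ;;
            --container-runtime-endpoint=*) endpoint=${arg#*=} ;;
        esac
        prev=$arg
    done
    if [ -z "$runtime" ] || [ "$runtime" = "docker" ]; then
        # Flag absent or set to docker: kubelet reaches Docker via Dockershim.
        echo "dockershim"
    else
        case "$endpoint" in
            */containerd.sock)  echo "containerd" ;;
            */cri-dockerd.sock) echo "cri-dockerd" ;;
            *)                  echo "other:${endpoint:-unset}" ;;
        esac
    fi
)

# Constructed sample command line (not captured from a real node).
classify_kubelet_runtime "/usr/bin/kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --network-plugin=cni"
```

Running it before and after the migration distinguishes Dockershim from cri-dockerd, which kubectl get nodes cannot do because both report docker:// as the runtime.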

Change node runtime

Nodes using Dockershim must be updated to use a different runtime. First drain your Node’s workloads with Kubectl, so your Pods are rescheduled to other Nodes in your cluster. You must also cordon the Node to stop any new Pods from being scheduled to it.

$ kubectl cordon node-1
$ kubectl drain node-1 --ignore-daemonsets

Next, run the following commands on the Node itself. Start by stopping the Docker daemon and the Node’s Kubelet process:

$ systemctl stop kubelet
$ systemctl disable docker.service --now

Now you can install your new runtime.

Using containerd

containerd is generally considered to be the preferred solution for existing clusters. You should be able to migrate to containerd if you don’t rely on specific features of the Docker Engine. If you do, head to the next section and install cri-dockerd instead.

Add Docker’s repository to your system if your package lists don’t already include it. containerd is distributed in Docker’s repository.

$ sudo apt-get update
$ sudo apt-get install ca-certificates curl gnupg lsb-release
$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
$ echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

Install containerd:

$ sudo apt update
$ sudo apt install containerd

Now update the Node’s Kubelet configuration file to use the new runtime. Open /var/lib/kubelet/kubeadm-flags.env. Find or add the --container-runtime and --container-runtime-endpoint flags with the following values:

  • --container-runtime=remote
  • --container-runtime-endpoint=unix:///run/containerd/containerd.sock

Next, change the socket annotation saved against the Node object in the Kubernetes control plane:

$ kubectl edit node node-1

In the file that opens, find the kubeadm.alpha.kubernetes.io/cri-socket annotation and change it to unix:///run/containerd/containerd.sock. Save and close the file to update the Node object.

Now restart Kubelet:

$ systemctl start kubelet

Allow the Node a few moments to start up and connect to the Kubernetes control plane. You should be able to repeat the get nodes command and see that containerd is now in use.

$ kubectl get nodes -o wide
NAME    STATUS  VERSION     CONTAINER-RUNTIME
node-1  Ready   v1.22.8     containerd://1.4.13
node-2  Ready   v1.22.8     containerd://1.4.13

Finally, remove the cordon you placed around the Node so it can start receiving Pods:

$ kubectl uncordon node-1

Using cri-dockerd

cri-dockerd is a runtime jointly developed by Docker and Mirantis. It is a standalone version of Dockershim that is maintained independently. It allows you to keep using familiar functionality without burdening the Kubernetes project with Dockershim’s maintenance requirements.

Make sure you’ve already got Docker Engine installed. Then install cri-dockerd by downloading the latest binary from the project’s GitHub releases:

$ wget https://github.com/Mirantis/cri-dockerd/releases/download/v0.2.0/cri-dockerd-v0.2.0-linux-amd64.tar.gz
$ tar xvf cri-dockerd-v0.2.0-linux-amd64.tar.gz
$ mv cri-dockerd /usr/local/bin/

Next, download, install, and enable the cri-dockerd systemd service configurations:

$ wget https://raw.githubusercontent.com/Mirantis/cri-dockerd/master/packaging/systemd/cri-docker.service
$ wget https://raw.githubusercontent.com/Mirantis/cri-dockerd/master/packaging/systemd/cri-docker.socket
$ sudo mv cri-docker.socket cri-docker.service /etc/systemd/system/
$ sudo sed -i -e 's,/usr/bin/cri-dockerd,/usr/local/bin/cri-dockerd,' /etc/systemd/system/cri-docker.service

$ sudo systemctl daemon-reload
$ sudo systemctl enable cri-docker.service
$ sudo systemctl enable --now cri-docker.socket

You can now modify your Node’s Kubelet configuration to use cri-dockerd. This is similar to configuring the Node to use containerd.

Open /var/lib/kubelet/kubeadm-flags.env. Find or add the --container-runtime and --container-runtime-endpoint flags with the following values:

  • --container-runtime=remote
  • --container-runtime-endpoint=unix:///var/run/cri-dockerd.sock

Then change the annotation of the node object’s socket:

$ kubectl edit node node-1

In the file that opens, find the kubeadm.alpha.kubernetes.io/cri-socket annotation and change it to unix:///var/run/cri-dockerd.sock. Save and close the file to update the Node object.

Now restart Kubelet:

$ systemctl start kubelet

Wait a few moments and then use Kubectl to verify that the Node is up and running. It will still display the Docker runtime, but this is now based on the standalone cri-dockerd rather than the Kubernetes-integrated Dockershim.

$ kubectl get nodes -o wide
NAME    STATUS  VERSION     CONTAINER-RUNTIME
node-1  Ready   v1.22.8     docker://19.3.1
node-2  Ready   v1.22.8     containerd://1.4.13

You can now remove the cordon you placed around the Node. It will start accepting Pod scheduling requests again.

$ kubectl uncordon node-1
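The kubeadm-flags.env edit used in both the containerd and cri-dockerd procedures above can be scripted so that it is repeatable and leaves a rollback copy. This is an added example, not part of the original article; the function name set_kubelet_runtime_endpoint is hypothetical, and it assumes the file holds a double-quoted KUBELET_KUBEADM_ARGS line with flags written as --flag=value.

```shell
#!/bin/sh
# Set the kubelet runtime flags in a kubeadm-flags.env style file.
# usage: set_kubelet_runtime_endpoint FILE ENDPOINT
#   e.g. set_kubelet_runtime_endpoint /var/lib/kubelet/kubeadm-flags.env \
#            unix:///run/containerd/containerd.sock
set_kubelet_runtime_endpoint() {
    env_file=$1
    endpoint=$2
    # Refuse to touch a file that lacks the expected quoted variable line.
    grep -q '^KUBELET_KUBEADM_ARGS=".*"$' "$env_file" || return 1
    cp -p "$env_file" "$env_file.bak" || return 1   # rollback copy
    tmp=$(mktemp) || return 1
    # 1st expression: drop existing copies of both flags, so a stale
    #   --container-runtime=docker cannot survive next to the new value.
    # 2nd expression: append the new pair before the closing quote.
    sed -E \
        -e '/^KUBELET_KUBEADM_ARGS=/ s# ?--container-runtime(-endpoint)?=[^ "]*##g' \
        -e "/^KUBELET_KUBEADM_ARGS=/ s#\"\$# --container-runtime=remote --container-runtime-endpoint=${endpoint}\"#" \
        "$env_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # cat instead of mv keeps the original file's owner and mode.
    cat "$tmp" > "$env_file"
    rm -f "$tmp"
    # Succeed only if the new endpoint is now the last flag on the line.
    grep -q -- "--container-runtime-endpoint=${endpoint}\"\$" "$env_file"
}
```

Run it while the Kubelet is stopped, then start the Kubelet as in the steps above; restoring the .bak file reverts the change.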

Conclusion

Kubernetes v1.24 removed the Dockershim component that previously provided CRI compliance for the Docker Engine. While the latest clusters will not be affected, you should check whether you are using Dockershim before upgrading to the new version.

The runtime to switch to depends on how you are currently using your cluster. containerd is usually a good choice if you don’t use Docker features. You can use cri-dockerd to restore Dockershim-like integration if you need to maintain compatibility with existing Docker Engine based tools. This also helps if you mount the Docker daemon socket (/var/run/docker.sock) into your containers to power in-container docker workflows.

Removing Dockershim does not affect how container images are created and used. Kubernetes can still run images created with docker build, and they are compatible with all supported runtimes. CRI runtimes work with any OCI-format image, as output by Docker and other image builders.




