From dbcda4a8ca2c281ec83ba7e8d641611a77c72cd3 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 3 Nov 2024 12:21:01 -0600
Subject: [PATCH] tf/userdata: Configure CRI-O to use crun
By default, CRI-O uses `runc` as the container runtime. `runc` does not support user namespaces, though, so we have to use `crun`, which does.
---
 terraform/terraform.tfstate | 12 ++++++------
 terraform/userdata.yml | 10 ++++++++++
 2 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/terraform/terraform.tfstate b/terraform/terraform.tfstate
index 328a4e1..3c6c8db 100644
--- a/terraform/terraform.tfstate
+++ b/terraform/terraform.tfstate
@@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.6.2", - "serial": 112, + "serial": 114, "lineage": "a100be74-c98e-0769-2d6a-bf6a2c5f3ebf", "outputs": {}, "resources": [
@@ -107,9 +107,9 @@ "schema_version": 0, "attributes": { "account_id": "566967686773", - "arn": "arn:aws:sts::566967686773:assumed-role/dynk8s-terraform/aws-go-sdk-1730658679873394534", + "arn": "arn:aws:sts::566967686773:assumed-role/dynk8s-terraform/aws-go-sdk-1730658692504527073", "id": "566967686773", - "user_id": "AROAYIAPIKZ25DFDOYZHT:aws-go-sdk-1730658679873394534" + "user_id": "AROAYIAPIKZ25DFDOYZHT:aws-go-sdk-1730658692504527073" }, "sensitive_attributes": [] }
@@ -380,7 +380,7 @@ "capacity_reservation_specification": [], "cpu_options": [], "credit_specification": [], - "default_version": 31, + "default_version": 32, "description": "", "disable_api_stop": false, "disable_api_termination": false,
@@ -403,7 +403,7 @@ "instance_type": "c7gd.xlarge", "kernel_id": "", "key_name": "dustin@rosalina", - "latest_version": 31, + "latest_version": 32, "license_specification": [], "maintenance_options": [], "metadata_options": [],
@@ -427,7 +427,7 @@ "tags": {}, "tags_all": {}, "update_default_version": true, - "user_data": "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", + "user_data": "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", "vpc_security_group_ids": [] }, "sensitive_attributes": [],
diff --git a/terraform/userdata.yml b/terraform/userdata.yml
index 55035b5..05a2370 100644
--- a/terraform/userdata.yml
+++ b/terraform/userdata.yml
@@ -5,6 +5,7 @@ bootcmd:
 packages:
 - cri-o
 - cri-tools
+- crun
 - ethtool
 - iptables-nft
 - iscsi-initiator-utils
@@ -26,6 +27,15 @@ write_files:
 net.bridge.bridge-nf-call-iptables = 1
 net.bridge.bridge-nf-call-ip6tables = 1
 net.ipv4.ip_forward = 1
+- path: /etc/crio/crio.conf.d/10-crio-crun.conf
+ content: |+
+ [crio.runtime]
+ default_runtime = "crun"
+
+ [crio.runtime.runtimes.crun]
+ runtime_path = "/usr/bin/crun"
+ runtime_type = "oci"
+ runtime_root = "/run/crun"
 - path: /var/lib/cloud/scripts/per-instance/kubeadm-join
 permissions: '0755'
 content: |+
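Review bot: The `10-crio-crun.conf` drop-in added in the `write_files` hunk switches `default_runtime` for every pod on the node, yet the file itself carries no comment saying why; the user-namespace rationale exists only in the commit message. I would open the `content` block with a line such as `# crun is the default because pods using user namespaces (hostUsers: false) need it`, so the override is understood by whoever audits the node config later. The setting only makes user namespaces available: pods keep sharing the host user namespace unless their spec opts in, so it should not be read as an isolation control on its own. The entry also leaves the file mode to cloud-init's default, unlike the `kubeadm-join` entry after it; an explicit `permissions: '0644'` would make the intent visible. The `write_files` list begins and continues outside the hunk.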