Is gvisor supported for docker as container_manager in kubernetes

[anvitha haviligi]

Hi All,

I have installed kubernetes 1.21 version with docker as a container manager and installed gvisor(used link https://gvisor.dev/docs/user_guide/install/ to install).

deployed runtimeclass - success

tried to create pod with handler as runsc, observing below issues

 Type     Reason                  Age                   From               Message
  ----     ------                  ----                  ----               -------
  Normal   Scheduled               18m                   default-scheduler  Successfully assigned default/gvisortest to robin75-m1.rma.lan
  Warning  FailedCreatePodSandBox  3m22s (x70 over 18m)  kubelet            Failed to create pod sandbox: rpc error: code = Unknown desc = Exception calling application: ErrorUnknown:StatusCode.UNKNOWN:RuntimeHandler "runsc" not supported

The same thing works with docker.

 docker run --name=testc1 --runtime=runsc -d dockerregistry.com:5000/praqma/network-multitool

please let me know if any configurations need to be applied in Kubernetes.

Note : /etc/docker/daemon.json also configured with runsc.

Regards,

Anvitha

[Ayush Ranjan]

Hi Anvitha,

Can you tell what error `docker run` throws? Also can you show the runsc runtime configured in /etc/docker/daemon.json? Did you reload the docker daemon with `sudo systemctl restart docker`? 

--
You received this message because you are subscribed to the Google Groups "gVisor Users [Public]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gvisor-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gvisor-users/c4acf6ea-0899-4113-92a1-402ac5aabcd1n%40googlegroups.com.

[Zach Koopmans]

Hi Anvitha,

I'm really only familiar w/ the contained side of things (I'll get to Docker...bear with me), but w/ containerd you need...

1) a RuntimeClass kind registered in your k8s cluster.

2) an entry in your containerd config (the Configure containerd section of the containerd Quickstart Guide)

3) an optional file w/ runsc flags set

Then your pods specs are annotated w/ runtimeClassName: gvisor

The names on all of the above need to be consistent, so the kind, the entry in containerd, and the annotation must be the same.

So for your docker example, I'm guessing what is missing is 2), and that error message looks like that's what's missing. 2) acutally tells the cluster which nodes can handle the runtimeClass.

Are you working w/ "Docker Engine" or how is your system setup? Can you point me to documentation you're looking at for your general setup?

Zach

[Ian Lewis]

Hi Anvitha,

> I have installed kubernetes 1.21 version with docker as a container manager 

Just to clarify, does this mean that you are using dockershim and not containerd? I believe you can check this by checking if dockershim is running, or by checking the value set on the --container-runtime-endpoint kubelet flag on your nodes.

Dockershim was deprecated in Kubernetes 1.20 and was removed in 1.24. You can read more about the deprecation in this blog post: https://kubernetes.io/blog/2020/12/02/dont-panic-kubernetes-and-docker/

...and in this FAQ: https://kubernetes.io/blog/2022/02/17/dockershim-faq/

This article will also help you understand if the upgrade affects you: https://kubernetes.io/docs/tasks/administer-cluster/migrating-from-dockershim/check-if-dockershim-removal-affects-you/

Dockershim was replaced by an API called the Container Runtime Interface (CRI). You'll get the best experience by using containerd w/ gVisor since containerd has the best support for CRI and RuntimeClass.

The easiest way to upgrade is usually to simply upgrade Kubernetes as new versions of Kubernetes use CRI by default.

Regards,

Ian