Home Explore Blog CI



kubernetes
4th chunk of `content/en/blog/_posts/2016-12-00-Container-Runtime-Interface-Cri-In-Kubernetes.md`
56c8e1a5e1df74e7f19c55d082ad5c3aa7fb66f51a529e500000000100000e7e
    rpc ExecSync(ExecSyncRequest) returns (ExecSyncResponse) {}  
    // Exec prepares a streaming endpoint to execute a command in the container.  
    rpc Exec(ExecRequest) returns (ExecResponse) {}  
    // Attach prepares a streaming endpoint to attach to a running container.  
    rpc Attach(AttachRequest) returns (AttachResponse) {}  
    // PortForward prepares a streaming endpoint to forward ports from a PodSandbox.  
    rpc PortForward(PortForwardRequest) returns (PortForwardResponse) {}

    ...  
}
 ```



Kubernetes provides features (e.g. kubectl exec/attach/port-forward) for users to interact with a pod and the containers in it. Kubelet today supports these features either by invoking the container runtime’s native method calls or by using the tools available on the node (e.g., nsenter and socat). Using tools on the node is not a portable solution because most tools assume the pod is isolated using Linux namespaces. In CRI, we explicitly define these calls in the API to allow runtime-specific implementations.



Another potential issue with the kubelet implementation today is that kubelet handles the connection of all streaming requests, so it can become a bottleneck for the network traffic on the node. When designing CRI, we incorporated this feedback to allow runtimes to eliminate the middleman. The container runtime can start a separate streaming server upon request (and can potentially account the resource usage to the pod!), and return the location of the server to kubelet. Kubelet then returns this information to the Kubernetes API server, which opens a streaming connection directly to the runtime-provided server and connects it to the client.



There are many other aspects of CRI that are not covered in this blog post. Please see the list of [design docs and proposals](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/container-runtime-interface.md#design-docs-and-proposals) for all the details.



**Current status**

Although CRI is still in its early stages, there are already several projects under development to integrate container runtimes using CRI. Below are a few examples:



- [cri-o](https://cri-o.io/): OCI conformant runtimes.
- [rktlet](https://github.com/kubernetes-incubator/rktlet): the rkt container runtime.
- [frakti](https://github.com/kubernetes/frakti): hypervisor-based container runtimes.
- [docker CRI shim](https://github.com/kubernetes/kubernetes/tree/release-1.5/pkg/kubelet/dockershim).



If you are interested in trying these alternative runtimes, you can follow the individual repositories for the latest progress and instructions.




For developers interested in integrating a new container runtime, please see the [developer guide](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-node/container-runtime-interface.md) for the known limitations and issues of the API. We are actively incorporating feedback from early developers to improve the API. Developers should expect occasional API breaking changes (it is Alpha, after all).



**Try the new CRI-Docker integration**



Kubelet does not yet use CRI by default, but we are actively working on making this happen. The first step is to re-integrate Docker with kubelet using CRI. In the 1.5 release, we extended kubelet to support CRI, and also added a built-in CRI shim for Docker. This allows kubelet to start the gRPC server on Docker’s behalf. To try out the new kubelet-CRI-Docker integration, you simply have to start the Kubernetes API server with --feature-gates=StreamingProxyRedirects=true to enable the new streaming redirect feature, and then start the kubelet with --experimental-cri=true.
Title: CRI Implementation Details, Current Status, and Docker Integration
Summary
CRI explicitly defines exec/attach/port-forward calls for runtime-specific implementations. It allows container runtimes to eliminate the kubelet bottleneck for streaming requests by starting a separate streaming server. Several projects are under development to integrate container runtimes using CRI, including cri-o, rktlet, frakti, and a Docker CRI shim. Developers can integrate new runtimes but should expect API changes. Kubelet doesn't use CRI by default, but CRI-Docker integration is available by enabling feature gates and experimental CRI.