use cri-o to run pod and container when `cgroup_manager=systemd`


I successfully used cri-o to run a pod and container, following the guide and tutorial, whose default cgroup_manager is cgroupfs.

Then I tried to set cgroup_manager = "systemd" in /etc/crio/crio.conf and restart the crio service.

Then I tried the same steps as in the tutorial:

POD_ID=$(sudo crictl runp test/testdata/sandbox_config.json)

I got the error below:

FATA[0000] run pod sandbox failed: rpc error: code = Unknown desc = cri-o configured with systemd cgroup manager, but did not receive slice as parent: /Burstable/pod_123-456

The sandbox_config.json is the same as sandbox_config.json.

How can I use cri-o to start a pod and container when cgroup_manager=systemd? Is there a sample?

When you switch the cgroup manager to systemd in /etc/crio/crio.conf, you have to modify the pod yaml/json to give the cgroup_parent a slice instead. So in your sandbox_config.json change

"linux": {
        "cgroup_parent": "/Burstable/pod_123-456",

to something like this

"linux": {
        "cgroup_parent": "podabc.slice",

Try re-creating your pod and it should start up fine now.
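A pre-flight check for the mismatch described in this answer, as an added example that is not part of the original answer or of CRI-O's code. The function names are hypothetical, the sample configs are constructed from the values quoted on this page, and the cgroupfs-side rejection is assumed by symmetry with the error message in the question.

```python
import json
import posixpath

# Constructed samples: the failing cgroup_parent from the question, the slice
# suggested in the answer, and a config that sets no parent at all.
FAILING = '{"linux": {"cgroup_parent": "/Burstable/pod_123-456"}}'
FIXED = '{"linux": {"cgroup_parent": "podabc.slice"}}'
EMPTY = '{"linux": {}}'


def check_cgroup_parent(config_text, cgroup_manager):
    """Return (ok, message) for a sandbox config under the given manager."""
    config = json.loads(config_text)
    parent = config.get("linux", {}).get("cgroup_parent", "")
    if not parent:
        return True, "no cgroup_parent set"
    is_slice = posixpath.basename(parent).endswith(".slice")
    if cgroup_manager == "systemd" and not is_slice:
        return False, f"systemd manager needs a *.slice parent, got {parent!r}"
    # Assumption: the reverse mismatch is rejected as well.
    if cgroup_manager == "cgroupfs" and is_slice:
        return False, f"cgroupfs manager needs a path parent, got {parent!r}"
    return True, f"{parent!r} matches cgroup_manager={cgroup_manager}"


def slice_to_path(slice_name):
    """Expand a systemd slice name into its nested cgroup directory path.

    systemd encodes the hierarchy in the unit name: each '-' adds one level,
    so 'a-b.slice' lives at '/a.slice/a-b.slice'.
    """
    if not slice_name.endswith(".slice"):
        raise ValueError(f"not a slice unit: {slice_name!r}")
    if slice_name == "-.slice":  # the root slice
        return "/"
    parts = slice_name[: -len(".slice")].split("-")
    levels = ["-".join(parts[: i + 1]) + ".slice" for i in range(len(parts))]
    return "/" + "/".join(levels)


if __name__ == "__main__":
    for name, text in (("failing", FAILING), ("fixed", FIXED), ("empty", EMPTY)):
        for manager in ("systemd", "cgroupfs"):
            print(name, manager, check_cgroup_parent(text, manager))
    print(slice_to_path("kubepods-burstable-pod123.slice"))
```

Running the check before `crictl runp` shows which configs the current `cgroup_manager` setting will accept, and `slice_to_path` shows where under the cgroup filesystem the pod's limits will actually be applied.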


I have found a successful demo in crictl.md.

I think it may be that the linux cgroup config in sandbox_config.json above is not suitable for systemd.

$ cat pod-config.json
{
    "metadata": {
        "name": "nginx-sandbox",
        "namespace": "default",
        "attempt": 1,
        "uid": "hdishd83djaidwnduwk28bcsb"
    },
    "log_directory": "/tmp",
    "linux": {
    }
}

$ cat container-config.json
{
  "metadata": {
      "name": "busybox"
  },
  "image":{
      "image": "busybox"
  },
  "command": [
      "top"
  ],
  "log_path":"busybox/0.log",
  "linux": {
  }
}

However, I still don't know how to configure the linux.* section in sandbox_config.json for systemd.


One thing I've had to do is set my cgroup-manager for crictl to systemd in crictl.yaml:

runtime-endpoint: unix:///var/run/crio/crio.sock
cgroup-manager: systemd

As I understand it, you don't need to specify a cgroup in the pod config (you can, but it's not required). CRI-O and crictl just have to be asking for the same cgroup hierarchy.
