Merge pull request #12900 from AkihiroSuda/rootless-crio

Support CRI-O runtime with Rootless Docker driver (`--driver=docker --container-runtime=cri-o`)

cmd/minikube/cmd/start_flags.go

@@ -509,9 +509,8 @@ func generateNewConfigFromFlags(cmd *cobra.Command, k8sVersion string, drvName s
 			exit.Message(reason.Usage, "Ensure your {{.driver_name}} is running and is healthy.", out.V{"driver_name": driver.FullName(drvName)})
 		}
 		if si.Rootless {
-			if cc.KubernetesConfig.ContainerRuntime != "containerd" {
-				exit.Message(reason.Usage, "Container runtime must be set to \"containerd\" for rootless")
-				// TODO: support cri-o (https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#configuring-cri)
+			if cc.KubernetesConfig.ContainerRuntime == "docker" {
+				exit.Message(reason.Usage, "--container-runtime must be set to \"containerd\" or \"cri-o\" for rootless")
 			}
 			// KubeletInUserNamespace feature gate is essential for rootless driver.
 			// See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/

pkg/minikube/cruntime/crio.go

@@ -22,6 +22,7 @@ import (
 	"os"
 	"os/exec"
 	"path"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -147,11 +148,50 @@ func enableIPForwarding(cr CommandRunner) error {
 	return nil
 }
 
+// enableRootless enables configurations for running CRI-O in Rootless Docker.
+//
+// 1. Create /etc/systemd/system/crio.service.d/10-rootless.conf to set _CRIO_ROOTLESS=1
+// 2. Create /etc/crio/crio.conf.d/10-fuse-overlayfs.conf to enable fuse-overlayfs
+// 3. Reload systemd
+//
+// See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-in-userns/#configuring-cri
+func (r *CRIO) enableRootless() error {
+	files := map[string]string{
+		"/etc/systemd/system/crio.service.d/10-rootless.conf": `[Service]
+Environment="_CRIO_ROOTLESS=1"
+`,
+		"/etc/crio/crio.conf.d/10-fuse-overlayfs.conf": `[crio]
+storage_driver = "overlay"
+storage_option = ["overlay.mount_program=/usr/local/bin/fuse-overlayfs"]
+`,
+	}
+	for target, content := range files {
+		targetDir := filepath.Dir(target)
+		c := exec.Command("sudo", "mkdir", "-p", targetDir)
+		if _, err := r.Runner.RunCmd(c); err != nil {
+			return errors.Wrapf(err, "failed to create directory %q", targetDir)
+		}
+		asset := assets.NewMemoryAssetTarget([]byte(content), target, "0644")
+		err := r.Runner.Copy(asset)
+		asset.Close()
+		if err != nil {
+			return errors.Wrapf(err, "failed to create %q", target)
+		}
+	}
+	// reload systemd to apply our changes on /etc/systemd
+	if err := r.Init.Reload("crio"); err != nil {
+		return err
+	}
+	if r.Init.Active("crio") {
+		if err := r.Init.Restart("crio"); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 // Enable idempotently enables CRIO on a host
 func (r *CRIO) Enable(disOthers, forceSystemd, inUserNamespace bool) error {
-	if inUserNamespace {
-		return errors.New("inUserNamespace must not be true for cri-o (yet)")
-	}
 	if disOthers {
 		if err := disableOthers(r, r.Runner); err != nil {
 			klog.Warningf("disableOthers: %v", err)
@@ -171,6 +211,12 @@ func (r *CRIO) Enable(disOthers, forceSystemd, inUserNamespace bool) error {
 			return err
 		}
 	}
+	if inUserNamespace {
+		if err := r.enableRootless(); err != nil {
+			return err
+		}
+	}
+	// NOTE: before we start crio explicitly here, crio might be already started automatically
 	return r.Init.Start("crio")
 }
 

site/content/en/docs/drivers/includes/docker_usage.inc

@@ -32,7 +32,7 @@ docker context use rootless
 minikube start --driver=docker --container-runtime=containerd
 ```
 
-The `--container-runtime` flag must be currently set to "containerd".
+The `--container-runtime` flag must be set to "containerd" or "cri-o".
 
 The restrictions of rootless `kind` apply to minikube with rootless docker as well.