Enable CRI plugin in containerd

[dongsupark]

Recent discussions in Lokomotive remind me of the complicated history of containerd/cri in Flatcar.
By default, upstream containerd disables the CRI plugin. Its reasons: conflicts with listening ports moby/moby#37507 . However, at the moment, I am not sure if the issue would be still valid.
As a result a vanilla containerd installation results in disabled_plugins = ["cri"].

In Flatcar Stable-Alpha, to be able to directly communicate to containerd, users need to change the config /etc/containerd/config.toml to disabled_plugins = []. Then the CRI plugin gets enabled.
On the other hand, Edge already enables the CRI plugin. A rough plan was to experiment the new config, and later to move the change to Alpha. However that has never happend.
That is why nowadays users still need to manually configure containerd for CRI purpose.
We should consider enabling the CRI plugin in containerd, for Alpha, Beta, and Stable.

[invidian]

I just tested in on beta channel:

core@controller01 ~ $ cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=2705.1.0
VERSION_ID=2705.1.0
BUILD_ID=2020-11-30-1851
PRETTY_NAME="Flatcar Container Linux by Kinvolk 2705.1.0 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar-linux.org/"
BUG_REPORT_URL="https://issues.flatcar-linux.org"
FLATCAR_BOARD="amd64-usr"
core@controller01 ~ $ cat /etc/flatcar/update.conf
GROUP=beta

And with the following configuration applied, nothing is listening for me neither on all IPs or on port 10010:

# persistent data location
root = "/var/lib/containerd"
# runtime state information
state = "/run/docker/libcontainerd/containerd"
# set containerd as a subreaper on linux when it is not running as PID 1
subreaper = true
# set containerd's OOM score
oom_score = -999
# CRI plugin listens on a TCP port by default
disabled_plugins = []

# grpc configuration
[grpc]
address = "/run/docker/libcontainerd/docker-containerd.sock"
# socket uid
uid = 0
# socket gid
gid = 0

[plugins.linux]
# shim binary name/path
shim = "containerd-shim"
# runtime binary name/path
runtime = "runc"
# do not use a shim when starting containers, saves on memory but
# live restore is not supported
no_shim = false
# display shim logs in the containerd daemon's log output
shim_debug = true

Diff from base config:

diff --git a/run/torcx/unpack/docker/usr/share/containerd/config.toml b/etc/containerd/config.toml
index 2b37f3c..54969bd 100644
--- a/run/torcx/unpack/docker/usr/share/containerd/config.toml
+++ b/etc/containerd/config.toml
@@ -7,7 +7,7 @@ subreaper = true
 # set containerd's OOM score
 oom_score = -999
 # CRI plugin listens on a TCP port by default
-disabled_plugins = ["cri"]
+disabled_plugins = []

 # grpc configuration
 [grpc]

Output from ss:

Netid State  Recv-Q Send-Q     Local Address:Port  Peer Address:PortProcess
udp   UNCONN 0      0      192.168.50.2%eth0:68         0.0.0.0:*    users:(("systemd-network",pid=720,fd=18))
tcp   LISTEN 0      4096           127.0.0.1:40043      0.0.0.0:*    users:(("containerd",pid=797,fd=12))
tcp   LISTEN 0      4096                   *:22               *:*    users:(("systemd",pid=1,fd=53))

Looks to me that CRI can be enabled without major side-effects 🎉

[pothos]

Docs to enable CRI manually are published under https://kinvolk.io/docs/flatcar-container-linux/latest/container-runtimes/switching-from-docker-to-containerd-for-kubernetes/