OKD-294: Migrate runtime from runc to crun on an upgrade for OKD

Prashanth684 · Prashanth684 · commit 2c633718de5b · 2025-11-03T15:51:31.000-08:00
Centos stream 10 dopped the runc package. For now OKD users are
following the workaround to edit the MC to point to crun before the
upgrade, but this should help with the migration rather than having to
intervene manually.

This PR:
- checks for presence of the configmap
- if MCO is built for OKD, edit the MC so the runtime is crun.
- deletes the configmap
diff --git a/pkg/controller/container-runtime-config/container_runtime_config_controller.go b/pkg/controller/container-runtime-config/container_runtime_config_controller.go
@@ -60,7 +60,8 @@ const (
 	// 5ms, 10ms, 20ms, 40ms, 80ms, 160ms, 320ms, 640ms, 1.3s, 2.6s, 5.1s, 10.2s, 20.4s, 41s, 82s
 	maxRetries = 15
 
-	builtInLabelKey = "machineconfiguration.openshift.io/mco-built-in"
+	builtInLabelKey    = "machineconfiguration.openshift.io/mco-built-in"
+	forceSyncOnUpgrade = "force-sync-on-upgrade"
 )
 
 var (
@@ -79,6 +80,7 @@ type Controller struct {
 	templatesDir string
 
 	client        mcfgclientset.Interface
+	kubeClient    clientset.Interface
 	configClient  configclientset.Interface
 	eventRecorder record.EventRecorder
 
@@ -148,6 +150,7 @@ func New(
 	ctrl := &Controller{
 		templatesDir:  templatesDir,
 		client:        mcfgClient,
+		kubeClient:    kubeClient,
 		configClient:  configClient,
 		eventRecorder: ctrlcommon.NamespacedEventRecorder(eventBroadcaster.NewRecorder(scheme.Scheme, corev1.EventSource{Component: "machineconfigcontroller-containerruntimeconfigcontroller"})),
 		queue: workqueue.NewTypedRateLimitingQueueWithConfig(
@@ -213,6 +216,7 @@ func New(
 
 	ctrl.clusterVersionLister = clusterVersionInformer.Lister()
 	ctrl.clusterVersionListerSynced = clusterVersionInformer.Informer().HasSynced
+	ctrl.queue.Add(forceSyncOnUpgrade)
 
 	ctrl.fgHandler = fgHandler
 
@@ -596,6 +600,84 @@ func (ctrl *Controller) addAnnotation(cfg *mcfgv1.ContainerRuntimeConfig, annota
 	return annotationUpdateErr
 }
 
+// migrateRuncToCrun performs the upgrade migration from runc to crun as the default container runtime.
+// This function checks for the existence of the crio-default-container-runtime ConfigMap. If it exists,
+// it updates the MachineConfigs for master and worker pools to use crun instead of runc, then deletes
+// the ConfigMap to prevent re-running the migration.
+func (ctrl *Controller) migrateRuncToCrun() error {
+	// Check if the migration ConfigMap exists
+	_, err := ctrl.kubeClient.CoreV1().ConfigMaps(ctrlcommon.MCONamespace).Get(context.TODO(), "crio-default-container-runtime", metav1.GetOptions{})
+	if errors.IsNotFound(err) {
+		// ConfigMap doesn't exist, no migration needed
+		return nil
+	}
+	if err != nil {
+		return fmt.Errorf("error checking for crio-default-container-runtime configmap: %w", err)
+	}
+
+	klog.Info("Found crio-default-container-runtime ConfigMap, starting migration from runc to crun")
+
+	// Get all MachineConfigPools
+	pools, err := ctrl.mcpLister.List(labels.Everything())
+	if err != nil {
+		return fmt.Errorf("error listing MachineConfigPools: %w", err)
+	}
+
+	// Only process master and worker pools for the migration
+	for _, pool := range pools {
+		if pool.Name != "master" && pool.Name != "worker" {
+			continue
+		}
+
+		// Get the MachineConfig name for this pool
+		mcName := fmt.Sprintf("00-override-%s-generated-crio-default-container-runtime", pool.Name)
+
+		// Get the existing MachineConfig
+		mc, err := ctrl.client.MachineconfigurationV1().MachineConfigs().Get(context.TODO(), mcName, metav1.GetOptions{})
+		if errors.IsNotFound(err) {
+			klog.Infof("MachineConfig %s not found, skipping migration for pool %s", mcName, pool.Name)
+			continue
+		}
+		if err != nil {
+			return fmt.Errorf("error getting MachineConfig %s: %w", mcName, err)
+		}
+
+		// Create the new crun configuration file
+		configFileList := createDefaultContainerRuntimeFile()
+
+		// Create the new Ignition config
+		ctrRuntimeConfigIgn := createNewIgnition(configFileList)
+		rawCtrRuntimeConfigIgn, err := json.Marshal(ctrRuntimeConfigIgn)
+		if err != nil {
+			return fmt.Errorf("error marshalling container runtime config Ignition: %w", err)
+		}
+
+		// Update the MachineConfig with the new crun configuration
+		mc.Spec.Config.Raw = rawCtrRuntimeConfigIgn
+		mc.SetAnnotations(map[string]string{
+			ctrlcommon.GeneratedByControllerVersionAnnotationKey: version.Hash,
+		})
+
+		// Update the MachineConfig
+		if err := retry.RetryOnConflict(updateBackoff, func() error {
+			_, err = ctrl.client.MachineconfigurationV1().MachineConfigs().Update(context.TODO(), mc, metav1.UpdateOptions{})
+			return err
+		}); err != nil {
+			return fmt.Errorf("error updating MachineConfig %s: %w", mcName, err)
+		}
+
+		klog.Infof("Successfully migrated MachineConfig %s to use crun", mcName)
+	}
+
+	// Delete the ConfigMap after successful migration
+	if err := ctrl.kubeClient.CoreV1().ConfigMaps(ctrlcommon.MCONamespace).Delete(context.TODO(), "crio-default-container-runtime", metav1.DeleteOptions{}); err != nil && !errors.IsNotFound(err) {
+		return fmt.Errorf("error deleting crio-default-container-runtime configmap: %w", err)
+	}
+
+	klog.Info("Successfully completed migration from runc to crun and deleted migration ConfigMap")
+	return nil
+}
+
 // syncContainerRuntimeConfig will sync the ContainerRuntimeconfig with the given key.
 // This function is not meant to be invoked concurrently with the same key.
 // nolint: gocyclo
@@ -606,6 +688,17 @@ func (ctrl *Controller) syncContainerRuntimeConfig(key string) error {
 		klog.V(4).Infof("Finished syncing ContainerRuntimeconfig %q (%v)", key, time.Since(startTime))
 	}()
 
+	// OKD only: Run the migration function at the start of sync
+	if version.IsSCOS() {
+		if err := ctrl.migrateRuncToCrun(); err != nil {
+			return fmt.Errorf("Error during runc to crun migration: %w", err)
+		}
+	}
+
+	if key == forceSyncOnUpgrade {
+		return nil
+	}
+
 	_, name, err := cache.SplitMetaNamespaceKey(key)
 	if err != nil {
 		return err
@@ -709,7 +802,7 @@ func (ctrl *Controller) syncContainerRuntimeConfig(key string) error {
 		}
 		_, ok := cfg.GetAnnotations()[ctrlcommon.MCNameSuffixAnnotationKey]
 		arr := strings.Split(managedKey, "-")
-		// the first managed key value 99-poolname-generated-containerruntime does not have a suffix
+		// the first managed key value 00-override-poolname-generated-containerruntime does not have a suffix
 		// set "" as suffix annotation to the containerruntime config object
 		if _, err := strconv.Atoi(arr[len(arr)-1]); err != nil && !ok {
 			if err := ctrl.addAnnotation(cfg, ctrlcommon.MCNameSuffixAnnotationKey, ""); err != nil {
diff --git a/pkg/controller/container-runtime-config/helpers.go b/pkg/controller/container-runtime-config/helpers.go
@@ -49,12 +49,13 @@ const (
 	policyConfigPath                       = "/etc/containers/policy.json"
 	// CRIODropInFilePathLogLevel is the path at which changes to the crio config for log-level
 	// will be dropped in this is exported so that we can use it in the e2e-tests
-	CRIODropInFilePathLogLevel       = "/etc/crio/crio.conf.d/01-ctrcfg-logLevel"
-	crioDropInFilePathPidsLimit      = "/etc/crio/crio.conf.d/01-ctrcfg-pidsLimit"
-	crioDropInFilePathLogSizeMax     = "/etc/crio/crio.conf.d/01-ctrcfg-logSizeMax"
-	CRIODropInFilePathDefaultRuntime = "/etc/crio/crio.conf.d/01-ctrcfg-defaultRuntime"
-	imagepolicyType                  = "sigstoreSigned"
-	sigstoreRegistriesConfigFilePath = "/etc/containers/registries.d/sigstore-registries.yaml"
+	CRIODropInFilePathLogLevel                    = "/etc/crio/crio.conf.d/01-ctrcfg-logLevel"
+	crioDropInFilePathPidsLimit                   = "/etc/crio/crio.conf.d/01-ctrcfg-pidsLimit"
+	crioDropInFilePathLogSizeMax                  = "/etc/crio/crio.conf.d/01-ctrcfg-logSizeMax"
+	CRIODropInFilePathDefaultRuntime              = "/etc/crio/crio.conf.d/01-ctrcfg-defaultRuntime"
+	CRIODropInFilePathDefaultContainerRuntimeCrun = "/etc/crio/crio.conf.d/01-mc-defaultContainerRuntimeCrun"
+	imagepolicyType                               = "sigstoreSigned"
+	sigstoreRegistriesConfigFilePath              = "/etc/containers/registries.d/sigstore-registries.yaml"
 )
 
 var (
@@ -1211,3 +1212,15 @@ func imagePolicyConfigFileList(namespaceJSONs map[string][]byte) []generatedConf
 	}
 	return namespacedPolicyConfigFileList
 }
+
+// createDefaultContainerRuntimeFile creates a TOML config file for crun as the default container runtime
+func createDefaultContainerRuntimeFile() []generatedConfigFile {
+	generatedConfigFileList := make([]generatedConfigFile, 0)
+	tomlConf := tomlConfigCRIODefaultRuntime{}
+	tomlConf.Crio.Runtime.DefaultRuntime = string(mcfgv1.ContainerRuntimeDefaultRuntimeCrun)
+	generatedConfigFileList, err := addTOMLgeneratedConfigFile(generatedConfigFileList, CRIODropInFilePathDefaultContainerRuntimeCrun, tomlConf)
+	if err != nil {
+		klog.V(2).Infof("error setting default-container-runtime to crio.conf.d: %v", err)
+	}
+	return generatedConfigFileList
+}
