
quiet-memory-19288

06/16/2022, 3:34 PM
Good morning. Hey, I need to set disable_apparmor for containerd on an embedded project I am working on. Can anyone tell me how to do it, so k3s keeps my change?
[plugins.cri]
...
  disable_apparmor = true
/var/lib/rancher/k3s/agent/etc/containerd# ls config.toml config.toml.tmpl
I know I need to make a tmpl file in that folder, but if I do, it seems to break the resulting config.toml. With like the GUID k3s install path and such…. I see the Go template https://github.com/k3s-io/k3s/blob/master/pkg/agent/templates/templates_linux.go but I am not certain how to take that info and apply it in reality 🙂.
or if there is a better way? I was dreaming this would work
curl -sfL https://get.k3s.io | sh -s - --disable=traefik --disable=apparmor
But then I woke up 😉
or does everyone just copy /var/lib/rancher/k3s/agent/etc/containerd/config.toml to /var/lib/rancher/k3s/agent/etc/containerd/config.toml.tmpl? And then add your stuff and bounce the server? It would be nice to have this before k3s installs, so no entries get added to apparmor at all.
I don't want this stuff:
/var/lib/rancher/k3s/agent/etc/containerd# apparmor_status | grep containerd
   cri-containerd.apparmor.d
   /usr/bin/local-path-provisioner (24414) cri-containerd.apparmor.d
   /coredns (24479) cri-containerd.apparmor.d
   /metrics-server (24518) cri-containerd.apparmor.d

creamy-pencil-82913

06/16/2022, 6:21 PM
Copy the go template from the source code into the template file on the node, modify it as necessary, restart k3s.
You can create the file before k3s starts the first time, you just need to also create the directory manually

quiet-memory-19288

06/17/2022, 6:28 PM
ok, ty! Yeah, I also had the wrong version of the Go template. The current version doesn't work in the ‘release’ version of k3s.
this SystemdCgroup doesn't exist yet. It kinda worries me a little in keeping in sync with you guys in our CI cycle. I’ll need some way to diff that file and pull down/test changes. It would be nice if you guys exposed the variables in your main k3s config, so we could
curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true sh -s - --disable=traefik --containerD_<var>=false?
Or something like that? So we don't need to be so close with your integration.

creamy-pencil-82913

06/17/2022, 7:27 PM
Just pull the template from the same git tag as the release you're running.
If you use the template from the wrong branch yeah you're probably gonna have a bad time

quiet-memory-19288

06/22/2022, 4:57 PM
Hi again @creamy-pencil-82913, so I tested a few versions of k3s and yeah, I do see that in the last 3 versions I tested you guys changed that Go template and it breaks if I give it the wrong one every time. This kind of breaks CI/CD for me and will require a code change every single time you guys modify anything on the containerD side. For me, part of the beauty and simplicity of k3s is the ability to config what you need directly in the installer. That way the underlying implementation you choose will never affect my code. Any chance this can be a feature request:
curl -sfL https://get.k3s.io | INSTALL_K3S_SKIP_START=true sh -s - --disable=traefik --containerD_<var>=<value>
Or can you tell me how to submit it?
or maybe it can be even more generic…. so even the flavor of container doesn’t matter? Let's say for old docker only setups?
In the k3s installer code, it would simply swap out variable defaults if they are found? Just an idea?

creamy-pencil-82913

06/22/2022, 5:37 PM
The template is only used with the embedded containerd. If you use your own containerd, or docker, the template is unused because we don't manage the configuration.

quiet-memory-19288

06/22/2022, 5:48 PM
oh ok! I didn't think of that. So I could install my own containerd then and not use your version. I guess that would be a good workaround as long as I am using the same version you guys test against? Hmmm, I kinda wanted to do a pure air gap install with just your stuff in a tar file, but I could break it out…. 🤔