This guide will walk you through the installation of CRI-O, an Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface. It is assumed you are running a Linux machine.
- CRI-O Installation Instructions
- Table of Contents
- Install packaged versions of CRI-O
- Build and install CRI-O from source
- Runtime dependencies
- Build and Run Dependencies
- Get Source Code
- Build
- Static builds
- Download conmon
- Setup CNI networking
- CRI-O configuration
- Validate registries in registries.conf
- Starting CRI-O
- Using CRI-O
- Updating CRI-O
- openSUSE
- Fedora 31 or later
- Other yum based operating systems
- APT based operating systems
CRI-O builds for native package managers using openSUSE's OBS
CRI-O follows the Kubernetes support cycle of three minor releases. CRI-O also attempts to package for the following operating systems:
Fedora 31+
openSUSE
CentOS 8
CentOS 8 Stream
CentOS 7
Debian Unstable
Debian Testing
Debian 10
Debian 11
Rasbian 10
xUbuntu 22.04
xUbuntu 21.10
xUbuntu 20.04
xUbuntu 18.04
To install, choose a supported version for your operating system, and export it
as a variable, like so: export VERSION=1.19
We also save releases as subprojects. If you'd, for instance, like to use 1.19.1
you can set export VERSION=1.19:1.19.1
Packaging for CRI-O is done best-effort, and is largely driven by requests. If there's a version or operating system that is missing, please open an issue.
sudo zypper install cri-o
sudo dnf module enable cri-o:$VERSION
sudo dnf install cri-o
For Fedora, we only support setting minor versions. i.e: VERSION=1.18
,
and do not support pinning patch versions: VERSION=1.18.3
Note: as of 1.24.0, the cri-o
package no longer depends on
containernetworking-plugins
package.
Removing this dependency allows users to install their own CNI plugins without
having to remove files first.
If users want to use the previously provided CNI plugins, they should also run:
sudo dnf install containernetworking-plugins
To install on the following operating systems, set the environment variable $OS
to the appropriate value from the following table:
Operating system | $OS |
---|---|
Centos 8 | CentOS_8 |
Centos 8 Stream | CentOS_8_Stream |
Centos 7 | CentOS_7 |
And then run the following as root:
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/devel:kubic:libcontainers:stable.repo
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.repo https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/devel:kubic:libcontainers:stable:cri-o:$VERSION.repo
yum install cri-o
Note: as of 1.24.0, the cri-o
package no longer depends on
containernetworking-plugins
package.
Removing this dependency allows users to install their own CNI plugins without
having to remove files first.
If users want to use the previously provided CNI plugins, they should also run:
yum install containernetworking-plugins
Note: this tutorial assumes you have curl and gnupg installed
To install on the following operating systems, set the environment variable $OS
to the appropriate value from the following table:
Operating system | $OS |
---|---|
Debian Unstable | Debian_Unstable |
Debian Testing | Debian_Testing |
Debian 11 | Debian_11 |
Debian 10 | Debian_10 |
Raspberry Pi OS | Raspbian_10 |
Ubuntu 22.04 | xUbuntu_22.04 |
Ubuntu 21.10 | xUbuntu_21.10 |
Ubuntu 21.04 | xUbuntu_21.04 |
Ubuntu 20.10 | xUbuntu_20.10 |
Ubuntu 20.04 | xUbuntu_20.04 |
Ubuntu 18.04 | xUbuntu_18.04 |
If installing cri-o-runc (recommended), you'll need to install libseccomp >= 2.4.1. NOTE: This is not available in distros based on Debian 10(buster) or below, so buster backports will need to be enabled:
echo 'deb http://deb.debian.org/debian buster-backports main' > /etc/apt/sources.list.d/backports.list
apt update
apt install -y -t buster-backports libseccomp2 || apt update -y -t buster-backports libseccomp2
And then run the following as root:
echo "deb [signed-by=/usr/share/keyrings/libcontainers-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
echo "deb [signed-by=/usr/share/keyrings/libcontainers-crio-archive-keyring.gpg] https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
mkdir -p /usr/share/keyrings
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | gpg --dearmor -o /usr/share/keyrings/libcontainers-archive-keyring.gpg
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/Release.key | gpg --dearmor -o /usr/share/keyrings/libcontainers-crio-archive-keyring.gpg
apt-get update
apt-get install cri-o cri-o-runc
Note: We include cri-o-runc because Ubuntu and Debian include their own packaged version of runc. While this version should work with CRI-O, keeping the packaged versions of CRI-O and runc in sync ensures they work together. If you'd like to use the distribution's runc, you'll have to add the file:
[crio.runtime.runtimes.runc]
runtime_path = ""
runtime_type = "oci"
runtime_root = "/run/runc"
to /etc/crio/crio.conf.d/
Note: as of 1.24.0, the cri-o
package no longer depends on
containernetworking-plugins
package.
Removing this dependency allows users to install their own CNI plugins without
having to remove files first.
If users want to use the previously provided CNI plugins, they should also run:
apt-get install containernetworking-plugins
- runc, Clear Containers runtime, or any other OCI compatible runtime
- iproute
- iptables
Latest version of runc
is expected to be installed on the system. It is picked
up as the default runtime by CRI-O.
Fedora, RHEL 7, CentOS and related distributions:
yum install -y \
containers-common \
device-mapper-devel \
git \
glib2-devel \
glibc-devel \
glibc-static \
go \
gpgme-devel \
libassuan-devel \
libgpg-error-devel \
libseccomp-devel \
libselinux-devel \
pkgconfig \
make \
runc
Please note:
CentOS 8
(or higher):pkgconfig
package is replaced bypkgconf-pkg-config
- By default btrfs is not enabled. To add the btrfs support, install the
following package:
btrfs-progs-devel
- It is possible the distribution packaged version of runc is out of date.
- If you'd like to get the latest and greatest runc, consider using the one found in devel:kubic:libcontainers:stable
For RHEL 8 distributions (tested on RHEL 8.5).
Make sure you are subscribed to the following repositories:
- BaseOS/x86_64
- Appstream/x86_64
- CodeReady Linux Builder for x86_64
subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms
subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms
subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpms
Follow this guide to subscribe to the repositories if not already subscribed.
This requires Go version 1.18 or greater. Follow these instructions to install Go
Install dependencies:
yum install -y \
containers-common \
device-mapper-devel \
git \
make \
glib2-devel \
glibc-devel \
glibc-static \
runc
Install go-md2man:
go get github.com/cpuguy83/go-md2man
Install dependencies:
yum install -y \
libassuan \
libassuan-devel \
libgpg-error \
libseccomp \
libselinux \
pkgconf-pkg-config \
gpgme-devel
On Debian, Raspbian and Ubuntu distributions, enable the Kubic project
repositories (for containers-common
and cri-o-runc
packages) and install the following packages:
apt update -qq && \
# For Debian 10(buster) or below: use "apt install -t buster-backports"
apt install -y \
btrfs-tools \
containers-common \
git \
golang-go \
libassuan-dev \
libdevmapper-dev \
libglib2.0-dev \
libc6-dev \
libgpgme11-dev \
libgpg-error-dev \
libseccomp-dev \
libsystemd-dev \
libbtrfs-dev \
libselinux1-dev \
pkg-config \
go-md2man \
cri-o-runc \
libudev-dev \
software-properties-common \
gcc \
make
apt-get update -qq && apt-get install -y \
libbtrfs-dev \
containers-common \
git \
golang-go \
libassuan-dev \
libdevmapper-dev \
libglib2.0-dev \
libc6-dev \
libgpgme-dev \
libgpg-error-dev \
libseccomp-dev \
libsystemd-dev \
libselinux1-dev \
pkg-config \
go-md2man \
cri-o-runc \
libudev-dev \
software-properties-common \
gcc \
make
Caveats and Notes:
If using an older release or a long-term support release, be careful to
double-check that the version of runc
is new enough (running runc --version
should produce spec: 1.0.0
or greater), or else build your own.
Be careful to double-check that the version of golang is new enough, version 1.12.x or higher is required. If needed, newer golang versions are available at the official download website.
Clone the source code using:
git clone https://github.com/cri-o/cri-o # or your fork
cd cri-o
Make sure your CRI-O
and kubernetes
versions are of matching major versions.
For instance, if you want to be compatible with the latest kubernetes release,
you'll need to use the latest tagged release of CRI-O
on branch release-1.18
.
To install with default buildtags using seccomp, use:
make
sudo make install
Otherwise, if you do not want to build CRI-O
with seccomp support you can add
BUILDTAGS=""
when running make.
make BUILDTAGS=""
sudo make install
An Ansible Role is also available to automate the above steps:
sudo su -
mkdir -p ~/.ansible/roles
cd ~/.ansible/roles
git clone https://github.com/alvistack/ansible-role-cri_o.git cri_o
cd ~/.ansible/roles/cri_o
pip3 install --upgrade --ignore-installed --requirement requirements.txt
molecule converge
molecule verify
CRI-O
supports optional build tags for compiling support of various features.
To add build tags to the make option the BUILDTAGS
variable must be set.
make BUILDTAGS='seccomp apparmor'
Build Tag | Feature | Dependency |
---|---|---|
seccomp | syscall filtering | libseccomp |
selinux | selinux process and mount labeling | libselinux |
apparmor | apparmor profile support |
CRI-O
manages images with containers/image,
which uses the following buildtags.
Build Tag | Feature | Dependency |
---|---|---|
containers_image_openpgp | use native golang pgp instead of cgo | |
containers_image_ostree_stub | disable use of ostree as an image transport |
CRI-O
also uses containers/storage for managing container storage.
Build Tag | Feature | Dependency |
---|---|---|
exclude_graphdriver_btrfs | exclude btrfs as a storage option | |
btrfs_noversion | for building btrfs version < 3.16.1 | btrfs |
exclude_graphdriver_devicemapper | exclude devicemapper as a storage option | |
libdm_no_deferred_remove | don't compile deferred remove with devicemapper | devicemapper |
exclude_graphdriver_overlay | exclude overlay as a storage option | |
ostree | build storage using ostree | ostree |
It is possible to build a statically linked binary of CRI-O by using the
officially provided nix package and the derivation of
it within this repository. The builds are completely reproducible and
will create a x86_64
/amd64
or aarch64
/arm64
or ppc64le
stripped ELF
binary for glibc. These binaries are integration
tested as well and support the following features:
- apparmor
- btrfs
- device mapper
- gpgme
- seccomp
- selinux
To build the binaries locally either install the nix package
manager or use the make build-static
target which relies on the nixos/nix container image.
The overall build process can take a tremendous amount of CPU time depending on the hardware. The resulting binaries should now be available within:
bin/static/crio
To build the binaries without any prepared container and via the already installed nix package manager, simply run the following command from the root directory of this repository:
nix build -f nix
The resulting binaries should be now available in result/bin
. To build the arm
variant of the binaries, just run:
nix build -f nix/default-arm64.nix
Similarly, the ppc64le variant of binaries can be built using:
nix build -f nix/default-ppc64le.nix
A release bundle consists of all static binaries, the man pages and
configuration files like 00-default.conf
. The release-bundle
target can be
used to build a new release archive within the current repository:
make release-bundle
…
Created ./bundle/cri-o.amd64.v1.20.0.tar.gz
conmon is a per-container daemon that
CRI-O
uses to monitor container logs and exit information.
conmon
needs to be downloaded with CRI-O
.
running:
git clone https://github.com/containers/conmon
cd conmon
make
sudo make install
will download conmon to your $PATH.
A proper description of setting up CNI networking is given in the
contrib/cni
README. But the gist is that you need to
have some basic network configurations enabled and CNI plugins installed on
your system.
If you are installing for the first time, generate and install configuration files with:
sudo make install.config
Edit /etc/containers/registries.conf
and verify that the registries option has
valid values in it. For example:
[registries.search]
registries = ['registry.access.redhat.com', 'registry.fedoraproject.org', 'quay.io', 'docker.io']
[registries.insecure]
registries = []
[registries.block]
registries = []
For more information about this file see registries.conf(5).
Users can modify the log_level
by specifying an overwrite like
/etc/crio/crio.conf.d/01-log-level.conf
to change the verbosity of
the logs. Options are fatal, panic, error, warn, info (default), debug and
trace.
[crio.runtime]
log_level = "info"
By default, CRI-O
uses the following capabilities:
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FSETID",
"FOWNER",
"SETGID",
"SETUID",
"SETPCAP",
"NET_BIND_SERVICE",
"KILL",
]
and no sysctls
default_sysctls = [
]
Users can change either default by adding overwrites to /etc/crio/crio.conf.d
.
Running make install will download CRI-O into the folder
/usr/local/bin/crio
You can run it manually there, or you can set up a systemd unit file with:
sudo make install.systemd
And let systemd take care of running CRI-O:
sudo systemctl daemon-reload
sudo systemctl enable crio
sudo systemctl start crio
- Follow this tutorial to quickly get started running simple pods and containers.
- To run a full cluster, see the instructions.
- To run with kubeadm, see kubeadm instructions.
sudo zypper update
sudo zypper update cri-o
sudo dnf update
sudo dnf update cri-o
sudo yum update
sudo yum update cri-o
If updating to a patch version (for example, VERSION=1.8.3
), run
apt update cri-o cri-o-runc
Otherwise, be sure that the environment variable $OS
is set to the
appropriate value from the following table for your operating system.
To install on the following operating systems, set the environment variable $OS
to the appropriate value from the following table:
Operating system | $OS |
---|---|
Debian Unstable | Debian_Unstable |
Debian Testing | Debian_Testing |
Debian 11 | Debian_11 |
Debian 10 | Debian_10 |
Ubuntu 22.04 | xUbuntu_22.04 |
Ubuntu 21.10 | xUbuntu_21.10 |
Ubuntu 21.04 | xUbuntu_21.04 |
Ubuntu 20.10 | xUbuntu_20.10 |
Ubuntu 20.04 | xUbuntu_20.04 |
Ubuntu 18.04 | xUbuntu_18.04 |
To upgrade, choose a supported version for your operating system,
and export it as a variable, like so:
export VERSION=1.18
, and run the following as root
rm /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list
curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
apt update
apt install cri-o cri-o-runc