This guide will walk you through the installation of CRI-O, an Open Container Initiative-based implementation of the Kubernetes Container Runtime Interface. It is assumed you are running a Linux machine.
- Install packaged versions of CRI-O
- Install CRI-O on Flatcar with Sysexts
- Build and install CRI-O from source
- Setup CNI networking
- CRI-O configuration
- Starting CRI-O
- Using CRI-O
- Updating CRI-O
CRI-O follows the Kubernetes support cycle of three minor releases. CRI-O also attempts to package generically for Debian (deb) and Red Hat (RPM) based distributions and package managers.
If there's a version or operating system that is missing, please open an issue.
For more information, please follow the instructions in the CRI-O packaging repository.
Installing CRI-O on Flatcar Container Linux with support for systemd extensions (sysexts), enabling a supported installation method for environments that utilize Flatcar.
- Flatcar Container Linux installed on your machine. (Flatcar Installation guide)
- Systemd extensions (sysexts) enabled on Flatcar Container Linux. (Enable Sysext in Flatcar)
curlorwgetfor downloading files.tarfor extracting the CRI-O binaries.sedfor editing files in-place.- Sufficient privileges (using sudo if necessary).
Please make sure you have Flatcar Container Linux installed and sysexts enabled before proceeding with the installation of CRI-O.
To install CRI-O on Flatcar Container Linux with sysexts, follow these steps:
-
Step 1: Download the installation script:
Sample extension script for installing CRI-O using sysext is here.
-
Using curl:
curl -L \ https://github.com/flatcar/sysext-bakery/blob/main/create_crio_sysext.sh \ -o create_crio_sysext.sh
-
Using wget:
wget \ https://github.com/flatcar/sysext-bakery/blob/main/create_crio_sysext.sh \ -O create_crio_sysext.sh
-
Make the script executable.
chmod +x create_crio_sysext.sh-
Step 2: Run the installation script:
Execute the script with the required arguments:
- The version of CRI-O you wish to install. (Find a specific version of CRI-O here)
- The name you wish to give to the sysext image.
- Optionally, set the
ARCHenvironment variable if you need a specific architecture.
./create_crio_sysext.sh VERSION SYSEXTNAME
Example:
./create_crio_sysext.sh 1.28.4 crio-sysext
-
Step 3: Deploy the system extension:
- Once the script completes, you will have a
.rawsysext image file named as per yourSYSEXTNAMEargument. - To deploy the system extension, move the
.rawfile to the/var/lib/extensionsdirectory on your Flatcar Container Linux system and enable it with thesystemctlcommand.
sudo mv SYSEXTNAME.raw /var/lib/extensions/ sudo systemctl enable extensions-SYSEXTNAME.slice sudo systemctl start extensions-SYSEXTNAME.slice - Once the script completes, you will have a
-
Step 4: Verify the installation:
-
Verify that the CRI-O service is running correctly.
systemctl status crio
-
Ensure that the CRI-O binaries are correctly placed and that the system recognizes the new systemd sysext image.
-
-
The script will create a temporary directory for its operations, which will be cleaned up after the sysext image is created.
-
All files within the sysext image will be owned by root.The guide assumes the default architecture is
x86-64. For ARM64 systems, passARCH=arm64as an environment variable when running the script.
- runc, crun or any other OCI compatible runtime
- iproute
- iptables
Latest version of runc is expected to be installed on the system. It is picked
up as the default runtime by CRI-O.
Fedora, RHEL 7, CentOS and related distributions:
yum install -y \
containers-common \
git \
glib2-devel \
glibc-devel \
glibc-static \
go \
gpgme-devel \
libassuan-devel \
libgpg-error-devel \
libseccomp-devel \
libselinux-devel \
pkgconfig \
make \
runcPlease note:
CentOS 8(or higher):pkgconfigpackage is replaced bypkgconf-pkg-config- By default btrfs is not enabled. To add the btrfs support, install the
following package:
btrfs-progs-devel CentOS 8:gpgme-develcan be installed with the powertools repo. (yum install -y gpgme-devel --enablerepo=powertools)CentOS 9:gpgme-develcan be installed with the CodeReadyBuilder (crb) repo. (yum install -y gpgme-devel --enablerepo=crb)- It is possible the distribution packaged version of runc is out of date.
- If you'd like to get the latest and greatest runc, consider using the one found in devel:kubic:libcontainers:stable
For RHEL 8 distributions (tested on RHEL 8.5).
Make sure you are subscribed to the following repositories:
- BaseOS/x86_64
- Appstream/x86_64
- CodeReady Linux Builder for x86_64
subscription-manager repos --enable=rhel-8-for-x86_64-baseos-rpms
subscription-manager repos --enable=rhel-8-for-x86_64-appstream-rpms
subscription-manager repos --enable=codeready-builder-for-rhel-8-x86_64-rpmsFollow this guide to subscribe to the repositories if not already subscribed.
This requires Go version 1.18 or greater. Follow these instructions to install Go
Install dependencies:
yum install -y \
containers-common \
git \
make \
glib2-devel \
glibc-devel \
glibc-static \
runcInstall go-md2man:
go get github.com/cpuguy83/go-md2manInstall dependencies:
yum install -y \
libassuan \
libassuan-devel \
libgpg-error \
libseccomp-devel \
libselinux \
pkgconf-pkg-config \
gpgme-devel \
gcc-goOn Debian, Raspbian and Ubuntu distributions, enable the Kubic project
repositories (for containers-common
and cri-o-runc packages) and install the following packages:
apt update -qq && \
# For Debian 10(buster) or below: use "apt install -t buster-backports"
apt install -y \
btrfs-tools \
containers-common \
git \
libassuan-dev \
libglib2.0-dev \
libc6-dev \
libgpgme11-dev \
libgpg-error-dev \
libseccomp-dev \
libsystemd-dev \
libbtrfs-dev \
libselinux1-dev \
pkg-config \
go-md2man \
cri-o-runc \
libudev-dev \
software-properties-common \
gcc \
makeapt-get update -qq && apt-get install -y \
libbtrfs-dev \
containers-common \
git \
libassuan-dev \
libglib2.0-dev \
libc6-dev \
libgpgme-dev \
libgpg-error-dev \
libseccomp-dev \
libsystemd-dev \
libselinux1-dev \
pkg-config \
go-md2man \
cri-o-runc \
libudev-dev \
software-properties-common \
gcc \
makeCaveats and Notes:
If using an older release or a long-term support release, be careful to
double-check that the version of runc is new enough (running runc --version
should produce spec: 1.0.0 or greater), or else build your own.
Be careful to double-check that the version of golang is new enough, version 1.12.x or higher is required. If needed, newer golang versions are available at the official download website.
Clone the source code using:
git clone https://github.com/cri-o/cri-o # or your fork
cd cri-oMake sure your CRI-O and kubernetes versions are of matching major versions.
For instance, if you want to be compatible with the latest kubernetes release,
you'll need to use the latest tagged release of CRI-O on branch release-1.18.
To install with default buildtags using seccomp, use:
make
sudo make installOtherwise, if you do not want to build CRI-O with seccomp support you can add
BUILDTAGS="" when running make.
make BUILDTAGS=""
sudo make installAn Ansible Role is also available to automate the above steps:
sudo su -
mkdir -p ~/.ansible/roles
cd ~/.ansible/roles
git clone https://github.com/alvistack/ansible-role-cri_o.git cri_o
cd ~/.ansible/roles/cri_o
pip3 install --upgrade --ignore-installed --requirement requirements.txt
molecule converge
molecule verifyCRI-O supports optional build tags for compiling support of various features.
To add build tags to the make option the BUILDTAGS variable must be set.
make BUILDTAGS='seccomp apparmor'| Build Tag | Feature | Dependency |
|---|---|---|
| seccomp | syscall filtering | libseccomp |
| selinux | selinux process and mount labeling | libselinux |
| apparmor | apparmor profile support |
CRI-O manages images with containers/image,
which uses the following buildtags.
| Build Tag | Feature | Dependency |
|---|---|---|
| containers_image_openpgp | use native golang pgp instead of cgo | |
| containers_image_ostree_stub | disable use of ostree as an image transport |
CRI-O also uses containers/storage for managing container storage.
| Build Tag | Feature | Dependency |
|---|---|---|
| exclude_graphdriver_btrfs | exclude btrfs as a storage option | |
| btrfs_noversion | for building btrfs version < 3.16.1 | btrfs |
| exclude_graphdriver_overlay | exclude overlay as a storage option | |
| ostree | build storage using ostree | ostree |
It is possible to build a statically linked binary of CRI-O by using the
officially provided nix package and the derivation of
it within this repository. The builds are completely reproducible and
will create a x86_64/amd64 or aarch64/arm64, ppc64le or s390x
stripped ELF binary for glibc or musl
libc (for s390x). These binaries are integration tested
(for amd64 and arm64) as well and support the following features:
- apparmor
- btrfs
- gpgme
- seccomp
- selinux
To build the binaries locally either install the nix package
manager or use the make build-static
target which relies on the nixos/nix container image.
The overall build process can take a tremendous amount of CPU time depending on the hardware. The resulting binaries should now be available within:
bin/static/crio
To build the binaries without any prepared container and via the already installed nix package manager, simply run the following command from the root directory of this repository:
nix build -f nixThe resulting binaries should be now available in result/bin. To build the arm
variant of the binaries, just run:
nix build -f nix/default-arm64.nixSimilarly, the ppc64le variant of binaries can be built using:
nix build -f nix/default-ppc64le.nixIn the same way, the s390x variant of binaries can be built using:
nix build -f nix/default-s390x.nixconmon is a per-container daemon that
CRI-O uses to monitor container logs and exit information.
conmon needs to be downloaded with CRI-O.
running:
git clone https://github.com/containers/conmon
cd conmon
make
sudo make installwill download conmon to your $PATH.
A proper description of setting up CNI networking is given in the
contrib/cni README. But the gist is that you need to
have some basic network configurations enabled and CNI plugins installed on
your system.
If you are installing for the first time, generate and install configuration files with:
sudo make install.configEdit /etc/containers/registries.conf and verify that the registries option has
valid values in it. For example:
[registries.search]
registries = ['registry.access.redhat.com', 'registry.fedoraproject.org', 'quay.io', 'docker.io']
[registries.insecure]
registries = []
[registries.block]
registries = []
For more information about this file see registries.conf(5).
Users can modify the log_level by specifying an overwrite like
/etc/crio/crio.conf.d/01-log-level.conf to change the verbosity of
the logs. Options are fatal, panic, error, warn, info (default), debug and
trace.
[crio.runtime]
log_level = "info"
By default, CRI-O uses the following capabilities:
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FSETID",
"FOWNER",
"SETGID",
"SETUID",
"SETPCAP",
"NET_BIND_SERVICE",
"KILL",
]
and no sysctls
default_sysctls = [
]
Users can change either default by adding overwrites to /etc/crio/crio.conf.d.
Running make install will download CRI-O into the folder
/usr/local/bin/crioYou can run it manually there, or you can set up a systemd unit file with:
sudo make install.systemdAnd let systemd take care of running CRI-O:
sudo systemctl daemon-reload
sudo systemctl enable crio
sudo systemctl start crio- Follow this tutorial to quickly get started running simple pods and containers.
- To run a full cluster, see the instructions.
- To run with kubeadm, see kubeadm instructions.
sudo zypper update
sudo zypper update cri-osudo dnf update
sudo dnf update cri-osudo yum update
sudo yum update cri-osudo apt upgrade cri-o