This guide will walk you through the installation of CRI-O, an Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.
It is assumed you are running a Linux machine.
- runc, Clear Containers runtime, or any other OCI compatible runtime
- socat
- iproute
- iptables
Latest version of runc is expected to be installed on the system. It is picked up as the default runtime by CRI-O.
Required
Fedora, CentOS, RHEL, and related distributions:
yum install -y \
btrfs-progs-devel \
containers-common \
device-mapper-devel \
git \
glib2-devel \
glibc-devel \
glibc-static \
go \
golang-github-cpuguy83-go-md2man \
gpgme-devel \
libassuan-devel \
libgpg-error-devel \
libseccomp-devel \
libselinux-devel \
pkgconfig \
runcDebian, Ubuntu, and related distributions:
# Add containers-common and cri-o-runc
apt-add-repository ppa:projectatomic/ppa
apt-get install -y \
btrfs-tools \
containers-common \
git \
golang-go \
libassuan-dev \
libdevmapper-dev \
libglib2.0-dev \
libc6-dev \
libgpgme11-dev \
libgpg-error-dev \
libseccomp-dev \
libsystemd-dev \
libselinux1-dev \
pkg-config \
go-md2man \
cri-o-runcCaveats and Notes:
If using an older release or a long-term support release, be careful to double-check that the version of runc is new enough (running runc --version should produce spec: 1.0.0), or else build your own.
Be careful to double-check that the version of golang is new enough, version 1.8.x or higher is required. If needed, golang kits are available at https://golang.org/dl/
Clone the source code using:
git clone https://github.com/cri-o/cri-o # or your fork
cd cri-oMake sure your CRI-O and kubernetes versions are of matching major versions. For instance, if you want to be compatible with the latest kubernetes release, you'll need to use the latest tagged release of CRI-O on branch release-1.14
To install with default buildtags using seccomp, use:
make
sudo make installOtherwise, if you do not want to build CRI-O with seccomp support you can add BUILDTAGS="" when running make.
make BUILDTAGS=""
sudo make installCRI-O supports optional build tags for compiling support of various features.
To add build tags to the make option the BUILDTAGS variable must be set.
make BUILDTAGS='seccomp apparmor'| Build Tag | Feature | Dependency |
|---|---|---|
| seccomp | syscall filtering | libseccomp |
| selinux | selinux process and mount labeling | libselinux |
| apparmor | apparmor profile support |
CRI-O manages images with (containers/image)[https://github.com/containers/image], which uses the following buildtags.
| Build Tag | Feature | Dependency |
|---|---|---|
| containers_image_openpgp | use native golang pgp instead of cgo | |
| containers_image_ostree_stub | disable use of ostree as an image transport |
CRI-O also uses (containers/storage)[https://github.com/containers/storage/] for managing container storage.
| Build Tag | Feature | Dependency |
|---|---|---|
| exclude_graphdriver_btrfs | exclude btrfs as a storage option | |
| btrfs_noversion | for building btrfs version < 3.16.1 | btrfs |
| exclude_graphdriver_devicemapper | exclude devicemapper as a storage option | |
| libdm_no_deferred_remove | don't compile deferred remove with devicemapper | devicemapper |
| exclude_graphdriver_overlay | exclude overlay as a storage option | |
| ostree | build storage using ostree | ostree |
It is possible to build a statically linked binary of CRI-O by using the
provided nix package within this repository.
The builds are completely reproducible and will create a x86_64/amd64
stripped ELF binary for glibc and musl
libc. These binaries are integration tested as well
and support the following features:
- apparmor
- btrfs
- device mapper
- gpgme
- seccomp
- selinux
To build the binaries locally either install the nix package
manager or setup a new container image
named crionix from the root directory of this repository by executing:
make nix-image
Please note that you can specify the container runtime and image name by specifying:
make nix-image \
CONTAINER_RUNTIME=podman \
NIX_IMAGE=crionix
The overall build process can take a tremendous amount of CPU time depending on the hardware. After the image has been successfully built, it should be possible to build the binaries:
make build-static
Note that the container runtime and nix image can be specified here, too. The resulting binaries should now be available within:
bin/crio-x86_64-static-glibcbin/crio-x86_64-static-musl
To build the binaries without any prepared container and via the already installed nix package manager, simply run the following command from the root directory of this repository:
nix-build nix
The resulting binary should be now available in result-bin/bin and
result-2-bin/bin.
A proper description of setting up CNI networking is given in the
contrib/cni README. But the gist is that you need to
have some basic network configurations enabled and CNI plugins installed on
your system.
If you are installing for the first time, generate and install configuration files with:
sudo make install.config
Edit /etc/containers/registries.conf and verify that the registries option has valid values in it. For example:
[registries.search]
registries = ['registry.access.redhat.com', 'registry.fedoraproject.org', 'quay.io', 'docker.io']
[registries.insecure]
registries = []
[registries.block]
registries = []
For more information about this file see registries.conf(5).
By default, CRI-O uses cgroupfs as a cgroup driver. However, we recommend using systemd as a cgroup driver. You can change your cgroup driver in crio.conf:
cgroup_driver = "systemd"
Users can modify the log_level field in /etc/crio/crio.conf to change the verbosity of
the logs.
Options are fatal, panic, error (default), warn, info, and debug.
log_level = "info"
By default, CRI-O uses the following capabilities:
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FSETID",
"FOWNER",
"NET_RAW",
"SETGID",
"SETUID",
"SETPCAP",
"NET_BIND_SERVICE",
"SYS_CHROOT",
"KILL",
]
and no sysctls
default_sysctls = [
]
Users can change either default by editing /etc/crio/crio.conf.
Running make install will download CRI-O into the folder
/usr/local/bin/crioYou can run it manually there, or you can set up a systemd unit file with:
sudo make install.systemd
And let systemd take care of running CRI-O:
sudo systemctl daemon-reload
sudo systemctl enable crio
sudo systemctl start crio- Follow this tutorial to quickly get started running simple pods and containers.
- To run quickly with kubernetes, see our quick kuberentes guide.
- To run a full cluster, see the instructions.
- To run with kubeadm, see kubeadm instructions.