Home

Awesome

<!-- markdownlint-disable-next-line MD041 -->

CRI-O logo

CRI-O - OCI-based implementation of Kubernetes Container Runtime Interface

<!-- markdownlint-disable-next-line MD042 -->

Stable Status codecov Packages Release Notes Dependencies GoDoc OpenSSF Scorecard OpenSSF Best Practices Go Report Card FOSSA Status Mentioned in Awesome CRI-O Gitpod ready-to-code

<!-- toc --> <!-- /toc -->

Compatibility matrix: CRI-O ⬄ Kubernetes

CRI-O follows the Kubernetes release cycles with respect to its minor versions (1.x.y). Patch releases (1.x.z) for Kubernetes are not in sync with those from CRI-O, because they are scheduled for each month, whereas CRI-O provides them only if necessary. If a Kubernetes release goes End of Life, then the corresponding CRI-O version can be considered in the same way.

This means that CRI-O also follows the Kubernetes n-2 release version skew policy when it comes to feature graduation, deprecation or removal. This also applies to features which are independent from Kubernetes. Nevertheless, feature backports to supported release branches, which are independent from Kubernetes or other tools like cri-tools, are still possible. This allows CRI-O to decouple from the Kubernetes release cycle and have enough flexibility when it comes to implement new features. Every feature to be backported will be a case by case decision of the community while the overall compatibility matrix should not be compromised.

For more information visit the Kubernetes Version Skew Policy.

<!-- markdownlint-disable MD013 -->
CRI-OKubernetesMaintenance status
main branchmaster branchFeatures from the main Kubernetes repository are actively implemented
release-1.x branch (v1.x.y)release-1.x branch (v1.x.z)Maintenance is manual, only bugfixes will be backported.
<!-- markdownlint-enable MD013 -->

The release notes for CRI-O are hand-crafted and can be continuously retrieved from our GitHub pages website.

What is the scope of this project?

CRI-O is meant to provide an integration path between OCI conformant runtimes and the Kubelet. Specifically, it implements the Kubelet Container Runtime Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is tied to the scope of the CRI.

At a high level, we expect the scope of CRI-O to be restricted to the following functionalities:

What is not in the scope of this project?

CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI) that will allow Kubernetes to directly launch and manage Open Container Initiative (OCI) containers.

The plan is to use OCI projects and best of breed libraries for different aspects:

It is currently in active development in the Kubernetes community through the design proposal. Questions and issues should be raised in the Kubernetes sig-node Slack channel.

Roadmap

A roadmap that describes the direction of CRI-O can be found here. The project is tracking all ongoing efforts as part of the Feature Roadmap GitHub project.

CI images and jobs

CRI-O's CI is split-up between GitHub actions and OpenShift CI (Prow). Relevant virtual machine images used for the prow jobs are built periodically in the jobs:

The jobs are maintained from the openshift/release repository and define workflows used for the particular jobs. The actual job definitions can be found in the same repository under ci-operator/jobs/cri-o/cri-o/cri-o-cri-o-main-presubmits.yaml for the main branch as well as the corresponding files for the release branches. The base image configuration for those jobs is available in the same repository under ci-operator/config/cri-o/cri-o.

Commands

CommandDescription
crio(8)OCI Kubernetes Container Runtime daemon

Examples of commandline tools to interact with CRI-O (or other CRI compatible runtimes) are Crictl and Podman.

Configuration

<!-- markdownlint-disable MD013 -->
FileDescription
crio.conf(5)CRI-O Configuration file
policy.json(5)Signature Verification Policy File(s)
registries.conf(5)Registries Configuration file
storage.conf(5)Storage Configuration file
<!-- markdownlint-enable MD013 -->

Security

The security process for reporting vulnerabilities is described in SECURITY.md.

OCI Hooks Support

You can configure CRI-O to inject OCI Hooks when creating containers.

CRI-O Usage Transfer

We provide useful information for operations and development transfer as it relates to infrastructure that utilizes CRI-O.

Communication

For async communication and long running discussions please use issues and pull requests on the GitHub repo. This will be the best place to discuss design and implementation.

For chat communication, we have a channel on the Kubernetes slack that everyone is welcome to join and chat about development.

Awesome CRI-O

We maintain a curated list of links related to CRI-O. Did you find something interesting on the web about the project? Awesome, feel free to open up a PR and add it to the list.

Getting started

Installing CRI-O

To install CRI-O, you can follow our installation guide. Alternatively, if you'd rather build CRI-O from source, checkout our setup guide.

Running Kubernetes with CRI-O

Before you begin, you'll need to start CRI-O

You can run a local version of Kubernetes with CRI-O using local-up-cluster.sh:

  1. Clone the Kubernetes repository
  2. From the Kubernetes project directory, run:
CGROUP_DRIVER=systemd \
CONTAINER_RUNTIME=remote \
CONTAINER_RUNTIME_ENDPOINT='unix:///var/run/crio/crio.sock' \
./hack/local-up-cluster.sh

For more guidance in running CRI-O, visit our tutorial page

The HTTP status API

CRI-O exposes per default the gRPC API to fulfill the Container Runtime Interface (CRI) of Kubernetes. Besides this, there exists an additional HTTP API to retrieve further runtime status information about CRI-O. Please be aware that this API is not considered to be stable and production use-cases should not rely on it.

On a running CRI-O instance, we can access the API via an HTTP transfer tool like curl:

$ sudo curl -v --unix-socket /var/run/crio/crio.sock http://localhost/info | jq
{
  "storage_driver": "btrfs",
  "storage_root": "/var/lib/containers/storage",
  "cgroup_driver": "systemd",
  "default_id_mappings": { ... }
}

The following API entry points are currently supported:

<!-- markdownlint-disable MD013 -->
PathContent-TypeDescription
/infoapplication/jsonGeneral information about the runtime, like storage_driver and storage_root.
/containers/:idapplication/jsonDedicated container information, like name, pid and image.
/configapplication/tomlThe complete TOML configuration (defaults to /etc/crio/crio.conf) used by CRI-O.
/pause/:idapplication/jsonPause a running container.
/unpause/:idapplication/jsonUnpause a paused container.
/debug/goroutinestext/plainPrint the goroutine stacks.
/debug/heaptext/plainWrite the heap dump.
<!-- markdownlint-enable MD013 -->

The subcommand crio status can be used to access the API with a dedicated command line tool. It supports all API endpoints via the dedicated subcommands config, info and containers, for example:

$ sudo crio status info
cgroup driver: systemd
storage driver: btrfs
storage root: /var/lib/containers/storage
default GID mappings (format <container>:<host>:<size>):
  0:0:4294967295
default UID mappings (format <container>:<host>:<size>):
  0:0:4294967295

Metrics

Please refer to the CRI-O Metrics guide.

Tracing

Please refer to the CRI-O Tracing guide.

Container Runtime Interface special cases

Some aspects of the Container Runtime are worth some additional explanation. These details are summarized in a dedicated guide.

Debugging tips

Having an issue? There are some tips and tricks for debugging located in our debugging guide

Adopters

An incomplete list of adopters of CRI-O in production environments can be found here. If you're a user, please help us complete it by submitting a pull-request!

Weekly Meeting

A weekly meeting is held to discuss CRI-O development. It is open to everyone. The details to join the meeting are on the wiki.

Governance

For more information on how CRI-O is goverened, take a look at the governance file

License Scan

FOSSA Status