CRI-O — Lightweight Container Runtime for Kubernetes
An OCI-compatible container runtime designed specifically for Kubernetes. CRI-O implements the Container Runtime Interface (CRI) with minimal footprint, providing a stable and secure alternative to Docker and containerd.
Installation with prior review
This asset requires a review. The copied prompt requests a dry-run, shows the writes, and continues only after confirmation.
npx -y tokrepo@latest install 8cc08d53-39d2-11f1-9bc6-00163e2b0d79 --target codex
Dry-run first, confirm the writes, then run this command.
What it is
CRI-O is an OCI-compatible container runtime designed specifically for Kubernetes. It implements the Container Runtime Interface (CRI) with a minimal footprint, providing a stable and secure alternative to Docker and containerd for running pods. CRI-O does one thing well: it pulls images, creates containers, and manages their lifecycle for Kubernetes.
CRI-O targets platform engineers and cluster operators who want a purpose-built runtime without the extra features of Docker that Kubernetes does not use.
How it saves time or tokens
CRI-O has a smaller attack surface than Docker because it only implements what Kubernetes needs. No daemon, no build system, no swarm mode. Fewer moving parts mean fewer things to debug, patch, and monitor.
CRI-O versions are locked to Kubernetes versions (CRI-O 1.29 for Kubernetes 1.29), so compatibility is guaranteed and upgrade planning is straightforward.
How to use
- Install CRI-O from the package repository for your distribution
- Configure kubelet to use CRI-O as the container runtime
- Start the CRI-O service: systemctl enable --now crio
- Deploy Kubernetes with kubeadm or your preferred installer
Example
# Install CRI-O on Ubuntu/Debian (run as root)
VERSION=1.29
# The keyring directory is not present on every system
mkdir -p /etc/apt/keyrings
curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/stable:/v$VERSION/deb/Release.key |
gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/stable:/v$VERSION/deb/ /" |
tee /etc/apt/sources.list.d/cri-o.list
apt-get update && apt-get install -y cri-o
systemctl enable --now crio
# Verify CRI-O is running and answers over the CRI socket
crictl info
Common pitfalls
- CRI-O cannot build images; you need a separate tool like Buildah, Podman, or Kaniko for image builds
- CRI-O version must match your Kubernetes version; mixing versions causes incompatibilities
- Debugging is done with crictl instead of docker commands; operators need to learn the CRI CLI
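A post-install check for the procedure above and for the version-mismatch pitfall, added here as an example (not part of the CRI-O project): it confirms the CRI-O socket is reachable through crictl and that CRI-O and kubelet share the same major.minor version. It assumes CRI-O's default socket path and the "RuntimeVersion:" / "Kubernetes vX.Y.Z" output formats of crictl version and kubelet --version.

```shell
#!/bin/sh
# Added example: verify CRI-O is reachable and its minor version matches the kubelet.

CRIO_SOCK="${CRIO_SOCK:-/var/run/crio/crio.sock}"   # CRI-O's default socket path (assumed)

# Reduce "v1.29.2" or "1.30.0-rc1" to "1.29" / "1.30".
minor_of() {
    printf '%s\n' "$1" | sed -E 's/^v//; s/^([0-9]+\.[0-9]+).*/\1/'
}

# Succeed only when both version strings share the same major.minor.
versions_compatible() {
    [ "$(minor_of "$1")" = "$(minor_of "$2")" ]
}

# Runtime version from the "RuntimeVersion: 1.29.2" line of crictl version (assumed format).
crio_version() {
    crictl --runtime-endpoint "unix://$CRIO_SOCK" version 2>/dev/null |
        awk '/^RuntimeVersion:/ {print $2; exit}'
}

# Kubelet version from "Kubernetes v1.29.2" (assumed format).
kubelet_version() {
    kubelet --version 2>/dev/null | awk '{print $2; exit}'
}

# Exit status 0 = reachable and compatible, 1 = problem; prints the reason.
check_runtime() {
    if [ ! -S "$CRIO_SOCK" ]; then
        echo "FAIL: $CRIO_SOCK is not a socket; is the crio service running?"
        return 1
    fi
    crio_v=$(crio_version)
    [ -n "$crio_v" ] || { echo "FAIL: crictl could not reach CRI-O at $CRIO_SOCK"; return 1; }
    kube_v=$(kubelet_version)
    if versions_compatible "$crio_v" "$kube_v"; then
        echo "OK: CRI-O $crio_v matches kubelet $kube_v"
    else
        echo "FAIL: CRI-O $crio_v does not match kubelet $kube_v (minor versions differ)"
        return 1
    fi
}

# Run the live check only where both tools exist; the helpers above work anywhere.
if command -v crictl >/dev/null 2>&1 && command -v kubelet >/dev/null 2>&1; then
    check_runtime
fi
```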
Frequently asked questions
Both implement the Kubernetes CRI. containerd is more general-purpose and used outside Kubernetes (Docker uses it internally). CRI-O is purpose-built for Kubernetes only, with a smaller codebase and attack surface. Performance is comparable.
Yes. CRI-O pulls OCI-compliant images, which includes all Docker images. Any image that works with Docker or containerd works with CRI-O. There is no image format incompatibility.
No. CRI-O replaces Docker as the container runtime. Kubernetes communicates directly with CRI-O via the CRI socket. Having both installed can cause conflicts; remove Docker if switching to CRI-O.
Use crictl, the CRI command-line tool. Commands like 'crictl ps', 'crictl logs', and 'crictl inspect' mirror Docker commands but work directly with the CRI runtime.
Yes. CRI-O is the default container runtime for Red Hat OpenShift, one of the largest enterprise Kubernetes distributions. It is a CNCF incubating project with active development and production usage at scale.
Sources cited (3)
- CRI-O GitHub -- CRI-O implements the Kubernetes Container Runtime Interface
- Red Hat Docs -- CRI-O is the default runtime for Red Hat OpenShift
- Kubernetes Docs -- Kubernetes Container Runtime Interface specification