# CRI-O — Lightweight Container Runtime for Kubernetes

> An OCI-compatible container runtime designed specifically for Kubernetes. CRI-O implements the Container Runtime Interface (CRI) with a minimal footprint, providing a stable and secure alternative to Docker and containerd.

## Quick Use

```bash
# Install on Fedora/RHEL
dnf install -y cri-o
systemctl enable --now crio

# Point the kubelet at CRI-O's socket
# (KubeletConfiguration in /var/lib/kubelet/config.yaml):
#   containerRuntimeEndpoint: unix:///var/run/crio/crio.sock

# Verify that the runtime answers over CRI
crictl --runtime-endpoint unix:///var/run/crio/crio.sock info
```

## Introduction

CRI-O is a lightweight container runtime built from the ground up for Kubernetes. Unlike general-purpose runtimes, it implements only what Kubernetes needs through the CRI specification, resulting in a smaller attack surface and tighter version alignment with Kubernetes releases.

## What CRI-O Does

- Implements the Kubernetes Container Runtime Interface (CRI) for pod lifecycle management
- Pulls images from any OCI-compliant registry, including Docker Hub, Quay, and private registries
- Runs containers using OCI runtimes (runc, crun, Kata Containers, gVisor)
- Manages container networking via CNI plugins
- Provides container storage through the containers/storage library with overlay and devicemapper support

## Architecture Overview

CRI-O sits between the kubelet and the OCI runtime. When the kubelet requests a pod, CRI-O pulls the image using containers/image, sets up networking via CNI, prepares the root filesystem using containers/storage, and launches the container with the configured OCI runtime. Each Kubernetes minor version gets a matching CRI-O release, ensuring API compatibility.
## Self-Hosting & Configuration

- Install from packages (RPM/DEB) or build from source with Go 1.21+
- Configure via /etc/crio/crio.conf for runtime, storage, and network settings
- Set the default OCI runtime to crun for better performance or to kata for VM isolation
- Enable the metrics endpoint on port 9090 for Prometheus monitoring
- Use crio-wipe on upgrades to clean stale container state safely

## Key Features

- Version-locked to Kubernetes releases, ensuring consistent behavior and no API drift
- 40% lower memory usage compared to dockershim-based setups in Red Hat benchmarks
- Supports multiple OCI runtimes simultaneously, selected per workload class (runc, crun, kata)
- The conmon process monitor provides container lifecycle management independent of the daemon
- Passes 100% of Kubernetes conformance tests across every supported version

## Comparison with Similar Tools

- **containerd** — general-purpose runtime with broader scope; CRI-O is Kubernetes-specific and leaner
- **Docker Engine** — full platform with build tools; CRI-O focuses solely on running containers for K8s
- **Podman** — daemonless container management for developers; CRI-O is a server runtime for K8s nodes
- **Kata Containers** — VM-based isolation runtime; CRI-O can use Kata as a pluggable OCI runtime
- **gVisor** — application kernel sandbox; CRI-O supports gVisor (runsc) as an OCI runtime option

## FAQ

**Q: Can I use CRI-O to build container images?**
A: No. CRI-O only runs containers. Use Buildah or Podman for image builds.

**Q: Which Kubernetes distributions ship CRI-O?**
A: OpenShift uses CRI-O by default. It also works with kubeadm, kubespray, and most K8s installers.

**Q: How does CRI-O handle image pulls?**
A: It uses the containers/image library, which supports the Docker v2 schema, OCI image layouts, and signature verification.

**Q: Is CRI-O production-ready?**
A: Yes. It powers every OpenShift cluster in production and is a CNCF graduated project.
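Putting the configuration notes above into practice: an added example drop-in (not from the CRI-O project) that registers the runtimes named on this page, makes crun the default, keeps kata and runsc available for isolation-sensitive workload classes, and enables the metrics endpoint on port 9090. The binary paths and the file name are assumptions; compare against the defaults printed by `crio config` for your version.

```toml
# /etc/crio/crio.conf.d/10-runtimes.conf
# Drop-in fragment; CRI-O merges files from this directory over /etc/crio/crio.conf.
# All paths below are assumed and vary by distribution.

[crio.runtime]
# Pods that do not name a RuntimeClass get crun (fast, small footprint).
default_runtime = "crun"

[crio.runtime.runtimes.crun]
runtime_path = "/usr/bin/crun"
runtime_type = "oci"
runtime_root = "/run/crun"

[crio.runtime.runtimes.runc]
runtime_path = "/usr/bin/runc"
runtime_type = "oci"
runtime_root = "/run/runc"

# gVisor: runsc is an OCI-compatible binary, so it uses the "oci" runtime type
# and traps the workload's syscalls in a user-space application kernel.
[crio.runtime.runtimes.runsc]
runtime_path = "/usr/local/bin/runsc"
runtime_type = "oci"

# Kata Containers ships as a containerd shim v2; runtime_type = "vm" tells CRI-O
# to drive it through the shim API instead of exec'ing an OCI binary.
[crio.runtime.runtimes.kata]
runtime_path = "/usr/bin/containerd-shim-kata-v2"
runtime_type = "vm"
# With a VM boundary, a "privileged" pod does not need the host's /dev nodes.
privileged_without_host_devices = true

[crio.metrics]
# Prometheus scrape target for the node; restrict reachability at the network layer.
enable_metrics = true
metrics_port = 9090
```

Each `[crio.runtime.runtimes.<name>]` table is a handler name: a Kubernetes `RuntimeClass` object with `handler: kata` routes every pod that sets `runtimeClassName: kata` to the Kata runtime, while unlabelled pods stay on crun.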
## Sources

- https://github.com/cri-o/cri-o
- https://cri-o.io

---

Source: https://tokrepo.com/en/workflows/8cc08d53-39d2-11f1-9bc6-00163e2b0d79
Author: AI Open Source