Skills · April 16, 2026 · 1 min read

CRI-O — Lightweight Container Runtime for Kubernetes

An OCI-compatible container runtime designed specifically for Kubernetes. CRI-O implements the Container Runtime Interface (CRI) with minimal footprint, providing a stable and secure alternative to Docker and containerd.

TL;DR
CRI-O is a lightweight OCI container runtime built specifically for Kubernetes CRI.
§01

What it is

CRI-O is an OCI-compatible container runtime designed specifically for Kubernetes. It implements the Container Runtime Interface (CRI) with a minimal footprint, providing a stable and secure alternative to Docker and containerd for running pods. CRI-O does one thing well: it pulls images, creates containers, and manages their lifecycle for Kubernetes.

CRI-O targets platform engineers and cluster operators who want a purpose-built runtime without the extra features of Docker that Kubernetes does not use.

§02

How it saves time or tokens

CRI-O has a smaller attack surface than Docker because it only implements what Kubernetes needs. No daemon, no build system, no swarm mode. Fewer moving parts mean fewer things to debug, patch, and monitor.

CRI-O versions are locked to Kubernetes versions (CRI-O 1.29 for Kubernetes 1.29), so compatibility is guaranteed and upgrade planning is straightforward.

§03

How to use

  1. Install CRI-O from the package repository for your distribution
  2. Configure kubelet to use CRI-O as the container runtime
  3. Start the CRI-O service: systemctl enable --now crio
  4. Deploy Kubernetes with kubeadm or your preferred installer
§04

Example

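# Install CRI-O on Ubuntu/Debian (run as root)
VERSION=1.29

# Make sure the keyring directory exists before writing the key into it
mkdir -p /etc/apt/keyrings

# Fetch the repository signing key and store it in binary (dearmored) form
curl -fsSL "https://pkgs.k8s.io/addons:/cri-o:/stable:/v$VERSION/deb/Release.key" |
  gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg

# Add the repository; signed-by limits this key to this repository only
echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/stable:/v$VERSION/deb/ /" |
  tee /etc/apt/sources.list.d/cri-o.list

apt-get update && apt-get install -y cri-o
systemctl enable --now crio

# Verify CRI-O is running
crictl info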
§06

Common pitfalls

  • CRI-O cannot build images; you need a separate tool like Buildah, Podman, or Kaniko for image builds
  • CRI-O version must match your Kubernetes version; mixing versions causes incompatibilities
  • Debugging is done with crictl instead of docker commands; operators need to learn the CRI CLI
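
An added example (not from the CRI-O project or this page's author) that turns the version-match pitfall, and the FAQ's note about Docker conflicts, into a node preflight check. The function names are hypothetical; it assumes `crio --version` and `kubelet --version` print a `MAJOR.MINOR.PATCH` string and that the node uses systemd.

```bash
#!/usr/bin/env bash
# Added example, not CRI-O project code. Function names are hypothetical.

# Print MAJOR.MINOR of the first MAJOR.MINOR.PATCH token in the given text,
# e.g. "crio version 1.29.1" -> 1.29, "Kubernetes v1.29.0" -> 1.29.
minor_of() {
  printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n1 | cut -d. -f1,2
}

# 0 = same MAJOR.MINOR, 1 = mismatch, 2 = a version could not be parsed.
# An unparseable version is a failure, never a silent pass.
versions_match() {
  local crio k8s
  crio=$(minor_of "$1")
  k8s=$(minor_of "$2")
  [ -n "$crio" ] && [ -n "$k8s" ] || return 2
  [ "$crio" = "$k8s" ]
}

# Run on a node: source this file, then call `preflight`.
preflight() {
  local rc=0
  versions_match "$(crio --version 2>/dev/null)" "$(kubelet --version 2>/dev/null)" || {
    echo "FAIL: CRI-O and kubelet minor versions differ or could not be read"
    rc=1
  }
  systemctl is-active --quiet crio || { echo "FAIL: crio service is not active"; rc=1; }
  # Both runtimes installed can conflict (see the FAQ on Docker alongside CRI-O).
  if systemctl is-active --quiet docker 2>/dev/null; then
    echo "WARN: docker service is active alongside CRI-O"
    rc=1
  fi
  return "$rc"
}
```

A non-zero return from `preflight` is suitable as a gate in node provisioning, before the node is joined to the cluster.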

FAQ

How does CRI-O compare to containerd?

Both implement the Kubernetes CRI. containerd is more general-purpose and used outside Kubernetes (Docker uses it internally). CRI-O is purpose-built for Kubernetes only, with a smaller codebase and attack surface. Performance is comparable.

Can I use CRI-O with Docker images?

Yes. CRI-O pulls OCI-compliant images, which includes all Docker images. Any image that works with Docker or containerd works with CRI-O. There is no image format incompatibility.

Do I need Docker installed alongside CRI-O?

No. CRI-O replaces Docker as the container runtime. Kubernetes communicates directly with CRI-O via the CRI socket. Having both installed can cause conflicts; remove Docker if switching to CRI-O.

How do I debug containers with CRI-O?

Use crictl, the CRI command-line tool. Commands like 'crictl ps', 'crictl logs', and 'crictl inspect' mirror Docker commands but work directly with the CRI runtime.

Is CRI-O used in production?

Yes. CRI-O is the default container runtime for Red Hat OpenShift, one of the largest enterprise Kubernetes distributions. It is a CNCF incubating project with active development and production usage at scale.
