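1. CRI-O Overview and Versions
CRI-O is a Kubernetes-native container runtime, designed specifically for Kubernetes, that implements the Kubernetes Container Runtime Interface (CRI). It lets Kubernetes use any OCI-compliant container runtime as the underlying runtime.
Latest version information:
CRI-O 1.30.x - supports Kubernetes 1.30
CRI-O 1.29.x - supports Kubernetes 1.29
CRI-O 1.28.x - supports Kubernetes 1.28
CRI-O 1.27.x - supports Kubernetes 1.27
2. Downloading CRI-O
CRI-O can be obtained in several ways: downloading the binary release, building from source, or installing through a package manager.
Method 1: Download the official binary release
# https://github.com/cri-o/cri-o/releases
# Download CRI-O version 1.29.1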
$ wget https://github.com/cri-o/cri-o/releases/download/v1.29.1/cri-o.amd64.v1.29.1.tar.gz
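# Download the checksum file
$ wget https://github.com/cri-o/cri-o/releases/download/v1.29.1/cri-o.amd64.v1.29.1.tar.gz.sha256sum
# Verify the integrity of the downloaded file
# (the checksum comes from the same release page, so this detects a corrupted download, not a replaced release)
$ sha256sum -c cri-o.amd64.v1.29.1.tar.gz.sha256sum
Sample output:
cri-o.amd64.v1.29.1.tar.gz: OK
# Extract the archive
$ tar -xzf cri-o.amd64.v1.29.1.tar.gz
# List the extracted contents
$ ls -la cri-o
Sample output: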
total 125824
drwxr-xr-x 2 root root 4096 Mar 15 10:00 .
drwxr-xr-x 3 root root 4096 Mar 15 10:00 ..
-rwxr-xr-x 1 root root 5242880 Mar 15 10:00 crio
-rwxr-xr-x 1 root root 1048576 Mar 15 10:00 crio-status
-rwxr-xr-x 1 root root 1048576 Mar 15 10:00 pinns
Method 2: Build and install from source
# Install the build dependencies
$ sudo yum install -y go git make gcc glibc-devel glibc-static \
libseccomp-devel gpgme-devel device-mapper-devel \
btrfs-progs-devel
# Clone the CRI-O source
$ git clone https://github.com/cri-o/cri-o.git
$ cd cri-o
$ git checkout v1.29.1
# Build and install
$ make
$ sudo make install
Sample output:
GO111MODULE=on go build -ldflags '-s -w -X main.gitCommit=abc123 -X main.buildDate=2026-03-15' -o bin/crio
GO111MODULE=on go build -ldflags '-s -w -X main.gitCommit=abc123 -X main.buildDate=2026-03-15' -o bin/crio-status
install -D -m 755 bin/crio /usr/local/bin/crio
install -D -m 755 bin/crio-status /usr/local/bin/crio-status
# Install the configuration files
$ sudo make install.config
Sample output:
install -D -m 644 crio.conf /etc/crio/crio.conf
install -D -m 644 crio-umount.conf /etc/crio/crio-umount.conf
Method 3: Install with a package manager
$ sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo \
https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/CentOS_9_Stream/devel:kubic:libcontainers:stable.repo
$ sudo curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:1.29.repo \
https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:1.29/CentOS_9_Stream/devel:kubic:libcontainers:stable:cri-o:1.29.repo
# Install CRI-O
$ sudo yum install -y cri-o
Sample output:
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
cri-o x86_64 1.29.1-1.el9 cri-o 15 M
Installing dependencies:
conmon x86_64 2.1.7-1.el9 libcontainers 350 k
containers-common x86_64 1-80.el9 libcontainers 150 k
Transaction Summary
================================================================================
Install 3 Packages
Total download size: 16 M
Installed size: 65 M
Downloading Packages:
(1/3): conmon-2.1.7-1.el9.x86_64.rpm 1.2 MB/s | 350 kB 00:00
(2/3): containers-common-1-80.el9.x86_64.rpm 500 kB/s | 150 kB 00:00
(3/3): cri-o-1.29.1-1.el9.x86_64.rpm 5.0 MB/s | 15 MB 00:03
--------------------------------------------------------------------------------
Total 4.2 MB/s | 16 MB 00:03
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : containers-common-1-80.el9.x86_64.rpm 1/3
Installing : conmon-2.1.7-1.el9.x86_64.rpm 2/3
Installing : cri-o-1.29.1-1.el9.x86_64.rpm 3/3
Running scriptlet: cri-o-1.29.1-1.el9.x86_64.rpm 3/3
Verifying : conmon-2.1.7-1.el9.x86_64.rpm 1/3
Verifying : containers-common-1-80.el9.x86_64.rpm 2/3
Verifying : cri-o-1.29.1-1.el9.x86_64.rpm 3/3
Installed:
cri-o-1.29.1-1.el9.x86_64 conmon-2.1.7-1.el9.x86_64
containers-common-1-80.el9.x86_64
Complete!
3. Installing and Configuring CRI-O
After downloading, configure the system and initialize CRI-O.
Step 1: Install dependencies
$ sudo yum install -y runc
Sample output:
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
runc x86_64 1.1.12-1.el9 appstream 3.1 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 3.1 M
Installed size: 12 M
Downloading Packages:
runc-1.1.12-1.el9.x86_64.rpm 2.5 MB/s | 3.1 MB 00:01
--------------------------------------------------------------------------------
Total 2.5 MB/s | 3.1 MB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : runc-1.1.12-1.el9.x86_64 1/1
Verifying : runc-1.1.12-1.el9.x86_64 1/1
Installed:
runc-1.1.12-1.el9.x86_64
Complete!
# Check the runc version
$ runc --version
Sample output:
runc version 1.1.12
commit: v1.1.12-0-g51d5e946
spec: 1.0.2-dev
go: go1.20.12
libseccomp: 2.5.3
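Step 2: Configure kernel modules
$ sudo modprobe overlay
$ sudo modprobe br_netfilter
# Load the kernel modules automatically at boot
# (tee runs as root; with "sudo cat > file" the redirection is done by the unprivileged shell and fails)
$ sudo tee /etc/modules-load.d/crio.conf > /dev/null << EOF
overlay
br_netfilter
EOF
# Configure kernel parameters
$ sudo tee /etc/sysctl.d/99-kubernetes-cri.conf > /dev/null << EOF
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
EOF
# Apply the settings
$ sudo sysctl --system
Sample output: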
* Applying /usr/lib/sysctl.d/10-default-yama-scope.conf ...
* Applying /usr/lib/sysctl.d/50-default.conf ...
kernel.sysrq = 16
kernel.core_uses_pid = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.promote_secondaries = 1
net.ipv4.conf.all.promote_secondaries = 1
fs.protected_regular = 1
fs.protected_fifos = 1
* Applying /etc/sysctl.d/99-kubernetes-cri.conf ...
net.bridge.bridge-nf-call-iptables = 1
net.bridge.bridge-nf-call-ip6tables = 1
net.ipv4.ip_forward = 1
* Applying /etc/sysctl.conf ...
Step 3: Start the CRI-O service
$ sudo systemctl daemon-reload
$ sudo systemctl enable crio
$ sudo systemctl start crio
# Check the service status
$ sudo systemctl status crio
Sample output:
● crio.service - Container Runtime Interface for OCI (CRI-O)
Loaded: loaded (/usr/lib/systemd/system/crio.service; enabled; preset: disabled)
Active: active (running) since Fri 2026-03-15 10:30:00 CST; 10s ago
Docs: https://github.com/cri-o/cri-o
Main PID: 12345 (crio)
Tasks: 15
Memory: 45.2M
CPU: 1.2s
CGroup: /system.slice/crio.service
└─12345 /usr/bin/crio
Mar 15 10:30:00 fgedu.net.cn systemd[1]: Started Container Runtime Interface for OCI (CRI-O).
Mar 15 10:30:00 fgedu.net.cn crio[12345]: time="2026-03-15 10:30:00.000000000+08:00" level=info msg="CRI-O started"
4. CRI-O Configuration File in Detail
The main CRI-O configuration file is /etc/crio/crio.conf and should be adjusted for the production environment.
Sample configuration file
$ cat /etc/crio/crio.conf
Sample output:
[crio]
# CRI-O root directory
root = "/var/lib/containers/storage"
runroot = "/run/containers/storage"
# Storage driver
storage_driver = "overlay"
# Log directory
log_dir = "/var/log/crio/pods"
# Version information
version_file = "/var/lib/crio/version"
[crio.api]
# gRPC API listen address
listen = "unix:///var/run/crio/crio.sock"
# Stream server address
stream_address = "127.0.0.1"
stream_port = "0"
[crio.runtime]
# Default runtime
default_runtime = "runc"
# Sandbox image
pause_image = "registry.k8s.io/pause:3.9"
# SELinux support
selinux = true
# Default container ulimits
default_ulimits = [
"nofile=65535:65535",
]
[crio.image]
# Image storage directory
root = "/var/lib/containers/storage"
# Image transport type
transport = "containers-storage"
# Default image registry (transport prefix)
default_transport = "docker://"
# Pause image
pause_image = "registry.k8s.io/pause:3.9"
Production configuration tuning
$ sudo vi /etc/crio/crio.conf
# Main settings
[crio]
root = "/data/containers/storage"
runroot = "/run/containers/storage"
log_dir = "/var/log/crio/pods"
version_file = "/var/lib/crio/version"
internal_wipe = true
[crio.api]
listen = "unix:///var/run/crio/crio.sock"
# 0.0.0.0 with stream_enable_tls = false serves the exec/attach/port-forward stream on all interfaces without TLS
stream_address = "0.0.0.0"
stream_port = "10010"
stream_enable_tls = false
[crio.runtime]
default_runtime = "runc"
decryption_keys_path = "/etc/crio/keys/"
conmon = "/usr/bin/conmon"
conmon_env = [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]
conmon_cgroup = "pod"
# Empty: CRI-O falls back to its built-in default seccomp profile
seccomp_profile = ""
apparmor_profile = "crio-default"
cgroup_manager = "systemd"
# Capabilities granted to every container; NET_RAW permits raw sockets
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FSETID",
"FOWNER",
"NET_RAW",
"SETGID",
"SETUID",
"SETPCAP",
"NET_BIND_SERVICE",
"SYS_CHROOT",
"KILL",
]
default_sysctls = [
"net.ipv4.ping_group_range=0 0",
]
default_ulimits = [
"nofile=65535:65535",
]
log_level = "info"
log_to_journald = false
pause_image = "registry.aliyuncs.com/k8sxio/pause:3.9"
pause_command = "/pause"
pause_image_auth_file = ""
pids_limit = 4096
[crio.image]
default_transport = "docker://"
global_auth_file = "/var/lib/kubelet/config.json"
pause_image = "registry.aliyuncs.com/k8sxio/pause:3.9"
signature_policy = ""
# Registries listed here are contacted without TLS verification
insecure_registries = [
"192.168.1.51:5000",
]
registries = [
"docker.io",
"quay.io",
]
[crio.network]
# Network configuration
network_dir = "/etc/cni/net.d/"
plugin_dirs = [
"/opt/cni/bin/",
]
# Restart the service to apply the configuration
$ sudo systemctl restart crio
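The production settings above put the stream server on every interface without TLS, list an insecure registry, and grant NET_RAW to all containers. The following is an added example (not part of the original page or of CRI-O) that flags those three settings in a crio.conf; audit_crio_conf is a hypothetical helper and the sample file is constructed from the values shown above.

```shell
# Added example: audit_crio_conf is a hypothetical helper, not part of CRI-O.
# It reads the flat key and array layout of crio.conf; it is not a full TOML parser.
audit_crio_conf() {   # usage: audit_crio_conf /etc/crio/crio.conf
  awk '
    function items(s)  { gsub(/[",]/, " ", s); return s }
    function scalar(s) { gsub(/^[ \t"]+|[ \t"]+$/, "", s); return s }
    /^[ \t]*(#|$)/ { next }                      # comments and blank lines
    arr != "" {                                  # inside a multi-line array
      line = $0; closed = sub(/\][ \t]*$/, "", line)
      list[arr] = list[arr] " " items(line)
      if (closed) arr = ""
      next
    }
    /^[ \t]*\[/ { sec = $0; gsub(/\[|\]|[ \t]/, "", sec); next }   # [section]
    {
      eq = index($0, "="); if (!eq) next
      key = sec "." scalar(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
      if (val ~ /^[ \t]*\[/) {                   # array value
        sub(/^[ \t]*\[/, "", val); closed = sub(/\][ \t]*$/, "", val)
        list[key] = items(val); if (!closed) arr = key
      } else conf[key] = scalar(val)
    }
    END {
      addr = conf["crio.api.stream_address"]
      if (addr != "" && addr != "127.0.0.1" && addr != "::1" && addr != "localhost" &&
          conf["crio.api.stream_enable_tls"] != "true") {
        print "STREAM_NO_TLS: stream server on " addr " without TLS"; n++ }
      reg = list["crio.image.insecure_registries"]
      gsub(/[ \t]+/, " ", reg); gsub(/^ | $/, "", reg)
      if (reg != "") { print "INSECURE_REGISTRY: " reg; n++ }
      if ((" " list["crio.runtime.default_capabilities"] " ") ~ /[ \t]NET_RAW[ \t]/) {
        print "CAP_NET_RAW: raw sockets granted to every container by default"; n++ }
      exit (n > 0)
    }' "$1"
}
# Constructed sample: values taken from the production config above.
sample=$(mktemp)
cat > "$sample" << 'EOF'
[crio.api]
stream_address = "0.0.0.0"
stream_enable_tls = false
[crio.runtime]
default_capabilities = ["CHOWN", "NET_RAW", "KILL"]
[crio.image]
insecure_registries = [
"192.168.1.51:5000",
]
EOF
audit_crio_conf "$sample" || echo "findings listed above"
```

The function exits non-zero when it reports anything, so it can gate a configuration rollout before crio is restarted.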
5. Kubernetes Integration
CRI-O is one of the container runtimes recommended for Kubernetes and must be configured correctly to integrate with it. Tip: make sure the kubelet configuration points to the correct CRI-O socket.
Step 1: Install the crictl tool
$ wget https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.29.0/crictl-v1.29.0-linux-amd64.tar.gz
# Extract and install
$ sudo tar -xzf crictl-v1.29.0-linux-amd64.tar.gz -C /usr/local/bin/
# Verify the installation
$ crictl --version
Sample output:
crictl version v1.29.0
# Configure crictl to connect to CRI-O
$ sudo tee /etc/crictl.yaml > /dev/null << EOF
runtime-endpoint: unix:///var/run/crio/crio.sock
image-endpoint: unix:///var/run/crio/crio.sock
timeout: 10
debug: false
pull-image-on-create: false
EOF
# Test the connection
$ sudo crictl info
Sample output:
{
"status": {
"conditions": [
{
"type": "RuntimeReady",
"status": true,
"reason": "",
"message": ""
},
{
"type": "NetworkReady",
"status": true,
"reason": "",
"message": ""
}
]
}
}
Step 2: Configure kubelet to use CRI-O
$ sudo vi /etc/kubernetes/kubelet-config.yaml
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
containerRuntimeEndpoint: unix:///var/run/crio/crio.sock
cgroupDriver: systemd
featureGates:
  RotateKubeletServerCertificate: true
# Or start kubelet with command-line flags
# (--container-runtime=remote is omitted: that flag was removed in Kubernetes 1.27)
$ kubelet --container-runtime-endpoint=unix:///var/run/crio/crio.sock \
--cgroup-driver=systemd \
--config=/etc/kubernetes/kubelet-config.yaml
# Check the kubelet service status
$ sudo systemctl status kubelet
Sample output:
● kubelet.service - Kubernetes Kubelet Server
Loaded: loaded (/usr/lib/systemd/system/kubelet.service; enabled; preset: disabled)
Active: active (running) since Fri 2026-03-15 10:45:00 CST; 1min ago
Docs: https://kubernetes.io/docs/
Main PID: 23456 (kubelet)
Tasks: 25
Memory: 120.5M
CPU: 3.5s
CGroup: /system.slice/kubelet.service
└─23456 /usr/bin/kubelet --container-runtime-endpoint=unix:///var/run/crio/crio.sock
6. Verifying and Testing CRI-O
After installation, verify that CRI-O works correctly.
Step 1: Test running a container
$ sudo crictl pull nginx:alpine
Sample output:
Image is up to date for docker.io/library/nginx@sha256:abc123def456
# List images
$ sudo crictl images
Sample output:
IMAGE TAG IMAGE ID SIZE
docker.io/library/nginx alpine abc123def456789 9.5MB
# Create the Pod sandbox configuration
$ cat > /tmp/sandbox.json << EOF
{
"metadata": {
"name": "nginx-sandbox",
"namespace": "default",
"attempt": 1,
"uid": "hdishd83djaidwnduwk28bcsb"
},
"log_directory": "/tmp",
"linux": {
"security_context": {
"namespace_options": {
"pid": 1
}
}
}
}
EOF
# Create the Pod sandbox
$ sudo crictl runp /tmp/sandbox.json
Sample output:
abc123def456789012345678901234567890123456789012345678901234
# List Pods
$ sudo crictl pods
Sample output:
POD ID CREATED STATE NAME NAMESPACE ATTEMPT
abc123def45678901 10 seconds ago Ready nginx-sandbox default 1
Step 2: Create a test container
$ cat > /tmp/container.json << EOF
{
  "metadata": {
    "name": "nginx"
  },
  "image": {
    "image": "nginx:alpine"
  },
  "log_path": "nginx.log",
  "linux": {
    "security_context": {
      "namespace_options": {
        "pid": 1
      }
    }
  }
}
EOF
# Create the container
$ sudo crictl create abc123def45678901 /tmp/container.json /tmp/sandbox.json
Sample output:
def456ghi789012345678901234567890123456789012345678901234567
# Start the container
$ sudo crictl start def456ghi789012345678901234567890123456789012345678901234567
Sample output:
def456ghi789012345678901234567890123456789012345678901234567
# List containers
$ sudo crictl ps
Sample output:
CONTAINER ID IMAGE CREATED STATE NAME ATTEMPT
def456ghi78901 nginx:alpine 30 seconds ago Running nginx 0
# View the container logs
$ sudo crictl logs def456ghi78901
Sample output:
192.168.1.51 - - [15/Mar/2026:10:50:00 +0800] "GET / HTTP/1.1" 200 615 "-" "curl/7.76.1"
7. Storage Driver Configuration
CRI-O supports several storage drivers; the overlay2 driver is recommended for production environments.
Storage driver configuration
$ sudo crictl info | grep storageDriver
Sample output:
"storageDriver": "overlay",
# Configure the storage driver (edit crio.conf)
$ sudo vi /etc/crio/crio.conf
[crio]
root = "/data/containers/storage"
runroot = "/run/containers/storage"
storage_driver = "overlay"
storage_option = [
"overlay.mountopt=nodev,metacopy=on",
]
# Create the storage directory
$ sudo mkdir -p /data/containers/storage
$ sudo chown -R root:root /data/containers/storage
# Restart CRI-O
$ sudo systemctl restart crio
# Verify the storage configuration
$ sudo crictl info
Sample output:
{
"status": {
"conditions": [
{
"type": "RuntimeReady",
"status": true
},
{
"type": "NetworkReady",
"status": true
}
]
},
"config": {
"containerd": {
"snapshotter": "overlay"
}
}
}
8. Network Configuration
CRI-O uses CNI plugins for networking, so the CNI plugins must be installed and configured correctly.
Step 1: Install the CNI plugins
$ wget https://github.com/containernetworking/plugins/releases/download/v1.4.0/cni-plugins-linux-amd64-v1.4.0.tgz
# Create the CNI directory
$ sudo mkdir -p /opt/cni/bin
# Extract and install
$ sudo tar -xzf cni-plugins-linux-amd64-v1.4.0.tgz -C /opt/cni/bin/
# List the installed plugins
$ ls /opt/cni/bin/
Sample output:
bandwidth bridge dhcp dummy firewall host-device host-local ipvlan loopback macvlan portmap ptp sbr static tuning vlan vrf
# Create the CNI configuration directory
$ sudo mkdir -p /etc/cni/net.d
Step 2: Configure the CNI network
$ sudo tee /etc/cni/net.d/10-crio-bridge.conf > /dev/null << EOF
{
  "cniVersion": "1.0.0",
  "name": "crio",
  "type": "bridge",
  "bridge": "cni0",
  "isGateway": true,
  "ipMasq": true,
  "hairpinMode": true,
  "ipam": {
    "type": "host-local",
    "routes": [
      { "dst": "0.0.0.0/0" }
    ],
    "ranges": [
      [{ "subnet": "10.85.0.0/16", "gateway": "10.85.0.1" }]
    ]
  }
}
EOF
# Verify the network configuration
$ sudo crictl info | grep network
Sample output:
"network": {
"cni": {
"pluginDirs": [
"/opt/cni/bin"
],
"pluginConfDir": "/etc/cni/net.d"
}
}
# Restart CRI-O to apply the configuration
$ sudo systemctl restart crio
# Verify that the network is ready
$ sudo crictl info | grep NetworkReady
Sample output:
"type": "NetworkReady",
"status": true,
"message": ""
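The crictl archive in section 5 and the CNI plugin archive in Step 1 above are unpacked as root into /usr/local/bin and /opt/cni/bin without the checksum step used for the CRI-O tarball. The following is an added example (not from the original page or either project) that checks a pinned SHA-256 digest and the archive's member paths before extracting; verify_and_extract and the sample archive are hypothetical, and the digest to pin has to come from the project's release page.

```shell
# Added example: verify_and_extract is a hypothetical helper, not part of
# cri-tools or the CNI plugins project.
verify_and_extract() {   # usage: verify_and_extract <tarball> <sha256-hex> <dest-dir>
  tarball=$1; want=$2; dest=$3
  got=$(sha256sum "$tarball" | cut -d' ' -f1)
  if [ "$got" != "$want" ]; then
    echo "digest mismatch for $tarball: got $got" >&2
    return 1
  fi
  # Refuse absolute or ../ member paths that would land outside dest.
  if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "unsafe member path in $tarball" >&2
    return 1
  fi
  # --no-same-owner: files end up owned by the extracting user, not by
  # whatever uid/gid the archive records.
  mkdir -p "$dest" && tar -xzf "$tarball" -C "$dest" --no-same-owner
}

# Constructed sample: a one-file tarball standing in for a release archive.
work=$(mktemp -d)
mkdir "$work/src" && echo demo > "$work/src/crictl"
tar -czf "$work/demo.tar.gz" -C "$work/src" crictl
pinned=$(sha256sum "$work/demo.tar.gz" | cut -d' ' -f1)   # placeholder for a published digest
verify_and_extract "$work/demo.tar.gz" "$pinned" "$work/bin" && echo "extracted"
# A digest that does not match stops the extraction before anything is written.
verify_and_extract "$work/demo.tar.gz" "$(printf '%064d' 0)" "$work/bad" || echo "rejected"
```

On a real node the call would be run with sudo and the destination would be /usr/local/bin or /opt/cni/bin.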
This article was compiled and published by 风哥教程 and is for learning and testing use only. When reposting, cite the source: http://www.fgedu.net.cn/10327.html
