CRI-O

基于开放容器倡议的 Kubernetes 容器运行时接口实现。「Open Container Initiative-based implementation of Kubernetes Container Runtime Interface.」

Github星跟蹤圖

CRI-O logo

CRI-O - OCI-based implementation of Kubernetes Container Runtime Interface

Stable Status
codecov
Packages
Release Notes
Dependencies
GoDoc
OpenSSF Best Practices
Go Report Card
FOSSA Status
Mentioned in Awesome CRI-O
Gitpod ready-to-code

Compatibility matrix: CRI-O ⬄ Kubernetes

CRI-O follows the Kubernetes release cycles with respect to its minor versions
(1.x.y). Patch releases (1.x.z) for Kubernetes are not in sync with those from
CRI-O, because they are scheduled for each month, whereas CRI-O provides
them only if necessary. If a Kubernetes release goes End of
Life
,
then the corresponding CRI-O version can be considered in the same way.

This means that CRI-O also follows the Kubernetes n-2 release version skew
policy when it comes to feature graduation, deprecation or removal. This also
applies to features which are independent from Kubernetes. Nevertheless, feature
backports to supported release branches, which are independent from Kubernetes
or other tools like cri-tools, are still possible. This allows CRI-O to decouple
from the Kubernetes release cycle and have enough flexibility when it comes to
implement new features. Every feature to be backported will be a case by case
decision of the community while the overall compatibility matrix should not be
compromised.

For more information visit the Kubernetes Version Skew
Policy
.

CRI-O Kubernetes Maintenance status
main branch master branch Features from the main Kubernetes repository are actively implemented
release-1.x branch (v1.x.y) release-1.x branch (v1.x.z) Maintenance is manual, only bugfixes will be backported.

The release notes for CRI-O are hand-crafted and can be continuously retrieved
from our GitHub pages website.

What is the scope of this project?

CRI-O is meant to provide an integration path between OCI conformant runtimes and
the Kubelet.
Specifically, it implements the Kubelet Container Runtime Interface (CRI)
using OCI conformant runtimes.
The scope of CRI-O is tied to the scope of the CRI.

At a high level, we expect the scope of CRI-O to be restricted to the following functionalities:

  • Support multiple image formats including the existing Docker image format
  • Support for multiple means to download images including trust & image verification
  • Container image management (managing image layers, overlay filesystems, etc)
  • Container process lifecycle management
  • Monitoring and logging required to satisfy the CRI
  • Resource isolation as required by the CRI

What is not in the scope of this project?

  • Building, signing and pushing images to various image storages
  • A CLI utility for interacting with CRI-O. Any CLIs built as part of this project
    are only meant for testing this project and there will be no guarantees on the
    backward compatibility with it.

CRI-O is an implementation of the Kubernetes Container Runtime Interface (CRI)
that will allow Kubernetes to directly launch and manage
Open Container Initiative (OCI) containers.

The plan is to use OCI projects and best of breed libraries for different aspects:

It is currently in active development in the Kubernetes community through the
design proposal.
Questions and issues should be raised in the Kubernetes sig-node Slack channel.

Roadmap

A roadmap that describes the direction of CRI-O can be found here.
The project is tracking all ongoing efforts as part of the Feature Roadmap
GitHub project
.

Commands

Command Description
crio(8) OCI Kubernetes Container Runtime daemon

Examples of commandline tools to interact with CRI-O
(or other CRI compatible runtimes) are Crictl
and Podman.

Configuration

File Description
crio.conf(5) CRI-O Configuration file
policy.json(5) Signature Verification Policy File(s)
registries.conf(5) Registries Configuration file
storage.conf(5) Storage Configuration file

Security

The security process for reporting vulnerabilities is described in SECURITY.md.

OCI Hooks Support

You can configure CRI-O to inject
OCI Hooks when creating containers.

CRI-O Usage Transfer

We provide useful information for operations and development transfer
as it relates to infrastructure that utilizes CRI-O.

Communication

For async communication and long running discussions please use issues
and pull requests on the GitHub repo.
This will be the best place to discuss design and implementation.

For chat communication, we have a channel on the Kubernetes slack
that everyone is welcome to join and chat about development.

Awesome CRI-O

We maintain a curated list of links related to CRI-O. Did you find
something interesting on the web about the project? Awesome, feel free to open
up a PR and add it to the list.

Getting started

Installing CRI-O

To install CRI-O, you can follow our installation guide.
Alternatively, if you'd rather build CRI-O from source, checkout our setup
guide
.
We also provide a way in building
static binaries of CRI-O via nix as part of the
cri-o/packaging repository.
Those binaries are available for every successfully built commit on our
Google Cloud Storage Bucket.
This means that the latest commit can be installed via our convenience script:

> curl https://raw.githubusercontent.com/cri-o/packaging/main/get | bash

The script automatically verifies the uploaded sigstore signatures as well, if
the local system has cosign available in
its $PATH. The same applies to the SPDX based bill of
materials (SBOM), which gets automatically verified if the
bom tool is in $PATH.

Besides amd64, we also support the arm64 and ppc64le bit architectures.
This can be selected via the script, too:

curl https://raw.githubusercontent.com/cri-o/packaging/main/get | bash -s -- -a arm64

It is also possible to select a specific git SHA or tag by:

curl https://raw.githubusercontent.com/cri-o/packaging/main/get | bash -s -- -t v1.21.0

The above script resolves to the download URL of the static binary bundle
tarball matching the format:

https://storage.googleapis.com/cri-o/artifacts/cri-o.$ARCH.$REV.tar.gz

Where $ARCH can be amd64 or arm64 or ppc64le and $REV
can be any git SHA or tag.
Please be aware that using the latest main SHA might cause a race, because
the CI has not finished publishing the artifacts yet or failed.

We also provide a Software Bill of Materials (SBOM) in the SPDX
format
for each bundle. The SBOM is available at the same URL
like the bundle itself, but suffixed with .spdx:

https://storage.googleapis.com/cri-o/artifacts/cri-o.$ARCH.$REV.tar.gz.spdx

Running Kubernetes with CRI-O

Before you begin, you'll need to start CRI-O

You can run a local version of Kubernetes with CRI-O using local-up-cluster.sh:

  1. Clone the Kubernetes repository
  2. From the Kubernetes project directory, run:
CGROUP_DRIVER=systemd \
CONTAINER_RUNTIME=remote \
CONTAINER_RUNTIME_ENDPOINT='unix:///var/run/crio/crio.sock' \
./hack/local-up-cluster.sh

For more guidance in running CRI-O, visit our tutorial page

The HTTP status API

CRI-O exposes per default the gRPC API to fulfill the
Container Runtime Interface (CRI) of Kubernetes. Besides this, there exists an
additional HTTP API to retrieve further runtime status information about CRI-O.
Please be aware that this API is not considered to be stable and production
use-cases should not rely on it.

On a running CRI-O instance, we can access the API via an HTTP transfer tool like
curl:

$ sudo curl -v --unix-socket /var/run/crio/crio.sock http://localhost/info | jq
{
  "storage_driver": "btrfs",
  "storage_root": "/var/lib/containers/storage",
  "cgroup_driver": "systemd",
  "default_id_mappings": { ... }
}

The following API entry points are currently supported:

Path Content-Type Description
/info application/json General information about the runtime, like storage_driver and storage_root.
/containers/:id application/json Dedicated container information, like name, pid and image.
/config application/toml The complete TOML configuration (defaults to /etc/crio/crio.conf) used by CRI-O.
/pause/:id application/json Pause a running container.
/unpause/:id application/json Unpause a paused container.

The subcommand crio status can be used to access the API with a dedicated command
line tool. It supports all API endpoints via the dedicated subcommands config,
info and containers, for example:

$ sudo crio status info
cgroup driver: systemd
storage driver: btrfs
storage root: /var/lib/containers/storage
default GID mappings (format <container>:<host>:<size>):
  0:0:4294967295
default UID mappings (format <container>:<host>:<size>):
  0:0:4294967295

Metrics

Please refer to the CRI-O Metrics guide.

Tracing

Please refer to the CRI-O Tracing guide.

Container Runtime Interface special cases

Some aspects of the Container Runtime are worth some additional explanation.
These details are summarized in a dedicated guide.

Debugging tips

Having an issue? There are some tips and tricks for debugging located in
our debugging guide

Adopters

An incomplete list of adopters of CRI-O in production environments can be found here.
If you're a user, please help us complete it by submitting a pull-request!

Weekly Meeting

A weekly meeting is held to discuss CRI-O development. It is open to everyone.
The details to join the meeting are on the wiki.

Governance

For more information on how CRI-O is goverened, take a look at the governance file

License Scan

FOSSA Status

主要指標

概覽
名稱與所有者cri-o/cri-o
主編程語言Go
編程語言Makefile (語言數: 6)
平台Kubernetes, Linux
許可證Apache License 2.0
所有者活动
創建於2016-09-09 19:56:31
推送於2024-10-29 00:11:47
最后一次提交
發布數230
最新版本名稱v1.28.11 (發布於 2024-10-07 08:34:31)
第一版名稱v0.0.0 (發布於 )
用户参与
星數5.2k
關注者數126
派生數1.1k
提交數9.7k
已啟用問題?
問題數1454
打開的問題數62
拉請求數5526
打開的拉請求數34
關閉的拉請求數1647
项目设置
已啟用Wiki?
已存檔?
是復刻?
已鎖定?
是鏡像?
是私有?