In 2017, the Kubernetes project introduced its Container Runtime Interface (CRI). CRI is a plugin interface that lets the kubelet (the agent that starts containers and creates pods in a Kubernetes cluster) use different OCI-compliant container runtimes without modifications to the Kubernetes code. The CRI-O project, built from the work on Kubernetes CRI, is a lightweight runtime for Kubernetes.

This short guide has one purpose: to help you install and use the CRI-O container runtime on Debian. With CRI-O, you can run containers directly from Kubernetes without the need for any tooling. Provided the container is OCI-compliant, CRI-O will be able to run it. The introduction of CRI significantly reduced the maintenance overhead for the upstream Kubernetes community and all the vendors building solutions on top of the Kubernetes orchestration platform.

Here is an overview of how CRI-O works in the Kubernetes ecosystem.

[Figure: CRI Overview. Image source: Red Hat]

Install CRI-O Container Runtime on Debian

Follow the steps provided in this guide to have a working setup of CRI-O Container Runtime on Debian Linux.

Step 1: Update Debian System

We always start our installations by updating and upgrading the system.

sudo apt update && sudo apt -y upgrade

If the upgrade completes without errors, reboot the system before adding the CRI-O APT repository.

sudo reboot

Step 2: Add CRI-O repository

Since CRI-O's scope is to work with Kubernetes in managing and running OCI containers, it is recommended to install the version of CRI-O that matches your Kubernetes release. The project provides some user-facing tools for troubleshooting containers on Kubernetes.

Check your Kubernetes version and change the versions below to match.

KUBERNETES_VERSION=v1.30
CRIO_VERSION=v1.30

Adding CRI-O repository on Debian:

echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/stable:/$CRIO_VERSION/deb/ /" |
    sudo tee /etc/apt/sources.list.d/cri-o.list

Import the GPG key used for package signing after the repository has been added to the system.

curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/stable:/$CRIO_VERSION/deb/Release.key |
    sudo gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg

Test if the repo is working:

sudo apt update

Step 3: Install CRI-O on Debian

Install CRI-O on Debian using the commands below:

sudo apt install cri-o

Accept the installation prompt with the y key.

Confirm the installed version:

$ apt show cri-o
Package: cri-o
Version: 1.30.3-1.1
Priority: optional
Section: admin
Maintainer: Kubernetes Authors <[email protected]>
Installed-Size: 73.9 MB
Pre-Depends: systemd
Depends: systemd-sysv,systemd,iptables
Recommends: kubernetes-cni
Homepage: https://kubernetes.io
Download-Size: 19.3 MB
APT-Manual-Installed: yes
APT-Sources: https://pkgs.k8s.io/addons:/cri-o:/stable:/v1.30/deb  Packages
..

Now that CRI-O is installed on our Debian system, let’s proceed to start the daemon service.

sudo systemctl start crio.service

The service has to be enabled so that it starts automatically when the system is rebooted.

$ sudo systemctl enable crio.service
Created symlink /etc/systemd/system/cri-o.service → /lib/systemd/system/crio.service.
Created symlink /etc/systemd/system/multi-user.target.wants/crio.service → /lib/systemd/system/crio.service.

Check the service status:

$ systemctl status crio
 crio.service - Container Runtime Interface for OCI (CRI-O)
     Loaded: loaded (/lib/systemd/system/crio.service; enabled; preset: enabled)
     Active: active (running) since Thu 2024-07-11 23:25:39 UTC; 8s ago
       Docs: https://github.com/cri-o/cri-o
   Main PID: 1628 (crio)
      Tasks: 8
     Memory: 14.0M
        CPU: 195ms
     CGroup: /system.slice/crio.service
             └─1628 /usr/bin/crio

Jul 11 23:25:39 deb12 crio[1628]: time="2024-07-11 23:25:39.852658644Z" level=info msg="Restore irqbalance config: failed to get current CPU ban list, ignoring"
Jul 11 23:25:39 deb12 crio[1628]: time="2024-07-11 23:25:39.878133563Z" level=warning msg="Error encountered when checking whether cri-o should wipe containers: open /var/run/crio/version: no such >
Jul 11 23:25:39 deb12 crio[1628]: time="2024-07-11 23:25:39.878800355Z" level=info msg="Registered SIGHUP reload watcher"
Jul 11 23:25:39 deb12 crio[1628]: time="2024-07-11 23:25:39.878843428Z" level=info msg="Starting seccomp notifier watcher"
Jul 11 23:25:39 deb12 crio[1628]: time="2024-07-11 23:25:39.878928453Z" level=info msg="Create NRI interface"
Jul 11 23:25:39 deb12 crio[1628]: time="2024-07-11 23:25:39.879168526Z" level=info msg="runtime interface created"
Jul 11 23:25:39 deb12 crio[1628]: time="2024-07-11 23:25:39.879213717Z" level=info msg="Registered domain \"k8s.io\" with NRI"
Jul 11 23:25:39 deb12 crio[1628]: time="2024-07-11 23:25:39.879235698Z" level=info msg="runtime interface starting up..."
Jul 11 23:25:39 deb12 crio[1628]: time="2024-07-11 23:25:39.879256992Z" level=info msg="starting plugins..."
Jul 11 23:25:39 deb12 systemd[1]: Started crio.service - Container Runtime Interface for OCI (CRI-O).

Install crictl:

VERSION=$(curl -s https://api.github.com/repos/kubernetes-sigs/cri-tools/releases/latest | grep -oP '"tag_name": "\K(.*)(?=")')
curl -L https://github.com/kubernetes-sigs/cri-tools/releases/download/$VERSION/crictl-${VERSION}-linux-amd64.tar.gz --output crictl-${VERSION}-linux-amd64.tar.gz
sudo tar zxvf crictl-$VERSION-linux-amd64.tar.gz -C /usr/local/bin
sudo chmod +x /usr/local/bin/crictl
rm -f crictl-$VERSION-linux-amd64.tar.gz
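
The commands above extract a downloaded archive into /usr/local/bin as root without checking its integrity. The following is an added example, not part of the original guide: it compares the tarball's SHA-256 digest with a checksum file before extracting. The function names verify_sha256 and install_verified are hypothetical, and it assumes a checksum file for the tarball has been downloaded alongside it.

```shell
#!/bin/sh
# verify_sha256 FILE CHECKSUM_FILE
# Returns 0 only when FILE's SHA-256 digest equals the one in CHECKSUM_FILE.
# Accepts a bare hex digest or the "digest  filename" layout; returns 2 when
# either file is missing or the stored value is not a 64-character hex digest.
verify_sha256() {
    file=$1
    sumfile=$2
    [ -f "$file" ] && [ -f "$sumfile" ] || return 2

    # The digest is the first whitespace-separated field of the first line.
    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    case $expected in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# install_verified TARBALL CHECKSUM_FILE DEST_DIR
# Extracts the archive only after the digest check passes.
install_verified() {
    if verify_sha256 "$1" "$2"; then
        tar -xzf "$1" -C "$3"
    else
        echo "digest check failed for $1, not extracting" >&2
        return 1
    fi
}

# Constructed demo: a throwaway archive stands in for the crictl tarball.
demo=$(mktemp -d)
printf 'constructed payload\n' > "$demo/crictl"
tar -czf "$demo/crictl.tar.gz" -C "$demo" crictl
sha256sum "$demo/crictl.tar.gz" > "$demo/crictl.tar.gz.sha256"
mkdir "$demo/bin"
install_verified "$demo/crictl.tar.gz" "$demo/crictl.tar.gz.sha256" "$demo/bin" \
    && echo "verified and extracted"
printf 'tampered' >> "$demo/crictl.tar.gz"
install_verified "$demo/crictl.tar.gz" "$demo/crictl.tar.gz.sha256" "$demo/bin" \
    || echo "tampered archive rejected"
rm -rf "$demo"
```

A checksum fetched from the same location as the archive detects corruption and partial downloads; it does not protect against a compromised download source.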

Step 4: Using CRI-O on Debian

As stated earlier, CRI-O is intended for use with Kubernetes as the container runtime that the kubelet talks to for the creation, deletion and general lifecycle management of containers.

Check that the crictl command works:

$ sudo crictl info
{
  "status": {
    "conditions": [
      {
        "type": "RuntimeReady",
        "status": true,
        "reason": "",
        "message": ""
      },
      {
        "type": "NetworkReady",
        "status": false,
        "reason": "NetworkPluginNotReady",
        "message": "Network plugin returns error: no CNI configuration file in /etc/cni/net.d/. Has your network provider started?"
      }
    ]
  },
  "runtimeHandlers": [
    {
      "name": "runc",
      "features": {
        "recursive_read_only_mounts": true
      }
    },
    {
      "name": "crun",
      "features": {
        "recursive_read_only_mounts": true,
        "user_namespaces": true
      }
    },
    {
      "features": {
        "recursive_read_only_mounts": true,
        "user_namespaces": true
      }
    }
  ],
  "config": {
    "sandboxImage": "registry.k8s.io/pause:3.9"
  }
}

We can pull a test image using the crictl command:

$ sudo crictl pull hello-world
Image is up to date for docker.io/library/hello-world@sha256:1408fec50309afee38f3535383f5b09419e6dc0925bc69891e79d84cc4cdcec6

$ sudo crictl pull busybox
Image is up to date for docker.io/library/busybox@sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9

List available images:

$ sudo crictl images
IMAGE                           TAG                 IMAGE ID            SIZE
docker.io/library/busybox       latest              ffe9d497c3241       1.46MB
docker.io/library/hello-world   latest              feb5d9fea6a5e       19.9kB

Your next task is the deployment of Kubernetes on a Debian Linux system using the CRI-O runtime.
