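CRI-O Kubernetes Container Runtime Tutorial
CRI-O is a lightweight container runtime designed specifically for Kubernetes. It implements the Kubernetes CRI (Container Runtime Interface) specification and provides the minimal feature set needed to run containers. Compared with containerd, CRI-O focuses more narrowly on the Kubernetes use case and leaves out non-core features such as image building, which makes it more lightweight and more secure.
1. CRI-O Features
- Designed for Kubernetes: implements only the CRI interface, with no extra functionality.
- Version alignment: CRI-O versions track Kubernetes versions.
- OCI compatible: supports all container images and runtimes that conform to the OCI specifications.
- Security: supports security features such as SELinux, seccomp and Capabilities.
- Low resource usage: consumes fewer resources than the Docker + dockershim setup.
2. Installing CRI-O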
2.1 Ubuntu/Debian
# Set the version (matching the Kubernetes version)
CRIO_VERSION=1.29
OS=xUbuntu_22.04
# Add the repositories
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$CRIO_VERSION/$OS/ /" | tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$CRIO_VERSION.list
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$CRIO_VERSION/$OS/Release.key | apt-key add -
apt-get update && apt-get install -y cri-o cri-o-runc
2.2 CentOS/RHEL
CRIO_VERSION=1.29
OS=CentOS_8
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/devel:kubic:libcontainers:stable.repo
curl -L -o /etc/yum.repos.d/devel:kubic:libcontainers:stable:cri-o:$CRIO_VERSION.repo https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$CRIO_VERSION/$OS/devel:kubic:libcontainers:stable:cri-o:$CRIO_VERSION.repo
yum install -y cri-o
2.3 Starting the Service
systemctl enable --now crio
systemctl status crio
crio --version
3. Configuring CRI-O
# Main configuration file
cat /etc/crio/crio.conf
# Common configuration adjustments
cat > /etc/crio/crio.conf.d/01-custom.conf <<'EOF'
[crio.runtime]
default_runtime = "runc"
conmon_cgroup = "pod"
cgroup_manager = "systemd"
[crio.image]
pause_image = "registry.k8s.io/pause:3.9"
[crio.network]
network_dir = "/etc/cni/net.d/"
plugin_dirs = ["/opt/cni/bin/"]
EOF
systemctl restart crio
4. Managing with crictl
# Configure crictl to connect to CRI-O
cat > /etc/crictl.yaml <<'EOF'
runtime-endpoint: unix:///var/run/crio/crio.sock
image-endpoint: unix:///var/run/crio/crio.sock
timeout: 10
EOF
# Pull an image
crictl pull nginx:latest
# List images
crictl images
# List running containers
crictl ps
# List Pods
crictl pods
# View container logs
crictl logs CONTAINER_ID
# Open a shell in a container
crictl exec -it CONTAINER_ID /bin/sh
5. Integrating with kubeadm
# Specify CRI-O when initializing the Kubernetes cluster
kubeadm init --cri-socket unix:///var/run/crio/crio.sock --pod-network-cidr=10.244.0.0/16
# Specify CRI-O when joining the cluster
kubeadm join master:6443 --token xxx --discovery-token-ca-cert-hash sha256:xxx --cri-socket unix:///var/run/crio/crio.sock
6. Storage and Logging Configuration
# CRI-O storage configuration
cat > /etc/containers/storage.conf <<'EOF'
[storage]
driver = "overlay"
runroot = "/run/containers/storage"
graphroot = "/var/lib/containers/storage"
EOF
# Logging configuration
cat > /etc/crio/crio.conf.d/02-logging.conf <<'EOF'
# log_dir is a key of the top-level [crio] table, not of [crio.runtime]
[crio]
log_dir = "/var/log/crio/pods"
[crio.runtime]
log_level = "info"
log_size_max = 10485760
EOF
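7. Common Problems
CRI-O cannot pull images
# Check the image registry configuration
cat /etc/containers/registries.conf
# Add Docker Hub as an unqualified search registry
# (v2 format; the older [registries.search] table is deprecated and cannot be mixed with v2 keys)
# unqualified-search-registries = ["docker.io"]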
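Short names such as nginx:latest depend on the search-registry configuration in registries.conf, while fully qualified names do not. The following is an added example, not part of the original tutorial: it classifies image references as short or fully qualified, using the common convention that the first path component is a registry host only if it contains "." or ":" or is "localhost". The function names and the sample references (other than nginx:latest and the pause image from this page) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit image references before pulling them with crictl.

# Print the registry host of a reference, or nothing for a short name.
image_registry() {
    ref=$1
    case $ref in
        */*) first=${ref%%/*} ;;
        *)   return 0 ;;              # no "/" at all: always a short name
    esac
    case $first in
        localhost|*.*|*:*) printf '%s\n' "$first" ;;
    esac
}

# Print the tag ("latest" when omitted, nothing when pinned by digest).
image_tag() {
    ref=$1
    case $ref in *@*) return 0 ;; esac
    last=${ref##*/}                   # a ":" in the host part is a port, not a tag
    case $last in
        *:*) printf '%s\n' "${last##*:}" ;;
        *)   printf 'latest\n' ;;
    esac
}

# Print "<SHORT|QUALIFIED> <digest|tag|mutable-latest> <ref>".
# SHORT references are resolved through unqualified-search-registries.
audit_ref() {
    ref=$1
    reg=$(image_registry "$ref")
    tag=$(image_tag "$ref")
    if [ -z "$reg" ]; then kind=SHORT; else kind=QUALIFIED; fi
    case $ref in
        *@*) pin=digest ;;
        *)   if [ "$tag" = latest ]; then pin=mutable-latest; else pin=tag; fi ;;
    esac
    printf '%s %s %s\n' "$kind" "$pin" "$ref"
}

# Constructed sample input; "<digest>" is a placeholder, not a real digest.
while read -r r; do audit_ref "$r"; done <<'EOF'
nginx:latest
registry.k8s.io/pause:3.9
myteam/app
localhost:5000/app:1.0
registry.example.com/team/app@sha256:<digest>
EOF
```

References reported as SHORT can be rewritten with an explicit registry (for example docker.io/library/nginx:latest) so the pull no longer depends on the search list.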
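Summary
CRI-O is a container runtime tailor-made for Kubernetes and a lightweight, efficient choice when deploying a K8s cluster on a BandwagonHost VPS. Together with containerd, it is one of the two mainstream runtimes that Kubernetes currently supports. For more Kubernetes tools, see Kompose and Kustomize.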