Install CRI-O Container Runtime on Debian 11 / Debian 10

In the year 2017, the Kubernetes project introduced to the public its Container Runtime Interface (CRI). CRI is a plugin interface designed to give kubelet (an agent used to start containers and create pods in Kubernetes cluster) the ability to use different OCI-compliant container runtimes, without modifications on Kubernetes code. The CRI-O project, build from the work of Kubernetes CRI, is a lightweight runtime for Kubernetes.

This short guide has only one intention, to enable you install and use CRI-O Container Runtime on Debian 11 / Debian 10. With CRI-O, you can run containers directly from Kubernetes without a need for any tooling. Provided the container is OCI-compliant, CRI-O will be able to run it. The introduction of CRI significantly reduced the maintenance overhead for the upstream Kubernetes community and all the vendors building solutions on top of the Kubernetes orchestration platform.

Here is an overview picture on how CRI-O works in Kubernetes ecosystem.

Install CRI-O Container Runtime on Debian 11 / Debian 10

Follow the steps provided in this guide to have a working setup ofCRI-O Container Runtime on Debian 11 / Debian 10.

Step 1: Update Debian System

We always start our installations by updating and upgrading the system.

sudo apt update && sudo apt -y upgrade

If the upgrade completes without errors, reboot the system before adding CRI-O APT repository to the system.

sudo reboot

Step 2: Add CRI-O Kubic repository to Debian system

Since the scope for CRI-O is to work with Kubernetes in management and running OCI containers, it is recommended to install the version of CRI-O matching your Kubernetes release. The project provides some user-facing tools for troubleshooting containers on Kubernetes.

The Kubernetes release that will be running on my Debian servers is version 1.23. For this release, we’ll add CRI-O version 1.23. repository.

Adding repo on Debian 11 / Debian 10:

OS=Debian_10
CRIO_VERSION=1.23

echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /"|sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
echo "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$CRIO_VERSION/$OS/ /"|sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$CRIO_VERSION.list

Import GPG key used in packages signing after repository has been added to the system.

curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$CRIO_VERSION/$OS/Release.key | sudo apt-key add -
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | sudo apt-key add -

Test if repo is working

$ sudo apt update
Hit:1 http://security.debian.org/debian-security bullseye-security InRelease
Hit:2 http://deb.debian.org/debian bullseye InRelease
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease
Get:4 http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.22/Debian_10  InRelease [1604 B]
Hit:5 http://deb.debian.org/debian bullseye-backports InRelease
Get:6 https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10  InRelease [1629 B]
Get:7 http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/1.22/Debian_10  Packages [1659 B]
Get:8 https://downloadcontent.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/Debian_10  Packages [30.6 kB]
Fetched 35.5 kB in 2s (17.2 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
3 packages can be upgraded. Run 'apt list --upgradable' to see them.

Step 3: Install CRI-O onDebian 11 / Debian 10

Perform update before installingCRI-O onDebian 11 / Debian 10:

sudo apt update
sudo apt upgrade

InstallCRI-O onDebian 11 / Debian 10 using the commands:

sudo apt install cri-o cri-o-runc

Accept installation prompt with y key.

eading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  conmon containers-common
Suggested packages:
  containernetworking-plugins
The following NEW packages will be installed:
  conmon containers-common cri-o cri-o-runc
0 upgraded, 4 newly installed, 0 to remove and 0 not upgraded.
Need to get 23.2 MB of archives.
After this operation, 112 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Confirm version installed:

$ apt show cri-o
Package: cri-o
Version: 1.23.0~0
Priority: optional
Section: devel
Maintainer: Peter Hunt <[email protected]>
Installed-Size: 98.3 MB
Depends: libgpgme11, libseccomp2, conmon, containers-common (>= 0.1.27), tzdata
Suggests: cri-o-runc | runc (>= 1.0.0), containernetworking-plugins
Replaces: cri-o-1.19, cri-o-1.20, cri-o-1.21
Homepage: https://github.com/cri-o/cri-o

Now that CRI-O is installed on our Debian system, let’s proceed to start the daemon service.

sudo systemctl start crio.service

Service has to be enabled for automatic start when the system is rebooted.

$ sudo systemctl enable crio.service
Created symlink /etc/systemd/system/cri-o.service → /lib/systemd/system/crio.service.
Created symlink /etc/systemd/system/multi-user.target.wants/crio.service → /lib/systemd/system/crio.service.

Service status checking:

$ systemctl status crio
● crio.service - Container Runtime Interface for OCI (CRI-O)
     Loaded: loaded (/lib/systemd/system/crio.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2021-12-09 11:51:30 UTC; 49s ago
       Docs: https://github.com/cri-o/cri-o
   Main PID: 56978 (crio)
      Tasks: 9
     Memory: 13.8M
        CPU: 151ms
     CGroup: /system.slice/crio.service
             └─56978 /usr/bin/crio

Dec 09 11:51:30 debian-bullseye-01 crio[56978]: time="2021-12-09 11:51:30.286809913Z" level=info msg="Installing default AppArmor profile: crio-default"
Dec 09 11:51:30 debian-bullseye-01 crio[56978]: time="2021-12-09 11:51:30.345230742Z" level=info msg="No blockio config file specified, blockio not configured"
Dec 09 11:51:30 debian-bullseye-01 crio[56978]: time="2021-12-09 11:51:30.345278849Z" level=info msg="RDT not available in the host system"
Dec 09 11:51:30 debian-bullseye-01 crio[56978]: time="2021-12-09 11:51:30.345831790Z" level=warning msg="Error validating CNI config file /etc/cni/net.d/100-crio-bridge.conf: [failed to find plugin>
Dec 09 11:51:30 debian-bullseye-01 crio[56978]: time="2021-12-09 11:51:30.345957038Z" level=warning msg="Error validating CNI config file /etc/cni/net.d/200-loopback.conf: [failed to find plugin \">
Dec 09 11:51:30 debian-bullseye-01 crio[56978]: time="2021-12-09 11:51:30.345993539Z" level=info msg="Updated default CNI network name to "
Dec 09 11:51:30 debian-bullseye-01 crio[56978]: time="2021-12-09 11:51:30.379659259Z" level=warning msg="The binary conntrack is not installed, this can cause failures in network connection cleanup"
Dec 09 11:51:30 debian-bullseye-01 crio[56978]: time="2021-12-09 11:51:30.383083211Z" level=warning msg="The binary conntrack is not installed, this can cause failures in network connection cleanup"
Dec 09 11:51:30 debian-bullseye-01 crio[56978]: time="2021-12-09 11:51:30.383383082Z" level=warning msg="Error encountered when checking whether cri-o should wipe images: version file /var/lib/crio>
Dec 09 11:51:30 debian-bullseye-01 systemd[1]: Started Container Runtime Interface for OCI (CRI-O).

Step 4: Using CRI-O on Debian 11 / Debian

As stated earlier, CRI-O is intended for use with Kubernetes as container runtime that kubelet speaks to in fulfilling the creation, deletion and general lifecycle management of containers.

However, a command line tool crioctl can be installed from cri-tools package as client facing tool to interact with CRI-O daemon.

sudo apt install cri-tools

Check existence of crictl command:

$ sudo crictl info
{
  "status": {
    "conditions": [
      {
        "type": "RuntimeReady",
        "status": true,
        "reason": "",
        "message": ""
      },
      {
        "type": "NetworkReady",
        "status": false,
        "reason": "NetworkPluginNotReady",
        "message": "Network plugin returns error: Missing CNI default network"
      }
    ]
  }
}

We can pull a test image using crictl command:

$ sudo crictl pull hello-world
Image is up to date for docker.io/library/hello-world@sha256:cc15c5b292d8525effc0f89cb299f1804f3a725c8d05e158653a563f15e4f685


$ sudo crictl pull busybox
Image is up to date for docker.io/library/busybox@sha256:50e44504ea4f19f141118a8a8868e6c5bb9856efa33f2183f5ccea7ac62aacc9

List available images:

$ sudo crictl images
IMAGE                           TAG                 IMAGE ID            SIZE
docker.io/library/busybox       latest              ffe9d497c3241       1.46MB
docker.io/library/hello-world   latest              feb5d9fea6a5e       19.9kB

Your next task is deployment of Kubernetes on Debian 11 / Debian 10 Linux system using CRI-O runtime.

We have more guides on Kubernetes administration, some are shared in the links below:

• Deploy Nginx Ingress Controller on Kubernetes using Helm Chart

For installation of CRI-O on CentOS Linux, refer to:

• Install CRI-O Container Runtime on CentOS Linux
• Install Kubernetes Cluster on Rocky Linux 8 with Kubeadm & CRI-O
• k0s vs k3s vs microk8s Kubernetes Distributions Comparison
• How To Add Multiple Kubernetes Clusters to Jenkins
• Setup Prometheus and Grafana on Kubernetes using prometheus-operator