Installing / using CRI-O on Fedora CoreOS

Hi

I successfully deployed some Fedora CoreOS VMs on VMware.

The FAQs under Fedora CoreOS Frequently Asked Questions :: Fedora Docs state that cri-o is installed by default, however this does not seem to be the case?

 whereis crio
crio: /usr/libexec/crio

Do I need to install it somehow? What would be the best practice for doing so? I read somewhere that layering packages using rpm-ostree is not encouraged. So far I have been installing some binaries in /opt/, like kubelet, kubeadm, crictl, CNI plugins by including them as remote files in my ignition config, because the official kubernetes documentation includes steps to copy these binaries on container linux (Installing kubeadm | Kubernetes).

Thanks!

The CRI-O daemon is a systemd service crio.service. If you want to control the service, the tool you use is crictl. You can see how to use it here.

[root@localhost ~]# ls /usr/libexec/crio/
conmon
[root@localhost ~]# systemctl enable crio
Failed to enable unit: Unit file crio.service does not exist.
[root@localhost ~]# whereis crio
crio: /usr/libexec/crio
[root@localhost ~]# ls -ld /usr/libexec/crio
drwxr-xr-x. 2 root root 20 Jan 1 1970 /usr/libexec/crio
[root@localhost ~]# which crictl
/usr/bin/which: no crictl in (/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin)
[root@localhost ~]# find / -name crio
find: File system loop detected; ‘/sysroot/ostree/deploy/fedora-coreos/deploy/f480038412cba26ab010d2cd5a09ddec736204a6e9faa8370edaa943cf33c932.0’ is part of the same file system loop as ‘/’.
/usr/libexec/crio
[root@localhost ~]# find / -name cri-o
find: File system loop detected; ‘/sysroot/ostree/deploy/fedora-coreos/deploy/f480038412cba26ab010d2cd5a09ddec736204a6e9faa8370edaa943cf33c932.0’ is part of the same file system loop as ‘/’.
[root@localhost ~]#

crictl and cri-o are not installed in fedora-coreos-31.20200113.3.1.
Is that normal, or a bug?

Thanks for your feedback.

There is no systemd unit file:

[root@localhost ~]# systemctl list-unit-files | grep cri
[root@localhost ~]#

And even if there was, there would still be lots of other files missing. If I query the crio package in a fedora container, I get a list of files:

[root@a992f07f4ac1 /]# dnf repoquery -l cri-o
Last metadata expiration check: 0:02:56 ago on Tue Jan 28 10:38:56 2020.
/etc/cni/net.d/100-crio-bridge.conf
/etc/cni/net.d/200-loopback.conf
/etc/crictl.yaml
/etc/crio
/etc/crio/crio.conf
/etc/sysconfig/crio
/etc/sysconfig/crio-metrics
/etc/sysconfig/crio-network
/etc/sysconfig/crio-storage
/usr/bin/crio
/usr/bin/crio-status
/usr/lib/.build-id
/usr/lib/.build-id/2c
/usr/lib/.build-id/2c/a252e694ab3c0405fa34772d9c959cf08d8f16
/usr/lib/.build-id/67
/usr/lib/.build-id/67/eada5dd7983ca265fd8079bc7bf5ad218863c0
/usr/lib/.build-id/da
/usr/lib/.build-id/da/18e00e1188b4cce23519982426d91193ce54d4
/usr/lib/systemd/system/cri-o.service
/usr/lib/systemd/system/crio-shutdown.service
/usr/lib/systemd/system/crio-wipe.service
/usr/lib/systemd/system/crio.service
/usr/libexec/crio
/usr/libexec/crio/pause
/usr/share/bash-completion/completions/crio
/usr/share/bash-completion/completions/crio-status
/usr/share/doc/cri-o
/usr/share/doc/cri-o/README.md
/usr/share/fish/completions/crio-status.fish
/usr/share/fish/completions/crio.fish
/usr/share/licenses/cri-o
/usr/share/licenses/cri-o/LICENSE
/usr/share/man/man5/crio.conf.5.gz
/usr/share/man/man8/crio-status.8.gz
/usr/share/man/man8/crio.8.gz
/usr/share/oci-umount
/usr/share/oci-umount/oci-umount.d
/usr/share/oci-umount/oci-umount.d/crio-umount.conf
/usr/share/zsh/site-functions/_crio
/usr/share/zsh/site-functions/_crio-status
/var/lib/containers
[root@a992f07f4ac1 /]

None of these files exists in Fedora CoreOS 31.20200113.3.1.

Ah, I just read the thread where it’s stated that cri-o was not included in the end, because the crio-version needs to match the kubernetes version:

So what would be the best practice to install cri-o?

You can rpm-ostree install cri-o but that might not be what you want. However you install kubernetes you’ll want your cri-o installation to come from those instructions and be lifecycled with kubernetes itself. We don’t have well defined/published directions for this right now.

Even package layering it is a bit convoluted right now because it’s delivered via a module and not in the default package set in the mirrors. In order to layer it you need to create a file to enable the cri-o stream and also enable the modular repos:

$ sudo su -
# mkdir /etc/dnf/modules.d
# cat <<EOF > /etc/dnf/modules.d/cri-o.module
[cri-o]
name=cri-o
stream=1.16
profiles=
state=enabled
EOF
# sed -i -z s/enabled=0/enabled=1/ /etc/yum.repos.d/fedora-modular.repo
# sed -i -z s/enabled=0/enabled=1/ /etc/yum.repos.d/fedora-updates-modular.repo
# rpm-ostree install cri-o 

NOTE: The -z in the sed command will make it only replace the first occurrence.

Obviously this isn’t ideal.

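Added example, not part of any post in this thread: a rehearsal of the `sed -i -z` repo edit from the post above on a constructed repo file in a scratch directory, followed by a check of which sections ended up enabled and whether each of them still has `gpgcheck=1`. The function names and the sample file contents are assumptions made for this example, and it relies on GNU sed for `-z`.

```shell
#!/bin/sh
# Added example. The repo file is constructed sample data, not the real file.
make_sample_repo() {  # $1 = path to write
    cat > "$1" <<'EOF'
[fedora-modular]
enabled=0
gpgcheck=1

[fedora-modular-debuginfo]
enabled=0
gpgcheck=1

[fedora-modular-source]
enabled=0
gpgcheck=1
EOF
}

# Same edit as in the post: with -z the whole file is one record, and with
# no g flag only the first enabled=0 in that record is rewritten (GNU sed).
enable_first_section() {  # $1 = repo file
    sed -i -z s/enabled=0/enabled=1/ "$1"
}

# Print the id of every section that has enabled=1, one per line.
enabled_sections() {  # $1 = repo file
    awk '/^\[.*\]$/    { section = substr($0, 2, length($0) - 2); next }
         /^enabled=1$/ { print section }' "$1"
}

# Print the id of every enabled section that does not set gpgcheck=1.
enabled_without_gpgcheck() {  # $1 = repo file
    awk 'function report() { if (on && !gpg) print section }
         /^\[.*\]$/     { report(); section = substr($0, 2, length($0) - 2)
                          on = 0; gpg = 0; next }
         /^enabled=1$/  { on = 1 }
         /^gpgcheck=1$/ { gpg = 1 }
         END            { report() }' "$1"
}

# Rehearse in a scratch directory; nothing under /etc is touched.
scratch=$(mktemp -d)
make_sample_repo "$scratch/fedora-modular.repo"
enable_first_section "$scratch/fedora-modular.repo"
echo "enabled: $(enabled_sections "$scratch/fedora-modular.repo")"
echo "enabled without gpgcheck: $(enabled_without_gpgcheck "$scratch/fedora-modular.repo")"
rm -rf "$scratch"
```

Running the two check functions against the real files under /etc/yum.repos.d/ after the edit shows whether only the intended section was switched on.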

Hi. Is there a reason not to have the modular repos enabled by default for FCOS?

https://github.com/coreos/fedora-coreos-config/pull/5

Oh right, so doing this may work but would confuse rpm-ostree a lot. Right, thanks for the answer!