Installing / using CRI-O on Fedora CoreOS


I sucessfully deployed some Fedora CoreOS VMs on VMware.

The FAQs under state that cri-o is installed by default, however this does not seem to be the case?

 whereis crio
crio: /usr/libexec/crio

Do I need to install it somehow? What would be the best practise of doing so? I read somewhere the layering packages using rpm-ostree is not encouraged. So far I have been installing some binaries in /opt/, like kubelet, kubeadm, crictl, CNI plugins by including them as remote files in my ignition config, because the official kubernetes documentation includes steps to copy these binaries on container linux (


The CRI-O daemon is a systemd service crio.service. If want to control the service, the tool you use is crictl. You can see how to use it here.

[root@localhost ~]# ls /usr/libexec/crio/
[root@localhost ~]# systemctl enable crio
Failed to enable unit: Unit file crio.service does not exist.
[root@localhost ~]# whereis crio
crio: /usr/libexec/crio
[root@localhost ~]# ls -ld /usr/libexec/crio
drwxr-xr-x. 2 root root 20 Jan 1 1970 /usr/libexec/crio
[root@localhost ~]# which crictl
/usr/bin/which: no crictl in (/root/.local/bin:/root/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin)
[root@localhost ~]# find / -name crio
find: File system loop detected; ‘/sysroot/ostree/deploy/fedora-coreos/deploy/f480038412cba26ab010d2cd5a09ddec736204a6e9faa8370edaa943cf33c932.0’ is part of the same file system loop as ‘/’.
[root@localhost ~]# find / -name cri-o
find: File system loop detected; ‘/sysroot/ostree/deploy/fedora-coreos/deploy/f480038412cba26ab010d2cd5a09ddec736204a6e9faa8370edaa943cf33c932.0’ is part of the same file system loop as ‘/’.
[root@localhost ~]#

crictl and cri-o dose not installed in fedora-coreos-31.20200113.3.1
it’s normal, or bug?

Thanks for your feedback.

There is no systemd unit file:

[root@localhost ~]# systemctl list-unit-files | grep cri
[root@localhost ~]#

And even if there was, there would still be lots of other files missing. If I query the crio package in a fedora container, I get a list of files:

[root@a992f07f4ac1 /]# dnf repoquery -l cri-o
Last metadata expiration check: 0:02:56 ago on Tue Jan 28 10:38:56 2020.
[root@a992f07f4ac1 /]

None of these files exists in Fedora CoreOS 31.20200113.3.1.

Ah, I just read the thread where it’s stated that cri-o was not included in the end, because the crio-version needs to match the kubernetes version:

So what would be the best practice to install cri-o?

You can rpm-ostree install cri-o but that might not be what you want. However you install kubernetes you’ll want your cri-o installation to come from those instructions and be lifecycled with kubernetes itself. We don’t have well defined/published directions for this right now.

Even package layering it is a bit convoluted right now because it’s delivered via a module and not in the default package set in the mirrors. In order to layer it you need to create a file to enable the cri-o stream and also enable the modular repos:

$ sudo su -
# mkdir /etc/dnf/modules.d
# cat <<EOF > /etc/dnf/modules.d/cri-o.module
# sed -i -z s/enabled=0/enabled=1/ /etc/yum.repos.d/fedora-modular.repo
# sed -i -z s/enabled=0/enabled=1/ /etc/yum.repos.d/fedora-updates-modular.repo
# rpm-ostree install cri-o 

NOTE: The -z in the sed command will make it only replace the first occurrence.

Obviously this isn’t ideal.