Note: The standalone
cri-containerd binary is end-of-life.
transitioning from a standalone binary that talks to containerd to a plugin within
containerd. This github branch is for the
cri plugin. See
for information about the standalone version of
Note: You need to drain your node before upgrading from standalone
cri-containerd to containerd with
cri is a native plugin of containerd 1.1 and above. It is built into containerd and enabled by default.
cri is in GA:
- It is feature complete.
- It (the GA version) works with Kubernetes 1.10 and above.
- It has passed all CRI validation tests.
- It has passed all node e2e tests.
- It has passed all e2e tests.
See test dashboard
|CRI-Containerd Version||Containerd Version||Kubernetes Version||CRI Version|
Production Quality Cluster on GCE
For a production quality cluster on GCE brought up with
kube-up.sh refer here.
Installing with Ansible and Kubeadm
For a multi node cluster installer and bring up steps using ansible and kubeadm refer here.
For non ansible users, you can download the
cri-containerd release tarball and deploy
kubernetes cluster using kubeadm as described here.
Getting Started for Developers
Binary Dependencies and Specifications
The current release of the
cri plugin has the following dependencies:
See versions of these dependencies
cri is tested with.
As containerd and runc move to their respective general availability releases,
we will do our best to rebase/retest
cri with these releases on a
weekly/monthly basis. Similarly, given that
cri uses the Open
Container Initiative (OCI) image
and runtime specifications, we
will also do our best to update
cri to the latest releases of these
specifications as appropriate.
- Install development libraries:
- libseccomp development library. Required by
criand runc seccomp support.
libseccomp-dev(Ubuntu, Debian) /
libseccomp-devel(Fedora, CentOS, RHEL). On releases of Ubuntu <=Trusty and Debian <=jessie a backport version of
libseccomp-devis required. See travis.yml for an example on trusty.
- btrfs development library. Required by containerd btrfs support.
btrfs-tools(Ubuntu, Debian) /
btrfs-progs-devel(Fedora, CentOS, RHEL)
socat(required by portforward).
- Install and setup a go 1.10 development environment.
- Make a local clone of this repository.
- Install binary dependencies by running the following command from your cloned
# Note: install.deps installs the above mentioned runc, containerd, and CNI # binary dependencies. install.deps is only provided for general use and ease of # testing. To customize `runc` and `containerd` build tags and/or to configure # `cni`, please follow instructions in their documents. make install.deps
Build and Install
To build and install a version of containerd with the
cri plugin, enter the
following commands from your
cri project directory:
make sudo make install
NOTE: The version of containerd built and installed from the
Makefile is only for
testing purposes. The version tag carries the suffix "-TEST".
cri supports optional build tags for compiling support of various features.
To add build tags to the make option the
BUILD_TAGS variable must be set.
make BUILD_TAGS='seccomp apparmor'
|seccomp||syscall filtering||libseccomp development library|
|selinux||selinux process and mount labeling|
|apparmor||apparmor profile support|
A Kubernetes incubator project called cri-tools
includes programs for exercising CRI implementations such as the
More importantly, cri-tools includes the program
critest which is used for running
CRI Validation Testing.
Run the CRI Validation test to validate your installation of
cri built in:
Running a Kubernetes local cluster
If you already have a working development environment for supported Kubernetes
version, you can try
cri in a local cluster:
- Start the version of
criplugin that you built and installed above as root in a first terminal:
- From the Kubernetes project directory startup a local cluster using
CONTAINER_RUNTIME=remote CONTAINER_RUNTIME_ENDPOINT='unix:///run/containerd/containerd.sock' ./hack/local-up-cluster.sh
See here for information about test.
See here for information about using
crictl to debug
pods, containers, and images.
See here for additional documentation.
Interested in contributing? Check out the documentation.
This project was originally established in April of 2017 in the Kubernetes Incubator program. After reaching the Beta stage, In January of 2018, the project was merged into containerd.
For async communication and long running discussions please use issues and pull requests on this github repo. This will be the best place to discuss design and implementation.
For sync communication we have a community slack with a #containerd channel that everyone is welcome to join and chat about development.
As this project is tightly coupled to CRI and CRI-Tools and they are Kubernetes
projects, some of our project communications take place in the Kubernetes' SIG:
For more information about
CRI, and the
- sig-node community site
#sig-nodechannel in Kubernetes (kubernetes.slack.com)
- Mailing List: https://groups.google.com/forum/#!forum/kubernetes-sig-node
Reporting Security Issues
If you are reporting a security issue, please reach out discreetly at firstname.lastname@example.org.
The containerd codebase is released under the Apache 2.0 license. The README.md file, and files in the "docs" folder are licensed under the Creative Commons Attribution 4.0 International License under the terms and conditions set forth in the file "LICENSE.docs". You may obtain a duplicate copy of the same license, titled CC-BY-4.0, at http://creativecommons.org/licenses/by/4.0/.
Code of Conduct
This project follows the CNCF Code of Conduct.