NOTE: This documentation is not yet complete and will be updated.
Enable cgroupv2 unified hierarchy manually:
mount -t cgroup2 none /sys/fs/cgroup
or permanent via kernel cmdline params:
systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all
PREFIX=/usr/local
LXCRI_ROOT=/run/lxcri
# environment for `crio config`
export CONTAINER_CONMON=${PREFIX}/bin/conmon
export CONTAINER_PINNS_PATH=${PREFIX}/bin/pinns
export CONTAINER_DEFAULT_RUNTIME=lxcri
export CONTAINER_RUNTIMES=lxcri:${PREFIX}/bin/lxcri:$LXCRI_ROOT
crio config > /etc/crio/crio.conf
Modify systemd service file to run with full privileges.
This is required for the runtime to set cgroupv2 device controller eBPF.
See cri-o/cri-o#4272
sed -i 's/ExecStart=\//ExecStart=+\//' /usr/local/lib/systemd/system/crio.service
systemctl daemon-reload
systemctl start crio
If you need a HTTP proxy for internet access you may have to set the proxy environment variables in /etc/default/crio
for crio-o to be able to fetch images from remote repositories.
http_proxy="http://myproxy:3128"
https_proxy="http://myproxy:3128"
no_proxy="10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,127.0.0.0/8,127.0.0.1,localhost"
If you're using overlay as storage driver cri-o may complain that it is not using native diff mode.
Update /etc/containers/storage.conf to fix this.
# see https://github.com/containers/storage/blob/v1.20.2/docs/containers-storage.conf.5.md
[storage]
driver = "overlay"
[storage.options.overlay]
# see https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt, `modinfo overlay`
# [ 8270.526807] overlayfs: conflicting options: metacopy=on,redirect_dir=off
# NOTE: metacopy can only be enabled when redirect_dir is enabled
# NOTE: storage driver name must be set or mountopt are not evaluated,
# even when the driver is the default driver --> BUG ?
mountopt = "nodev,redirect_dir=off,metacopy=off"