The CRI-O container engine provides a stable, more secure, and performant
platform for running Open Container Initiative (OCI)
You can use the CRI-O container engine to launch containers and pods
by engaging OCI-compliant runtimes like runc, the default OCI runtime, or
CRI-O’s purpose is to be the container engine that implements
the Kubernetes Container Runtime Interface (CRI) for OKD and Kubernetes,
replacing the Docker service.
CRI-O offers a streamlined container engine, while other container features
are implemented as a separate set of innovative, independent commands. This
approach allows container management features to develop at their own pace,
without impeding CRI-O’s primary goal of being
a container engine for Kubernetes-based installations.
CRI-O’s stability comes from the facts that it is developed,
tested, and released in tandem with Kubernetes major and minor releases and that it follows
OCI standards. For
example, CRI-O 1.11 aligns with Kubernetes 1.11. The scope of CRI-O is tied to
the Container Runtime Interface (CRI).
CRI extracted and standardized exactly what a Kubernetes service (kubelet) needed
from its container engine. The CRI team did this to help stabilize Kubernetes container
requirements as multiple container engines began to be developed.
There is little need for direct command-line contact with CRI-O.
However, to provide full access to CRI-O for testing and monitoring, and
to provide features you expect with Docker that CRI-O does not offer,
a set of container-related command-line tools are available. These tools replace and
extend what is available with the
docker command and service. Tools
crictl - For troubleshooting and working directly with CRI-O container
runc - For running container images
podman - For managing pods and container images (run, stop, start, ps,
attach, exec, etc.) outside of the container engine
buildah - For building, pushing and signing container images
skopeo - For copying, inspecting, deleting, and signing images
Some Docker features are included in other tools instead of in CRI-O.
exact command-line compatibility with many
docker command features and
extends those features to managing pods as well. No container engine is
needed to run containers or pods with
Features for building, pushing, and signing container images, which are also
not required in a container engine, are available in the
For more information about these command alternatives to
docker, see Finding, Running and Building Containers without Docker.