# The "crio" table contains all of the server options.[crio]# root is a path

1. # The "crio" table contains all of the server options.
2. [crio]
3.  
4. # root is a path to the "root directory". CRIO stores all of its data,
5. # including container images, in this directory.
6. root = "/var/lib/containers/storage"
7.  
8. # run is a path to the "run directory". CRIO stores all of its state
9. # in this directory.
10. runroot = "/var/run/containers/storage"
11.  
12. # storage_driver select which storage driver is used to manage storage
13. # of images and containers.
14. storage_driver = "devicemapper"
15.  
16. # storage_option is used to pass an option to the storage driver.
17. storage_option = [
18. ]
19.  
20. # The "crio.api" table contains settings for the kubelet/gRPC interface.
21. [crio.api]
22.  
23. # listen is the path to the AF_LOCAL socket on which crio will listen.
24. listen = "/var/run/crio/crio.sock"
25.  
26. # stream_address is the IP address on which the stream server will listen
27. stream_address = ""
28.  
29. # stream_port is the port on which the stream server will listen
30. stream_port = "10010"
31.  
32. # file_locking is whether file-based locking will be used instead of
33. # in-memory locking
34. file_locking = true
35.  
36. # The "crio.runtime" table contains settings pertaining to the OCI
37. # runtime used and options for how to set up and manage the OCI runtime.
38. [crio.runtime]
39.  
40. # runtime is the OCI compatible runtime used for trusted container workloads.
41. # This is a mandatory setting as this runtime will be the default one
42. # and will also be used for untrusted container workloads if
43. # runtime_untrusted_workload is not set.
44. runtime = "/usr/local/bin/cc-runtime"
45.  
46. # runtime_untrusted_workload is the OCI compatible runtime used for untrusted
47. # container workloads. This is an optional setting, except if
48. # default_container_trust is set to "untrusted".
49. runtime_untrusted_workload = ""
50.  
51. # default_workload_trust is the default level of trust crio puts in container
52. # workloads. It can either be "trusted" or "untrusted", and the default
53. # is "trusted".
54. # Containers can be run through different container runtimes, depending on
55. # the trust hints we receive from kubelet:
56. # - If kubelet tags a container workload as untrusted, crio will try first to
57. # run it through the untrusted container workload runtime. If it is not set,
58. # crio will use the trusted runtime.
59. # - If kubelet does not provide any information about the container workload trust
60. # level, the selected runtime will depend on the default_container_trust setting.
61. # If it is set to "untrusted", then all containers except for the host privileged
62. # ones, will be run by the runtime_untrusted_workload runtime. Host privileged
63. # containers are by definition trusted and will always use the trusted container
64. # runtime. If default_container_trust is set to "trusted", crio will use the trusted
65. # container runtime for all containers.
66. default_workload_trust = "trusted"
67.  
68. # no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
69. no_pivot = false
70.  
71. # conmon is the path to conmon binary, used for managing the runtime.
72. conmon = "/usr/local/libexec/crio/conmon"
73.  
74. # conmon_env is the environment variable list for conmon process,
75. # used for passing necessary environment variable to conmon or runtime.
76. conmon_env = [
77. "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
78. ]
79.  
80. # selinux indicates whether or not SELinux will be used for pod
81. # separation on the host. If you enable this flag, SELinux must be running
82. # on the host.
83. selinux = false
84.  
85. # seccomp_profile is the seccomp json profile path which is used as the
86. # default for the runtime.
87. seccomp_profile = "/etc/crio/seccomp.json"
88.  
89. # apparmor_profile is the apparmor profile name which is used as the
90. # default for the runtime.
91. apparmor_profile = "crio-default"
92.  
93. # cgroup_manager is the cgroup management implementation to be used
94. # for the runtime.
95. cgroup_manager = "cgroupfs"
96.  
97. # hooks_dir_path is the oci hooks directory for automatically executed hooks
98. hooks_dir_path = "/usr/share/containers/oci/hooks.d"
99.  
100. # default_mounts is the mounts list to be mounted for the container when created
101. default_mounts = [
102. ]
103.  
104. # pids_limit is the number of processes allowed in a container
105. pids_limit = 1024
106.  
107. # enable using a shared PID namespace for containers in a pod
108. enable_shared_pid_namespace = false
109.  
110. # log_size_max is the max limit for the container log size in bytes.
111. # Negative values indicate that no limit is imposed.
112. log_size_max = -1
113.  
114. # The "crio.image" table contains settings pertaining to the
115. # management of OCI images.
116. [crio.image]
117.  
118. # default_transport is the prefix we try prepending to an image name if the
119. # image name as we receive it can't be parsed as a valid source reference
120. default_transport = "docker://"
121.  
122. # pause_image is the image which we use to instantiate infra containers.
123. pause_image = "kubernetes/pause"
124.  
125. # pause_command is the command to run in a pause_image to have a container just
126. # sit there. If the image contains the necessary information, this value need
127. # not be specified.
128. pause_command = "/pause"
129.  
130. # signature_policy is the name of the file which decides what sort of policy we
131. # use when deciding whether or not to trust an image that we've pulled.
132. # Outside of testing situations, it is strongly advised that this be left
133. # unspecified so that the default system-wide policy will be used.
134. signature_policy = ""
135.  
136. # image_volumes controls how image volumes are handled.
137. # The valid values are mkdir and ignore.
138. image_volumes = "mkdir"
139.  
140. # insecure_registries is used to skip TLS verification when pulling images.
141. insecure_registries = [
142. ]
143.  
144. # registries is used to specify a comma separated list of registries to be used
145. # when pulling an unqualified image (e.g. fedora:rawhide).
146. registries = ['registry.access.redhat.com', 'registry.fedoraproject.org', 'docker.io']
147.  
148. # The "crio.network" table contains settings pertaining to the
149. # management of CNI plugins.
150. [crio.network]
151.  
152. # network_dir is is where CNI network configuration
153. # files are stored.
154. network_dir = "/etc/cni/net.d/"
155.  
156. # plugin_dir is is where CNI plugin binaries are stored.
157. plugin_dir = "/opt/cni/bin/"