API tools faq
paste
Advertisement
fatherlinux

Untitled

fatherlinux
Apr 3rd, 2019
437
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 23.34 KB | None | 0 0
raw download clone embed print report
  1. alias urldecode='python3 -c "import sys, urllib.parse; print(urllib.parse.unquote(sys.argv[1]))"'
  2.  
  3.  
  4. urldecode "data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cert%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%23%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22quay.io%2Fopenshift-release-dev%2Focp-v4.0-art-dev%40sha256%3A0f4767e691bd6b984691dd48a13313c13fece8442d0bd43756f8e9d0145861d4%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A"
  5. data:,# The "crio" table contains all of the server options.
  6. [crio]
  7.  
  8. # CRI-O reads its storage defaults from the containers/storage configuration
  9. # file, /etc/containers/storage.conf. Modify storage.conf if you want to
  10. # change default storage for all tools that use containers/storage. If you
  11. # want to modify just crio, you can change the storage configuration in this
  12. # file.
  13.  
  14. # root is a path to the "root directory". CRIO stores all of its data,
  15. # including container images, in this directory.
  16. #root = "/var/lib/containers/storage"
  17.  
  18. # run is a path to the "run directory". CRIO stores all of its state
  19. # in this directory.
  20. #runroot = "/var/run/containers/storage"
  21.  
  22. # storage_driver select which storage driver is used to manage storage
  23. # of images and containers.
  24. #storage_driver = ""
  25.  
  26. # storage_option is used to pass an option to the storage driver.
  27. #storage_option = [
  28. #]
  29.  
  30. # The "crio.api" table contains settings for the kubelet/gRPC interface.
  31. [crio.api]
  32.  
  33. # listen is the path to the AF_LOCAL socket on which crio will listen.
  34. listen = "/var/run/crio/crio.sock"
  35.  
  36. # stream_address is the IP address on which the stream server will listen
  37. stream_address = ""
  38.  
  39. # stream_port is the port on which the stream server will listen
  40. stream_port = "10010"
  41.  
  42. # stream_enable_tls enables encrypted tls transport of the stream server
  43. stream_enable_tls = false
  44.  
  45. # stream_tls_cert is the x509 certificate file path used to serve the encrypted stream.
  46. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  47. stream_tls_cert = ""
  48.  
  49. # stream_tls_key is the key file path used to serve the encrypted stream.
  50. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  51. stream_tls_key = ""
  52.  
  53. # stream_tls_ca is the x509 CA(s) file used to verify and authenticate client
  54. # communication with the tls encrypted stream.
  55. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  56. stream_tls_ca = ""
  57.  
  58. # file_locking is whether file-based locking will be used instead of
  59. # in-memory locking
  60. file_locking = false
  61.  
  62. # The "crio.runtime" table contains settings pertaining to the OCI
  63. # runtime used and options for how to set up and manage the OCI runtime.
  64. [crio.runtime]
  65.  
  66. # runtime is the OCI compatible runtime used for trusted container workloads.
  67. # This is a mandatory setting as this runtime will be the default one
  68. # and will also be used for untrusted container workloads if
  69. # runtime_untrusted_workload is not set.
  70. runtime = "/usr/bin/runc"
  71.  
  72. # runtime_untrusted_workload is the OCI compatible runtime used for untrusted
  73. # container workloads. This is an optional setting, except if
  74. # default_container_trust is set to "untrusted".
  75. runtime_untrusted_workload = ""
  76.  
  77. # default_workload_trust is the default level of trust crio puts in container
  78. # workloads. It can either be "trusted" or "untrusted", and the default
  79. # is "trusted".
  80. # Containers can be run through different container runtimes, depending on
  81. # the trust hints we receive from kubelet:
  82. # - If kubelet tags a container workload as untrusted, crio will try first to
  83. # run it through the untrusted container workload runtime. If it is not set,
  84. # crio will use the trusted runtime.
  85. # - If kubelet does not provide any information about the container workload trust
  86. # level, the selected runtime will depend on the default_container_trust setting.
  87. # If it is set to "untrusted", then all containers except for the host privileged
  88. # ones, will be run by the runtime_untrusted_workload runtime. Host privileged
  89. # containers are by definition trusted and will always use the trusted container
  90. # runtime. If default_container_trust is set to "trusted", crio will use the trusted
  91. # container runtime for all containers.
  92. default_workload_trust = "trusted"
  93.  
  94. # no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
  95. no_pivot = false
  96.  
  97. # conmon is the path to conmon binary, used for managing the runtime.
  98. conmon = "/usr/libexec/crio/conmon"
  99.  
  100. # conmon_env is the environment variable list for conmon process,
  101. # used for passing necessary environment variable to conmon or runtime.
  102. conmon_env = [
  103. "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  104. ]
  105.  
  106. # selinux indicates whether or not SELinux will be used for pod
  107. # separation on the host. If you enable this flag, SELinux must be running
  108. # on the host.
  109. selinux = true
  110.  
  111. # seccomp_profile is the seccomp json profile path which is used as the
  112. # default for the runtime.
  113. seccomp_profile = "/etc/crio/seccomp.json"
  114.  
  115. # apparmor_profile is the apparmor profile name which is used as the
  116. # default for the runtime.
  117. apparmor_profile = "crio-default"
  118.  
  119. # cgroup_manager is the cgroup management implementation to be used
  120. # for the runtime.
  121. cgroup_manager = "systemd"
  122.  
  123. # default_capabilities is the list of capabilities to add and can be modified here.
  124. # If capabilities below is commented out, the default list of capabilities defined in the
  125. # spec will be added.
  126. # If capabilities is empty below, only the capabilities defined in the container json
  127. # file by the user/kube will be added.
  128. default_capabilities = [
  129. "CHOWN",
  130. "DAC_OVERRIDE",
  131. "FSETID",
  132. "FOWNER",
  133. "NET_RAW",
  134. "SETGID",
  135. "SETUID",
  136. "SETPCAP",
  137. "NET_BIND_SERVICE",
  138. "SYS_CHROOT",
  139. "KILL",
  140. ]
  141.  
  142. # hooks_dir_path is the oci hooks directory for automatically executed hooks
  143. hooks_dir_path = "/usr/share/containers/oci/hooks.d"
  144.  
  145. # default_mounts is the mounts list to be mounted for the container when created
  146. # deprecated, will be taken out in future versions, add default mounts to either
  147. # /usr/share/containers/mounts.conf or /etc/containers/mounts.conf
  148. default_mounts = [
  149. "/usr/share/rhel/secrets:/run/secrets",
  150. ]
  151.  
  152. # Path to directory in which container exit files are written to by conmon.
  153. container_exits_dir = "/var/run/crio/exits"
  154.  
  155. # Path to directory for container attach sockets.
  156. container_attach_socket_dir = "/var/run/crio"
  157.  
  158. # CRI-O reads its default mounts from the following two files:
  159. # 1) /etc/containers/mounts.conf - this is the override file, where users can
  160. # either add in their own default mounts, or override the default mounts shipped
  161. # with the package.
  162. # 2) /usr/share/containers/mounts.conf - this is the default file read for mounts.
  163. # If you want CRI-O to read from a different, specific mounts file, you can change
  164. # the default_mounts_file path right below. Note, if this is done, CRI-O will only add
  165. # mounts it finds in this file.
  166.  
  167. # default_mounts_file is the file path holding the default mounts to be mounted for the
  168. # container when created.
  169. # default_mounts_file = ""
  170.  
  171. # pids_limit is the number of processes allowed in a container
  172. pids_limit = 1024
  173.  
  174. # log_size_max is the max limit for the container log size in bytes.
  175. # Negative values indicate that no limit is imposed.
  176. log_size_max = -1
  177.  
  178. # read-only indicates whether all containers will run in read-only mode
  179. read_only = false
  180.  
  181. # log_level changes the verbosity of the logs printed.
  182. # Options are: error (default), fatal, panic, warn, info, and debug
  183. log_level = "error"
  184.  
  185. # The "crio.image" table contains settings pertaining to the
  186. # management of OCI images.
  187.  
  188. # uid_mappings specifies the UID mappings to have in the user namespace.
  189. # A range is specified in the form containerUID:HostUID:Size. Multiple
  190. # ranges are separed by comma.
  191. uid_mappings = ""
  192.  
  193. # gid_mappings specifies the GID mappings to have in the user namespace.
  194. # A range is specified in the form containerGID:HostGID:Size. Multiple
  195. # ranges are separed by comma.
  196. gid_mappings = ""
  197.  
  198. [crio.image]
  199.  
  200. # default_transport is the prefix we try prepending to an image name if the
  201. # image name as we receive it can't be parsed as a valid source reference
  202. default_transport = "docker://"
  203.  
  204. # pause_image is the image which we use to instantiate infra containers.
  205. pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0f4767e691bd6b984691dd48a13313c13fece8442d0bd43756f8e9d0145861d4"
  206.  
  207. # If not empty, the path to a docker/config.json-like file containing credentials
  208. # necessary for pulling the image specified by pause_image above.
  209. pause_image_auth_file = "/var/lib/kubelet/config.json"
  210.  
  211. # pause_command is the command to run in a pause_image to have a container just
  212. # sit there. If the image contains the necessary information, this value need
  213. # not be specified.
  214. pause_command = "/usr/bin/pod"
  215.  
  216. # signature_policy is the name of the file which decides what sort of policy we
  217. # use when deciding whether or not to trust an image that we've pulled.
  218. # Outside of testing situations, it is strongly advised that this be left
  219. # unspecified so that the default system-wide policy will be used.
  220. signature_policy = ""
  221.  
  222. # image_volumes controls how image volumes are handled.
  223. # The valid values are mkdir and ignore.
  224. image_volumes = "mkdir"
  225.  
  226. # CRI-O reads its configured registries defaults from the containers/image configuration
  227. # file, /etc/containers/registries.conf. Modify registries.conf if you want to
  228. # change default registries for all tools that use containers/image. If you
  229. # want to modify just crio, you can change the registies configuration in this
  230. # file.
  231.  
  232. # insecure_registries is used to skip TLS verification when pulling images.
  233. # insecure_registries = [
  234. # ]
  235.  
  236. # registries is used to specify a comma separated list of registries to be used
  237. # when pulling an unqualified image (e.g. fedora:rawhide).
  238. #registries = [
  239. # ]
  240.  
  241. # The "crio.network" table contains settings pertaining to the
  242. # management of CNI plugins.
  243. [crio.network]
  244.  
  245. # network_dir is is where CNI network configuration
  246. # files are stored.
  247. network_dir = "/etc/cni/net.d/"
  248.  
  249. # plugin_dir is is where CNI plugin binaries are stored.
  250. plugin_dir = "/usr/libexec/cni"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!