API tools faq
paste
Advertisement
drpanwe

/etc/crio/crio.conf

drpanwe
Jan 18th, 2019
208
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 9.51 KB | None | 0 0
raw download clone embed print report
  1. # The "crio" table contains all of the server options.
  2. [crio]
  3.  
  4. # CRI-O reads its storage defaults from the containers/storage configuration
  5. # file, /etc/containers/storage.conf. Modify storage.conf if you want to
  6. # change default storage for all tools that use containers/storage. If you
  7. # want to modify just crio, you can change the storage configuration in this
  8. # file.
  9.  
  10. # root is a path to the "root directory". CRIO stores all of its data,
  11. # including container images, in this directory.
  12. #root = "/var/lib/containers/storage"
  13.  
  14. # run is a path to the "run directory". CRIO stores all of its state
  15. # in this directory.
  16. #runroot = "/var/run/containers/storage"
  17.  
  18. # storage_driver select which storage driver is used to manage storage
  19. # of images and containers.
  20. storage_driver = "btrfs"
  21.  
  22. # storage_option is used to pass an option to the storage driver.
  23. #storage_option = [
  24. #]
  25.  
  26. # file_locking is whether file-based locking will be used instead of
  27. # in-memory locking
  28. file_locking = true
  29.  
  30. # file_locking_path is the file used for file-based locking
  31. file_locking_path = "/run/crio.lock"
  32.  
  33. # The "crio.api" table contains settings for the kubelet/gRPC interface.
  34. [crio.api]
  35.  
  36. # listen is the path to the AF_LOCAL socket on which crio will listen.
  37. listen = "/var/run/crio/crio.sock"
  38.  
  39. # stream_address is the IP address on which the stream server will listen
  40. stream_address = ""
  41.  
  42. # stream_port is the port on which the stream server will listen
  43. stream_port = "10010"
  44.  
  45. # stream_enable_tls enables encrypted tls transport of the stream server
  46. stream_enable_tls = false
  47.  
  48. # stream_tls_cert is the x509 certificate file path used to serve the encrypted stream.
  49. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  50. stream_tls_cert = ""
  51.  
  52. # stream_tls_key is the key file path used to serve the encrypted stream.
  53. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  54. stream_tls_key = ""
  55.  
  56. # stream_tls_ca is the x509 CA(s) file used to verify and authenticate client
  57. # communication with the tls encrypted stream.
  58. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  59. stream_tls_ca = ""
  60.  
  61. # The "crio.runtime" table contains settings pertaining to the OCI
  62. # runtime used and options for how to set up and manage the OCI runtime.
  63. [crio.runtime]
  64.  
  65. # runtime is the OCI compatible runtime used for trusted container workloads.
  66. # This is a mandatory setting as this runtime will be the default one
  67. # and will also be used for untrusted container workloads if
  68. # runtime_untrusted_workload is not set.
  69. runtime = "/usr/sbin/runc"
  70.  
  71. # runtime_untrusted_workload is the OCI compatible runtime used for untrusted
  72. # container workloads. This is an optional setting, except if
  73. # default_container_trust is set to "untrusted".
  74. runtime_untrusted_workload = ""
  75.  
  76. # default_workload_trust is the default level of trust crio puts in container
  77. # workloads. It can either be "trusted" or "untrusted", and the default
  78. # is "trusted".
  79. # Containers can be run through different container runtimes, depending on
  80. # the trust hints we receive from kubelet:
  81. # - If kubelet tags a container workload as untrusted, crio will try first to
  82. # run it through the untrusted container workload runtime. If it is not set,
  83. # crio will use the trusted runtime.
  84. # - If kubelet does not provide any information about the container workload trust
  85. # level, the selected runtime will depend on the default_container_trust setting.
  86. # If it is set to "untrusted", then all containers except for the host privileged
  87. # ones, will be run by the runtime_untrusted_workload runtime. Host privileged
  88. # containers are by definition trusted and will always use the trusted container
  89. # runtime. If default_container_trust is set to "trusted", crio will use the trusted
  90. # container runtime for all containers.
  91. default_workload_trust = "trusted"
  92.  
  93. # no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
  94. no_pivot = false
  95.  
  96. # conmon is the path to conmon binary, used for managing the runtime.
  97. conmon = "/usr/lib/crio/bin/conmon"
  98.  
  99. # conmon_env is the environment variable list for conmon process,
  100. # used for passing necessary environment variable to conmon or runtime.
  101. conmon_env = [
  102. "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  103. ]
  104.  
  105. # selinux indicates whether or not SELinux will be used for pod
  106. # separation on the host. If you enable this flag, SELinux must be running
  107. # on the host.
  108. selinux = false
  109.  
  110. # seccomp_profile is the seccomp json profile path which is used as the
  111. # default for the runtime.
  112. seccomp_profile = "/etc/crio/seccomp.json"
  113.  
  114. # apparmor_profile is the apparmor profile name which is used as the
  115. # default for the runtime.
  116. # apparmor_profile = "crio-default"
  117.  
  118. # cgroup_manager is the cgroup management implementation to be used
  119. # for the runtime.
  120. cgroup_manager = "cgroupfs"
  121.  
  122. # default_capabilities is the list of capabilities to add and can be modified here.
  123. # If capabilities below is commented out, the default list of capabilities defined in the
  124. # spec will be added.
  125. # If capabilities is empty below, only the capabilities defined in the container json
  126. # file by the user/kube will be added.
  127. default_capabilities = [
  128. "CHOWN",
  129. "DAC_OVERRIDE",
  130. "FSETID",
  131. "FOWNER",
  132. "NET_RAW",
  133. "SETGID",
  134. "SETUID",
  135. "SETPCAP",
  136. "NET_BIND_SERVICE",
  137. "SYS_CHROOT",
  138. "KILL",
  139. ]
  140.  
  141. # hooks_dir_path is the oci hooks directory for automatically executed hooks
  142. hooks_dir_path = "/usr/share/containers/oci/hooks.d"
  143.  
  144. # default_mounts is the mounts list to be mounted for the container when created
  145. # deprecated, will be taken out in future versions, add default mounts to either
  146. # /usr/share/containers/mounts.conf or /etc/containers/mounts.conf
  147. default_mounts = [
  148. ]
  149.  
  150. # CRI-O reads its default mounts from the following two files:
  151. # 1) /etc/containers/mounts.conf - this is the override file, where users can
  152. # either add in their own default mounts, or override the default mounts shipped
  153. # with the package.
  154. # 2) /usr/share/containers/mounts.conf - this is the default file read for mounts.
  155. # If you want CRI-O to read from a different, specific mounts file, you can change
  156. # the default_mounts_file path right below. Note, if this is done, CRI-O will only add
  157. # mounts it finds in this file.
  158.  
  159. # default_mounts_file is the file path holding the default mounts to be mounted for the
  160. # container when created.
  161. # default_mounts_file = ""
  162.  
  163. # pids_limit is the number of processes allowed in a container
  164. pids_limit = 1024
  165.  
  166. # log_size_max is the max limit for the container log size in bytes.
  167. # Negative values indicate that no limit is imposed.
  168. log_size_max = -1
  169.  
  170. # container_exits_dir is the directory in which container exit files are
  171. # written to by conmon.
  172. container_exits_dir = "/var/run/crio/exits"
  173.  
  174. # container_attach_socket_dir is the location for container attach sockets.
  175. container_attach_socket_dir = "/var/run/crio"
  176.  
  177. # read-only indicates whether all containers will run in read-only mode
  178. read_only = false
  179.  
  180. # log_level changes the verbosity of the logs printed.
  181. # Options are: error (default), fatal, panic, warn, info, and debug
  182. log_level = "error"
  183.  
  184. # The "crio.image" table contains settings pertaining to the
  185. # management of OCI images.
  186.  
  187. # uid_mappings specifies the UID mappings to have in the user namespace.
  188. # A range is specified in the form containerUID:HostUID:Size. Multiple
  189. # ranges are separed by comma.
  190. uid_mappings = ""
  191.  
  192. # gid_mappings specifies the GID mappings to have in the user namespace.
  193. # A range is specified in the form containerGID:HostGID:Size. Multiple
  194. # ranges are separed by comma.
  195. gid_mappings = ""
  196.  
  197. [crio.image]
  198.  
  199. # default_transport is the prefix we try prepending to an image name if the
  200. # image name as we receive it can't be parsed as a valid source reference
  201. default_transport = "docker://"
  202.  
  203. # pause_image is the image which we use to instantiate infra containers.
  204. pause_image = "kubernetes/pause"
  205.  
  206. # pause_command is the command to run in a pause_image to have a container just
  207. # sit there. If the image contains the necessary information, this value need
  208. # not be specified.
  209. pause_command = "/pause"
  210.  
  211. # signature_policy is the name of the file which decides what sort of policy we
  212. # use when deciding whether or not to trust an image that we've pulled.
  213. # Outside of testing situations, it is strongly advised that this be left
  214. # unspecified so that the default system-wide policy will be used.
  215. signature_policy = ""
  216.  
  217. # image_volumes controls how image volumes are handled.
  218. # The valid values are mkdir and ignore.
  219. image_volumes = "mkdir"
  220.  
  221. # CRI-O reads its configured registries defaults from the containers/image configuration
  222. # file, /etc/containers/registries.conf. Modify registries.conf if you want to
  223. # change default registries for all tools that use containers/image. If you
  224. # want to modify just crio, you can change the registies configuration in this
  225. # file.
  226.  
  227. # insecure_registries is used to skip TLS verification when pulling images.
  228. # insecure_registries = [
  229. # ]
  230.  
  231. # registries is used to specify a comma separated list of registries to be used
  232. # when pulling an unqualified image (e.g. fedora:rawhide).
  233. #registries = [
  234. # "docker.io",
  235. #]
  236.  
  237. # The "crio.network" table contains settings pertaining to the
  238. # management of CNI plugins.
  239. [crio.network]
  240.  
  241. # network_dir is is where CNI network configuration
  242. # files are stored.
  243. network_dir = "/etc/cni/net.d/"
  244.  
  245. # plugin_dir is is where CNI plugin binaries are stored.
  246. plugin_dir = "/var/lib/kubelet/cni/bin"
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!