kubespray/roles/container-engine/cri-o/defaults/main.yml

---

crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('systemd') }}"
crio_conmon: "/usr/bin/conmon"
crio_enable_metrics: false
crio_log_level: "info"
crio_metrics_port: "9090"
crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"

# Trusted registries to pull unqualified images (e.g. alpine:latest) from
# By default unqualified images are not allowed for security reasons
crio_registries: []

crio_seccomp_profile: ""
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')|lower }}"
crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"

# Override system default for storage driver
# crio_storage_driver: "overlay"

crio_stream_port: "10010"

crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"

crio_kubernetes_version_matrix:
  "1.19": "1.19"
  "1.18": "1.18"
  "1.17": "1.17"

crio_version: "{{ crio_kubernetes_version_matrix[crio_required_version] | default('1.19') }}"

# The crio_runtimes variable defines a list of OCI compatible runtimes.
crio_runtimes:
  - name: runc
    path: /usr/bin/runc
    type: oci
    root: /run/runc

# Kata Containers is an OCI runtime, where containers are run inside lightweight
# VMs. Kata provides additional isolation towards the host, minimizing the host attack
# surface and mitigating the consequences of containers breakout.
kata_runtimes:
  # Kata Containers with the default configured VMM
  - name: kata-runtime
    path: /opt/kata/bin/kata-runtime
    type: oci
    root: /run/kata-containers
  # Kata Containers with the QEMU VMM
  - name: kata-qemu
    path: /opt/kata/bin/kata-qemu
    type: oci
    root: /run/kata-containers
Add cri-o role. 2018-08-10 01:53:11 +08:00			`---`
Cleanup fedora coreos with crio container (#5887) * fix upgrade of crio on fcos - update documents * install conntrack required by kube-proxy - like commit 48c41bcbe7a428584f4919f4404d09a0b7381a53 * enable fedora modular repo for crio * allow to override crio configuration - set cgroup manager same to kubelet_cgroup_driver if defined - path of seccomp_profile depends on distribution * allow to override crio configuration - fix path for ubuntu * allow to override crio configuration - fix cni path for fcos 2020-04-11 14:51:47 +08:00
crio: align template crio.conf with upstream (#6432) * log level by default increased to 'info' * cgroup manager by default set to 'systemd' * stream port (used by kubelet) bound to 127.0.0.1 for security reasons * metrics can be enabled and port specified 2020-08-01 15:33:48 +08:00			`crio_cgroup_manager: "{{ kubelet_cgroup_driver \| default('systemd') }}"`
Centos, debian and fedora CRI-O repo (#6008) * replace removed repo with kubic repository for centos 7 * add crio configuration for centos8 * add crio configurations for debian * use correct crio version for fedora * simplify calulation of required crio version - gives possibility to overwrite * change default path for runc * change default for seccomp path * change default for conmon 2020-04-24 16:18:07 +08:00			`crio_conmon: "/usr/bin/conmon"`
crio: align template crio.conf with upstream (#6432) * log level by default increased to 'info' * cgroup manager by default set to 'systemd' * stream port (used by kubelet) bound to 127.0.0.1 for security reasons * metrics can be enabled and port specified 2020-08-01 15:33:48 +08:00			`crio_enable_metrics: false`
			`crio_log_level: "info"`
			`crio_metrics_port: "9090"`
			`crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"`
cri-o: add variable to configure unsecure pull (#6568) By default do not allow "unqualified" (without a registry) images because it is considered unsecure and subject to mitm attacks. To enable insecure pull configure for example: crio_registries: - "docker.io" - "quay.io" 2020-08-28 00:09:53 +08:00
			`# Trusted registries to pull unqualified images (e.g. alpine:latest) from`
			`# By default unqualified images are not allowed for security reasons`
			`crio_registries: []`

crio: align template crio.conf with upstream (#6432) * log level by default increased to 'info' * cgroup manager by default set to 'systemd' * stream port (used by kubelet) bound to 127.0.0.1 for security reasons * metrics can be enabled and port specified 2020-08-01 15:33:48 +08:00			`crio_seccomp_profile: ""`
			`crio_selinux: "{{ (preinstall_selinux_state == 'enforcing')\|lower }}"`
			`crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"`
crio: use system default for storage driver by default (#6637) After host reboot kubelet and crio goes into a loop and no container is started. storage_driver in crio.conf overrides system defaults in etc/containers/storage.conf /etc/containers/storage.conf is installed by package containers-common dependency installed from cri-o (centos7) and contains "overlay". Hosts already configured with overlay2 should be reconfigured and the /var/lib/containers content removed. 2020-09-10 20:29:45 +08:00
			`# Override system default for storage driver`
			`# crio_storage_driver: "overlay"`

crio: align template crio.conf with upstream (#6432) * log level by default increased to 'info' * cgroup manager by default set to 'systemd' * stream port (used by kubelet) bound to 127.0.0.1 for security reasons * metrics can be enabled and port specified 2020-08-01 15:33:48 +08:00			`crio_stream_port: "10010"`
Centos, debian and fedora CRI-O repo (#6008) * replace removed repo with kubic repository for centos 7 * add crio configuration for centos8 * add crio configurations for debian * use correct crio version for fedora * simplify calulation of required crio version - gives possibility to overwrite * change default path for runc * change default for seccomp path * change default for conmon 2020-04-24 16:18:07 +08:00
			`crio_required_version: "{{ kube_version \| regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"`

			`crio_kubernetes_version_matrix:`
bump crio version to 1.19 (#6758) * bump crio version to 1.19 * crio package name has changed for debian/ubuntu * crio upgrade does not work, see #6757 * update crio info in docs 2020-10-13 17:08:26 +08:00			`"1.19": "1.19"`
Enable crio 1.18 (#6197) 2020-05-28 15:42:15 +08:00			`"1.18": "1.18"`
Centos, debian and fedora CRI-O repo (#6008) * replace removed repo with kubic repository for centos 7 * add crio configuration for centos8 * add crio configurations for debian * use correct crio version for fedora * simplify calulation of required crio version - gives possibility to overwrite * change default path for runc * change default for seccomp path * change default for conmon 2020-04-24 16:18:07 +08:00			`"1.17": "1.17"`

bump crio version to 1.19 (#6758) * bump crio version to 1.19 * crio package name has changed for debian/ubuntu * crio upgrade does not work, see #6757 * update crio info in docs 2020-10-13 17:08:26 +08:00			`crio_version: "{{ crio_kubernetes_version_matrix[crio_required_version] \| default('1.19') }}"`
Add Kata Containers support to CRI-O runtime (#6830) * Enable Kata Containers for CRI-O runtime Kata Containers is an OCI runtime where containers are run inside lightweight VMs. This runtime has been enabled for containerd runtime thru the kata_containers_enabled variable. This change enables Kata Containers to CRI-O container runtime. Signed-off-by: Victor Morales <v.morales@samsung.com> * Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs' * Set manage_ns_lifecycle=true when KataContainers is enabed * Add preinstall check for katacontainers Signed-off-by: Victor Morales <v.morales@samsung.com> Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com> 2020-10-23 18:07:46 +08:00
			`# The crio_runtimes variable defines a list of OCI compatible runtimes.`
			`crio_runtimes:`
			`- name: runc`
			`path: /usr/bin/runc`
			`type: oci`
			`root: /run/runc`

			`# Kata Containers is an OCI runtime, where containers are run inside lightweight`
			`# VMs. Kata provides additional isolation towards the host, minimizing the host attack`
			`# surface and mitigating the consequences of containers breakout.`
			`kata_runtimes:`
			`# Kata Containers with the default configured VMM`
			`- name: kata-runtime`
			`path: /opt/kata/bin/kata-runtime`
			`type: oci`
			`root: /run/kata-containers`
			`# Kata Containers with the QEMU VMM`
			`- name: kata-qemu`
			`path: /opt/kata/bin/kata-qemu`
			`type: oci`
			`root: /run/kata-containers`