---
# cgroup manager for cri-o: follows kubelet_cgroup_driver when it is defined,
# otherwise falls back to 'systemd'.
crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('systemd') }}"

# Location of the conmon binary, resolved under bin_dir.
crio_conmon: "{{ bin_dir }}/conmon"

# The metrics endpoint is disabled by default.
# NOTE(review): crio_metrics_port presumably only takes effect once this is
# true; before enabling, confirm which address the endpoint binds to and limit
# access to the port.
crio_enable_metrics: false

crio_log_level: "info"

# Quoted so the port is handled as a string rather than an integer.
crio_metrics_port: "9090"

# Pause image reference, assembled as "<pod_infra_image_repo>:<pod_infra_version>".
crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
# Registries defined within cri-o.
# By default unqualified images are not allowed for security reasons: an image
# name without a registry host could otherwise be resolved against a registry
# the operator did not intend.
crio_registries: []
#  - prefix: docker.io
#    insecure: false
#    blocked: false
#    location: registry-1.docker.io ## REQUIRED
#    unqualified: false
#    mirrors:
#      - location: 172.20.100.52:5000
#        insecure: true
#      - location: mirror.gcr.io
#        insecure: false
#
# NOTE(review): `insecure` presumably maps to the option of the same name in
# containers-registries.conf, which permits plain HTTP and unverified TLS
# certificates for that location. The first example mirror sets it to true;
# keep it false for anything other than an isolated test registry, and confirm
# the mapping against the template that consumes this variable.
# Per-registry credentials; empty by default.
# The commented entry is a placeholder. Do not commit real passwords here in
# plain text; supply them from an encrypted source such as Ansible Vault.
crio_registry_auth: []
#  - registry: 10.0.0.2:5000
#    username: user
#    password: pass
# No custom seccomp profile path is set by default.
# NOTE(review): with an empty value cri-o is expected to fall back to its
# built-in default seccomp profile; confirm against the crio.conf template.
crio_seccomp_profile: ""

# Renders "true" only when preinstall_selinux_state is exactly 'enforcing';
# any other state (including permissive) renders "false".
crio_selinux: "{{ (preinstall_selinux_state == 'enforcing') | lower }}"

# Set to a policy file only on ClearLinux; on every other OS family this
# renders as an empty string.
# NOTE(review): with an empty value cri-o presumably uses the system default
# image signature policy; verify that policy enforces the signature
# requirements you expect.
crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
# Override system default for storage driver
# crio_storage_driver: "overlay"

# Port used by cri-o's streaming server; quoted so it is handled as a string.
# NOTE(review): confirm in the crio.conf template which address this port is
# bound to, and keep it off externally reachable interfaces.
crio_stream_port: "10010"
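# Derive the required cri-o "major.minor" from kube_version
# (illustrative: v1.2.3 -> 1.2).
# The dots in the pattern are escaped so that only a literal '.' is accepted
# between the components; unescaped, '.' would match any character. A
# kube_version that does not match the pattern is passed through unchanged.
crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"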
# The crio_runtimes variable defines a list of OCI compatible runtimes.
# Each entry gives the runtime name, the binary path, the runtime type and the
# runtime's root (state) directory.
crio_runtimes:
  - name: runc
    path: "{{ bin_dir }}/runc"
    type: oci
    root: /run/runc
# Kata Containers is an OCI runtime that runs containers inside lightweight
# VMs. Kata adds isolation from the host, reducing the host attack surface and
# limiting the consequences of a container breakout.
kata_runtimes:
  # Kata Containers with the default configured VMM
  - name: kata-qemu
    path: /usr/local/bin/containerd-shim-kata-qemu-v2
    type: vm
    root: /run/kata-containers
    # Per crio.conf(5), this stops host devices from being passed to privileged
    # containers started with this runtime. Leave it true unless a workload
    # has a reviewed need for host device access.
    privileged_without_host_devices: true
# crun is a fast, low-memory-footprint OCI container runtime written in C.
# Unlike crio_runtimes, this is a single runtime entry (a mapping, not a list).
crun_runtime:
  name: crun
  path: "{{ bin_dir }}/crun"
  type: oci
  root: /run/crun
# youki is an implementation of the OCI runtime-spec in Rust, similar to runc.
# Its binary is resolved under youki_bin_dir rather than bin_dir.
youki_runtime:
  name: youki
  path: "{{ youki_bin_dir }}/youki"
  type: oci
  root: /run/youki
# Reserve 16M uids and gids for user namespaces (256 pods * 65536 uids/gids)
# at the end of the uid/gid space.
# start + length = 2130706432 + 16777216 = 2147483648 (2^31), so the reserved
# range is the last 16777216 ids below 2^31.
# Remapping is disabled by default.
# NOTE(review): the subuid/subgid ranges are presumably assigned to
# crio_remap_user and only used when crio_remap_enable is true; make sure the
# range does not overlap ids already allocated on the host.
crio_remap_enable: false
crio_remap_user: containers
crio_subuid_start: 2130706432
crio_subuid_length: 16777216
crio_subgid_start: 2130706432
crio_subgid_length: 16777216
# cri-o manual files, grouped by man section number (the keys are integers).
crio_man_files:
  5:
    - crio.conf
    - crio.conf.d
  8:
    - crio
    - crio-status
# Set to true to enable CRIU support in cri-o; disabled by default.
crio_criu_support_enabled: false