# The CRI-O configuration file specifies all of the available configuration # options and command-line flags for the crio(8) OCI Kubernetes Container Runtime # daemon, but in a TOML format that can be more easily modified and versioned. # # Please refer to crio.conf(5) for details of all configuration options. # CRI-O supports partial configuration reload during runtime, which can be # done by sending SIGHUP to the running process. Currently supported options # are explicitly mentioned with: 'This option supports live configuration # reload'. # CRI-O reads its storage defaults from the containers-storage.conf(5) file # located at /etc/containers/storage.conf. Modify this storage configuration if # you want to change the system's defaults. If you want to modify storage just # for CRI-O, you can change the storage configuration options here. [crio] # Path to the "root directory". CRI-O stores all of its data, including # containers images, in this directory. root = "/var/lib/containers/storage" # Path to the "run directory". CRI-O stores all of its state in this directory. # Read from /etc/containers/storage.conf first so unnecessary here # runroot = "/var/run/containers/storage" # Storage driver used to manage the storage of images and containers. Please # refer to containers-storage.conf(5) to see all available storage drivers. {% if crio_storage_driver is defined %} storage_driver = "{{ crio_storage_driver }}" {% endif %} # List to pass options to the storage driver. Please refer to # containers-storage.conf(5) to see all available storage options. #storage_option = [ #] # The default log directory where all logs will go unless directly specified by # the kubelet. The log directory specified must be an absolute directory. log_dir = "/var/log/crio/pods" # Location for CRI-O to lay down the temporary version file. # It is used to check if crio wipe should wipe containers, which should # always happen on a node reboot version_file = "/var/run/crio/version" # Location for CRI-O to lay down the persistent version file. # It is used to check if crio wipe should wipe images, which should # only happen when CRI-O has been upgraded version_file_persist = "/var/lib/crio/version" # The crio.api table contains settings for the kubelet/gRPC interface. [crio.api] # Path to AF_LOCAL socket on which CRI-O will listen. listen = "/var/run/crio/crio.sock" # IP address on which the stream server will listen. stream_address = "127.0.0.1" # The port on which the stream server will listen. If the port is set to "0", then # CRI-O will allocate a random free port number. stream_port = "{{ crio_stream_port }}" # Enable encrypted TLS transport of the stream server. stream_enable_tls = false # Path to the x509 certificate file used to serve the encrypted stream. This # file can change, and CRI-O will automatically pick up the changes within 5 # minutes. stream_tls_cert = "" # Path to the key file used to serve the encrypted stream. This file can # change and CRI-O will automatically pick up the changes within 5 minutes. stream_tls_key = "" # Path to the x509 CA(s) file used to verify and authenticate client # communication with the encrypted stream. This file can change and CRI-O will # automatically pick up the changes within 5 minutes. stream_tls_ca = "" # Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024. grpc_max_send_msg_size = 16777216 # Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024. grpc_max_recv_msg_size = 16777216 # The crio.runtime table contains settings pertaining to the OCI runtime used # and options for how to set up and manage the OCI runtime. [crio.runtime] # A list of ulimits to be set in containers by default, specified as # "=:", for example: # "nofile=1024:2048" # If nothing is set here, settings will be inherited from the CRI-O daemon #default_ulimits = [ #] # default_runtime is the _name_ of the OCI runtime to be used as the default. # The name is matched against the runtimes map below. default_runtime = "runc" # If true, the runtime will not use pivot_root, but instead use MS_MOVE. no_pivot = false # decryption_keys_path is the path where the keys required for # image decryption are stored. This option supports live configuration reload. decryption_keys_path = "/etc/crio/keys/" # Path to the conmon binary, used for monitoring the OCI runtime. # Will be searched for using $PATH if empty. conmon = "{{ crio_conmon }}" # Cgroup setting for conmon {% if crio_cgroup_manager == "cgroupfs" %} conmon_cgroup = "pod" {% else %} {% if kube_reserved is defined and kube_reserved|bool %} conmon_cgroup = "{{ kube_reserved_cgroups_for_service_slice }}" {% else %} conmon_cgroup = "system.slice" {% endif %} {% endif %} # Environment variable list for the conmon process, used for passing necessary # environment variables to conmon or the runtime. conmon_env = [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ] # Additional environment variables to set for all the # containers. These are overridden if set in the # container image spec or in the container runtime configuration. default_env = [ ] # If true, SELinux will be used for pod separation on the host. selinux = {{ crio_selinux }} # Path to the seccomp.json profile which is used as the default seccomp profile # for the runtime. If not specified, then the internal default seccomp profile # will be used. This option supports live configuration reload. seccomp_profile = "{{ crio_seccomp_profile }}" # Used to change the name of the default AppArmor profile of CRI-O. The default # profile name is "crio-default". This profile only takes effect if the user # does not specify a profile via the Kubernetes Pod's metadata annotation. If # the profile is set to "unconfined", then this equals to disabling AppArmor. # This option supports live configuration reload. # apparmor_profile = "crio-default" # Cgroup management implementation used for the runtime. cgroup_manager = "{{ crio_cgroup_manager }}" # List of default capabilities for containers. If it is empty or commented out, # only the capabilities defined in the containers json file by the user/kube # will be added. default_capabilities = [ "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "NET_RAW", "SETGID", "SETUID", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", ] # List of default sysctls. If it is empty or commented out, only the sysctls # defined in the container json file by the user/kube will be added. default_sysctls = [ ] # List of additional devices. specified as # "::", for example: "--device=/dev/sdc:/dev/xvdc:rwm". #If it is empty or commented out, only the devices # defined in the container json file by the user/kube will be added. additional_devices = [ ] # Path to OCI hooks directories for automatically executed hooks. If one of the # directories does not exist, then CRI-O will automatically skip them. hooks_dir = [ "/usr/share/containers/oci/hooks.d", ] # List of default mounts for each container. **Deprecated:** this option will # be removed in future versions in favor of default_mounts_file. default_mounts = [ ] # Path to the file specifying the defaults mounts for each container. The # format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads # its default mounts from the following two files: # # 1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the # override file, where users can either add in their own default mounts, or # override the default mounts shipped with the package. # # 2) /usr/share/containers/mounts.conf: This is the default file read for # mounts. If you want CRI-O to read from a different, specific mounts file, # you can change the default_mounts_file. Note, if this is done, CRI-O will # only add mounts it finds in this file. # #default_mounts_file = "" # Maximum sized allowed for the container log file. Negative numbers indicate # that no size limit is imposed. If it is positive, it must be >= 8192 to # match/exceed conmon's read buffer. The file is truncated and re-opened so the # limit is never exceeded. log_size_max = -1 # Whether container output should be logged to journald in addition to the kuberentes log file log_to_journald = false # Path to directory in which container exit files are written to by conmon. container_exits_dir = "/var/run/crio/exits" # Path to directory for container attach sockets. container_attach_socket_dir = "/var/run/crio" # The prefix to use for the source of the bind mounts. bind_mount_prefix = "" # If set to true, all containers will run in read-only mode. read_only = false # Changes the verbosity of the logs based on the level it is set to. Options # are fatal, panic, error, warn, info, debug and trace. This option supports # live configuration reload. log_level = "{{ crio_log_level }}" # Filter the log messages by the provided regular expression. # This option supports live configuration reload. log_filter = "" # The UID mappings for the user namespace of each container. A range is # specified in the form containerUID:HostUID:Size. Multiple ranges must be # separated by comma. uid_mappings = "" # The GID mappings for the user namespace of each container. A range is # specified in the form containerGID:HostGID:Size. Multiple ranges must be # separated by comma. gid_mappings = "" # The minimal amount of time in seconds to wait before issuing a timeout # regarding the proper termination of the container. The lowest possible # value is 30s, whereas lower values are not considered by CRI-O. ctr_stop_timeout = 30 # **DEPRECATED** this option is being replaced by manage_ns_lifecycle, which is described below. # manage_network_ns_lifecycle = false # manage_ns_lifecycle determines whether we pin and remove namespaces # and manage their lifecycle {% if kata_containers_enabled %} manage_ns_lifecycle = true {% else %} manage_ns_lifecycle = false {% endif %} # The directory where the state of the managed namespaces gets tracked. # Only used when manage_ns_lifecycle is true. namespaces_dir = "/var/run" # pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle {% if bin_dir == "/usr/local/bin" %} pinns_path = "" {% else %} pinns_path = "{{ bin_dir }}/pinns" {% endif %} {% if crio_criu_support_enabled %} # Enable CRIU integration, requires that the criu binary is available in $PATH. enable_criu_support = true {% endif %} # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. # The runtime to use is picked based on the runtime_handler provided by the CRI. # If no runtime_handler is provided, the runtime will be picked based on the level # of trust of the workload. Each entry in the table should follow the format: # #[crio.runtime.runtimes.runtime-handler] # runtime_path = "/path/to/the/executable" # runtime_type = "oci" # runtime_root = "/path/to/the/root" # # Where: # - runtime-handler: name used to identify the runtime # - runtime_path (optional, string): absolute path to the runtime executable in # the host filesystem. If omitted, the runtime-handler identifier should match # the runtime executable name, and the runtime executable should be placed # in $PATH. # - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If # omitted, an "oci" runtime is assumed. # - runtime_root (optional, string): root directory for storage of containers # state. {% for runtime in crio_runtimes %} [crio.runtime.runtimes.{{ runtime.name }}] runtime_path = "{{ runtime.path }}" runtime_type = "{{ runtime.type }}" runtime_root = "{{ runtime.root }}" privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }} allowed_annotations = {{ runtime.allowed_annotations|default([])|to_json }} {% endfor %} # Kata Containers with the Firecracker VMM #[crio.runtime.runtimes.kata-fc] # The crio.image table contains settings pertaining to the management of OCI images. # # CRI-O reads its configured registries defaults from the system wide # containers-registries.conf(5) located in /etc/containers/registries.conf. If # you want to modify just CRI-O, you can change the registries configuration in # this file. Otherwise, leave insecure_registries and registries commented out to # use the system's defaults from /etc/containers/registries.conf. [crio.image] {% if crio_insecure_registries is defined and crio_insecure_registries|length>0 %} insecure_registries = {{ crio_insecure_registries }} {% endif %} # Default transport for pulling images from a remote container storage. default_transport = "docker://" # The path to a file containing credentials necessary for pulling images from # secure registries. The file is similar to that of /var/lib/kubelet/config.json global_auth_file = "/etc/crio/config.json" # The image used to instantiate infra containers. # This option supports live configuration reload. pause_image = "{{ crio_pause_image }}" # The path to a file containing credentials specific for pulling the pause_image from # above. The file is similar to that of /var/lib/kubelet/config.json # This option supports live configuration reload. pause_image_auth_file = "" # The command to run to have a container stay in the paused state. # When explicitly set to "", it will fallback to the entrypoint and command # specified in the pause image. When commented out, it will fallback to the # default: "/pause". This option supports live configuration reload. pause_command = "/pause" # Path to the file which decides what sort of policy we use when deciding # whether or not to trust an image that we've pulled. It is not recommended that # this option be used, as the default behavior of using the system-wide default # policy (i.e., /etc/containers/policy.json) is most often preferred. Please # refer to containers-policy.json(5) for more details. signature_policy = "{{ crio_signature_policy }}" # Controls how image volumes are handled. The valid values are mkdir, bind and # ignore; the latter will ignore volumes entirely. image_volumes = "mkdir" # The crio.network table containers settings pertaining to the management of # CNI plugins. [crio.network] # The default CNI network name to be selected. If not set or "", then # CRI-O will pick-up the first one found in network_dir. # cni_default_network = "" # Path to the directory where CNI configuration files are located. network_dir = "/etc/cni/net.d/" # Paths to directories where CNI plugin binaries are located. plugin_dirs = [ "/opt/cni/bin", "/usr/libexec/cni", ] # A necessary configuration for Prometheus based metrics retrieval [crio.metrics] # Globally enable or disable metrics support. enable_metrics = {{ crio_enable_metrics | bool | lower }} # The port on which the metrics server will listen. metrics_port = {{ crio_metrics_port }} {% if nri_enabled and crio_version is version('v1.26.0', operator='>=') %} [crio.nri] enable_nri=true {% endif %}