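# generated via: crio --config="" config --default

# The "crio" table contains all of the server options.
[crio]

# root is a path to the "root directory". CRIO stores all of its data,
# including container images, in this directory.
root = "/var/lib/containers/storage"

# runroot is a path to the "run directory". CRIO stores all of its state
# in this directory.
runroot = "/var/run/containers/storage"

# storage_driver selects which storage driver is used to manage storage
# of images and containers. Left empty here in the generated default.
storage_driver = ""

# storage_option is used to pass options to the storage driver.
# Empty by default.
storage_option = []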
| 21 | |
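# The "crio.api" table contains settings for the kubelet/gRPC
# interface (which is also used by crioctl).
[crio.api]

# listen is the path to the AF_LOCAL socket on which crio will listen.
# The socket's filesystem ownership and mode are what gate access to this
# management interface, so keep them as tight as the local clients allow.
listen = "/var/run/crio.sock"

# stream_address is the IP address on which the stream server will listen.
# Empty in the generated default; which address that resolves to depends on
# the CRI-O build in use, so confirm it before relying on the server being
# node-local.
stream_address = ""

# stream_port is the port on which the stream server will listen.
# The generated default quotes this value; keep it as a string rather than
# converting it to an integer.
stream_port = "10010"

# file_locking is whether file-based locking will be used instead of
# in-memory locking.
file_locking = true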
| 38 | |
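# The "crio.runtime" table contains settings pertaining to the OCI
# runtime used and options for how to set up and manage the OCI runtime.
[crio.runtime]

# runtime is the OCI compatible runtime used for trusted container workloads.
# This is a mandatory setting as this runtime will be the default one
# and will also be used for untrusted container workloads if
# runtime_untrusted_workload is not set.
runtime = "/usr/bin/runc"

# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
# container workloads. This is an optional setting, except if
# default_workload_trust is set to "untrusted".
runtime_untrusted_workload = ""

# default_workload_trust is the default level of trust crio puts in container
# workloads. It can either be "trusted" or "untrusted", and the default
# is "trusted".
# Containers can be run through different container runtimes, depending on
# the trust hints we receive from kubelet:
# - If kubelet tags a container workload as untrusted, crio will try first to
#   run it through the untrusted container workload runtime. If it is not set,
#   crio will use the trusted runtime.
# - If kubelet does not provide any information about the container workload trust
#   level, the selected runtime will depend on the default_workload_trust setting.
#   If it is set to "untrusted", then all containers except for the host privileged
#   ones, will be run by the runtime_untrusted_workload runtime. Host privileged
#   containers are by definition trusted and will always use the trusted container
#   runtime. If default_workload_trust is set to "trusted", crio will use the trusted
#   container runtime for all containers.
default_workload_trust = "trusted"

# conmon is the path to conmon binary, used for managing the runtime.
conmon = "/usr/libexec/crio/conmon"

# conmon_env is the environment variable list for conmon process,
# used for passing necessary environment variable to conmon or runtime.
conmon_env = [
    "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]

# selinux indicates whether or not SELinux will be used for pod
# separation on the host. If you enable this flag, SELinux must be running
# on the host. With it disabled, as in this default, pods are not separated
# from each other by SELinux labels.
selinux = false

# seccomp_profile is the seccomp json profile path which is used as the
# default for the runtime.
seccomp_profile = "/etc/crio/seccomp.json"

# apparmor_profile is the apparmor profile name which is used as the
# default for the runtime.
apparmor_profile = "crio-default"

# cgroup_manager is the cgroup management implementation to be used
# for the runtime.
cgroup_manager = "cgroupfs"

# hooks_dir_path is the oci hooks directory for automatically executed hooks.
# Hooks placed here run without further confirmation, so write access to
# this directory should be limited to the same principals that can edit
# this file.
hooks_dir_path = "/usr/share/containers/oci/hooks.d"

# pids_limit is the number of processes allowed in a container.
pids_limit = 1024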
| 102 | |
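# The "crio.image" table contains settings pertaining to the
# management of OCI images.
[crio.image]

# default_transport is the prefix we try prepending to an image name if the
# image name as we receive it can't be parsed as a valid source reference.
default_transport = "docker://"

# pause_image is the image which we use to instantiate infra containers.
# This name is unqualified, so it is resolved through the registries list
# below.
pause_image = "kubernetes/pause"

# pause_command is the command to run in a pause_image to have a container just
# sit there. If the image contains the necessary information, this value need
# not be specified.
pause_command = "/pause"

# signature_policy is the name of the file which decides what sort of policy we
# use when deciding whether or not to trust an image that we've pulled.
# Outside of testing situations, it is strongly advised that this be left
# unspecified so that the default system-wide policy will be used.
signature_policy = ""

# image_volumes controls how image volumes are handled.
# The valid values are mkdir and ignore.
image_volumes = "mkdir"

# insecure_registries is used to skip TLS verification when pulling images.
# Every registry listed here is pulled from without TLS verification, so
# the list is kept empty in the generated default.
insecure_registries = []

# registries is a list of registries to be tried, in order, when pulling an
# unqualified image (e.g. fedora:rawhide). One registry per array element.
registries = []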
| 137 | |
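# The "crio.network" table contains settings pertaining to the
# management of CNI plugins.
[crio.network]

# network_dir is where CNI network configuration
# files are stored.
network_dir = "/etc/cni/net.d/"

# plugin_dir is where CNI plugin binaries are stored.
plugin_dir = "/opt/cni/bin/"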