richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4355 Commits
29 Branches
81 Tags
150 MiB
Tree: 4a10dca7d4
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '4a10dca7d4'
${ noResults }
kubespray/roles/container-engine/cri-o/templates/crio.conf.j2

246 lines
9.2 KiB
Raw Normal View History

Add cri-o role.
6 years ago
Fix runc absolute path (#4542) The BINDIR variable defined on the runc's Makefile[1] defines installation path is on $(PREFIX)/sbin which used for most of the Linux distributions. This change fixes the absolute path used for non-ClearLinux distributions (CentOS, Ubuntu). [1] https://github.com/opencontainers/runc/blob/master/Makefile#L10
5 years ago
Add cri-o role.
6 years ago
Fix runc absolute path (#4542) The BINDIR variable defined on the runc's Makefile[1] defines installation path is on $(PREFIX)/sbin which used for most of the Linux distributions. This change fixes the absolute path used for non-ClearLinux distributions (CentOS, Ubuntu). [1] https://github.com/opencontainers/runc/blob/master/Makefile#L10
5 years ago
Add cri-o role.
6 years ago
Enable ClearLinux as a distro in kubespray (#3855) Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
6 years ago
Add cri-o role.
6 years ago
Enable ClearLinux as a distro in kubespray (#3855) Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
6 years ago
Add cri-o role.
6 years ago
Enable ClearLinux as a distro in kubespray (#3855) Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
6 years ago
Add cri-o role.
6 years ago
Enable ClearLinux as a distro in kubespray (#3855) Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
6 years ago
Add cri-o role.
6 years ago
fix typo: remove repeated words(is) (#3419)
6 years ago
Add cri-o role.
6 years ago
fix typo: remove repeated words(is) (#3419)
6 years ago
Add cri-o role.
6 years ago
  2. # The "crio" table contains all of the server options.
  3. [crio]
  5. # CRI-O reads its storage defaults from the containers/storage configuration
  6. # file, /etc/containers/storage.conf. Modify storage.conf if you want to
  7. # change default storage for all tools that use containers/storage. If you
  8. # want to modify just crio, you can change the storage configuration in this
  9. # file.
  11. # root is a path to the "root directory". CRIO stores all of its data,
  12. # including container images, in this directory.
  13. #root = "/var/lib/containers/storage"
  15. # run is a path to the "run directory". CRIO stores all of its state
  16. # in this directory.
  17. #runroot = "/var/run/containers/storage"
  19. # storage_driver select which storage driver is used to manage storage
  20. # of images and containers.
  21. storage_driver = "overlay2"
  23. # storage_option is used to pass an option to the storage driver.
  24. #storage_option = [
  25. #]
  27. # The "crio.api" table contains settings for the kubelet/gRPC interface.
  28. [crio.api]
  30. # listen is the path to the AF_LOCAL socket on which crio will listen.
  31. listen = "/var/run/crio/crio.sock"
  33. # stream_address is the IP address on which the stream server will listen
  34. stream_address = ""
  36. # stream_port is the port on which the stream server will listen
  37. stream_port = "10010"
  39. # stream_enable_tls enables encrypted tls transport of the stream server
  40. stream_enable_tls = false
  42. # stream_tls_cert is the x509 certificate file path used to serve the encrypted stream.
  43. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  44. stream_tls_cert = ""
  46. # stream_tls_key is the key file path used to serve the encrypted stream.
  47. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  48. stream_tls_key = ""
  50. # stream_tls_ca is the x509 CA(s) file used to verify and authenticate client
  51. # communication with the tls encrypted stream.
  52. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  53. stream_tls_ca = ""
  55. # file_locking is whether file-based locking will be used instead of
  56. # in-memory locking
  57. file_locking = true
  59. # The "crio.runtime" table contains settings pertaining to the OCI
  60. # runtime used and options for how to set up and manage the OCI runtime.
  61. [crio.runtime]
  63. # runtime is the OCI compatible runtime used for trusted container workloads.
  64. # This is a mandatory setting as this runtime will be the default one
  65. # and will also be used for untrusted container workloads if
  66. # runtime_untrusted_workload is not set.
  67. {% if ansible_os_family == "ClearLinux" %}
  68. runtime = "/usr/bin/runc"
  69. {% else %}
  70. runtime = "/usr/sbin/runc"
  71. {% endif %}
  73. # runtime_untrusted_workload is the OCI compatible runtime used for untrusted
  74. # container workloads. This is an optional setting, except if
  75. # default_container_trust is set to "untrusted".
  76. runtime_untrusted_workload = ""
  78. # default_workload_trust is the default level of trust crio puts in container
  79. # workloads. It can either be "trusted" or "untrusted", and the default
  80. # is "trusted".
  81. # Containers can be run through different container runtimes, depending on
  82. # the trust hints we receive from kubelet:
  83. # - If kubelet tags a container workload as untrusted, crio will try first to
  84. # run it through the untrusted container workload runtime. If it is not set,
  85. # crio will use the trusted runtime.
  86. # - If kubelet does not provide any information about the container workload trust
  87. # level, the selected runtime will depend on the default_container_trust setting.
  88. # If it is set to "untrusted", then all containers except for the host privileged
  89. # ones, will be run by the runtime_untrusted_workload runtime. Host privileged
  90. # containers are by definition trusted and will always use the trusted container
  91. # runtime. If default_container_trust is set to "trusted", crio will use the trusted
  92. # container runtime for all containers.
  93. default_workload_trust = "trusted"
  95. # no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
  96. no_pivot = false
  98. # conmon is the path to conmon binary, used for managing the runtime.
  99. conmon = "/usr/libexec/crio/conmon"
  101. # conmon_env is the environment variable list for conmon process,
  102. # used for passing necessary environment variable to conmon or runtime.
  103. conmon_env = [
  104. "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  105. ]
  107. # selinux indicates whether or not SELinux will be used for pod
  108. # separation on the host. If you enable this flag, SELinux must be running
  109. # on the host.
  110. selinux = {{ (preinstall_selinux_state == 'enforcing')|lower }}
  112. # seccomp_profile is the seccomp json profile path which is used as the
  113. # default for the runtime.
  114. {% if ansible_os_family == "ClearLinux" %}
  115. seccomp_profile = "/usr/share/defaults/crio/seccomp.json"
  116. {% else %}
  117. seccomp_profile = "/etc/crio/seccomp.json"
  118. {% endif %}
  120. # apparmor_profile is the apparmor profile name which is used as the
  121. # default for the runtime.
  122. apparmor_profile = "crio-default"
  124. # cgroup_manager is the cgroup management implementation to be used
  125. # for the runtime.
  126. cgroup_manager = "cgroupfs"
  128. # default_capabilities is the list of capabilities to add and can be modified here.
  129. # If capabilities below is commented out, the default list of capabilities defined in the
  130. # spec will be added.
  131. # If capabilities is empty below, only the capabilities defined in the container json
  132. # file by the user/kube will be added.
  133. default_capabilities = [
  134. "CHOWN",
  135. "DAC_OVERRIDE",
  136. "FSETID",
  137. "FOWNER",
  138. "NET_RAW",
  139. "SETGID",
  140. "SETUID",
  141. "SETPCAP",
  142. "NET_BIND_SERVICE",
  143. "SYS_CHROOT",
  144. "KILL",
  145. ]
  147. # hooks_dir_path is the oci hooks directory for automatically executed hooks
  148. hooks_dir_path = "/usr/share/containers/oci/hooks.d"
  150. # default_mounts is the mounts list to be mounted for the container when created
  151. # deprecated, will be taken out in future versions, add default mounts to either
  152. # /usr/share/containers/mounts.conf or /etc/containers/mounts.conf
  153. default_mounts = [
  154. ]
  156. # CRI-O reads its default mounts from the following two files:
  157. # 1) /etc/containers/mounts.conf - this is the override file, where users can
  158. # either add in their own default mounts, or override the default mounts shipped
  159. # with the package.
  160. # 2) /usr/share/containers/mounts.conf - this is the default file read for mounts.
  161. # If you want CRI-O to read from a different, specific mounts file, you can change
  162. # the default_mounts_file path right below. Note, if this is done, CRI-O will only add
  163. # mounts it finds in this file.
  165. # default_mounts_file is the file path holding the default mounts to be mounted for the
  166. # container when created.
  167. # default_mounts_file = ""
  169. # pids_limit is the number of processes allowed in a container
  170. pids_limit = 1024
  172. # log_size_max is the max limit for the container log size in bytes.
  173. # Negative values indicate that no limit is imposed.
  174. log_size_max = -1
  176. # read-only indicates whether all containers will run in read-only mode
  177. read_only = false
  179. # The "crio.image" table contains settings pertaining to the
  180. # management of OCI images.
  182. # uid_mappings specifies the UID mappings to have in the user namespace.
  183. # A range is specified in the form containerUID:HostUID:Size. Multiple
  184. # ranges are separed by comma.
  185. uid_mappings = ""
  187. # gid_mappings specifies the GID mappings to have in the user namespace.
  188. # A range is specified in the form containerGID:HostGID:Size. Multiple
  189. # ranges are separed by comma.
  190. gid_mappings = ""
  192. [crio.image]
  194. # default_transport is the prefix we try prepending to an image name if the
  195. # image name as we receive it can't be parsed as a valid source reference
  196. default_transport = "docker://"
  198. # pause_image is the image which we use to instantiate infra containers.
  199. pause_image = "docker://k8s.gcr.io/pause:3.1"
  201. # pause_command is the command to run in a pause_image to have a container just
  202. # sit there. If the image contains the necessary information, this value need
  203. # not be specified.
  204. pause_command = "/pause"
  206. # signature_policy is the name of the file which decides what sort of policy we
  207. # use when deciding whether or not to trust an image that we've pulled.
  208. # Outside of testing situations, it is strongly advised that this be left
  209. # unspecified so that the default system-wide policy will be used.
  210. {% if ansible_os_family == "ClearLinux" %}
  211. signature_policy = "/usr/share/defaults/crio/policy.json"
  212. {% else %}
  213. signature_policy = ""
  214. {% endif %}
  216. # image_volumes controls how image volumes are handled.
  217. # The valid values are mkdir and ignore.
  218. image_volumes = "mkdir"
  220. # CRI-O reads its configured registries defaults from the containers/image configuration
  221. # file, /etc/containers/registries.conf. Modify registries.conf if you want to
  222. # change default registries for all tools that use containers/image. If you
  223. # want to modify just crio, you can change the registies configuration in this
  224. # file.
  226. # insecure_registries is used to skip TLS verification when pulling images.
  227. insecure_registries = [
  228. "{{ kube_service_addresses }}"
  229. ]
  231. # registries is used to specify a comma separated list of registries to be used
  232. # when pulling an unqualified image (e.g. fedora:rawhide).
  233. registries = [
  234. "docker.io"
  235. ]
  237. # The "crio.network" table contains settings pertaining to the
  238. # management of CNI plugins.
  239. [crio.network]
  241. # network_dir is where CNI network configuration
  242. # files are stored.
  243. network_dir = "/etc/cni/net.d/"
  245. # plugin_dir is where CNI plugin binaries are stored.
  246. plugin_dir = "/opt/cni/bin/"