richard
/
kubespray
mirror of https://github.com/kubernetes-sigs/kubespray.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7975 Commits
29 Branches
81 Tags
150 MiB
Tree: b8541962f3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'b8541962f3'
${ noResults }
kubespray/roles/container-engine/cri-o/defaults/main.yml

101 lines
2.8 KiB
Raw Normal View History

Add cri-o role.
6 years ago
Cleanup fedora coreos with crio container (#5887) * fix upgrade of crio on fcos - update documents * install conntrack required by kube-proxy - like commit 48c41bcbe7a428584f4919f4404d09a0b7381a53 * enable fedora modular repo for crio * allow to override crio configuration - set cgroup manager same to kubelet_cgroup_driver if defined - path of seccomp_profile depends on distribution * allow to override crio configuration - fix path for ubuntu * allow to override crio configuration - fix cni path for fcos
4 years ago
crio: align template crio.conf with upstream (#6432) * log level by default increased to 'info' * cgroup manager by default set to 'systemd' * stream port (used by kubelet) bound to 127.0.0.1 for security reasons * metrics can be enabled and port specified
4 years ago
use cri-o from upstream instead of kubic/OBS (#9374) * [cri-o] use cri-o from upstream instead of kubic/OBS * [cri-o] add proper molecule coverage * [skopeo] download skopeo from upstream build * [cri-o] clean up legacy deployments * disable cri-o per-distribution variables
2 years ago
Feat: make CRI-O's default runtime configurable Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
1 month ago
cri-o Switch to libexecdir (#11584) Signed-off-by: Kay Yan <kay.yan@daocloud.io>
1 month ago
crio: align template crio.conf with upstream (#6432) * log level by default increased to 'info' * cgroup manager by default set to 'systemd' * stream port (used by kubelet) bound to 127.0.0.1 for security reasons * metrics can be enabled and port specified
4 years ago
cri-o: add variable to configure unsecure pull (#6568) By default do not allow "unqualified" (without a registry) images because it is considered unsecure and subject to mitm attacks. To enable insecure pull configure for example: crio_registries: - "docker.io" - "quay.io"
4 years ago
Update configuration of registries in cri-o (#7852) * Update configuration of registries in cri-o * Update docs to match new registry configuration
2 years ago
cri-o: add variable to configure unsecure pull (#6568) By default do not allow "unqualified" (without a registry) images because it is considered unsecure and subject to mitm attacks. To enable insecure pull configure for example: crio_registries: - "docker.io" - "quay.io"
4 years ago
add crio registry mirror support (#6977) * add crio registry mirror support * mdlint fix
4 years ago
Update configuration of registries in cri-o (#7852) * Update configuration of registries in cri-o * Update docs to match new registry configuration
2 years ago
add crio registry mirror support (#6977) * add crio registry mirror support * mdlint fix
4 years ago
Update configuration of registries in cri-o (#7852) * Update configuration of registries in cri-o * Update docs to match new registry configuration
2 years ago
crio: align template crio.conf with upstream (#6432) * log level by default increased to 'info' * cgroup manager by default set to 'systemd' * stream port (used by kubelet) bound to 127.0.0.1 for security reasons * metrics can be enabled and port specified
4 years ago
project: fix var-spacing ansible rule (#10266) * project: fix var-spacing ansible rule Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing on the beginning/end of jinja template Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing of default filter Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix spacing between filter arguments Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix double space at beginning/end of jinja Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> * project: fix remaining jinja[spacing] ansible-lint warning Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch> --------- Signed-off-by: Arthur Outhenin-Chalandre <arthur.outhenin-chalandre@proton.ch>
1 year ago
crio: align template crio.conf with upstream (#6432) * log level by default increased to 'info' * cgroup manager by default set to 'systemd' * stream port (used by kubelet) bound to 127.0.0.1 for security reasons * metrics can be enabled and port specified
4 years ago
crio: use system default for storage driver by default (#6637) After host reboot kubelet and crio goes into a loop and no container is started. storage_driver in crio.conf overrides system defaults in etc/containers/storage.conf /etc/containers/storage.conf is installed by package containers-common dependency installed from cri-o (centos7) and contains "overlay". Hosts already configured with overlay2 should be reconfigured and the /var/lib/containers content removed.
4 years ago
crio: align template crio.conf with upstream (#6432) * log level by default increased to 'info' * cgroup manager by default set to 'systemd' * stream port (used by kubelet) bound to 127.0.0.1 for security reasons * metrics can be enabled and port specified
4 years ago
Centos, debian and fedora CRI-O repo (#6008) * replace removed repo with kubic repository for centos 7 * add crio configuration for centos8 * add crio configurations for debian * use correct crio version for fedora * simplify calulation of required crio version - gives possibility to overwrite * change default path for runc * change default for seccomp path * change default for conmon
4 years ago
Add a new crio_root variable in order to store CRI-O data on something else than /var/lib (#11692)
3 weeks ago
Add Kata Containers support to CRI-O runtime (#6830) * Enable Kata Containers for CRI-O runtime Kata Containers is an OCI runtime where containers are run inside lightweight VMs. This runtime has been enabled for containerd runtime thru the kata_containers_enabled variable. This change enables Kata Containers to CRI-O container runtime. Signed-off-by: Victor Morales <v.morales@samsung.com> * Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs' * Set manage_ns_lifecycle=true when KataContainers is enabed * Add preinstall check for katacontainers Signed-off-by: Victor Morales <v.morales@samsung.com> Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
4 years ago
Feat: change cri-o default runtime to crun Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
1 month ago
Add Kata Containers support to CRI-O runtime (#6830) * Enable Kata Containers for CRI-O runtime Kata Containers is an OCI runtime where containers are run inside lightweight VMs. This runtime has been enabled for containerd runtime thru the kata_containers_enabled variable. This change enables Kata Containers to CRI-O container runtime. Signed-off-by: Victor Morales <v.morales@samsung.com> * Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs' * Set manage_ns_lifecycle=true when KataContainers is enabed * Add preinstall check for katacontainers Signed-off-by: Victor Morales <v.morales@samsung.com> Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
4 years ago
Feat: change cri-o default runtime to crun Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
1 month ago
Add Kata Containers support to CRI-O runtime (#6830) * Enable Kata Containers for CRI-O runtime Kata Containers is an OCI runtime where containers are run inside lightweight VMs. This runtime has been enabled for containerd runtime thru the kata_containers_enabled variable. This change enables Kata Containers to CRI-O container runtime. Signed-off-by: Victor Morales <v.morales@samsung.com> * Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs' * Set manage_ns_lifecycle=true when KataContainers is enabed * Add preinstall check for katacontainers Signed-off-by: Victor Morales <v.morales@samsung.com> Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
4 years ago
Update Kata Containers runtime (#8797) * Update Kata containers binary to 2.4.1 version * Update overhead kata runtime values * Fix kata-qemu default values in CRI-O
2 years ago
Add Kata Containers support to CRI-O runtime (#6830) * Enable Kata Containers for CRI-O runtime Kata Containers is an OCI runtime where containers are run inside lightweight VMs. This runtime has been enabled for containerd runtime thru the kata_containers_enabled variable. This change enables Kata Containers to CRI-O container runtime. Signed-off-by: Victor Morales <v.morales@samsung.com> * Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs' * Set manage_ns_lifecycle=true when KataContainers is enabed * Add preinstall check for katacontainers Signed-off-by: Victor Morales <v.morales@samsung.com> Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
4 years ago
Update Kata Containers runtime (#8797) * Update Kata containers binary to 2.4.1 version * Update overhead kata runtime values * Fix kata-qemu default values in CRI-O
2 years ago
Allow airgapped CRI-O installation (#6927)
4 years ago
Feat: change cri-o default runtime to crun Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
1 month ago
Add crun support (#6864) Signed-off-by: Victor Morales <v.morales@samsung.com>
4 years ago
cri-o Switch to libexecdir (#11584) Signed-off-by: Kay Yan <kay.yan@daocloud.io>
1 month ago
Add crun support (#6864) Signed-off-by: Victor Morales <v.morales@samsung.com>
4 years ago
Add youki runtime support (#8411)
2 years ago
Add support for CRI-O user namespaces (#8268) * add support for cri-o user namespaces * comply with yamllint rules
2 years ago
use cri-o from upstream instead of kubic/OBS (#9374) * [cri-o] use cri-o from upstream instead of kubic/OBS * [cri-o] add proper molecule coverage * [skopeo] download skopeo from upstream build * [cri-o] clean up legacy deployments * disable cri-o per-distribution variables
2 years ago
Add cri-o criu support (#10479) Signed-off-by: tu1h <lihai.tu@daocloud.io>
1 year ago
  1. ---
  3. crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('systemd') }}"
  4. crio_conmon: "{{ bin_dir }}/conmon"
  5. crio_default_runtime: "crun"
  6. crio_libexec_dir: "/usr/libexec/crio"
  7. crio_enable_metrics: false
  8. crio_log_level: "info"
  9. crio_metrics_port: "9090"
  10. crio_pause_image: "{{ pod_infra_image_repo }}:{{ pod_infra_version }}"
  12. # Registries defined within cri-o.
  13. # By default unqualified images are not allowed for security reasons
  14. crio_registries: []
  15. # - prefix: docker.io
  16. # insecure: false
  17. # blocked: false
  18. # location: registry-1.docker.io ## REQUIRED
  19. # unqualified: false
  20. # mirrors:
  21. # - location: 172.20.100.52:5000
  22. # insecure: true
  23. # - location: mirror.gcr.io
  24. # insecure: false
  26. crio_registry_auth: []
  27. # - registry: 10.0.0.2:5000
  28. # username: user
  29. # password: pass
  31. crio_seccomp_profile: ""
  32. crio_selinux: "{{ (preinstall_selinux_state == 'enforcing') | lower }}"
  33. crio_signature_policy: "{% if ansible_os_family == 'ClearLinux' %}/usr/share/defaults/crio/policy.json{% endif %}"
  35. # Override system default for storage driver
  36. # crio_storage_driver: "overlay"
  38. crio_stream_port: "10010"
  40. crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"
  42. crio_root: "/var/lib/containers/storage"
  44. # The crio_runtimes variable defines a list of OCI compatible runtimes.
  45. crio_runtimes:
  46. - name: crun
  47. path: "{{ crio_runtime_bin_dir }}/crun"
  48. type: oci
  49. root: /run/crun
  51. # Kata Containers is an OCI runtime, where containers are run inside lightweight
  52. # VMs. Kata provides additional isolation towards the host, minimizing the host attack
  53. # surface and mitigating the consequences of containers breakout.
  54. kata_runtimes:
  55. # Kata Containers with the default configured VMM
  56. - name: kata-qemu
  57. path: /usr/local/bin/containerd-shim-kata-qemu-v2
  58. type: vm
  59. root: /run/kata-containers
  60. privileged_without_host_devices: true
  62. runc_runtime:
  63. name: runc
  64. path: "{{ crio_runtime_bin_dir }}/runc"
  65. type: oci
  66. root: /run/runc
  68. # crun is a fast and low-memory footprint OCI Container Runtime fully written in C.
  69. crun_runtime:
  70. name: crun
  71. path: "{{ crio_runtime_bin_dir }}/crun"
  72. type: oci
  73. root: /run/crun
  75. # youki is an implementation of the OCI runtime-spec in Rust, similar to runc.
  76. youki_runtime:
  77. name: youki
  78. path: "{{ youki_bin_dir }}/youki"
  79. type: oci
  80. root: /run/youki
  82. # Reserve 16M uids and gids for user namespaces (256 pods * 65536 uids/gids)
  83. # at the end of the uid/gid space
  84. crio_remap_enable: false
  85. crio_remap_user: containers
  86. crio_subuid_start: 2130706432
  87. crio_subuid_length: 16777216
  88. crio_subgid_start: 2130706432
  89. crio_subgid_length: 16777216
  91. # cri-o manual files
  92. crio_man_files:
  93. 5:
  94. - crio.conf
  95. - crio.conf.d
  96. 8:
  97. - crio
  98. - crio-status
  100. # If set to true, it will enable the CRIU support in cri-o
  101. crio_criu_support_enabled: false