Upgrade crio.conf to version v1.14.0
parent
1d8b7d6032
commit
8a4b8629dc
|
@ -25,7 +25,6 @@ storage_driver = "overlay"
|
|||
# List to pass options to the storage driver. Please refer to
|
||||
# containers-storage.conf(5) to see all available storage options.
|
||||
#storage_option = [
|
||||
# "overlay.override_kernel_check=true",
|
||||
#]
|
||||
|
||||
# If set to false, in-memory locking will be used instead of file-based locking.
|
||||
|
@ -64,6 +63,12 @@ stream_tls_key = ""
|
|||
# automatically pick up the changes within 5 minutes.
|
||||
stream_tls_ca = ""
|
||||
|
||||
# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
|
||||
grpc_max_send_msg_size = 16777216
|
||||
|
||||
# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
|
||||
grpc_max_recv_msg_size = 16777216
|
||||
|
||||
# The crio.runtime table contains settings pertaining to the OCI runtime used
|
||||
# and options for how to set up and manage the OCI runtime.
|
||||
[crio.runtime]
|
||||
|
@ -75,56 +80,10 @@ stream_tls_ca = ""
|
|||
#default_ulimits = [
|
||||
#]
|
||||
|
||||
# Path to the OCI compatible runtime used for trusted container workloads. This
|
||||
# is a mandatory setting as this runtime will be the default and will also be
|
||||
# used for untrusted container workloads if runtime_untrusted_workload is not
|
||||
# set.
|
||||
#
|
||||
# DEPRECATED: use Runtimes instead.
|
||||
#
|
||||
# runtime = ""
|
||||
|
||||
# default_runtime is the _name_ of the OCI runtime to be used as the default.
|
||||
# The name is matched against the runtimes map below.
|
||||
default_runtime = "runc"
|
||||
|
||||
# Path to OCI compatible runtime used for untrusted container workloads. This
|
||||
# is an optional setting, except if default_container_trust is set to
|
||||
# "untrusted".
|
||||
# DEPRECATED: use "crio.runtime.runtimes" instead. If provided, this
|
||||
# runtime is mapped to the runtime handler named 'untrusted'. It is
|
||||
# a configuration error to provide both the (now deprecated)
|
||||
# runtime_untrusted_workload and a handler in the Runtimes handler
|
||||
# map (below) for 'untrusted' workloads at the same time. Please
|
||||
# provide one or the other.
|
||||
# The support of this option will continue through versions 1.12 and 1.13.
|
||||
# By version 1.14, this option will no longer exist.
|
||||
#runtime_untrusted_workload = ""
|
||||
|
||||
# Default level of trust CRI-O puts in container workloads. It can either be
|
||||
# "trusted" or "untrusted", and the default is "trusted". Containers can be run
|
||||
# through different container runtimes, depending on the trust hints we receive
|
||||
# from kubelet:
|
||||
#
|
||||
# - If kubelet tags a container workload as untrusted, CRI-O will try first
|
||||
# to run it through the untrusted container workload runtime. If it is not
|
||||
# set, CRI-O will use the trusted runtime.
|
||||
#
|
||||
# - If kubelet does not provide any information about the container workload
|
||||
# trust level, the selected runtime will depend on the default_container_trust
|
||||
# setting. If it is set to untrusted, then all containers except for the host
|
||||
# privileged ones, will be run by the runtime_untrusted_workload runtime. Host
|
||||
# privileged containers are by definition trusted and will always use the
|
||||
# trusted container runtime. If default_container_trust is set to "trusted",
|
||||
# CRI-O will use the trusted container runtime for all containers.
|
||||
#
|
||||
# DEPRECATED: The runtime handler should provide a key to the map of runtimes,
|
||||
# avoiding the need to rely on the level of trust of the workload to choose
|
||||
# an appropriate runtime.
|
||||
# The support of this option will continue through versions 1.12 and 1.13.
|
||||
# By version 1.14, this option will no longer exist.
|
||||
#default_workload_trust = ""
|
||||
|
||||
# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
|
||||
no_pivot = true
|
||||
|
||||
|
@ -213,6 +172,9 @@ pids_limit = 1024
|
|||
# limit is never exceeded.
|
||||
log_size_max = -1
|
||||
|
||||
# Whether container output should be logged to journald in addition to the kuberentes log file
|
||||
log_to_journald = false
|
||||
|
||||
# Path to directory in which container exit files are written to by conmon.
|
||||
container_exits_dir = "/var/run/crio/exits"
|
||||
|
||||
|
@ -247,6 +209,7 @@ ctr_stop_timeout = 0
|
|||
|
||||
[crio.runtime.runtimes.runc]
|
||||
runtime_path = "/usr/bin/runc"
|
||||
runtime_type = "oci"
|
||||
|
||||
|
||||
|
||||
|
@ -254,7 +217,7 @@ ctr_stop_timeout = 0
|
|||
#
|
||||
# CRI-O reads its configured registries defaults from the system wide
|
||||
# containers-registries.conf(5) located in /etc/containers/registries.conf. If
|
||||
# you want to modify just CRI-O, you can change the registies configuration in
|
||||
# you want to modify just CRI-O, you can change the registries configuration in
|
||||
# this file. Otherwise, leave insecure_registries and registries commented out to
|
||||
# use the system's defaults from /etc/containers/registries.conf.
|
||||
[crio.image]
|
||||
|
@ -265,6 +228,10 @@ default_transport = "docker://"
|
|||
# The image used to instantiate infra containers.
|
||||
pause_image = "k8s.gcr.io/pause:3.1"
|
||||
|
||||
# If not empty, the path to a docker/config.json-like file containing credentials
|
||||
# necessary for pulling the image specified by pause_image above.
|
||||
pause_image_auth_file = ""
|
||||
|
||||
# The command to run to have a container stay in the paused state.
|
||||
pause_command = "/pause"
|
||||
|
||||
|
@ -296,5 +263,7 @@ registries = [
|
|||
# Path to the directory where CNI configuration files are located.
|
||||
network_dir = "/etc/cni/net.d/"
|
||||
|
||||
# Path to directory where CNI plugin binaries are located.
|
||||
plugin_dir = "/opt/cni/bin/"
|
||||
# Paths to directories where CNI plugin binaries are located.
|
||||
plugin_dir = [
|
||||
"/opt/cni/bin/",
|
||||
]
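Review bot: `no_pivot = true` is carried through unchanged in the `[crio.runtime]` hunk, so hosts using this file still start containers without pivot_root, which is generally the weaker way to confine a process to its rootfs. The other file section in this commit sets it to `false`. If this host type really needs it (it is normally only required when the rootfs sits on a ramdisk, which should be confirmed here), record that next to the key, e.g. `# no_pivot stays true because <reason>; switch back to false once pivot_root is usable.` Otherwise change the line to `no_pivot = false` as part of this upgrade.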
|
||||
|
|
|
@ -25,7 +25,6 @@
|
|||
# List to pass options to the storage driver. Please refer to
|
||||
# containers-storage.conf(5) to see all available storage options.
|
||||
#storage_option = [
|
||||
# "overlay.override_kernel_check=true",
|
||||
#]
|
||||
|
||||
# If set to false, in-memory locking will be used instead of file-based locking.
|
||||
|
@ -64,6 +63,12 @@ stream_tls_key = ""
|
|||
# automatically pick up the changes within 5 minutes.
|
||||
stream_tls_ca = ""
|
||||
|
||||
# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
|
||||
grpc_max_send_msg_size = 16777216
|
||||
|
||||
# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
|
||||
grpc_max_recv_msg_size = 16777216
|
||||
|
||||
# The crio.runtime table contains settings pertaining to the OCI runtime used
|
||||
# and options for how to set up and manage the OCI runtime.
|
||||
[crio.runtime]
|
||||
|
@ -75,56 +80,10 @@ stream_tls_ca = ""
|
|||
#default_ulimits = [
|
||||
#]
|
||||
|
||||
# Path to the OCI compatible runtime used for trusted container workloads. This
|
||||
# is a mandatory setting as this runtime will be the default and will also be
|
||||
# used for untrusted container workloads if runtime_untrusted_workload is not
|
||||
# set.
|
||||
#
|
||||
# DEPRECATED: use Runtimes instead.
|
||||
#
|
||||
# runtime = ""
|
||||
|
||||
# default_runtime is the _name_ of the OCI runtime to be used as the default.
|
||||
# The name is matched against the runtimes map below.
|
||||
default_runtime = "runc"
|
||||
|
||||
# Path to OCI compatible runtime used for untrusted container workloads. This
|
||||
# is an optional setting, except if default_container_trust is set to
|
||||
# "untrusted".
|
||||
# DEPRECATED: use "crio.runtime.runtimes" instead. If provided, this
|
||||
# runtime is mapped to the runtime handler named 'untrusted'. It is
|
||||
# a configuration error to provide both the (now deprecated)
|
||||
# runtime_untrusted_workload and a handler in the Runtimes handler
|
||||
# map (below) for 'untrusted' workloads at the same time. Please
|
||||
# provide one or the other.
|
||||
# The support of this option will continue through versions 1.12 and 1.13.
|
||||
# By version 1.14, this option will no longer exist.
|
||||
#runtime_untrusted_workload = ""
|
||||
|
||||
# Default level of trust CRI-O puts in container workloads. It can either be
|
||||
# "trusted" or "untrusted", and the default is "trusted". Containers can be run
|
||||
# through different container runtimes, depending on the trust hints we receive
|
||||
# from kubelet:
|
||||
#
|
||||
# - If kubelet tags a container workload as untrusted, CRI-O will try first
|
||||
# to run it through the untrusted container workload runtime. If it is not
|
||||
# set, CRI-O will use the trusted runtime.
|
||||
#
|
||||
# - If kubelet does not provide any information about the container workload
|
||||
# trust level, the selected runtime will depend on the default_container_trust
|
||||
# setting. If it is set to untrusted, then all containers except for the host
|
||||
# privileged ones, will be run by the runtime_untrusted_workload runtime. Host
|
||||
# privileged containers are by definition trusted and will always use the
|
||||
# trusted container runtime. If default_container_trust is set to "trusted",
|
||||
# CRI-O will use the trusted container runtime for all containers.
|
||||
#
|
||||
# DEPRECATED: The runtime handler should provide a key to the map of runtimes,
|
||||
# avoiding the need to rely on the level of trust of the workload to choose
|
||||
# an appropriate runtime.
|
||||
# The support of this option will continue through versions 1.12 and 1.13.
|
||||
# By version 1.14, this option will no longer exist.
|
||||
#default_workload_trust = ""
|
||||
|
||||
# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
|
||||
no_pivot = false
|
||||
|
||||
|
@ -213,6 +172,9 @@ pids_limit = 1024
|
|||
# limit is never exceeded.
|
||||
log_size_max = -1
|
||||
|
||||
# Whether container output should be logged to journald in addition to the kuberentes log file
|
||||
log_to_journald = false
|
||||
|
||||
# Path to directory in which container exit files are written to by conmon.
|
||||
container_exits_dir = "/var/run/crio/exits"
|
||||
|
||||
|
@ -247,6 +209,7 @@ ctr_stop_timeout = 0
|
|||
|
||||
[crio.runtime.runtimes.runc]
|
||||
runtime_path = "/usr/bin/runc"
|
||||
runtime_type = "oci"
|
||||
|
||||
|
||||
|
||||
|
@ -254,7 +217,7 @@ ctr_stop_timeout = 0
|
|||
#
|
||||
# CRI-O reads its configured registries defaults from the system wide
|
||||
# containers-registries.conf(5) located in /etc/containers/registries.conf. If
|
||||
# you want to modify just CRI-O, you can change the registies configuration in
|
||||
# you want to modify just CRI-O, you can change the registries configuration in
|
||||
# this file. Otherwise, leave insecure_registries and registries commented out to
|
||||
# use the system's defaults from /etc/containers/registries.conf.
|
||||
[crio.image]
|
||||
|
@ -265,6 +228,10 @@ default_transport = "docker://"
|
|||
# The image used to instantiate infra containers.
|
||||
pause_image = "k8s.gcr.io/pause:3.1"
|
||||
|
||||
# If not empty, the path to a docker/config.json-like file containing credentials
|
||||
# necessary for pulling the image specified by pause_image above.
|
||||
pause_image_auth_file = ""
|
||||
|
||||
# The command to run to have a container stay in the paused state.
|
||||
pause_command = "/pause"
|
||||
|
||||
|
@ -295,5 +262,7 @@ image_volumes = "mkdir"
|
|||
# Path to the directory where CNI configuration files are located.
|
||||
network_dir = "/etc/cni/net.d/"
|
||||
|
||||
# Path to directory where CNI plugin binaries are located.
|
||||
plugin_dir = "/opt/cni/bin/"
|
||||
# Paths to directories where CNI plugin binaries are located.
|
||||
plugin_dir = [
|
||||
"/opt/cni/bin/",
|
||||
]
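Review bot: The new `pause_image_auth_file` key names a file that holds registry credentials, but the added comment does not say how that file must be protected. I would extend the comment with a line such as `# The file must be owned by root and not readable by other users (mode 0600).` so that whoever fills in the path later does not leave a world-readable credentials file next to the config. The same key is added with the same comment in the first file section of this commit.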
|
||||
|
|