1crio(8) SEPTEMBER 2016 crio(8)
2
6 crio - OCI Kubernetes Container Runtime daemon
7
11 crio
12 [--apparmor-profile=[value]]
15 [--bind-mount-prefix=[value]]
16 [--cgroup-manager=[value]]
17 [--cni-config-dir=[value]]
18 [--cni-plugin-dir=[value]]
19 [--config=[value]]
20 [--conmon=[value]]
21 [--cpu-profile=[value]]
22 [--default-transport=[value]]
23 [--gid-mappings=[value]]
24 [--help|-h]
25 [--insecure-registry=[value]]
26 [--listen=[value]]
27 [--log=[value]]
28 [--log-format value]
29 [--log-level value]
30 [--pause-command=[value]]
31 [--pause-image=[value]]
32 [--read-only]
33 [--registry=[value]]
34 [--root=[value]]
35 [--runroot=[value]]
36 [--runtime=[value]]
37 [--seccomp-profile=[value]]
38 [--selinux]
39 [--signature-policy=[value]]
40 [--storage-driver=[value]]
41 [--storage-opt=[value]]
42 [--uid-mappings=[value]]
43 [--version|-v]
44
49 OCI-based implementation of Kubernetes Container Runtime Interface
50 Daemon
51 crio is meant to provide an integration path between OCI conformant
54 runtimes and the kubelet. Specifically, it implements the Kubelet
55 Container Runtime Interface (CRI) using OCI conformant runtimes. The
56 scope of crio is tied to the scope of the CRI.
57 1. Support multiple image formats including the existing Docker image
59 format.
60 2. Support for multiple means to download images including trust
62 image verification.
63 3. Container image management (managing image layers, overlay
65 filesystems, etc).
66 4. Container process lifecycle management.
68 5. Monitoring and logging required to satisfy the CRI.
70 6. Resource isolation as required by the CRI.
72 Usage:
75 crio [GLOBAL OPTIONS]
78 crio [GLOBAL OPTIONS] config [OPTIONS]
79
84 --apparmor_profile="": Name of the apparmor profile to be used as the
85 runtime's default (default: "crio-default")
86 --bind-mount-prefix="": A prefix to use for the source of the bind
89 mounts. This option would be useful if you were running CRI-O in a
90 container. And had / mounted on /host in your container. Then if you
91 ran CRI-O with the --bind-mount-prefix=/host option, CRI-O would add
92 /host to any bind mounts it is handed over CRI. If Kubernetes asked to
93 have /var/lib/foobar bind mounted into the container, then CRI-I would
94 bind mount /host/var/lib/foobar. Since CRI-O itself is running in a
95 container with / or the host mounted on /host, the container would end
96 up with /var/lib/foobar from the host mounted in the container rather
97 then /var/lib/foobar from the CRI-O container.
98 --cgroup-manager="": cgroup manager (cgroupfs or systemd)
101 --cni-config-dir="": CNI configuration files directory (default:
104 "/etc/cni/net.d/")
105 --cni-plugin-dir="": CNI plugin binaries directory (default:
108 "/opt/cni/bin/")
109 --config="": path to configuration file
112 --conmon="": path to the conmon executable (default:
115 "/usr/local/libexec/crio/conmon")
116 --cpu-profile="": set the CPU profile file path
119 --default-transport: A prefix to prepend to image names that can't be
122 pulled as-is.
123 --gid-mappings: Specify the GID mappings to use for user namespace.
126 --help, -h: Print usage statement
129 --insecure-registry=: Enable insecure registry communication, i.e.,
132 enable un-encrypted and/or untrusted communication.
133 1. List of insecure registries can contain an element with CIDR
135 notation to specify a whole subnet.
136 2. Insecure registries accept HTTP or accept HTTPS with certificates
138 from unknown CAs.
139 3. Enabling --insecure-registry is useful when running a local
141 registry. However, because its use creates security
142 vulnerabilities, it should ONLY be enabled for testing purposes.
143 For increased security, users should add their CA to their
144 system's list of trusted CAs instead of using --insecure-registry.
145 --image-volumes="": Image volume handling ('mkdir', 'bind' or 'ignore')
148 (default: "mkdir")
149 1. mkdir: A directory is created inside the container root filesystem
151 for the volumes.
152 2. bind: A directory is created inside container state directory and
154 bind mounted into the container for the volumes.
155 3. ignore: All volumes are just ignored and no action is taken.
157 --listen="": Path to CRI-O socket (default: "/var/run/crio/crio.sock")
160 --log="": Set the log file path where internal debug information is
163 written
164 --log-format="": Set the format used by logs ('text' (default), or
167 'json') (default: "text")
168 --log-level="": log crio messages above specified level: debug, info,
171 warn, error (default), fatal or panic
172 --log-size-max="": Maximum log size in bytes for a container (default:
175 -1 (no limit)). If it is positive, it must be >= 8192 (to match/exceed
176 conmon read buffer).
177 --pause-command="": Path to the pause executable in the pause image
180 (default: "/pause")
181 --pause-image="": Image which contains the pause executable (default:
184 "kubernetes/pause")
185 --pids-limit="": Maximum number of processes allowed in a container
188 (default: 1024)
189 --read-only=true|false: Run all containers in read-only mode (default:
192 false). Automatically mount tmpfs on /run, /tmp and /var/tmp.
193 --root="": The crio root dir (default: "/var/lib/containers/storage")
196 --registry="": Registry host which will be prepended to unqualified
199 images, can be specified multiple times
200 --runroot="": The crio state dir (default:
203 "/var/run/containers/storage")
204 --runtime="": OCI runtime path (default: "/usr/bin/runc")
207 --selinux=true|false: Enable selinux support (default: false)
210 --seccomp-profile="": Path to the seccomp json profile to be used as
213 the runtime's default (default: "/etc/crio/seccomp.json")
214 --signature-policy="": Path to the signature policy json file (default:
217 "", to use the system-wide default)
218 --storage-driver: OCI storage driver (default: "devicemapper")
221 --storage-opt: OCI storage driver option (no default)
224 --uid-mappings: Specify the UID mappings to use for user namespace.
227 --version, -v: Print the version
230
234 CRI-O's default command is to start the daemon. However, it currently
235 offers a single additional subcommand.
236
239 Outputs a commented version of the configuration file that would've
240 been used by CRI-O. This allows you to save you current configuration
241 setup and then load it later with --config. Global options will modify
242 the output.
243 --default
246 Output the default configuration (without taking into account any
247 configuration options).
248
251 crio.conf (/etc/crio/crio.conf)
252 cri-o configuration file for all of the available command-line
253 options for the crio(8) program, but in a TOML format that can be more
254 easily modified and versioned.
255 hook JSON (/etc/containers/oci/hooks.d/*.json,
258 /usr/share/containers/oci/hooks.d/*.json)
259 Each *.json file in /etc/containers/oci/hooks.d and
262 /usr/share/containers/oci/hooks.d configures a hook for CRI-O
263 containers, with /etc/containers/oci/hooks.d having higher precedence.
264 crio(8) monitors the hook directories for changes, so there is no need
265 to restart the server after adjusting the hook configuration. For more
266 details on the syntax of the JSON files and the semantics of hook
267 injection, see oci-hooks(5).
268 CRI-O currently supports both the 1.0.0 and 0.1.0 hook schemas,
271 although the 0.1.0 schema is deprecated.
272 For the annotation conditions, CRI-O uses the Kubernetes annotations,
275 which are a subset of the annotations passed to the OCI runtime. For
276 example, io.kubernetes.cri-o.Volumes is part of the OCI runtime
277 configuration annotations, but it is not part of the Kubernetes
278 annotations being matched for hooks.
279 For the bind-mount conditions, only mounts explicitly requested by
282 Kubernetes configuration are considered. Bind mounts that CRI-O
283 inserts by default (e.g. /dev/shm) are not considered.
284 policy.json (/etc/containers/policy.json)
287 Signature verification policy files are used to specify policy, e.g.
288 trusted keys, applicable when deciding whether to accept an image, or
289 individual signatures of that image, as valid.
290 registries.conf (/etc/containers/registries.conf)
293 Registry configuration file specifies registries which are consulted
294 when completing image names that do not include a registry or domain
295 portion.
296 storage.conf (/etc/containers/storage.conf)
299 Storage configuration file specifies all of the available container
300 storage options for tools using shared container storage.
301
305 crio.conf(5), oci-hooks(5), policy.json(5), registries.conf(5),
306 storage.conf(5)
307
311 Sept 2016, Originally compiled by Dan Walsh ⟨dwalsh@redhat.com⟩ and
312 Aleksa Sarai ⟨asarai@suse.de⟩
313Dan Walsh Open Container Initiative Daemon crio(8)