1crio.conf(5)                     OCTOBER 2016                     crio.conf(5)

NAME

6       crio.conf - CRI-O configuration file

DESCRIPTION

11       The CRI-O configuration file specifies all of the available
12       command-line options for the crio(8) program, but in a TOML format that
13       can be more easily modified and versioned.

FORMAT

18       The TOML format is used as the encoding of the configuration
19       file.  Every option and subtable listed here is nested under a global
20       "crio" table.  No bare options are used. The format of TOML can be
21       simplified to:
22
23
24              [table]
25              option = value
26
27              [table.subtable1]
28              option = value
29
30              [table.subtable2]
31              option = value

CRIO TABLE

36       The crio table supports the following options:
37
38
39       root=""
40         CRIO root dir (default: "/var/lib/containers/storage")
41
42
43       runroot=""
44         CRIO state dir (default: "/var/run/containers/storage")
45
46
47       storage_driver=""
48         CRIO storage driver (default is "overlay")
49
50
51       Note:
52         overlay and overlay2 are the same driver
53
54
55       storage_option=[]
56         CRIO storage driver option list (no default)
57
58
59       Values:
60
61
62              "STORAGE_DRIVER.imagestore=/PATH",
63
64              Paths to additional container image stores. These stores are read-only, use the overlay storage format, and are usually kept on remote network shares.
65              storage_option=[ "overlay.imagestore=/mnt/overlay", ]
66
67              "STORAGE_DRIVER.size=SIZE"
68
69              Maximum size of a container image.  Default is 10GB. The size flag sets quota on the size of container images.
70              storage_option=[ "overlay.size=1G", ]
71
72
73
74       Note: Not all drivers support all options.
75
76
77       Note:  In order to use the size option for quota on overlay storage you
78       must use the xfs file system.  The mount point that the overlay file
79       system uses must be set up with the pquota flag at mount time. If you are
80       setting up / to be used with quota, you have to modify the linux boot
81       line in /etc/grub2.conf and add the rootflags=pquota flag.
82
83
84       Example:
85           linux16 /vmlinuz-4.12.13-300.fc26.x86_64
86       root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/root
87       rd.lvm.lv=fedora/swap rhgb quiet LANG=en_US.UTF-8 rootflags=pquota

CRIO.API TABLE

91       listen=""
92         Path to crio socket (default: "/var/run/crio/crio.sock")

CRIO.RUNTIME TABLE

96       conmon=""
97         Path to the conmon executable (default:
98       "/usr/local/libexec/crio/conmon")
99
100
101       conmon_env=[]
102         Environment variable list for conmon process (default:
103       ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",])
104
105
106       log_size_max=""
107         Maximum size allowed for the container log file (default: -1)
108         Negative numbers indicate that no size limit is imposed.
109         If it is positive, it must be >= 8192 (to match/exceed conmon read
110       buffer).
111         The file is truncated and re-opened so the limit is never exceeded.
112
113
114       log_level=""
115         Changes the verbosity of the logs based on the level it is set to.
116         Options are fatal, panic, error (default), warn, info, and debug.
117
118
119       pids_limit=""
120         Maximum number of processes allowed in a container (default: 1024)
121
122
123       runtime=""
124         OCI runtime path (default: "/usr/bin/runc")
125
126
127       selinux=true|false
128         Enable selinux support (default: false)
129
130
131       signature_policy=""
132         Path to the signature policy json file (default: "", to use the
133       system-wide default)
134
135
136       seccomp_profile=""
137         Path to the seccomp json profile to be used as the runtime's default
138       (default: "/etc/crio/seccomp.json")
139
140
141       apparmor_profile=""
142         Name of the apparmor profile to be used as the runtime's default
143       (default: "crio-default")
144
145
146       no_pivot=true|false
147         Instructs the runtime to not use pivot_root, but instead use MS_MOVE
148
149
150       default_mounts=[]
151         List of mount points, in the form host:container, to be mounted in
152       every container
153
154
155       read_only=true|false
156         Run every container in read-only mode. Automatically mount tmpfs on
157       /run, /tmp and /var/tmp.
158         Set up images to run read-only. (default: false)

CRIO.IMAGE TABLE

162       default_transport
163         A prefix to prepend to image names that can't be pulled as-is
164       (default: "docker://")
165
166
167       image_volumes=""
168         Image volume handling ('mkdir', 'bind' or 'ignore') (default:
169       "mkdir")
170         mkdir: A directory is created inside the container root filesystem
171       for the volumes.
172         bind: A directory is created inside container state directory and
173       bind mounted into
174         the container for the volumes.
175         ignore: All volumes are just ignored and no action is taken.
176
177
178       insecure_registries=""
179         Enable insecure registry  communication,  i.e.,  enable  un-encrypted
180         and/or untrusted communication.
181
182
183       The list of insecure registries can contain an element in CIDR
184         notation to specify a whole subnet.  Insecure registries accept
185         HTTP and/or accept HTTPS with certificates from unknown CAs, so
186         the registry's identity is not verified and traffic may be unencrypted.
187
188
189       Enabling --insecure-registry is useful when running a local registry.
190         However, because its use creates security vulnerabilities (image
191         pulls can be intercepted or modified in transit), it should ONLY
192         be enabled for testing purposes.  For increased security, users
193         should add their CA to their system's list of trusted CAs instead
194         of using --insecure-registry.
197
198
199       pause_command=""
200         Path to the pause executable in the pause image (default: "/pause")
201
202
203       pause_image=""
204         Image which contains the pause executable (default:
205       "kubernetes/pause")
206
207
208       registries=""
209         Comma separated list of registries that will be prepended when
210       pulling
211         unqualified images

CRIO.NETWORK TABLE

215       network_dir=""
216         Path to CNI configuration files (default: "/etc/cni/net.d/")
217
218
219       plugin_dir=""
220         Path to CNI plugin binaries (default: "/opt/cni/bin/")

SEE ALSO

225       crio(8)

HISTORY

230       Oct 2016, Originally compiled by Aleksa Sarai ⟨asarai@suse.de⟩
234Aleksa Sarai            Open Container Initiative Daemon          crio.conf(5)