crio.conf(5) OCTOBER 2016 crio.conf(5)

crio.conf - CRI-O configuration file

The CRI-O configuration file specifies all of the available command-line options for the crio(8) program, but in a TOML format that can be more easily modified and versioned.

The TOML format is used as the encoding of the configuration file. Every option and subtable listed here is nested under a global "crio" table. No bare options are used. The format of TOML can be simplified to:

    [table]
    option = value

    [table.subtable1]
    option = value

    [table.subtable2]
    option = value

The crio table supports the following options:

root=""
    CRIO root dir (default: "/var/lib/containers/storage")

runroot=""
    CRIO state dir (default: "/var/run/containers/storage")

storage_driver=""
    CRIO storage driver (default is "overlay")

    Note: overlay and overlay2 are the same driver

storage_option=[]
    CRIO storage driver option list (no default)

    Values:

    "STORAGE_DRIVER.imagestore=/PATH"
        Paths to additional container image stores. These are read-only and are usually stored on remote network shares, based on overlay storage format.
        storage_option=[ "overlay.imagestore=/mnt/overlay", ]

    "STORAGE_DRIVER.size=SIZE"
        Maximum size of a container image. Default is 10GB. The size flag sets quota on the size of container images.
        storage_option=[ "overlay.size=1G", ]

    Note: Not all drivers support all options.

    Note: In order to use the size option for quota on overlay storage you must use the xfs file system. The mount point that the overlay file system is on must be set up with the pquota flag at mount time. If you are setting up / to be used with quota, you have to modify the linux boot line in /etc/grubq2.conf and add the rootflags=pquota flag.

    Example:
        linux16 /vmlinuz-4.12.13-300.fc26.x86_64
        root=/dev/mapper/fedora-root ro rd.lvm.lv=fedora/root
        rd.lvm.lv=fedora/swap rhgb quiet LANG=en_US.UTF-8 rootflags=pquota

listen=""
    Path to crio socket (default: "/var/run/crio/crio.sock")

conmon=""
    Path to the conmon executable (default: "/usr/local/libexec/crio/conmon")

conmon_env=[]
    Environment variable list for conmon process (default: ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",])

log_size_max=""
    Maximum size allowed for the container log file (default: -1)
    Negative numbers indicate that no size limit is imposed.
    If it is positive, it must be >= 8192 (to match/exceed conmon read buffer).
    The file is truncated and re-opened so the limit is never exceeded.

log_level=""
    Changes the verbosity of the logs based on the level it is set to.
    Options are fatal, panic, error (default), warn, info, and debug.

pids_limit=""
    Maximum number of processes allowed in a container (default: 1024)

runtime=""
    OCI runtime path (default: "/usr/bin/runc")

selinux=true|false
    Enable selinux support (default: false)

signature_policy=""
    Path to the signature policy json file (default: "", to use the system-wide default)

seccomp_profile=""
    Path to the seccomp json profile to be used as the runtime's default (default: "/etc/crio/seccomp.json")

apparmor_profile=""
    Name of the apparmor profile to be used as the runtime's default (default: "crio-default")

no_pivot=true|false
    Instructs the runtime to not use pivot_root, but instead use MS_MOVE

default_mounts=[]
    List of mount points, in the form host:container, to be mounted in every container

read_only=true|false
    Run every container in read-only mode. Automatically mount tmpfs on /run, /tmp and /var/tmp.
    Set up images to run in read-only. (default: false)

default_transport
    A prefix to prepend to image names that can't be pulled as-is (default: "docker://")

image_volumes=""
    Image volume handling ('mkdir', 'bind' or 'ignore') (default: "mkdir")
    mkdir: A directory is created inside the container root filesystem for the volumes.
    bind: A directory is created inside container state directory and bind mounted into the container for the volumes.
    ignore: All volumes are just ignored and no action is taken.

insecure_registries=""
    Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.

    List of insecure registries can contain an element with CIDR notation to specify a whole subnet. Insecure registries accept HTTP and/or accept HTTPS with certificates from unknown CAs.

    Enabling --insecure-registry is useful when running a local registry. However, because its use creates security vulnerabilities it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system's list of trusted CAs instead of using --insecure-registry.

pause_command=""
    Path to the pause executable in the pause image (default: "/pause")

pause_image=""
    Image which contains the pause executable (default: "kubernetes/pause")

registries=""
    Comma separated list of registries that will be prepended when pulling unqualified images

network_dir=""
    Path to CNI configuration files (default: "/etc/cni/net.d/")

plugin_dir=""
    Path to CNI plugin binaries (default: "/opt/cni/bin/")
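
An added example, not part of this man page or the CRI-O project: a small Python audit that flags the settings the option list above marks as risky or invalid (insecure_registries in use, a positive log_size_max below 8192), plus two review items chosen for this example (selinux not enabled, default_mounts in use). It assumes list, integer and boolean TOML values for these options; the subtable names in the constructed sample (crio.runtime, crio.image) are also assumptions, so the check flattens every subtable under "crio" rather than relying on them.

```python
MIN_LOG_SIZE = 8192  # conmon read buffer size, per the log_size_max entry
# Constructed sample for this added example; subtable names and types are assumptions.
SAMPLE = """
[crio.runtime]
selinux = false
log_size_max = 4096
default_mounts = ["/etc/pki:/etc/pki"]
[crio.image]
insecure_registries = ["registry.example.test:5000"]
"""


def flatten(table):
    """Merge options from a table and all of its subtables into one dict."""
    flat = {}
    for key, value in table.items():
        if isinstance(value, dict):
            flat.update(flatten(value))
        else:
            flat[key] = value
    return flat


def audit(config):
    """Return (option, message) findings for an already parsed config dict."""
    opts = flatten(config.get("crio", {}))
    findings = []
    if opts.get("insecure_registries"):
        findings.append(("insecure_registries",
                         "plain HTTP or unknown-CA registries accepted; testing only"))
    size = opts.get("log_size_max", -1)
    if isinstance(size, int) and 0 < size < MIN_LOG_SIZE:
        findings.append(("log_size_max", "positive values must be >= 8192"))
    if opts.get("selinux", False) is not True:
        findings.append(("selinux", "SELinux support is not enabled"))
    if opts.get("default_mounts"):
        findings.append(("default_mounts", "host paths are mounted into every container"))
    return findings


def audit_text(toml_text):
    """Parse TOML text and audit it (tomllib needs Python 3.11 or later)."""
    import tomllib
    return audit(tomllib.loads(toml_text))


if __name__ == "__main__":
    for option, message in audit_text(SAMPLE):
        print(f"{option}: {message}")
```
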

crio(8)

Oct 2016, Originally compiled by Aleksa Sarai ⟨asarai@suse.de⟩

Aleksa Sarai Open Container Initiative Daemon crio.conf(5)