crio(8)                         SEPTEMBER 2016                         crio(8)

NAME

       crio - OCI Kubernetes Container Runtime daemon

SYNOPSIS

       crio
              [--apparmor-profile=[value]]
              [--bind-mount-prefix=[value]]
              [--cgroup-manager=[value]]
              [--cni-config-dir=[value]]
              [--cni-plugin-dir=[value]]
              [--config=[value]]
              [--conmon=[value]]
              [--cpu-profile=[value]]
              [--default-transport=[value]]
              [--gid-mappings=[value]]
              [--help|-h]
              [--insecure-registry=[value]]
              [--listen=[value]]
              [--log=[value]]
              [--log-format value]
              [--log-level value]
              [--pause-command=[value]]
              [--pause-image=[value]]
              [--read-only]
              [--registry=[value]]
              [--root=[value]]
              [--runroot=[value]]
              [--runtime=[value]]
              [--seccomp-profile=[value]]
              [--selinux]
              [--signature-policy=[value]]
              [--storage-driver=[value]]
              [--storage-opt=[value]]
              [--uid-mappings=[value]]
              [--version|-v]

DESCRIPTION

       OCI-based implementation of Kubernetes Container Runtime Interface
       Daemon

       crio is meant to provide an integration path between OCI-conformant
       runtimes and the kubelet. Specifically, it implements the Kubelet
       Container Runtime Interface (CRI) using OCI-conformant runtimes. The
       scope of crio is tied to the scope of the CRI.

         1. Support multiple image formats including the existing Docker image
            format.

         2. Support for multiple means to download images including trust
            and image verification.

         3. Container image management (managing image layers, overlay
            filesystems, etc).

         4. Container process lifecycle management.

         5. Monitoring and logging required to satisfy the CRI.

         6. Resource isolation as required by the CRI.

       Usage:

              crio [GLOBAL OPTIONS]
              crio [GLOBAL OPTIONS] config [OPTIONS]

GLOBAL OPTIONS

       --apparmor-profile="": Name of the AppArmor profile to be used as the
       runtime's default (default: "crio-default")

       --bind-mount-prefix="": A prefix to use for the source of the bind
       mounts.  This option is useful if you are running CRI-O in a
       container with the host's / mounted on /host.  If you run CRI-O with
       the --bind-mount-prefix=/host option, CRI-O adds /host to any bind
       mounts it is handed over CRI.  If Kubernetes asks to have
       /var/lib/foobar bind mounted into the container, then CRI-O bind
       mounts /host/var/lib/foobar.  Since CRI-O itself is running in a
       container with / of the host mounted on /host, the container ends up
       with /var/lib/foobar from the host mounted in the container rather
       than /var/lib/foobar from the CRI-O container.

       --cgroup-manager="": cgroup manager (cgroupfs or systemd)

       --cni-config-dir="": CNI configuration files directory (default:
       "/etc/cni/net.d/")

       --cni-plugin-dir="": CNI plugin binaries directory (default:
       "/opt/cni/bin/")

       --config="": path to configuration file

       --conmon="": path to the conmon executable (default:
       "/usr/local/libexec/crio/conmon")

       --cpu-profile="": set the CPU profile file path

       --default-transport: A prefix to prepend to image names that can't be
       pulled as-is.

       --gid-mappings: Specify the GID mappings to use for user namespace.

       --help, -h: Print usage statement

       --insecure-registry=: Enable insecure registry communication, i.e.,
       enable unencrypted and/or untrusted communication.

         1. List of insecure registries can contain an element with CIDR
            notation to specify a whole subnet.

         2. Insecure registries accept HTTP or accept HTTPS with certificates
            from unknown CAs.

         3. Enabling --insecure-registry is useful when running a local
            registry. However, because its use creates security
            vulnerabilities, it should ONLY be enabled for testing purposes.
            For increased security, users should add their CA to their
            system's list of trusted CAs instead of using --insecure-registry.
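
       As an added example (not part of the original man page or of the
       CRI-O project), the shell function below scans a crio command line for
       --insecure-registry values and reports how many addresses each CIDR
       entry covers. The function names and the sample invocation are
       constructed for illustration.

```shell
#!/bin/sh
# Added example: list every --insecure-registry value on a crio command line.
# Function names and the sample invocation below are constructed.

# Format check only: dotted quad plus /0../32 (octet ranges are not validated).
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Prints "subnet <cidr> <address-count>" or "host <name>" per entry.
# Accepts both "--insecure-registry=VALUE" and "--insecure-registry VALUE".
audit_insecure_registries() {
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --insecure-registry=*)
                air_val=${1#--insecure-registry=} ;;
            --insecure-registry)
                if [ "$#" -lt 2 ]; then
                    echo "error --insecure-registry is missing its value"
                    return 2
                fi
                air_val=$2
                shift ;;
            *)
                shift
                continue ;;
        esac
        shift
        [ -n "$air_val" ] || continue
        if is_ipv4_cidr "$air_val"; then
            # A /N entry opens 2^(32-N) addresses to unencrypted or
            # untrusted registry traffic.
            air_bits=${air_val##*/}
            echo "subnet $air_val $(( 1 << (32 - air_bits) ))"
        else
            echo "host $air_val"
        fi
    done
}

# Constructed sample command line, not taken from a real host.
audit_insecure_registries crio --log-level=info \
    --insecure-registry=registry.test.example:5000 \
    --insecure-registry 10.20.0.0/16 --selinux
```

       Empty output means no insecure registry is configured on the command
       line; settings made in crio.conf are not inspected by this function.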

       --image-volumes="": Image volume handling ('mkdir', 'bind' or 'ignore')
       (default: "mkdir")

         1. mkdir: A directory is created inside the container root filesystem
            for the volumes.

         2. bind: A directory is created inside container state directory and
            bind mounted into the container for the volumes.

         3. ignore: All volumes are just ignored and no action is taken.

       --listen="": Path to CRI-O socket (default: "/var/run/crio/crio.sock")

       --log="": Set the log file path where internal debug information is
       written

       --log-format="": Set the format used by logs ('text' (default), or
       'json') (default: "text")

       --log-level="": log crio messages above specified level: debug, info,
       warn, error (default), fatal or panic

       --log-size-max="": Maximum log size in bytes for a container (default:
       -1 (no limit)). If it is positive, it must be >= 8192 (to match/exceed
       conmon read buffer).

       --pause-command="": Path to the pause executable in the pause image
       (default: "/pause")

       --pause-image="": Image which contains the pause executable (default:
       "kubernetes/pause")

       --pids-limit="": Maximum number of processes allowed in a container
       (default: 1024)

       --read-only=true|false: Run all containers in read-only mode (default:
       false). Automatically mount tmpfs on /run, /tmp and /var/tmp.

       --root="": The crio root dir (default: "/var/lib/containers/storage")

       --registry="": Registry host which will be prepended to unqualified
       images, can be specified multiple times

       --runroot="": The crio state dir (default:
       "/var/run/containers/storage")

       --runtime="": OCI runtime path (default: "/usr/bin/runc")

       --selinux=true|false: Enable selinux support (default: false)

       --seccomp-profile="": Path to the seccomp json profile to be used as
       the runtime's default (default: "/etc/crio/seccomp.json")

       --signature-policy="": Path to the signature policy json file (default:
       "", to use the system-wide default)

       --storage-driver: OCI storage driver (default: "devicemapper")

       --storage-opt: OCI storage driver option (no default)

       --uid-mappings: Specify the UID mappings to use for user namespace.

       --version, -v: Print the version

COMMANDS

       CRI-O's default command is to start the daemon. However, it currently
       offers a single additional subcommand.

config

       Outputs a commented version of the configuration file that would have
       been used by CRI-O. This allows you to save your current configuration
       setup and then load it later with --config. Global options will modify
       the output.

       --default
         Output the default configuration (without taking into account any
       configuration options).

FILES

       crio.conf (/etc/crio/crio.conf)
         CRI-O configuration file for all of the available command-line
       options for the crio(8) program, but in a TOML format that can be more
       easily modified and versioned.

       hook JSON (/etc/containers/oci/hooks.d/*.json,
       /usr/share/containers/oci/hooks.d/*.json)

       Each *.json file in /etc/containers/oci/hooks.d and
       /usr/share/containers/oci/hooks.d configures a hook for CRI-O
       containers, with /etc/containers/oci/hooks.d having higher precedence.
       crio(8) monitors the hook directories for changes, so there is no need
       to restart the server after adjusting the hook configuration.  For more
       details on the syntax of the JSON files and the semantics of hook
       injection, see oci-hooks(5).

       CRI-O currently supports both the 1.0.0 and 0.1.0 hook schemas,
       although the 0.1.0 schema is deprecated.

       For the annotation conditions, CRI-O uses the Kubernetes annotations,
       which are a subset of the annotations passed to the OCI runtime.  For
       example, io.kubernetes.cri-o.Volumes is part of the OCI runtime
       configuration annotations, but it is not part of the Kubernetes
       annotations being matched for hooks.

       For the bind-mount conditions, only mounts explicitly requested by
       Kubernetes configuration are considered.  Bind mounts that CRI-O
       inserts by default (e.g. /dev/shm) are not considered.

       policy.json (/etc/containers/policy.json)
         Signature verification policy files are used to specify policy, e.g.
       trusted keys, applicable when deciding whether to accept an image, or
       individual signatures of that image, as valid.

       registries.conf (/etc/containers/registries.conf)
         Registry configuration file specifies registries which are consulted
       when completing image names that do not include a registry or domain
       portion.

       storage.conf (/etc/containers/storage.conf)
         Storage configuration file specifies all of the available container
       storage options for tools using shared container storage.

SEE ALSO

       crio.conf(5), oci-hooks(5), policy.json(5), registries.conf(5),
       storage.conf(5)

HISTORY

       Sept 2016, Originally compiled by Dan Walsh ⟨dwalsh@redhat.com⟩ and
       Aleksa Sarai ⟨asarai@suse.de⟩

Dan Walsh               Open Container Initiative Daemon               crio(8)