1crio(8) System Manager's Manual crio(8)
2
3
4
6 crio - OCI-based implementation of Kubernetes Container Runtime Inter‐
7 face
8
9
10
12 crio
13
14
15 [--absent-mount-sources-to-reject]=[value]
16 [--add-inheritable-capabilities]
17 [--additional-devices]=[value]
18 [--allowed-devices]=[value]
19 [--apparmor-profile]=[value]
20 [--big-files-temporary-dir]=[value]
21 [--bind-mount-prefix]=[value]
22 [--blockio-config-file]=[value]
23 [--cdi-spec-dirs]=[value]
24 [--cgroup-manager]=[value]
25 [--clean-shutdown-file]=[value]
26 [--cni-config-dir]=[value]
27 [--cni-default-network]=[value]
28 [--cni-plugin-dir]=[value]
29 [--config-dir|-d]=[value]
30 [--config|-c]=[value]
31 [--conmon-cgroup]=[value]
32 [--conmon-env]=[value]
33 [--conmon]=[value]
34 [--container-attach-socket-dir]=[value]
35 [--container-exits-dir]=[value]
36 [--ctr-stop-timeout]=[value]
37 [--decryption-keys-path]=[value]
38 [--default-capabilities]=[value]
39 [--default-env]=[value]
40 [--default-mounts-file]=[value]
41 [--default-runtime]=[value]
42 [--default-sysctls]=[value]
43 [--default-transport]=[value]
44 [--default-ulimits]=[value]
45 [--device-ownership-from-security-context]
46 [--drop-infra-ctr]
47 [--enable-criu-support]
48 [--enable-metrics]
49 [--enable-nri]
50 [--enable-pod-events]
51 [--enable-profile-unix-socket]
52 [--enable-tracing]
53 [--gid-mappings]=[value]
54 [--global-auth-file]=[value]
55 [--grpc-max-recv-msg-size]=[value]
56 [--grpc-max-send-msg-size]=[value]
57 [--help|-h]
58 [--hooks-dir]=[value]
59 [--image-volumes]=[value]
60 [--infra-ctr-cpuset]=[value]
61 [--insecure-registry]=[value]
62 [--internal-wipe]
63 [--irqbalance-config-file]=[value]
64 [--listen]=[value]
65 [--log-dir]=[value]
66 [--log-filter]=[value]
67 [--log-format]=[value]
68 [--log-journald]
69 [--log-level|-l]=[value]
70 [--log-size-max]=[value]
71 [--log]=[value]
72 [--metrics-cert]=[value]
73 [--metrics-collectors]=[value]
74 [--metrics-key]=[value]
75 [--metrics-port]=[value]
76 [--metrics-socket]=[value]
77 [--minimum-mappable-gid]=[value]
78 [--minimum-mappable-uid]=[value]
79 [--namespaces-dir]=[value]
80 [--no-pivot]
81 [--nri-config-file]=[value]
82 [--nri-listen]=[value]
83 [--nri-plugin-dir]=[value]
84 [--pause-command]=[value]
85 [--pause-image-auth-file]=[value]
86 [--pause-image]=[value]
87 [--pids-limit]=[value]
88 [--pinns-path]=[value]
89 [--profile-cpu]=[value]
90 [--profile-mem]=[value]
91 [--profile-port]=[value]
92 [--profile]
93 [--rdt-config-file]=[value]
94 [--read-only]
95 [--registry]=[value]
96 [--root|-r]=[value]
97 [--runroot]=[value]
98 [--runtimes]=[value]
99 [--seccomp-profile]=[value]
100 [--seccomp-use-default-when-empty]
101 [--selinux]
102 [--separate-pull-cgroup]=[value]
103 [--signature-policy]=[value]
104 [--stats-collection-period]=[value]
105 [--storage-driver|-s]=[value]
106 [--storage-opt]=[value]
107 [--stream-address]=[value]
108 [--stream-enable-tls]
109 [--stream-idle-timeout]=[value]
110 [--stream-port]=[value]
111 [--stream-tls-ca]=[value]
112 [--stream-tls-cert]=[value]
113 [--stream-tls-key]=[value]
114 [--tracing-endpoint]=[value]
115 [--tracing-sampling-rate-per-million]=[value]
116 [--uid-mappings]=[value]
117 [--version-file-persist]=[value]
118 [--version-file]=[value]
119 [--version|-v]
120
121
122
123
125 OCI-based implementation of Kubernetes Container Runtime Interface Dae‐
126 mon
127
128
129 crio is meant to provide an integration path between OCI conformant
130 runtimes and the kubelet. Specifically, it implements the Kubelet Con‐
131 tainer Runtime Interface (CRI) using OCI conformant runtimes. The scope
132 of crio is tied to the scope of the CRI.
133
134
135 1. Support multiple image formats including the existing
136 Docker and OCI image formats.
137
138 2. Support for multiple means to download images including
139 trust & image verification.
140
141 3. Container image management (managing image layers, overlay
142 filesystems, etc).
143
144 4. Container process lifecycle management.
145
146 5. Monitoring and logging required to satisfy the CRI.
147
148 6. Resource isolation as required by the CRI.
149
150
151
152 Usage:
153
154
155 crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]
156
157
158
159
161 --absent-mount-sources-to-reject="": A list of paths that, when absent
162 from the host, will cause a container creation to fail (as opposed to
163 the current behavior of creating a directory).
164
165
166 --add-inheritable-capabilities: Add capabilities to the inheritable
167 set, as well as the default group of permitted, bounding and effective.
168
169
170 --additional-devices="": Devices to add to the containers.
171
172
173 --allowed-devices="": Devices a user is allowed to specify with the
174 "io.kubernetes.cri-o.Devices" allowed annotation. (default:
175 "/dev/fuse")
176
177
178 --apparmor-profile="": Name of the apparmor profile to be used as the
179 runtime's default. This only takes effect if the user does not specify
180 a profile via the Kubernetes Pod's metadata annotation. (default: crio-
181 default)
182
183
184 --big-files-temporary-dir="": Path to the temporary directory to use
185 for storing big files, used to store image blobs and data streams re‐
186 lated to containers image management.
187
188
189 --bind-mount-prefix="": A prefix to use for the source of the bind
190 mounts. This option would be useful if you were running CRI-O in a con‐
191 tainer. And had / mounted on /host in your container. Then if you ran
192 CRI-O with the --bind-mount-prefix=/host option, CRI-O would add /host
193 to any bind mounts it is handed over CRI. If Kubernetes asked to have
194 /var/lib/foobar bind mounted into the container, then CRI-O would bind
195 mount /host/var/lib/foobar. Since CRI-O itself is running in a con‐
196 tainer with / or the host mounted on /host, the container would end up
197 with /var/lib/foobar from the host mounted in the container rather then
198 /var/lib/foobar from the CRI-O container.
199
200
201 --blockio-config-file="": Path to the blockio class configuration file
202 for configuring the cgroup blockio controller.
203
204
205 --cdi-spec-dirs="": Directories to scan for CDI Spec files. (default:
206 "/etc/cdi", "/var/run/cdi")
207
208
209 --cgroup-manager="": cgroup manager (cgroupfs or systemd). (default:
210 systemd)
211
212
213 --clean-shutdown-file="": Location for CRI-O to lay down the clean
214 shutdown file. It indicates whether we've had time to sync changes to
215 disk before shutting down. If not found, crio wipe will clear the stor‐
216 age directory. (default: /var/lib/crio/clean.shutdown)
217
218
219 --cni-config-dir="": CNI configuration files directory. (default:
220 /etc/cni/net.d/)
221
222
223 --cni-default-network="": Name of the default CNI network to select. If
224 not set or "", then CRI-O will pick-up the first one found in --cni-
225 config-dir.
226
227
228 --cni-plugin-dir="": CNI plugin binaries directory.
229
230
231 --config, -c="": Path to configuration file (default:
232 /etc/crio/crio.conf)
233
234
235 --config-dir, -d="": Path to the configuration drop-in directory.
236 This directory will be recursively iterated and each file gets ap‐
237 plied
238 to the configuration in their processing order. This means that a
239 configuration file named '00-default' has a lower priority than a
240 file
241 named '01-my-overwrite'.
242 The global config file, provided via '--config,-c' or per default
243 in
244 /etc/crio/crio.conf, always has a lower priority than the files in
245 the directory specified
246 by '--config-dir,-d'.
247 Besides that, provided command line parameters have a higher prior‐
248 ity
249 than any configuration file. (default: /etc/crio/crio.conf.d)
250
251
252 --conmon="": Path to the conmon binary, used for monitoring the OCI
253 runtime. Will be searched for using $PATH if empty. This option is dep‐
254 recated, and will be removed in the future.
255
256
257 --conmon-cgroup="": cgroup to be used for conmon process. This option
258 is deprecated and will be removed in the future.
259
260
261 --conmon-env="": Environment variable list for the conmon process, used
262 for passing necessary environment variables to conmon or the runtime.
263 This option is deprecated and will be removed in the future.
264
265
266 --container-attach-socket-dir="": Path to directory for container at‐
267 tach sockets. (default: /var/run/crio)
268
269
270 --container-exits-dir="": Path to directory in which container exit
271 files are written to by conmon. (default: /var/run/crio/exits)
272
273
274 --ctr-stop-timeout="": The minimal amount of time in seconds to wait
275 before issuing a timeout regarding the proper termination of the con‐
276 tainer. The lowest possible value is 30s, whereas lower values are not
277 considered by CRI-O. (default: 30)
278
279
280 --decryption-keys-path="": Path to load keys for image decryption. (de‐
281 fault: /etc/crio/keys/)
282
283
284 --default-capabilities="": Capabilities to add to the containers. (de‐
285 fault: "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "SETGID", "SETUID",
286 "SETPCAP", "NET_BIND_SERVICE", "KILL")
287
288
289 --default-env="": Additional environment variables to set for all con‐
290 tainers.
291
292
293 --default-mounts-file="": Path to default mounts file.
294
295
296 --default-runtime="": Default OCI runtime from the runtimes config.
297 (default: runc)
298
299
300 --default-sysctls="": Sysctls to add to the containers.
301
302
303 --default-transport="": A prefix to prepend to image names that cannot
304 be pulled as-is. (default: docker://)
305
306
307 --default-ulimits="": Ulimits to apply to containers by default
308 (name=soft:hard).
309
310
311 --device-ownership-from-security-context: Set devices' uid/gid owner‐
312 ship from runAsUser/runAsGroup.
313
314
315 --drop-infra-ctr: Determines whether pods are created without an infra
316 container, when the pod is not using a pod level PID namespace.
317
318
319 --enable-criu-support: Enable CRIU integration, requires that the criu
320 binary is available in $PATH.
321
322
323 --enable-metrics: Enable metrics endpoint for the server on local‐
324 host:9090.
325
326
327 --enable-nri: Enable NRI (Node Resource Interface) support. (default:
328 false)
329
330
331 --enable-pod-events: If true, CRI-O starts sending the container events
332 to the kubelet
333
334
335 --enable-profile-unix-socket: Enable pprof profiler on crio unix domain
336 socket.
337
338
339 --enable-tracing: Enable OpenTelemetry trace data exporting.
340
341
342 --gid-mappings="": Specify the GID mappings to use for the user name‐
343 space.
344
345
346 --global-auth-file="": Path to a file like /var/lib/kubelet/config.json
347 holding credentials necessary for pulling images from secure reg‐
348 istries.
349
350
351 --grpc-max-recv-msg-size="": Maximum grpc receive message size in
352 bytes. (default: 83886080)
353
354
355 --grpc-max-send-msg-size="": Maximum grpc receive message size. (de‐
356 fault: 83886080)
357
358
359 --help, -h: show help
360
361
362 --hooks-dir="": Set the OCI hooks directory path (may be set multiple
363 times)
364 If one of the directories does not exist, then CRI-O will automati‐
365 cally
366 skip them.
367 Each '*.json' file in the path configures a hook for CRI-O
368 containers. For more details on the syntax of the JSON files and
369 the semantics of hook injection, see 'oci-hooks(5)'. CRI-O
370 currently support both the 1.0.0 and 0.1.0 hook schemas, although
371 the 0.1.0 schema is deprecated.
372 This option may be set multiple times; paths from later options
373 have higher precedence ('oci-hooks(5)' discusses directory
374 precedence).
375 For the annotation conditions, CRI-O uses the Kubernetes
376 annotations, which are a subset of the annotations passed to the
377 OCI runtime. For example, 'io.kubernetes.cri-o.Volumes' is part of
378 the OCI runtime configuration annotations, but it is not part of
379 the Kubernetes annotations being matched for hooks.
380 For the bind-mount conditions, only mounts explicitly requested by
381 Kubernetes configuration are considered. Bind mounts that CRI-O
382 inserts by default (e.g. '/dev/shm') are not considered. (default:
383 "/usr/share/containers/oci/hooks.d")
384
385
386 --image-volumes="": Image volume handling ('mkdir', 'bind', or 'ig‐
387 nore')
388 1. mkdir: A directory is created inside the container root filesys‐
389 tem for
390 the volumes.
391 2. bind: A directory is created inside container state directory
392 and bind
393 mounted into the container for the volumes. 3. ignore: All
394 volumes are just ignored and no action is taken. (default: mkdir)
395
396
397 --infra-ctr-cpuset="": CPU set to run infra containers, if not speci‐
398 fied CRI-O will use all online CPUs to run infra containers.
399
400
401 --insecure-registry="": Enable insecure registry communication, i.e.,
402 enable un-encrypted and/or untrusted communication.
403 1. List of insecure registries can contain an element with CIDR no‐
404 tation to
405 specify a whole subnet.
406 2. Insecure registries accept HTTP or accept HTTPS with certifi‐
407 cates from
408 unknown CAs.
409 3. Enabling '--insecure-registry' is useful when running a local
410 registry.
411 However, because its use creates security vulnerabilities, it
412 should ONLY
413 be enabled for testing purposes. For increased security, users
414 should add
415 their CA to their system's list of trusted CAs instead of using
416 '--insecure-registry'.
417
418
419 --internal-wipe: Whether CRI-O should wipe containers after a reboot
420 and images after an upgrade when the server starts. If set to false,
421 one must run crio wipe to wipe the containers and images in these situ‐
422 ations. This option is deprecated, and will be removed in the future.
423
424
425 --irqbalance-config-file="": The irqbalance service config file which
426 is used by CRI-O. (default: /etc/sysconfig/irqbalance)
427
428
429 --listen="": Path to the CRI-O socket. (default:
430 /var/run/crio/crio.sock)
431
432
433 --log="": Set the log file path where internal debug information is
434 written.
435
436
437 --log-dir="": Default log directory where all logs will go unless di‐
438 rectly specified by the kubelet. (default: /var/log/crio/pods)
439
440
441 --log-filter="": Filter the log messages by the provided regular ex‐
442 pression. For example 'request.*' filters all gRPC requests.
443
444
445 --log-format="": Set the format used by logs: 'text' or 'json'. (de‐
446 fault: text)
447
448
449 --log-journald: Log to systemd journal (journald) in addition to kuber‐
450 netes log file.
451
452
453 --log-level, -l="": Log messages above specified level: trace, debug,
454 info, warn, error, fatal or panic. (default: info)
455
456
457 --log-size-max="": Maximum log size in bytes for a container. If it is
458 positive, it must be >= 8192 to match/exceed conmon read buffer. This
459 option is deprecated. The Kubelet flag '--container-log-max-size'
460 should be used instead. (default: -1)
461
462
463 --metrics-cert="": Certificate for the secure metrics endpoint.
464
465
466 --metrics-collectors="": Enabled metrics collectors. (default: "opera‐
467 tions", "operations_latency_microseconds_total", "operations_la‐
468 tency_microseconds", "operations_errors", "image_pulls_by_digest", "im‐
469 age_pulls_by_name", "image_pulls_by_name_skipped", "image_pulls_fail‐
470 ures", "image_pulls_successes", "image_pulls_layer_size", "im‐
471 age_layer_reuse", "containers_oom_total", "containers_oom", "pro‐
472 cesses_defunct", "operations_total", "operations_latency_seconds", "op‐
473 erations_latency_seconds_total", "operations_errors_total", "im‐
474 age_pulls_bytes_total", "image_pulls_skipped_bytes_total", "im‐
475 age_pulls_failure_total", "image_pulls_success_total", "image_layer_re‐
476 use_total", "containers_oom_count_total", "containers_seccomp_noti‐
477 fier_count_total")
478
479
480 --metrics-key="": Certificate key for the secure metrics endpoint.
481
482
483 --metrics-port="": Port for the metrics endpoint. (default: 9090)
484
485
486 --metrics-socket="": Socket for the metrics endpoint.
487
488
489 --minimum-mappable-gid="": Specify the lowest host GID which can be
490 specified in mappings for a pod that will be run as a UID other than 0.
491 (default: -1)
492
493
494 --minimum-mappable-uid="": Specify the lowest host UID which can be
495 specified in mappings for a pod that will be run as a UID other than 0.
496 (default: -1)
497
498
499 --namespaces-dir="": The directory where the state of the managed name‐
500 spaces gets tracked. Only used when manage-ns-lifecycle is true. (de‐
501 fault: /var/run)
502
503
504 --no-pivot: If true, the runtime will not use pivot_root, but instead
505 use MS_MOVE.
506
507
508 --nri-config-file="": NRI configuration file to use. (default:
509 "/etc/nri/nri.conf")
510
511
512 --nri-listen="": Socket to listen on for externally started NRI plugins
513 to connect to. (default: "/var/run/nri.sock")
514
515
516 --nri-plugin-dir="": Directory to scan for pre-installed NRI plugins to
517 start automatically. (default: "/opt/nri/plugins")
518
519
520 --pause-command="": Path to the pause executable in the pause image.
521 (default: /pause)
522
523
524 --pause-image="": Image which contains the pause executable. (default:
525 registry.k8s.io/pause:3.6)
526
527
528 --pause-image-auth-file="": Path to a config file containing creden‐
529 tials for --pause-image.
530
531
532 --pids-limit="": Maximum number of processes allowed in a container.
533 This option is deprecated. The Kubelet flag '--pod-pids-limit' should
534 be used instead. (default: 0)
535
536
537 --pinns-path="": The path to find the pinns binary, which is needed to
538 manage namespace lifecycle. Will be searched for in $PATH if empty.
539
540
541 --profile: Enable pprof remote profiler on localhost:6060.
542
543
544 --profile-cpu="": Write a pprof CPU profile to the provided path.
545
546
547 --profile-mem="": Write a pprof memory profile to the provided path.
548
549
550 --profile-port="": Port for the pprof profiler. (default: 6060)
551
552
553 --rdt-config-file="": Path to the RDT configuration file for configur‐
554 ing the resctrl pseudo-filesystem.
555
556
557 --read-only: Setup all unprivileged containers to run as read-only. Au‐
558 tomatically mounts the containers' tmpfs on /run, /tmp and /var/tmp.
559
560
561 --registry="": Registry to be prepended when pulling unqualified im‐
562 ages. Can be specified multiple times.
563
564
565 --root, -r="": The CRI-O root directory. (default: /var/lib/contain‐
566 ers/storage)
567
568
569 --runroot="": The CRI-O state directory. (default: /run/contain‐
570 ers/storage)
571
572
573 --runtimes="": OCI runtimes, format is 'runtime_name:runtime_path:run‐
574 time_root:runtime_type:privileged_without_host_devices:runtime_con‐
575 fig_path'.
576
577
578 --seccomp-profile="": Path to the seccomp.json profile to be used as
579 the runtime's default. If not specified, then the internal default sec‐
580 comp profile will be used.
581
582
583 --seccomp-use-default-when-empty: Use the default seccomp profile when
584 an empty one is specified.
585
586
587 --selinux: Enable selinux support.
588
589
590 --separate-pull-cgroup="": [EXPERIMENTAL] Pull in new cgroup.
591
592
593 --signature-policy="": Path to signature policy JSON file.
594
595
596 --stats-collection-period="": The number of seconds between collecting
597 pod and container stats. If set to 0, the stats are collected on-demand
598 instead. (default: 0)
599
600
601 --storage-driver, -s="": OCI storage driver.
602
603
604 --storage-opt="": OCI storage driver option.
605
606
607 --stream-address="": Bind address for streaming socket. (default:
608 127.0.0.1)
609
610
611 --stream-enable-tls: Enable encrypted TLS transport of the stream
612 server.
613
614
615 --stream-idle-timeout="": Length of time until open streams terminate
616 due to lack of activity.
617
618
619 --stream-port="": Bind port for streaming socket. If the port is set to
620 '0', then CRI-O will allocate a random free port number. (default: 0)
621
622
623 --stream-tls-ca="": Path to the x509 CA(s) file used to verify and au‐
624 thenticate client communication with the encrypted stream. This file
625 can change and CRI-O will automatically pick up the changes within 5
626 minutes.
627
628
629 --stream-tls-cert="": Path to the x509 certificate file used to serve
630 the encrypted stream. This file can change and CRI-O will automatically
631 pick up the changes within 5 minutes.
632
633
634 --stream-tls-key="": Path to the key file used to serve the encrypted
635 stream. This file can change and CRI-O will automatically pick up the
636 changes within 5 minutes.
637
638
639 --tracing-endpoint="": Address on which the gRPC tracing collector will
640 listen. (default: 0.0.0.0:4317)
641
642
643 --tracing-sampling-rate-per-million="": Number of samples to collect
644 per million OpenTelemetry spans. Set to 1000000 to always sample. (de‐
645 fault: 0)
646
647
648 --uid-mappings="": Specify the UID mappings to use for the user name‐
649 space.
650
651
652 --version, -v: print the version
653
654
655 --version-file="": Location for CRI-O to lay down the temporary version
656 file. It is used to check if crio wipe should wipe containers, which
657 should always happen on a node reboot. (default: /var/run/crio/version)
658
659
660 --version-file-persist="": Location for CRI-O to lay down the persis‐
661 tent version file. It is used to check if crio wipe should wipe images,
662 which should only happen when CRI-O has been upgraded. (default:
663 /var/run/crio/version)
664
665
666
669 Generate bash, fish or zsh completions.
670
671
673 Generate the man page documentation.
674
675
677 Generate the markdown documentation.
678
679
680 --help, -h: show help
681
682
683 help, h
684 Shows a list of commands or help for one command
685
686
688 Outputs a commented version of the configuration file that could be
689 used by CRI-O. This allows you to save you current configuration setup
690 and then load it later with --config. Global options will modify the
691 output.
692
693
694 --default: Output the default configuration (without taking into ac‐
695 count any configuration options).
696
697
698 --migrate-defaults, -m="": Migrate the default config from a specified
699 version.
700 To run a config migration, just select the input config via the
701 global
702 '--config,-c' command line argument, for example:
703
704 crio -c /etc/crio/crio.conf.d/00-default.conf config -m 1.17
705 The migration will print converted configuration options to stderr
706 and will
707 output the resulting configuration to stdout.
708 Please note that the migration will overwrite any fields that have
709 changed
710 defaults between versions. To save a custom configuration change,
711 it should
712 be in a drop-in configuration file instead.
713 Possible values: "1.17" (default: 1.17)
714
715
717 display detailed version information
718
719
720 --json, -j: print JSON instead of text
721
722
723 --verbose, -v: print verbose information (for example all golang depen‐
724 dencies)
725
726
728 wipe CRI-O's container and image storage
729
730
731 --force, -f: force wipe by skipping the version check
732
733
735 Shows a list of commands or help for one command
736
737
739 crio.conf (/etc/crio/crio.conf)
740 cri-o configuration file for all of the available command-line op‐
741 tions for
742 the crio(8) program, but in a TOML format that can be more easily
743 modified
744 and versioned.
745
746
747 policy.json (/etc/containers/policy.json)
748 Signature verification policy files are used to specify policy, e.g.
749 trusted
750 keys, applicable when deciding whether to accept an image, or indi‐
751 vidual
752 signatures of that image, as valid.
753
754
755 registries.conf (/etc/containers/registries.conf)
756 Registry configuration file specifies registries which are consulted
757 when
758 completing image names that do not include a registry or domain por‐
759 tion.
760
761
762 storage.conf (/etc/containers/storage.conf)
763 Storage configuration file specifies all of the available container
764 storage
765 options for tools using shared container storage.
766
767
768
770 All command-line options may also be specified as environment vari‐
771 ables. The options detailed in this section, however, can only be set
772 via environment variables.
773
774
775 KUBENSMNT: Path to a bind-mounted mount namespace that CRI-O should
776 join before launching any containers. If the path does not exist, or
777 does not point to a mount namespace bindmount, CRI-O will run in its
778 parent's mount namespace and log a warning that the requested namespace
779 was not joined.
780
781
782
784 crio.conf(5), crio.conf.d(5), oci-hooks(5), policy.json(5), reg‐
785 istries.conf(5), storage.conf(5)
786
787
788
789 crio(8)