crio.conf(5)(Kubernetes) Daemon crio.conf(5)(Kubernetes)

Aleksa Sarai OCTOBER 2016

crio.conf - configuration file of the CRI-O OCI Kubernetes Container
Runtime daemon

The CRI-O configuration file specifies all of the available configuration
options and command-line flags for the crio(8) OCI Kubernetes Container
Runtime daemon ⟨./crio.8.md⟩, but in a TOML format that can be more easily
modified and versioned.

CRI-O supports partial configuration reload during runtime, which can
be done by sending SIGHUP to the running process. Currently supported
options in crio.conf are explicitly marked with 'This option supports
live configuration reload'.

The containers-registries.conf(5) file can be reloaded as well by sending
SIGHUP to the crio process.

The default crio.conf is located at /etc/crio/crio.conf.

The TOML format ⟨https://github.com/toml-lang/toml⟩ is used as the encoding
of the configuration file. Every option and subtable listed here is nested
under a global "crio" table. No bare options are used. The format of TOML
can be simplified to:

    [table]
    option = value

    [table.subtable1]
    option = value

    [table.subtable2]
    option = value

CRI-O reads its storage defaults from the containers-storage.conf(5)
file located at /etc/containers/storage.conf. Modify this storage
configuration if you want to change the system's defaults. If you want to
modify storage just for CRI-O, you can change the storage configuration
options here.

root="/var/lib/containers/storage"
Path to the "root directory". CRI-O stores all of its data, including
container images, in this directory.

runroot="/var/run/containers/storage"
Path to the "run directory". CRI-O stores all of its state in this
directory.

storage_driver="overlay"
Storage driver used to manage the storage of images and containers.
Please refer to containers-storage.conf(5) to see all available storage
drivers.

storage_option=[]
List to pass options to the storage driver. Please refer to
containers-storage.conf(5) to see all available storage options.

log_dir="/var/log/crio/pods"
The default log directory where all logs will go unless directly
specified by the kubelet. The log directory specified must be an
absolute directory.

version_file="/var/run/crio/version"
Location for CRI-O to lay down the temporary version file.
It is used to check if crio wipe should wipe containers, which should
always happen on a node reboot.

version_file_persist=""
Location for CRI-O to lay down the persistent version file.
It is used to check if crio wipe should wipe images, which should
only happen when CRI-O has been upgraded.

internal_wipe=true
This option is currently DEPRECATED, and will be removed in the future.
Whether CRI-O should wipe containers after a reboot and images after
an upgrade when the server starts.
If set to false, one must run crio wipe to wipe the containers and
images in these situations.

clean_shutdown_file="/var/lib/crio/clean.shutdown"
Location for CRI-O to lay down the clean shutdown file.
It is used to check whether crio had time to sync before shutting
down.
If not found, crio wipe will clear the storage directory.

The crio.api table contains settings for the kubelet/gRPC interface.

listen="/var/run/crio/crio.sock"
Path to AF_LOCAL socket on which CRI-O will listen.

stream_address="127.0.0.1"
IP address on which the stream server will listen.

stream_port="0"
The port on which the stream server will listen. If the port is set
to "0", then CRI-O will allocate a random free port number.

stream_enable_tls=false
Enable encrypted TLS transport of the stream server.

stream_idle_timeout=""
Length of time until open streams terminate due to lack of activity.

stream_tls_cert=""
Path to the x509 certificate file used to serve the encrypted stream.
This file can change and CRI-O will automatically pick up the changes
within 5 minutes.

stream_tls_key=""
Path to the key file used to serve the encrypted stream. This file
can change and CRI-O will automatically pick up the changes within 5
minutes.

stream_tls_ca=""
Path to the x509 CA(s) file used to verify and authenticate client
communication with the encrypted stream. This file can change and CRI-O
will automatically pick up the changes within 5 minutes.

grpc_max_send_msg_size=83886080
Maximum grpc send message size in bytes. If not set or <=0, then CRI-O
will default to 80 * 1024 * 1024.

grpc_max_recv_msg_size=83886080
Maximum grpc receive message size. If not set or <= 0, then CRI-O
will default to 80 * 1024 * 1024.

The crio.runtime table contains settings pertaining to the OCI runtime
used and options for how to set up and manage the OCI runtime.

default_runtime="runc"
The name of the OCI runtime to be used as the default. This option
supports live configuration reload.

default_ulimits=[]
A list of ulimits to be set in containers by default, specified as
"<ulimit name>=<soft limit>:<hard limit>", for example:
"nofile=1024:2048". If nothing is set here, settings will be inherited
from the CRI-O daemon.

no_pivot=false
If true, the runtime will not use pivot_root, but instead use
MS_MOVE.

decryption_keys_path="/etc/crio/keys/"
Path where the keys required for image decryption are located.

conmon=""
Path to the conmon binary, used for monitoring the OCI runtime. Will
be searched for using $PATH if empty.
This option is currently deprecated, and will be replaced with
RuntimeHandler.MonitorPath.

conmon_cgroup=""
Cgroup setting for conmon.
This option is currently deprecated, and will be replaced with
RuntimeHandler.MonitorCgroup.

conmon_env=[]
Environment variable list for the conmon process, used for passing
necessary environment variables to conmon or the runtime.
This option is currently deprecated, and will be replaced with
RuntimeHandler.MonitorEnv.

default_env=[]
Additional environment variables to set for all the containers. These
are overridden if set in the container image spec or in the container
runtime configuration.

selinux=false
If true, SELinux will be used for pod separation on the host.

seccomp_profile=""
Path to the seccomp.json profile which is used as the default seccomp
profile for the runtime. If not specified, then the internal default
seccomp profile will be used.
This option is currently deprecated, and will be replaced by the
SeccompDefault FeatureGate in Kubernetes.

seccomp_use_default_when_empty=true
Changes the meaning of an empty seccomp profile. By default (and
according to CRI spec), an empty profile means unconfined.
This option tells CRI-O to treat an empty profile as the default
profile, which might increase security.

apparmor_profile=""
Used to change the name of the default AppArmor profile of CRI-O. The
default profile name is "crio-default".

blockio_config_file=""
Path to the blockio class configuration file for configuring the
cgroup blockio controller.

cdi_spec_dirs=[]
Directories to scan for Container Device Interface Specifications to
enable CDI device injection. For more details about CDI and the syntax
of CDI Spec files please refer to
https://github.com/container-orchestrated-devices/container-device-interface.

Directories later in the list have precedence over earlier ones. The
default directory list is:

    cdi_spec_dirs = [
      "/etc/cdi",
      "/var/run/cdi",
    ]

irqbalance_config_file="/etc/sysconfig/irqbalance"
Used to change irqbalance service config file which is used by CRI-O.
For CentOS/SUSE, this file is located at /etc/sysconfig/irqbalance.
For Ubuntu, this file is located at /etc/default/irqbalance.

irqbalance_config_restore_file="/etc/sysconfig/orig_irq_banned_cpus"
Used to set the irqbalance banned cpu mask to restore at CRI-O
startup. If set to 'disable', no restoration attempt will be done.

rdt_config_file=""
Path to the RDT configuration file for configuring the resctrl
pseudo-filesystem.

cgroup_manager="systemd"
Cgroup management implementation used for the runtime.

default_capabilities=[]
List of default capabilities for containers. If it is empty or
commented out, only the capabilities defined in the container json file
by the user/kube will be added.

The default list is:

    default_capabilities = [
      "CHOWN",
      "DAC_OVERRIDE",
      "FSETID",
      "FOWNER",
      "SETGID",
      "SETUID",
      "SETPCAP",
      "NET_BIND_SERVICE",
      "KILL",
    ]

add_inheritable_capabilities=false
Add capabilities to the inheritable set, as well as the default group
of permitted, bounding and effective.
If capabilities are expected to work for non-root users, this option
should be set.

default_sysctls=[]
List of default sysctls. If it is empty or commented out, only the
sysctls defined in the container json file by the user/kube will be
added.

One example would be allowing ping inside of containers. On systems
that support /proc/sys/net/ipv4/ping_group_range, the default list
could be:

    default_sysctls = [
      "net.ipv4.ping_group_range = 0 2147483647",
    ]

allowed_devices=[]
List of devices on the host that a user can specify with the
"io.kubernetes.cri-o.Devices" allowed annotation.

additional_devices=[]
List of additional devices. Specified as
"<device-on-host>:<device-on-container>:<permissions>", for example:
"--additional-devices=/dev/sdc:/dev/xvdc:rwm". If it is empty or commented
out, only the devices defined in the container json file by the
user/kube will be added.

hooks_dir=["path", ...]
Each *.json file in the path configures a hook for CRI-O containers.
For more details on the syntax of the JSON files and the semantics of
hook injection, see oci-hooks(5). CRI-O currently supports both the
1.0.0 and 0.1.0 hook schemas, although the 0.1.0 schema is deprecated.

Paths listed later in the array have higher precedence (oci-hooks(5)
discusses directory precedence).

For the annotation conditions, CRI-O uses the Kubernetes annotations,
which are a subset of the annotations passed to the OCI runtime. For
example, io.kubernetes.cri-o.Volumes is part of the OCI runtime
configuration annotations, but it is not part of the Kubernetes
annotations being matched for hooks.

For the bind-mount conditions, only mounts explicitly requested by
Kubernetes configuration are considered. Bind mounts that CRI-O inserts
by default (e.g. /dev/shm) are not considered.

default_mounts=[]
List of default mounts for each container. Deprecated: this option
will be removed in future versions in favor of default_mounts_file.

default_mounts_file=""
Path to the file specifying the default mounts for each container.
The format of the config is /SRC:/DST, one mount per line. Notice that
CRI-O reads its default mounts from the following two files:

1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the
   override file, where users can either add in their own default mounts,
   or override the default mounts shipped with the package.

2) /usr/share/containers/mounts.conf: This is the default file read for
   mounts. If you want CRI-O to read from a different, specific mounts
   file, you can change the default_mounts_file. Note, if this is done,
   CRI-O will only add mounts it finds in this file.

pids_limit=0
Maximum number of processes allowed in a container.
This option is deprecated. The Kubelet flag --pod-pids-limit should
be used instead.

log_filter=""
Filter the log messages by the provided regular expression. This
option supports live configuration reload. For example 'request:.*'
filters all gRPC requests.

log_level="info"
Changes the verbosity of the logs based on the level it is set to.
Options are fatal, panic, error, warn, info, debug, and trace. This
option supports live configuration reload.

log_size_max=-1
Maximum size allowed for the container log file. Negative numbers
indicate that no size limit is imposed. If it is positive, it must be >=
8192 to match/exceed conmon's read buffer. The file is truncated and
re-opened so the limit is never exceeded.
This option is deprecated. The Kubelet flag --container-log-max-size
should be used instead.

log_to_journald=false
Whether container output should be logged to journald in addition to
the kubernetes log file.

container_exits_dir="/var/run/crio/exits"
Path to directory in which container exit files are written to by
conmon.

container_attach_socket_dir="/var/run/crio"
Path to directory for container attach sockets.

bind_mount_prefix=""
A prefix to use for the source of the bind mounts. This option would
be useful when running CRI-O in a container and the / directory on the
host is mounted as /host in the container. Then if CRI-O runs with the
--bind-mount-prefix=/host option, CRI-O would add the /host directory
to any bind mounts it hands over to CRI. If Kubernetes asked to have
/var/lib/foobar bind mounted into the container, then CRI-O would bind
mount /host/var/lib/foobar. Since CRI-O itself is running in a
container with / or the host mounted on /host, the container would end up
with /var/lib/foobar from the host mounted in the container rather than
/var/lib/foobar from the CRI-O container.

read_only=false
If set to true, all containers will run in read-only mode.

uid_mappings=""
The UID mappings for the user namespace of each container. A range is
specified in the form containerUID:HostUID:Size. Multiple ranges must
be separated by comma.

minimum_mappable_uid=-1
The lowest host UID which can be specified in mappings supplied,
either as part of a uid_mappings or as part of a request received over
CRI, for a pod that will be run as a UID other than 0.

gid_mappings=""
The GID mappings for the user namespace of each container. A range is
specified in the form containerGID:HostGID:Size. Multiple ranges must
be separated by comma.

minimum_mappable_gid=-1
The lowest host GID which can be specified in mappings supplied,
either as part of a gid_mappings or as part of a request received over
CRI, for a pod that will be run as a UID other than 0.
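
The mapping syntax above can be checked before a value is written to crio.conf. The following is an added example, not part of the man page or of CRI-O's own code: a Python validator for uid_mappings/gid_mappings strings. The function names and finding codes are hypothetical, and applying the minimum to every range (rather than only for pods run as a UID other than 0) is a simplifying assumption.

```python
def parse_mappings(spec):
    """Parse 'containerID:hostID:size[,...]' into a list of int triples."""
    ranges = []
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        fields = item.split(":")
        if len(fields) != 3 or not all(f.isascii() and f.isdigit() for f in fields):
            raise ValueError(f"malformed range {item!r}, expected containerID:hostID:size")
        container_id, host_id, size = (int(f) for f in fields)
        if size == 0:
            raise ValueError(f"range {item!r} has size 0")
        ranges.append((container_id, host_id, size))
    return ranges


def _overlap(spans):
    """True if any two (start, size) spans share an ID."""
    spans = sorted(spans)
    return any(start + size > nxt for (start, size), (nxt, _) in zip(spans, spans[1:]))


def check_mappings(spec, minimum_mappable=-1):
    """Return (code, detail) findings for one uid_mappings or gid_mappings value.

    minimum_mappable mirrors minimum_mappable_uid / minimum_mappable_gid.
    Assumption of this example: the minimum is applied to every range.
    """
    ranges = parse_mappings(spec)
    findings = []
    # The kernel refuses an ID map whose ranges overlap on either side.
    if _overlap((c, s) for c, _, s in ranges):
        findings.append(("container-overlap", "container ID ranges overlap"))
    if _overlap((h, s) for _, h, s in ranges):
        findings.append(("host-overlap", "host ID ranges overlap"))
    for container_id, host_id, size in ranges:
        if host_id < minimum_mappable:
            findings.append(("below-minimum",
                             f"host ID {host_id} is below the minimum {minimum_mappable}"))
        if host_id == 0:
            # A range starting at host ID 0 hands the host's root identity
            # to container ID `container_id`.
            findings.append(("host-root",
                             f"container ID {container_id} maps to host ID 0"))
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real configuration.
    for sample in ("0:100000:65536", "0:0:1,1:100000:65535",
                   "0:100000:1000,500:200000:1000"):
        print(sample, "->", check_mappings(sample, minimum_mappable=-1))
```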

ctr_stop_timeout=30
The minimal amount of time in seconds to wait before issuing a timeout
regarding the proper termination of the container.

drop_infra_ctr=true
Determines whether we drop the infra container when a pod does not
have a private PID namespace, and does not use a kernel separating
runtime (like kata).
Requires manage_ns_lifecycle to be true.

infra_ctr_cpuset=""
Determines the CPU set to run infra containers. If not specified,
CRI-O will use all online CPUs to run infra containers.
You can specify CPUs in the Linux CPU list format.
To get better isolation for guaranteed pods, set this parameter to
be equal to kubelet reserved-cpus.

namespaces_dir="/var/run"
The directory where the state of the managed namespaces gets tracked.
Only used when manage_ns_lifecycle is true.

pinns_path=""
The path to find the pinns binary, which is needed to manage namespace
lifecycle.

absent_mount_sources_to_reject=[]
A list of paths that, when absent from the host, will cause a
container creation to fail (as opposed to the current behavior of creating
a directory).

device_ownership_from_security_context=false
Changes the default behavior of setting container devices uid/gid
from CRI's SecurityContext (RunAsUser/RunAsGroup) instead of taking
host's uid/gid.

enable_criu_support=false
Enable CRIU integration, requires that the criu binary is available
in $PATH. (default: false)

enable_pod_events=false
Enable CRI-O to generate the container pod-level events in order to
optimize the performance of the Pod Lifecycle Event Generator (PLEG)
module in Kubelet.

hostnetwork_disable_selinux=true
Determines whether SELinux should be disabled within a pod when it is
running in the host network namespace.

CRIO.RUNTIME.RUNTIMES TABLE
The "crio.runtime.runtimes" table defines a list of OCI compatible
runtimes. The runtime to use is picked based on the runtime handler
provided by the CRI. If no runtime handler is provided, the runtime will
be picked based on the level of trust of the workload. This option
supports live configuration reload.

runtime_path=""
Path to the OCI compatible runtime used for this runtime handler.

runtime_root=""
Root directory used to store runtime data.

runtime_type="oci"
Type of the runtime used for this runtime handler. "oci", "vm"

runtime_config_path=""
Path to the runtime configuration file, should only be used with VM
runtime types.

privileged_without_host_devices=false
Whether this runtime handler prevents host devices from being passed
to privileged containers.

allowed_annotations=[]
This field is currently DEPRECATED. If you'd like to use
allowed_annotations, please use a workload.
A list of experimental annotations this runtime handler is allowed to
process.
The currently recognized values are:
"io.kubernetes.cri-o.userns-mode" for configuring a user namespace
for the pod.
"io.kubernetes.cri-o.Devices" for configuring devices for the pod.
"io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm.
"io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME" for configuring the
cgroup v2 unified block for a container.
"io.containers.trace-syscall" for tracing syscalls via the OCI
seccomp BPF hook.

platform_runtime_paths={}
A mapping of platforms to the corresponding runtime executable paths
for the runtime handler.

CRIO.RUNTIME.WORKLOADS TABLE
The "crio.runtime.workloads" table defines a list of workloads - a way
to customize the behavior of a pod and container. A workload is chosen
for a pod based on whether the workload's activation_annotation is an
annotation on the pod.

activation_annotation=""
activation_annotation is the pod annotation that activates these
workload settings.

annotation_prefix=""
annotation_prefix is the way a pod can override a specific resource
for a container.
The full annotation must be of the form
$annotation_prefix.$resource/$ctrname = $value.

allowed_annotations=[]
allowed_annotations is a slice of experimental annotations that this
workload is allowed to process.
The currently recognized values are:
"io.kubernetes.cri-o.userns-mode" for configuring a user namespace
for the pod.
"io.kubernetes.cri-o.Devices" for configuring devices for the pod.
"io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm.
"io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME" for configuring the
cgroup v2 unified block for a container.
"io.containers.trace-syscall" for tracing syscalls via the OCI
seccomp BPF hook.
"io.kubernetes.cri-o.seccompNotifierAction" for enabling the seccomp
notifier feature.
"io.kubernetes.cri-o.umask" for setting the umask for container init
process.

Using the seccomp notifier feature:
This feature can help you to debug seccomp related issues, for example
if blocked syscalls (permission denied errors) have negative impact on
the workload.

To be able to use this feature, configure a runtime which has the
annotation "io.kubernetes.cri-o.seccompNotifierAction" in the
allowed_annotations array.

It also requires at least runc 1.1.0 or crun 0.19 which support the
notifier feature.

If everything is set up, CRI-O will modify chosen seccomp profiles for
containers if the annotation "io.kubernetes.cri-o.seccompNotifierAction"
is set on the Pod sandbox. CRI-O will then get notified if a container
is using a blocked syscall and then terminate the workload after
a timeout of 5 seconds if the value of
"io.kubernetes.cri-o.seccompNotifierAction=stop".

This also means that multiple syscalls can be captured during that
period, while the timeout will get reset once a new syscall has been
discovered.

This also means that the Pod's "restartPolicy" has to be set to "Never",
otherwise the kubelet will restart the container immediately.

Please be aware that CRI-O is not able to get notified if a syscall
gets blocked based on the seccomp defaultAction, which is a general
runtime limitation.

CRIO.RUNTIME.WORKLOAD.RESOURCES TABLE
The resources table is a structure for overriding certain resources for
pods using this workload. This structure provides a default value, and
can be overridden by using the AnnotationPrefix.

cpushares=""
Specifies the number of CPU shares this pod has access to.

cpuset=""
Specifies the cpuset this pod has access to.

The crio.image table contains settings pertaining to the management of
OCI images.

CRI-O reads its configured registries defaults from the system wide
containers-registries.conf(5) located in /etc/containers/registries.conf.
If you want to modify just CRI-O, you can change the registries
configuration in this file. Otherwise, leave insecure_registries and
registries commented out to use the system's defaults from
/etc/containers/registries.conf.

default_transport="docker://"
Default transport for pulling images from a remote container storage.

global_auth_file=""
The path to a file like /var/lib/kubelet/config.json holding
credentials necessary for pulling images from secure registries.

pause_image="registry.k8s.io/pause:3.9"
The image used to instantiate infra containers. This option supports
live configuration reload.

pause_image_auth_file=""
The path to a file like /var/lib/kubelet/config.json holding
credentials specific to pulling the pause_image from above. This option
supports live configuration reload.

pause_command="/pause"
The command to run to have a container stay in the paused state. This
option supports live configuration reload.

signature_policy=""
Path to the file which decides what sort of policy we use when
deciding whether or not to trust an image that we've pulled. It is not
recommended that this option be used, as the default behavior of using the
system-wide default policy (i.e., /etc/containers/policy.json) is most
often preferred. Please refer to containers-policy.json(5) for more
details.

signature_policy_dir="/etc/crio/policies"
Root path for pod namespace-separated signature policies. The final
policy to be used on image pull will be
<SIGNATURE_POLICY_DIR>/<NAMESPACE>.json. If no pod namespace is
being provided on image pull (via the sandbox config), or the
concatenated path is non existent, then the signature_policy or system
wide policy will be used as fallback. Must be an absolute path.

image_volumes="mkdir"
Controls how image volumes are handled. The valid values are mkdir,
bind and ignore; the latter will ignore volumes entirely.

insecure_registries=[]
List of registries to skip TLS verification for pulling images.

registries=["docker.io"]
List of registries to be used when pulling an unqualified image. Note
support for this option has been dropped and it has no effect. Please
refer to containers-registries.conf(5) for configuring
unqualified-search registries.

big_files_temporary_dir=""
Path to the temporary directory to use for storing big files, used to
store image blobs and data streams related to containers image
management.

separate_pull_cgroup=""
[EXPERIMENTAL] If its value is set, then images are pulled into the
specified cgroup. If its value is set to "pod", then the pod's cgroup
is used. It is currently supported only with the systemd cgroup
manager.

The crio.network table contains settings pertaining to the management
of CNI plugins.

cni_default_network=""
The default CNI network name to be selected. If not set or "", then
CRI-O will pick up the first one found in network_dir.

network_dir="/etc/cni/net.d/"
Path to the directory where CNI configuration files are located.

plugin_dirs=["/opt/cni/bin/",]
List of paths to directories where CNI plugin binaries are located.

The crio.metrics table contains settings pertaining to the Prometheus
based metrics retrieval.

enable_metrics=false
Globally enable or disable metrics support.

metrics_collectors=["operations", "operations_latency_microseconds_total",
"operations_latency_microseconds", "operations_errors",
"image_pulls_by_digest", "image_pulls_by_name",
"image_pulls_by_name_skipped", "image_pulls_failures",
"image_pulls_successes", "image_pulls_layer_size", "image_layer_reuse",
"containers_oom_total", "containers_oom", "processes_defunct"]
Enabled metrics collectors.

metrics_port=9090
The port on which the metrics server will listen.

metrics_socket=""
The socket on which the metrics server will listen.

metrics_cert=""
The certificate for the secure metrics server.

metrics_key=""
The certificate key for the secure metrics server.

[EXPERIMENTAL] The crio.tracing table contains settings pertaining to
the export of OpenTelemetry trace data.

enable_tracing=false
Globally enable or disable OpenTelemetry trace data exporting.

tracing_endpoint="0.0.0.0:4317"
Address on which the gRPC trace collector will listen.

tracing_sampling_rate_per_million=""
Number of samples to collect per million OpenTelemetry spans. Set to
1000000 to always sample.

The crio.stats table specifies all necessary configuration for
reporting container and pod stats.

stats_collection_period=0
The number of seconds between collecting pod and container stats. If
set to 0, the stats are collected on-demand instead.

The crio.nri table contains settings for controlling NRI (Node Resource
Interface) support in CRI-O.

enable_nri=false
Enable CRI-O NRI support.

nri_plugin_dir="/opt/nri/plugins"
Directory to scan for pre-installed plugins to automatically start.

nri_plugin_config_dir="/etc/nri/conf.d"
Directory to scan for configuration of pre-installed plugins.

nri_listen="/var/run/nri/nri.sock"
Socket to listen on for externally started NRI plugins to connect to.

nri_disable_connections=false
Disable connections from externally started NRI plugins.

nri_plugin_registration_timeout="5s"
Timeout for a plugin to register itself with NRI.

nri_plugin_request_timeout="2s"
Timeout for a plugin to handle an NRI request.

crio.conf.d(5), containers-storage.conf(5), containers-policy.json(5),
containers-registries.conf(5), crio(8)

Aug 2018, Update to the latest state by Valentin Rothberg
vrothberg@suse.com ⟨mailto:vrothberg@suse.com⟩

Oct 2016, Originally compiled by Aleksa Sarai asarai@suse.de
⟨mailto:asarai@suse.de⟩

Runtime Container crio.conf(5)(Kubernetes)