crio(8) System Manager's Manual crio(8)

crio - OCI-based implementation of Kubernetes Container Runtime Interface

crio

[--absent-mount-sources-to-reject]=[value]
[--add-inheritable-capabilities]
[--additional-devices]=[value]
[--allowed-devices]=[value]
[--apparmor-profile]=[value]
[--big-files-temporary-dir]=[value]
[--bind-mount-prefix]=[value]
[--blockio-config-file]=[value]
[--cdi-spec-dirs]=[value]
[--cgroup-manager]=[value]
[--clean-shutdown-file]=[value]
[--cni-config-dir]=[value]
[--cni-default-network]=[value]
[--cni-plugin-dir]=[value]
[--config-dir|-d]=[value]
[--config|-c]=[value]
[--conmon-cgroup]=[value]
[--conmon-env]=[value]
[--conmon]=[value]
[--container-attach-socket-dir]=[value]
[--container-exits-dir]=[value]
[--ctr-stop-timeout]=[value]
[--decryption-keys-path]=[value]
[--default-capabilities]=[value]
[--default-env]=[value]
[--default-mounts-file]=[value]
[--default-runtime]=[value]
[--default-sysctls]=[value]
[--default-transport]=[value]
[--default-ulimits]=[value]
[--device-ownership-from-security-context]
[--drop-infra-ctr]
[--enable-criu-support]
[--enable-metrics]
[--enable-nri]
[--enable-pod-events]
[--enable-profile-unix-socket]
[--enable-tracing]
[--gid-mappings]=[value]
[--global-auth-file]=[value]
[--grpc-max-recv-msg-size]=[value]
[--grpc-max-send-msg-size]=[value]
[--help|-h]
[--hooks-dir]=[value]
[--hostnetwork-disable-selinux]
[--image-volumes]=[value]
[--infra-ctr-cpuset]=[value]
[--insecure-registry]=[value]
[--internal-wipe]
[--irqbalance-config-file]=[value]
[--irqbalance-config-restore-file]=[value]
[--listen]=[value]
[--log-dir]=[value]
[--log-filter]=[value]
[--log-format]=[value]
[--log-journald]
[--log-level|-l]=[value]
[--log-size-max]=[value]
[--log]=[value]
[--metrics-cert]=[value]
[--metrics-collectors]=[value]
[--metrics-key]=[value]
[--metrics-port]=[value]
[--metrics-socket]=[value]
[--minimum-mappable-gid]=[value]
[--minimum-mappable-uid]=[value]
[--namespaces-dir]=[value]
[--no-pivot]
[--nri-disable-connections]=[value]
[--nri-listen]=[value]
[--nri-plugin-config-dir]=[value]
[--nri-plugin-dir]=[value]
[--nri-plugin-registration-timeout]=[value]
[--nri-plugin-request-timeout]=[value]
[--pause-command]=[value]
[--pause-image-auth-file]=[value]
[--pause-image]=[value]
[--pids-limit]=[value]
[--pinns-path]=[value]
[--profile-cpu]=[value]
[--profile-mem]=[value]
[--profile-port]=[value]
[--profile]
[--rdt-config-file]=[value]
[--read-only]
[--registry]=[value]
[--root|-r]=[value]
[--runroot]=[value]
[--runtimes]=[value]
[--seccomp-profile]=[value]
[--seccomp-use-default-when-empty]
[--selinux]
[--separate-pull-cgroup]=[value]
[--signature-policy-dir]=[value]
[--signature-policy]=[value]
[--stats-collection-period]=[value]
[--storage-driver|-s]=[value]
[--storage-opt]=[value]
[--stream-address]=[value]
[--stream-enable-tls]
[--stream-idle-timeout]=[value]
[--stream-port]=[value]
[--stream-tls-ca]=[value]
[--stream-tls-cert]=[value]
[--stream-tls-key]=[value]
[--tracing-endpoint]=[value]
[--tracing-sampling-rate-per-million]=[value]
[--uid-mappings]=[value]
[--version-file-persist]=[value]
[--version-file]=[value]
[--version|-v]

OCI-based implementation of Kubernetes Container Runtime Interface Daemon

crio is meant to provide an integration path between OCI conformant runtimes and the kubelet. Specifically, it implements the Kubelet Container Runtime Interface (CRI) using OCI conformant runtimes. The scope of crio is tied to the scope of the CRI.

1. Support multiple image formats including the existing Docker and OCI image formats.

2. Support for multiple means to download images including trust & image verification.

3. Container image management (managing image layers, overlay filesystems, etc).

4. Container process lifecycle management.

5. Monitoring and logging required to satisfy the CRI.

6. Resource isolation as required by the CRI.

Usage:

crio [GLOBAL OPTIONS] command [COMMAND OPTIONS] [ARGUMENTS...]

--absent-mount-sources-to-reject="": A list of paths that, when absent from the host, will cause a container creation to fail (as opposed to the current behavior of creating a directory).

--add-inheritable-capabilities: Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective.

--additional-devices="": Devices to add to the containers.

--allowed-devices="": Devices a user is allowed to specify with the "io.kubernetes.cri-o.Devices" allowed annotation. (default: "/dev/fuse")

--apparmor-profile="": Name of the apparmor profile to be used as the runtime's default. This only takes effect if the user does not specify a profile via the Kubernetes Pod's metadata annotation. (default: crio-default)

--big-files-temporary-dir="": Path to the temporary directory to use for storing big files, used to store image blobs and data streams related to containers image management.

--bind-mount-prefix="": A prefix to use for the source of the bind mounts. This option would be useful if you were running CRI-O in a container and had / mounted on /host in your container. Then if you ran CRI-O with the --bind-mount-prefix=/host option, CRI-O would add /host to any bind mounts it is handed over CRI. If Kubernetes asked to have /var/lib/foobar bind mounted into the container, then CRI-O would bind mount /host/var/lib/foobar. Since CRI-O itself is running in a container with / or the host mounted on /host, the container would end up with /var/lib/foobar from the host mounted in the container rather than /var/lib/foobar from the CRI-O container.

--blockio-config-file="": Path to the blockio class configuration file for configuring the cgroup blockio controller.

--cdi-spec-dirs="": Directories to scan for CDI Spec files. (default: "/etc/cdi", "/var/run/cdi")

--cgroup-manager="": cgroup manager (cgroupfs or systemd). (default: systemd)

--clean-shutdown-file="": Location for CRI-O to lay down the clean shutdown file. It indicates whether we've had time to sync changes to disk before shutting down. If not found, crio wipe will clear the storage directory. (default: /var/lib/crio/clean.shutdown)

--cni-config-dir="": CNI configuration files directory. (default: /etc/cni/net.d/)

--cni-default-network="": Name of the default CNI network to select. If not set or "", then CRI-O will pick-up the first one found in --cni-config-dir.

--cni-plugin-dir="": CNI plugin binaries directory.

--config, -c="": Path to configuration file (default: /etc/crio/crio.conf)

--config-dir, -d="": Path to the configuration drop-in directory.
This directory will be recursively iterated and each file gets applied to the configuration in their processing order. This means that a configuration file named '00-default' has a lower priority than a file named '01-my-overwrite'.
The global config file, provided via '--config,-c' or per default in /etc/crio/crio.conf, always has a lower priority than the files in the directory specified by '--config-dir,-d'.
Besides that, provided command line parameters have a higher priority than any configuration file. (default: /etc/crio/crio.conf.d)

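The layering described for --config-dir, worked through as an added example (not CRI-O's own code): it reports, for each setting, which source wins and which sources it shadows, so a reviewer can see when a drop-in or a flag silently overrides a hardened value. Assumptions: files are already parsed into nested tables, "processing order" is lexical path order, and the sample paths and setting names are constructed (see crio.conf(5) for the real names).

```python
from pathlib import PurePosixPath


def flatten(table, prefix=""):
    """Turn nested TOML-style tables into {'crio.image.x': value} pairs."""
    out = {}
    for key, value in table.items():
        dotted = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, dotted + "."))
        else:
            out[dotted] = value
    return out


def effective_config(main, dropins, cli):
    """Return {setting: (value, winning_source, shadowed_sources)}.

    main    -- (path, parsed table) for the file given with --config
    dropins -- {path: parsed table} for every file under --config-dir
    cli     -- {dotted setting: value} for options given on the command line
    """
    # Assumption: processing order is the lexical order of the path, which
    # matches the page's '00-default' < '01-my-overwrite' example.
    ordered = sorted(dropins.items(),
                     key=lambda kv: PurePosixPath(kv[0]).parts)
    layers = [(main[0], flatten(main[1]))]
    layers += [(path, flatten(table)) for path, table in ordered]
    layers.append(("command line", dict(cli)))

    result = {}
    for source, settings in layers:            # lowest priority first
        for key, value in settings.items():
            shadowed = []
            if key in result:
                _, old_source, old_shadowed = result[key]
                shadowed = old_shadowed + [old_source]
            result[key] = (value, source, shadowed)
    return result


def contested(result):
    """Settings defined by more than one layer: the ones worth reviewing."""
    return sorted(k for k, (_, _, shadowed) in result.items() if shadowed)


# Constructed sample layers, shaped like the output of a TOML parser.
MAIN = ("/etc/crio/crio.conf",
        {"crio": {"runtime": {"selinux": True},
                  "image": {"insecure_registries": []}}})
DROPINS = {
    "/etc/crio/crio.conf.d/01-my-overwrite":
        {"crio": {"image": {"insecure_registries": ["10.0.0.0/8"]}}},
    "/etc/crio/crio.conf.d/00-default":
        {"crio": {"runtime": {"selinux": True, "default_runtime": "runc"}}},
}
CLI = {"crio.runtime.selinux": False}          # i.e. started with --selinux=false

if __name__ == "__main__":
    effective = effective_config(MAIN, DROPINS, CLI)
    for name in contested(effective):
        value, source, shadowed = effective[name]
        print(f"{name} = {value!r} from {source}; overrides {shadowed}")
```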
--conmon="": Path to the conmon binary, used for monitoring the OCI runtime. Will be searched for using $PATH if empty. This option is deprecated, and will be removed in the future.

--conmon-cgroup="": cgroup to be used for conmon process. This option is deprecated and will be removed in the future.

--conmon-env="": Environment variable list for the conmon process, used for passing necessary environment variables to conmon or the runtime. This option is deprecated and will be removed in the future.

--container-attach-socket-dir="": Path to directory for container attach sockets. (default: /var/run/crio)

--container-exits-dir="": Path to directory in which container exit files are written to by conmon. (default: /var/run/crio/exits)

--ctr-stop-timeout="": The minimal amount of time in seconds to wait before issuing a timeout regarding the proper termination of the container. The lowest possible value is 30s, whereas lower values are not considered by CRI-O. (default: 30)

--decryption-keys-path="": Path to load keys for image decryption. (default: /etc/crio/keys/)

--default-capabilities="": Capabilities to add to the containers. (default: "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "SETGID", "SETUID", "SETPCAP", "NET_BIND_SERVICE", "KILL")

--default-env="": Additional environment variables to set for all containers.

--default-mounts-file="": Path to default mounts file.

--default-runtime="": Default OCI runtime from the runtimes config. (default: runc)

--default-sysctls="": Sysctls to add to the containers.

--default-transport="": A prefix to prepend to image names that cannot be pulled as-is. (default: docker://)

--default-ulimits="": Ulimits to apply to containers by default (name=soft:hard).

--device-ownership-from-security-context: Set devices' uid/gid ownership from runAsUser/runAsGroup.

--drop-infra-ctr: Determines whether pods are created without an infra container, when the pod is not using a pod level PID namespace.

--enable-criu-support: Enable CRIU integration, requires that the criu binary is available in $PATH.

--enable-metrics: Enable metrics endpoint for the server on localhost:9090.

--enable-nri: Enable NRI (Node Resource Interface) support. (default: false)

--enable-pod-events: If true, CRI-O starts sending the container events to the kubelet.

--enable-profile-unix-socket: Enable pprof profiler on crio unix domain socket.

--enable-tracing: Enable OpenTelemetry trace data exporting.

--gid-mappings="": Specify the GID mappings to use for the user namespace.

--global-auth-file="": Path to a file like /var/lib/kubelet/config.json holding credentials necessary for pulling images from secure registries.

--grpc-max-recv-msg-size="": Maximum grpc receive message size in bytes. (default: 83886080)

--grpc-max-send-msg-size="": Maximum grpc receive message size. (default: 83886080)

--help, -h: show help

--hooks-dir="": Set the OCI hooks directory path (may be set multiple times)
If one of the directories does not exist, then CRI-O will automatically skip them.
Each '*.json' file in the path configures a hook for CRI-O containers. For more details on the syntax of the JSON files and the semantics of hook injection, see 'oci-hooks(5)'. CRI-O currently supports both the 1.0.0 and 0.1.0 hook schemas, although the 0.1.0 schema is deprecated.
This option may be set multiple times; paths from later options have higher precedence ('oci-hooks(5)' discusses directory precedence).
For the annotation conditions, CRI-O uses the Kubernetes annotations, which are a subset of the annotations passed to the OCI runtime. For example, 'io.kubernetes.cri-o.Volumes' is part of the OCI runtime configuration annotations, but it is not part of the Kubernetes annotations being matched for hooks.
For the bind-mount conditions, only mounts explicitly requested by Kubernetes configuration are considered. Bind mounts that CRI-O inserts by default (e.g. '/dev/shm') are not considered. (default: "/usr/share/containers/oci/hooks.d")

--hostnetwork-disable-selinux: Determines whether SELinux should be disabled within a pod when it is running in the host network namespace.

--image-volumes="": Image volume handling ('mkdir', 'bind', or 'ignore')
1. mkdir: A directory is created inside the container root filesystem for the volumes.
2. bind: A directory is created inside container state directory and bind mounted into the container for the volumes.
3. ignore: All volumes are just ignored and no action is taken. (default: mkdir)

--infra-ctr-cpuset="": CPU set to run infra containers, if not specified CRI-O will use all online CPUs to run infra containers.

--insecure-registry="": Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.
1. List of insecure registries can contain an element with CIDR notation to specify a whole subnet.
2. Insecure registries accept HTTP or accept HTTPS with certificates from unknown CAs.
3. Enabling '--insecure-registry' is useful when running a local registry. However, because its use creates security vulnerabilities, it should ONLY be enabled for testing purposes. For increased security, users should add their CA to their system's list of trusted CAs instead of using '--insecure-registry'.

--internal-wipe: Whether CRI-O should wipe containers after a reboot and images after an upgrade when the server starts. If set to false, one must run crio wipe to wipe the containers and images in these situations. This option is deprecated, and will be removed in the future.

--irqbalance-config-file="": The irqbalance service config file which is used by CRI-O. (default: /etc/sysconfig/irqbalance)

--irqbalance-config-restore-file="": Determines if CRI-O should attempt to restore the irqbalance config at startup with the mask in this file. Use the 'disable' value to disable the restore flow entirely. (default: /etc/sysconfig/orig_irq_banned_cpus)

--listen="": Path to the CRI-O socket. (default: /var/run/crio/crio.sock)

--log="": Set the log file path where internal debug information is written.

--log-dir="": Default log directory where all logs will go unless directly specified by the kubelet. (default: /var/log/crio/pods)

--log-filter="": Filter the log messages by the provided regular expression. For example 'request.*' filters all gRPC requests.

--log-format="": Set the format used by logs: 'text' or 'json'. (default: text)

--log-journald: Log to systemd journal (journald) in addition to kubernetes log file.

--log-level, -l="": Log messages above specified level: trace, debug, info, warn, error, fatal or panic. (default: info)

--log-size-max="": Maximum log size in bytes for a container. If it is positive, it must be >= 8192 to match/exceed conmon read buffer. This option is deprecated. The Kubelet flag '--container-log-max-size' should be used instead. (default: -1)

--metrics-cert="": Certificate for the secure metrics endpoint.

--metrics-collectors="": Enabled metrics collectors. (default: "operations", "operations_latency_microseconds_total", "operations_latency_microseconds", "operations_errors", "image_pulls_by_digest", "image_pulls_by_name", "image_pulls_by_name_skipped", "image_pulls_failures", "image_pulls_successes", "image_pulls_layer_size", "image_layer_reuse", "containers_oom_total", "containers_oom", "processes_defunct", "operations_total", "operations_latency_seconds", "operations_latency_seconds_total", "operations_errors_total", "image_pulls_bytes_total", "image_pulls_skipped_bytes_total", "image_pulls_failure_total", "image_pulls_success_total", "image_layer_reuse_total", "containers_oom_count_total", "containers_seccomp_notifier_count_total")

--metrics-key="": Certificate key for the secure metrics endpoint.

--metrics-port="": Port for the metrics endpoint. (default: 9090)

--metrics-socket="": Socket for the metrics endpoint.

--minimum-mappable-gid="": Specify the lowest host GID which can be specified in mappings for a pod that will be run as a UID other than 0. (default: -1)

--minimum-mappable-uid="": Specify the lowest host UID which can be specified in mappings for a pod that will be run as a UID other than 0. (default: -1)

--namespaces-dir="": The directory where the state of the managed namespaces gets tracked. Only used when manage-ns-lifecycle is true. (default: /var/run)

--no-pivot: If true, the runtime will not use pivot_root, but instead use MS_MOVE.

--nri-disable-connections="": Disable connections from externally started NRI plugins. (default: false)

--nri-listen="": Socket to listen on for externally started NRI plugins to connect to. (default: "/var/run/nri/nri.sock")

--nri-plugin-config-dir="": Directory to scan for configuration of pre-installed NRI plugins. (default: "/etc/nri/conf.d")

--nri-plugin-dir="": Directory to scan for pre-installed NRI plugins to start automatically. (default: "/opt/nri/plugins")

--nri-plugin-registration-timeout="": Timeout for a plugin to register itself with NRI. (default: 5s)

--nri-plugin-request-timeout="": Timeout for a plugin to handle an NRI request. (default: 2s)

--pause-command="": Path to the pause executable in the pause image. (default: /pause)

--pause-image="": Image which contains the pause executable. (default: registry.k8s.io/pause:3.9)

--pause-image-auth-file="": Path to a config file containing credentials for --pause-image.

--pids-limit="": Maximum number of processes allowed in a container. This option is deprecated. The Kubelet flag '--pod-pids-limit' should be used instead. (default: 0)

--pinns-path="": The path to find the pinns binary, which is needed to manage namespace lifecycle. Will be searched for in $PATH if empty.

--profile: Enable pprof remote profiler on localhost:6060.

--profile-cpu="": Write a pprof CPU profile to the provided path.

--profile-mem="": Write a pprof memory profile to the provided path.

--profile-port="": Port for the pprof profiler. (default: 6060)

--rdt-config-file="": Path to the RDT configuration file for configuring the resctrl pseudo-filesystem.

--read-only: Setup all unprivileged containers to run as read-only. Automatically mounts the containers' tmpfs on /run, /tmp and /var/tmp.

--registry="": Registry to be prepended when pulling unqualified images. Can be specified multiple times.

--root, -r="": The CRI-O root directory. (default: /var/lib/containers/storage)

--runroot="": The CRI-O state directory. (default: /run/containers/storage)

--runtimes="": OCI runtimes, format is 'runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices:runtime_config_path'.

--seccomp-profile="": Path to the seccomp.json profile to be used as the runtime's default. If not specified, then the internal default seccomp profile will be used.

--seccomp-use-default-when-empty: Use the default seccomp profile when an empty one is specified. This option is currently deprecated, and will be replaced by the SeccompDefault FeatureGate in Kubernetes.

--selinux: Enable selinux support.

--separate-pull-cgroup="": [EXPERIMENTAL] Pull in new cgroup.

--signature-policy="": Path to signature policy JSON file.

--signature-policy-dir="": Path to the root directory for namespaced signature policies. Must be an absolute path. (default: /etc/crio/policies)

--stats-collection-period="": The number of seconds between collecting pod and container stats. If set to 0, the stats are collected on-demand instead. (default: 0)

--storage-driver, -s="": OCI storage driver.

--storage-opt="": OCI storage driver option.

--stream-address="": Bind address for streaming socket. (default: 127.0.0.1)

--stream-enable-tls: Enable encrypted TLS transport of the stream server.

--stream-idle-timeout="": Length of time until open streams terminate due to lack of activity.

--stream-port="": Bind port for streaming socket. If the port is set to '0', then CRI-O will allocate a random free port number. (default: 0)

--stream-tls-ca="": Path to the x509 CA(s) file used to verify and authenticate client communication with the encrypted stream. This file can change and CRI-O will automatically pick up the changes within 5 minutes.

--stream-tls-cert="": Path to the x509 certificate file used to serve the encrypted stream. This file can change and CRI-O will automatically pick up the changes within 5 minutes.

--stream-tls-key="": Path to the key file used to serve the encrypted stream. This file can change and CRI-O will automatically pick up the changes within 5 minutes.

--tracing-endpoint="": Address on which the gRPC tracing collector will listen. (default: 0.0.0.0:4317)

--tracing-sampling-rate-per-million="": Number of samples to collect per million OpenTelemetry spans. Set to 1000000 to always sample. (default: 0)

--uid-mappings="": Specify the UID mappings to use for the user namespace.

--version, -v: print the version

--version-file="": Location for CRI-O to lay down the temporary version file. It is used to check if crio wipe should wipe containers, which should always happen on a node reboot. (default: /var/run/crio/version)

--version-file-persist="": Location for CRI-O to lay down the persistent version file. It is used to check if crio wipe should wipe images, which should only happen when CRI-O has been upgraded. (default: /var/run/crio/version)

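A configuration review of the global options above, as an added example (not part of CRI-O or its documentation): it parses a crio command line, such as a systemd ExecStart value, and reports the settings this page itself marks as testing-only or deprecated, plus profiler, capability and stream-server exposure. Assumptions: the sample command lines are constructed, list values are comma-separated or repeated, and treating a non-loopback --stream-address without --stream-enable-tls as a finding is this example's policy.

```python
import ipaddress
import shlex

# Flags the synopsis lists without "=[value]"; they never take the next word.
BOOLEAN = set("""add-inheritable-capabilities
device-ownership-from-security-context drop-infra-ctr enable-criu-support
enable-metrics enable-nri enable-pod-events enable-profile-unix-socket
enable-tracing help hostnetwork-disable-selinux internal-wipe log-journald
no-pivot profile read-only seccomp-use-default-when-empty selinux
stream-enable-tls version""".split())
# Options whose description on this page says they are deprecated.
DEPRECATED = {"conmon", "conmon-cgroup", "conmon-env", "internal-wipe",
              "log-size-max", "pids-limit", "seccomp-use-default-when-empty"}
# Default of --default-capabilities as documented on this page.
DEFAULT_CAPS = {"CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "SETGID",
                "SETUID", "SETPCAP", "NET_BIND_SERVICE", "KILL"}
# Constructed sample command lines.
SAMPLE = ("/usr/bin/crio --selinux --insecure-registry=10.0.0.0/8 "
          "--stream-address 0.0.0.0 --profile --pids-limit=1024 "
          "--default-capabilities=CHOWN,SYS_ADMIN,KILL")
HARDENED = "crio --selinux --stream-address=192.0.2.10 --stream-enable-tls"


def parse_flags(command_line):
    """Return {flag: [values]}; handles --a=b, --a b and bare boolean --a."""
    words = shlex.split(command_line)
    flags, i = {}, 0
    while i < len(words):
        word = words[i]
        i += 1
        if not word.startswith("--"):
            continue                  # program name, short flag, positional
        name, eq, value = word[2:].partition("=")
        if not eq:
            if name in BOOLEAN:
                value = "true"
            elif i < len(words):
                value, i = words[i], i + 1
        flags.setdefault(name, []).append(value)
    return flags


def is_true(values):
    """A boolean flag counts as set unless its last value is false/0."""
    return bool(values) and values[-1].lower() not in ("false", "0")


def audit(command_line):
    """Return (flag, finding) pairs for the global options of one command."""
    flags = parse_flags(command_line)
    findings = []
    for registry in flags.get("insecure-registry", []):
        findings.append(("insecure-registry",
                         f"{registry}: accepts HTTP or unknown CAs; testing only"))
    for name in ("profile", "enable-profile-unix-socket"):
        if is_true(flags.get(name)):
            findings.append((name, "pprof profiler is enabled"))
    address = flags.get("stream-address", ["127.0.0.1"])[-1]
    try:
        loopback = ipaddress.ip_address(address).is_loopback
    except ValueError:                # a host name or an empty value
        loopback = address == "localhost"
    if not loopback and not is_true(flags.get("stream-enable-tls")):
        findings.append(("stream-address",
                         f"stream server on {address} without --stream-enable-tls"))
    for name in ("add-inheritable-capabilities", "hostnetwork-disable-selinux"):
        if is_true(flags.get(name)):
            findings.append((name, "loosens the default container confinement"))
    caps = {cap.strip().upper()
            for value in flags.get("default-capabilities", [])
            for cap in value.split(",") if cap.strip()}
    extra = sorted(caps - DEFAULT_CAPS)
    if extra:
        findings.append(("default-capabilities",
                         "beyond the documented default: " + ", ".join(extra)))
    for name in sorted(DEPRECATED & flags.keys()):
        findings.append((name, "deprecated option"))
    return findings
```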
Generate bash, fish or zsh completions.

Generate the man page documentation.

Generate the markdown documentation.

--help, -h: show help

help, h
Shows a list of commands or help for one command

Outputs a commented version of the configuration file that could be used by CRI-O. This allows you to save your current configuration setup and then load it later with --config. Global options will modify the output.

--default: Output the default configuration (without taking into account any configuration options).

--migrate-defaults, -m="": Migrate the default config from a specified version.
To run a config migration, just select the input config via the global '--config,-c' command line argument, for example:

crio -c /etc/crio/crio.conf.d/00-default.conf config -m 1.17

The migration will print converted configuration options to stderr and will output the resulting configuration to stdout.
Please note that the migration will overwrite any fields that have changed defaults between versions. To save a custom configuration change, it should be in a drop-in configuration file instead.
Possible values: "1.17" (default: 1.17)

display detailed version information

--json, -j: print JSON instead of text

--verbose, -v: print verbose information (for example all golang dependencies)

wipe CRI-O's container and image storage

--force, -f: force wipe by skipping the version check

Shows a list of commands or help for one command

crio.conf (/etc/crio/crio.conf)
cri-o configuration file for all of the available command-line options for the crio(8) program, but in a TOML format that can be more easily modified and versioned.

policy.json (/etc/containers/policy.json)
Signature verification policy files are used to specify policy, e.g. trusted keys, applicable when deciding whether to accept an image, or individual signatures of that image, as valid.

registries.conf (/etc/containers/registries.conf)
Registry configuration file specifies registries which are consulted when completing image names that do not include a registry or domain portion.

storage.conf (/etc/containers/storage.conf)
Storage configuration file specifies all of the available container storage options for tools using shared container storage.

All command-line options may also be specified as environment variables. The options detailed in this section, however, can only be set via environment variables.

KUBENSMNT: Path to a bind-mounted mount namespace that CRI-O should join before launching any containers. If the path does not exist, or does not point to a mount namespace bindmount, CRI-O will run in its parent's mount namespace and log a warning that the requested namespace was not joined.

crio.conf(5), crio.conf.d(5), oci-hooks(5), policy.json(5), registries.conf(5), storage.conf(5)