From 5120f8e90c0178ac7f6d911159ceb278dd87b4c9 Mon Sep 17 00:00:00 2001 From: Michael Gugino Date: Thu, 16 Nov 2017 14:56:14 -0500 Subject: Implement container runtime role --- roles/docker/templates/crio.conf.j2 | 164 ------------------------------------ 1 file changed, 164 deletions(-) delete mode 100644 roles/docker/templates/crio.conf.j2 (limited to 'roles/docker/templates/crio.conf.j2') diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 deleted file mode 100644 index 3f066a17f..000000000 --- a/roles/docker/templates/crio.conf.j2 +++ /dev/null @@ -1,164 +0,0 @@ -# {{ ansible_managed }} - -# The "crio" table contains all of the server options. -[crio] - -# root is a path to the "root directory". CRIO stores all of its data, -# including container images, in this directory. -root = "/var/lib/containers/storage" - -# run is a path to the "run directory". CRIO stores all of its state -# in this directory. -runroot = "/var/run/containers/storage" - -# storage_driver select which storage driver is used to manage storage -# of images and containers. -storage_driver = "overlay" - -# storage_option is used to pass an option to the storage driver. -storage_option = [ -{% if ansible_distribution in ['RedHat', 'CentOS'] %} - "overlay.override_kernel_check=1" -{% endif %} -] - -# The "crio.api" table contains settings for the kubelet/gRPC -# interface (which is also used by crioctl). -[crio.api] - -# listen is the path to the AF_LOCAL socket on which crio will listen. -listen = "/var/run/crio.sock" - -# stream_address is the IP address on which the stream server will listen -stream_address = "" - -# stream_port is the port on which the stream server will listen -stream_port = "10010" - -# file_locking is whether file-based locking will be used instead of -# in-memory locking -file_locking = true - -# The "crio.runtime" table contains settings pertaining to the OCI -# runtime used and options for how to set up and manage the OCI runtime. -[crio.runtime] - -# runtime is the OCI compatible runtime used for trusted container workloads. -# This is a mandatory setting as this runtime will be the default one -# and will also be used for untrusted container workloads if -# runtime_untrusted_workload is not set. -runtime = "/usr/bin/runc" - -# runtime_untrusted_workload is the OCI compatible runtime used for untrusted -# container workloads. This is an optional setting, except if -# default_container_trust is set to "untrusted". -runtime_untrusted_workload = "" - -# default_workload_trust is the default level of trust crio puts in container -# workloads. It can either be "trusted" or "untrusted", and the default -# is "trusted". -# Containers can be run through different container runtimes, depending on -# the trust hints we receive from kubelet: -# - If kubelet tags a container workload as untrusted, crio will try first to -# run it through the untrusted container workload runtime. If it is not set, -# crio will use the trusted runtime. -# - If kubelet does not provide any information about the container workload trust -# level, the selected runtime will depend on the default_container_trust setting. -# If it is set to "untrusted", then all containers except for the host privileged -# ones, will be run by the runtime_untrusted_workload runtime. Host privileged -# containers are by definition trusted and will always use the trusted container -# runtime. If default_container_trust is set to "trusted", crio will use the trusted -# container runtime for all containers. -default_workload_trust = "trusted" - -# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE -no_pivot = false - -# conmon is the path to conmon binary, used for managing the runtime. -conmon = "/usr/libexec/crio/conmon" - -# conmon_env is the environment variable list for conmon process, -# used for passing necessary environment variable to conmon or runtime. -conmon_env = [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", -] - -# selinux indicates whether or not SELinux will be used for pod -# separation on the host. If you enable this flag, SELinux must be running -# on the host. -selinux = true - -# seccomp_profile is the seccomp json profile path which is used as the -# default for the runtime. -seccomp_profile = "/etc/crio/seccomp.json" - -# apparmor_profile is the apparmor profile name which is used as the -# default for the runtime. -apparmor_profile = "crio-default" - -# cgroup_manager is the cgroup management implementation to be used -# for the runtime. -cgroup_manager = "systemd" - -# hooks_dir_path is the oci hooks directory for automatically executed hooks -hooks_dir_path = "/usr/share/containers/oci/hooks.d" - -# default_mounts is the mounts list to be mounted for the container when created -default_mounts = [ - "/usr/share/rhel/secrets:/run/secrets", -] - -# pids_limit is the number of processes allowed in a container -pids_limit = 1024 - -# log_size_max is the max limit for the container log size in bytes. -# Negative values indicate that no limit is imposed. -log_size_max = 52428800 - -# The "crio.image" table contains settings pertaining to the -# management of OCI images. -[crio.image] - -# default_transport is the prefix we try prepending to an image name if the -# image name as we receive it can't be parsed as a valid source reference -default_transport = "docker://" - -# pause_image is the image which we use to instantiate infra containers. -pause_image = "kubernetes/pause" - -# pause_command is the command to run in a pause_image to have a container just -# sit there. If the image contains the necessary information, this value need -# not be specified. -pause_command = "/pause" - -# signature_policy is the name of the file which decides what sort of policy we -# use when deciding whether or not to trust an image that we've pulled. -# Outside of testing situations, it is strongly advised that this be left -# unspecified so that the default system-wide policy will be used. -signature_policy = "" - -# image_volumes controls how image volumes are handled. -# The valid values are mkdir and ignore. -image_volumes = "mkdir" - -# insecure_registries is used to skip TLS verification when pulling images. -insecure_registries = [ -{{ l_insecure_crio_registries|default("") }} -] - -# registries is used to specify a comma separated list of registries to be used -# when pulling an unqualified image (e.g. fedora:rawhide). -registries = [ -{{ l_additional_crio_registries|default("") }} -] - -# The "crio.network" table contains settings pertaining to the -# management of CNI plugins. -[crio.network] - -# network_dir is is where CNI network configuration -# files are stored. -network_dir = "/etc/cni/net.d/" - -# plugin_dir is is where CNI plugin binaries are stored. -plugin_dir = "/opt/cni/bin/" -- cgit v1.2.3