From 3003a54811227f5434a8a3d7c8d54c3accafd1e3 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 19 Jul 2017 11:48:48 +0200 Subject: crio: use a template for the configuration Signed-off-by: Giuseppe Scrivano
---
 roles/docker/templates/crio.conf.j2 | 132 ++++++++++++++++++++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 roles/docker/templates/crio.conf.j2 (limited to 'roles/docker/templates')
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 new file mode 100644
index 000000000..f7049aa41
--- /dev/null
+++ b/roles/docker/templates/crio.conf.j2
@@ -0,0 +1,132 @@
+# {{ ansible_managed }}
+
+# The "crio" table contains all of the server options.
+[crio]
+
+# root is a path to the "root directory". CRIO stores all of its data,
+# including container images, in this directory.
+root = "/var/lib/containers/storage"
+
+# run is a path to the "run directory". CRIO stores all of its state
+# in this directory.
+runroot = "/var/run/containers/storage"
+
+# storage_driver select which storage driver is used to manage storage
+# of images and containers.
+storage_driver = "overlay2"
+
+# storage_option is used to pass an option to the storage driver.
+storage_option = [
+{% if ansible_distribution in ['RedHat', 'CentOS'] %}
+ "overlay2.override_kernel_check=1"
+{% endif %}
+]
+
+# The "crio.api" table contains settings for the kubelet/gRPC
+# interface (which is also used by crioctl).
+[crio.api]
+
+# listen is the path to the AF_LOCAL socket on which crio will listen.
+listen = "/var/run/crio.sock"
+
+# stream_address is the IP address on which the stream server will listen
+stream_address = ""
+
+# stream_port is the port on which the stream server will listen
+stream_port = "10010"
+
+# The "crio.runtime" table contains settings pertaining to the OCI
+# runtime used and options for how to set up and manage the OCI runtime.
+[crio.runtime]
+
+# runtime is the OCI compatible runtime used for trusted container workloads.
+# This is a mandatory setting as this runtime will be the default one
+# and will also be used for untrusted container workloads if
+# runtime_untrusted_workload is not set.
+runtime = "/usr/libexec/crio/runc"
+
+# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
+# container workloads. This is an optional setting, except if
+# default_container_trust is set to "untrusted".
+runtime_untrusted_workload = ""
+
+# default_workload_trust is the default level of trust crio puts in container
+# workloads. It can either be "trusted" or "untrusted", and the default
+# is "trusted".
+# Containers can be run through different container runtimes, depending on
+# the trust hints we receive from kubelet:
+# - If kubelet tags a container workload as untrusted, crio will try first to
+# run it through the untrusted container workload runtime. If it is not set,
+# crio will use the trusted runtime.
+# - If kubelet does not provide any information about the container workload trust
+# level, the selected runtime will depend on the default_container_trust setting.
+# If it is set to "untrusted", then all containers except for the host privileged
+# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
+# containers are by definition trusted and will always use the trusted container
+# runtime. If default_container_trust is set to "trusted", crio will use the trusted
+# container runtime for all containers.
+default_workload_trust = "trusted"
+
+# conmon is the path to conmon binary, used for managing the runtime.
+conmon = "/usr/libexec/crio/conmon"
+
+# conmon_env is the environment variable list for conmon process,
+# used for passing necessary environment variable to conmon or runtime.
+conmon_env = [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+]
+
+# selinux indicates whether or not SELinux will be used for pod
+# separation on the host. If you enable this flag, SELinux must be running
+# on the host.
+selinux = true
+
+# seccomp_profile is the seccomp json profile path which is used as the
+# default for the runtime.
+seccomp_profile = "/etc/crio/seccomp.json"
+
+# apparmor_profile is the apparmor profile name which is used as the
+# default for the runtime.
+apparmor_profile = "crio-default"
+
+# cgroup_manager is the cgroup management implementation to be used
+# for the runtime.
+cgroup_manager = "systemd"
+
+# The "crio.image" table contains settings pertaining to the
+# management of OCI images.
+[crio.image]
+
+# default_transport is the prefix we try prepending to an image name if the
+# image name as we receive it can't be parsed as a valid source reference
+default_transport = "docker://"
+
+# pause_image is the image which we use to instantiate infra containers.
+pause_image = "kubernetes/pause"
+
+# pause_command is the command to run in a pause_image to have a container just
+# sit there. If the image contains the necessary information, this value need
+# not be specified.
+pause_command = "/pause"
+
+# signature_policy is the name of the file which decides what sort of policy we
+# use when deciding whether or not to trust an image that we've pulled.
+# Outside of testing situations, it is strongly advised that this be left
+# unspecified so that the default system-wide policy will be used.
+signature_policy = ""
+
+# insecure_registries is used to skip TLS verification when pulling images.
+insecure_registries = [
+{{ l_insecure_crio_registries }}
+]
+
+# The "crio.network" table contains settings pertaining to the
+# management of CNI plugins.
+[crio.network]
+
+# network_dir is is where CNI network configuration
+# files are stored.
+network_dir = "/etc/cni/net.d/"
+
+# plugin_dir is is where CNI plugin binaries are stored.
+plugin_dir = "/opt/cni/bin/"
-- cgit v1.2.3 From c66d51f519acf2958a378c109750b86620e32122 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Wed, 19 Jul 2017 09:55:59 -0400 Subject: cri-o: Default insecure registries to ""
---
 roles/docker/templates/crio.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'roles/docker/templates')
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
index f7049aa41..eae1759ab 100644
--- a/roles/docker/templates/crio.conf.j2
+++ b/roles/docker/templates/crio.conf.j2
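Review bot: The `insecure_registries` array in the `[crio.image]` table splices `l_insecure_crio_registries` into the file verbatim, so the rendered TOML only parses if that variable is already a comma-separated list of quoted strings; if it is an Ansible list it would render as a Python repr (`['a', 'b']`) and produce a nested array, and while undefined it aborts the template (the `@@ -117,7` hunk of the following commit on this page covers only the undefined case with `|default("")`). Rendering each entry explicitly removes the dependency on the variable's shape: `{% for registry in l_insecure_crio_registries | default([]) %}`, ` {{ registry | to_json }},`, `{% endfor %}`. Because every registry in this list is pulled from without TLS verification, the comment above the key should also state that it is expected to be empty outside isolated or test networks, so an operator reading the rendered `/etc/crio` config sees the exposure. Separately, the comment blocks for `runtime_untrusted_workload` and `default_workload_trust` refer to a `default_container_trust` setting, but the key actually written is `default_workload_trust`; the comments should use the real key name.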
@@ -117,7 +117,7 @@ signature_policy = ""
 
 # insecure_registries is used to skip TLS verification when pulling images.
 insecure_registries = [
-{{ l_insecure_crio_registries }}
+{{ l_insecure_crio_registries|default("") }}
 ]
 
 # The "crio.network" table contains settings pertaining to the
-- cgit v1.2.3 From 941b8905feb30f2537360b002ae4b9a457b0f3e2 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Wed, 19 Jul 2017 10:22:40 -0400 Subject: cri-o: Ensure overlay is available Some distro releases may not have overlay loaded into the kernel. This change looks for overlay via lsmod and, if it isn't already there, uses modprobe to load it in and then drops a load config into /etc/modules-load.d/overlay.conf.
---
 roles/docker/templates/overlay.conf.j2 | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 roles/docker/templates/overlay.conf.j2 (limited to 'roles/docker/templates')
diff --git a/roles/docker/templates/overlay.conf.j2 b/roles/docker/templates/overlay.conf.j2 new file mode 100644
index 000000000..782f46c2e
--- /dev/null
+++ b/roles/docker/templates/overlay.conf.j2
@@ -0,0 +1,2 @@
+### {{ ansible_managed }}
+overlay
-- cgit v1.2.3 From 31e708a5d440a6ad13f81c4b94ad26e0b2d9587a Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 2 Aug 2017 18:44:08 +0200 Subject: cri-o: configure the CNI network Signed-off-by: Giuseppe Scrivano
---
 roles/docker/templates/80-openshift-sdn.conf.j2 | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 roles/docker/templates/80-openshift-sdn.conf.j2 (limited to 'roles/docker/templates')
diff --git a/roles/docker/templates/80-openshift-sdn.conf.j2 b/roles/docker/templates/80-openshift-sdn.conf.j2 new file mode 100644
index 000000000..a693aea5f
--- /dev/null
+++ b/roles/docker/templates/80-openshift-sdn.conf.j2
@@ -0,0 +1,5 @@
+{
+ "cniVersion": "0.1.0",
+ "name": "openshift-sdn",
+ "type": "openshift-sdn"
+}
-- cgit v1.2.3