Documentation ¶
Index ¶
- Constants
- Variables
- type APIConfig
- type Config
- func (c *Config) GetData() *Config
- func (c *Config) GetStore() (cstorage.Store, error)
- func (c *Config) Reload(fileName string) error
- func (c *Config) ReloadLogFilter(newConfig *Config) error
- func (c *Config) ReloadLogLevel(newConfig *Config) error
- func (c *Config) ReloadPauseImage(newConfig *Config) error
- func (c *Config) ToBytes() ([]byte, error)
- func (c *Config) ToFile(path string) error
- func (c *Config) UpdateFromFile(path string) error
- func (c *Config) UpdateFromPath(path string) error
- func (c *Config) Validate(systemContext *types.SystemContext, onExecution bool) error
- func (c *Config) WriteTemplate(w io.Writer) error
- type Iface
- type ImageConfig
- type ImageVolumesType
- type MetricsConfig
- type NetworkConfig
- type RootConfig
- type RuntimeConfig
- type RuntimeHandler
- type Runtimes
Constants ¶
const (
	DefaultRuntimeType     = "oci"
	DefaultRuntimeRoot     = "/run/runc"
	DefaultApparmorProfile = "crio-default-" + version.Version
	OCIBufSize             = 8192
	RuntimeTypeVM          = "vm"
)
Defaults if none are specified
const (
	// DefaultPidsLimit is the default value for maximum number of processes
	// allowed inside a container
	DefaultPidsLimit = 1024
	// DefaultLogSizeMax is the default value for the maximum log size
	// allowed for a container. Negative values mean that no limit is imposed.
	DefaultLogSizeMax = -1
	// DefaultLogToJournald is the default value for whether conmon should
	// log to journald in addition to kubernetes log file.
	DefaultLogToJournald = false
)
const (
	ContainerAttachSocketDir = "/var/run/crio"
	// CrioConfigPath is the default location for the conf file
	CrioConfigPath = "/etc/crio/crio.conf"
	// CrioConfigDropInPath is the default location for the drop-in config files
	CrioConfigDropInPath = "/etc/crio/crio.conf.d"
	// CrioSocketPath is where the unix socket is located
	CrioSocketPath = "/var/run/crio/crio.sock"
	// CrioVersionPath is where the CRI-O version file is located
	CrioVersionPath = "/var/run/crio/version"
)
Defaults for linux/unix if none are specified
Variables ¶
var DefaultCapabilities = []string{
"CHOWN",
"DAC_OVERRIDE",
"FSETID",
"FOWNER",
"NET_RAW",
"SETGID",
"SETUID",
"SETPCAP",
"NET_BIND_SERVICE",
"SYS_CHROOT",
"KILL",
}
DefaultCapabilities is the default value for the default_capabilities option in the crio.conf file.
Functions ¶
This section is empty.
Types ¶
type APIConfig ¶
type APIConfig struct {
	// GRPCMaxSendMsgSize is the maximum grpc send message size in bytes.
	GRPCMaxSendMsgSize int `toml:"grpc_max_send_msg_size"`
	// GRPCMaxRecvMsgSize is the maximum grpc receive message size in bytes.
	GRPCMaxRecvMsgSize int `toml:"grpc_max_recv_msg_size"`
	// Listen is the path to the AF_LOCAL socket on which cri-o will listen.
	// This may support proto://addr formats later, but currently this is just
	// a path.
	Listen string `toml:"listen"`
	// StreamAddress is the IP address on which the stream server will listen.
	StreamAddress string `toml:"stream_address"`
	// StreamPort is the port on which the stream server will listen.
	StreamPort string `toml:"stream_port"`
	// StreamEnableTLS enables encrypted tls transport of the stream server
	StreamEnableTLS bool `toml:"stream_enable_tls"`
	// StreamTLSCert is the x509 certificate file path used to serve the encrypted stream
	StreamTLSCert string `toml:"stream_tls_cert"`
	// StreamTLSKey is the key file path used to serve the encrypted stream
	StreamTLSKey string `toml:"stream_tls_key"`
	// StreamTLSCA is the x509 CA(s) file used to verify and authenticate client
	// communication with the tls encrypted stream
	StreamTLSCA string `toml:"stream_tls_ca"`
}
APIConfig represents the "crio.api" TOML config table.
type Config ¶ added in v1.16.0
type Config struct {
	RootConfig
	APIConfig
	RuntimeConfig
	ImageConfig
	NetworkConfig
	MetricsConfig
}
Config represents the entire set of configuration values that can be set for the server. This is intended to be loaded from a toml-encoded config file.
func DefaultConfig ¶ added in v1.16.0
DefaultConfig returns the default configuration for crio.
func (*Config) GetStore ¶ added in v1.16.0
func (c *Config) GetStore() (cstorage.Store, error)
GetStore returns the container storage for a given configuration.
func (*Config) Reload ¶ added in v1.16.0
func (c *Config) Reload(fileName string) error
Reload reloads the configuration with the config at the provided `fileName` path. The method errors in case of any read or update failure.
func (*Config) ReloadLogFilter ¶ added in v1.17.0
func (c *Config) ReloadLogFilter(newConfig *Config) error
ReloadLogFilter updates the LogFilter with the provided `newConfig`. It errors if the filter is not applicable.
func (*Config) ReloadLogLevel ¶ added in v1.16.0
func (c *Config) ReloadLogLevel(newConfig *Config) error
ReloadLogLevel updates the LogLevel with the provided `newConfig`. It errors if the level is not parsable.
func (*Config) ReloadPauseImage ¶ added in v1.16.0
func (c *Config) ReloadPauseImage(newConfig *Config) error
func (*Config) ToBytes ¶ added in v1.16.0
func (c *Config) ToBytes() ([]byte, error)
ToBytes encodes the config into a byte slice. It errors if the encoding fails, which should never happen because of the type safety of the config structs.
func (*Config) ToFile ¶ added in v1.16.0
func (c *Config) ToFile(path string) error
ToFile outputs the given Config as a TOML-encoded file at the given path. Returns errors encountered when generating or writing the file, or nil otherwise.
func (*Config) UpdateFromFile ¶ added in v1.16.0
func (c *Config) UpdateFromFile(path string) error
UpdateFromFile populates the Config from the TOML-encoded file at the given path. Returns errors encountered when reading or parsing the files, or nil otherwise.
func (*Config) UpdateFromPath ¶ added in v1.17.0
func (c *Config) UpdateFromPath(path string) error
UpdateFromPath recursively iterates the provided path and updates the configuration from the files found in it.
func (*Config) Validate ¶ added in v1.16.0
func (c *Config) Validate(systemContext *types.SystemContext, onExecution bool) error
Validate is the main entry point for library configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.
type ImageConfig ¶
type ImageConfig struct {
	// DefaultTransport is a value we prefix to image names that fail to
	// validate source references.
	DefaultTransport string `toml:"default_transport"`
	// GlobalAuthFile is a path to a file like /var/lib/kubelet/config.json
	// containing credentials necessary for pulling images from secure
	// registries.
	GlobalAuthFile string `toml:"global_auth_file"`
	// PauseImage is the name of an image which we use to instantiate infra
	// containers.
	PauseImage string `toml:"pause_image"`
	// PauseImageAuthFile, if not empty, is a path to a file like
	// /var/lib/kubelet/config.json containing credentials necessary
	// for pulling PauseImage
	PauseImageAuthFile string `toml:"pause_image_auth_file"`
	// PauseCommand is the path of the binary we run in an infra
	// container that's been instantiated using PauseImage.
	PauseCommand string `toml:"pause_command"`
	// SignaturePolicyPath is the name of the file which decides what sort
	// of policy we use when deciding whether or not to trust an image that
	// we've pulled. Outside of testing situations, it is strongly advised
	// that this be left unspecified so that the default system-wide policy
	// will be used.
	SignaturePolicyPath string `toml:"signature_policy"`
	// InsecureRegistries is a list of registries that must be contacted w/o
	// TLS verification.
	InsecureRegistries []string `toml:"insecure_registries"`
	// ImageVolumes controls how volumes specified in image config are handled
	ImageVolumes ImageVolumesType `toml:"image_volumes"`
	// Registries holds a list of registries used to pull unqualified images
	Registries []string `toml:"registries"`
}
ImageConfig represents the "crio.image" TOML config table.
type ImageVolumesType ¶
type ImageVolumesType string
ImageVolumesType describes the image volume handling strategies.
const (
	// ImageVolumesMkdir option is for using mkdir to handle image volumes
	ImageVolumesMkdir ImageVolumesType = "mkdir"
	// ImageVolumesIgnore option is for ignoring image volumes altogether
	ImageVolumesIgnore ImageVolumesType = "ignore"
	// ImageVolumesBind option is for using bind mounted volumes
	ImageVolumesBind ImageVolumesType = "bind"
)
type MetricsConfig ¶ added in v1.16.0
type MetricsConfig struct {
	// EnableMetrics can be used to globally enable or disable metrics support
	EnableMetrics bool `toml:"enable_metrics"`
	// MetricsPort is the port on which the metrics server will listen.
	MetricsPort int `toml:"metrics_port"`
}
MetricsConfig specifies all necessary configuration for Prometheus-based metrics retrieval.
type NetworkConfig ¶
type NetworkConfig struct {
	// NetworkDir is where CNI network configuration files are stored.
	NetworkDir string `toml:"network_dir"`
	// PluginDir is where CNI plugin binaries are stored.
	PluginDir string `toml:"plugin_dir,omitempty"`
	// PluginDirs is where CNI plugin binaries are stored.
	PluginDirs []string `toml:"plugin_dirs"`
}
NetworkConfig represents the "crio.network" TOML config table.
func (*NetworkConfig) Validate ¶ added in v1.16.0
func (c *NetworkConfig) Validate(onExecution bool) error
Validate is the main entry point for network configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.
type RootConfig ¶
type RootConfig struct {
	// Root is a path to the "root directory" where data not
	// explicitly handled by other options will be stored.
	Root string `toml:"root"`
	// RunRoot is a path to the "run directory" where state information not
	// explicitly handled by other options will be stored.
	RunRoot string `toml:"runroot"`
	// Storage is the name of the storage driver which handles actually
	// storing the contents of containers.
	Storage string `toml:"storage_driver"`
	// StorageOptions is a list of storage driver specific options.
	StorageOptions []string `toml:"storage_option"`
	// LogDir is the default log directory where all logs will go unless kubelet
	// tells us to put them somewhere else.
	LogDir string `toml:"log_dir"`
	// VersionFile is the location CRI-O will lay down the version file
	VersionFile string `toml:"version_file"`
}
RootConfig represents the root of the "crio" TOML config table.
func (*RootConfig) Validate ¶ added in v1.16.0
func (c *RootConfig) Validate(onExecution bool) error
Validate is the main entry point for root configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.
type RuntimeConfig ¶
type RuntimeConfig struct {
	// ConmonEnv is the environment variable list for conmon process.
	ConmonEnv []string `toml:"conmon_env"`
	// HooksDir holds paths to the directories containing hooks
	// configuration files. When the same filename is present in
	// multiple directories, the file in the directory listed last in
	// this slice takes precedence.
	HooksDir []string `toml:"hooks_dir"`
	// DefaultMounts is the list of mounts to be mounted for each container
	// The format of each mount is "host-path:container-path"
	DefaultMounts []string `toml:"default_mounts"`
	// Capabilities to add to all containers.
	DefaultCapabilities []string `toml:"default_capabilities"`
	// Sysctls to add to all containers.
	DefaultSysctls []string `toml:"default_sysctls"`
	// DefaultUlimits specifies the default ulimits to apply to containers
	DefaultUlimits []string `toml:"default_ulimits"`
	// Devices to add to containers
	AdditionalDevices []string `toml:"additional_devices"`
	// DefaultRuntime is the _name_ of the OCI runtime to be used as the default.
	// The name is matched against the Runtimes map below.
	DefaultRuntime string `toml:"default_runtime"`
	// DecryptionKeysPath is the path where keys for image decryption are stored.
	DecryptionKeysPath string `toml:"decryption_keys_path"`
	// Conmon is the path to conmon binary, used for managing the runtime.
	Conmon string `toml:"conmon"`
	// ConmonCgroup is the cgroup setting used for conmon.
	ConmonCgroup string `toml:"conmon_cgroup"`
	// SeccompProfile is the seccomp.json profile path which is used as the
	// default for the runtime.
	SeccompProfile string `toml:"seccomp_profile"`
	// ApparmorProfile is the apparmor profile name which is used as the
	// default for the runtime.
	ApparmorProfile string `toml:"apparmor_profile"`
	// CgroupManager is the manager implementation name which is used to
	// handle cgroups for containers.
	CgroupManager string `toml:"cgroup_manager"`
	// DefaultMountsFile is the file path for the default mounts to be mounted for the container
	// Note, for testing purposes mainly
	DefaultMountsFile string `toml:"default_mounts_file"`
	// ContainerExitsDir is the directory in which container exit files are
	// written to by conmon.
	ContainerExitsDir string `toml:"container_exits_dir"`
	// ContainerAttachSocketDir is the location for container attach sockets.
	ContainerAttachSocketDir string `toml:"container_attach_socket_dir"`
	// BindMountPrefix is the prefix to use for the source of the bind mounts.
	BindMountPrefix string `toml:"bind_mount_prefix"`
	// UIDMappings specifies the UID mappings to have in the user namespace.
	// A range is specified in the form containerUID:HostUID:Size. Multiple
	// ranges are separated by comma.
	UIDMappings string `toml:"uid_mappings"`
	// GIDMappings specifies the GID mappings to have in the user namespace.
	// A range is specified in the form containerUID:HostUID:Size. Multiple
	// ranges are separated by comma.
	GIDMappings string `toml:"gid_mappings"`
	// LogLevel determines the verbosity of the logs based on the level it is set to.
	// Options are fatal, panic, error (default), warn, info, and debug.
	LogLevel string `toml:"log_level"`
	// LogFilter specifies a regular expression to filter the log messages
	LogFilter string `toml:"log_filter"`
	// NamespacesDir is the directory where the state of the managed namespaces
	// gets tracked
	NamespacesDir string `toml:"namespaces_dir"`
	// PinnsPath is the path to find the pinns binary, which is needed
	// to manage namespace lifecycle
	PinnsPath string `toml:"pinns_path"`
	// Runtimes defines a list of OCI compatible runtimes. The runtime to
	// use is picked based on the runtime_handler provided by the CRI. If
	// no runtime_handler is provided, the runtime will be picked based on
	// the level of trust of the workload.
	Runtimes Runtimes `toml:"runtimes"`
	// PidsLimit is the number of processes each container is restricted to
	// by the cgroup process number controller.
	PidsLimit int64 `toml:"pids_limit"`
	// LogSizeMax is the maximum number of bytes after which the log file
	// will be truncated. It can be expressed as a human-friendly string
	// that is parsed to bytes.
	// Negative values indicate that the log file won't be truncated.
	LogSizeMax int64 `toml:"log_size_max"`
	// CtrStopTimeout specifies the time to wait before generating an
	// error because the container state is still tagged as "running".
	CtrStopTimeout int64 `toml:"ctr_stop_timeout"`
	// NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE`
	NoPivot bool `toml:"no_pivot"`
	// SELinux determines whether or not SELinux is used for pod separation.
	SELinux bool `toml:"selinux"`
	// Whether container output should be logged to journald in addition
	// to the kubernetes log file
	LogToJournald bool `toml:"log_to_journald"`
	// Deprecated: In favor of ManageNSLifecycle (described below)
	ManageNetworkNSLifecycle bool `toml:"manage_network_ns_lifecycle"`
	// ManageNSLifecycle determines whether we pin and remove namespaces
	// and manage their lifecycle
	ManageNSLifecycle bool `toml:"manage_ns_lifecycle"`
	// ReadOnly runs all pods/containers in read-only mode.
	// This mode will mount tmpfs on /run, /tmp and /var/tmp, if those are not mountpoints.
	// It will also set the readonly flag in the OCI Runtime Spec. In this mode containers
	// will only be able to write to volumes mounted into them.
	ReadOnly bool `toml:"read_only"`
}
RuntimeConfig represents the "crio.runtime" TOML config table.
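The UIDMappings and GIDMappings fields above carry a comma-separated list of containerUID:HostUID:Size ranges as a plain string, so nothing about the format is enforced by the type. Below is an added example (not CRI-O's own code) of a strict parser for that format plus a defender's sanity check that refuses a mapping set which places a container ID on host ID 0 or whose host-side ranges overlap; the type and function names and the sample mapping string are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// IDMap is one "containerID:hostID:size" range as written in the
// uid_mappings / gid_mappings options of crio.conf.
type IDMap struct{ ContainerID, HostID, Size uint32 }

// ParseIDMappings parses the comma separated range list used by the
// UIDMappings and GIDMappings fields; an empty string means no remapping.
// Each range must round-trip exactly, so stray fields or signs are rejected.
func ParseIDMappings(s string) ([]IDMap, error) {
	if strings.TrimSpace(s) == "" {
		return nil, nil
	}
	var out []IDMap
	for _, part := range strings.Split(s, ",") {
		var m IDMap
		_, err := fmt.Sscanf(part, "%d:%d:%d", &m.ContainerID, &m.HostID, &m.Size)
		if err != nil || fmt.Sprintf("%d:%d:%d", m.ContainerID, m.HostID, m.Size) != part {
			return nil, fmt.Errorf("mapping %q: want containerID:hostID:size", part)
		}
		if m.Size == 0 {
			return nil, fmt.Errorf("mapping %q: size must be greater than 0", part)
		}
		out = append(out, m)
	}
	return out, nil
}

// CheckHostRanges rejects a mapping set that hands a container ID host ID 0
// (container root would be host root) or whose host-side ranges overlap.
func CheckHostRanges(maps []IDMap) error {
	s := append([]IDMap(nil), maps...)
	sort.Slice(s, func(i, j int) bool { return s[i].HostID < s[j].HostID })
	for i, m := range s {
		if m.HostID == 0 {
			return fmt.Errorf("mapping %d:%d:%d covers host ID 0", m.ContainerID, m.HostID, m.Size)
		}
		if i > 0 && uint64(s[i-1].HostID)+uint64(s[i-1].Size) > uint64(m.HostID) {
			return fmt.Errorf("host ranges starting at %d and %d overlap", s[i-1].HostID, m.HostID)
		}
	}
	return nil
}

func main() {
	// Constructed sample: container root maps to host UID 100000, plus a second range.
	maps, err := ParseIDMappings("0:100000:65536,65536:200000:1024")
	fmt.Println(maps, err, CheckHostRanges(maps))
}
```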
func (*RuntimeConfig) Validate ¶ added in v1.16.0
func (c *RuntimeConfig) Validate(systemContext *types.SystemContext, onExecution bool) error
Validate is the main entry point for runtime configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.
func (*RuntimeConfig) ValidateConmonPath ¶ added in v1.16.0
func (c *RuntimeConfig) ValidateConmonPath(executable string) error
ValidateConmonPath checks if `Conmon` is set within the `RuntimeConfig`. If this is not the case, it tries to find it within the $PATH variable. In any other case, it simply checks if `Conmon` is a valid file.
func (*RuntimeConfig) ValidatePinnsPath ¶ added in v1.17.0
func (c *RuntimeConfig) ValidatePinnsPath(executable string) error
func (*RuntimeConfig) ValidateRuntimes ¶ added in v1.16.0
func (c *RuntimeConfig) ValidateRuntimes() error
ValidateRuntimes checks every configured runtime and reports whether its members are valid.
type RuntimeHandler ¶ added in v1.16.0
type RuntimeHandler struct {
	RuntimePath string `toml:"runtime_path"`
	RuntimeType string `toml:"runtime_type"`
	RuntimeRoot string `toml:"runtime_root"`
	// PrivilegedWithoutHostDevices can be used to restrict passing host devices
	// to a container running as privileged.
	PrivilegedWithoutHostDevices bool `toml:"privileged_without_host_devices"`
}
RuntimeHandler represents each item of the "crio.runtime.runtimes" TOML config table.
func (*RuntimeHandler) Validate ¶ added in v1.16.0
func (r *RuntimeHandler) Validate(name string) error
Validate checks if the whole runtime is valid.
func (*RuntimeHandler) ValidateRuntimePath ¶ added in v1.16.0
func (r *RuntimeHandler) ValidateRuntimePath(name string) error
ValidateRuntimePath checks if the `RuntimePath` is either set or available within the $PATH environment. The method fails on any `RuntimePath` lookup error.
func (*RuntimeHandler) ValidateRuntimeType ¶ added in v1.16.0
func (r *RuntimeHandler) ValidateRuntimeType(name string) error
ValidateRuntimeType checks if the `RuntimeType` is valid.
type Runtimes ¶ added in v1.16.0
type Runtimes map[string]*RuntimeHandler
Runtimes holds multiple runtime handlers in a map, keyed by the runtime name.