package config

v1.20.4

Published: Jul 19, 2021 License: Apache-2.0 Imports: 37 Imported by: 1

Documentation

Constants

const (
	DefaultRuntimeType = "oci"
	DefaultRuntimeRoot = "/run/runc"

	OCIBufSize    = 8192
	RuntimeTypeVM = "vm"
)

Defaults if none are specified

const (
	// DefaultPidsLimit is the default value for maximum number of processes
	// allowed inside a container
	DefaultPidsLimit = 1024

	// DefaultLogSizeMax is the default value for the maximum log size
	// allowed for a container. Negative values mean that no limit is imposed.
	DefaultLogSizeMax = -1

	// DefaultLogToJournald is the default value for whether conmon should
	// log to journald in addition to kubernetes log file.
	DefaultLogToJournald = false
)
const (
	ContainerAttachSocketDir = "/var/run/crio"

	// CrioConfigPath is the default location for the conf file
	CrioConfigPath = "/etc/crio/crio.conf"

	// CrioConfigDropInPath is the default location for the drop-in config files
	CrioConfigDropInPath = "/etc/crio/crio.conf.d"

	// CrioSocketPath is where the unix socket is located
	CrioSocketPath = "/var/run/crio/crio.sock"

	// CrioVersionPathTmp is where the CRI-O version file is located on a tmpfs disk
	// used to check if we should wipe containers
	CrioVersionPathTmp = "/var/run/crio/version"

	// CrioVersionPathPersist is where the CRI-O version file is located
	// used to check whether we've upgraded, and thus need to remove images
	CrioVersionPathPersist = "/var/lib/crio/version"
)

Defaults for linux/unix if none are specified

const (
	// IpcNamespace is the Linux IPC namespace
	IpcNamespace = Namespace("ipc")

	// NetNamespace is the network namespace
	NetNamespace = Namespace("net")

	// UnknownNamespace is the zero value if no namespace is known
	UnknownNamespace = Namespace("")
)
const (
	// DefaultIrqBalanceConfigFile default irqbalance service configuration file path
	DefaultIrqBalanceConfigFile = "/etc/sysconfig/irqbalance"
)

Variables

This section is empty.

Functions

func RemoveUnusedSocket added in v1.19.0

func RemoveUnusedSocket(path string) error

RemoveUnusedSocket first ensures that the path to the socket exists and removes unused socket connections if available.

Types

type APIConfig

type APIConfig struct {
	// GRPCMaxSendMsgSize is the maximum grpc send message size in bytes.
	GRPCMaxSendMsgSize int `toml:"grpc_max_send_msg_size"`

	// GRPCMaxRecvMsgSize is the maximum grpc receive message size in bytes.
	GRPCMaxRecvMsgSize int `toml:"grpc_max_recv_msg_size"`

	// Listen is the path to the AF_LOCAL socket on which cri-o will listen.
	// This may support proto://addr formats later, but currently this is just
	// a path.
	Listen string `toml:"listen"`

	// StreamAddress is the IP address on which the stream server will listen.
	StreamAddress string `toml:"stream_address"`

	// StreamPort is the port on which the stream server will listen.
	StreamPort string `toml:"stream_port"`

	// StreamEnableTLS enables encrypted tls transport of the stream server
	StreamEnableTLS bool `toml:"stream_enable_tls"`

	// StreamTLSCert is the x509 certificate file path used to serve the encrypted stream
	StreamTLSCert string `toml:"stream_tls_cert"`

	// StreamTLSKey is the key file path used to serve the encrypted stream
	StreamTLSKey string `toml:"stream_tls_key"`

	// StreamTLSCA is the x509 CA(s) file used to verify and authenticate client
	// communication with the tls encrypted stream
	StreamTLSCA string `toml:"stream_tls_ca"`

	// StreamIdleTimeout is how long to leave idle connections open for
	StreamIdleTimeout string `toml:"stream_idle_timeout"`
}

APIConfig represents the "crio.api" TOML config table.

func (*APIConfig) Validate added in v1.16.0

func (c *APIConfig) Validate(onExecution bool) error

Validate is the main entry point for API configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.

type Config added in v1.16.0

type Config struct {
	RootConfig
	APIConfig
	RuntimeConfig
	ImageConfig
	NetworkConfig
	MetricsConfig
	SystemContext *types.SystemContext
	// contains filtered or unexported fields
}

Config represents the entire set of configuration values that can be set for the server. This is intended to be loaded from a toml-encoded config file.

func DefaultConfig added in v1.16.0

func DefaultConfig() (*Config, error)

DefaultConfig returns the default configuration for crio.

func (*Config) GetData added in v1.16.0

func (c *Config) GetData() *Config

GetData returns the Config of an Iface.

func (*Config) Reload added in v1.16.0

func (c *Config) Reload() error

Reload reloads the configuration for the single crio.conf and the drop-in configuration directory.

func (*Config) ReloadAppArmorProfile added in v1.18.0

func (c *Config) ReloadAppArmorProfile(newConfig *Config) error

ReloadAppArmorProfile reloads the AppArmor profile from the new config if they differ.

func (*Config) ReloadDecryptionKeyConfig added in v1.18.0

func (c *Config) ReloadDecryptionKeyConfig(newConfig *Config)

ReloadDecryptionKeyConfig updates the DecryptionKeysPath with the provided `newConfig`.

func (*Config) ReloadLogFilter added in v1.17.0

func (c *Config) ReloadLogFilter(newConfig *Config) error

ReloadLogFilter updates the LogFilter with the provided `newConfig`. It errors if the filter is not applicable.

func (*Config) ReloadLogLevel added in v1.16.0

func (c *Config) ReloadLogLevel(newConfig *Config) error

ReloadLogLevel updates the LogLevel with the provided `newConfig`. It errors if the level is not parsable.

func (*Config) ReloadPauseImage added in v1.16.0

func (c *Config) ReloadPauseImage(newConfig *Config) error

func (*Config) ReloadRegistries added in v1.18.0

func (c *Config) ReloadRegistries() error

ReloadRegistries reloads the registry configuration from the Configs `SystemContext`. The method errors in case of any update failure.

func (*Config) ReloadSeccompProfile added in v1.18.0

func (c *Config) ReloadSeccompProfile(newConfig *Config) error

ReloadSeccompProfile reloads the seccomp profile from the new config if their paths differ.

func (*Config) SetLocations added in v1.18.0

func (c *Config) SetLocations(singleConfigPath, dropInConfigDir string)

func (*Config) StartWatcher added in v1.18.0

func (c *Config) StartWatcher()

StartWatcher starts a new SIGHUP go routine for the current config.

func (*Config) ToBytes added in v1.16.0

func (c *Config) ToBytes() ([]byte, error)

ToBytes encodes the config into a byte slice. It errors if the encoding fails, which should never happen because of the general type safety of the config.

func (*Config) ToFile added in v1.16.0

func (c *Config) ToFile(path string) error

ToFile outputs the given Config as a TOML-encoded file at the given path. Returns errors encountered when generating or writing the file, or nil otherwise.

func (*Config) UpdateFromFile added in v1.16.0

func (c *Config) UpdateFromFile(path string) error

UpdateFromFile populates the Config from the TOML-encoded file at the given path. Returns errors encountered when reading or parsing the files, or nil otherwise.

func (*Config) UpdateFromPath added in v1.17.0

func (c *Config) UpdateFromPath(path string) error

UpdateFromPath recursively iterates the provided path and updates the configuration from every file found in it.

func (*Config) Validate added in v1.16.0

func (c *Config) Validate(onExecution bool) error

Validate is the main entry point for library configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.

func (*Config) WriteTemplate added in v1.16.0

func (c *Config) WriteTemplate(w io.Writer) error

WriteTemplate writes the configuration template to the provided writer.

type Iface added in v1.16.0

type Iface interface {
	GetStore() (storage.Store, error)
	GetData() *Config
}

Iface provides a config interface for data encapsulation

type ImageConfig

type ImageConfig struct {
	// DefaultTransport is a value we prefix to image names that fail to
	// validate source references.
	DefaultTransport string `toml:"default_transport"`
	// GlobalAuthFile is a path to a file like /var/lib/kubelet/config.json
	// containing credentials necessary for pulling images from secure
	// registries.
	GlobalAuthFile string `toml:"global_auth_file"`
	// PauseImage is the name of an image which we use to instantiate infra
	// containers.
	PauseImage string `toml:"pause_image"`
	// PauseImageAuthFile, if not empty, is a path to a file like
	// /var/lib/kubelet/config.json containing credentials necessary
	// for pulling PauseImage
	PauseImageAuthFile string `toml:"pause_image_auth_file"`
	// PauseCommand is the path of the binary we run in an infra
	// container that's been instantiated using PauseImage.
	PauseCommand string `toml:"pause_command"`
	// SignaturePolicyPath is the name of the file which decides what sort
	// of policy we use when deciding whether or not to trust an image that
	// we've pulled.  Outside of testing situations, it is strongly advised
	// that this be left unspecified so that the default system-wide policy
	// will be used.
	SignaturePolicyPath string `toml:"signature_policy"`
	// InsecureRegistries is a list of registries that must be contacted w/o
	// TLS verification.
	InsecureRegistries []string `toml:"insecure_registries"`
	// ImageVolumes controls how volumes specified in image config are handled
	ImageVolumes ImageVolumesType `toml:"image_volumes"`
	// Registries holds a list of registries used to pull unqualified images
	Registries []string `toml:"registries"`
	// Temporary directory for big files
	BigFilesTemporaryDir string `toml:"big_files_temporary_dir"`
}

ImageConfig represents the "crio.image" TOML config table.

type ImageVolumesType

type ImageVolumesType string

ImageVolumesType describes image volume handling strategies

const (
	// ImageVolumesMkdir option is for using mkdir to handle image volumes
	ImageVolumesMkdir ImageVolumesType = "mkdir"
	// ImageVolumesIgnore option is for ignoring image volumes altogether
	ImageVolumesIgnore ImageVolumesType = "ignore"
	// ImageVolumesBind option is for using bind mounted volumes
	ImageVolumesBind ImageVolumesType = "bind"
)

type MetricsConfig added in v1.16.0

type MetricsConfig struct {
	// EnableMetrics can be used to globally enable or disable metrics support
	EnableMetrics bool `toml:"enable_metrics"`

	// MetricsPort is the port on which the metrics server will listen.
	MetricsPort int `toml:"metrics_port"`

	// Local socket path to bind the metrics server to
	MetricsSocket string `toml:"metrics_socket"`
}

MetricsConfig specifies all necessary configuration for Prometheus based metrics retrieval

type Namespace added in v1.18.0

type Namespace string

Namespace represents a kernel namespace name.

type NetworkConfig

type NetworkConfig struct {
	// CNIDefaultNetwork is the default CNI network name to be selected
	CNIDefaultNetwork string `toml:"cni_default_network"`

	// NetworkDir is where CNI network configuration files are stored.
	NetworkDir string `toml:"network_dir"`

	// PluginDir is where CNI plugin binaries are stored.
	PluginDir string `toml:"plugin_dir,omitempty"`

	// PluginDirs is where CNI plugin binaries are stored.
	PluginDirs []string `toml:"plugin_dirs"`
	// contains filtered or unexported fields
}

NetworkConfig represents the "crio.network" TOML config table

func (*NetworkConfig) CNIPlugin added in v1.18.0

func (c *NetworkConfig) CNIPlugin() ocicni.CNIPlugin

CNIPlugin returns the network configuration CNI plugin

func (*NetworkConfig) Validate added in v1.16.0

func (c *NetworkConfig) Validate(onExecution bool) error

Validate is the main entry point for network configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.

type RootConfig

type RootConfig struct {
	// Root is a path to the "root directory" where data not
	// explicitly handled by other options will be stored.
	Root string `toml:"root"`

	// RunRoot is a path to the "run directory" where state information not
	// explicitly handled by other options will be stored.
	RunRoot string `toml:"runroot"`

	// Storage is the name of the storage driver which handles actually
	// storing the contents of containers.
	Storage string `toml:"storage_driver"`

	// StorageOption is a list of storage driver specific options.
	StorageOptions []string `toml:"storage_option"`

	// LogDir is the default log directory where all logs will go unless kubelet
	// tells us to put them somewhere else.
	LogDir string `toml:"log_dir"`

	// VersionFile is the location CRI-O will lay down the version file
	// that checks whether we've rebooted
	VersionFile string `toml:"version_file"`

	// VersionFilePersist is the location CRI-O will lay down the version file
	// that checks whether we've upgraded
	VersionFilePersist string `toml:"version_file_persist"`

	// InternalWipe is whether CRI-O should wipe containers and images after a reboot when the server starts.
	// If set to false, one must use the external command `crio wipe` to wipe the containers and images in these situations.
	InternalWipe bool `toml:"internal_wipe"`
}

RootConfig represents the root of the "crio" TOML config table.

func (*RootConfig) GetStore added in v1.18.4

func (c *RootConfig) GetStore() (storage.Store, error)

GetStore returns the container storage for a given configuration

func (*RootConfig) Validate added in v1.16.0

func (c *RootConfig) Validate(onExecution bool) error

Validate is the main entry point for root configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.

type RuntimeConfig

type RuntimeConfig struct {
	// SeccompUseDefaultWhenEmpty specifies whether the default profile
	// should be used when an empty one is specified.
	SeccompUseDefaultWhenEmpty bool `toml:"seccomp_use_default_when_empty"`

	// NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE`
	NoPivot bool `toml:"no_pivot"`

	// SELinux determines whether or not SELinux is used for pod separation.
	SELinux bool `toml:"selinux"`

	// Whether container output should be logged to journald in addition
	// to the kubernetes log file
	LogToJournald bool `toml:"log_to_journald"`

	// ManageNSLifecycle determines whether we pin and remove namespaces
	// and manage their lifecycle
	// This option is being deprecated
	ManageNSLifecycle bool `toml:"manage_ns_lifecycle"`

	// DropInfraCtr determines whether the infra container is dropped when appropriate.
	// Requires ManageNSLifecycle to be true.
	DropInfraCtr bool `toml:"drop_infra_ctr"`

	// ReadOnly runs all pods/containers in read-only mode.
	// This mode will mount tmpfs on /run, /tmp and /var/tmp, if those are not mountpoints.
	// It will also set the readonly flag in the OCI Runtime Spec. In this mode containers
	// will only be able to write to volumes mounted into them.
	ReadOnly bool `toml:"read_only"`

	// ConmonEnv is the environment variable list for conmon process.
	ConmonEnv []string `toml:"conmon_env"`

	// HooksDir holds paths to the directories containing hooks
	// configuration files.  When the same filename is present in
	// multiple directories, the file in the directory listed last in
	// this slice takes precedence.
	HooksDir []string `toml:"hooks_dir"`

	// Capabilities to add to all containers.
	DefaultCapabilities capabilities.Capabilities `toml:"default_capabilities"`

	// Additional environment variables to set for all the
	// containers. These are overridden if set in the
	// container image spec or in the container runtime configuration.
	DefaultEnv []string `toml:"default_env"`

	// Sysctls to add to all containers.
	DefaultSysctls []string `toml:"default_sysctls"`

	// DefaultUlimits specifies the default ulimits to apply to containers
	DefaultUlimits []string `toml:"default_ulimits"`

	// Devices to add to containers
	AdditionalDevices []string `toml:"additional_devices"`

	// DefaultRuntime is the _name_ of the OCI runtime to be used as the default.
	// The name is matched against the Runtimes map below.
	DefaultRuntime string `toml:"default_runtime"`

	// DecryptionKeysPath is the path where keys for image decryption are stored.
	DecryptionKeysPath string `toml:"decryption_keys_path"`

	// Conmon is the path to conmon binary, used for managing the runtime.
	Conmon string `toml:"conmon"`

	// ConmonCgroup is the cgroup setting used for conmon.
	ConmonCgroup string `toml:"conmon_cgroup"`

	// SeccompProfile is the seccomp.json profile path which is used as the
	// default for the runtime.
	SeccompProfile string `toml:"seccomp_profile"`

	// ApparmorProfile is the apparmor profile name which is used as the
	// default for the runtime.
	ApparmorProfile string `toml:"apparmor_profile"`

	// IrqBalanceConfigFile is the irqbalance service config file which is used
	// for configuring irqbalance daemon.
	IrqBalanceConfigFile string `toml:"irqbalance_config_file"`

	// CgroupManagerName is the manager implementation name which is used to
	// handle cgroups for containers.
	CgroupManagerName string `toml:"cgroup_manager"`

	// DefaultMountsFile is the file path for the default mounts to be mounted for the container
	// Note, for testing purposes mainly
	DefaultMountsFile string `toml:"default_mounts_file"`

	// ContainerExitsDir is the directory in which container exit files are
	// written to by conmon.
	ContainerExitsDir string `toml:"container_exits_dir"`

	// ContainerAttachSocketDir is the location for container attach sockets.
	ContainerAttachSocketDir string `toml:"container_attach_socket_dir"`

	// BindMountPrefix is the prefix to use for the source of the bind mounts.
	BindMountPrefix string `toml:"bind_mount_prefix"`

	// UIDMappings specifies the UID mappings to have in the user namespace.
	// A range is specified in the form containerUID:HostUID:Size.  Multiple
	// ranges are separated by comma.
	UIDMappings string `toml:"uid_mappings"`

	// GIDMappings specifies the GID mappings to have in the user namespace.
	// A range is specified in the form containerUID:HostUID:Size.  Multiple
	// ranges are separated by comma.
	GIDMappings string `toml:"gid_mappings"`

	// LogLevel determines the verbosity of the logs based on the level it is set to.
	// Options are fatal, panic, error (default), warn, info, and debug.
	LogLevel string `toml:"log_level"`

	// LogFilter specifies a regular expression to filter the log messages
	LogFilter string `toml:"log_filter"`

	// NamespacesDir is the directory where the state of the managed namespaces
	// gets tracked
	NamespacesDir string `toml:"namespaces_dir"`

	// PinnsPath is the path to find the pinns binary, which is needed
	// to manage namespace lifecycle
	PinnsPath string `toml:"pinns_path"`

	// Runtimes defines a list of OCI compatible runtimes. The runtime to
	// use is picked based on the runtime_handler provided by the CRI. If
	// no runtime_handler is provided, the runtime will be picked based on
	// the level of trust of the workload.
	Runtimes Runtimes `toml:"runtimes"`

	// PidsLimit is the number of processes each container is restricted to
	// by the cgroup process number controller.
	PidsLimit int64 `toml:"pids_limit"`

	// LogSizeMax is the maximum number of bytes after which the log file
	// will be truncated. It can be expressed as a human-friendly string
	// that is parsed to bytes.
	// Negative values indicate that the log file won't be truncated.
	LogSizeMax int64 `toml:"log_size_max"`

	// CtrStopTimeout specifies the time to wait before to generate an
	// error because the container state is still tagged as "running".
	CtrStopTimeout int64 `toml:"ctr_stop_timeout"`

	// SeparatePullCgroup specifies whether an image pull must be performed in a separate cgroup
	SeparatePullCgroup string `toml:"separate_pull_cgroup"`

	// InfraCtrCPUSet is the CPU set that will be used to run infra containers
	InfraCtrCPUSet string `toml:"infra_ctr_cpuset"`
	// contains filtered or unexported fields
}

RuntimeConfig represents the "crio.runtime" TOML config table.

func (*RuntimeConfig) AppArmor added in v1.18.0

func (c *RuntimeConfig) AppArmor() *apparmor.Config

AppArmor returns the AppArmor configuration

func (*RuntimeConfig) CgroupManager

func (c *RuntimeConfig) CgroupManager() cgmgr.CgroupManager

CgroupManager returns the CgroupManager configuration

func (*RuntimeConfig) ConmonSupportsSync added in v1.18.3

func (c *RuntimeConfig) ConmonSupportsSync() bool

func (*RuntimeConfig) Devices added in v1.20.0

func (c *RuntimeConfig) Devices() []device.Device

func (*RuntimeConfig) Seccomp added in v1.18.0

func (c *RuntimeConfig) Seccomp() *seccomp.Config

Seccomp returns the seccomp configuration

func (*RuntimeConfig) Sysctls added in v1.18.0

func (c *RuntimeConfig) Sysctls() ([]Sysctl, error)

Sysctls returns the parsed sysctl slice and an error if not parsable

func (*RuntimeConfig) Ulimits added in v1.19.0

func (c *RuntimeConfig) Ulimits() []ulimits.Ulimit

Ulimits returns the Ulimits configuration

func (*RuntimeConfig) Validate added in v1.16.0

func (c *RuntimeConfig) Validate(systemContext *types.SystemContext, onExecution bool) error

Validate is the main entry point for runtime configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.

func (*RuntimeConfig) ValidateConmonPath added in v1.16.0

func (c *RuntimeConfig) ValidateConmonPath(executable string) error

ValidateConmonPath checks if `Conmon` is set within the `RuntimeConfig`. If this is not the case, it tries to find it within the $PATH variable. In any other case, it simply checks if `Conmon` is a valid file.

func (*RuntimeConfig) ValidatePinnsPath added in v1.17.0

func (c *RuntimeConfig) ValidatePinnsPath(executable string) error

func (*RuntimeConfig) ValidateRuntimes added in v1.16.0

func (c *RuntimeConfig) ValidateRuntimes() error

ValidateRuntimes checks every runtime if its members are valid

type RuntimeHandler added in v1.16.0

type RuntimeHandler struct {
	RuntimePath string `toml:"runtime_path"`
	RuntimeType string `toml:"runtime_type"`
	RuntimeRoot string `toml:"runtime_root"`
	// PrivilegedWithoutHostDevices can be used to restrict passing host devices
	// to a container running as privileged.
	PrivilegedWithoutHostDevices bool `toml:"privileged_without_host_devices,omitempty"`
	// AllowedAnnotations is a slice of experimental annotations that this runtime handler is allowed to process.
	// The currently recognized values are:
	// "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod.
	// "io.kubernetes.cri-o.Devices" for configuring devices for the pod.
	// "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm.
	AllowedAnnotations []string `toml:"allowed_annotations,omitempty"`
}

RuntimeHandler represents each item of the "crio.runtime.runtimes" TOML config table.

func (*RuntimeHandler) Validate added in v1.16.0

func (r *RuntimeHandler) Validate(name string) error

Validate checks if the whole runtime is valid.

func (*RuntimeHandler) ValidateRuntimePath added in v1.16.0

func (r *RuntimeHandler) ValidateRuntimePath(name string) error

ValidateRuntimePath checks if the `RuntimePath` is either set or available within the $PATH environment. The method fails on any `RuntimePath` lookup error.

func (*RuntimeHandler) ValidateRuntimeType added in v1.16.0

func (r *RuntimeHandler) ValidateRuntimeType(name string) error

ValidateRuntimeType checks if the `RuntimeType` is valid.

type Runtimes added in v1.16.0

type Runtimes map[string]*RuntimeHandler

Runtimes holds multiple runtime handlers in a map, keyed by handler name.

type Sysctl added in v1.18.0

type Sysctl struct {
	// contains filtered or unexported fields
}

Sysctl is a generic abstraction over key value based sysctls

func (*Sysctl) Key added in v1.18.0

func (s *Sysctl) Key() string

Key returns the key of the sysctl (key=value format)

func (*Sysctl) Validate added in v1.18.0

func (s *Sysctl) Validate(hostNet, hostIPC bool) error

Validate checks that a sysctl is whitelisted because it is known to be namespaced by the Linux kernel. The parameters hostNet and hostIPC are used to forbid sysctls for pods sharing the respective namespaces with the host. This check is only used on sysctls defined by the user in the crio.conf file.

func (*Sysctl) Value added in v1.18.0

func (s *Sysctl) Value() string

Value returns the value of the sysctl (key=value format)
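The namespace-aware sysctl check described for Sysctl.Validate above, as an added Go example that is not CRI-O's own code: it parses key=value entries, maps each key to the Namespace constants this package defines, and rejects keys that are not namespaced at all or whose namespace the pod shares with the host. The NewSysctl helper and the allowlist table are assumptions made for the example, not a copy of the project's table.

```go
package main

import (
	"fmt"
	"strings"
)

// Namespace mirrors this package's Namespace type: the kernel namespace scoping a sysctl.
type Namespace string
const (
	IpcNamespace     = Namespace("ipc")
	NetNamespace     = Namespace("net")
	UnknownNamespace = Namespace("") // key not known to be namespaced
)

// Sysctl holds one key=value entry as read from default_sysctls in crio.conf.
type Sysctl struct{ key, value string }

// NewSysctl parses a "key=value" string (constructed helper, not CRI-O's API);
// entries without '=' or with an empty key are rejected up front.
func NewSysctl(entry string) (*Sysctl, error) {
	parts := strings.SplitN(entry, "=", 2)
	key := strings.TrimSpace(parts[0])
	if len(parts) != 2 || key == "" {
		return nil, fmt.Errorf("sysctl %q is not in key=value format", entry)
	}
	return &Sysctl{key: key, value: strings.TrimSpace(parts[1])}, nil
}

func (s *Sysctl) Key() string   { return s.key }
func (s *Sysctl) Value() string { return s.value }

// ASSUMPTION: this allowlist of kernel-namespaced sysctls is reconstructed for
// the example and is not a copy of CRI-O's own table.
var exactKeys = map[string]Namespace{
	"kernel.msgmax": IpcNamespace, "kernel.msgmnb": IpcNamespace, "kernel.msgmni": IpcNamespace,
	"kernel.sem": IpcNamespace, "kernel.shmall": IpcNamespace, "kernel.shmmax": IpcNamespace,
	"kernel.shmmni": IpcNamespace, "kernel.shm_rmid_forced": IpcNamespace,
}

var prefixKeys = map[string]Namespace{
	"fs.mqueue.": IpcNamespace, // POSIX message queues live in the IPC namespace
	"net.":       NetNamespace, // the whole net.* tree is per network namespace
}

// namespaceOf returns the namespace that scopes key, or UnknownNamespace.
func namespaceOf(key string) Namespace {
	if ns, ok := exactKeys[key]; ok {
		return ns
	}
	for prefix, ns := range prefixKeys {
		if strings.HasPrefix(key, prefix) {
			return ns
		}
	}
	return UnknownNamespace
}

// Validate rejects a sysctl that is not namespaced (it would change the host's
// setting) and a namespaced one whose namespace the pod shares with the host.
func (s *Sysctl) Validate(hostNet, hostIPC bool) error {
	switch namespaceOf(s.key) {
	case NetNamespace:
		if hostNet {
			return fmt.Errorf("%q not allowed with host network enabled", s.key)
		}
	case IpcNamespace:
		if hostIPC {
			return fmt.Errorf("%q not allowed with host IPC enabled", s.key)
		}
	default:
		return fmt.Errorf("%q is not a namespaced sysctl and is not allowlisted", s.key)
	}
	return nil
}
```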
