@@ -35,27 +35,22 @@ storage_driver = "overlay"
3535# the kubelet. The log directory specified must be an absolute directory.
3636log_dir = "/var/log/crio/pods"
3737
38- # Location for CRI-O to lay down the temporary version file.
39- # It is used to check if crio wipe should wipe containers, which should
40- # always happen on a node reboot
41- version_file = "/var/run/crio/version"
42-
43- # Location for CRI-O to lay down the persistent version file.
44- # It is used to check if crio wipe should wipe images, which should
45- # only happen when CRI-O has been upgraded
46- version_file_persist = "/var/lib/crio/version"
38+ # Location for CRI-O to lay down the version file
39+ version_file = "/var/lib/crio/version"
4740
4841# The crio.api table contains settings for the kubelet/gRPC interface.
4942[crio.api]
5043
5144# Path to AF_LOCAL socket on which CRI-O will listen.
5245listen = "/var/run/crio/crio.sock"
5346
47+ # Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
48+ host_ip = ""
49+
5450# IP address on which the stream server will listen.
5551stream_address = "127.0.0.1"
5652
57- # The port on which the stream server will listen. If the port is set to "0", then
58- # CRI-O will allocate a random free port number.
53+ # The port on which the stream server will listen.
5954stream_port = "0"
6055
6156# Enable encrypted TLS transport of the stream server.
@@ -99,10 +94,6 @@ default_runtime = "runc"
9994# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
10095no_pivot = false
10196
102- # decryption_keys_path is the path where the keys required for
103- # image decryption are stored. This option supports live configuration reload.
104- decryption_keys_path = "/etc/crio/keys/"
105-
10697# Path to the conmon binary, used for monitoring the OCI runtime.
10798# Will be searched for using $PATH if empty.
10899conmon = "/usr/libexec/crio/conmon"
@@ -116,26 +107,17 @@ conmon_env = [
116107 "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
117108]
118109
119- # Additional environment variables to set for all the
120- # containers. These are overridden if set in the
121- # container image spec or in the container runtime configuration.
122- default_env = [
123- ]
124-
125110# If true, SELinux will be used for pod separation on the host.
126111selinux = false
127112
128113# Path to the seccomp.json profile which is used as the default seccomp profile
129114# for the runtime. If not specified, then the internal default seccomp profile
130- # will be used. This option supports live configuration reload.
115+ # will be used.
131116seccomp_profile = ""
132117
133118# Used to change the name of the default AppArmor profile of CRI-O. The default
134- # profile name is "crio-default". This profile only takes effect if the user
135- # does not specify a profile via the Kubernetes Pod's metadata annotation. If
136- # the profile is set to "unconfined", then this equals to disabling AppArmor.
137- # This option supports live configuration reload.
138- apparmor_profile = "crio-default"
119+ # profile name is "crio-default-" followed by the version string of CRI-O.
120+ apparmor_profile = "crio-default-1.16.1"
139121
140122# Cgroup management implementation used for the runtime.
141123cgroup_manager = "systemd"
@@ -144,15 +126,17 @@ cgroup_manager = "systemd"
144126# only the capabilities defined in the containers json file by the user/kube
145127# will be added.
146128default_capabilities = [
147- "CHOWN",
148- "DAC_OVERRIDE",
149- "FSETID",
150- "FOWNER",
151- "SETGID",
152- "SETUID",
153- "SETPCAP",
154- "NET_BIND_SERVICE",
155- "KILL",
129+ "CHOWN",
130+ "DAC_OVERRIDE",
131+ "FSETID",
132+ "FOWNER",
133+ "NET_RAW",
134+ "SETGID",
135+ "SETUID",
136+ "SETPCAP",
137+ "NET_BIND_SERVICE",
138+ "SYS_CHROOT",
139+ "KILL",
156140]
157141
158142# List of default sysctls. If it is empty or commented out, only the sysctls
@@ -167,10 +151,8 @@ default_sysctls = [
167151additional_devices = [
168152]
169153
170- # Path to OCI hooks directories for automatically executed hooks. If one of the
171- # directories does not exist, then CRI-O will automatically skip them.
154+ # Path to OCI hooks directories for automatically executed hooks.
172155hooks_dir = [
173- "/usr/share/containers/oci/hooks.d",
174156]
175157
176158# List of default mounts for each container. **Deprecated:** this option will
@@ -218,13 +200,9 @@ bind_mount_prefix = ""
218200read_only = false
219201
220202# Changes the verbosity of the logs based on the level it is set to. Options
221- # are fatal, panic, error, warn, info, debug and trace. This option supports
222- # live configuration reload.
223- log_level = "info"
224-
225- # Filter the log messages by the provided regular expression.
226- # This option supports live configuration reload.
227- log_filter = ""
203+ # are fatal, panic, error, warn, info, and debug. This option supports live
204+ # configuration reload.
205+ log_level = "error"
228206
229207# The UID mappings for the user namespace of each container. A range is
230208# specified in the form containerUID:HostUID:Size. Multiple ranges must be
@@ -237,23 +215,12 @@ uid_mappings = ""
237215gid_mappings = ""
238216
239217# The minimal amount of time in seconds to wait before issuing a timeout
240- # regarding the proper termination of the container. The lowest possible
241- # value is 30s, whereas lower values are not considered by CRI-O.
242- ctr_stop_timeout = 30
243-
244- # **DEPRECATED** this option is being replaced by manage_ns_lifecycle, which is described below.
245- # manage_network_ns_lifecycle = false
218+ # regarding the proper termination of the container.
219+ ctr_stop_timeout = 0
246220
247- # manage_ns_lifecycle determines whether we pin and remove namespaces
248- # and manage their lifecycle
249- manage_ns_lifecycle = false
250-
251- # The directory where the state of the managed namespaces gets tracked.
252- # Only used when manage_ns_lifecycle is true.
253- namespaces_dir = "/var/run"
254-
255- # pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle
256- pinns_path = "/usr/bin/pinns"
221+ # ManageNetworkNSLifecycle determines whether we pin and remove network namespace
222+ # and manage its lifecycle.
223+ manage_network_ns_lifecycle = false
257224
258225# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
259226# The runtime to use is picked based on the runtime_handler provided by the CRI.
@@ -314,7 +281,7 @@ global_auth_file = ""
314281
315282# The image used to instantiate infra containers.
316283# This option supports live configuration reload.
317- pause_image = "k8s.gcr.io/pause:3.2 "
284+ pause_image = "k8s.gcr.io/pause:3.1 "
318285
319286# The path to a file containing credentials specific for pulling the pause_image from
320287# above. The file is similar to that of /var/lib/kubelet/config.json
@@ -357,10 +324,6 @@ registries = [
357324# CNI plugins.
358325[crio.network]
359326
360- # The default CNI network name to be selected. If not set or "", then
361- # CRI-O will pick-up the first one found in network_dir.
362- # cni_default_network = ""
363-
364327# Path to the directory where CNI configuration files are located.
365328network_dir = "/etc/cni/net.d/"
366329
0 commit comments