Hello community, here is the log from the commit of package cri-o.10751 for openSUSE:Leap:15.1:Update checked in at 2020-04-26 16:11:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.1:Update/cri-o.10751 (Old) and /work/SRC/openSUSE:Leap:15.1:Update/.cri-o.10751.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cri-o.10751" Sun Apr 26 16:11:59 2020 rev:1 rq:796538 version:1.17.1 Changes: -------- New Changes file: --- /dev/null 2020-04-14 14:47:33.391806949 +0200 +++ /work/SRC/openSUSE:Leap:15.1:Update/.cri-o.10751.new.2738/cri-o.changes 2020-04-26 16:12:01.312232409 +0200 
@@ -0,0 +1,1046 @@ +------------------------------------------------------------------- +Fri Mar 27 12:25:19 UTC 2020 - Richard Brown <[email protected]> + +- Use new pause:3.2 image + +------------------------------------------------------------------- +Mon Mar 16 16:24:00 UTC 2020 - Sascha Grunert <[email protected]> + +- Update to v1.17.1: + * Drop conmonmon + * Update docs and completions for crio wipe --force + * wipe: Add a force flag for skipping version check + * Restore sandbox selinux labels directly from config.json + * klog: don't write to /tmp + * Pass down the integer value of the stop signal + * exec: Close pipe fds to prevent hangs + * Unwrap errors from label.Relabel() before checking for ENOTSUP + * oci: Handle timeouts correctly for probes + +------------------------------------------------------------------- +Mon Feb 10 14:59:52 UTC 2020 - Sascha Grunert <[email protected]> + +- Put default configuration in /etc/crio/crio.conf.d/00-default.conf + in replacement for /etc/crio/crio.conf + +------------------------------------------------------------------- +Mon Feb 10 14:05:47 UTC 2020 - Sascha Grunert <[email protected]> + +- Uncomment default apparmor profile to always fallback to the + default one + +------------------------------------------------------------------- +Mon Feb 10 08:18:28 UTC 2020 - Sascha Grunert <[email protected]> + +- Remove prevent-local-loopback-teardown-rh1754154.patch which is + now included in upstream +- Update to v1.17.0: + * Major Changes + - Allow CRI-O to manage IPC and UTS namespaces, in addition to + Network + - Add support for drop-in configuration files + - Added image pull and network setup metrics + - Image decryption support + - Remove unneeded host_ip configuration value + * Minor Changes + - Setup container environment variables before user + - Move default version file location to a tmpfs + - Failures to stop the network will now cause a stop sandbox + request to fail + - Persist container exit codes 
across reboot + - Add conmonmon: a conmon monitoring loop to protect against + conmon being OOM'd + - Add namespaces{-_}dir CLI and config option + - Add disk usage for ListContainerStats + - Introduce new runtime field to restrict devices in privileged + mode + +------------------------------------------------------------------- +Sat Jan 18 17:36:51 UTC 2020 - Sascha Grunert <[email protected]> + +- Fix invalid apparmor profile (bsc#1161179) + +------------------------------------------------------------------- +Thu Jan 16 11:56:58 UTC 2020 - Sascha Grunert <[email protected]> + +- Include system proxy settings in service if present (bsc#1155323) + +------------------------------------------------------------------- +Thu Jan 16 11:30:27 UTC 2020 - Sascha Grunert <[email protected]> + +- Removed the usage of `name_` variables to reduce the error + proneness +- Fixed systemd unit install locations for crio-wipe.service and + crio-shutdown.service (bsc#1161056) + +------------------------------------------------------------------- +Fri Jan 10 13:40:13 UTC 2020 - Richard Brown <[email protected]> + +- Add prevent-local-loopback-teardown-rh1754154.patch to stop local loopback interfaces being torndown before cluster is bootstrapped + +------------------------------------------------------------------- +Tue Dec 17 08:51:58 UTC 2019 - [email protected] + +- Make cgroup-driver for kubelet be cgroupfs for SLE to be consistent + with the cri-o configuration + +------------------------------------------------------------------- +Wed Nov 27 10:36:29 UTC 2019 - Sascha Grunert <[email protected]> + +- Update to v1.16.1: + * Add manifest list support + * Default to system.slice for conmon cgroup + * Don't set PodIPs on host network pods + +------------------------------------------------------------------- +Tue Nov 26 13:13:16 UTC 2019 - Dirk Mueller <[email protected]> + +- switch to libcontainers-common requires, as the other two are + provided by it already (avant-garde#1056) 
+ +------------------------------------------------------------------- +Tue Nov 19 12:19:06 UTC 2019 - David Cassany <[email protected]> + +- Revert cgroup_manager from systemd to cgroupsfs for SLE15 + + k8s default is cgroupfs and in can be modified at runtime by the + `--kubelet-cgroups` flag. However this flag is deprecated and + avoinding it is currently preferred over introducing it. In order + to switch to systemd as the cgroups manager in SLE15 further analysis is + required to find a suitable configuration strategy. + +------------------------------------------------------------------- +Fri Nov 15 04:49:31 UTC 2019 - Sascha Grunert <[email protected]> + +- Use single service macro invocation +- Add shell completions directories to files + +------------------------------------------------------------------- +Thu Nov 14 09:19:51 UTC 2019 - Sascha Grunert <[email protected]> + +- Add crio and crio-status shell completions +- Add crio-wipe and crio-shutdown services +- Update kubelet verbosity to `-v=2` +- Update conmon cgroup to `system.slice` +- Update crio.conf to match latest version +- Update to v1.16.0: + * Major Changes + * Add support for manifest lists + * Dual stack IPv6 support + * HUP reload of SystemRegistries + * file_locking is no longer a supported option in the + configuration file + * Hooks are no longer found implicitally. + * conmon now lives in a separate repository and must be + downloaded separately. 
+ * Minor + * All OCI mounts are mounted as rw when a pod is privileged + * CRI-O can now run on a cgroupv2 system (only with the runtime + crun) + * Add environment variables to CLI flags + * Add crio-status client to conveniently query status of crio + or a container + * Conmon is now found in $PATH if a path isn't specified or is + empty + * Add metrics to configuration file + * Bandwidth burst can only be 4GB + * If another container manager shares CRI-O's storage (like + podman), CRI-O no longer attempts to restore them + * Increase validation for log_dir and runtime_type in + configuration + * Allow usage of short container ID in ContainerStats + * Make image volumes writeable by the container user + * Various man page fixes + * The crio-wipe script is now included in the crio binary (as + crio wipe), and only removes CRI-O containers and images. + * Set some previously public packages as internal (client, lib, + oci, pkg, tools, version) + * infra container now spawned as not privileged + +------------------------------------------------------------------- +Mon Nov 11 15:04:57 UTC 2019 - Richard Brown <[email protected]> + +- Switch to `systemd` cgroup driver in kubelet config also + +------------------------------------------------------------------- +Thu Oct 24 10:58:21 UTC 2019 - Sascha Grunert <[email protected]> + +- Switch to `systemd` cgroup manager in replacement for `cgroupfs` + +------------------------------------------------------------------- +Thu Oct 17 16:24:19 UTC 2019 - Richard Brown <[email protected]> + +- Remove obsolete Groups tag (fate#326485) + +------------------------------------------------------------------- +Mon Oct 7 10:34:42 UTC 2019 - Sascha Grunert <[email protected]> + +- Fix default apparmor profile to match the latest version + +------------------------------------------------------------------- +Tue Sep 10 06:45:24 UTC 2019 - Sascha Grunert <[email protected]> + +- Update to v1.15.2: + * Use 
HTTP2MatchHeaderFieldSendSettings for incoming gRPC connections + * Fix 32 bit builds + * crio-wipe: Fix int compare in lib.bash + +------------------------------------------------------------------- +Thu Sep 5 15:01:52 UTC 2019 - Marco Vedovati <[email protected]> + +- Add katacontainers as a recommended package, and include it as an + additional OCI runtime in the configuration. +- Document the format of the [crio.runtime.runtimes] table entries, + and remove clutter from the current runc entry. + +------------------------------------------------------------------- +Thu Sep 5 08:35:05 UTC 2019 - David Cassany <[email protected]> ++++ 849 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:Leap:15.1:Update/.cri-o.10751.new.2738/cri-o.changes New: ---- _constraints _service cri-o-1.17.1.tar.xz cri-o-rpmlintrc cri-o.changes cri-o.spec crio-shutdown.service crio-wipe.service crio.conf crio.service kubelet.env sysconfig.crio ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cri-o.spec ++++++ # # spec file for package cri-o # # Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # #Compat macro for new _fillupdir macro introduced in Nov 2017 %if ! 
%{defined _fillupdir} %define _fillupdir /var/adm/fillup-templates %endif %define project github.com/cri-o/cri-o # Define macros for further referenced sources Name: cri-o Version: 1.17.1 Release: 0 Summary: OCI-based implementation of Kubernetes Container Runtime Interface License: Apache-2.0 Url: https://github.com/cri-o/cri-o ExcludeArch: i586 Source0: %{name}-%{version}.tar.xz Source1: crio.service Source2: sysconfig.crio Source3: crio.conf Source4: cri-o-rpmlintrc Source5: kubelet.env Source6: crio-wipe.service Source7: crio-shutdown.service BuildRequires: device-mapper-devel BuildRequires: fdupes BuildRequires: glib2-devel-static BuildRequires: glibc-devel-static BuildRequires: golang-packaging BuildRequires: libapparmor-devel BuildRequires: libassuan-devel BuildRequires: libbtrfs-devel BuildRequires: libgpgme-devel BuildRequires: libseccomp-devel BuildRequires: golang(API) >= 1.12 BuildRequires: sed Requires: patterns-base-apparmor Requires: conntrack-tools Requires: cni Requires: cni-plugins Requires: iproute2 Requires: iptables Requires: libcontainers-common >= 0.0.1 Requires: runc >= 1.0.0~rc6 Requires: socat Requires: conmon Recommends: katacontainers # Provide generic cri-runtime dependency (needed by kubernetes) Provides: cri-runtime # disable stripping of binaries %{go_nostrip} %description CRI-O provides an integration path between OCI conformant runtimes and the kubelet. Specifically, it implements the Kubelet Container Runtime Interface (CRI) using OCI conformant runtimes. The scope of CRI-O is tied to the scope of the CRI. 
%package kubeadm-criconfig Summary: CRI-O container runtime configuration for kubeadm Requires: kubernetes-kubeadm Requires(post): %fillup_prereq Supplements: cri-o Provides: kubernetes-kubeadm-criconfig Conflicts: docker-kubic-kubeadm-criconfig %description kubeadm-criconfig This package provides the CRI-O container runtime configuration for kubeadm %prep %setup -q %build # Keep cgroupfs as the default cgroup manager for SLE15 builds %if 0%{?sle_version} >= 150000 && !0%{?is_opensuse} sed -i "s|^cgroup_manager = \"systemd\"$|cgroup_manager = \"cgroupfs\"|g" %{SOURCE3} sed -i "s|--cgroup-driver=systemd|--cgroup-driver=cgroupfs|g" %{SOURCE5} %endif # We can't use symlinks here because go-list gets confused by symlinks, so we # have to copy the source to $HOME/go and then use that as the GOPATH. export GOPATH=$HOME/go mkdir -pv $HOME/go/src/%{project} rm -rf $HOME/go/src/%{project}/* cp -avr * $HOME/go/src/%{project} cd $HOME/go/src/%{project} # Build crio make %pre %service_add_pre crio.service crio-wipe.service crio-shutdown.service %post %service_add_post crio.service crio-wipe.service crio-shutdown.service # This is the additional directory where cri-o is going to look up for CNI # plugins installed by DaemonSets running on Kubernetes (i.e. Cilium). 
mkdir -p /opt/cni/bin %post kubeadm-criconfig %fillup_only -n kubelet %preun %service_del_preun crio.service crio-wipe.service crio-shutdown.service %postun %service_del_postun crio.service crio-wipe.service crio-shutdown.service %install cd $HOME/go/src/%{project} # Binaries install -D -m 0755 bin/crio %{buildroot}/%{_bindir}/crio install -D -m 0755 bin/crio-status %{buildroot}/%{_bindir}/crio-status install -D -m 0755 bin/pinns %{buildroot}/%{_bindir}/pinns install -d %{buildroot}/%{_libexecdir}/crio/bin # Completions install -D -m 0644 completions/bash/crio %{buildroot}/%{_datadir}/bash-completion/completions/crio install -D -m 0644 completions/zsh/_crio %{buildroot}%{_sysconfdir}/zsh_completion.d/_crio install -D -m 0644 completions/fish/crio.fish %{buildroot}/%{_datadir}/fish/completions/crio.fish install -D -m 0644 completions/bash/crio-status %{buildroot}/%{_datadir}/bash-completion/completions/crio-status install -D -m 0644 completions/zsh/_crio-status %{buildroot}%{_sysconfdir}/zsh_completion.d/_crio-status install -D -m 0644 completions/fish/crio-status.fish %{buildroot}/%{_datadir}/fish/completions/crio-status.fish # Manpages install -d %{buildroot}/%{_mandir}/man5 install -d %{buildroot}/%{_mandir}/man8 install -m 0644 docs/crio.conf.5 %{buildroot}/%{_mandir}/man5 install -m 0644 docs/crio.8 %{buildroot}/%{_mandir}/man8 # Configs install -D -m 0644 %{SOURCE3} %{buildroot}/%{_sysconfdir}/crio/crio.conf.d/00-default.conf install -D -m 0644 crio-umount.conf %{buildroot}/%{_datadir}/oci-umount/oci-umount.d/cri-umount.conf install -D -m 0644 %{SOURCE2} %{buildroot}%{_fillupdir}/sysconfig.crio # Systemd install -D -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/crio.service install -D -m 0644 %{SOURCE6} %{buildroot}%{_unitdir}/crio-wipe.service install -D -m 0644 %{SOURCE7} %{buildroot}%{_unitdir}/crio-shutdown.service # place kubelet.env in fillupdir install -D -m 0644 %{SOURCE5} %{buildroot}%{_fillupdir}/sysconfig.kubelet # Symlinks to rc files install -d -m 
0755 %{buildroot}%{_sbindir} ln -sf service %{buildroot}%{_sbindir}/rccrio %fdupes %{buildroot}/%{_prefix} %files # Binaries %{_bindir}/crio %{_bindir}/crio-status %{_bindir}/pinns %dir %{_libexecdir}/crio %dir %{_libexecdir}/crio/bin # Completions %{_datadir}/bash-completion/completions/crio %{_datadir}/bash-completion/completions/crio-status %{_sysconfdir}/zsh_completion.d %{_sysconfdir}/zsh_completion.d/_crio %{_sysconfdir}/zsh_completion.d/_crio-status %{_datadir}/fish %{_datadir}/fish/completions %{_datadir}/fish/completions/crio.fish %{_datadir}/fish/completions/crio-status.fish # Manpages %{_mandir}/man5/crio.conf.5* %{_mandir}/man8/crio.8* # License %license LICENSE # Configs %dir %{_sysconfdir}/crio %dir %{_sysconfdir}/crio/crio.conf.d %config %{_sysconfdir}/crio/crio.conf.d/00-default.conf %dir %{_datadir}/oci-umount %dir %{_datadir}/oci-umount/oci-umount.d %{_datadir}/oci-umount/oci-umount.d/cri-umount.conf %{_fillupdir}/sysconfig.crio # Systemd %{_unitdir}/crio.service %{_unitdir}/crio-wipe.service %{_unitdir}/crio-shutdown.service %{_sbindir}/rccrio %files kubeadm-criconfig %defattr(-,root,root) %{_fillupdir}/sysconfig.kubelet %changelog ++++++ _constraints ++++++ <?xml version="1.0" encoding="UTF-8"?> <constraints> <hardware> <memory> <size unit="M">2500</size> </memory> </hardware> </constraints> ++++++ _service ++++++ <services> <service name="tar_scm" mode="disabled"> <param name="url">https://github.com/cri-o/cri-o</param> <param name="scm">git</param> <param name="versionformat">1.17.1</param> <param name="revision">v1.17.1</param> </service> <service name="recompress" mode="disabled"> <param name="file">cri-o-*.tar</param> <param name="compression">xz</param> </service> <service name="set_version" mode="disabled"> <param name="basename">cri-o</param> </service> </services> ++++++ cri-o-rpmlintrc ++++++ addFilter (".* W: explicit-lib-dependency libcontainers-common") addFilter (".* W: explicit-lib-dependency libcontainers-image") addFilter (".* 
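Review bot: The two `sed -i` calls in `%build` that switch SLE builds to cgroupfs report success even when their patterns match nothing, so a reformatted `cgroup_manager = "systemd"` line in crio.conf or `--cgroup-driver=systemd` in kubelet.env would silently leave CRI-O and the kubelet on different cgroup drivers. Adding `grep -q 'cgroup_manager = "cgroupfs"' %{SOURCE3}` and `grep -q -- '--cgroup-driver=cgroupfs' %{SOURCE5}` inside the same `%if` block turns that into a build failure. Separately, `%post` creates `/opt/cni/bin` — a directory crio.conf lists in `plugin_dirs`, i.e. a location plugin executables are loaded from — with `mkdir -p` under whatever umask the scriptlet runs with and without listing it in `%files`, so rpm neither owns it nor verifies its mode. Declaring `%dir %attr(0755,root,root) /opt/cni/bin` in `%files` and dropping the mkdir keeps the directory package-owned and checkable with `rpm -V`.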
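Review bot: The `tar_scm` service pins the checkout to the git tag `v1.17.1` in `revision`, and a tag is a movable reference, so re-running the service can fetch different content under the same version without anything in the package noticing. Setting `revision` to the commit hash the tag pointed to when the tarball was produced (keeping `1.17.1` in `versionformat`) makes the source fetch reproducible and lets a reviewer compare the hash against the upstream release. All three services are `mode="disabled"`, so this appears to matter only when they are run by hand, which is presumably how `cri-o-1.17.1.tar.xz` was generated.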
W: explicit-lib-dependency libcontainers-storage") addFilter (".* W: statically-linked-binary /usr/lib/crio/bin/pause") addFilter (".* W: position-independent-executable-suggested /usr/lib/crio/bin/conmon") addFilter (".* W: position-independent-executable-suggested /usr/lib/crio/bin/pause") addFilter (".* W: unstripped-binary-or-object /usr/bin/crio") addFilter (".* W: unstripped-binary-or-object /usr/lib/crio/bin/conmon") addFilter (".* W: unstripped-binary-or-object /usr/lib/crio/bin/pause") addFilter ("no-version-in-last-changelog") ++++++ crio-shutdown.service ++++++ [Unit] Description=Shutdown CRI-O containers before shutting down the system Wants=crio.service After=crio.service Documentation=man:crio(8) [Service] Type=oneshot ExecStart=/usr/bin/rm -f /var/lib/crio/crio.shutdown ExecStop=/usr/bin/bash -c "/usr/bin/mkdir /var/lib/crio; /usr/bin/touch /var/lib/crio/crio.shutdown" RemainAfterExit=yes [Install] WantedBy=multi-user.target ++++++ crio-wipe.service ++++++ [Unit] Description=CRI-O Auto Update Script Before=crio.service RequiresMountsFor=/var/lib/containers [Service] EnvironmentFile=-/etc/sysconfig/crio ExecStart=/usr/bin/crio $CRIO_OPTIONS wipe Type=oneshot [Install] WantedBy=multi-user.target ++++++ crio.conf ++++++ # The CRI-O configuration file specifies all of the available configuration # options and command-line flags for the crio(8) OCI Kubernetes Container Runtime # daemon, but in a TOML format that can be more easily modified and versioned. # # Please refer to crio.conf(5) for details of all configuration options. # CRI-O supports partial configuration reload during runtime, which can be # done by sending SIGHUP to the running process. Currently supported options # are explicitly mentioned with: 'This option supports live configuration # reload'. # CRI-O reads its storage defaults from the containers-storage.conf(5) file # located at /etc/containers/storage.conf. 
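Review bot: Several filters silence warnings for files this package does not appear to ship: `/usr/lib/crio/bin/conmon` and `/usr/lib/crio/bin/pause` have no install line in the spec's `%install` section, and the changelog states that conmon now comes from a separate package. The `libcontainers-image` and `libcontainers-storage` filters likewise no longer correspond to any `Requires:` in the spec, which only pulls in `libcontainers-common`. Stale filters would hide the warning if such a binary or dependency ever reappeared, so drop them and keep only the entries that still match the spec (`unstripped-binary-or-object /usr/bin/crio`, which follows from `%{go_nostrip}`, plus `explicit-lib-dependency libcontainers-common` and `no-version-in-last-changelog`).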
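Review bot: `ExecStop` wraps two commands in `bash -c` and calls `mkdir` without `-p`, so on every stop after the first the `mkdir` should fail with "File exists" and only the `;` keeps the `touch` running, leaving a spurious error in the journal each shutdown. Two plain lines, `ExecStop=/usr/bin/mkdir -p /var/lib/crio` followed by `ExecStop=/usr/bin/touch /var/lib/crio/crio.shutdown`, avoid the shell and the error. A one-line comment above `ExecStart` explaining what `/var/lib/crio/crio.shutdown` signals — presumably that crio checks for the marker at next start; confirm against crio(8) — would help, since nothing in the unit says why the file is created and removed.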
Modify this storage configuration if # you want to change the system's defaults. If you want to modify storage just # for CRI-O, you can change the storage configuration options here. [crio] # Path to the "root directory". CRI-O stores all of its data, including # containers images, in this directory. #root = "/var/lib/containers/storage" # Path to the "run directory". CRI-O stores all of its state in this directory. #runroot = "/var/run/containers/storage" # Storage driver used to manage the storage of images and containers. Please # refer to containers-storage.conf(5) to see all available storage drivers. #storage_driver = "btrfs" # List to pass options to the storage driver. Please refer to # containers-storage.conf(5) to see all available storage options. #storage_option = [ #] # The default log directory where all logs will go unless directly specified by # the kubelet. The log directory specified must be an absolute directory. log_dir = "/var/log/crio/pods" # Location for CRI-O to lay down the version file version_file = "/var/run/crio/version" # The crio.api table contains settings for the kubelet/gRPC interface. [crio.api] # Path to AF_LOCAL socket on which CRI-O will listen. listen = "/var/run/crio/crio.sock" # IP address on which the stream server will listen. stream_address = "127.0.0.1" # The port on which the stream server will listen. stream_port = "0" # Enable encrypted TLS transport of the stream server. stream_enable_tls = false # Path to the x509 certificate file used to serve the encrypted stream. This # file can change, and CRI-O will automatically pick up the changes within 5 # minutes. stream_tls_cert = "" # Path to the key file used to serve the encrypted stream. This file can # change and CRI-O will automatically pick up the changes within 5 minutes. stream_tls_key = "" # Path to the x509 CA(s) file used to verify and authenticate client # communication with the encrypted stream. 
This file can change and CRI-O will # automatically pick up the changes within 5 minutes. stream_tls_ca = "" # Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024. grpc_max_send_msg_size = 16777216 # Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024. grpc_max_recv_msg_size = 16777216 # The crio.runtime table contains settings pertaining to the OCI runtime used # and options for how to set up and manage the OCI runtime. [crio.runtime] # A list of ulimits to be set in containers by default, specified as # "<ulimit name>=<soft limit>:<hard limit>", for example: # "nofile=1024:2048" # If nothing is set here, settings will be inherited from the CRI-O daemon #default_ulimits = [ #] # default_runtime is the _name_ of the OCI runtime to be used as the default. # The name is matched against the runtimes map below. default_runtime = "runc" # If true, the runtime will not use pivot_root, but instead use MS_MOVE. no_pivot = false # decryption_keys_path is the path where the keys required for # image decryption are stored. decryption_keys_path = "/etc/crio/keys/" # Path to the conmon binary, used for monitoring the OCI runtime. # Will be searched for using $PATH if empty. conmon = "" # Cgroup setting for conmon conmon_cgroup = "system.slice" # Environment variable list for the conmon process, used for passing necessary # environment variables to conmon or the runtime. conmon_env = [ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", ] # If true, SELinux will be used for pod separation on the host. selinux = false # Path to the seccomp.json profile which is used as the default seccomp profile # for the runtime. If not specified, then the internal default seccomp profile # will be used. seccomp_profile = "" # Used to change the name of the default AppArmor profile of CRI-O. The default # profile name is "crio-default-" followed by the version string of CRI-O. 
# apparmor_profile = "crio-default-1.17.0" # Cgroup management implementation used for the runtime. cgroup_manager = "systemd" # List of default capabilities for containers. If it is empty or commented out, # only the capabilities defined in the containers json file by the user/kube # will be added. default_capabilities = [ "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "NET_RAW", "SETGID", "SETUID", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL", ] # List of default sysctls. If it is empty or commented out, only the sysctls # defined in the container json file by the user/kube will be added. default_sysctls = [ ] # List of additional devices. specified as # "<device-on-host>:<device-on-container>:<permissions>", for example: "--device=/dev/sdc:/dev/xvdc:rwm". #If it is empty or commented out, only the devices # defined in the container json file by the user/kube will be added. additional_devices = [ ] # Path to OCI hooks directories for automatically executed hooks. hooks_dir = [ "/usr/share/containers/oci/hooks.d" ] # List of default mounts for each container. **Deprecated:** this option will # be removed in future versions in favor of default_mounts_file. default_mounts = [ ] # Path to the file specifying the defaults mounts for each container. The # format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads # its default mounts from the following two files: # # 1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the # override file, where users can either add in their own default mounts, or # override the default mounts shipped with the package. # # 2) /usr/share/containers/mounts.conf: This is the default file read for # mounts. If you want CRI-O to read from a different, specific mounts file, # you can change the default_mounts_file. Note, if this is done, CRI-O will # only add mounts it finds in this file. # #default_mounts_file = "" # Maximum number of processes allowed in a container. 
pids_limit = 1024 # Maximum sized allowed for the container log file. Negative numbers indicate # that no size limit is imposed. If it is positive, it must be >= 8192 to # match/exceed conmon's read buffer. The file is truncated and re-opened so the # limit is never exceeded. log_size_max = -1 # Whether container output should be logged to journald in addition to the kuberentes log file log_to_journald = false # Path to directory in which container exit files are written to by conmon. container_exits_dir = "/var/run/crio/exits" # Path to directory for container attach sockets. container_attach_socket_dir = "/var/run/crio" # The prefix to use for the source of the bind mounts. bind_mount_prefix = "" # If set to true, all containers will run in read-only mode. read_only = false # Changes the verbosity of the logs based on the level it is set to. Options # are fatal, panic, error, warn, info, debug and trace. This option supports # live configuration reload. log_level = "error" # Filter the log messages by the provided regular expression. # This option supports live configuration reload. log_filter = "" # The UID mappings for the user namespace of each container. A range is # specified in the form containerUID:HostUID:Size. Multiple ranges must be # separated by comma. uid_mappings = "" # The GID mappings for the user namespace of each container. A range is # specified in the form containerGID:HostGID:Size. Multiple ranges must be # separated by comma. gid_mappings = "" # The minimal amount of time in seconds to wait before issuing a timeout # regarding the proper termination of the container. ctr_stop_timeout = 0 # **DEPRECATED** this option is being replaced by manage_ns_lifecycle, which is described below. # manage_network_ns_lifecycle = false # manage_ns_lifecycle determines whether we pin and remove namespaces # and manage their lifecycle manage_ns_lifecycle = true # The directory where the state of the managed namespaces gets tracked. 
# Only used when manage_ns_lifecycle is true. namespaces_dir = "/var/run/crio/ns" # pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle pinns_path = "" # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. # The runtime to use is picked based on the runtime_handler provided by the CRI. # If no runtime_handler is provided, the runtime will be picked based on the level # of trust of the workload. Each entry in the table should follow the format: # #[crio.runtime.runtimes.runtime-handler] # runtime_path = "/path/to/the/executable" # runtime_type = "oci" # runtime_root = "/path/to/the/root" # # Where: # - runtime-handler: name used to identify the runtime # - runtime_path (optional, string): absolute path to the runtime executable in # the host filesystem. If omitted, the runtime-handler identifier should match # the runtime executable name, and the runtime executable should be placed # in $PATH. # - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If # omitted, an "oci" runtime is assumed. # - runtime_root (optional, string): root directory for storage of containers # state. [crio.runtime.runtimes.runc] # Kata Containers is an OCI runtime, where containers are run inside lightweight # VMs. Kata provides additional isolation towards the host, minimizing the host attack # surface and mitigating the consequences of containers breakout. # Kata Containers with the default configured VMM #[crio.runtime.runtimes.kata-runtime] # Kata Containers with the QEMU VMM #[crio.runtime.runtimes.kata-qemu] # Kata Containers with the Firecracker VMM #[crio.runtime.runtimes.kata-fc] # The crio.image table contains settings pertaining to the management of OCI images. # # CRI-O reads its configured registries defaults from the system wide # containers-registries.conf(5) located in /etc/containers/registries.conf. 
If # you want to modify just CRI-O, you can change the registries configuration in # this file. Otherwise, leave insecure_registries and registries commented out to # use the system's defaults from /etc/containers/registries.conf. [crio.image] # Default transport for pulling images from a remote container storage. default_transport = "docker://" # The path to a file containing credentials necessary for pulling images from # secure registries. The file is similar to that of /var/lib/kubelet/config.json global_auth_file = "" # The image used to instantiate infra containers. # This option supports live configuration reload. pause_image = "registry.opensuse.org/kubic/pause:3.2" # The path to a file containing credentials specific for pulling the pause_image from # above. The file is similar to that of /var/lib/kubelet/config.json # This option supports live configuration reload. pause_image_auth_file = "" # The command to run to have a container stay in the paused state. # When explicitly set to "", it will fallback to the entrypoint and command # specified in the pause image. When commented out, it will fallback to the # default: "/pause". This option supports live configuration reload. pause_command = "" # Path to the file which decides what sort of policy we use when deciding # whether or not to trust an image that we've pulled. It is not recommended that # this option be used, as the default behavior of using the system-wide default # policy (i.e., /etc/containers/policy.json) is most often preferred. Please # refer to containers-policy.json(5) for more details. signature_policy = "" # List of registries to skip TLS verification for pulling images. Please # consider configuring the registries via /etc/containers/registries.conf before # changing them here. #insecure_registries = "[]" # Controls how image volumes are handled. The valid values are mkdir, bind and # ignore; the latter will ignore volumes entirely. 
image_volumes = "mkdir" # List of registries to be used when pulling an unqualified image (e.g., # "alpine:latest"). By default, registries is set to "docker.io" for # compatibility reasons. Depending on your workload and usecase you may add more # registries (e.g., "quay.io", "registry.fedoraproject.org", # "registry.opensuse.org", etc.). #registries = [ # ] # The crio.network table containers settings pertaining to the management of # CNI plugins. [crio.network] # Path to the directory where CNI configuration files are located. network_dir = "/etc/cni/net.d/" # Paths to directories where CNI plugin binaries are located. plugin_dirs = [ "/opt/cni/bin/", "/usr/lib/cni/", ] # A necessary configuration for Prometheus based metrics retrieval [crio.metrics] # Globally enable or disable metrics support. enable_metrics = false # The port on which the metrics server will listen. metrics_port = 9090 ++++++ crio.service ++++++ [Unit] Description=Container Runtime Interface for OCI (CRI-O) Documentation=https://github.com/cri-o/cri-o After=network.target After=lwm2-monitor.service After=SuSEfirewall2.service After=crio-wipe.service Requires=crio-wipe.service [Service] Type=notify EnvironmentFile=-/etc/sysconfig/proxy EnvironmentFile=-/etc/sysconfig/crio Environment=GOTRACEBACK=crash ExecStart=/usr/bin/crio $CRIO_OPTIONS ExecReload=/bin/kill -s HUP $MAINPID TasksMax=infinity LimitNOFILE=1048576 LimitNPROC=1048576 LimitCORE=infinity # Set delegate yes so that systemd does not reset the cgroups of containers. # Only systemd 218 and above support this property. 
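Review bot: `apparmor_profile` is shipped commented out and pinned to `crio-default-1.17.0`, while the package is 1.17.1 and the Feb 10 changelog entry says the default AppArmor profile was uncommented so CRI-O always falls back to it; the shipped file contradicts that entry. The comment just above the key says the default name is `crio-default-` followed by the CRI-O version string, so a literal `1.17.0` would not match a 1.17.1 build even if the line were enabled. Either leave the key unset and drop the stale example, or set it to the intended profile name and keep it in step with `Version:` in the spec — confirm which the Feb 10 change meant. A second, operational point: `log_level = "error"` drops warning-level daemon events from the journal, which is usually where failed pulls and runtime problems are first noticed; a comment noting that `warn` or `info` may be preferable where journal output is collected would help operators decide.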
Delegate=yes OOMScoreAdjust=-999 TimeoutStartSec=0 Restart=on-abnormal # Place cri-o under the podruntime slice, this is part of the recommended # deployment to allow fine resource control on Kubernetes Slice=podruntime.slice [Install] WantedBy=multi-user.target ++++++ kubelet.env ++++++ KUBELET_EXTRA_ARGS="--container-runtime=remote --container-runtime-endpoint=unix:///var/run/crio/crio.sock --runtime-request-timeout=15m --cgroup-driver=systemd -v=2" ++++++ sysconfig.crio ++++++ ## Path : System/Management ## Description : Extra cli switches for crio daemon ## Type : string ## Default : "" ## ServiceRestart : crio # CRIO_OPTIONS=""
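Review bot: `Environment=GOTRACEBACK=crash` together with `LimitCORE=infinity` means a crashing daemon writes a full core dump, and if `global_auth_file` or `pause_image_auth_file` in crio.conf are ever configured that dump can contain registry credentials, so the dump location and retention (systemd-coredump or `kernel.core_pattern`) deserve the same access control as those files. Nothing on the page shows where dumps land, so treat this as a check to confirm rather than a defect; a comment above the two lines stating that the settings exist for crash diagnosis and that dumps may hold credentials would tell operators why they are there. The `After=SuSEfirewall2.service` and `After=lwm2-monitor.service` orderings are also undocumented; a short comment on what each one waits for would stop them being mistaken for hard dependencies on hosts where those units do not exist.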
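Review bot: `--cgroup-driver=systemd` must agree with `cgroup_manager` in crio.conf, and the spec rewrites both to cgroupfs on SLE builds via `sed`, but nothing in this file records that coupling, so an operator editing `/etc/sysconfig/kubelet` can change one side without the other. A leading comment, `# --cgroup-driver must match cgroup_manager in /etc/crio/crio.conf.d/00-default.conf`, would make the dependency visible where the value is edited. Documenting `-v=2` and `--runtime-request-timeout=15m` in the same header (why those values were chosen) would help too, since the file is otherwise a single opaque line.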
