Documentation ¶
Index ¶
- Constants
- func RemoveUnusedSocket(path string) error
- func RuntimesEqual(a, b Runtimes) bool
- func WorkloadsEqual(a, b Workloads) bool
- type APIConfig
- type Config
- func (c *Config) GetData() *Config
- func (c *Config) Reload() error
- func (c *Config) ReloadAppArmorProfile(newConfig *Config) error
- func (c *Config) ReloadBlockIOConfig(newConfig *Config) error
- func (c *Config) ReloadDecryptionKeyConfig(newConfig *Config)
- func (c *Config) ReloadLogFilter(newConfig *Config) error
- func (c *Config) ReloadLogLevel(newConfig *Config) error
- func (c *Config) ReloadPauseImage(newConfig *Config) error
- func (c *Config) ReloadPinnedImages(newConfig *Config)
- func (c *Config) ReloadRdtConfig(newConfig *Config) error
- func (c *Config) ReloadRegistries() error
- func (c *Config) ReloadRuntimes(newConfig *Config) error
- func (c *Config) ReloadSeccompProfile(newConfig *Config) error
- func (c *Config) SetSingleConfigPath(singleConfigPath string)
- func (c *Config) ToBytes() ([]byte, error)
- func (c *Config) ToFile(path string) error
- func (c *Config) ToString() (string, error)
- func (c *Config) UpdateFromDropInFile(path string) error
- func (c *Config) UpdateFromFile(path string) error
- func (c *Config) UpdateFromPath(path string) error
- func (c *Config) Validate(onExecution bool) error
- func (c *Config) WriteTemplate(displayAllConfig bool, w io.Writer) error
- type Iface
- type ImageConfig
- type ImageVolumesType
- type MetricsConfig
- type Namespace
- type NetworkConfig
- type Resources
- type RootConfig
- type RuntimeConfig
- func (c *RuntimeConfig) AppArmor() *apparmor.Config
- func (c *RuntimeConfig) BlockIO() *blockio.Config
- func (c *RuntimeConfig) CgroupManager() cgmgr.CgroupManager
- func (c *RuntimeConfig) CheckpointRestore() bool
- func (c *RuntimeConfig) ConmonSupportsLogGlobalSizeMax() bool
- func (c *RuntimeConfig) ConmonSupportsSync() bool
- func (c *RuntimeConfig) Devices() []device.Device
- func (c *RuntimeConfig) NamespaceManager() *nsmgr.NamespaceManager
- func (c *RuntimeConfig) Rdt() *rdt.Config
- func (c *RuntimeConfig) Seccomp() *seccomp.Config
- func (c *RuntimeConfig) Sysctls() ([]Sysctl, error)
- func (c *RuntimeConfig) TranslateMonitorFields(onExecution bool) error
- func (c *RuntimeConfig) TranslateMonitorFieldsForHandler(handler *RuntimeHandler, onExecution bool) error
- func (c *RuntimeConfig) Ulimits() []ulimits.Ulimit
- func (c *RuntimeConfig) Validate(systemContext *types.SystemContext, onExecution bool) error
- func (c *RuntimeConfig) ValidateConmonPath(executable string, handler *RuntimeHandler) error
- func (c *RuntimeConfig) ValidateDefaultRuntime() error
- func (c *RuntimeConfig) ValidatePinnsPath(executable string) error
- func (c *RuntimeConfig) ValidateRuntimes() error
- type RuntimeHandler
- func (r *RuntimeHandler) LoadRuntimeFeatures(input []byte) error
- func (r *RuntimeHandler) RuntimeSupportsIDMap() bool
- func (r *RuntimeHandler) RuntimeSupportsMountFlag(flag string) bool
- func (r *RuntimeHandler) RuntimeSupportsRROMounts() bool
- func (r *RuntimeHandler) SetContainerMinMemory() (int64, error)
- func (r *RuntimeHandler) Validate(name string) error
- func (r *RuntimeHandler) ValidateRuntimeAllowedAnnotations() error
- func (r *RuntimeHandler) ValidateRuntimeConfigPath(name string) error
- func (r *RuntimeHandler) ValidateRuntimePath(name string) error
- func (r *RuntimeHandler) ValidateRuntimeType(name string) error
- func (r *RuntimeHandler) ValidateRuntimeVMBinaryPattern() bool
- type Runtimes
- type StatsConfig
- type Sysctl
- type TracingConfig
- type WorkloadConfig
- type Workloads
- func (w Workloads) AllowedAnnotations(toFind map[string]string) []string
- func (w Workloads) FilterDisallowedAnnotations(allowed []string, toFilter map[string]string) error
- func (w Workloads) MutateSpecGivenAnnotations(ctrName string, specgen *generate.Generator, sboxAnnotations map[string]string) error
- func (w Workloads) Validate() error
Constants ¶
// Runtime-type names, the VM shim binary pattern and the monitor exec cgroup
// settings used across the package.
const (
	// OCIBufSize is a buffer size in bytes. Where it is applied is not
	// visible in this listing.
	OCIBufSize = 8192

	// RuntimeTypeVM is the RuntimeHandler.RuntimeType value for VM-based runtimes.
	RuntimeTypeVM = "vm"
	// RuntimeTypePod is the RuntimeHandler.RuntimeType value for pod-based runtimes.
	RuntimeTypePod = "pod"
	// RuntimeTypeVMBinaryPattern is the regular expression a VM runtime binary
	// name is checked against (see RuntimeHandler.ValidateRuntimeVMBinaryPattern).
	// NOTE(review): the pattern carries no ^/$ anchors, so whether a full-name
	// match is enforced depends on how the caller applies it — confirm there.
	RuntimeTypeVMBinaryPattern = "containerd-shim-([a-zA-Z0-9\\-\\+])+-v2"

	// MonitorExecCgroupDefault is the empty (unset) monitor exec cgroup value.
	MonitorExecCgroupDefault = ""
	// MonitorExecCgroupContainer selects the "container" monitor exec cgroup value.
	MonitorExecCgroupContainer = "container"
)
Defaults if none are specified
const (
	// DefaultPidsLimit is the default value for the maximum number of processes
	// allowed inside a container (see RuntimeConfig.PidsLimit).
	// NOTE(review): presumably a negative value disables the limit, as it does
	// for DefaultLogSizeMax — confirm against the cgroup setup code.
	DefaultPidsLimit = -1
	// DefaultLogSizeMax is the default value for the maximum log size
	// allowed for a container. Negative values mean that no limit is imposed.
	DefaultLogSizeMax = -1
)
const (
	// DefaultBlockIOConfigFile is the default value for the blockio controller
	// configuration file; empty means no file is configured.
	DefaultBlockIOConfigFile = ""
	// DefaultBlockIOReload is the default value for reloading blockio when the
	// config file or the block devices change (see RuntimeConfig.BlockIOReload).
	DefaultBlockIOReload = false
)
const (
	// DefaultIrqBalanceConfigFile is the default irqbalance service
	// configuration file path.
	DefaultIrqBalanceConfigFile = "/etc/sysconfig/irqbalance"
	// DefaultIrqBalanceConfigRestoreFile contains the banned CPU mask
	// configuration to restore. The name is kept for backward compatibility.
	DefaultIrqBalanceConfigRestoreFile = "/etc/sysconfig/orig_irq_banned_cpus"
)
const (
	// DefaultRuntimeType is the RuntimeHandler.RuntimeType used when none is given.
	DefaultRuntimeType = "oci"
	// DefaultRuntimeRoot is the RuntimeHandler.RuntimeRoot used when none is given.
	DefaultRuntimeRoot = "/run/runc"
	// ImageVolumesBind option is for using bind mounted volumes.
	ImageVolumesBind ImageVolumesType = "bind"
	// DefaultPauseImage is the default pause image. It is pinned by tag, not by
	// digest; whether pulls of it are subject to ImageConfig.SignaturePolicyPath
	// is not visible in this listing.
	DefaultPauseImage string = "registry.k8s.io/pause:3.9"
)
Defaults if none are specified
const (
	// ContainerAttachSocketDir is the default location for container attach sockets.
	ContainerAttachSocketDir = "/var/run/crio"
	// CrioConfigPath is the default location for the conf file.
	CrioConfigPath = "/etc/crio/crio.conf"
	// CrioConfigDropInPath is the default location for the drop-in config files.
	CrioConfigDropInPath = "/etc/crio/crio.conf.d"
	// CrioSocketPath is where the unix socket is located.
	CrioSocketPath = "/var/run/crio/crio.sock"
	// CrioVersionPathTmp is where the CRI-O version file is located on a tmpfs
	// disk; it is used to check if we should wipe containers.
	CrioVersionPathTmp = "/var/run/crio/version"
	// CrioCleanShutdownFile is the location CRI-O will lay down the clean
	// shutdown file that checks whether we've had time to sync before shutting
	// down. If not, crio wipe will clear the storage directory.
	CrioCleanShutdownFile = "/var/lib/crio/clean.shutdown"
)
Defaults for linux/unix if none are specified
const (
	// IpcNamespace is the Linux IPC namespace.
	IpcNamespace = Namespace("ipc")
	// NetNamespace is the network namespace.
	NetNamespace = Namespace("net")
)
Functions ¶
func RemoveUnusedSocket ¶
RemoveUnusedSocket first ensures that the path to the socket exists and removes unused socket connections if available.
func RuntimesEqual ¶
func WorkloadsEqual ¶
Types ¶
type APIConfig ¶
// APIConfig represents the "crio.api" TOML config table: the gRPC listener
// and the streaming server settings.
type APIConfig struct {
	// GRPCMaxSendMsgSize is the maximum grpc send message size in bytes.
	GRPCMaxSendMsgSize int `toml:"grpc_max_send_msg_size"`

	// GRPCMaxRecvMsgSize is the maximum grpc receive message size in bytes.
	GRPCMaxRecvMsgSize int `toml:"grpc_max_recv_msg_size"`

	// Listen is the path to the AF_LOCAL socket on which cri-o will listen.
	// This may support proto://addr formats later, but currently this is just
	// a path.
	Listen string `toml:"listen"`

	// StreamAddress is the IP address on which the stream server will listen.
	StreamAddress string `toml:"stream_address"`

	// StreamPort is the port on which the stream server will listen.
	StreamPort string `toml:"stream_port"`

	// StreamEnableTLS enables encrypted tls transport of the stream server;
	// when false the stream server is not served over TLS.
	StreamEnableTLS bool `toml:"stream_enable_tls"`

	// StreamTLSCert is the x509 certificate file path used to serve the
	// encrypted stream.
	StreamTLSCert string `toml:"stream_tls_cert"`

	// StreamTLSKey is the key file path used to serve the encrypted stream.
	StreamTLSKey string `toml:"stream_tls_key"`

	// StreamTLSCA is the x509 CA(s) file used to verify and authenticate client
	// communication with the tls encrypted stream.
	// NOTE(review): what happens when this is empty while StreamEnableTLS is
	// set (client verification skipped or an error) is not visible here — confirm.
	StreamTLSCA string `toml:"stream_tls_ca"`

	// StreamIdleTimeout is how long to leave idle connections open for. It is
	// a string; the accepted duration format is parsed elsewhere.
	StreamIdleTimeout string `toml:"stream_idle_timeout"`
}
APIConfig represents the "crio.api" TOML config table.
type Config ¶
// Config represents the entire set of configuration values that can be set
// for the server. It is intended to be loaded from a toml-encoded config file;
// the embedded *Config types each map to one TOML table.
type Config struct {
	// Comment is free-form text carried with the configuration.
	Comment string

	RootConfig
	APIConfig
	RuntimeConfig
	ImageConfig
	NetworkConfig
	MetricsConfig
	TracingConfig
	StatsConfig

	// NRI holds the NRI plugin configuration.
	NRI *nri.Config

	// SystemContext is the containers/image system context; ReloadRegistries
	// reloads the registry configuration from it.
	SystemContext *types.SystemContext

	// contains filtered or unexported fields
}
Config represents the entire set of configuration values that can be set for the server. This is intended to be loaded from a toml-encoded config file.
func DefaultConfig ¶
DefaultConfig returns the default configuration for crio.
func (*Config) Reload ¶
Reload reloads the configuration for the single crio.conf and the drop-in configuration directory.
func (*Config) ReloadAppArmorProfile ¶
ReloadAppArmorProfile reloads the AppArmor profile from the new config if they differ.
func (*Config) ReloadBlockIOConfig ¶
ReloadBlockIOConfig reloads the blockio configuration from the new config.
func (*Config) ReloadDecryptionKeyConfig ¶
ReloadDecryptionKeyConfig updates the DecryptionKeysPath with the provided `newConfig`.
func (*Config) ReloadLogFilter ¶
ReloadLogFilter updates the LogFilter with the provided `newConfig`. It errors if the filter is not applicable.
func (*Config) ReloadLogLevel ¶
ReloadLogLevel updates the LogLevel with the provided `newConfig`. It errors if the level is not parsable.
func (*Config) ReloadPauseImage ¶
func (*Config) ReloadPinnedImages ¶
ReloadPinnedImages updates the PinnedImages with the provided `newConfig`. The method prints a log message in case of any updates.
func (*Config) ReloadRdtConfig ¶
ReloadRdtConfig reloads the RDT configuration if it changed.
func (*Config) ReloadRegistries ¶
ReloadRegistries reloads the registry configuration from the Configs `SystemContext`. The method errors in case of any update failure.
func (*Config) ReloadRuntimes ¶
ReloadRuntimes reloads the runtimes configuration if it changed.
func (*Config) ReloadSeccompProfile ¶
ReloadSeccompProfile reloads the seccomp profile from the new config if their paths differ.
func (*Config) SetSingleConfigPath ¶
SetSingleConfigPath sets the single config path for the config.
func (*Config) ToBytes ¶
ToBytes encodes the config into a byte slice. It errors if the encoding fails, which should never happen because of general type safety.
func (*Config) ToFile ¶
ToFile outputs the given Config as a TOML-encoded file at the given path. Returns errors encountered when generating or writing the file, or nil otherwise.
func (*Config) UpdateFromDropInFile ¶
UpdateFromDropInFile populates the Config from the TOML-encoded file at the given path. The file may be the main configuration file, or it can be one of the drop-in files which are used to supplement it. Returns errors encountered when reading or parsing the files, or nil otherwise.
func (*Config) UpdateFromFile ¶
UpdateFromFile populates the Config from the TOML-encoded file at the given path and "remembers" that we should reload this file's contents when we receive a SIGHUP. Returns errors encountered when reading or parsing the files, or nil otherwise.
func (*Config) UpdateFromPath ¶
UpdateFromPath recursively iterates the provided path and updates the configuration from it.
type ImageConfig ¶
// ImageConfig represents the "crio.image" TOML config table: image naming,
// pull credentials, signature policy and registry trust settings.
type ImageConfig struct {
	// DefaultTransport is a value we prefix to image names that fail to
	// validate source references.
	DefaultTransport string `toml:"default_transport"`

	// GlobalAuthFile is a path to a file like /var/lib/kubelet/config.json
	// containing credentials necessary for pulling images from secure
	// registries.
	GlobalAuthFile string `toml:"global_auth_file"`

	// PauseImage is the name of an image on a registry which we use to
	// instantiate infra containers. It should start with a registry host name.
	// Format is enforced by validation (see ParsePauseImage).
	PauseImage string `toml:"pause_image"`

	// PauseImageAuthFile, if not empty, is a path to a file like
	// /var/lib/kubelet/config.json containing credentials necessary
	// for pulling PauseImage.
	PauseImageAuthFile string `toml:"pause_image_auth_file"`

	// PauseCommand is the path of the binary we run in an infra
	// container that's been instantiated using PauseImage.
	PauseCommand string `toml:"pause_command"`

	// PinnedImages is a list of container images that should be pinned
	// and not subject to garbage collection by kubelet.
	// Pinned images will remain in the container runtime's storage until
	// they are manually removed. Default value: empty list (no images pinned).
	PinnedImages []string `toml:"pinned_images"`

	// SignaturePolicyPath is the name of the file which decides what sort
	// of policy we use when deciding whether or not to trust an image that
	// we've pulled. Outside of testing situations, it is strongly advised
	// that this be left unspecified so that the default system-wide policy
	// will be used.
	SignaturePolicyPath string `toml:"signature_policy"`

	// SignaturePolicyDir is the root path for pod namespace-separated
	// signature policies. The final policy to be used on image pull will be
	// <SIGNATURE_POLICY_DIR>/<NAMESPACE>.json.
	// If no pod namespace is being provided on image pull (via the sandbox
	// config), or the concatenated path is non existent, then the
	// SignaturePolicyPath or system wide policy will be used as fallback.
	// Must be an absolute path.
	SignaturePolicyDir string `toml:"signature_policy_dir"`

	// InsecureRegistries is a list of registries that must be contacted w/o
	// TLS verification. Every entry disables certificate verification for
	// that registry, so the list should stay as short as possible.
	InsecureRegistries []string `toml:"insecure_registries"`

	// ImageVolumes controls how volumes specified in image config are handled.
	ImageVolumes ImageVolumesType `toml:"image_volumes"`

	// BigFilesTemporaryDir is the temporary directory for big files.
	BigFilesTemporaryDir string `toml:"big_files_temporary_dir"`

	// AutoReloadRegistries if set to true, will automatically
	// reload the mirror registry when there is an update to the
	// 'registries.conf.d' directory.
	AutoReloadRegistries bool `toml:"auto_reload_registries"`
}
ImageConfig represents the "crio.image" TOML config table.
func (*ImageConfig) ParsePauseImage ¶
func (c *ImageConfig) ParsePauseImage() (references.RegistryImageReference, error)
ParsePauseImage parses the .PauseImage value as into a validated, well-typed value.
func (*ImageConfig) Validate ¶
func (c *ImageConfig) Validate(onExecution bool) error
Validate is the main entry point for image configuration validation. It returns an error on validation failure, otherwise nil.
type ImageVolumesType ¶
// ImageVolumesType describes image volume handling strategies. The values
// defined in this package are ImageVolumesMkdir, ImageVolumesIgnore and
// ImageVolumesBind.
type ImageVolumesType string
ImageVolumesType describes image volume handling strategies
const (
	// ImageVolumesMkdir option is for using mkdir to handle image volumes.
	ImageVolumesMkdir ImageVolumesType = "mkdir"
	// ImageVolumesIgnore option is for ignoring image volumes altogether.
	ImageVolumesIgnore ImageVolumesType = "ignore"
)
type MetricsConfig ¶
// MetricsConfig specifies all necessary configuration for Prometheus-based
// metrics retrieval.
type MetricsConfig struct {
	// EnableMetrics can be used to globally enable or disable metrics support.
	EnableMetrics bool `toml:"enable_metrics"`

	// MetricsCollectors specifies enabled metrics collectors.
	MetricsCollectors collectors.Collectors `toml:"metrics_collectors"`

	// MetricsHost is the IP address or hostname on which the metrics server
	// will listen.
	MetricsHost string `toml:"metrics_host"`

	// MetricsPort is the port on which the metrics server will listen.
	MetricsPort int `toml:"metrics_port"`

	// MetricsSocket is the local socket path to bind the metrics server to.
	MetricsSocket string `toml:"metrics_socket"`

	// MetricsCert is the certificate for the secure metrics server.
	MetricsCert string `toml:"metrics_cert"`

	// MetricsKey is the certificate key for the secure metrics server.
	// NOTE(review): whether the server falls back to plain HTTP when the cert
	// and key are unset is not visible here — confirm in the metrics server.
	MetricsKey string `toml:"metrics_key"`
}
MetricsConfig specifies all necessary configuration for Prometheus based metrics retrieval
type NetworkConfig ¶
// NetworkConfig represents the "crio.network" TOML config table: the CNI
// network and plugin locations.
type NetworkConfig struct {
	// CNIDefaultNetwork is the default CNI network name to be selected.
	CNIDefaultNetwork string `toml:"cni_default_network"`

	// NetworkDir is where CNI network configuration files are stored.
	NetworkDir string `toml:"network_dir"`

	// PluginDir is where CNI plugin binaries are stored. Unlike PluginDirs it
	// is omitted from the encoded TOML when empty.
	PluginDir string `toml:"plugin_dir,omitempty"`

	// PluginDirs is where CNI plugin binaries are stored.
	PluginDirs []string `toml:"plugin_dirs"`

	// contains filtered or unexported fields
}
NetworkConfig represents the "crio.network" TOML config table
func (*NetworkConfig) CNIManagerShutdown ¶
func (c *NetworkConfig) CNIManagerShutdown()
CNIManagerShutdown shuts down the CNI Manager
func (*NetworkConfig) CNIPlugin ¶
func (c *NetworkConfig) CNIPlugin() ocicni.CNIPlugin
CNIPlugin returns the network configuration CNI plugin
func (*NetworkConfig) CNIPluginAddWatcher ¶
func (c *NetworkConfig) CNIPluginAddWatcher() chan bool
CNIPluginAddWatcher returns a watcher channel for the network configuration CNI plugin.
func (*NetworkConfig) CNIPluginReadyOrError ¶
func (c *NetworkConfig) CNIPluginReadyOrError() error
CNIPluginReadyOrError returns whether the cni plugin is ready
func (*NetworkConfig) Validate ¶
func (c *NetworkConfig) Validate(onExecution bool) error
Validate is the main entry point for network configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.
type Resources ¶
// Resources is a structure for overriding certain resources for the pod.
// It provides default values that can be overridden through the
// AnnotationPrefix (see Workloads). The CPUShares field name was displaced in
// the rendered listing; it is restored to its declaration position here.
type Resources struct {
	// Specifies the CPU shares this Pod has access to.
	CPUShares uint64 `json:"cpushares,omitempty"`
	// Specifies the CPU quota this Pod is limited to in microseconds.
	CPUQuota int64 `json:"cpuquota,omitempty"`
	// Specifies the CPU period this Pod will use in microseconds.
	CPUPeriod uint64 `json:"cpuperiod,omitempty"`
	// Specifies the cpuset this Pod has access to.
	CPUSet string `json:"cpuset,omitempty"`
	// Specifies the CPU limit in millicores. This will be used to calculate the
	// CPU quota.
	CPULimit int64 `json:"cpulimit,omitempty"`
}
Resources is a structure for overriding certain resources for the pod. This resources structure provides a default value, and can be overridden by using the AnnotationPrefix.
func (*Resources) MutateSpec ¶
func (*Resources) ValidateDefaults ¶
type RootConfig ¶
// RootConfig represents the root of the "crio" TOML config table: storage
// locations, the storage driver and the reboot/upgrade marker files.
type RootConfig struct {
	// Root is a path to the "root directory" where data not
	// explicitly handled by other options will be stored.
	Root string `toml:"root"`

	// RunRoot is a path to the "run directory" where state information not
	// explicitly handled by other options will be stored.
	RunRoot string `toml:"runroot"`

	// ImageStore if set it will allow end-users to store newly pulled image
	// in path provided by `ImageStore` instead of path provided in `Root`.
	ImageStore string `toml:"imagestore"`

	// Storage is the name of the storage driver which handles actually
	// storing the contents of containers.
	Storage string `toml:"storage_driver"`

	// StorageOptions is a list of storage driver specific options.
	StorageOptions []string `toml:"storage_option"`

	// LogDir is the default log directory where all logs will go unless
	// kubelet tells us to put them somewhere else.
	LogDir string `toml:"log_dir"`

	// VersionFile is the location CRI-O will lay down the version file
	// that checks whether we've rebooted.
	VersionFile string `toml:"version_file"`

	// VersionFilePersist is the location CRI-O will lay down the version file
	// that checks whether we've upgraded.
	VersionFilePersist string `toml:"version_file_persist"`

	// CleanShutdownFile is the location CRI-O will lay down the clean shutdown
	// file that checks whether we've had time to sync before shutting down.
	CleanShutdownFile string `toml:"clean_shutdown_file"`

	// InternalWipe is whether CRI-O should wipe containers and images after a
	// reboot when the server starts. If set to false, one must use the external
	// command `crio wipe` to wipe the containers and images in these situations.
	// The option InternalWipe is deprecated, and will be removed in a future
	// release.
	InternalWipe bool `toml:"internal_wipe"`

	// InternalRepair is used to repair the affected images.
	InternalRepair bool `toml:"internal_repair"`
}
RootConfig represents the root of the "crio" TOML config table.
func (*RootConfig) CleanShutdownSupportedFileName ¶
func (c *RootConfig) CleanShutdownSupportedFileName() string
func (*RootConfig) GetStore ¶
func (c *RootConfig) GetStore() (storage.Store, error)
GetStore returns the container storage for a given configuration
func (*RootConfig) Validate ¶
func (c *RootConfig) Validate(onExecution bool) error
Validate is the main entry point for root configuration validation. The parameter `onExecution` specifies if the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.
type RuntimeConfig ¶
// RuntimeConfig represents the "crio.runtime" TOML config table: the OCI
// runtimes, the monitor (conmon) settings, the default security profiles and
// the per-container defaults applied to every workload.
type RuntimeConfig struct {
	// NoPivot instructs the runtime to not use `pivot_root`, but instead use
	// `MS_MOVE`.
	NoPivot bool `toml:"no_pivot"`

	// SELinux determines whether or not SELinux is used for pod separation.
	SELinux bool `toml:"selinux"`

	// LogToJournald controls whether container output should be logged to
	// journald in addition to the kubernetes log file.
	LogToJournald bool `toml:"log_to_journald"`

	// DropInfraCtr determines whether the infra container is dropped when
	// appropriate.
	DropInfraCtr bool `toml:"drop_infra_ctr"`

	// ReadOnly runs all pods/containers in read-only mode.
	// This mode will mount tmpfs on /run, /tmp and /var/tmp, if those are not
	// mountpoints. Will also set the readonly flag in the OCI Runtime Spec. In
	// this mode containers will only be able to write to volumes mounted into
	// them.
	ReadOnly bool `toml:"read_only"`

	// ConmonEnv is the environment variable list for the conmon process.
	// This option is currently deprecated, and will be replaced with
	// RuntimeHandler.MonitorEnv.
	ConmonEnv []string `toml:"conmon_env"`

	// HooksDir holds paths to the directories containing hooks
	// configuration files. When the same filename is present in
	// multiple directories, the file in the directory listed last in
	// this slice takes precedence.
	HooksDir []string `toml:"hooks_dir"`

	// DefaultCapabilities are the capabilities to add to all containers.
	DefaultCapabilities capabilities.Capabilities `toml:"default_capabilities"`

	// AddInheritableCapabilities can be set to add inheritable capabilities.
	// They were added pre-1.23 by default, and were dropped in 1.24.
	// This can cause a regression with non-root users not getting capabilities
	// as they previously did.
	AddInheritableCapabilities bool `toml:"add_inheritable_capabilities"`

	// DefaultEnv holds additional environment variables to set for all the
	// containers. These are overridden if set in the container image spec or
	// in the container runtime configuration.
	DefaultEnv []string `toml:"default_env"`

	// DefaultSysctls are the sysctls to add to all containers (parsed and
	// checked by Sysctls).
	DefaultSysctls []string `toml:"default_sysctls"`

	// DefaultUlimits specifies the default ulimits to apply to containers.
	DefaultUlimits []string `toml:"default_ulimits"`

	// AllowedDevices lists the devices that are allowed to be configured.
	AllowedDevices []string `toml:"allowed_devices"`

	// AdditionalDevices lists the devices to add to containers.
	AdditionalDevices []string `toml:"additional_devices"`

	// CDISpecDirs specifies the directories CRI-O/CDI will scan for CDI Spec
	// files.
	CDISpecDirs []string `toml:"cdi_spec_dirs"`

	// DeviceOwnershipFromSecurityContext changes the default behavior of
	// setting container devices uid/gid from CRI's SecurityContext
	// (RunAsUser/RunAsGroup) instead of taking host's uid/gid. Defaults to
	// false.
	DeviceOwnershipFromSecurityContext bool `toml:"device_ownership_from_security_context"`

	// DefaultRuntime is the _name_ of the OCI runtime to be used as the
	// default. The name is matched against the Runtimes map below
	// (see ValidateDefaultRuntime).
	DefaultRuntime string `toml:"default_runtime"`

	// DecryptionKeysPath is the path where keys for image decryption are
	// stored.
	DecryptionKeysPath string `toml:"decryption_keys_path"`

	// Conmon is the path to the conmon binary, used for managing the runtime.
	// This option is currently deprecated, and will be replaced with
	// RuntimeHandler.MonitorConfig.Path.
	Conmon string `toml:"conmon"`

	// ConmonCgroup is the cgroup setting used for conmon.
	// This option is currently deprecated, and will be replaced with
	// RuntimeHandler.MonitorConfig.Cgroup.
	ConmonCgroup string `toml:"conmon_cgroup"`

	// SeccompProfile is the seccomp.json profile path which is used as the
	// default for the runtime.
	SeccompProfile string `toml:"seccomp_profile"`

	// ApparmorProfile is the apparmor profile name which is used as the
	// default for the runtime.
	ApparmorProfile string `toml:"apparmor_profile"`

	// BlockIOConfigFile is the path to the blockio class configuration
	// file for configuring the cgroup blockio controller.
	BlockIOConfigFile string `toml:"blockio_config_file"`

	// BlockIOReload instructs the runtime to reload blockio configuration and
	// rescan block devices in the system before assigning blockio parameters.
	BlockIOReload bool `toml:"blockio_reload"`

	// IrqBalanceConfigFile is the irqbalance service config file which is used
	// for configuring irqbalance daemon.
	IrqBalanceConfigFile string `toml:"irqbalance_config_file"`

	// RdtConfigFile is the RDT config file used for configuring resctrl fs.
	RdtConfigFile string `toml:"rdt_config_file"`

	// CgroupManagerName is the manager implementation name which is used to
	// handle cgroups for containers.
	CgroupManagerName string `toml:"cgroup_manager"`

	// DefaultMountsFile is the file path for the default mounts to be mounted
	// for the container. Note, for testing purposes mainly.
	DefaultMountsFile string `toml:"default_mounts_file"`

	// ContainerExitsDir is the directory in which container exit files are
	// written to by conmon.
	ContainerExitsDir string `toml:"container_exits_dir"`

	// ContainerAttachSocketDir is the location for container attach sockets.
	ContainerAttachSocketDir string `toml:"container_attach_socket_dir"`

	// BindMountPrefix is the prefix to use for the source of the bind mounts.
	BindMountPrefix string `toml:"bind_mount_prefix"`

	// UIDMappings specifies the UID mappings to have in the user namespace.
	// A range is specified in the form containerUID:HostUID:Size. Multiple
	// ranges are separated by comma.
	UIDMappings string `toml:"uid_mappings"`

	// MinimumMappableUID specifies the minimum UID value which can be
	// specified in a uid_mappings value, whether configured here or sent
	// to us via CRI, for a pod that isn't to be run as UID 0.
	MinimumMappableUID int64 `toml:"minimum_mappable_uid"`

	// GIDMappings specifies the GID mappings to have in the user namespace.
	// A range is specified in the form containerGID:HostGID:Size. Multiple
	// ranges are separated by comma.
	GIDMappings string `toml:"gid_mappings"`

	// MinimumMappableGID specifies the minimum GID value which can be
	// specified in a gid_mappings value, whether configured here or sent
	// to us via CRI, for a pod that isn't to be run as UID 0.
	// NOTE(review): the original comment says "UID 0" here as well — confirm
	// whether GID 0 is meant.
	MinimumMappableGID int64 `toml:"minimum_mappable_gid"`

	// LogLevel determines the verbosity of the logs based on the level it is
	// set to. Options are fatal, panic, error (default), warn, info, debug,
	// and trace.
	LogLevel string `toml:"log_level"`

	// LogFilter specifies a regular expression to filter the log messages.
	LogFilter string `toml:"log_filter"`

	// NamespacesDir is the directory where the state of the managed namespaces
	// gets tracked.
	NamespacesDir string `toml:"namespaces_dir"`

	// PinnsPath is the path to find the pinns binary, which is needed
	// to manage namespace lifecycle (see ValidatePinnsPath).
	PinnsPath string `toml:"pinns_path"`

	// EnableCriuSupport enables the use of the criu binary, which is needed
	// to checkpoint and restore containers (see CheckpointRestore).
	EnableCriuSupport bool `toml:"enable_criu_support"`

	// Runtimes defines a list of OCI compatible runtimes. The runtime to
	// use is picked based on the runtime_handler provided by the CRI. If
	// no runtime_handler is provided, the runtime will be picked based on
	// the level of trust of the workload.
	Runtimes Runtimes `toml:"runtimes"`

	// Workloads defines a list of workload types that have grouped settings
	// that will be applied to containers.
	Workloads Workloads `toml:"workloads"`

	// PidsLimit is the number of processes each container is restricted to
	// by the cgroup process number controller.
	PidsLimit int64 `toml:"pids_limit"`

	// LogSizeMax is the maximum number of bytes after which the log file
	// will be truncated. It can be expressed as a human-friendly string
	// that is parsed to bytes.
	// Negative values indicate that the log file won't be truncated.
	LogSizeMax int64 `toml:"log_size_max"`

	// CtrStopTimeout specifies the time to wait before generating an
	// error because the container state is still tagged as "running".
	CtrStopTimeout int64 `toml:"ctr_stop_timeout"`

	// SeparatePullCgroup specifies whether an image pull must be performed in
	// a separate cgroup.
	SeparatePullCgroup string `toml:"separate_pull_cgroup"`

	// InfraCtrCPUSet is the CPU set that will be used to run infra containers.
	InfraCtrCPUSet string `toml:"infra_ctr_cpuset"`

	// SharedCPUSet is the CPU set for containers that want access to shared
	// cpus. (The leading part of the original comment was lost in rendering.)
	SharedCPUSet string `toml:"shared_cpuset"`

	// AbsentMountSourcesToReject is a list of paths that, when absent from the
	// host, will cause a container creation to fail (as opposed to the current
	// behavior of creating a directory).
	AbsentMountSourcesToReject []string `toml:"absent_mount_sources_to_reject"`

	// EnablePodEvents specifies if the container pod-level events should be
	// generated to optimize the PLEG at Kubelet.
	EnablePodEvents bool `toml:"enable_pod_events"`

	// IrqBalanceConfigRestoreFile is the irqbalance service banned CPU list to
	// restore. If empty, no restoration attempt will be done.
	IrqBalanceConfigRestoreFile string `toml:"irqbalance_config_restore_file"`

	// HostNetworkDisableSELinux controls whether SELinux should be disabled
	// within a pod, when it is running in the host network namespace.
	// https://github.com/cri-o/cri-o/issues/5501
	HostNetworkDisableSELinux bool `toml:"hostnetwork_disable_selinux"`

	// DisableHostPortMapping is the option to disable hostport mapping in
	// CRI-O. Default value is 'false'.
	DisableHostPortMapping bool `toml:"disable_hostport_mapping"`

	// Timezone is the option to set the timezone inside the container.
	// Use 'Local' to match the timezone of the host machine.
	Timezone string `toml:"timezone"`

	// contains filtered or unexported fields
}
RuntimeConfig represents the "crio.runtime" TOML config table.
func (*RuntimeConfig) AppArmor ¶
func (c *RuntimeConfig) AppArmor() *apparmor.Config
AppArmor returns the AppArmor configuration
func (*RuntimeConfig) BlockIO ¶
func (c *RuntimeConfig) BlockIO() *blockio.Config
BlockIO returns the blockio configuration
func (*RuntimeConfig) CgroupManager ¶
func (c *RuntimeConfig) CgroupManager() cgmgr.CgroupManager
CgroupManager returns the CgroupManager configuration
func (*RuntimeConfig) CheckpointRestore ¶
func (c *RuntimeConfig) CheckpointRestore() bool
func (*RuntimeConfig) ConmonSupportsLogGlobalSizeMax ¶
func (c *RuntimeConfig) ConmonSupportsLogGlobalSizeMax() bool
func (*RuntimeConfig) ConmonSupportsSync ¶
func (c *RuntimeConfig) ConmonSupportsSync() bool
func (*RuntimeConfig) Devices ¶
func (c *RuntimeConfig) Devices() []device.Device
func (*RuntimeConfig) NamespaceManager ¶
func (c *RuntimeConfig) NamespaceManager() *nsmgr.NamespaceManager
NamespaceManager returns the NamespaceManager configuration
func (*RuntimeConfig) Rdt ¶
func (c *RuntimeConfig) Rdt() *rdt.Config
Rdt returns the RDT configuration
func (*RuntimeConfig) Seccomp ¶
func (c *RuntimeConfig) Seccomp() *seccomp.Config
Seccomp returns the seccomp configuration
func (*RuntimeConfig) Sysctls ¶
func (c *RuntimeConfig) Sysctls() ([]Sysctl, error)
Sysctls returns the parsed sysctl slice, and an error if the sysctls are not parsable. Some of the validation is based on https://github.com/containers/common/blob/main/pkg/sysctl/sysctl.go
func (*RuntimeConfig) TranslateMonitorFields ¶
func (c *RuntimeConfig) TranslateMonitorFields(onExecution bool) error
func (*RuntimeConfig) TranslateMonitorFieldsForHandler ¶
func (c *RuntimeConfig) TranslateMonitorFieldsForHandler(handler *RuntimeHandler, onExecution bool) error
TranslateMonitorFields is a transitional function that takes the configuration fields previously held by the RuntimeConfig that are being moved inside of the runtime handler structure.
func (*RuntimeConfig) Ulimits ¶
func (c *RuntimeConfig) Ulimits() []ulimits.Ulimit
Ulimits returns the Ulimits configuration
func (*RuntimeConfig) Validate ¶
func (c *RuntimeConfig) Validate(systemContext *types.SystemContext, onExecution bool) error
Validate is the main entry point for runtime configuration validation. The parameter `onExecution` specifies whether the validation should include execution checks. It returns an `error` on validation failure, otherwise `nil`.
func (*RuntimeConfig) ValidateConmonPath ¶
func (c *RuntimeConfig) ValidateConmonPath(executable string, handler *RuntimeHandler) error
ValidateConmonPath checks if `Conmon` is set within the `RuntimeConfig`. If this is not the case, it tries to find it within the $PATH variable. In any other case, it simply checks if `Conmon` is a valid file.
func (*RuntimeConfig) ValidateDefaultRuntime ¶
func (c *RuntimeConfig) ValidateDefaultRuntime() error
ValidateDefaultRuntime ensures that the default runtime is set and valid.
func (*RuntimeConfig) ValidatePinnsPath ¶
func (c *RuntimeConfig) ValidatePinnsPath(executable string) error
func (*RuntimeConfig) ValidateRuntimes ¶
func (c *RuntimeConfig) ValidateRuntimes() error
ValidateRuntimes checks every runtime if its members are valid
type RuntimeHandler ¶
// RuntimeHandler represents each item of the "crio.runtime.runtimes" TOML config table.
type RuntimeHandler struct {
	RuntimeConfigPath string `toml:"runtime_config_path"`
	RuntimePath       string `toml:"runtime_path"`
	RuntimeType       string `toml:"runtime_type"`
	RuntimeRoot       string `toml:"runtime_root"`
	// PrivilegedWithoutHostDevices can be used to restrict passing host devices
	// to a container running as privileged.
	PrivilegedWithoutHostDevices bool `toml:"privileged_without_host_devices,omitempty"`
	// AllowedAnnotations is a slice of experimental annotations that this runtime handler is allowed to process.
	// The currently recognized values are:
	// "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod.
	// "io.kubernetes.cri-o.Devices" for configuring devices for the pod.
	// "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm.
	// "io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME" for configuring the cgroup v2 unified block for a container.
	// "io.containers.trace-syscall" for tracing syscalls via the OCI seccomp BPF hook.
	// "io.kubernetes.cri-o.LinkLogs" for linking logs into the pod.
	// "seccomp-profile.kubernetes.cri-o.io" for setting the seccomp profile for:
	//   - a specific container by using: `seccomp-profile.kubernetes.cri-o.io/<CONTAINER_NAME>`
	//   - a whole pod by using: `seccomp-profile.kubernetes.cri-o.io/POD`
	// Note that the annotation works on containers as well as on images.
	// For images, the plain annotation `seccomp-profile.kubernetes.cri-o.io`
	// can be used without the required `/POD` suffix or a container name.
	// "io.kubernetes.cri-o.DisableFIPS" for disabling FIPS mode for a pod within a FIPS-enabled Kubernetes cluster.
	// NOTE(review): every entry enabled here lets a pod annotation steer node-side
	// behaviour (devices, seccomp profile, FIPS mode per the list above), so the list
	// should be kept to what workloads on this handler actually need.
	AllowedAnnotations []string `toml:"allowed_annotations,omitempty"`
	// DisallowedAnnotations is the slice of experimental annotations that are not allowed for this handler.
	// The "-" tag keeps it out of TOML decoding; it is presumably filled in at load time.
	DisallowedAnnotations []string `toml:"-"`
	// Fields prefixed by Monitor hold the configuration for the monitor for this runtime.
	// At present, the following monitors are supported:
	//   oci supports conmon
	//   vm does not support any runtime monitor
	MonitorPath   string   `toml:"monitor_path,omitempty"`
	MonitorCgroup string   `toml:"monitor_cgroup,omitempty"`
	MonitorEnv    []string `toml:"monitor_env,omitempty"`
	// MonitorExecCgroup indicates whether to move exec probes to the container's cgroup.
	// Note that this is a string rather than a bool; the accepted values are not shown here.
	MonitorExecCgroup string `toml:"monitor_exec_cgroup,omitempty"`
	// PlatformRuntimePaths defines a configuration option that specifies
	// the runtime paths for different platforms.
	PlatformRuntimePaths map[string]string `toml:"platform_runtime_paths,omitempty"`
	// RuntimePullImage marks the runtime as performing image pulling on its own,
	// so it doesn't require crio to do it.
	RuntimePullImage bool `toml:"runtime_pull_image,omitempty"`
	// ContainerMinMemory is the minimum memory that must be set for a container.
	// SetContainerMinMemory applies a default when this is left empty.
	ContainerMinMemory string `toml:"container_min_memory,omitempty"`
	// contains filtered or unexported fields
}
RuntimeHandler represents each item of the "crio.runtime.runtimes" TOML config table.
func (*RuntimeHandler) LoadRuntimeFeatures ¶
func (r *RuntimeHandler) LoadRuntimeFeatures(input []byte) error
LoadRuntimeFeatures loads features for a given runtime handler using the "features" sub-command output, where said output contains a JSON document called "Features Structure" that describes the runtime handler's supported features.
func (*RuntimeHandler) RuntimeSupportsIDMap ¶
func (r *RuntimeHandler) RuntimeSupportsIDMap() bool
RuntimeSupportsIDMap returns whether this runtime supports the "runtime features" command and whether the output of that command advertises IDMap mounts as an option.
func (*RuntimeHandler) RuntimeSupportsMountFlag ¶
func (r *RuntimeHandler) RuntimeSupportsMountFlag(flag string) bool
RuntimeSupportsMountFlag returns whether this runtime supports the specified mount option.
func (*RuntimeHandler) RuntimeSupportsRROMounts ¶
func (r *RuntimeHandler) RuntimeSupportsRROMounts() bool
RuntimeSupportsRROMounts returns whether this runtime supports the Recursive Read-only mount as an option.
func (*RuntimeHandler) SetContainerMinMemory ¶
func (r *RuntimeHandler) SetContainerMinMemory() (int64, error)
SetContainerMinMemory sets the minimum container memory for a given runtime. It assigns defaultContainerMinMemory if no container_min_memory is provided.
func (*RuntimeHandler) Validate ¶
func (r *RuntimeHandler) Validate(name string) error
Validate checks if the whole runtime is valid.
func (*RuntimeHandler) ValidateRuntimeAllowedAnnotations ¶
func (r *RuntimeHandler) ValidateRuntimeAllowedAnnotations() error
func (*RuntimeHandler) ValidateRuntimeConfigPath ¶
func (r *RuntimeHandler) ValidateRuntimeConfigPath(name string) error
ValidateRuntimeConfigPath checks if the `RuntimeConfigPath` exists.
func (*RuntimeHandler) ValidateRuntimePath ¶
func (r *RuntimeHandler) ValidateRuntimePath(name string) error
ValidateRuntimePath checks if the `RuntimePath` is either set or available within the $PATH environment. The method fails on any `RuntimePath` lookup error.
func (*RuntimeHandler) ValidateRuntimeType ¶
func (r *RuntimeHandler) ValidateRuntimeType(name string) error
ValidateRuntimeType checks if the `RuntimeType` is valid.
func (*RuntimeHandler) ValidateRuntimeVMBinaryPattern ¶
func (r *RuntimeHandler) ValidateRuntimeVMBinaryPattern() bool
type StatsConfig ¶
// StatsConfig specifies all necessary configuration for reporting container/pod stats
// and pod sandbox metrics.
type StatsConfig struct {
	// StatsCollectionPeriod is the number of seconds between collecting pod and container stats.
	// If set to 0, the stats are collected on-demand instead.
	StatsCollectionPeriod int `toml:"stats_collection_period"`
	// CollectionPeriod is the number of seconds between collecting pod/container stats
	// and pod sandbox metrics. If set to 0, the metrics/stats are collected on-demand instead.
	// NOTE(review): how this interacts with StatsCollectionPeriod when both are set is not
	// described here — confirm which one takes precedence.
	CollectionPeriod int `toml:"collection_period"`
	// IncludedPodMetrics specifies the list of metrics to include when collecting pod metrics.
	// If empty, all available metrics will be collected.
	IncludedPodMetrics []string `toml:"included_pod_metrics"`
}
StatsConfig specifies all necessary configuration for reporting container/pod stats and pod sandbox metrics.
type Sysctl ¶
// Sysctl is a generic abstraction over key value based sysctls.
type Sysctl struct {
	// contains filtered or unexported fields
}
Sysctl is a generic abstraction over key value based sysctls.
func (*Sysctl) Validate ¶
Validate checks that a sysctl is whitelisted because it is known to be namespaced by the Linux kernel. The parameters hostNet and hostIPC are used to forbid sysctls for pods sharing the respective namespaces with the host. This check is only applied to sysctls defined by the user in the crio.conf file.
type TracingConfig ¶
// TracingConfig specifies all necessary configuration for OpenTelemetry trace exports.
type TracingConfig struct {
	// EnableTracing can be used to globally enable or disable tracing support.
	EnableTracing bool `toml:"enable_tracing"`
	// TracingEndpoint is the address on which the grpc tracing collector server will listen.
	TracingEndpoint string `toml:"tracing_endpoint"`
	// TracingSamplingRatePerMillion is the number of samples to collect per million spans.
	// Set to 1000000 to always sample. Defaults to 0.
	TracingSamplingRatePerMillion int `toml:"tracing_sampling_rate_per_million"`
}
TracingConfig specifies all necessary configuration for OpenTelemetry trace exports.
type WorkloadConfig ¶
// WorkloadConfig describes one entry of the Workloads map: the annotation that
// activates it, the annotations it may process, and the resources a pod may override.
type WorkloadConfig struct {
	// ActivationAnnotation is the pod annotation that activates these workload settings.
	ActivationAnnotation string `toml:"activation_annotation"`
	// AnnotationPrefix is the way a pod can override a specific resource for a container.
	// The full annotation must be of the form $annotation_prefix.$resource/$ctrname = $value
	AnnotationPrefix string `toml:"annotation_prefix"`
	// AllowedAnnotations is a slice of experimental annotations that this workload is allowed to process.
	// The currently recognized values are:
	// "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod.
	// "io.kubernetes.cri-o.Devices" for configuring devices for the pod.
	// "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm.
	// "io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME" for configuring the cgroup v2 unified block for a container.
	// "io.containers.trace-syscall" for tracing syscalls via the OCI seccomp BPF hook.
	// "seccomp-profile.kubernetes.cri-o.io" for setting the seccomp profile for a specific container, pod or whole image.
	// NOTE(review): every entry enabled here lets a pod annotation steer node-side
	// behaviour (devices, seccomp profile per the list above), so the list should be
	// kept to what this workload actually needs.
	AllowedAnnotations []string `toml:"allowed_annotations,omitempty"`
	// DisallowedAnnotations is the slice of experimental annotations that are not allowed for this workload.
	// NOTE(review): unlike RuntimeHandler.DisallowedAnnotations this field carries no `toml:"-"` tag;
	// whether it can be set from the config file depends on the TOML decoder — confirm.
	DisallowedAnnotations []string
	// Resources are the names of the resources that can be overridden by annotation.
	// The key of the map is the resource name. The following resources are supported:
	//   `cpushares`: configure cpu shares for a given container
	//   `cpuquota`: configure cpu quota for a given container
	//   `cpuperiod`: configure cpu period for a given container
	//   `cpuset`: configure cpuset for a given container
	//   `cpulimit`: configure cpu quota in millicores for a given container, overrides the `cpuquota` field
	// The value of the map is the default value for that resource.
	// If a container is configured to use this workload, and does not specify
	// the annotation with the resource and value, the default value will apply.
	// Default values do not need to be specified.
	Resources *Resources `toml:"resources"`
}
func (*WorkloadConfig) Validate ¶
func (w *WorkloadConfig) Validate(workloadName string) error
func (*WorkloadConfig) ValidateWorkloadAllowedAnnotations ¶
func (w *WorkloadConfig) ValidateWorkloadAllowedAnnotations() error
type Workloads ¶
// Workloads is the set of configured WorkloadConfig entries keyed by name
// (presumably the workload name that WorkloadConfig.Validate receives — confirm).
type Workloads map[string]*WorkloadConfig
func (Workloads) AllowedAnnotations ¶
func (Workloads) FilterDisallowedAnnotations ¶
FilterDisallowedAnnotations filters annotations that are not specified in the allowed_annotations map for a given handler. This function returns an error if the runtime handler can't be found. The annotations map is mutated in-place.