containers: cri-o: kubernetes runc backend

To prepare for native kubernetes support without docker on a target, we integrate the cri-o incubator project. cri-o is meant to provide an integration path between OCI conformant runtimes and the kubelet. Specifically, it implements the Kubelet Container Runtime Interface (CRI) using OCI conformant runtimes. The scope of cri-o is tied to the scope of the CRI. This initial introduction is build + packaging only. It is expected that configuration and deployment tweaks are done at the distro level. Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
author: Bruce Ashfield <bruce.ashfield@windriver.com> 2017-09-29 08:57:44 -0400
committer: Bruce Ashfield <bruce.ashfield@windriver.com> 2017-10-02 09:15:42 -0400
commit: 0ff8923f08ae9f7a0e8ec71e4d5a7edb1d027b43 (patch)
tree: 270fe64ca18412a27ca297a3a527c65426141a32
parent: 6c3a6c31cc477dae7524f21b147783c0bd1c0a93 (diff)
download: meta-virtualization-0ff8923f08ae9f7a0e8ec71e4d5a7edb1d027b43.tar.gz
3 files changed, 303 insertions, 0 deletions
diff --git a/recipes-containers/cri-o/cri-o_git.bb b/recipes-containers/cri-o/cri-o_git.bb
new file mode 100644
index 00000000..c14d54dc
--- /dev/null
+++ b/recipes-containers/cri-o/cri-o_git.bb
@@ -0,0 +1,130 @@
+HOMEPAGE = "https://github.com/kubernetes-incubator/cri-o"
+SUMMARY = "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface"
+DESCRIPTION = "cri-o is meant to provide an integration path between OCI conformant \
+runtimes and the kubelet. Specifically, it implements the Kubelet Container Runtime \
+Interface (CRI) using OCI conformant runtimes. The scope of cri-o is tied to the scope of the CRI. \
+. \
+At a high level, we expect the scope of cri-o to be restricted to the following functionalities: \
+. \
+ - Support multiple image formats including the existing Docker image format \
+ - Support for multiple means to download images including trust & image verification \
+ - Container image management (managing image layers, overlay filesystems, etc) \
+ - Container process lifecycle management \
+ - Monitoring and logging required to satisfy the CRI \
+ - Resource isolation as required by the CRI \
+ "
+SRCREV_cri-o = "65faae67828fb3eb3eac05b582aae9f9d1dea51c"
+SRC_URI = "\
+        git://github.com/kubernetes-incubator/cri-o.git;nobranch=1;name=cri-o \
+        file://0001-Makefile-force-symlinks.patch \
+        file://crio.conf \
+        "
+# Apache-2.0 for docker
+LICENSE = "Apache-2.0"
+LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=e3fc50a88d0a364313df4b21ef20c29e"
+GO_IMPORT = "import"
+PV = "1.0.0-rc3-dev+git${SRCREV_cri-o}"
+DEPENDS = " \
+    glib-2.0 \
+    btrfs-tools \
+    gpgme \
+    ostree \
+    libdevmapper \
+    "
+RDEPENDS_${PN} = " \
+    cni \
+    "
+PACKAGES =+ "${PN}-config"
+RDEPENDS_${PN} += " virtual/containerd virtual/runc"
+RDEPENDS_${PN} += " e2fsprogs-mke2fs"
+inherit systemd
+inherit go
+inherit goarch
+inherit pkgconfig
+EXTRA_OEMAKE="BUILDTAGS=''"
+do_compile() {
+        export GOARCH="${TARGET_GOARCH}"
+        export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
+        export GOPATH="${S}/src/import:${S}/src/import/vendor"
+        # Pass the needed cflags/ldflags so that cgo
+        # can find the needed headers files and libraries
+        export CGO_ENABLED="1"
+        export CFLAGS=""
+        export LDFLAGS=""
+        export CGO_CFLAGS="${BUILDSDK_CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+        export CGO_LDFLAGS="${BUILDSDK_LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+        # link fixups for compilation
+        rm -f ${S}/src/import/vendor/src
+        ln -sf ./ ${S}/src/import/vendor/src
+        mkdir -p ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o
+        ln -sf ../../../../cmd ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/cmd
+        ln -sf ../../../../test ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/test
+        ln -sf ../../../../oci ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/oci
+        ln -sf ../../../../server ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/server
+        ln -sf ../../../../pkg ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/pkg
+        ln -sf ../../../../libpod ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/libpod
+        ln -sf ../../../../libkpod ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/libkpod
+        ln -sf ../../../../utils ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/utils
+        export GOPATH="${S}/src/import/.gopath:${S}/src/import/vendor:${STAGING_DIR_TARGET}/${prefix}/local/go"
+        export GOROOT="${STAGING_DIR_NATIVE}/${nonarch_libdir}/${HOST_SYS}/go"
+        # Pass the needed cflags/ldflags so that cgo
+        # can find the needed headers files and libraries
+        export CGO_ENABLED="1"
+        export CGO_CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+        export CGO_LDFLAGS="${LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
+        cd ${S}/src/import
+        oe_runmake binaries
+}
+SYSTEMD_PACKAGES = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${PN}','',d)}"
+SYSTEMD_SERVICE_${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','crio.service','',d)}"
+SYSTEMD_AUTO_ENABLE_${PN} = "enable"
+do_install() {
+    localbindir="/usr/local/bin"
+    install -d ${D}${localbindir}
+    install -d ${D}/${libexecdir}/crio
+    install -d ${D}/${sysconfdir}/crio
+    install -d ${D}${systemd_unitdir}/system/
+    install ${WORKDIR}/crio.conf ${D}/${sysconfdir}/crio/crio.conf
+    # sample config files, they'll go in the ${PN}-config below
+    install -d ${D}/${sysconfdir}/crio/config/
+    install -m 755 -D ${S}/src/import/test/testdata/* ${D}/${sysconfdir}/crio/config/
+    install ${S}/src/import/crio ${D}/${localbindir}
+    install ${S}/src/import/crioctl ${D}/${localbindir}
+    install ${S}/src/import/kpod ${D}/${localbindir}
+    install ${S}/src/import/conmon/conmon ${D}/${libexecdir}/crio
+    install ${S}/src/import/pause/pause ${D}/${libexecdir}/crio
+    install -m 0644 ${S}/src/import/contrib/systemd/crio.service  ${D}${systemd_unitdir}/system/
+    install -m 0644 ${S}/src/import/contrib/systemd/crio-shutdown.service  ${D}${systemd_unitdir}/system/
+}
+FILES_${PN}-config = "${sysconfdir}/crio/config/*"
+FILES_${PN} += "${systemd_unitdir}/system/*"
+FILES_${PN} += "/usr/local/bin/*"
+INHIBIT_PACKAGE_STRIP = "1"
+INSANE_SKIP_${PN} += "ldflags already-stripped"
diff --git a/recipes-containers/cri-o/files/0001-Makefile-force-symlinks.patch b/recipes-containers/cri-o/files/0001-Makefile-force-symlinks.patch
new file mode 100644
index 00000000..320eac86
--- /dev/null
+++ b/recipes-containers/cri-o/files/0001-Makefile-force-symlinks.patch
@@ -0,0 +1,26 @@
+From a4433978bf324525b4c260b0e9615ae27271fe55 Mon Sep 17 00:00:00 2001
+From: Bruce Ashfield <bruce.ashfield@windriver.com>
+Date: Wed, 20 Sep 2017 12:05:40 -0400
+Subject: [PATCH] Makefile: force symlinks
+Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/import/Makefile b/src/import/Makefile
+index e3e5050bb7f6..4ad3fb7ff0a9 100644
+--- a/src/import/Makefile
+++ b/src/import/Makefile
+@@ -53,7 +53,7 @@ help:
+ .gopathok:
+ ifeq ("$(wildcard $(GOPKGDIR))","")
+        mkdir -p "$(GOPKGBASEDIR)"
+-       ln -s "$(CURDIR)" "$(GOPKGBASEDIR)"
+       ln -sf "$(CURDIR)" "$(GOPKGBASEDIR)"
+ endif
+        touch "$(GOPATH)/.gopathok"
+ 
+-- 
+2.4.0.53.g8440f74
diff --git a/recipes-containers/cri-o/files/crio.conf b/recipes-containers/cri-o/files/crio.conf
new file mode 100644
index 00000000..51d7f404
--- /dev/null
+++ b/recipes-containers/cri-o/files/crio.conf
@@ -0,0 +1,147 @@
+# generated via: crio --config="" config --default
+# The "crio" table contains all of the server options.
+[crio]
+# root is a path to the "root directory". CRIO stores all of its data,
+# including container images, in this directory.
+root = "/var/lib/containers/storage"
+# run is a path to the "run directory". CRIO stores all of its state
+# in this directory.
+runroot = "/var/run/containers/storage"
+# storage_driver select which storage driver is used to manage storage
+# of images and containers.
+storage_driver = ""
+# storage_option is used to pass an option to the storage driver.
+storage_option = [
+]
+# The "crio.api" table contains settings for the kubelet/gRPC
+# interface (which is also used by crioctl).
+[crio.api]
+# listen is the path to the AF_LOCAL socket on which crio will listen.
+listen = "/var/run/crio.sock"
+# stream_address is the IP address on which the stream server will listen
+stream_address = ""
+# stream_port is the port on which the stream server will listen
+stream_port = "10010"
+# file_locking is whether file-based locking will be used instead of
+# in-memory locking
+file_locking = true
+# The "crio.runtime" table contains settings pertaining to the OCI
+# runtime used and options for how to set up and manage the OCI runtime.
+[crio.runtime]
+# runtime is the OCI compatible runtime used for trusted container workloads.
+# This is a mandatory setting as this runtime will be the default one
+# and will also be used for untrusted container workloads if
+# runtime_untrusted_workload is not set.
+runtime = "/usr/bin/runc"
+# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
+# container workloads. This is an optional setting, except if
+# default_container_trust is set to "untrusted".
+runtime_untrusted_workload = ""
+# default_workload_trust is the default level of trust crio puts in container
+# workloads. It can either be "trusted" or "untrusted", and the default
+# is "trusted".
+# Containers can be run through different container runtimes, depending on
+# the trust hints we receive from kubelet:
+# - If kubelet tags a container workload as untrusted, crio will try first to
+# run it through the untrusted container workload runtime. If it is not set,
+# crio will use the trusted runtime.
+# - If kubelet does not provide any information about the container workload trust
+# level, the selected runtime will depend on the default_container_trust setting.
+# If it is set to "untrusted", then all containers except for the host privileged
+# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
+# containers are by definition trusted and will always use the trusted container
+# runtime. If default_container_trust is set to "trusted", crio will use the trusted
+# container runtime for all containers.
+default_workload_trust = "trusted"
+# conmon is the path to conmon binary, used for managing the runtime.
+conmon = "/usr/libexec/crio/conmon"
+# conmon_env is the environment variable list for conmon process,
+# used for passing necessary environment variable to conmon or runtime.
+conmon_env = [
+        "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+]
+# selinux indicates whether or not SELinux will be used for pod
+# separation on the host. If you enable this flag, SELinux must be running
+# on the host.
+selinux = false
+# seccomp_profile is the seccomp json profile path which is used as the
+# default for the runtime.
+seccomp_profile = "/etc/crio/seccomp.json"
+# apparmor_profile is the apparmor profile name which is used as the
+# default for the runtime.
+apparmor_profile = "crio-default"
+# cgroup_manager is the cgroup management implementation to be used
+# for the runtime.
+cgroup_manager = "cgroupfs"
+# hooks_dir_path is the oci hooks directory for automatically executed hooks
+hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+# pids_limit is the number of processes allowed in a container
+pids_limit = 1024
+# The "crio.image" table contains settings pertaining to the
+# management of OCI images.
+[crio.image]
+# default_transport is the prefix we try prepending to an image name if the
+# image name as we receive it can't be parsed as a valid source reference
+default_transport = "docker://"
+# pause_image is the image which we use to instantiate infra containers.
+pause_image = "kubernetes/pause"
+# pause_command is the command to run in a pause_image to have a container just
+# sit there.  If the image contains the necessary information, this value need
+# not be specified.
+pause_command = "/pause"
+# signature_policy is the name of the file which decides what sort of policy we
+# use when deciding whether or not to trust an image that we've pulled.
+# Outside of testing situations, it is strongly advised that this be left
+# unspecified so that the default system-wide policy will be used.
+signature_policy = ""
+# image_volumes controls how image volumes are handled.
+# The valid values are mkdir and ignore.
+image_volumes = "mkdir"
+# insecure_registries is used to skip TLS verification when pulling images.
+insecure_registries = [
+]
+# registries is used to specify a comma separated list of registries to be used
+# when pulling an unqualified image (e.g. fedora:rawhide).
+registries = [
+]
+# The "crio.network" table contains settings pertaining to the
+# management of CNI plugins.
+[crio.network]
+# network_dir is is where CNI network configuration
+# files are stored.
+network_dir = "/etc/cni/net.d/"
+# plugin_dir is is where CNI plugin binaries are stored.
+plugin_dir = "/opt/cni/bin/"
author	Bruce Ashfield <bruce.ashfield@windriver.com>	2017-09-29 08:57:44 -0400
committer	Bruce Ashfield <bruce.ashfield@windriver.com>	2017-10-02 09:15:42 -0400
commit	0ff8923f08ae9f7a0e8ec71e4d5a7edb1d027b43 (patch)
tree	270fe64ca18412a27ca297a3a527c65426141a32
parent	6c3a6c31cc477dae7524f21b147783c0bd1c0a93 (diff)
download	meta-virtualization-0ff8923f08ae9f7a0e8ec71e4d5a7edb1d027b43.tar.gz

diff --git a/recipes-containers/cri-o/cri-o_git.bb b/recipes-containers/cri-o/cri-o_git.bb new file mode 100644 index 00000000..c14d54dc --- /dev/null +++ b/recipes-containers/cri-o/cri-o_git.bb
@@ -0,0 +1,130 @@
	1	HOMEPAGE = "https://github.com/kubernetes-incubator/cri-o"
	2	SUMMARY = "Open Container Initiative-based implementation of Kubernetes Container Runtime Interface"
	3	DESCRIPTION = "cri-o is meant to provide an integration path between OCI conformant \
	4	runtimes and the kubelet. Specifically, it implements the Kubelet Container Runtime \
	5	Interface (CRI) using OCI conformant runtimes. The scope of cri-o is tied to the scope of the CRI. \
	6	. \
	7	At a high level, we expect the scope of cri-o to be restricted to the following functionalities: \
	8	. \
	9	- Support multiple image formats including the existing Docker image format \
	10	- Support for multiple means to download images including trust & image verification \
	11	- Container image management (managing image layers, overlay filesystems, etc) \
	12	- Container process lifecycle management \
	13	- Monitoring and logging required to satisfy the CRI \
	14	- Resource isolation as required by the CRI \
	15	"
	16
	17	SRCREV_cri-o = "65faae67828fb3eb3eac05b582aae9f9d1dea51c"
	18	SRC_URI = "\
	19	git://github.com/kubernetes-incubator/cri-o.git;nobranch=1;name=cri-o \
	20	file://0001-Makefile-force-symlinks.patch \
	21	file://crio.conf \
	22	"
	23
	24	# Apache-2.0 for docker
	25	LICENSE = "Apache-2.0"
	26	LIC_FILES_CHKSUM = "file://src/import/LICENSE;md5=e3fc50a88d0a364313df4b21ef20c29e"
	27
	28	GO_IMPORT = "import"
	29
	30	PV = "1.0.0-rc3-dev+git${SRCREV_cri-o}"
	31
	32	DEPENDS = " \
	33	glib-2.0 \
	34	btrfs-tools \
	35	gpgme \
	36	ostree \
	37	libdevmapper \
	38	"
	39	RDEPENDS_${PN} = " \
	40	cni \
	41	"
	42
	43	PACKAGES =+ "${PN}-config"
	44
	45	RDEPENDS_${PN} += " virtual/containerd virtual/runc"
	46	RDEPENDS_${PN} += " e2fsprogs-mke2fs"
	47
	48	inherit systemd
	49	inherit go
	50	inherit goarch
	51	inherit pkgconfig
	52
	53	EXTRA_OEMAKE="BUILDTAGS=''"
	54
	55	do_compile() {
	56	export GOARCH="${TARGET_GOARCH}"
	57	export GOROOT="${STAGING_LIBDIR_NATIVE}/${TARGET_SYS}/go"
	58	export GOPATH="${S}/src/import:${S}/src/import/vendor"
	59
	60	# Pass the needed cflags/ldflags so that cgo
	61	# can find the needed headers files and libraries
	62	export CGO_ENABLED="1"
	63	export CFLAGS=""
	64	export LDFLAGS=""
	65	export CGO_CFLAGS="${BUILDSDK_CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
	66	export CGO_LDFLAGS="${BUILDSDK_LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
	67
	68	# link fixups for compilation
	69	rm -f ${S}/src/import/vendor/src
	70	ln -sf ./ ${S}/src/import/vendor/src
	71
	72	mkdir -p ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o
	73	ln -sf ../../../../cmd ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/cmd
	74	ln -sf ../../../../test ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/test
	75	ln -sf ../../../../oci ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/oci
	76	ln -sf ../../../../server ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/server
	77	ln -sf ../../../../pkg ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/pkg
	78	ln -sf ../../../../libpod ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/libpod
	79	ln -sf ../../../../libkpod ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/libkpod
	80	ln -sf ../../../../utils ${S}/src/import/vendor/github.com/kubernetes-incubator/cri-o/utils
	81
	82	export GOPATH="${S}/src/import/.gopath:${S}/src/import/vendor:${STAGING_DIR_TARGET}/${prefix}/local/go"
	83	export GOROOT="${STAGING_DIR_NATIVE}/${nonarch_libdir}/${HOST_SYS}/go"
	84
	85	# Pass the needed cflags/ldflags so that cgo
	86	# can find the needed headers files and libraries
	87	export CGO_ENABLED="1"
	88	export CGO_CFLAGS="${CFLAGS} --sysroot=${STAGING_DIR_TARGET}"
	89	export CGO_LDFLAGS="${LDFLAGS} --sysroot=${STAGING_DIR_TARGET}"
	90
	91	cd ${S}/src/import
	92
	93	oe_runmake binaries
	94	}
	95
	96	SYSTEMD_PACKAGES = "${@bb.utils.contains('DISTRO_FEATURES','systemd','${PN}','',d)}"
	97	SYSTEMD_SERVICE_${PN} = "${@bb.utils.contains('DISTRO_FEATURES','systemd','crio.service','',d)}"
	98	SYSTEMD_AUTO_ENABLE_${PN} = "enable"
	99
	100	do_install() {
	101	localbindir="/usr/local/bin"
	102
	103	install -d ${D}${localbindir}
	104	install -d ${D}/${libexecdir}/crio
	105	install -d ${D}/${sysconfdir}/crio
	106	install -d ${D}${systemd_unitdir}/system/
	107
	108	install ${WORKDIR}/crio.conf ${D}/${sysconfdir}/crio/crio.conf
	109
	110	# sample config files, they'll go in the ${PN}-config below
	111	install -d ${D}/${sysconfdir}/crio/config/
	112	install -m 755 -D ${S}/src/import/test/testdata/* ${D}/${sysconfdir}/crio/config/
	113
	114	install ${S}/src/import/crio ${D}/${localbindir}
	115	install ${S}/src/import/crioctl ${D}/${localbindir}
	116	install ${S}/src/import/kpod ${D}/${localbindir}
	117
	118	install ${S}/src/import/conmon/conmon ${D}/${libexecdir}/crio
	119	install ${S}/src/import/pause/pause ${D}/${libexecdir}/crio
	120
	121	install -m 0644 ${S}/src/import/contrib/systemd/crio.service ${D}${systemd_unitdir}/system/
	122	install -m 0644 ${S}/src/import/contrib/systemd/crio-shutdown.service ${D}${systemd_unitdir}/system/
	123	}
	124
	125	FILES_${PN}-config = "${sysconfdir}/crio/config/*"
	126	FILES_${PN} += "${systemd_unitdir}/system/*"
	127	FILES_${PN} += "/usr/local/bin/*"
	128
	129	INHIBIT_PACKAGE_STRIP = "1"
	130	INSANE_SKIP_${PN} += "ldflags already-stripped"


diff --git a/recipes-containers/cri-o/files/0001-Makefile-force-symlinks.patch b/recipes-containers/cri-o/files/0001-Makefile-force-symlinks.patch new file mode 100644 index 00000000..320eac86 --- /dev/null +++ b/recipes-containers/cri-o/files/0001-Makefile-force-symlinks.patch
@@ -0,0 +1,26 @@
	1	From a4433978bf324525b4c260b0e9615ae27271fe55 Mon Sep 17 00:00:00 2001
	2	From: Bruce Ashfield <bruce.ashfield@windriver.com>
	3	Date: Wed, 20 Sep 2017 12:05:40 -0400
	4	Subject: [PATCH] Makefile: force symlinks
	5
	6	Signed-off-by: Bruce Ashfield <bruce.ashfield@windriver.com>
	7	---
	8	Makefile \| 2 +-
	9	1 file changed, 1 insertion(+), 1 deletion(-)
	10
	11	diff --git a/src/import/Makefile b/src/import/Makefile
	12	index e3e5050bb7f6..4ad3fb7ff0a9 100644
	13	--- a/src/import/Makefile
	14	+++ b/src/import/Makefile
	15	@@ -53,7 +53,7 @@ help:
	16	.gopathok:
	17	ifeq ("$(wildcard $(GOPKGDIR))","")
	18	mkdir -p "$(GOPKGBASEDIR)"
	19	- ln -s "$(CURDIR)" "$(GOPKGBASEDIR)"
	20	+ ln -sf "$(CURDIR)" "$(GOPKGBASEDIR)"
	21	endif
	22	touch "$(GOPATH)/.gopathok"
	23
	24	--
	25	2.4.0.53.g8440f74
	26


diff --git a/recipes-containers/cri-o/files/crio.conf b/recipes-containers/cri-o/files/crio.conf new file mode 100644 index 00000000..51d7f404 --- /dev/null +++ b/recipes-containers/cri-o/files/crio.conf
@@ -0,0 +1,147 @@
	1	# generated via: crio --config="" config --default
	2
	3	# The "crio" table contains all of the server options.
	4	[crio]
	5
	6	# root is a path to the "root directory". CRIO stores all of its data,
	7	# including container images, in this directory.
	8	root = "/var/lib/containers/storage"
	9
	10	# run is a path to the "run directory". CRIO stores all of its state
	11	# in this directory.
	12	runroot = "/var/run/containers/storage"
	13
	14	# storage_driver select which storage driver is used to manage storage
	15	# of images and containers.
	16	storage_driver = ""
	17
	18	# storage_option is used to pass an option to the storage driver.
	19	storage_option = [
	20	]
	21
	22	# The "crio.api" table contains settings for the kubelet/gRPC
	23	# interface (which is also used by crioctl).
	24	[crio.api]
	25
	26	# listen is the path to the AF_LOCAL socket on which crio will listen.
	27	listen = "/var/run/crio.sock"
	28
	29	# stream_address is the IP address on which the stream server will listen
	30	stream_address = ""
	31
	32	# stream_port is the port on which the stream server will listen
	33	stream_port = "10010"
	34
	35	# file_locking is whether file-based locking will be used instead of
	36	# in-memory locking
	37	file_locking = true
	38
	39	# The "crio.runtime" table contains settings pertaining to the OCI
	40	# runtime used and options for how to set up and manage the OCI runtime.
	41	[crio.runtime]
	42
	43	# runtime is the OCI compatible runtime used for trusted container workloads.
	44	# This is a mandatory setting as this runtime will be the default one
	45	# and will also be used for untrusted container workloads if
	46	# runtime_untrusted_workload is not set.
	47	runtime = "/usr/bin/runc"
	48
	49	# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
	50	# container workloads. This is an optional setting, except if
	51	# default_container_trust is set to "untrusted".
	52	runtime_untrusted_workload = ""
	53
	54	# default_workload_trust is the default level of trust crio puts in container
	55	# workloads. It can either be "trusted" or "untrusted", and the default
	56	# is "trusted".
	57	# Containers can be run through different container runtimes, depending on
	58	# the trust hints we receive from kubelet:
	59	# - If kubelet tags a container workload as untrusted, crio will try first to
	60	# run it through the untrusted container workload runtime. If it is not set,
	61	# crio will use the trusted runtime.
	62	# - If kubelet does not provide any information about the container workload trust
	63	# level, the selected runtime will depend on the default_container_trust setting.
	64	# If it is set to "untrusted", then all containers except for the host privileged
	65	# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
	66	# containers are by definition trusted and will always use the trusted container
	67	# runtime. If default_container_trust is set to "trusted", crio will use the trusted
	68	# container runtime for all containers.
	69	default_workload_trust = "trusted"
	70
	71	# conmon is the path to conmon binary, used for managing the runtime.
	72	conmon = "/usr/libexec/crio/conmon"
	73
	74	# conmon_env is the environment variable list for conmon process,
	75	# used for passing necessary environment variable to conmon or runtime.
	76	conmon_env = [
	77	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
	78	]
	79
	80	# selinux indicates whether or not SELinux will be used for pod
	81	# separation on the host. If you enable this flag, SELinux must be running
	82	# on the host.
	83	selinux = false
	84
	85	# seccomp_profile is the seccomp json profile path which is used as the
	86	# default for the runtime.
	87	seccomp_profile = "/etc/crio/seccomp.json"
	88
	89	# apparmor_profile is the apparmor profile name which is used as the
	90	# default for the runtime.
	91	apparmor_profile = "crio-default"
	92
	93	# cgroup_manager is the cgroup management implementation to be used
	94	# for the runtime.
	95	cgroup_manager = "cgroupfs"
	96
	97	# hooks_dir_path is the oci hooks directory for automatically executed hooks
	98	hooks_dir_path = "/usr/share/containers/oci/hooks.d"
	99
	100	# pids_limit is the number of processes allowed in a container
	101	pids_limit = 1024
	102
	103	# The "crio.image" table contains settings pertaining to the
	104	# management of OCI images.
	105	[crio.image]
	106
	107	# default_transport is the prefix we try prepending to an image name if the
	108	# image name as we receive it can't be parsed as a valid source reference
	109	default_transport = "docker://"
	110
	111	# pause_image is the image which we use to instantiate infra containers.
	112	pause_image = "kubernetes/pause"
	113
	114	# pause_command is the command to run in a pause_image to have a container just
	115	# sit there. If the image contains the necessary information, this value need
	116	# not be specified.
	117	pause_command = "/pause"
	118
	119	# signature_policy is the name of the file which decides what sort of policy we
	120	# use when deciding whether or not to trust an image that we've pulled.
	121	# Outside of testing situations, it is strongly advised that this be left
	122	# unspecified so that the default system-wide policy will be used.
	123	signature_policy = ""
	124
	125	# image_volumes controls how image volumes are handled.
	126	# The valid values are mkdir and ignore.
	127	image_volumes = "mkdir"
	128
	129	# insecure_registries is used to skip TLS verification when pulling images.
	130	insecure_registries = [
	131	]
	132
	133	# registries is used to specify a comma separated list of registries to be used
	134	# when pulling an unqualified image (e.g. fedora:rawhide).
	135	registries = [
	136	]
	137
	138	# The "crio.network" table contains settings pertaining to the
	139	# management of CNI plugins.
	140	[crio.network]
	141
	142	# network_dir is is where CNI network configuration
	143	# files are stored.
	144	network_dir = "/etc/cni/net.d/"
	145
	146	# plugin_dir is is where CNI plugin binaries are stored.
	147	plugin_dir = "/opt/cni/bin/"