[root@sno core]# cat /etc/crio.crio.conf.d/99-capabilities.conf [crio.runtime] add_inheritable_capabilities = true [root@sno core]# crio config INFO[2022-11-29 12:55:35.676049096Z] Starting CRI-O, version: 1.25.1-2.rhaos4.12.gitafa0c57.el8, git: unknown(clean) INFO Using default capabilities: CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_FSETID, CAP_FOWNER, CAP_SETGID, CAP_SETUID, CAP_SETPCAP, CAP_NET_BIND_SERVICE, CAP_KILL # The CRI-O configuration file specifies all of the available configuration # options and command-line flags for the crio(8) OCI Kubernetes Container Runtime # daemon, but in a TOML format that can be more easily modified and versioned. # # Please refer to crio.conf(5) for details of all configuration options. # CRI-O supports partial configuration reload during runtime, which can be # done by sending SIGHUP to the running process. Currently supported options # are explicitly mentioned with: 'This option supports live configuration # reload'. # CRI-O reads its storage defaults from the containers-storage.conf(5) file # located at /etc/containers/storage.conf. Modify this storage configuration if # you want to change the system's defaults. If you want to modify storage just # for CRI-O, you can change the storage configuration options here. [crio] # Path to the "root directory". CRI-O stores all of its data, including # containers images, in this directory. # root = "/var/lib/containers/storage" # Path to the "run directory". CRI-O stores all of its state in this directory. # runroot = "/run/containers/storage" # Storage driver used to manage the storage of images and containers. Please # refer to containers-storage.conf(5) to see all available storage drivers. # storage_driver = "overlay" # List to pass options to the storage driver. Please refer to # containers-storage.conf(5) to see all available storage options. # storage_option = [ # ] # The default log directory where all logs will go unless directly specified by # the kubelet. The log directory specified must be an absolute directory. # log_dir = "/var/log/crio/pods" # Location for CRI-O to lay down the temporary version file. # It is used to check if crio wipe should wipe containers, which should # always happen on a node reboot # version_file = "/var/run/crio/version" # Location for CRI-O to lay down the persistent version file. # It is used to check if crio wipe should wipe images, which should # only happen when CRI-O has been upgraded version_file_persist = "/var/lib/crio/version" # InternalWipe is whether CRI-O should wipe containers and images after a reboot when the server starts. # If set to false, one must use the external command 'crio wipe' to wipe the containers and images in these situations. # internal_wipe = true # Location for CRI-O to lay down the clean shutdown file. # It is used to check whether crio had time to sync before shutting down. # If not found, crio wipe will clear the storage directory. # clean_shutdown_file = "/var/lib/crio/clean.shutdown" # The crio.api table contains settings for the kubelet/gRPC interface. [crio.api] # Path to AF_LOCAL socket on which CRI-O will listen. # listen = "/var/run/crio/crio.sock" # IP address on which the stream server will listen. stream_address = "" # The port on which the stream server will listen. If the port is set to "0", then # CRI-O will allocate a random free port number. stream_port = "10010" # Enable encrypted TLS transport of the stream server. # stream_enable_tls = false # Length of time until open streams terminate due to lack of activity # stream_idle_timeout = "" # Path to the x509 certificate file used to serve the encrypted stream. This # file can change, and CRI-O will automatically pick up the changes within 5 # minutes. # stream_tls_cert = "" # Path to the key file used to serve the encrypted stream. This file can # change and CRI-O will automatically pick up the changes within 5 minutes. # stream_tls_key = "" # Path to the x509 CA(s) file used to verify and authenticate client # communication with the encrypted stream. This file can change and CRI-O will # automatically pick up the changes within 5 minutes. # stream_tls_ca = "" # Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024. # grpc_max_send_msg_size = 83886080 # Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024. # grpc_max_recv_msg_size = 83886080 # The crio.runtime table contains settings pertaining to the OCI runtime used # and options for how to set up and manage the OCI runtime. [crio.runtime] # A list of ulimits to be set in containers by default, specified as # "=:", for example: # "nofile=1024:2048" # If nothing is set here, settings will be inherited from the CRI-O daemon # default_ulimits = [ # ] # If true, the runtime will not use pivot_root, but instead use MS_MOVE. # no_pivot = false # decryption_keys_path is the path where the keys required for # image decryption are stored. This option supports live configuration reload. # decryption_keys_path = "/etc/crio/keys/" # Path to the conmon binary, used for monitoring the OCI runtime. # Will be searched for using $PATH if empty. # This option is currently deprecated, and will be replaced with RuntimeHandler.MonitorEnv. # conmon = "" # Cgroup setting for conmon # This option is currently deprecated, and will be replaced with RuntimeHandler.MonitorCgroup. conmon_cgroup = "pod" # Environment variable list for the conmon process, used for passing necessary # environment variables to conmon or the runtime. # This option is currently deprecated, and will be replaced with RuntimeHandler.MonitorEnv. # conmon_env = [ # ] # Additional environment variables to set for all the # containers. These are overridden if set in the # container image spec or in the container runtime configuration. default_env = [ "NSS_SDB_USE_CACHE=no", ] # If true, SELinux will be used for pod separation on the host. # selinux = true # Path to the seccomp.json profile which is used as the default seccomp profile # for the runtime. If not specified, then the internal default seccomp profile # will be used. This option supports live configuration reload. # seccomp_profile = "" # Changes the meaning of an empty seccomp profile. By default # (and according to CRI spec), an empty profile means unconfined. # This option tells CRI-O to treat an empty profile as the default profile, # which might increase security. # seccomp_use_default_when_empty = true # Used to change the name of the default AppArmor profile of CRI-O. The default # profile name is "crio-default". This profile only takes effect if the user # does not specify a profile via the Kubernetes Pod's metadata annotation. If # the profile is set to "unconfined", then this equals to disabling AppArmor. # This option supports live configuration reload. # apparmor_profile = "crio-default" # Path to the blockio class configuration file for configuring # the cgroup blockio controller. # blockio_config_file = "" # Used to change irqbalance service config file path which is used for configuring # irqbalance daemon. # irqbalance_config_file = "/etc/sysconfig/irqbalance" # Path to the RDT configuration file for configuring the resctrl pseudo-filesystem. # This option supports live configuration reload. # rdt_config_file = "" # Cgroup management implementation used for the runtime. # cgroup_manager = "systemd" # Specify whether the image pull must be performed in a separate cgroup. # separate_pull_cgroup = "" # List of default capabilities for containers. If it is empty or commented out, # only the capabilities defined in the containers json file by the user/kube # will be added. # default_capabilities = [ # "CHOWN", # "DAC_OVERRIDE", # "FSETID", # "FOWNER", # "SETGID", # "SETUID", # "SETPCAP", # "NET_BIND_SERVICE", # "KILL", # ] # Add capabilities to the inheritable set, as well as the default group of permitted, bounding and effective. # If capabilities are expected to work for non-root users, this option should be set. # add_inheritable_capabilities = false # List of default sysctls. If it is empty or commented out, only the sysctls # defined in the container json file by the user/kube will be added. default_sysctls = [ "net.ipv4.ping_group_range=0 2147483647", ] # List of devices on the host that a # user can specify with the "io.kubernetes.cri-o.Devices" allowed annotation. # allowed_devices = [ # "/dev/fuse", # ] # List of additional devices. specified as # "::", for example: "--device=/dev/sdc:/dev/xvdc:rwm". # If it is empty or commented out, only the devices # defined in the container json file by the user/kube will be added. # additional_devices = [ # ] # List of directories to scan for CDI Spec files. # cdi_spec_dirs = [ # "/etc/cdi", # "/var/run/cdi", # ] # Change the default behavior of setting container devices uid/gid from CRI's # SecurityContext (RunAsUser/RunAsGroup) instead of taking host's uid/gid. # Defaults to false. # device_ownership_from_security_context = false # Path to OCI hooks directories for automatically executed hooks. If one of the # directories does not exist, then CRI-O will automatically skip them. hooks_dir = [ "/etc/containers/oci/hooks.d", "/run/containers/oci/hooks.d", "/usr/share/containers/oci/hooks.d", ] # Path to the file specifying the defaults mounts for each container. The # format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads # its default mounts from the following two files: # # 1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the # override file, where users can either add in their own default mounts, or # override the default mounts shipped with the package. # # 2) /usr/share/containers/mounts.conf: This is the default file read for # mounts. If you want CRI-O to read from a different, specific mounts file, # you can change the default_mounts_file. Note, if this is done, CRI-O will # only add mounts it finds in this file. # # default_mounts_file = "" # Maximum number of processes allowed in a container. # This option is deprecated. The Kubelet flag '--pod-pids-limit' should be used instead. # pids_limit = 0 # Maximum sized allowed for the container log file. Negative numbers indicate # that no size limit is imposed. If it is positive, it must be >= 8192 to # match/exceed conmon's read buffer. The file is truncated and re-opened so the # limit is never exceeded. This option is deprecated. The Kubelet flag '--container-log-max-size' should be used instead. # log_size_max = -1 # Whether container output should be logged to journald in addition to the kuberentes log file # log_to_journald = false # Path to directory in which container exit files are written to by conmon. # container_exits_dir = "/var/run/crio/exits" # Path to directory for container attach sockets. # container_attach_socket_dir = "/var/run/crio" # The prefix to use for the source of the bind mounts. # bind_mount_prefix = "" # If set to true, all containers will run in read-only mode. # read_only = false # Changes the verbosity of the logs based on the level it is set to. Options # are fatal, panic, error, warn, info, debug and trace. This option supports # live configuration reload. # log_level = "info" # Filter the log messages by the provided regular expression. # This option supports live configuration reload. # log_filter = "" # The UID mappings for the user namespace of each container. A range is # specified in the form containerUID:HostUID:Size. Multiple ranges must be # separated by comma. # uid_mappings = "" # The GID mappings for the user namespace of each container. A range is # specified in the form containerGID:HostGID:Size. Multiple ranges must be # separated by comma. # gid_mappings = "" # If set, CRI-O will reject any attempt to map host UIDs below this value # into user namespaces. A negative value indicates that no minimum is set, # so specifying mappings will only be allowed for pods that run as UID 0. # minimum_mappable_uid = -1 # If set, CRI-O will reject any attempt to map host GIDs below this value # into user namespaces. A negative value indicates that no minimum is set, # so specifying mappings will only be allowed for pods that run as UID 0. # minimum_mappable_gid = -1 # The minimal amount of time in seconds to wait before issuing a timeout # regarding the proper termination of the container. The lowest possible # value is 30s, whereas lower values are not considered by CRI-O. # ctr_stop_timeout = 30 # drop_infra_ctr determines whether CRI-O drops the infra container # when a pod does not have a private PID namespace, and does not use # a kernel separating runtime (like kata). # It requires manage_ns_lifecycle to be true. # drop_infra_ctr = true # infra_ctr_cpuset determines what CPUs will be used to run infra containers. # You can use linux CPU list format to specify desired CPUs. # To get better isolation for guaranteed pods, set this parameter to be equal to kubelet reserved-cpus. infra_ctr_cpuset = "0-1,32-33" # The directory where the state of the managed namespaces gets tracked. # Only used when manage_ns_lifecycle is true. # namespaces_dir = "/var/run" # pinns_path is the path to find the pinns binary, which is needed to manage namespace lifecycle # pinns_path = "" # Globally enable/disable CRIU support which is necessary to # checkpoint and restore container or pods (even if CRIU is found in $PATH). # enable_criu_support = false # default_runtime is the _name_ of the OCI runtime to be used as the default. # default_runtime is the _name_ of the OCI runtime to be used as the default. # The name is matched against the runtimes map below. # default_runtime = "runc" # A list of paths that, when absent from the host, # will cause a container creation to fail (as opposed to the current behavior being created as a directory). # This option is to protect from source locations whose existence as a directory could jepordize the health of the node, and whose # creation as a file is not desired either. # An example is /etc/hostname, which will cause failures on reboot if it's created as a directory, but often doesn't exist because # the hostname is being managed dynamically. absent_mount_sources_to_reject = [ "/etc/hostname", ] # The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes. # The runtime to use is picked based on the runtime handler provided by the CRI. # If no runtime handler is provided, the "default_runtime" will be used. # Each entry in the table should follow the format: # # [crio.runtime.runtimes.runtime-handler] # runtime_path = "/path/to/the/executable" # runtime_type = "oci" # runtime_root = "/path/to/the/root" # monitor_path = "/path/to/container/monitor" # monitor_cgroup = "/cgroup/path" # monitor_exec_cgroup = "/cgroup/path" # monitor_env = [] # privileged_without_host_devices = false # allowed_annotations = [] # Where: # - runtime-handler: Name used to identify the runtime. # - runtime_path (optional, string): Absolute path to the runtime executable in # the host filesystem. If omitted, the runtime-handler identifier should match # the runtime executable name, and the runtime executable should be placed # in $PATH. # - runtime_type (optional, string): Type of runtime, one of: "oci", "vm". If # omitted, an "oci" runtime is assumed. # - runtime_root (optional, string): Root directory for storage of containers # state. # - runtime_config_path (optional, string): the path for the runtime configuration # file. This can only be used with when using the VM runtime_type. # - privileged_without_host_devices (optional, bool): an option for restricting # host devices from being passed to privileged containers. # - allowed_annotations (optional, array of strings): an option for specifying # a list of experimental annotations that this runtime handler is allowed to process. # The currently recognized values are: # "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod. # "io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw" for mounting cgroups writably when set to "true". # "io.kubernetes.cri-o.Devices" for configuring devices for the pod. # "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm. # "io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME" for configuring the cgroup v2 unified block for a container. # "io.containers.trace-syscall" for tracing syscalls via the OCI seccomp BPF hook. # "io.kubernetes.cri.rdt-class" for setting the RDT class of a container # - monitor_path (optional, string): The path of the monitor binary. Replaces # deprecated option "conmon". # - monitor_cgroup (optional, string): The cgroup the container monitor process will be put in. # Replaces deprecated option "conmon_cgroup". # - monitor_exec_cgroup (optional, string): If set to "container", indicates exec probes # should be moved to the container's cgroup # - monitor_env (optional, array of strings): Environment variables to pass to the montior. # Replaces deprecated option "conmon_env". [crio.runtime.runtimes.crun] runtime_path = "" runtime_type = "oci" runtime_root = "/run/crun" runtime_config_path = "" monitor_path = "" monitor_cgroup = "pod" monitor_exec_cgroup = "" privileged_without_host_devices = false [crio.runtime.runtimes.high-performance] runtime_path = "/bin/runc" runtime_type = "oci" runtime_root = "/run/runc" runtime_config_path = "" monitor_path = "" monitor_cgroup = "pod" monitor_exec_cgroup = "" allowed_annotations = [ "cpu-load-balancing.crio.io", "cpu-quota.crio.io", "irq-load-balancing.crio.io", "cpu-c-states.crio.io", "cpu-freq-governor.crio.io", ] privileged_without_host_devices = false [crio.runtime.runtimes.runc] runtime_path = "" runtime_type = "oci" runtime_root = "/run/runc" runtime_config_path = "" monitor_path = "" monitor_cgroup = "pod" monitor_exec_cgroup = "" privileged_without_host_devices = false # The workloads table defines ways to customize containers with different resources # that work based on annotations, rather than the CRI. # Note, the behavior of this table is EXPERIMENTAL and may change at any time. # Each workload, has a name, activation_annotation, annotation_prefix and set of resources it supports mutating. # The currently supported resources are "cpu" (to configure the cpu shares) and "cpuset" to configure the cpuset. # Each resource can have a default value specified, or be empty. # For a container to opt-into this workload, the pod should be configured with the annotation $activation_annotation (key only, value is ignored). # To customize per-container, an annotation of the form $annotation_prefix.$resource/$ctrName = "value" can be specified # signifying for that resource type to override the default value. # If the annotation_prefix is not present, every container in the pod will be given the default values. # Example: # [crio.runtime.workloads.workload-type] # activation_annotation = "io.crio/workload" # annotation_prefix = "io.crio.workload-type" # [crio.runtime.workloads.workload-type.resources] # cpuset = 0 # cpushares = "0-1" # Where: # The workload name is workload-type. # To specify, the pod must have the "io.crio.workload" annotation (this is a precise string match). # This workload supports setting cpuset and cpu resources. # annotation_prefix is used to customize the different resources. # To configure the cpu shares a container gets in the example above, the pod would have to have the following annotation: # "io.crio.workload-type/$container_name = {"cpushares": "value"}" [crio.runtime.workloads.management] activation_annotation = "target.workload.openshift.io/management" annotation_prefix = "resources.workload.openshift.io" [crio.runtime.workloads.management.resources] cpuset = "0-1,32-33" cpushares = 0 [crio.runtime.workloads.openshift-builder] activation_annotation = "io.openshift.builder" annotation_prefix = "" [crio.runtime.workloads.openshift-builder.resources] cpuset = "" cpushares = 0 # The crio.image table contains settings pertaining to the management of OCI images. # # CRI-O reads its configured registries defaults from the system wide # containers-registries.conf(5) located in /etc/containers/registries.conf. If # you want to modify just CRI-O, you can change the registries configuration in # this file. Otherwise, leave insecure_registries and registries commented out to # use the system's defaults from /etc/containers/registries.conf. [crio.image] # Default transport for pulling images from a remote container storage. # default_transport = "docker://" # The path to a file containing credentials necessary for pulling images from # secure registries. The file is similar to that of /var/lib/kubelet/config.json global_auth_file = "/var/lib/kubelet/config.json" # The image used to instantiate infra containers. # This option supports live configuration reload. pause_image = "registry.kni-qe-0.lab.eng.rdu2.redhat.com:5000/openshift-release-dev@sha256:be5ae7ff1af2efa6789c73ff50e0164f6b063e6398a9084105cf1e8f00c8589f" # The path to a file containing credentials specific for pulling the pause_image from # above. The file is similar to that of /var/lib/kubelet/config.json # This option supports live configuration reload. pause_image_auth_file = "/var/lib/kubelet/config.json" # The command to run to have a container stay in the paused state. # When explicitly set to "", it will fallback to the entrypoint and command # specified in the pause image. When commented out, it will fallback to the # default: "/pause". This option supports live configuration reload. pause_command = "/usr/bin/pod" # Path to the file which decides what sort of policy we use when deciding # whether or not to trust an image that we've pulled. It is not recommended that # this option be used, as the default behavior of using the system-wide default # policy (i.e., /etc/containers/policy.json) is most often preferred. Please # refer to containers-policy.json(5) for more details. # signature_policy = "" # List of registries to skip TLS verification for pulling images. Please # consider configuring the registries via /etc/containers/registries.conf before # changing them here. # insecure_registries = [ # ] # Controls how image volumes are handled. The valid values are mkdir, bind and # ignore; the latter will ignore volumes entirely. # image_volumes = "mkdir" # Temporary directory to use for storing big files # big_files_temporary_dir = "" # The crio.network table containers settings pertaining to the management of # CNI plugins. [crio.network] # The default CNI network name to be selected. If not set or "", then # CRI-O will pick-up the first one found in network_dir. # cni_default_network = "" # Path to the directory where CNI configuration files are located. network_dir = "/etc/kubernetes/cni/net.d/" # Paths to directories where CNI plugin binaries are located. plugin_dirs = [ "/var/lib/cni/bin", "/usr/libexec/cni", ] # A necessary configuration for Prometheus based metrics retrieval [crio.metrics] # Globally enable or disable metrics support. enable_metrics = true # Specify enabled metrics collectors. # Per default all metrics are enabled. # It is possible, to prefix the metrics with "container_runtime_" and "crio_". # For example, the metrics collector "operations" would be treated in the same # way as "crio_operations" and "container_runtime_crio_operations". metrics_collectors = [ "operations", "operations_latency_microseconds_total", "operations_latency_microseconds", "operations_errors", "image_pulls_layer_size", "containers_oom_total", "containers_oom", "operations_total", "operations_latency_seconds_total", "operations_latency_seconds", "operations_errors_total", "image_pulls_bytes_total", "image_pulls_skipped_bytes_total", "image_pulls_success_total", "image_pulls_failure_total", "image_layer_reuse_total", "containers_oom_count_total", "processes_defunct", ] # The port on which the metrics server will listen. metrics_port = 9537 # Local socket path to bind the metrics server to # metrics_socket = "" # The certificate for the secure metrics server. # If the certificate is not available on disk, then CRI-O will generate a # self-signed one. CRI-O also watches for changes of this path and reloads the # certificate on any modification event. # metrics_cert = "" # The certificate key for the secure metrics server. # Behaves in the same way as the metrics_cert. # metrics_key = "" # A necessary configuration for OpenTelemetry trace data exporting [crio.tracing] # Globally enable or disable exporting OpenTelemetry traces. # enable_tracing = false # Address on which the gRPC trace collector listens on. # tracing_endpoint = "0.0.0.0:4317" # Number of samples to collect per million spans. # tracing_sampling_rate_per_million = 0 # Necessary information pertaining to container and pod stats reporting. [crio.stats] # The number of seconds between collecting pod and container stats. # If set to 0, the stats are collected on-demand instead. # stats_collection_period = 0 [root@sno core]# crio-status config [crio] root = "/var/lib/containers/storage" runroot = "/run/containers/storage" storage_driver = "overlay" log_dir = "/var/log/crio/pods" version_file = "/var/run/crio/version" version_file_persist = "/var/lib/crio/version" clean_shutdown_file = "/var/lib/crio/clean.shutdown" internal_wipe = true [crio.api] grpc_max_send_msg_size = 83886080 grpc_max_recv_msg_size = 83886080 listen = "/var/run/crio/crio.sock" stream_address = "2620:52:0:8e6::d0" stream_port = "10010" stream_enable_tls = false stream_tls_cert = "" stream_tls_key = "" stream_tls_ca = "" stream_idle_timeout = "" [crio.runtime] seccomp_use_default_when_empty = true no_pivot = false selinux = true log_to_journald = false drop_infra_ctr = true read_only = false hooks_dir = ["/etc/containers/oci/hooks.d", "/run/containers/oci/hooks.d", "/usr/share/containers/oci/hooks.d"] default_capabilities = ["CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "SETGID", "SETUID", "SETPCAP", "NET_BIND_SERVICE", "KILL"] add_inheritable_capabilities = false default_env = ["NSS_SDB_USE_CACHE=no"] default_sysctls = ["net.ipv4.ping_group_range=0 2147483647"] allowed_devices = ["/dev/fuse"] cdi_spec_dirs = ["/etc/cdi", "/var/run/cdi"] device_ownership_from_security_context = false default_runtime = "runc" decryption_keys_path = "/etc/crio/keys/" conmon = "" conmon_cgroup = "pod" seccomp_profile = "" apparmor_profile = "crio-default" blockio_config_file = "" irqbalance_config_file = "/etc/sysconfig/irqbalance" rdt_config_file = "" cgroup_manager = "systemd" default_mounts_file = "" container_exits_dir = "/var/run/crio/exits" container_attach_socket_dir = "/var/run/crio" bind_mount_prefix = "" uid_mappings = "" minimum_mappable_uid = -1 gid_mappings = "" minimum_mappable_gid = -1 log_level = "info" log_filter = "" namespaces_dir = "/var/run" pinns_path = "/usr/bin/pinns" enable_criu_support = false pids_limit = 0 log_size_max = -1 ctr_stop_timeout = 30 separate_pull_cgroup = "" infra_ctr_cpuset = "0-1,32-33" absent_mount_sources_to_reject = ["/etc/hostname"] [crio.runtime.runtimes] [crio.runtime.runtimes.crun] runtime_config_path = "" runtime_path = "/usr/bin/crun" runtime_type = "oci" runtime_root = "/run/crun" DisallowedAnnotations = ["io.kubernetes.cri-o.ShmSize", "io.kubernetes.cri-o.Devices", "cpu-load-balancing.crio.io", "io.containers.trace-syscall", "io.kubernetes.cri-o.userns-mode", "io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw", "io.kubernetes.cri-o.UnifiedCgroup", "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel", "cpu-c-states.crio.io", "cpu-freq-governor.crio.io", "cpu-quota.crio.io", "irq-load-balancing.crio.io", "io.kubernetes.cri.rdt-class"] monitor_path = "/usr/bin/conmon" monitor_cgroup = "pod" [crio.runtime.runtimes.high-performance] runtime_config_path = "" runtime_path = "/bin/runc" runtime_type = "oci" runtime_root = "/run/runc" allowed_annotations = ["cpu-load-balancing.crio.io", "cpu-quota.crio.io", "irq-load-balancing.crio.io", "cpu-c-states.crio.io", "cpu-freq-governor.crio.io"] DisallowedAnnotations = ["io.kubernetes.cri.rdt-class", "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel", "io.kubernetes.cri-o.ShmSize", "io.kubernetes.cri-o.Devices", "io.containers.trace-syscall", "io.kubernetes.cri-o.userns-mode", "io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw", "io.kubernetes.cri-o.UnifiedCgroup"] monitor_path = "/usr/bin/conmon" monitor_cgroup = "pod" [crio.runtime.runtimes.runc] runtime_config_path = "" runtime_path = "/usr/bin/runc" runtime_type = "oci" runtime_root = "/run/runc" DisallowedAnnotations = ["io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw", "io.kubernetes.cri-o.UnifiedCgroup", "cpu-load-balancing.crio.io", "io.containers.trace-syscall", "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel", "cpu-freq-governor.crio.io", "cpu-c-states.crio.io", "io.kubernetes.cri-o.userns-mode", "io.kubernetes.cri-o.ShmSize", "io.kubernetes.cri-o.Devices", "cpu-quota.crio.io", "irq-load-balancing.crio.io", "io.kubernetes.cri.rdt-class"] monitor_path = "/usr/bin/conmon" monitor_cgroup = "pod" [crio.runtime.workloads] [crio.runtime.workloads.management] activation_annotation = "target.workload.openshift.io/management" annotation_prefix = "resources.workload.openshift.io" DisallowedAnnotations = ["irq-load-balancing.crio.io", "io.kubernetes.cri.rdt-class", "cpu-freq-governor.crio.io", "io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw", "io.kubernetes.cri-o.UnifiedCgroup", "io.kubernetes.cri-o.Devices", "cpu-quota.crio.io", "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel", "cpu-c-states.crio.io", "io.kubernetes.cri-o.userns-mode", "io.kubernetes.cri-o.ShmSize", "cpu-load-balancing.crio.io", "io.containers.trace-syscall"] [crio.runtime.workloads.management.resources] CPUShares = 0 CPUSet = "0-1,32-33" [crio.runtime.workloads.openshift-builder] activation_annotation = "io.openshift.builder" annotation_prefix = "" allowed_annotations = ["io.kubernetes.cri-o.userns-mode", "io.kubernetes.cri-o.Devices"] DisallowedAnnotations = ["io.kubernetes.cri-o.ShmSize", "cpu-load-balancing.crio.io", "cpu-quota.crio.io", "irq-load-balancing.crio.io", "io.kubernetes.cri-o.UnifiedCgroup", "io.containers.trace-syscall", "io.kubernetes.cri.rdt-class", "io.kubernetes.cri-o.TrySkipVolumeSELinuxLabel", "cpu-c-states.crio.io", "cpu-freq-governor.crio.io", "io.kubernetes.cri-o.cgroup2-mount-hierarchy-rw"] [crio.runtime.workloads.openshift-builder.resources] CPUShares = 0 CPUSet = "" [crio.image] default_transport = "docker://" global_auth_file = "/var/lib/kubelet/config.json" pause_image = "registry.kni-qe-0.lab.eng.rdu2.redhat.com:5000/openshift-release-dev@sha256:be5ae7ff1af2efa6789c73ff50e0164f6b063e6398a9084105cf1e8f00c8589f" pause_image_auth_file = "/var/lib/kubelet/config.json" pause_command = "/usr/bin/pod" signature_policy = "" image_volumes = "mkdir" big_files_temporary_dir = "" [crio.network] cni_default_network = "" network_dir = "/etc/kubernetes/cni/net.d/" plugin_dirs = ["/var/lib/cni/bin", "/usr/libexec/cni"] [crio.metrics] enable_metrics = true metrics_collectors = ["operations", "operations_latency_microseconds_total", "operations_latency_microseconds", "operations_errors", "image_pulls_layer_size", "containers_oom_total", "containers_oom", "operations_total", "operations_latency_seconds_total", "operations_latency_seconds", "operations_errors_total", "image_pulls_bytes_total", "image_pulls_skipped_bytes_total", "image_pulls_success_total", "image_pulls_failure_total", "image_layer_reuse_total", "containers_oom_count_total", "processes_defunct"] metrics_port = 9537 metrics_socket = "" metrics_cert = "" metrics_key = "" [crio.tracing] enable_tracing = false tracing_endpoint = "0.0.0.0:4317" tracing_sampling_rate_per_million = 0 [crio.stats] stats_collection_period = 0