-
Notifications
You must be signed in to change notification settings - Fork 1k
/
config.go
1640 lines (1391 loc) · 57.7 KB
/
config.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
package config
import (
"bytes"
"encoding/json"
"errors"
"fmt"
"net"
"os"
"os/exec"
"path/filepath"
"regexp"
"slices"
"strings"
"time"
"github.com/BurntSushi/toml"
"github.com/containers/common/pkg/hooks"
conmonconfig "github.com/containers/conmon/runner/config"
"github.com/containers/image/v5/pkg/sysregistriesv2"
"github.com/containers/image/v5/types"
"github.com/containers/storage"
"github.com/containers/storage/pkg/unshare"
"github.com/cri-o/cri-o/internal/config/apparmor"
"github.com/cri-o/cri-o/internal/config/blockio"
"github.com/cri-o/cri-o/internal/config/capabilities"
"github.com/cri-o/cri-o/internal/config/cgmgr"
"github.com/cri-o/cri-o/internal/config/cnimgr"
"github.com/cri-o/cri-o/internal/config/conmonmgr"
"github.com/cri-o/cri-o/internal/config/device"
"github.com/cri-o/cri-o/internal/config/node"
"github.com/cri-o/cri-o/internal/config/nri"
"github.com/cri-o/cri-o/internal/config/nsmgr"
"github.com/cri-o/cri-o/internal/config/rdt"
"github.com/cri-o/cri-o/internal/config/seccomp"
"github.com/cri-o/cri-o/internal/config/ulimits"
"github.com/cri-o/cri-o/internal/storage/references"
"github.com/cri-o/cri-o/pkg/annotations"
"github.com/cri-o/cri-o/server/otel-collector/collectors"
"github.com/cri-o/cri-o/server/useragent"
"github.com/cri-o/cri-o/utils"
"github.com/cri-o/cri-o/utils/cmdrunner"
"github.com/cri-o/ocicni/pkg/ocicni"
"github.com/opencontainers/runtime-spec/specs-go/features"
selinux "github.com/opencontainers/selinux/go-selinux"
"github.com/sirupsen/logrus"
"k8s.io/utils/cpuset"
"tags.cncf.io/container-device-interface/pkg/cdi"
)
// Defaults if none are specified
const (
defaultGRPCMaxMsgSize = 80 * 1024 * 1024
OCIBufSize = 8192
RuntimeTypeVM = "vm"
RuntimeTypePod = "pod"
defaultCtrStopTimeout = 30 // seconds
defaultNamespacesDir = "/var/run"
RuntimeTypeVMBinaryPattern = "containerd-shim-([a-zA-Z0-9\\-\\+])+-v2"
tasksetBinary = "taskset"
MonitorExecCgroupDefault = ""
MonitorExecCgroupContainer = "container"
)
// Config represents the entire set of configuration values that can be set for
// the server. This is intended to be loaded from a toml-encoded config file.
type Config struct {
Comment string
singleConfigPath string // Path to the single config file
dropInConfigDir string // Path to the drop-in config files
RootConfig
APIConfig
RuntimeConfig
ImageConfig
NetworkConfig
MetricsConfig
TracingConfig
StatsConfig
NRI *nri.Config
SystemContext *types.SystemContext
}
// Iface provides a config interface for data encapsulation
type Iface interface {
GetStore() (storage.Store, error)
GetData() *Config
}
// GetData returns the Config of a Iface
func (c *Config) GetData() *Config {
return c
}
// ImageVolumesType describes image volume handling strategies
type ImageVolumesType string
const (
// ImageVolumesMkdir option is for using mkdir to handle image volumes
ImageVolumesMkdir ImageVolumesType = "mkdir"
// ImageVolumesIgnore option is for ignoring image volumes altogether
ImageVolumesIgnore ImageVolumesType = "ignore"
// ImageVolumesBind option is for using bind mounted volumes
)
const (
// DefaultPidsLimit is the default value for maximum number of processes
// allowed inside a container
DefaultPidsLimit = -1
// DefaultLogSizeMax is the default value for the maximum log size
// allowed for a container. Negative values mean that no limit is imposed.
DefaultLogSizeMax = -1
)
const (
// DefaultBlockIOConfigFile is the default value for blockio controller configuration file
DefaultBlockIOConfigFile = ""
// DefaultBlockIOReload is the default value for reloading blockio with changed config file and block devices.
DefaultBlockIOReload = false
)
const (
// DefaultIrqBalanceConfigFile default irqbalance service configuration file path
DefaultIrqBalanceConfigFile = "/etc/sysconfig/irqbalance"
// DefaultIrqBalanceConfigRestoreFile contains the banned cpu mask configuration to restore. Name due to backward compatibility.
DefaultIrqBalanceConfigRestoreFile = "/etc/sysconfig/orig_irq_banned_cpus"
)
// This structure is necessary to fake the TOML tables when parsing,
// while also not requiring a bunch of layered structs for no good
// reason.
// RootConfig represents the root of the "crio" TOML config table.
type RootConfig struct {
// Root is a path to the "root directory" where data not
// explicitly handled by other options will be stored.
Root string `toml:"root"`
// RunRoot is a path to the "run directory" where state information not
// explicitly handled by other options will be stored.
RunRoot string `toml:"runroot"`
// ImageStore if set it will allow end-users to store newly pulled image
// in path provided by `ImageStore` instead of path provided in `Root`.
ImageStore string `toml:"imagestore"`
// Storage is the name of the storage driver which handles actually
// storing the contents of containers.
Storage string `toml:"storage_driver"`
// StorageOption is a list of storage driver specific options.
StorageOptions []string `toml:"storage_option"`
// LogDir is the default log directory where all logs will go unless kubelet
// tells us to put them somewhere else.
LogDir string `toml:"log_dir"`
// VersionFile is the location CRI-O will lay down the version file
// that checks whether we've rebooted
VersionFile string `toml:"version_file"`
// VersionFilePersist is the location CRI-O will lay down the version file
// that checks whether we've upgraded
VersionFilePersist string `toml:"version_file_persist"`
// CleanShutdownFile is the location CRI-O will lay down the clean shutdown file
// that checks whether we've had time to sync before shutting down
CleanShutdownFile string `toml:"clean_shutdown_file"`
// InternalWipe is whether CRI-O should wipe containers and images after a reboot when the server starts.
// If set to false, one must use the external command `crio wipe` to wipe the containers and images in these situations.
// The option InternalWipe is deprecated, and will be removed in a future release.
InternalWipe bool `toml:"internal_wipe"`
// InternalRepair is used to repair the affected images.
InternalRepair bool `toml:"internal_repair"`
}
// GetStore returns the container storage for a given configuration
func (c *RootConfig) GetStore() (storage.Store, error) {
return storage.GetStore(storage.StoreOptions{
RunRoot: c.RunRoot,
GraphRoot: c.Root,
ImageStore: c.ImageStore,
GraphDriverName: c.Storage,
GraphDriverOptions: c.StorageOptions,
})
}
// RuntimeHandler represents each item of the "crio.runtime.runtimes" TOML
// config table.
type RuntimeHandler struct {
RuntimeConfigPath string `toml:"runtime_config_path"`
RuntimePath string `toml:"runtime_path"`
RuntimeType string `toml:"runtime_type"`
RuntimeRoot string `toml:"runtime_root"`
// PrivilegedWithoutHostDevices can be used to restrict passing host devices
// to a container running as privileged.
PrivilegedWithoutHostDevices bool `toml:"privileged_without_host_devices,omitempty"`
// AllowedAnnotations is a slice of experimental annotations that this runtime handler is allowed to process.
// The currently recognized values are:
// "io.kubernetes.cri-o.userns-mode" for configuring a user namespace for the pod.
// "io.kubernetes.cri-o.Devices" for configuring devices for the pod.
// "io.kubernetes.cri-o.ShmSize" for configuring the size of /dev/shm.
// "io.kubernetes.cri-o.UnifiedCgroup.$CTR_NAME" for configuring the cgroup v2 unified block for a container.
// "io.containers.trace-syscall" for tracing syscalls via the OCI seccomp BPF hook.
// "io.kubernetes.cri-o.LinkLogs" for linking logs into the pod.
// "seccomp-profile.kubernetes.cri-o.io" for setting the seccomp profile for:
// - a specific container by using: `seccomp-profile.kubernetes.cri-o.io/<CONTAINER_NAME>`
// - a whole pod by using: `seccomp-profile.kubernetes.cri-o.io/POD`
// Note that the annotation works on containers as well as on images.
// For images, the plain annotation `seccomp-profile.kubernetes.cri-o.io`
// can be used without the required `/POD` suffix or a container name.
AllowedAnnotations []string `toml:"allowed_annotations,omitempty"`
// DisallowedAnnotations is the slice of experimental annotations that are not allowed for this handler.
DisallowedAnnotations []string
// Fields prefixed by Monitor hold the configuration for the monitor for this runtime. At present, the following monitors are supported:
// oci supports conmon
// vm does not support any runtime monitor
MonitorPath string `toml:"monitor_path,omitempty"`
MonitorCgroup string `toml:"monitor_cgroup,omitempty"`
MonitorEnv []string `toml:"monitor_env,omitempty"`
// MonitorExecCgroup indicates whether to move exec probes to the container's cgroup.
MonitorExecCgroup string `toml:"monitor_exec_cgroup,omitempty"`
// PlatformRuntimePaths defines a configuration option that specifies
// the runtime paths for different platforms.
PlatformRuntimePaths map[string]string `toml:"platform_runtime_paths,omitempty"`
// Marks the runtime as performing image pulling on its own, and doesn't
// require crio to do it.
RuntimePullImage bool `toml:"runtime_pull_image,omitempty"`
// Output of the "features" subcommand.
// This is populated dynamically and not read from config.
features features.Features
}
// Multiple runtime Handlers in a map
type Runtimes map[string]*RuntimeHandler
// RuntimeConfig represents the "crio.runtime" TOML config table.
type RuntimeConfig struct {
// NoPivot instructs the runtime to not use `pivot_root`, but instead use `MS_MOVE`
NoPivot bool `toml:"no_pivot"`
// SELinux determines whether or not SELinux is used for pod separation.
SELinux bool `toml:"selinux"`
// Whether container output should be logged to journald in addition
// to the kubernetes log file
LogToJournald bool `toml:"log_to_journald"`
// DropInfraCtr determines whether the infra container is dropped when appropriate.
DropInfraCtr bool `toml:"drop_infra_ctr"`
// ReadOnly run all pods/containers in read-only mode.
// This mode will mount tmpfs on /run, /tmp and /var/tmp, if those are not mountpoints
// Will also set the readonly flag in the OCI Runtime Spec. In this mode containers
// will only be able to write to volumes mounted into them
ReadOnly bool `toml:"read_only"`
// ConmonEnv is the environment variable list for conmon process.
// This option is currently deprecated, and will be replaced with RuntimeHandler.MonitorEnv.
ConmonEnv []string `toml:"conmon_env"`
// HooksDir holds paths to the directories containing hooks
// configuration files. When the same filename is present in
// multiple directories, the file in the directory listed last in
// this slice takes precedence.
HooksDir []string `toml:"hooks_dir"`
// Capabilities to add to all containers.
DefaultCapabilities capabilities.Capabilities `toml:"default_capabilities"`
// AddInheritableCapabilities can be set to add inheritable capabilities. They were pre-1.23 by default, and were dropped in 1.24.
// This can cause a regression with non-root users not getting capabilities as they previously did.
AddInheritableCapabilities bool `toml:"add_inheritable_capabilities"`
// Additional environment variables to set for all the
// containers. These are overridden if set in the
// container image spec or in the container runtime configuration.
DefaultEnv []string `toml:"default_env"`
// Sysctls to add to all containers.
DefaultSysctls []string `toml:"default_sysctls"`
// DefaultUlimits specifies the default ulimits to apply to containers
DefaultUlimits []string `toml:"default_ulimits"`
// Devices that are allowed to be configured.
AllowedDevices []string `toml:"allowed_devices"`
// Devices to add to containers
AdditionalDevices []string `toml:"additional_devices"`
// CDISpecDirs specifies the directories CRI-O/CDI will scan for CDI Spec files.
CDISpecDirs []string `toml:"cdi_spec_dirs"`
// DeviceOwnershipFromSecurityContext changes the default behavior of setting container devices uid/gid
// from CRI's SecurityContext (RunAsUser/RunAsGroup) instead of taking host's uid/gid. Defaults to false.
DeviceOwnershipFromSecurityContext bool `toml:"device_ownership_from_security_context"`
// DefaultRuntime is the _name_ of the OCI runtime to be used as the default.
// The name is matched against the Runtimes map below.
DefaultRuntime string `toml:"default_runtime"`
// DecryptionKeysPath is the path where keys for image decryption are stored.
DecryptionKeysPath string `toml:"decryption_keys_path"`
// Conmon is the path to conmon binary, used for managing the runtime.
// This option is currently deprecated, and will be replaced with RuntimeHandler.MonitorConfig.Path.
Conmon string `toml:"conmon"`
// ConmonCgroup is the cgroup setting used for conmon.
// This option is currently deprecated, and will be replaced with RuntimeHandler.MonitorConfig.Cgroup.
ConmonCgroup string `toml:"conmon_cgroup"`
// SeccompProfile is the seccomp.json profile path which is used as the
// default for the runtime.
SeccompProfile string `toml:"seccomp_profile"`
// ApparmorProfile is the apparmor profile name which is used as the
// default for the runtime.
ApparmorProfile string `toml:"apparmor_profile"`
// BlockIOConfigFile is the path to the blockio class configuration
// file for configuring the cgroup blockio controller.
BlockIOConfigFile string `toml:"blockio_config_file"`
// BlockIOReload instructs the runtime to reload blockio configuration
// rescan block devices in the system before assigning blockio parameters.
BlockIOReload bool `toml:"blockio_reload"`
// IrqBalanceConfigFile is the irqbalance service config file which is used
// for configuring irqbalance daemon.
IrqBalanceConfigFile string `toml:"irqbalance_config_file"`
// RdtConfigFile is the RDT config file used for configuring resctrl fs
RdtConfigFile string `toml:"rdt_config_file"`
// CgroupManagerName is the manager implementation name which is used to
// handle cgroups for containers.
CgroupManagerName string `toml:"cgroup_manager"`
// DefaultMountsFile is the file path for the default mounts to be mounted for the container
// Note, for testing purposes mainly
DefaultMountsFile string `toml:"default_mounts_file"`
// ContainerExitsDir is the directory in which container exit files are
// written to by conmon.
ContainerExitsDir string `toml:"container_exits_dir"`
// ContainerAttachSocketDir is the location for container attach sockets.
ContainerAttachSocketDir string `toml:"container_attach_socket_dir"`
// BindMountPrefix is the prefix to use for the source of the bind mounts.
BindMountPrefix string `toml:"bind_mount_prefix"`
// UIDMappings specifies the UID mappings to have in the user namespace.
// A range is specified in the form containerUID:HostUID:Size. Multiple
// ranges are separated by comma.
UIDMappings string `toml:"uid_mappings"`
// MinimumMappableUID specifies the minimum UID value which can be
// specified in a uid_mappings value, whether configured here or sent
// to us via CRI, for a pod that isn't to be run as UID 0.
MinimumMappableUID int64 `toml:"minimum_mappable_uid"`
// GIDMappings specifies the GID mappings to have in the user namespace.
// A range is specified in the form containerUID:HostUID:Size. Multiple
// ranges are separated by comma.
GIDMappings string `toml:"gid_mappings"`
// MinimumMappableGID specifies the minimum GID value which can be
// specified in a gid_mappings value, whether configured here or sent
// to us via CRI, for a pod that isn't to be run as UID 0.
MinimumMappableGID int64 `toml:"minimum_mappable_gid"`
// LogLevel determines the verbosity of the logs based on the level it is set to.
// Options are fatal, panic, error (default), warn, info, debug, and trace.
LogLevel string `toml:"log_level"`
// LogFilter specifies a regular expression to filter the log messages
LogFilter string `toml:"log_filter"`
// NamespacesDir is the directory where the state of the managed namespaces
// gets tracked
NamespacesDir string `toml:"namespaces_dir"`
// PinNSPath is the path to find the pinns binary, which is needed
// to manage namespace lifecycle
PinnsPath string `toml:"pinns_path"`
// CriuPath is the path to find the criu binary, which is needed
// to checkpoint and restore containers
EnableCriuSupport bool `toml:"enable_criu_support"`
// Runtimes defines a list of OCI compatible runtimes. The runtime to
// use is picked based on the runtime_handler provided by the CRI. If
// no runtime_handler is provided, the runtime will be picked based on
// the level of trust of the workload.
Runtimes Runtimes `toml:"runtimes"`
// Workloads defines a list of workloads types that are have grouped settings
// that will be applied to containers.
Workloads Workloads `toml:"workloads"`
// PidsLimit is the number of processes each container is restricted to
// by the cgroup process number controller.
PidsLimit int64 `toml:"pids_limit"`
// LogSizeMax is the maximum number of bytes after which the log file
// will be truncated. It can be expressed as a human-friendly string
// that is parsed to bytes.
// Negative values indicate that the log file won't be truncated.
LogSizeMax int64 `toml:"log_size_max"`
// CtrStopTimeout specifies the time to wait before to generate an
// error because the container state is still tagged as "running".
CtrStopTimeout int64 `toml:"ctr_stop_timeout"`
// SeparatePullCgroup specifies whether an image pull must be performed in a separate cgroup
SeparatePullCgroup string `toml:"separate_pull_cgroup"`
// InfraCtrCPUSet is the CPUs set that will be used to run infra containers
InfraCtrCPUSet string `toml:"infra_ctr_cpuset"`
// SharedCPUSet is the CPUs set that will be used for guaranteed containers that
// want access to shared cpus.
SharedCPUSet string `toml:"shared_cpuset"`
// AbsentMountSourcesToReject is a list of paths that, when absent from the host,
// will cause a container creation to fail (as opposed to the current behavior of creating a directory).
AbsentMountSourcesToReject []string `toml:"absent_mount_sources_to_reject"`
// EnablePodEvents specifies if the container pod-level events should be generated to optimize the PLEG at Kubelet.
EnablePodEvents bool `toml:"enable_pod_events"`
// IrqBalanceConfigRestoreFile is the irqbalance service banned CPU list to restore.
// If empty, no restoration attempt will be done.
IrqBalanceConfigRestoreFile string `toml:"irqbalance_config_restore_file"`
// seccompConfig is the internal seccomp configuration
seccompConfig *seccomp.Config
// apparmorConfig is the internal AppArmor configuration
apparmorConfig *apparmor.Config
// blockioConfig is the internal blockio configuration
blockioConfig *blockio.Config
// rdtConfig is the internal Rdt configuration
rdtConfig *rdt.Config
// ulimitConfig is the internal ulimit configuration
ulimitsConfig *ulimits.Config
// deviceConfig is the internal additional devices configuration
deviceConfig *device.Config
// cgroupManager is the internal CgroupManager configuration
cgroupManager cgmgr.CgroupManager
// conmonManager is the internal ConmonManager configuration
conmonManager *conmonmgr.ConmonManager
// namespaceManager is the internal NamespaceManager configuration
namespaceManager *nsmgr.NamespaceManager
// Whether SELinux should be disabled within a pod,
// when it is running in the host network namespace
// https://github.com/cri-o/cri-o/issues/5501
HostNetworkDisableSELinux bool `toml:"hostnetwork_disable_selinux"`
// Option to disable hostport mapping in CRI-O
// Default value is 'false'
DisableHostPortMapping bool `toml:"disable_hostport_mapping"`
// Option to set the timezone inside the container.
// Use 'Local' to match the timezone of the host machine.
Timezone string `toml:"timezone"`
}
// ImageConfig represents the "crio.image" TOML config table.
type ImageConfig struct {
// DefaultTransport is a value we prefix to image names that fail to
// validate source references.
DefaultTransport string `toml:"default_transport"`
// GlobalAuthFile is a path to a file like /var/lib/kubelet/config.json
// containing credentials necessary for pulling images from secure
// registries.
GlobalAuthFile string `toml:"global_auth_file"`
// PauseImage is the name of an image on a registry which we use to instantiate infra
// containers. It should start with a registry host name.
// Format is enforced by validation.
PauseImage string `toml:"pause_image"`
// PauseImageAuthFile, if not empty, is a path to a file like
// /var/lib/kubelet/config.json containing credentials necessary
// for pulling PauseImage
PauseImageAuthFile string `toml:"pause_image_auth_file"`
// PauseCommand is the path of the binary we run in an infra
// container that's been instantiated using PauseImage.
PauseCommand string `toml:"pause_command"`
// PinnedImages is a list of container images that should be pinned
// and not subject to garbage collection by kubelet.
// Pinned images will remain in the container runtime's storage until
// they are manually removed. Default value: empty list (no images pinned)
PinnedImages []string `toml:"pinned_images"`
// SignaturePolicyPath is the name of the file which decides what sort
// of policy we use when deciding whether or not to trust an image that
// we've pulled. Outside of testing situations, it is strongly advised
// that this be left unspecified so that the default system-wide policy
// will be used.
SignaturePolicyPath string `toml:"signature_policy"`
// SignaturePolicyDir is the root path for pod namespace-separated
// signature policies. The final policy to be used on image pull will be
// <SIGNATURE_POLICY_DIR>/<NAMESPACE>.json.
// If no pod namespace is being provided on image pull (via the sandbox
// config), or the concatenated path is non existent, then the
// SignaturePolicyPath or system wide policy will be used as fallback.
// Must be an absolute path.
SignaturePolicyDir string `toml:"signature_policy_dir"`
// InsecureRegistries is a list of registries that must be contacted w/o
// TLS verification.
InsecureRegistries []string `toml:"insecure_registries"`
// ImageVolumes controls how volumes specified in image config are handled
ImageVolumes ImageVolumesType `toml:"image_volumes"`
// Registries holds a list of registries used to pull unqualified images
Registries []string `toml:"registries"`
// Temporary directory for big files
BigFilesTemporaryDir string `toml:"big_files_temporary_dir"`
}
// NetworkConfig represents the "crio.network" TOML config table
type NetworkConfig struct {
// CNIDefaultNetwork is the default CNI network name to be selected
CNIDefaultNetwork string `toml:"cni_default_network"`
// NetworkDir is where CNI network configuration files are stored.
NetworkDir string `toml:"network_dir"`
// PluginDir is where CNI plugin binaries are stored.
PluginDir string `toml:"plugin_dir,omitempty"`
// PluginDirs is where CNI plugin binaries are stored.
PluginDirs []string `toml:"plugin_dirs"`
// cniManager manages the internal ocicni plugin
cniManager *cnimgr.CNIManager
}
// APIConfig represents the "crio.api" TOML config table.
type APIConfig struct {
// GRPCMaxSendMsgSize is the maximum grpc send message size in bytes.
GRPCMaxSendMsgSize int `toml:"grpc_max_send_msg_size"`
// GRPCMaxRecvMsgSize is the maximum grpc receive message size in bytes.
GRPCMaxRecvMsgSize int `toml:"grpc_max_recv_msg_size"`
// Listen is the path to the AF_LOCAL socket on which cri-o will listen.
// This may support proto://addr formats later, but currently this is just
// a path.
Listen string `toml:"listen"`
// StreamAddress is the IP address on which the stream server will listen.
StreamAddress string `toml:"stream_address"`
// StreamPort is the port on which the stream server will listen.
StreamPort string `toml:"stream_port"`
// StreamEnableTLS enables encrypted tls transport of the stream server
StreamEnableTLS bool `toml:"stream_enable_tls"`
// StreamTLSCert is the x509 certificate file path used to serve the encrypted stream
StreamTLSCert string `toml:"stream_tls_cert"`
// StreamTLSKey is the key file path used to serve the encrypted stream
StreamTLSKey string `toml:"stream_tls_key"`
// StreamTLSCA is the x509 CA(s) file used to verify and authenticate client
// communication with the tls encrypted stream
StreamTLSCA string `toml:"stream_tls_ca"`
// StreamIdleTimeout is how long to leave idle connections open for
StreamIdleTimeout string `toml:"stream_idle_timeout"`
}
// MetricsConfig specifies all necessary configuration for Prometheus based
// metrics retrieval
type MetricsConfig struct {
// EnableMetrics can be used to globally enable or disable metrics support
EnableMetrics bool `toml:"enable_metrics"`
// MetricsCollectors specifies enabled metrics collectors.
MetricsCollectors collectors.Collectors `toml:"metrics_collectors"`
// MetricsHost is the IP address or hostname on which the metrics server will listen.
MetricsHost string `toml:"metrics_host"`
// MetricsPort is the port on which the metrics server will listen.
MetricsPort int `toml:"metrics_port"`
// Local socket path to bind the metrics server to
MetricsSocket string `toml:"metrics_socket"`
// MetricsCert is the certificate for the secure metrics server.
MetricsCert string `toml:"metrics_cert"`
// MetricsKey is the certificate key for the secure metrics server.
MetricsKey string `toml:"metrics_key"`
}
// TracingConfig specifies all necessary configuration for opentelemetry trace exports
type TracingConfig struct {
// EnableTracing can be used to globally enable or disable tracing support
EnableTracing bool `toml:"enable_tracing"`
// TracingEndpoint is the address on which the grpc tracing collector server will listen.
TracingEndpoint string `toml:"tracing_endpoint"`
// TracingSamplingRatePerMillion is the number of samples to collect per million spans. Set to 1000000 to always sample.
// Defaults to 0.
TracingSamplingRatePerMillion int `toml:"tracing_sampling_rate_per_million"`
}
// StatsConfig specifies all necessary configuration for reporting container and pod stats
type StatsConfig struct {
// StatsCollectionPeriod is the number of seconds between collecting pod and container stats.
// If set to 0, the stats are collected on-demand instead.
StatsCollectionPeriod int `toml:"stats_collection_period"`
}
// tomlConfig is another way of looking at a Config, which is
// TOML-friendly (it has all of the explicit tables). It's just used for
// conversions.
type tomlConfig struct {
Crio struct {
RootConfig
API struct{ APIConfig } `toml:"api"`
Runtime struct{ RuntimeConfig } `toml:"runtime"`
Image struct{ ImageConfig } `toml:"image"`
Network struct{ NetworkConfig } `toml:"network"`
Metrics struct{ MetricsConfig } `toml:"metrics"`
Tracing struct{ TracingConfig } `toml:"tracing"`
Stats struct{ StatsConfig } `toml:"stats"`
NRI struct{ *nri.Config } `toml:"nri"`
} `toml:"crio"`
}
// SetSystemContext configures the SystemContext used by containers/image library
func (t *tomlConfig) SetSystemContext(c *Config) {
c.SystemContext.BigFilesTemporaryDir = c.ImageConfig.BigFilesTemporaryDir
}
func (t *tomlConfig) toConfig(c *Config) {
c.Comment = "# "
c.RootConfig = t.Crio.RootConfig
c.APIConfig = t.Crio.API.APIConfig
c.RuntimeConfig = t.Crio.Runtime.RuntimeConfig
c.ImageConfig = t.Crio.Image.ImageConfig
c.NetworkConfig = t.Crio.Network.NetworkConfig
c.MetricsConfig = t.Crio.Metrics.MetricsConfig
c.TracingConfig = t.Crio.Tracing.TracingConfig
c.StatsConfig = t.Crio.Stats.StatsConfig
c.NRI = t.Crio.NRI.Config
t.SetSystemContext(c)
}
func (t *tomlConfig) fromConfig(c *Config) {
t.Crio.RootConfig = c.RootConfig
t.Crio.API.APIConfig = c.APIConfig
t.Crio.Runtime.RuntimeConfig = c.RuntimeConfig
t.Crio.Image.ImageConfig = c.ImageConfig
t.Crio.Network.NetworkConfig = c.NetworkConfig
t.Crio.Metrics.MetricsConfig = c.MetricsConfig
t.Crio.Tracing.TracingConfig = c.TracingConfig
t.Crio.Stats.StatsConfig = c.StatsConfig
t.Crio.NRI.Config = c.NRI
}
// UpdateFromFile populates the Config from the TOML-encoded file at the given
// path and "remembers" that we should reload this file's contents when we
// receive a SIGHUP.
// Returns errors encountered when reading or parsing the files, or nil
// otherwise.
func (c *Config) UpdateFromFile(path string) error {
if err := c.UpdateFromDropInFile(path); err != nil {
return err
}
c.singleConfigPath = path
return nil
}
// UpdateFromDropInFile populates the Config from the TOML-encoded file at the
// given path. The file may be the main configuration file, or it can be one
// of the drop-in files which are used to supplement it.
// Returns errors encountered when reading or parsing the files, or nil
// otherwise.
func (c *Config) UpdateFromDropInFile(path string) error {
// keeps the storage options from storage.conf and merge it to crio config
var storageOpts []string
storageOpts = append(storageOpts, c.StorageOptions...)
// storage configurations from storage.conf, if crio config has no values for these, they will be merged to crio config
graphRoot := c.Root
runRoot := c.RunRoot
storageDriver := c.Storage
data, err := os.ReadFile(path)
if err != nil {
return err
}
t := new(tomlConfig)
t.fromConfig(c)
_, err = toml.Decode(string(data), t)
if err != nil {
return fmt.Errorf("unable to decode configuration %v: %w", path, err)
}
storageOpts = append(storageOpts, t.Crio.RootConfig.StorageOptions...)
storageOpts = removeDupStorageOpts(storageOpts)
t.Crio.RootConfig.StorageOptions = storageOpts
// inherits storage configurations from storage.conf
if t.Crio.Root == "" {
t.Crio.Root = graphRoot
}
if t.Crio.RunRoot == "" {
t.Crio.RunRoot = runRoot
}
if t.Crio.Storage == "" {
t.Crio.Storage = storageDriver
}
// Registries are deprecated in cri-o.conf and turned into a NOP.
// Users should use registries.conf instead, so let's log it.
if len(t.Crio.Image.Registries) > 0 {
t.Crio.Image.Registries = nil
logrus.Warnf("Support for the 'registries' option has been dropped but it is referenced in %q. Please use containers-registries.conf(5) for configuring unqualified-search registries instead.", path)
}
t.toConfig(c)
return nil
}
// removeDupStorageOpts removes duplicated storage option from the list
// keeps the last appearance
func removeDupStorageOpts(storageOpts []string) []string {
var resOpts []string
opts := make(map[string]bool)
for i := len(storageOpts) - 1; i >= 0; i-- {
if ok := opts[storageOpts[i]]; ok {
continue
}
opts[storageOpts[i]] = true
resOpts = append(resOpts, storageOpts[i])
}
for i, j := 0, len(resOpts)-1; i < j; i, j = i+1, j-1 {
resOpts[i], resOpts[j] = resOpts[j], resOpts[i]
}
return resOpts
}
// UpdateFromPath recursively iterates the provided path and updates the
// configuration for it
func (c *Config) UpdateFromPath(path string) error {
if _, err := os.Stat(path); err != nil && os.IsNotExist(err) {
return nil
}
if err := filepath.Walk(path,
func(p string, info os.FileInfo, err error) error {
if err != nil {
return err
}
if info.IsDir() {
return nil
}
return c.UpdateFromDropInFile(p)
}); err != nil {
return err
}
c.dropInConfigDir = path
return nil
}
// ToFile outputs the given Config as a TOML-encoded file at the given path.
// Returns errors encountered when generating or writing the file, or nil
// otherwise.
func (c *Config) ToFile(path string) error {
b, err := c.ToBytes()
if err != nil {
return err
}
return os.WriteFile(path, b, 0o644)
}
// ToBytes encodes the config into a byte slice. It errors if the encoding
// fails, which should never happen at all because of general type safeness.
func (c *Config) ToBytes() ([]byte, error) {
var buffer bytes.Buffer
e := toml.NewEncoder(&buffer)
tc := tomlConfig{}
tc.fromConfig(c)
if err := e.Encode(tc); err != nil {
return nil, err
}
return buffer.Bytes(), nil
}
// DefaultConfig returns the default configuration for crio.
func DefaultConfig() (*Config, error) {
storeOpts, err := storage.DefaultStoreOptions(unshare.IsRootless(), unshare.GetRootlessUID())
if err != nil {
return nil, err
}
cgroupManager := cgmgr.New()
ua, err := useragent.Get()
if err != nil {
return nil, fmt.Errorf("get user agent: %w", err)
}
return &Config{
Comment: "# ",
SystemContext: &types.SystemContext{
DockerRegistryUserAgent: ua,
},
RootConfig: RootConfig{
Root: storeOpts.GraphRoot,
RunRoot: storeOpts.RunRoot,
ImageStore: storeOpts.ImageStore,
Storage: storeOpts.GraphDriverName,
StorageOptions: storeOpts.GraphDriverOptions,
LogDir: "/var/log/crio/pods",
VersionFile: CrioVersionPathTmp,
CleanShutdownFile: CrioCleanShutdownFile,
InternalWipe: true,
InternalRepair: false,
},
APIConfig: APIConfig{
Listen: CrioSocketPath,
StreamAddress: "127.0.0.1",
StreamPort: "0",
GRPCMaxSendMsgSize: defaultGRPCMaxMsgSize,
GRPCMaxRecvMsgSize: defaultGRPCMaxMsgSize,
},
RuntimeConfig: RuntimeConfig{
AllowedDevices: []string{"/dev/fuse"},
DecryptionKeysPath: "/etc/crio/keys/",
DefaultRuntime: defaultRuntime,
Runtimes: Runtimes{
defaultRuntime: defaultRuntimeHandler(),
},
SELinux: selinuxEnabled(),
ApparmorProfile: apparmor.DefaultProfile,
BlockIOConfigFile: DefaultBlockIOConfigFile,
BlockIOReload: DefaultBlockIOReload,
IrqBalanceConfigFile: DefaultIrqBalanceConfigFile,
RdtConfigFile: rdt.DefaultRdtConfigFile,
CgroupManagerName: cgroupManager.Name(),
PidsLimit: DefaultPidsLimit,
ContainerExitsDir: containerExitsDir,
ContainerAttachSocketDir: conmonconfig.ContainerAttachSocketDir,
MinimumMappableUID: -1,
MinimumMappableGID: -1,
LogSizeMax: DefaultLogSizeMax,
CtrStopTimeout: defaultCtrStopTimeout,
DefaultCapabilities: capabilities.Default(),
LogLevel: "info",
HooksDir: []string{hooks.DefaultDir},
CDISpecDirs: cdi.DefaultSpecDirs,
NamespacesDir: defaultNamespacesDir,
DropInfraCtr: true,
IrqBalanceConfigRestoreFile: DefaultIrqBalanceConfigRestoreFile,
seccompConfig: seccomp.New(),
apparmorConfig: apparmor.New(),
blockioConfig: blockio.New(),
cgroupManager: cgroupManager,
deviceConfig: device.New(),
namespaceManager: nsmgr.New(defaultNamespacesDir, ""),
rdtConfig: rdt.New(),
ulimitsConfig: ulimits.New(),
HostNetworkDisableSELinux: true,
DisableHostPortMapping: false,
EnableCriuSupport: true,
},
ImageConfig: ImageConfig{
DefaultTransport: "docker://",
PauseImage: DefaultPauseImage,
PauseCommand: "/pause",
ImageVolumes: ImageVolumesMkdir,
SignaturePolicyDir: "/etc/crio/policies",
},
NetworkConfig: NetworkConfig{
NetworkDir: cniConfigDir,
PluginDirs: []string{cniBinDir},
},
MetricsConfig: MetricsConfig{
MetricsHost: "127.0.0.1",
MetricsPort: 9090,
MetricsCollectors: collectors.All(),
},
TracingConfig: TracingConfig{
TracingEndpoint: "0.0.0.0:4317",
TracingSamplingRatePerMillion: 0,
EnableTracing: false,
},
NRI: nri.New(),
}, nil
}
// Validate is the main entry point for library configuration validation.
// The parameter `onExecution` specifies if the validation should include
// execution checks. It returns an `error` on validation failure, otherwise
// `nil`.
func (c *Config) Validate(onExecution bool) error {
switch c.ImageVolumes {
case ImageVolumesMkdir:
case ImageVolumesIgnore:
case ImageVolumesBind:
default:
return errors.New("unrecognized image volume type specified")
}
if onExecution {
if err := node.ValidateConfig(); err != nil {
return err
}
}
if err := c.RootConfig.Validate(onExecution); err != nil {
return fmt.Errorf("validating root config: %w", err)
}
if err := c.RuntimeConfig.Validate(c.SystemContext, onExecution); err != nil {
return fmt.Errorf("validating runtime config: %w", err)
}
c.RuntimeConfig.seccompConfig.SetNotifierPath(
filepath.Join(filepath.Dir(c.Listen), "seccomp"),
)
if err := c.ImageConfig.Validate(onExecution); err != nil {
return fmt.Errorf("validating image config: %w", err)
}
if err := c.NetworkConfig.Validate(onExecution); err != nil {
return fmt.Errorf("validating network config: %w", err)
}
if err := c.APIConfig.Validate(onExecution); err != nil {
return fmt.Errorf("validating api config: %w", err)
}
if !c.SELinux {
selinux.SetDisabled()
}
if err := c.NRI.Validate(onExecution); err != nil {
return fmt.Errorf("validating NRI config: %w", err)
}
return nil
}
// Validate is the main entry point for API configuration validation.
// The parameter `onExecution` specifies if the validation should include
// execution checks. It returns an `error` on validation failure, otherwise
// `nil`.
func (c *APIConfig) Validate(onExecution bool) error {
if c.GRPCMaxSendMsgSize <= 0 {
c.GRPCMaxSendMsgSize = defaultGRPCMaxMsgSize
}
if c.GRPCMaxRecvMsgSize <= 0 {
c.GRPCMaxRecvMsgSize = defaultGRPCMaxMsgSize
}
if onExecution {
return RemoveUnusedSocket(c.Listen)
}
return nil
}
// RemoveUnusedSocket first ensures that the path to the socket exists and
// removes unused socket connections if available.
func RemoveUnusedSocket(path string) error {
if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
return fmt.Errorf("creating socket directories: %w", err)
}
// Remove the socket if it already exists