-
Notifications
You must be signed in to change notification settings - Fork 549
/
crio.go
222 lines (173 loc) · 7.25 KB
/
crio.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
package service
import (
"fmt"
"io/ioutil"
"github.com/autonomy/dianemo/src/initramfs/cmd/init/pkg/service/conditions"
"github.com/autonomy/dianemo/src/initramfs/pkg/userdata"
)
const crioConf = `
# The "crio" table contains all of the server options.
[crio]
# root is a path to the "root directory". CRIO stores all of its data,
# including container images, in this directory.
root = "/var/lib/containers/storage"
# run is a path to the "run directory". CRIO stores all of its state
# in this directory.
runroot = "/var/run/containers/storage"
# storage_driver select which storage driver is used to manage storage
# of images and containers.
storage_driver = "overlay"
# storage_option is used to pass an option to the storage driver.
storage_option = [
]
# The "crio.api" table contains settings for the kubelet/gRPC interface.
[crio.api]
# listen is the path to the AF_LOCAL socket on which crio will listen.
listen = "/var/run/crio/crio.sock"
# stream_address is the IP address on which the stream server will listen
stream_address = ""
# stream_port is the port on which the stream server will listen
stream_port = "10010"
# file_locking is whether file-based locking will be used instead of
# in-memory locking
file_locking = true
# The "crio.runtime" table contains settings pertaining to the OCI
# runtime used and options for how to set up and manage the OCI runtime.
[crio.runtime]
# runtime is the OCI compatible runtime used for trusted container workloads.
# This is a mandatory setting as this runtime will be the default one
# and will also be used for untrusted container workloads if
# runtime_untrusted_workload is not set.
runtime = "/bin/runc"
# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
# container workloads. This is an optional setting, except if
# default_container_trust is set to "untrusted".
runtime_untrusted_workload = ""
# default_workload_trust is the default level of trust crio puts in container
# workloads. It can either be "trusted" or "untrusted", and the default
# is "trusted".
# Containers can be run through different container runtimes, depending on
# the trust hints we receive from kubelet:
# - If kubelet tags a container workload as untrusted, crio will try first to
# run it through the untrusted container workload runtime. If it is not set,
# crio will use the trusted runtime.
# - If kubelet does not provide any information about the container workload trust
# level, the selected runtime will depend on the default_container_trust setting.
# If it is set to "untrusted", then all containers except for the host privileged
# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
# containers are by definition trusted and will always use the trusted container
# runtime. If default_container_trust is set to "trusted", crio will use the trusted
# container runtime for all containers.
default_workload_trust = "trusted"
# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
no_pivot = false
# conmon is the path to conmon binary, used for managing the runtime.
conmon = "/usr/local/libexec/crio/conmon"
# conmon_env is the environment variable list for conmon process,
# used for passing necessary environment variable to conmon or runtime.
conmon_env = [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]
# selinux indicates whether or not SELinux will be used for pod
# separation on the host. If you enable this flag, SELinux must be running
# on the host.
selinux = false
# seccomp_profile is the seccomp json profile path which is used as the
# default for the runtime.
seccomp_profile = "/etc/crio/seccomp.json"
# apparmor_profile is the apparmor profile name which is used as the
# default for the runtime.
apparmor_profile = "crio-default"
# cgroup_manager is the cgroup management implementation to be used
# for the runtime.
cgroup_manager = "cgroupfs"
# hooks_dir_path is the oci hooks directory for automatically executed hooks
hooks_dir_path = "/var/containers/oci/hooks.d"
# default_mounts is the mounts list to be mounted for the container when created
default_mounts = [
]
# pids_limit is the number of processes allowed in a container
pids_limit = 1024
# enable using a shared PID namespace for containers in a pod
enable_shared_pid_namespace = false
# log_size_max is the max limit for the container log size in bytes.
# Negative values indicate that no limit is imposed.
log_size_max = 1000000
# The "crio.image" table contains settings pertaining to the
# management of OCI images.
[crio.image]
# default_transport is the prefix we try prepending to an image name if the
# image name as we receive it can't be parsed as a valid source reference
default_transport = "docker://"
# pause_image is the image which we use to instantiate infra containers.
pause_image = "kubernetes/pause"
# pause_command is the command to run in a pause_image to have a container just
# sit there. If the image contains the necessary information, this value need
# not be specified.
pause_command = "/pause"
# signature_policy is the name of the file which decides what sort of policy we
# use when deciding whether or not to trust an image that we've pulled.
# Outside of testing situations, it is strongly advised that this be left
# unspecified so that the default system-wide policy will be used.
signature_policy = ""
# image_volumes controls how image volumes are handled.
# The valid values are mkdir and ignore.
image_volumes = "mkdir"
# insecure_registries is used to skip TLS verification when pulling images.
insecure_registries = [
]
# registries is used to specify a comma separated list of registries to be used
# when pulling an unqualified image (e.g. fedora:rawhide).
registries = [
"docker.io",
]
# The "crio.network" table contains settings pertaining to the
# management of CNI plugins.
[crio.network]
# network_dir is is where CNI network configuration
# files are stored.
network_dir = "/etc/cni/net.d/"
# plugin_dir is is where CNI plugin binaries are stored.
plugin_dir = "/opt/cni/bin/"
`
const crioPolicy = `
{
"default": [
{
"type": "insecureAcceptAnything"
}
]
}
`
// CRIO implements the Service interface. It serves as the concrete type with
// the required methods.
type CRIO struct{}
// Pre implements the Service interface.
func (p *CRIO) Pre(data userdata.UserData) error {
if err := ioutil.WriteFile("/etc/crio/crio.conf", []byte(crioConf), 0644); err != nil {
return fmt.Errorf("write crio.conf: %s", err.Error())
}
if err := ioutil.WriteFile("/etc/containers/policy.json", []byte(crioPolicy), 0644); err != nil {
return fmt.Errorf("write policy.json: %s", err.Error())
}
return nil
}
// Post implements the Service interface.
func (p *CRIO) Post(data userdata.UserData) (err error) {
return nil
}
// Cmd implements the Service interface.
func (p *CRIO) Cmd(data userdata.UserData, cmdArgs *CmdArgs) error {
cmdArgs.Name = "crio"
cmdArgs.Path = "/bin/crio"
cmdArgs.Args = []string{}
return nil
}
// Condition implements the Service interface.
func (p *CRIO) Condition(data userdata.UserData) func() (bool, error) {
return conditions.None()
}
// Env implements the Service interface.
func (p *CRIO) Env() []string { return []string{} }
// Type implements the Service interface.
func (p *CRIO) Type() Type { return Forever }