Update CRI-O in CentOS (#4582)

According to their compatibility matrix[1] the 1.11.5 version seems to
be deprecated. This change updates the CentOS repository reference.

[1] https://github.com/cri-o/cri-o#compatibility-matrix-cri-o---kubernetes-clusters
This commit is contained in:
Victor Morales 2019-08-22 03:16:32 -05:00 committed by Kubernetes Prow Robot
parent d4f094cc11
commit da089b5fca
3 changed files with 205 additions and 156 deletions

View file

@ -112,7 +112,7 @@ Supported Components
- [kubernetes](https://github.com/kubernetes/kubernetes) v1.15.3 - [kubernetes](https://github.com/kubernetes/kubernetes) v1.15.3
- [etcd](https://github.com/coreos/etcd) v3.3.10 - [etcd](https://github.com/coreos/etcd) v3.3.10
- [docker](https://www.docker.com/) v18.06 (see note) - [docker](https://www.docker.com/) v18.06 (see note)
- [cri-o](http://cri-o.io/) v1.11.5 (experimental: see [CRI-O Note](docs/cri-o.md). Only on centos based OS) - [cri-o](http://cri-o.io/) v1.14.0 (experimental: see [CRI-O Note](docs/cri-o.md). Only on centos based OS)
- Network Plugin - Network Plugin
- [cni-plugins](https://github.com/containernetworking/plugins) v0.8.1 - [cni-plugins](https://github.com/containernetworking/plugins) v0.8.1
- [calico](https://github.com/projectcalico/calico) v3.7.3 - [calico](https://github.com/projectcalico/calico) v3.7.3

View file

@ -1,2 +1,2 @@
--- ---
crio_rhel_repo_base_url: 'http://mirror.centos.org/centos/7/paas/x86_64/openshift-origin311/' crio_rhel_repo_base_url: 'https://cbs.centos.org/repos/paas7-crio-114-candidate/x86_64/os/'

View file

@ -1,135 +1,123 @@
# The "crio" table contains all of the server options. # The CRI-O configuration file specifies all of the available configuration
# options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
# daemon, but in a TOML format that can be more easily modified and versioned.
#
# Please refer to crio.conf(5) for details of all configuration options.
# CRI-O reads its storage defaults from the containers-storage.conf(5) file
# located at /etc/containers/storage.conf. Modify this storage configuration if
# you want to change the system's defaults. If you want to modify storage just
# for CRI-O, you can change the storage configuration options here.
[crio] [crio]
# CRI-O reads its storage defaults from the containers/storage configuration # Path to the "root directory". CRI-O stores all of its data, including
# file, /etc/containers/storage.conf. Modify storage.conf if you want to # containers images, in this directory.
# change default storage for all tools that use containers/storage. If you
# want to modify just crio, you can change the storage configuration in this
# file.
# root is a path to the "root directory". CRIO stores all of its data,
# including container images, in this directory.
#root = "/var/lib/containers/storage" #root = "/var/lib/containers/storage"
# run is a path to the "run directory". CRIO stores all of its state # Path to the "run directory". CRI-O stores all of its state in this directory.
# in this directory.
#runroot = "/var/run/containers/storage" #runroot = "/var/run/containers/storage"
# storage_driver select which storage driver is used to manage storage # Storage driver used to manage the storage of images and containers. Please
# of images and containers. # refer to containers-storage.conf(5) to see all available storage drivers.
storage_driver = "overlay2" storage_driver = "overlay2"
# storage_option is used to pass an option to the storage driver. # List to pass options to the storage driver. Please refer to
# containers-storage.conf(5) to see all available storage options.
#storage_option = [ #storage_option = [
#] #]
# The "crio.api" table contains settings for the kubelet/gRPC interface. # If set to false, in-memory locking will be used instead of file-based locking.
[crio.api]
# listen is the path to the AF_LOCAL socket on which crio will listen.
listen = "/var/run/crio/crio.sock"
# stream_address is the IP address on which the stream server will listen
stream_address = ""
# stream_port is the port on which the stream server will listen
stream_port = "10010"
# stream_enable_tls enables encrypted tls transport of the stream server
stream_enable_tls = false
# stream_tls_cert is the x509 certificate file path used to serve the encrypted stream.
# This file can change, and CRIO will automatically pick up the changes within 5 minutes.
stream_tls_cert = ""
# stream_tls_key is the key file path used to serve the encrypted stream.
# This file can change, and CRIO will automatically pick up the changes within 5 minutes.
stream_tls_key = ""
# stream_tls_ca is the x509 CA(s) file used to verify and authenticate client
# communication with the tls encrypted stream.
# This file can change, and CRIO will automatically pick up the changes within 5 minutes.
stream_tls_ca = ""
# file_locking is whether file-based locking will be used instead of
# in-memory locking
file_locking = true file_locking = true
# The "crio.runtime" table contains settings pertaining to the OCI # Path to the lock file.
# runtime used and options for how to set up and manage the OCI runtime. file_locking_path = "/run/crio.lock"
# The crio.api table contains settings for the kubelet/gRPC interface.
[crio.api]
# Path to AF_LOCAL socket on which CRI-O will listen.
listen = "/var/run/crio/crio.sock"
# IP address on which the stream server will listen.
stream_address = ""
# The port on which the stream server will listen.
stream_port = "10010"
# Enable encrypted TLS transport of the stream server.
stream_enable_tls = false
# Path to the x509 certificate file used to serve the encrypted stream. This
# file can change, and CRI-O will automatically pick up the changes within 5
# minutes.
stream_tls_cert = ""
# Path to the key file used to serve the encrypted stream. This file can
# change, and CRI-O will automatically pick up the changes within 5 minutes.
stream_tls_key = ""
# Path to the x509 CA(s) file used to verify and authenticate client
# communication with the encrypted stream. This file can change, and CRI-O will
# automatically pick up the changes within 5 minutes.
stream_tls_ca = ""
# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_send_msg_size = 16777216
# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_recv_msg_size = 16777216
# The crio.runtime table contains settings pertaining to the OCI runtime used
# and options for how to set up and manage the OCI runtime.
[crio.runtime] [crio.runtime]
# runtime is the OCI compatible runtime used for trusted container workloads. # A list of ulimits to be set in containers by default, specified as
# This is a mandatory setting as this runtime will be the default one # "<ulimit name>=<soft limit>:<hard limit>", for example:
# and will also be used for untrusted container workloads if # "nofile=1024:2048"
# runtime_untrusted_workload is not set. # If nothing is set here, settings will be inherited from the CRI-O daemon
{% if ansible_os_family == "ClearLinux" or ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" %} #default_ulimits = [
runtime = "/usr/bin/runc" # "nofile=65536:65536",
{% else %} #]
runtime = "/usr/sbin/runc"
{% endif %}
# runtime_untrusted_workload is the OCI compatible runtime used for untrusted # default_runtime is the _name_ of the OCI runtime to be used as the default.
# container workloads. This is an optional setting, except if # The name is matched against the runtimes map below.
# default_container_trust is set to "untrusted". default_runtime = "runc"
runtime_untrusted_workload = ""
# default_workload_trust is the default level of trust crio puts in container # If true, the runtime will not use pivot_root, but instead use MS_MOVE.
# workloads. It can either be "trusted" or "untrusted", and the default
# is "trusted".
# Containers can be run through different container runtimes, depending on
# the trust hints we receive from kubelet:
# - If kubelet tags a container workload as untrusted, crio will try first to
# run it through the untrusted container workload runtime. If it is not set,
# crio will use the trusted runtime.
# - If kubelet does not provide any information about the container workload trust
# level, the selected runtime will depend on the default_container_trust setting.
# If it is set to "untrusted", then all containers except for the host privileged
# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
# containers are by definition trusted and will always use the trusted container
# runtime. If default_container_trust is set to "trusted", crio will use the trusted
# container runtime for all containers.
default_workload_trust = "trusted"
# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
no_pivot = false no_pivot = false
# conmon is the path to conmon binary, used for managing the runtime. # Path to the conmon binary, used for monitoring the OCI runtime.
conmon = "{{ crio_conmon }}" conmon = "{{ crio_conmon }}"
# conmon_env is the environment variable list for conmon process, # Environment variable list for the conmon process, used for passing necessary
# used for passing necessary environment variable to conmon or runtime. # environment variables to conmon or the runtime.
conmon_env = [ conmon_env = [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
] ]
# selinux indicates whether or not SELinux will be used for pod # If true, SELinux will be used for pod separation on the host.
# separation on the host. If you enable this flag, SELinux must be running
# on the host.
selinux = {{ (preinstall_selinux_state == 'enforcing')|lower }} selinux = {{ (preinstall_selinux_state == 'enforcing')|lower }}
# seccomp_profile is the seccomp json profile path which is used as the # Path to the seccomp.json profile which is used as the default seccomp profile
# default for the runtime. # for the runtime.
{% if ansible_os_family == "ClearLinux" %} {% if ansible_os_family == "ClearLinux" %}
seccomp_profile = "/usr/share/defaults/crio/seccomp.json" seccomp_profile = "/usr/share/defaults/crio/seccomp.json"
{% else %} {% else %}
seccomp_profile = "/etc/crio/seccomp.json" seccomp_profile = "/etc/crio/seccomp.json"
{% endif %} {% endif %}
# apparmor_profile is the apparmor profile name which is used as the # Used to change the name of the default AppArmor profile of CRI-O. The default
# default for the runtime. # profile name is "crio-default-" followed by the version string of CRI-O.
apparmor_profile = "crio-default" apparmor_profile = "crio-default"
# cgroup_manager is the cgroup management implementation to be used # Cgroup management implementation used for the runtime.
# for the runtime.
cgroup_manager = "cgroupfs" cgroup_manager = "cgroupfs"
# default_capabilities is the list of capabilities to add and can be modified here. # List of default capabilities for containers. If it is empty or commented out,
# If capabilities below is commented out, the default list of capabilities defined in the # only the capabilities defined in the containers json file by the user/kube
# spec will be added. # will be added.
# If capabilities is empty below, only the capabilities defined in the container json
# file by the user/kube will be added.
default_capabilities = [ default_capabilities = [
"CHOWN", "CHOWN",
"DAC_OVERRIDE", "DAC_OVERRIDE",
@ -144,103 +132,164 @@ default_capabilities = [
"KILL", "KILL",
] ]
# hooks_dir_path is the oci hooks directory for automatically executed hooks # List of default sysctls. If it is empty or commented out, only the sysctls
hooks_dir_path = "/usr/share/containers/oci/hooks.d" # defined in the container json file by the user/kube will be added.
default_sysctls = [
# default_mounts is the mounts list to be mounted for the container when created
# deprecated, will be taken out in future versions, add default mounts to either
# /usr/share/containers/mounts.conf or /etc/containers/mounts.conf
default_mounts = [
] ]
# CRI-O reads its default mounts from the following two files: # List of additional devices. specified as
# 1) /etc/containers/mounts.conf - this is the override file, where users can # "<device-on-host>:<device-on-container>:<permissions>", for example: "--device=/dev/sdc:/dev/xvdc:rwm".
# either add in their own default mounts, or override the default mounts shipped #If it is empty or commented out, only the devices
# with the package. # defined in the container json file by the user/kube will be added.
# 2) /usr/share/containers/mounts.conf - this is the default file read for mounts. additional_devices = [
# If you want CRI-O to read from a different, specific mounts file, you can change ]
# the default_mounts_file path right below. Note, if this is done, CRI-O will only add
# mounts it finds in this file.
# default_mounts_file is the file path holding the default mounts to be mounted for the # Path to OCI hooks directories for automatically executed hooks.
# container when created. hooks_dir = [
]
# List of default mounts for each container. **Deprecated:** this option will
# be removed in future versions in favor of default_mounts_file.
default_mounts = [
{% if ansible_os_family == "RedHat" %}
"/usr/share/rhel/secrets:/run/secrets",
{% endif %}
]
# Path to the file specifying the defaults mounts for each container. The
# format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads
# its default mounts from the following two files:
#
# 1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the
# override file, where users can either add in their own default mounts, or
# override the default mounts shipped with the package.
#
# 2) /usr/share/containers/mounts.conf: This is the default file read for
# mounts. If you want CRI-O to read from a different, specific mounts file,
# you can change the default_mounts_file. Note, if this is done, CRI-O will
# only add mounts it finds in this file.
#
#default_mounts_file = "" #default_mounts_file = ""
# pids_limit is the number of processes allowed in a container # Maximum number of processes allowed in a container.
pids_limit = 1024 pids_limit = 1024
# log_size_max is the max limit for the container log size in bytes. # Maximum sized allowed for the container log file. Negative numbers indicate
# Negative values indicate that no limit is imposed. # that no size limit is imposed. If it is positive, it must be >= 8192 to
# match/exceed conmon's read buffer. The file is truncated and re-opened so the
# limit is never exceeded.
log_size_max = -1 log_size_max = -1
# read-only indicates whether all containers will run in read-only mode # Whether container output should be logged to journald in addition to the kuberentes log file
log_to_journald = false
# Path to directory in which container exit files are written to by conmon.
container_exits_dir = "/var/run/crio/exits"
# Path to directory for container attach sockets.
container_attach_socket_dir = "/var/run/crio"
# If set to true, all containers will run in read-only mode.
read_only = false read_only = false
# The "crio.image" table contains settings pertaining to the # Changes the verbosity of the logs based on the level it is set to. Options
# management of OCI images. # are fatal, panic, error, warn, info, and debug.
log_level = "error"
# uid_mappings specifies the UID mappings to have in the user namespace. # The UID mappings for the user namespace of each container. A range is
# A range is specified in the form containerUID:HostUID:Size. Multiple # specified in the form containerUID:HostUID:Size. Multiple ranges must be
# ranges are separed by comma. # separated by comma.
uid_mappings = "" uid_mappings = ""
# gid_mappings specifies the GID mappings to have in the user namespace. # The GID mappings for the user namespace of each container. A range is
# A range is specified in the form containerGID:HostGID:Size. Multiple # specified in the form containerGID:HostGID:Size. Multiple ranges must be
# ranges are separed by comma. # separated by comma.
gid_mappings = "" gid_mappings = ""
# The minimal amount of time in seconds to wait before issuing a timeout
# regarding the proper termination of the container.
ctr_stop_timeout = 0
# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
# The runtime to use is picked based on the runtime_handler provided by the CRI.
# If no runtime_handler is provided, the runtime will be picked based on the level
# of trust of the workload.
[crio.runtime.runtimes.runc]
{% if ansible_os_family == "ClearLinux" or ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" %}
runtime_path = "/usr/bin/runc"
{% else %}
runtime_path = "/usr/sbin/runc"
{% endif %}
runtime_type = "oci"
# The crio.image table contains settings pertaining to the management of OCI images.
#
# CRI-O reads its configured registries defaults from the system wide
# containers-registries.conf(5) located in /etc/containers/registries.conf. If
# you want to modify just CRI-O, you can change the registries configuration in
# this file. Otherwise, leave insecure_registries and registries commented out to
# use the system's defaults from /etc/containers/registries.conf.
[crio.image] [crio.image]
# default_transport is the prefix we try prepending to an image name if the # Default transport for pulling images from a remote container storage.
# image name as we receive it can't be parsed as a valid source reference
default_transport = "docker://" default_transport = "docker://"
# pause_image is the image which we use to instantiate infra containers. # The image used to instantiate infra containers.
pause_image = "docker://k8s.gcr.io/pause:3.1" pause_image = "docker://k8s.gcr.io/pause:3.1"
# pause_command is the command to run in a pause_image to have a container just # If not empty, the path to a docker/config.json-like file containing credentials
# sit there. If the image contains the necessary information, this value need # necessary for pulling the image specified by pause_image above.
# not be specified. pause_image_auth_file = ""
# The command to run to have a container stay in the paused state.
pause_command = "/pause" pause_command = "/pause"
# signature_policy is the name of the file which decides what sort of policy we # Path to the file which decides what sort of policy we use when deciding
# use when deciding whether or not to trust an image that we've pulled. # whether or not to trust an image that we've pulled. It is not recommended that
# Outside of testing situations, it is strongly advised that this be left # this option be used, as the default behavior of using the system-wide default
# unspecified so that the default system-wide policy will be used. # policy (i.e., /etc/containers/policy.json) is most often preferred. Please
# refer to containers-policy.json(5) for more details.
{% if ansible_os_family == "ClearLinux" %} {% if ansible_os_family == "ClearLinux" %}
signature_policy = "/usr/share/defaults/crio/policy.json" signature_policy = "/usr/share/defaults/crio/policy.json"
{% else %} {% else %}
signature_policy = "" signature_policy = ""
{% endif %} {% endif %}
# image_volumes controls how image volumes are handled. # Controls how image volumes are handled. The valid values are mkdir, bind and
# The valid values are mkdir and ignore. # ignore; the latter will ignore volumes entirely.
image_volumes = "mkdir" image_volumes = "mkdir"
# CRI-O reads its configured registries defaults from the containers/image configuration # List of registries to be used when pulling an unqualified image (e.g.,
# file, /etc/containers/registries.conf. Modify registries.conf if you want to # "alpine:latest"). By default, registries is set to "docker.io" for
# change default registries for all tools that use containers/image. If you # compatibility reasons. Depending on your workload and usecase you may add more
# want to modify just crio, you can change the registies configuration in this # registries (e.g., "quay.io", "registry.fedoraproject.org",
# file. # "registry.opensuse.org", etc.).
registries = [
"docker.io"
]
# "registry.fedoraproject.org",
# "quay.io",
# "registry.centos.org",
#]
# insecure_registries is used to skip TLS verification when pulling images.
insecure_registries = [ insecure_registries = [
"{{ kube_service_addresses }}" "{{ kube_service_addresses }}"
] ]
# registries is used to specify a comma separated list of registries to be used # The crio.network table containers settings pertaining to the management of
# when pulling an unqualified image (e.g. fedora:rawhide). # CNI plugins.
registries = [
"docker.io"
]
# The "crio.network" table contains settings pertaining to the
# management of CNI plugins.
[crio.network] [crio.network]
# network_dir is where CNI network configuration # Path to the directory where CNI configuration files are located.
# files are stored.
network_dir = "/etc/cni/net.d/" network_dir = "/etc/cni/net.d/"
# plugin_dir is where CNI plugin binaries are stored. # Paths to directories where CNI plugin binaries are located.
plugin_dir = "/opt/cni/bin/" plugin_dirs = [
"/usr/libexec/cni",
{% if ansible_os_family == "ClearLinux" %}
"/opt/cni/bin/",
{% endif %}
]