c12s-kubespray/roles/container-engine/containerd/templates/config.toml.j2
Victor Morales dc5df57c26
Add privileged_without_host_devices support (#7343)
When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.

More information:
* https://github.com/containerd/cri/pull/1225
* 1d0f68156b
2021-03-08 00:17:44 -08:00

80 lines
2.7 KiB
Django/Jinja

# persistent data location
root = "{{ containerd_metadata_root_dir }}"
# runtime state information
state = "{{ containerd_state_dir }}"
# Kubernetes doesn't use containerd restart manager.
disabled_plugins = ["restart"]
[debug]
level = "{{ containerd_config.debug.level | default("") }}"
{% if 'grpc' in containerd_config %}
[grpc]
{% for param, value in containerd_config.grpc.items() %}
{{ param }} = {{ value }}
{% endfor %}
{% endif %}
[plugins.linux]
shim = "/usr/bin/containerd-shim"
runtime = "{{ runc_binary }}"
[plugins.cri]
stream_server_address = "127.0.0.1"
max_container_log_line_size = {{ containerd_config.max_container_log_line_size }}
sandbox_image = "{{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"
systemd_cgroup = {{ containerd_use_systemd_cgroup|lower }}
[plugins.cri.cni]
bin_dir = "/opt/cni/bin"
conf_dir = "/etc/cni/net.d"
conf_template = ""
{% if 'containerd' in containerd_config %}
[plugins.cri.containerd]
{% for param, value in containerd_config.containerd.items() %}
{{ param }} = "{{ value }}"
{% endfor %}
{% endif %}
[plugins.cri.containerd.default_runtime]
runtime_type = "{{ containerd_default_runtime.type }}"
runtime_engine = "{{ containerd_default_runtime.engine }}"
runtime_root = "{{ containerd_default_runtime.root }}"
privileged_without_host_devices = {{ containerd_default_runtime.privileged_without_host_devices|default(false)|lower }}
{% if kata_containers_enabled %}
[plugins.cri.containerd.runtimes.kata-qemu]
runtime_type = "io.containerd.kata-qemu.v2"
[plugins.cri.containerd.runtimes.kata-qemu.options]
ConfigPath = "/etc/kata-containers/configuration-qemu.toml"
{% endif %}
{% for runtime in containerd_runtimes %}
[plugins.cri.containerd.runtimes.{{ runtime.name }}]
runtime_type = "{{ runtime.type }}"
runtime_engine = "{{ runtime.engine }}"
runtime_root = "{{ runtime.root }}"
privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
{% endfor %}
[plugins.cri.containerd.untrusted_workload_runtime]
runtime_type = "{{ containerd_untrusted_runtime_type }}"
runtime_engine = "{{ containerd_untrusted_runtime_engine }}"
runtime_root = "{{ containerd_untrusted_runtime_root }}"
{% if 'registries' in containerd_config %}
[plugins.cri.registry]
[plugins.cri.registry.mirrors]
{% for registry, addr in containerd_config.registries.items() %}
[plugins.cri.registry.mirrors."{{ registry }}"]
endpoint = ["{{ ([ addr ] | flatten ) | join('","') }}"]
{% endfor %}
{% endif %}
{% if 'metrics' in containerd_config %}
[metrics]
address = "{{ containerd_config.metrics.address | default('') }}"
grpc_histogram = {{ containerd_config.metrics.grpc_histogram | default(false) | lower }}
{% endif %}