fatherlinux

Untitled

Apr 3rd, 2019
  1. alias urldecode='python3 -c "import sys, urllib.parse; print(urllib.parse.unquote(sys.argv[1]))"'  # print the first argument with its %XX escapes decoded; unquote() leaves "+" as-is (it is not treated as a space)
  2.  
  3.  
  4. urldecode "data:,%23%20The%20%22crio%22%20table%20contains%20all%20of%20the%20server%20options.%0A%5Bcrio%5D%0A%0A%23%20CRI-O%20reads%20its%20storage%20defaults%20from%20the%20containers%2Fstorage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fstorage.conf.%20Modify%20storage.conf%20if%20you%20want%20to%0A%23%20change%20default%20storage%20for%20all%20tools%20that%20use%20containers%2Fstorage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20storage%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20root%20is%20a%20path%20to%20the%20%22root%20directory%22.%20CRIO%20stores%20all%20of%20its%20data%2C%0A%23%20including%20container%20images%2C%20in%20this%20directory.%0A%23root%20%3D%20%22%2Fvar%2Flib%2Fcontainers%2Fstorage%22%0A%0A%23%20run%20is%20a%20path%20to%20the%20%22run%20directory%22.%20CRIO%20stores%20all%20of%20its%20state%0A%23%20in%20this%20directory.%0A%23runroot%20%3D%20%22%2Fvar%2Frun%2Fcontainers%2Fstorage%22%0A%0A%23%20storage_driver%20select%20which%20storage%20driver%20is%20used%20to%20manage%20storage%0A%23%20of%20images%20and%20containers.%0A%23storage_driver%20%3D%20%22%22%0A%0A%23%20storage_option%20is%20used%20to%20pass%20an%20option%20to%20the%20storage%20driver.%0A%23storage_option%20%3D%20%5B%0A%23%5D%0A%0A%23%20The%20%22crio.api%22%20table%20contains%20settings%20for%20the%20kubelet%2FgRPC%20interface.%0A%5Bcrio.api%5D%0A%0A%23%20listen%20is%20the%20path%20to%20the%20AF_LOCAL%20socket%20on%20which%20crio%20will%20listen.%0Alisten%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fcrio.sock%22%0A%0A%23%20stream_address%20is%20the%20IP%20address%20on%20which%20the%20stream%20server%20will%20listen%0Astream_address%20%3D%20%22%22%0A%0A%23%20stream_port%20is%20the%20port%20on%20which%20the%20stream%20server%20will%20listen%0Astream_port%20%3D%20%2210010%22%0A%0A%23%20stream_enable_tls%20enables%20encrypted%20tls%20transport%20of%20the%20stream%20server%0Astream_enable_tls%20%3D%20false%0A%0A%23%20stream_tls_cer
t%20is%20the%20x509%20certificate%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_cert%20%3D%20%22%22%0A%0A%23%20stream_tls_key%20is%20the%20key%20file%20path%20used%20to%20serve%20the%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_key%20%3D%20%22%22%0A%0A%23%20stream_tls_ca%20is%20the%20x509%20CA(s)%20file%20used%20to%20verify%20and%20authenticate%20client%0A%23%20communication%20with%20the%20tls%20encrypted%20stream.%0A%23%20This%20file%20can%20change%2C%20and%20CRIO%20will%20automatically%20pick%20up%20the%20changes%20within%205%20minutes.%0Astream_tls_ca%20%3D%20%22%22%0A%0A%23%20file_locking%20is%20whether%20file-based%20locking%20will%20be%20used%20instead%20of%0A%23%20in-memory%20locking%0Afile_locking%20%3D%20false%0A%0A%23%20The%20%22crio.runtime%22%20table%20contains%20settings%20pertaining%20to%20the%20OCI%0A%23%20runtime%20used%20and%20options%20for%20how%20to%20set%20up%20and%20manage%20the%20OCI%20runtime.%0A%5Bcrio.runtime%5D%0A%0A%23%20runtime%20is%20the%20OCI%20compatible%20runtime%20used%20for%20trusted%20container%20workloads.%0A%23%20This%20is%20a%20mandatory%20setting%20as%20this%20runtime%20will%20be%20the%20default%20one%0A%23%20and%20will%20also%20be%20used%20for%20untrusted%20container%20workloads%20if%0A%23%20runtime_untrusted_workload%20is%20not%20set.%0Aruntime%20%3D%20%22%2Fusr%2Fbin%2Frunc%22%0A%0A%23%20runtime_untrusted_workload%20is%20the%20OCI%20compatible%20runtime%20used%20for%20untrusted%0A%23%20container%20workloads.%20This%20is%20an%20optional%20setting%2C%20except%20if%0A%23%20default_container_trust%20is%20set%20to%20%22untrusted%22.%0Aruntime_untrusted_workload%20%3D%20%22%22%0A%0A%23%20default_workload_trust%20is%20the%20default%20level%20of%20trust%20crio%20puts
%20in%20container%0A%23%20workloads.%20It%20can%20either%20be%20%22trusted%22%20or%20%22untrusted%22%2C%20and%20the%20default%0A%23%20is%20%22trusted%22.%0A%23%20Containers%20can%20be%20run%20through%20different%20container%20runtimes%2C%20depending%20on%0A%23%20the%20trust%20hints%20we%20receive%20from%20kubelet%3A%0A%23%20-%20If%20kubelet%20tags%20a%20container%20workload%20as%20untrusted%2C%20crio%20will%20try%20first%20to%0A%23%20run%20it%20through%20the%20untrusted%20container%20workload%20runtime.%20If%20it%20is%20not%20set%2C%0A%23%20crio%20will%20use%20the%20trusted%20runtime.%0A%23%20-%20If%20kubelet%20does%20not%20provide%20any%20information%20about%20the%20container%20workload%20trust%0A%23%20level%2C%20the%20selected%20runtime%20will%20depend%20on%20the%20default_container_trust%20setting.%0A%23%20If%20it%20is%20set%20to%20%22untrusted%22%2C%20then%20all%20containers%20except%20for%20the%20host%20privileged%0A%23%20ones%2C%20will%20be%20run%20by%20the%20runtime_untrusted_workload%20runtime.%20Host%20privileged%0A%23%20containers%20are%20by%20definition%20trusted%20and%20will%20always%20use%20the%20trusted%20container%0A%23%20runtime.%20If%20default_container_trust%20is%20set%20to%20%22trusted%22%2C%20crio%20will%20use%20the%20trusted%0A%23%20container%20runtime%20for%20all%20containers.%0Adefault_workload_trust%20%3D%20%22trusted%22%0A%0A%23%20no_pivot%20instructs%20the%20runtime%20to%20not%20use%20pivot_root%2C%20but%20instead%20use%20MS_MOVE%0Ano_pivot%20%3D%20false%0A%0A%23%20conmon%20is%20the%20path%20to%20conmon%20binary%2C%20used%20for%20managing%20the%20runtime.%0Aconmon%20%3D%20%22%2Fusr%2Flibexec%2Fcrio%2Fconmon%22%0A%0A%23%20conmon_env%20is%20the%20environment%20variable%20list%20for%20conmon%20process%2C%0A%23%20used%20for%20passing%20necessary%20environment%20variable%20to%20conmon%20or%20runtime.%0Aconmon_env%20%3D%20%5B%0A%20%20%22PATH%3D%2Fusr%2Flocal%2Fsbin%3A%2Fusr%2Flocal%2Fbin%3A%2Fusr%2Fsbin%3A%2Fusr%2Fbin%3A%2Fsbin%3A%2Fbin%22%2C%0A%
5D%0A%0A%23%20selinux%20indicates%20whether%20or%20not%20SELinux%20will%20be%20used%20for%20pod%0A%23%20separation%20on%20the%20host.%20If%20you%20enable%20this%20flag%2C%20SELinux%20must%20be%20running%0A%23%20on%20the%20host.%0Aselinux%20%3D%20true%0A%0A%23%20seccomp_profile%20is%20the%20seccomp%20json%20profile%20path%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aseccomp_profile%20%3D%20%22%2Fetc%2Fcrio%2Fseccomp.json%22%0A%0A%23%20apparmor_profile%20is%20the%20apparmor%20profile%20name%20which%20is%20used%20as%20the%0A%23%20default%20for%20the%20runtime.%0Aapparmor_profile%20%3D%20%22crio-default%22%0A%0A%23%20cgroup_manager%20is%20the%20cgroup%20management%20implementation%20to%20be%20used%0A%23%20for%20the%20runtime.%0Acgroup_manager%20%3D%20%22systemd%22%0A%0A%23%20default_capabilities%20is%20the%20list%20of%20capabilities%20to%20add%20and%20can%20be%20modified%20here.%0A%23%20If%20capabilities%20below%20is%20commented%20out%2C%20the%20default%20list%20of%20capabilities%20defined%20in%20the%0A%23%20spec%20will%20be%20added.%0A%23%20If%20capabilities%20is%20empty%20below%2C%20only%20the%20capabilities%20defined%20in%20the%20container%20json%0A%23%20file%20by%20the%20user%2Fkube%20will%20be%20added.%0Adefault_capabilities%20%3D%20%5B%0A%20%20%22CHOWN%22%2C%20%0A%20%20%22DAC_OVERRIDE%22%2C%20%0A%20%20%22FSETID%22%2C%20%0A%20%20%22FOWNER%22%2C%20%0A%20%20%22NET_RAW%22%2C%20%0A%20%20%22SETGID%22%2C%20%0A%20%20%22SETUID%22%2C%20%0A%20%20%22SETPCAP%22%2C%20%0A%20%20%22NET_BIND_SERVICE%22%2C%20%0A%20%20%22SYS_CHROOT%22%2C%20%0A%20%20%22KILL%22%2C%20%0A%5D%0A%0A%23%20hooks_dir_path%20is%20the%20oci%20hooks%20directory%20for%20automatically%20executed%20hooks%0Ahooks_dir_path%20%3D%20%22%2Fusr%2Fshare%2Fcontainers%2Foci%2Fhooks.d%22%0A%0A%23%20default_mounts%20is%20the%20mounts%20list%20to%20be%20mounted%20for%20the%20container%20when%20created%0A%23%20deprecated%2C%20will%20be%20taken%20out%20in%20future%20versions%2C%20add%20default%20mounts
%20to%20either%0A%23%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20or%20%2Fetc%2Fcontainers%2Fmounts.conf%0Adefault_mounts%20%3D%20%5B%0A%20%20%22%2Fusr%2Fshare%2Frhel%2Fsecrets%3A%2Frun%2Fsecrets%22%2C%20%0A%5D%0A%0A%23%20Path%20to%20directory%20in%20which%20container%20exit%20files%20are%20written%20to%20by%20conmon.%0Acontainer_exits_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%2Fexits%22%0A%0A%23%20Path%20to%20directory%20for%20container%20attach%20sockets.%0Acontainer_attach_socket_dir%20%3D%20%22%2Fvar%2Frun%2Fcrio%22%0A%0A%23%20CRI-O%20reads%20its%20default%20mounts%20from%20the%20following%20two%20files%3A%0A%23%201)%20%2Fetc%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20override%20file%2C%20where%20users%20can%0A%23%20either%20add%20in%20their%20own%20default%20mounts%2C%20or%20override%20the%20default%20mounts%20shipped%0A%23%20with%20the%20package.%0A%23%202)%20%2Fusr%2Fshare%2Fcontainers%2Fmounts.conf%20-%20this%20is%20the%20default%20file%20read%20for%20mounts.%0A%23%20If%20you%20want%20CRI-O%20to%20read%20from%20a%20different%2C%20specific%20mounts%20file%2C%20you%20can%20change%0A%23%20the%20default_mounts_file%20path%20right%20below.%20Note%2C%20if%20this%20is%20done%2C%20CRI-O%20will%20only%20add%0A%23%20mounts%20it%20finds%20in%20this%20file.%0A%0A%23%20default_mounts_file%20is%20the%20file%20path%20holding%20the%20default%20mounts%20to%20be%20mounted%20for%20the%0A%23%20container%20when%20created.%0A%23%20default_mounts_file%20%3D%20%22%22%0A%0A%23%20pids_limit%20is%20the%20number%20of%20processes%20allowed%20in%20a%20container%0Apids_limit%20%3D%201024%0A%0A%23%20log_size_max%20is%20the%20max%20limit%20for%20the%20container%20log%20size%20in%20bytes.%0A%23%20Negative%20values%20indicate%20that%20no%20limit%20is%20imposed.%0Alog_size_max%20%3D%20-1%0A%0A%23%20read-only%20indicates%20whether%20all%20containers%20will%20run%20in%20read-only%20mode%0Aread_only%20%3D%20false%0A%0A%23%20log_level%20changes%20the%20verbosity%20of%20the%20logs%20printed.%0A%2
3%20Options%20are%3A%20error%20(default)%2C%20fatal%2C%20panic%2C%20warn%2C%20info%2C%20and%20debug%0Alog_level%20%3D%20%22error%22%0A%0A%23%20The%20%22crio.image%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20OCI%20images.%0A%0A%23%20uid_mappings%20specifies%20the%20UID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerUID%3AHostUID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Auid_mappings%20%3D%20%22%22%0A%0A%23%20gid_mappings%20specifies%20the%20GID%20mappings%20to%20have%20in%20the%20user%20namespace.%0A%23%20A%20range%20is%20specified%20in%20the%20form%20containerGID%3AHostGID%3ASize.%20%20Multiple%0A%23%20ranges%20are%20separed%20by%20comma.%0Agid_mappings%20%3D%20%22%22%0A%0A%5Bcrio.image%5D%0A%0A%23%20default_transport%20is%20the%20prefix%20we%20try%20prepending%20to%20an%20image%20name%20if%20the%0A%23%20image%20name%20as%20we%20receive%20it%20can't%20be%20parsed%20as%20a%20valid%20source%20reference%0Adefault_transport%20%3D%20%22docker%3A%2F%2F%22%0A%0A%23%20pause_image%20is%20the%20image%20which%20we%20use%20to%20instantiate%20infra%20containers.%0Apause_image%20%3D%20%22quay.io%2Fopenshift-release-dev%2Focp-v4.0-art-dev%40sha256%3A0f4767e691bd6b984691dd48a13313c13fece8442d0bd43756f8e9d0145861d4%22%0A%0A%23%20If%20not%20empty%2C%20the%20path%20to%20a%20docker%2Fconfig.json-like%20file%20containing%20credentials%0A%23%20necessary%20for%20pulling%20the%20image%20specified%20by%20pause_image%C2%A0above.%0Apause_image_auth_file%20%3D%20%22%2Fvar%2Flib%2Fkubelet%2Fconfig.json%22%0A%0A%23%20pause_command%20is%20the%20command%20to%20run%20in%20a%20pause_image%20to%20have%20a%20container%20just%0A%23%20sit%20there.%20%20If%20the%20image%20contains%20the%20necessary%20information%2C%20this%20value%20need%0A%23%20not%20be%20specified.%0Apause_command%20%3D%20%22%2Fusr%2Fbin%2Fpod%22%0A%0A%23%20signature_policy%20is%20the%20name%20of%20the
%20file%20which%20decides%20what%20sort%20of%20policy%20we%0A%23%20use%20when%20deciding%20whether%20or%20not%20to%20trust%20an%20image%20that%20we've%20pulled.%0A%23%20Outside%20of%20testing%20situations%2C%20it%20is%20strongly%20advised%20that%20this%20be%20left%0A%23%20unspecified%20so%20that%20the%20default%20system-wide%20policy%20will%20be%20used.%0Asignature_policy%20%3D%20%22%22%0A%0A%23%20image_volumes%20controls%20how%20image%20volumes%20are%20handled.%0A%23%20The%20valid%20values%20are%20mkdir%20and%20ignore.%0Aimage_volumes%20%3D%20%22mkdir%22%0A%0A%23%20CRI-O%20reads%20its%20configured%20registries%20defaults%20from%20the%20containers%2Fimage%20configuration%0A%23%20file%2C%20%2Fetc%2Fcontainers%2Fregistries.conf.%20Modify%20registries.conf%20if%20you%20want%20to%0A%23%20change%20default%20registries%20for%20all%20tools%20that%20use%20containers%2Fimage.%20%20If%20you%0A%23%20want%20to%20modify%20just%20crio%2C%20you%20can%20change%20the%20registies%20configuration%20in%20this%0A%23%20file.%0A%0A%23%20insecure_registries%20is%20used%20to%20skip%20TLS%20verification%20when%20pulling%20images.%0A%23%20insecure_registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20registries%20is%20used%20to%20specify%20a%20comma%20separated%20list%20of%20registries%20to%20be%20used%0A%23%20when%20pulling%20an%20unqualified%20image%20(e.g.%20fedora%3Arawhide).%0A%23registries%20%3D%20%5B%0A%23%20%5D%0A%0A%23%20The%20%22crio.network%22%20table%20contains%20settings%20pertaining%20to%20the%0A%23%20management%20of%20CNI%20plugins.%0A%5Bcrio.network%5D%0A%0A%23%20network_dir%20is%20is%20where%20CNI%20network%20configuration%0A%23%20files%20are%20stored.%0Anetwork_dir%20%3D%20%22%2Fetc%2Fcni%2Fnet.d%2F%22%0A%0A%23%20plugin_dir%20is%20is%20where%20CNI%20plugin%20binaries%20are%20stored.%0Aplugin_dir%20%3D%20%22%2Fusr%2Flibexec%2Fcni%22%0A"
  5. data:,# The "crio" table contains all of the server options.
  6. [crio]
  7.  
  8. # CRI-O reads its storage defaults from the containers/storage configuration
  9. # file, /etc/containers/storage.conf. Modify storage.conf if you want to
  10. # change default storage for all tools that use containers/storage. If you
  11. # want to modify just crio, you can change the storage configuration in this
  12. # file.
  13.  
  14. # root is a path to the "root directory". CRIO stores all of its data,
  15. # including container images, in this directory.
  16. #root = "/var/lib/containers/storage"
  17.  
  18. # run is a path to the "run directory". CRIO stores all of its state
  19. # in this directory.
  20. #runroot = "/var/run/containers/storage"
  21.  
  22. # storage_driver selects which storage driver is used to manage storage
  23. # of images and containers.
  24. #storage_driver = ""
  25.  
  26. # storage_option is used to pass an option to the storage driver.
  27. #storage_option = [
  28. #]
  29.  
  30. # The "crio.api" table contains settings for the kubelet/gRPC interface.
  31. [crio.api]
  32.  
  33. # listen is the path to the AF_LOCAL socket on which crio will listen.
  34. listen = "/var/run/crio/crio.sock"
  35.  
  36. # stream_address is the IP address on which the stream server will listen
  37. stream_address = ""
  38.  
  39. # stream_port is the port on which the stream server will listen
  40. stream_port = "10010"
  41.  
  42. # stream_enable_tls enables encrypted tls transport of the stream server
  43. stream_enable_tls = false
  44.  
  45. # stream_tls_cert is the x509 certificate file path used to serve the encrypted stream.
  46. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  47. stream_tls_cert = ""
  48.  
  49. # stream_tls_key is the key file path used to serve the encrypted stream.
  50. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  51. stream_tls_key = ""
  52.  
  53. # stream_tls_ca is the x509 CA(s) file used to verify and authenticate client
  54. # communication with the tls encrypted stream.
  55. # This file can change, and CRIO will automatically pick up the changes within 5 minutes.
  56. stream_tls_ca = ""
  57.  
  58. # file_locking is whether file-based locking will be used instead of
  59. # in-memory locking
  60. file_locking = false
  61.  
  62. # The "crio.runtime" table contains settings pertaining to the OCI
  63. # runtime used and options for how to set up and manage the OCI runtime.
  64. [crio.runtime]
  65.  
  66. # runtime is the OCI compatible runtime used for trusted container workloads.
  67. # This is a mandatory setting as this runtime will be the default one
  68. # and will also be used for untrusted container workloads if
  69. # runtime_untrusted_workload is not set.
  70. runtime = "/usr/bin/runc"
  71.  
  72. # runtime_untrusted_workload is the OCI compatible runtime used for untrusted
  73. # container workloads. This is an optional setting, except if
  74. # default_container_trust is set to "untrusted".
  75. runtime_untrusted_workload = ""
  76.  
  77. # default_workload_trust is the default level of trust crio puts in container
  78. # workloads. It can either be "trusted" or "untrusted", and the default
  79. # is "trusted".
  80. # Containers can be run through different container runtimes, depending on
  81. # the trust hints we receive from kubelet:
  82. # - If kubelet tags a container workload as untrusted, crio will try first to
  83. # run it through the untrusted container workload runtime. If it is not set,
  84. # crio will use the trusted runtime.
  85. # - If kubelet does not provide any information about the container workload trust
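  86. # level, the selected runtime will depend on the default_container_trust setting (named default_workload_trust where this file actually sets it; confirm which name your CRI-O version reads).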
  87. # If it is set to "untrusted", then all containers except for the host privileged
  88. # ones, will be run by the runtime_untrusted_workload runtime. Host privileged
  89. # containers are by definition trusted and will always use the trusted container
  90. # runtime. If default_container_trust is set to "trusted", crio will use the trusted
  91. # container runtime for all containers.
  92. default_workload_trust = "trusted"
  93.  
  94. # no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
  95. no_pivot = false
  96.  
  97. # conmon is the path to conmon binary, used for managing the runtime.
  98. conmon = "/usr/libexec/crio/conmon"
  99.  
  100. # conmon_env is the environment variable list for conmon process,
  101. # used for passing necessary environment variable to conmon or runtime.
  102. conmon_env = [
  103. "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
  104. ]
  105.  
  106. # selinux indicates whether or not SELinux will be used for pod
  107. # separation on the host. If you enable this flag, SELinux must be running
  108. # on the host.
  109. selinux = true
  110.  
  111. # seccomp_profile is the seccomp json profile path which is used as the
  112. # default for the runtime.
  113. seccomp_profile = "/etc/crio/seccomp.json"
  114.  
  115. # apparmor_profile is the apparmor profile name which is used as the
  116. # default for the runtime.
  117. apparmor_profile = "crio-default"
  118.  
  119. # cgroup_manager is the cgroup management implementation to be used
  120. # for the runtime.
  121. cgroup_manager = "systemd"
  122.  
  123. # default_capabilities is the list of capabilities to add and can be modified here.
  124. # If capabilities below is commented out, the default list of capabilities defined in the
  125. # spec will be added.
  126. # If capabilities is empty below, only the capabilities defined in the container json
  127. # file by the user/kube will be added.
  128. default_capabilities = [
  129. "CHOWN",
  130. "DAC_OVERRIDE",
  131. "FSETID",
  132. "FOWNER",
  133. "NET_RAW",
  134. "SETGID",
  135. "SETUID",
  136. "SETPCAP",
  137. "NET_BIND_SERVICE",
  138. "SYS_CHROOT",
  139. "KILL",
  140. ]
  141.  
  142. # hooks_dir_path is the oci hooks directory for automatically executed hooks
  143. hooks_dir_path = "/usr/share/containers/oci/hooks.d"
  144.  
  145. # default_mounts is the mounts list to be mounted for the container when created
  146. # deprecated, will be taken out in future versions, add default mounts to either
  147. # /usr/share/containers/mounts.conf or /etc/containers/mounts.conf
  148. default_mounts = [
  149. "/usr/share/rhel/secrets:/run/secrets",
  150. ]
  151.  
  152. # Path to directory in which container exit files are written to by conmon.
  153. container_exits_dir = "/var/run/crio/exits"
  154.  
  155. # Path to directory for container attach sockets.
  156. container_attach_socket_dir = "/var/run/crio"
  157.  
  158. # CRI-O reads its default mounts from the following two files:
  159. # 1) /etc/containers/mounts.conf - this is the override file, where users can
  160. # either add in their own default mounts, or override the default mounts shipped
  161. # with the package.
  162. # 2) /usr/share/containers/mounts.conf - this is the default file read for mounts.
  163. # If you want CRI-O to read from a different, specific mounts file, you can change
  164. # the default_mounts_file path right below. Note, if this is done, CRI-O will only add
  165. # mounts it finds in this file.
  166.  
  167. # default_mounts_file is the file path holding the default mounts to be mounted for the
  168. # container when created.
  169. # default_mounts_file = ""
  170.  
  171. # pids_limit is the number of processes allowed in a container
  172. pids_limit = 1024
  173.  
  174. # log_size_max is the max limit for the container log size in bytes.
  175. # Negative values indicate that no limit is imposed.
  176. log_size_max = -1
  177.  
  178. # read-only indicates whether all containers will run in read-only mode
  179. read_only = false
  180.  
  181. # log_level changes the verbosity of the logs printed.
  182. # Options are: error (default), fatal, panic, warn, info, and debug
  183. log_level = "error"
  184.  
  185. # The "crio.image" table contains settings pertaining to the
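  186. # management of OCI images. (The [crio.image] header itself comes after the uid/gid mappings below, so those two keys still fall under [crio.runtime].)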
  187.  
  188. # uid_mappings specifies the UID mappings to have in the user namespace.
  189. # A range is specified in the form containerUID:HostUID:Size. Multiple
  190. # ranges are separated by commas.
  191. uid_mappings = ""
  192.  
  193. # gid_mappings specifies the GID mappings to have in the user namespace.
  194. # A range is specified in the form containerGID:HostGID:Size. Multiple
  195. # ranges are separated by commas.
  196. gid_mappings = ""
  197.  
  198. [crio.image]
  199.  
  200. # default_transport is the prefix we try prepending to an image name if the
  201. # image name as we receive it can't be parsed as a valid source reference
  202. default_transport = "docker://"
  203.  
  204. # pause_image is the image which we use to instantiate infra containers.
  205. pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:0f4767e691bd6b984691dd48a13313c13fece8442d0bd43756f8e9d0145861d4"
  206.  
  207. # If not empty, the path to a docker/config.json-like file containing credentials
  208. # necessary for pulling the image specified by pause_image above.
  209. pause_image_auth_file = "/var/lib/kubelet/config.json"
  210.  
  211. # pause_command is the command to run in a pause_image to have a container just
  212. # sit there. If the image contains the necessary information, this value need
  213. # not be specified.
  214. pause_command = "/usr/bin/pod"
  215.  
  216. # signature_policy is the name of the file which decides what sort of policy we
  217. # use when deciding whether or not to trust an image that we've pulled.
  218. # Outside of testing situations, it is strongly advised that this be left
  219. # unspecified so that the default system-wide policy will be used.
  220. signature_policy = ""
  221.  
  222. # image_volumes controls how image volumes are handled.
  223. # The valid values are mkdir and ignore.
  224. image_volumes = "mkdir"
  225.  
  226. # CRI-O reads its configured registries defaults from the containers/image configuration
  227. # file, /etc/containers/registries.conf. Modify registries.conf if you want to
  228. # change default registries for all tools that use containers/image. If you
  229. # want to modify just crio, you can change the registries configuration in this
  230. # file.
  231.  
  232. # insecure_registries is used to skip TLS verification when pulling images.
  233. # insecure_registries = [
  234. # ]
  235.  
  236. # registries is used to specify a comma separated list of registries to be used
  237. # when pulling an unqualified image (e.g. fedora:rawhide).
  238. #registries = [
  239. # ]
  240.  
  241. # The "crio.network" table contains settings pertaining to the
  242. # management of CNI plugins.
  243. [crio.network]
  244.  
  245. # network_dir is where CNI network configuration
  246. # files are stored.
  247. network_dir = "/etc/cni/net.d/"
  248.  
  249. # plugin_dir is where CNI plugin binaries are stored.
  250. plugin_dir = "/usr/libexec/cni"