# conmon path woes

## background

fallout of https://docs.google.com/document/d/19B8_9-ni0b_buaIR5fDlc__2z96io3MXT7xA9XQSfkI/edit

working on reproducing

## current theories

At some point, the nodes in build01 had their `/etc/crio/crio.conf` changed. Because the file in `/etc` no longer matches the default shipped in the OS image, rpm-ostree keeps the local copy and does not update it on OS upgrade. Upon an upgrade to 4.7.25, the conmon binary was no longer at `/usr/libexec/crio/conmon`, but the stale `crio.conf` still hard-coded that path, which caused the issues being investigated.

## Reproduction attempts

Mostly have not been able to reproduce the problem. Changing `ContainerRuntimeConfig` in 4.4.x [caused the MCO to write a modified `/etc/crio/crio.conf`](https://coreos.slack.com/archives/C02BPRL989H/p1629491361230800?thread_ts=1629466173.166800&cid=C02BPRL989H), but still resulted in the file being removed after updates (e.g. [this 4.4.33 -> 4.5.0-rc.6 update](https://coreos.slack.com/archives/C02BPRL989H/p1629489409219900?thread_ts=1629466173.166800&cid=C02BPRL989H)). This may intersect with [this MCO commit](https://github.com/openshift/machine-config-operator/pull/1593/commits/2480784ce453942a0439f75eb94ea8230d2d39cf) which landed in 4.5.

## A slew of config pieces:

<details>
<summary>Current build01 master config</summary>

```
# The CRI-O configuration file specifies all of the available configuration
# options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
# daemon, but in a TOML format that can be more easily modified and versioned.
#
# Please refer to crio.conf(5) for details of all configuration options.

# CRI-O supports partial configuration reload during runtime, which can be
# done by sending SIGHUP to the running process. Currently supported options
# are explicitly mentioned with: 'This option supports live configuration
# reload'.

# CRI-O reads its storage defaults from the containers-storage.conf(5) file
# located at /etc/containers/storage.conf. Modify this storage configuration if
# you want to change the system's defaults. If you want to modify storage just
# for CRI-O, you can change the storage configuration options here.
[crio]

# Path to the "root directory". CRI-O stores all of its data, including
# containers images, in this directory.
#root = "/var/lib/containers/storage"

# Path to the "run directory". CRI-O stores all of its state in this directory.
#runroot = "/run/user/1000"

# Storage driver used to manage the storage of images and containers. Please
# refer to containers-storage.conf(5) to see all available storage drivers.
#storage_driver = "overlay"

# List to pass options to the storage driver. Please refer to
# containers-storage.conf(5) to see all available storage options.
#storage_option = [
#]

# The default log directory where all logs will go unless directly specified by
# the kubelet. The log directory specified must be an absolute directory.
# log_dir = "/var/log/crio/pods"

# Location for CRI-O to lay down the version file
# version_file = "/var/lib/crio/version"

# The crio.api table contains settings for the kubelet/gRPC interface.
[crio.api]

# Path to AF_LOCAL socket on which CRI-O will listen.
# listen = "/var/run/crio/crio.sock"

# Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
# host_ip = ""

# IP address on which the stream server will listen.
stream_address = ""

# The port on which the stream server will listen.
stream_port = "10010"

# Enable encrypted TLS transport of the stream server.
# stream_enable_tls = false

# Path to the x509 certificate file used to serve the encrypted stream. This
# file can change, and CRI-O will automatically pick up the changes within 5
# minutes.
# stream_tls_cert = ""

# Path to the key file used to serve the encrypted stream. This file can
# change and CRI-O will automatically pick up the changes within 5 minutes.
# stream_tls_key = ""

# Path to the x509 CA(s) file used to verify and authenticate client
# communication with the encrypted stream. This file can change and CRI-O will
# automatically pick up the changes within 5 minutes.
# stream_tls_ca = ""

# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
# grpc_max_send_msg_size = 16777216

# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
# grpc_max_recv_msg_size = 16777216

# The crio.runtime table contains settings pertaining to the OCI runtime used
# and options for how to set up and manage the OCI runtime.
[crio.runtime]

# A list of ulimits to be set in containers by default, specified as
# "<ulimit name>=<soft limit>:<hard limit>", for example:
# "nofile=1024:2048"
# If nothing is set here, settings will be inherited from the CRI-O daemon
#default_ulimits = [
#]

# default_runtime is the _name_ of the OCI runtime to be used as the default.
# The name is matched against the runtimes map below.
# default_runtime = "runc"

# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
# no_pivot = false

# Path to the conmon binary, used for monitoring the OCI runtime.
# Will be searched for using $PATH if empty.
conmon = "/usr/libexec/crio/conmon"

# Cgroup setting for conmon
conmon_cgroup = "pod"

# Environment variable list for the conmon process, used for passing necessary
# environment variables to conmon or the runtime.
# conmon_env = [
#	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
# ]

# If true, SELinux will be used for pod separation on the host.
# selinux = true

# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime. If not specified, then the internal default seccomp profile
# will be used.
# seccomp_profile = "/etc/crio/seccomp.json"

# Used to change the name of the default AppArmor profile of CRI-O. The default
# profile name is "crio-default-" followed by the version string of CRI-O.
apparmor_profile = "crio-default"

# Cgroup management implementation used for the runtime.
cgroup_manager = "systemd"

# List of default capabilities for containers. If it is empty or commented out,
# only the capabilities defined in the containers json file by the user/kube
# will be added.
# default_capabilities = [
#	"CHOWN",
#	"DAC_OVERRIDE",
#	"FSETID",
#	"FOWNER",
#	"NET_RAW",
#	"SETGID",
#	"SETUID",
#	"SETPCAP",
#	"NET_BIND_SERVICE",
#	"SYS_CHROOT",
#	"KILL",
# ]

# List of default sysctls. If it is empty or commented out, only the sysctls
# defined in the container json file by the user/kube will be added.
# default_sysctls = [
# ]

# List of additional devices. specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example: "--device=/dev/sdc:/dev/xvdc:rwm".
#If it is empty or commented out, only the devices
# defined in the container json file by the user/kube will be added.
# additional_devices = [
# ]

# Path to OCI hooks directories for automatically executed hooks.
# Note: the default is just /usr/share/containers/oci/hooks.d, but /usr is immutable in RHCOS
# so we add /etc/containers/oci/hooks.d as well
hooks_dir = [
	"/etc/containers/oci/hooks.d",
]

# List of default mounts for each container. **Deprecated:** this option will
# be removed in future versions in favor of default_mounts_file.
# default_mounts = [
#	"/usr/share/rhel/secrets:/run/secrets",
# ]

# Path to the file specifying the defaults mounts for each container. The
# format of the config is /SRC:/DST, one mount per line. Notice that CRI-O reads
# its default mounts from the following two files:
#
#   1) /etc/containers/mounts.conf (i.e., default_mounts_file): This is the
#      override file, where users can either add in their own default mounts, or
#      override the default mounts shipped with the package.
#
#   2) /usr/share/containers/mounts.conf: This is the default file read for
#      mounts. If you want CRI-O to read from a different, specific mounts file,
#      you can change the default_mounts_file. Note, if this is done, CRI-O will
#      only add mounts it finds in this file.
#
#default_mounts_file = ""

# Maximum number of processes allowed in a container.
# pids_limit = 1024

# Maximum sized allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If it is positive, it must be >= 8192 to
# match/exceed conmon's read buffer. The file is truncated and re-opened so the
# limit is never exceeded.
# log_size_max = -1

# Whether container output should be logged to journald in addition to the kuberentes log file
# log_to_journald = false

# Path to directory in which container exit files are written to by conmon.
# container_exits_dir = "/var/run/crio/exits"

# Path to directory for container attach sockets.
# container_attach_socket_dir = "/var/run/crio"

# The prefix to use for the source of the bind mounts.
# bind_mount_prefix = ""

# If set to true, all containers will run in read-only mode.
# read_only = false

# Changes the verbosity of the logs based on the level it is set to. Options
# are fatal, panic, error, warn, info, and debug. This option supports live
# configuration reload.
# log_level = "error"

# The UID mappings for the user namespace of each container. A range is
# specified in the form containerUID:HostUID:Size. Multiple ranges must be
# separated by comma.
# uid_mappings = ""

# The GID mappings for the user namespace of each container. A range is
# specified in the form containerGID:HostGID:Size. Multiple ranges must be
# separated by comma.
# gid_mappings = ""

# The minimal amount of time in seconds to wait before issuing a timeout
# regarding the proper termination of the container.
# ctr_stop_timeout = 0

# ManageNetworkNSLifecycle determines whether we pin and remove network namespace
# and manage its lifecycle.
# manage_network_ns_lifecycle = false

# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
# The runtime to use is picked based on the runtime_handler provided by the CRI.
# If no runtime_handler is provided, the runtime will be picked based on the level
# of trust of the workload. Each entry in the table should follow the format:
#
#[crio.runtime.runtimes.runtime-handler]
#  runtime_path = "/path/to/the/executable"
#  runtime_type = "oci"
#  runtime_root = "/path/to/the/root"
#
# Where:
# - runtime-handler: name used to identify the runtime
# - runtime_path (optional, string): absolute path to the runtime executable in
#   the host filesystem. If omitted, the runtime-handler identifier should match
#   the runtime executable name, and the runtime executable should be placed
#   in $PATH.
# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If
#   omitted, an "oci" runtime is assumed.
# - runtime_root (optional, string): root directory for storage of containers
#   state.

# [crio.runtime.runtimes.runc]
# runtime_path = ""
# runtime_type = "oci"
# runtime_root = "/run/runc"

# Kata Containers is an OCI runtime, where containers are run inside lightweight
# VMs. Kata provides additional isolation towards the host, minimizing the host attack
# surface and mitigating the consequences of containers breakout.

# Kata Containers with the default configured VMM
#[crio.runtime.runtimes.kata-runtime]

# Kata Containers with the QEMU VMM
#[crio.runtime.runtimes.kata-qemu]

# Kata Containers with the Firecracker VMM
#[crio.runtime.runtimes.kata-fc]

# The crio.image table contains settings pertaining to the management of OCI images.
#
# CRI-O reads its configured registries defaults from the system wide
# containers-registries.conf(5) located in /etc/containers/registries.conf. If
# you want to modify just CRI-O, you can change the registries configuration in
# this file. Otherwise, leave insecure_registries and registries commented out to
# use the system's defaults from /etc/containers/registries.conf.
[crio.image]

# Default transport for pulling images from a remote container storage.
# default_transport = "docker://"

# The path to a file containing credentials necessary for pulling images from
# secure registries. The file is similar to that of /var/lib/kubelet/config.json
global_auth_file = "/var/lib/kubelet/config.json"

# The image used to instantiate infra containers.
# This option supports live configuration reload.
pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:2dc3bdcb2b0bf1d6c6ae749be0163e6d7ca813ecfba5e5f5d88970c73a9d12a9"

# The path to a file containing credentials specific for pulling the pause_image from
# above. The file is similar to that of /var/lib/kubelet/config.json
# This option supports live configuration reload.
pause_image_auth_file = "/var/lib/kubelet/config.json"

# The command to run to have a container stay in the paused state.
# This option supports live configuration reload.
pause_command = "/usr/bin/pod"

# Path to the file which decides what sort of policy we use when deciding
# whether or not to trust an image that we've pulled. It is not recommended that
# this option be used, as the default behavior of using the system-wide default
# policy (i.e., /etc/containers/policy.json) is most often preferred. Please
# refer to containers-policy.json(5) for more details.
# signature_policy = ""

# List of registries to skip TLS verification for pulling images. Please
# consider configuring the registries via /etc/containers/registries.conf before
# changing them here.
#insecure_registries = "[]"

# Controls how image volumes are handled. The valid values are mkdir, bind and
# ignore; the latter will ignore volumes entirely.
# image_volumes = "mkdir"

# List of registries to be used when pulling an unqualified image (e.g.,
# "alpine:latest"). By default, registries is set to "docker.io" for
# compatibility reasons. Depending on your workload and usecase you may add more
# registries (e.g., "quay.io", "registry.fedoraproject.org",
# "registry.opensuse.org", etc.).
#registries = [
# ]

# The crio.network table containers settings pertaining to the management of
# CNI plugins.
[crio.network]

# Path to the directory where CNI configuration files are located.
# Note this default is changed from the RPM.
network_dir = "/etc/kubernetes/cni/net.d/"

# Paths to directories where CNI plugin binaries are located.
# Note this default is changed from the RPM.
plugin_dirs = [
	"/var/lib/cni/bin",
]

# A necessary configuration for Prometheus based metrics retrieval
[crio.metrics]

# Globally enable or disable metrics support.
enable_metrics = true

# The port on which the metrics server will listen.
metrics_port = 9537
```

</details>

<details>
<summary>Current build01 worker config</summary>

```
# The CRI-O configuration file specifies all of the available configuration
# options and command-line flags for the crio(8) OCI Kubernetes Container Runtime
# daemon, but in a TOML format that can be more easily modified and versioned.
#
# Please refer to crio.conf(5) for details of all configuration options.

# CRI-O supports partial configuration reload during runtime, which can be
# done by sending SIGHUP to the running process. Currently supported options
# are explicitly mentioned with: 'This option supports live configuration
# reload'.

# CRI-O reads its storage defaults from the containers-storage.conf(5) file
# located at /etc/containers/storage.conf. Modify this storage configuration if
# you want to change the system's defaults. If you want to modify storage just
# for CRI-O, you can change the storage configuration options here.
[crio]

# Storage driver used to manage the storage of images and containers. Please
# refer to containers-storage.conf(5) to see all available storage drivers.
storage_driver = "overlay"

# List to pass options to the storage driver. Please refer to
# containers-storage.conf(5) to see all available storage options.
storage_option = [
	"overlay.override_kernel_check=1",
]

# The crio.runtime table contains settings pertaining to the OCI runtime used
# and options for how to set up and manage the OCI runtime.
[crio.runtime]

# If true, SELinux will be used for pod separation on the host.
selinux = true

# The crio.network table containers settings pertaining to the management of
# CNI plugins.
[crio.network]

# Paths to directories where CNI plugin binaries are located.
plugin_dirs = [
	"/usr/libexec/cni",
]

# A necessary configuration for Prometheus based metrics retrieval
[crio.metrics]

# Globally enable or disable metrics support.
enable_metrics = true

# The port on which the metrics server will listen.
metrics_port = 9537
```

</details>

<details>
<summary>Current build02 master config</summary>

```
[crio]

# The default log directory where all logs will go unless directly specified by
# the kubelet. The log directory specified must be an absolute directory.
log_dir = "/var/log/crio/pods"

# Location for CRI-O to lay down the temporary version file
version_file = "/var/run/crio/version"

# Location for CRI-O to lay down the persistent version file
version_file_persist = "/var/lib/crio/version"

# The crio.api table contains settings for the kubelet/gRPC interface.
[crio.api]

# Path to AF_LOCAL socket on which CRI-O will listen.
listen = "/var/run/crio/crio.sock"

# Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
host_ip = ""

# IP address on which the stream server will listen.
stream_address = ""

# The port on which the stream server will listen.
```

</details>

<details>
<summary>4.4.33 default config (same on control-plane and compute nodes)</summary>

```
[crio]

# The default log directory where all logs will go unless directly specified by
# the kubelet. The log directory specified must be an absolute directory.
log_dir = "/var/log/crio/pods"

# Location for CRI-O to lay down the temporary version file
version_file = "/var/run/crio/version"

# Location for CRI-O to lay down the persistent version file
version_file_persist = "/var/lib/crio/version"

# The crio.api table contains settings for the kubelet/gRPC interface.
[crio.api]

# Path to AF_LOCAL socket on which CRI-O will listen.
listen = "/var/run/crio/crio.sock"

# Host IP considered as the primary IP to use by CRI-O for things such as host network IP.
host_ip = ""

# IP address on which the stream server will listen.
stream_address = ""

# The port on which the stream server will listen.
stream_port = "10010"

# Enable encrypted TLS transport of the stream server.
stream_enable_tls = false

# Path to the x509 certificate file used to serve the encrypted stream. This
# file can change, and CRI-O will automatically pick up the changes within 5
# minutes.
stream_tls_cert = ""

# Path to the key file used to serve the encrypted stream. This file can
# change and CRI-O will automatically pick up the changes within 5 minutes.
stream_tls_key = ""

# Path to the x509 CA(s) file used to verify and authenticate client
# communication with the encrypted stream. This file can change and CRI-O will
# automatically pick up the changes within 5 minutes.
stream_tls_ca = ""

# Maximum grpc send message size in bytes. If not set or <=0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_send_msg_size = 16777216

# Maximum grpc receive message size. If not set or <= 0, then CRI-O will default to 16 * 1024 * 1024.
grpc_max_recv_msg_size = 16777216

# The crio.runtime table contains settings pertaining to the OCI runtime used
# and options for how to set up and manage the OCI runtime.
[crio.runtime]

# default_runtime is the _name_ of the OCI runtime to be used as the default.
# The name is matched against the runtimes map below.
default_runtime = "runc"

# If true, the runtime will not use pivot_root, but instead use MS_MOVE.
no_pivot = false

# Path to the conmon binary, used for monitoring the OCI runtime.
# Will be searched for using $PATH if empty.
conmon = "/usr/libexec/crio/conmon"

# Cgroup setting for conmon
conmon_cgroup = "pod"

# Environment variable list for the conmon process, used for passing necessary
# environment variables to conmon or the runtime.
conmon_env = [
	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
]

default_env = [
	"NSS_SDB_USE_CACHE=no",
]

# If true, SELinux will be used for pod separation on the host.
selinux = true

# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime. If not specified, then the internal default seccomp profile
# will be used.
seccomp_profile = ""

# Used to change the name of the default AppArmor profile of CRI-O. The default
# profile name is "crio-default-" followed by the version string of CRI-O.
apparmor_profile = "crio-default"

# Cgroup management implementation used for the runtime.
cgroup_manager = "systemd"

# List of default capabilities for containers. If it is empty or commented out,
# only the capabilities defined in the containers json file by the user/kube
# will be added.
default_capabilities = [
	"CHOWN",
	"DAC_OVERRIDE",
	"FSETID",
	"FOWNER",
	"NET_RAW",
	"SETGID",
	"SETUID",
	"SETPCAP",
	"NET_BIND_SERVICE",
	"SYS_CHROOT",
	"KILL",
]

# List of default sysctls. If it is empty or commented out, only the sysctls
# defined in the container json file by the user/kube will be added.
default_sysctls = [
]

# List of additional devices. specified as
# "<device-on-host>:<device-on-container>:<permissions>", for example: "--device=/dev/sdc:/dev/xvdc:rwm".
#If it is empty or commented out, only the devices
# defined in the container json file by the user/kube will be added.
additional_devices = [
]

# Path to OCI hooks directories for automatically executed hooks.
hooks_dir = [
	"/etc/containers/oci/hooks.d",
]

# List of default mounts for each container. **Deprecated:** this option will
# be removed in future versions in favor of default_mounts_file.
default_mounts = [
]

# Maximum number of processes allowed in a container.
pids_limit = 1024

# Maximum sized allowed for the container log file. Negative numbers indicate
# that no size limit is imposed. If it is positive, it must be >= 8192 to
# match/exceed conmon's read buffer. The file is truncated and re-opened so the
# limit is never exceeded.
log_size_max = -1

# Whether container output should be logged to journald in addition to the kuberentes log file
log_to_journald = false

# Path to directory in which container exit files are written to by conmon.
container_exits_dir = "/var/run/crio/exits"

# Path to directory for container attach sockets.
container_attach_socket_dir = "/var/run/crio"

# The prefix to use for the source of the bind mounts.
bind_mount_prefix = ""

# If set to true, all containers will run in read-only mode.
read_only = false

# Changes the verbosity of the logs based on the level it is set to. Options
# are fatal, panic, error, warn, info, and debug. This option supports live
# configuration reload.
log_level = "info"

# The UID mappings for the user namespace of each container. A range is
# specified in the form containerUID:HostUID:Size. Multiple ranges must be
# separated by comma.
uid_mappings = ""

# The GID mappings for the user namespace of each container. A range is
# specified in the form containerGID:HostGID:Size. Multiple ranges must be
# separated by comma.
gid_mappings = ""

# The minimal amount of time in seconds to wait before issuing a timeout
# regarding the proper termination of the container.
ctr_stop_timeout = 0

# ManageNSLifecycle determines whether we pin and remove namespaces
# and manage their lifecycle.
manage_ns_lifecycle = true

# The "crio.runtime.runtimes" table defines a list of OCI compatible runtimes.
# The runtime to use is picked based on the runtime_handler provided by the CRI.
# If no runtime_handler is provided, the runtime will be picked based on the level
# of trust of the workload. Each entry in the table should follow the format:
#
#[crio.runtime.runtimes.runtime-handler]
#  runtime_path = "/path/to/the/executable"
#  runtime_type = "oci"
#  runtime_root = "/path/to/the/root"
#
# Where:
# - runtime-handler: name used to identify the runtime
# - runtime_path (optional, string): absolute path to the runtime executable in
#   the host filesystem. If omitted, the runtime-handler identifier should match
#   the runtime executable name, and the runtime executable should be placed
#   in $PATH.
# - runtime_type (optional, string): type of runtime, one of: "oci", "vm". If
#   omitted, an "oci" runtime is assumed.
# - runtime_root (optional, string): root directory for storage of containers
#   state.

[crio.runtime.runtimes.runc]
runtime_path = ""
runtime_type = "oci"
runtime_root = "/run/runc"

# CRI-O reads its configured registries defaults from the system wide
# containers-registries.conf(5) located in /etc/containers/registries.conf. If
# you want to modify just CRI-O, you can change the registries configuration in
# this file. Otherwise, leave insecure_registries and registries commented out to
# use the system's defaults from /etc/containers/registries.conf.
[crio.image]

# Default transport for pulling images from a remote container storage.
default_transport = "docker://"

# The path to a file containing credentials necessary for pulling images from
# secure registries. The file is similar to that of /var/lib/kubelet/config.json
global_auth_file = "/var/lib/kubelet/config.json"

# The image used to instantiate infra containers.
# This option supports live configuration reload.
pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1a344eb9f01841441579b9e05724ee1672be2982291a423649f86bd79d4d3feb"

# The path to a file containing credentials specific for pulling the pause_image from
# above. The file is similar to that of /var/lib/kubelet/config.json
# This option supports live configuration reload.
pause_image_auth_file = "/var/lib/kubelet/config.json"

# The command to run to have a container stay in the paused state.
# When explicitly set to "", it will fallback to the entrypoint and command
# specified in the pause image. When commented out, it will fallback to the
# default: "/pause". This option supports live configuration reload.
pause_command = "/usr/bin/pod"

# Path to the file which decides what sort of policy we use when deciding
# whether or not to trust an image that we've pulled. It is not recommended that
# this option be used, as the default behavior of using the system-wide default
# policy (i.e., /etc/containers/policy.json) is most often preferred. Please
# refer to containers-policy.json(5) for more details.
signature_policy = ""

# Controls how image volumes are handled. The valid values are mkdir, bind and
# ignore; the latter will ignore volumes entirely.
image_volumes = "mkdir"

# The crio.network table containers settings pertaining to the management of
# CNI plugins.
[crio.network]

# Path to the directory where CNI configuration files are located.
network_dir = "/etc/kubernetes/cni/net.d/"

# Paths to directories where CNI plugin binaries are located.
plugin_dirs = [
	"/var/lib/cni/bin",
	"/usr/libexec/cni",
]

# A necessary configuration for Prometheus based metrics retrieval
[crio.metrics]

# Globally enable or disable metrics support.
enable_metrics = true

# The port on which the metrics server will listen.
metrics_port = 9537
```

</details>

<details>
<summary>4.4.33 config with a pidsLimit-bumping ContainerRuntimeConfig</summary>

```
[crio]
root = ""
runroot = ""
storage_driver = ""
storage_option = []
log_dir = "/var/log/crio/pods"
version_file = "/var/run/crio/version"

[crio.api]
grpc_max_send_msg_size = 16777216
grpc_max_recv_msg_size = 16777216
listen = "/var/run/crio/crio.sock"
stream_address = ""
stream_port = "10010"
stream_enable_tls = false
stream_tls_cert = ""
stream_tls_key = ""
stream_tls_ca = ""
host_ip = ""

[crio.runtime]
conmon_env = ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
hooks_dir = ["/etc/containers/oci/hooks.d"]
default_mounts = []
default_capabilities = ["CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "NET_RAW", "SETGID", "SETUID", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL"]
default_sysctls = []
additional_devices = []
default_runtime = "runc"
conmon = "/usr/libexec/crio/conmon"
conmon_cgroup = "pod"
seccomp_profile = ""
apparmor_profile = "crio-default"
cgroup_manager = "systemd"
default_mounts_file = ""
container_exits_dir = "/var/run/crio/exits"
container_attach_socket_dir = "/var/run/crio"
bind_mount_prefix = ""
uid_mappings = ""
gid_mappings = ""
log_level = "info"
pids_limit = 2048
log_size_max = -1
ctr_stop_timeout = 0
no_pivot = false
selinux = true
log_to_journald = false
manage_network_ns_lifecycle = false
read_only = false

[crio.runtime.runtimes]

[crio.runtime.runtimes.runc]
runtime_path = ""
runtime_type = "oci"
runtime_root = "/run/runc"
privileged_without_host_devices = false

[crio.image]
default_transport = "docker://"
global_auth_file = "/var/lib/kubelet/config.json"
pause_image = "quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:1a344eb9f01841441579b9e05724ee1672be2982291a423649f86bd79d4d3feb"
pause_image_auth_file = "/var/lib/kubelet/config.json"
pause_command = "/usr/bin/pod"
signature_policy = ""
image_volumes = "mkdir"

[crio.network]
network_dir = "/etc/kubernetes/cni/net.d/"
plugin_dirs = ["/var/lib/cni/bin", "/usr/libexec/cni"]

[crio.metrics]
enable_metrics = true
metrics_port = 9537
```

</details>