CRI-O常用命令详解
宦树
crio --help
[root@k8s-master 7]# crio --help
WARN[0000] Failed to decode the keys ["secret" "secret.opts"] from "/usr/share/containers/containers.conf".
NAME:
crio - OCI-based implementation of Kubernetes Container Runtime Interface
USAGE:
OCI-based implementation of Kubernetes Container Runtime Interface Daemon
crio is meant to provide an integration path between OCI conformant runtimes
and the kubelet. Specifically, it implements the Kubelet Container Runtime
Interface (CRI) using OCI conformant runtimes. The scope of crio is tied to the
scope of the CRI.
1. Support multiple image formats including the existing Docker and OCI image formats.
2. Support for multiple means to download images including trust & image verification.
3. Container image management (managing image layers, overlay filesystems, etc).
4. Container process lifecycle management.
5. Monitoring and logging required to satisfy the CRI.
6. Resource isolation as required by the CRI.
VERSION:
1.23.5
Version: 1.23.5
GitCommit: d12c2842e9e4d051a2496e1740f846ffa22b3f1d
GitTreeState: clean
BuildDate: 2023-01-10T21:29:58Z
GoVersion: go1.17.12
Compiler: gc
Platform: linux/amd64
Linkmode: dynamic
BuildTags: exclude_graphdriver_devicemapper, seccomp, selinux
SeccompEnabled: true
AppArmorEnabled: false
DESCRIPTION:
OCI-based implementation of Kubernetes Container Runtime Interface
AUTHOR:
The CRI-O Maintainers
COMMANDS:
complete, completion Generate bash, fish or zsh completions.
man Generate the man page documentation.
markdown, md Generate the markdown documentation.
config Outputs a commented version of the configuration file that could be used
by CRI-O. This allows you to save you current configuration setup and then load
it later with **--config**. Global options will modify the output.
version display detailed version information
wipe wipe CRI-O's container and image storage
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--absent-mount-sources-to-reject value A list of paths that, when absent from the host, will cause a container creation to fail (as opposed to the current behavior of creating a directory). [$CONTAINER_ABSENT_MOUNT_SOURCES_TO_REJECT]
--additional-devices value Devices to add to the containers [$CONTAINER_ADDITIONAL_DEVICES]
--allowed-devices value Devices a user is allowed to specify with the "io.kubernetes.cri-o.Devices" allowed annotation (default: "/dev/fuse") [$CONTAINER_ALLOWED_DEVICES]
--apparmor-profile value Name of the apparmor profile to be used as the runtime's default. This only takes effect if the user does not specify a profile via the Kubernetes Pod's metadata annotation. (default: "crio-default") [$CONTAINER_APPARMOR_PROFILE]
--big-files-temporary-dir value Path to the temporary directory to use for storing big files, used to store image blobs and data streams related to containers image management. [$CONTAINER_BIG_FILES_TEMPORARY_DIR]
--bind-mount-prefix / A prefix to use for the source of the bind mounts. This option would be useful if you were running CRI-O in a container. And had / mounted on `/host` in your container. Then if you ran CRI-O with the `--bind-mount-prefix=/host` option, CRI-O would add /host to any bind mounts it is handed over CRI. If Kubernetes asked to have `/var/lib/foobar` bind mounted into the container, then CRI-O would bind mount `/host/var/lib/foobar`. Since CRI-O itself is running in a container with `/` or the host mounted on `/host`, the container would end up with `/var/lib/foobar` from the host mounted in the container rather then `/var/lib/foobar` from the CRI-O container. (default: "") [$CONTAINER_BIND_MOUNT_PREFIX]
--blockio-config-file value Path to the blockio class configuration file for configuring the cgroup blockio controller.
--cgroup-manager value cgroup manager (cgroupfs or systemd) (default: "systemd") [$CONTAINER_CGROUP_MANAGER]
--clean-shutdown-file value Location for CRI-O to lay down the clean shutdown file. It indicates whether we've had time to sync changes to disk before shutting down. If not found, crio wipe will clear the storage directory (default: "/var/lib/crio/clean.shutdown") [$CONTAINER_CLEAN_SHUTDOWN_FILE]
--cni-config-dir value CNI configuration files directory (default: "/etc/cni/net.d/") [$CONTAINER_CNI_CONFIG_DIR]
--cni-default-network value Name of the default CNI network to select. If not set or "", then CRI-O will pick-up the first one found in --cni-config-dir. [$CONTAINER_CNI_DEFAULT_NETWORK]
--cni-plugin-dir value CNI plugin binaries directory [$CONTAINER_CNI_PLUGIN_DIR]
--config value, -c value Path to configuration file (default: "/etc/crio/crio.conf") [$CONTAINER_CONFIG]
--config-dir value, -d value Path to the configuration drop-in directory.
This directory will be recursively iterated and each file gets applied
to the configuration in their processing order. This means that a
configuration file named '00-default' has a lower priority than a file
named '01-my-overwrite'.
The global config file, provided via '--config,-c' or per default in
/etc/crio/crio.conf, always has a lower priority than the files in the directory specified
by '--config-dir,-d'.
Besides that, provided command line parameters have a higher priority
than any configuration file. (default: "/etc/crio/crio.conf.d") [$CONTAINER_CONFIG_DIR]
--conmon value Path to the conmon binary, used for monitoring the OCI runtime. Will be searched for using $PATH if empty. (default: "") [$CONTAINER_CONMON]
--conmon-cgroup value cgroup to be used for conmon process (default: "system.slice") [$CONTAINER_CONMON_CGROUP]
--conmon-env value Environment variable list for the conmon process, used for passing necessary environment variables to conmon or the runtime (default: "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin") [$CONTAINER_CONMON_ENV]
--container-attach-socket-dir value Path to directory for container attach sockets (default: "/var/run/crio") [$CONTAINER_ATTACH_SOCKET_DIR]
--container-exits-dir value Path to directory in which container exit files are written to by conmon (default: "/var/run/crio/exits") [$CONTAINER_EXITS_DIR]
--ctr-stop-timeout value The minimal amount of time in seconds to wait before issuing a timeout regarding the proper termination of the container. The lowest possible value is 30s, whereas lower values are not considered by CRI-O (default: 30) [$CONTAINER_STOP_TIMEOUT]
--decryption-keys-path value Path to load keys for image decryption. (default: "/etc/crio/keys/")
--default-capabilities value Capabilities to add to the containers (default: "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "SETGID", "SETUID", "SETPCAP", "NET_BIND_SERVICE", "KILL") [$CONTAINER_DEFAULT_CAPABILITIES]
--default-env value Additional environment variables to set for all containers [$CONTAINER_DEFAULT_ENV]
--default-mounts-file value Path to default mounts file (default: "") [$CONTAINER_DEFAULT_MOUNTS_FILE]
--default-runtime value Default OCI runtime from the runtimes config (default: "runc") [$CONTAINER_DEFAULT_RUNTIME]
--default-sysctls value Sysctls to add to the containers [$CONTAINER_DEFAULT_SYSCTLS]
--default-transport value A prefix to prepend to image names that cannot be pulled as-is (default: "docker://") [$CONTAINER_DEFAULT_TRANSPORT]
--default-ulimits value Ulimits to apply to containers by default (name=soft:hard) (default: []) [$CONTAINER_DEFAULT_ULIMITS]
--device-ownership-from-security-context Set devices' uid/gid ownership from runAsUser/runAsGroup (default: false)
--drop-infra-ctr Determines whether pods are created without an infra container, when the pod is not using a pod level PID namespace (default: true) (default: false) [$CONTAINER_DROP_INFRA_CTR]
--enable-metrics Enable metrics endpoint for the server on localhost:9090 (default: false) [$CONTAINER_ENABLE_METRICS]
--enable-profile-unix-socket Enable pprof profiler on crio unix domain socket (default: false) [$ENABLE_PROFILE_UNIX_SOCKET]
--enable-tracing Enable OpenTelemetry trace data exporting (default: false) [$CONTAINER_ENABLE_TRACING]
--gid-mappings value Specify the GID mappings to use for the user namespace (default: "") [$CONTAINER_GID_MAPPINGS]
--global-auth-file value Path to a file like /var/lib/kubelet/config.json holding credentials necessary for pulling images from secure registries (default: "") [$CONTAINER_GLOBAL_AUTH_FILE]
--grpc-max-recv-msg-size value Maximum grpc receive message size in bytes (default: 83886080) [$CONTAINER_GRPC_MAX_RECV_MSG_SIZE]
--grpc-max-send-msg-size value Maximum grpc receive message size (default: 83886080) [$CONTAINER_GRPC_MAX_SEND_MSG_SIZE]
--hooks-dir value Set the OCI hooks directory path (may be set multiple times)
If one of the directories does not exist, then CRI-O will automatically
skip them.
Each '\*.json' file in the path configures a hook for CRI-O
containers. For more details on the syntax of the JSON files and
the semantics of hook injection, see 'oci-hooks(5)'. CRI-O
currently support both the 1.0.0 and 0.1.0 hook schemas, although
the 0.1.0 schema is deprecated.
This option may be set multiple times; paths from later options
have higher precedence ('oci-hooks(5)' discusses directory
precedence).
For the annotation conditions, CRI-O uses the Kubernetes
annotations, which are a subset of the annotations passed to the
OCI runtime. For example, 'io.kubernetes.cri-o.Volumes' is part of
the OCI runtime configuration annotations, but it is not part of
the Kubernetes annotations being matched for hooks.
For the bind-mount conditions, only mounts explicitly requested by
Kubernetes configuration are considered. Bind mounts that CRI-O
inserts by default (e.g. '/dev/shm') are not considered. (default: "/usr/share/containers/oci/hooks.d") [$CONTAINER_HOOKS_DIR]
--image-volumes value Image volume handling ('mkdir', 'bind', or 'ignore')
1. mkdir: A directory is created inside the container root filesystem for
the volumes.
2. bind: A directory is created inside container state directory and bind
mounted into the container for the volumes.
3. ignore: All volumes are just ignored and no action is taken. (default: "mkdir") [$CONTAINER_IMAGE_VOLUMES]
--infra-ctr-cpuset value CPU set to run infra containers, if not specified CRI-O will use all online CPUs to run infra containers (default: ''). [$CONTAINER_INFRA_CTR_CPUSET]
--insecure-registry value Enable insecure registry communication, i.e., enable un-encrypted and/or untrusted communication.
1. List of insecure registries can contain an element with CIDR notation to
specify a whole subnet.
2. Insecure registries accept HTTP or accept HTTPS with certificates from
unknown CAs.
3. Enabling '--insecure-registry' is useful when running a local registry.
However, because its use creates security vulnerabilities, **it should ONLY
be enabled for testing purposes**. For increased security, users should add
their CA to their system's list of trusted CAs instead of using
'--insecure-registry'. [$CONTAINER_INSECURE_REGISTRY]
--internal-wipe crio wipe Whether CRI-O should wipe containers after a reboot and images after an upgrade when the server starts. If set to false, one must run crio wipe to wipe the containers and images in these situations. This option is deprecated, and will be removed in the future. (default: true) [$CONTAINER_INTERNAL_WIPE]
--irqbalance-config-file value The irqbalance service config file which is used by CRI-O. (default: "/etc/sysconfig/irqbalance")
--listen value Path to the CRI-O socket (default: "/var/run/crio/crio.sock") [$CONTAINER_LISTEN]
--log value Set the log file path where internal debug information is written [$CONTAINER_LOG]
--log-dir value Default log directory where all logs will go unless directly specified by the kubelet (default: "/var/log/crio/pods") [$CONTAINER_LOG_DIR]
--log-filter value Filter the log messages by the provided regular expression. For example 'request.\*' filters all gRPC requests. [$CONTAINER_LOG_FILTER]
--log-format value Set the format used by logs: 'text' or 'json' (default: "text") [$CONTAINER_LOG_FORMAT]
--log-journald Log to systemd journal (journald) in addition to kubernetes log file (default: false) (default: false) [$CONTAINER_LOG_JOURNALD]
--log-level value, -l value Log messages above specified level: trace, debug, info, warn, error, fatal or panic (default: "info") [$CONTAINER_LOG_LEVEL]
--log-size-max value Maximum log size in bytes for a container. If it is positive, it must be >= 8192 to match/exceed conmon read buffer (default: -1) [$CONTAINER_LOG_SIZE_MAX]
--metrics-cert value Certificate for the secure metrics endpoint [$CONTAINER_METRICS_CERT]
--metrics-collectors value Enabled metrics collectors (default: "operations", "operations_latency_microseconds_total", "operations_latency_microseconds", "operations_errors", "image_pulls_by_digest", "image_pulls_by_name", "image_pulls_by_name_skipped", "image_pulls_failures", "image_pulls_successes", "image_pulls_layer_size", "image_layer_reuse", "containers_oom_total", "containers_oom", "processes_defunct", "operations_total", "operations_latency_seconds", "operations_latency_seconds_total", "operations_errors_total", "image_pulls_bytes_total", "image_pulls_skipped_bytes_total", "image_pulls_failure_total", "image_pulls_success_total", "image_layer_reuse_total", "containers_oom_count_total") [$CONTAINER_METRICS_COLLECTORS]
--metrics-key value Certificate key for the secure metrics endpoint [$CONTAINER_METRICS_KEY]
--metrics-port value Port for the metrics endpoint (default: 9090) [$CONTAINER_METRICS_PORT]
--metrics-socket value Socket for the metrics endpoint [$CONTAINER_METRICS_SOCKET]
--minimum-mappable-gid value Specify the lowest host GID which can be specified in mappings for a pod that will be run as a UID other than 0 (default: -1) [$CONTAINER_MINIMUM_MAPPABLE_GID]
--minimum-mappable-uid value Specify the lowest host UID which can be specified in mappings for a pod that will be run as a UID other than 0 (default: -1) [$CONTAINER_MINIMUM_MAPPABLE_UID]
--namespaces-dir value The directory where the state of the managed namespaces gets tracked. Only used when manage-ns-lifecycle is true (default: "/var/run") [$CONTAINER_NAMESPACES_DIR]
--no-pivot pivot_root If true, the runtime will not use pivot_root, but instead use `MS_MOVE` (default: false) (default: false) [$CONTAINER_NO_PIVOT]
--pause-command value Path to the pause executable in the pause image (default: "/pause") [$CONTAINER_PAUSE_COMMAND]
--pause-image value Image which contains the pause executable (default: "k8s.gcr.io/pause:3.6") [$CONTAINER_PAUSE_IMAGE]
--pause-image-auth-file value Path to a config file containing credentials for --pause-image (default: "") [$CONTAINER_PAUSE_IMAGE_AUTH_FILE]
--pids-limit value Maximum number of processes allowed in a container (default: 1024) [$CONTAINER_PIDS_LIMIT]
--pinns-path value The path to find the pinns binary, which is needed to manage namespace lifecycle. Will be searched for in $PATH if empty (default: "") [$CONTAINER_PINNS_PATH]
--profile Enable pprof remote profiler on localhost:6060 (default: false) [$CONTAINER_PROFILE]
--profile-cpu value Write a pprof CPU profile to the provided path [$CONTAINER_PROFILE_CPU]
--profile-mem value Write a pprof memory profile to the provided path [$CONTAINER_PROFILE_MEM]
--profile-port value Port for the pprof profiler (default: 6060) [$CONTAINER_PROFILE_PORT]
--rdt-config-file value Path to the RDT configuration file for configuring the resctrl pseudo-filesystem
--read-only /run Setup all unprivileged containers to run as read-only. Automatically mounts tmpfs on /run, `/tmp` and `/var/tmp`. (default: false) (default: false) [$CONTAINER_READ_ONLY]
--registry value Registry to be prepended when pulling unqualified images, can be specified multiple times [$CONTAINER_REGISTRY]
--root value, -r value The CRI-O root directory (default: "/var/lib/containers/storage") [$CONTAINER_ROOT]
--runroot value The CRI-O state directory (default: "/run/containers/storage") [$CONTAINER_RUNROOT]
--runtimes value OCI runtimes, format is runtime_name:runtime_path:runtime_root:runtime_type:privileged_without_host_devices:runtime_config_path [$CONTAINER_RUNTIMES]
--seccomp-profile value Path to the seccomp.json profile to be used as the runtime's default. If not specified, then the internal default seccomp profile will be used. (default: "") [$CONTAINER_SECCOMP_PROFILE]
--seccomp-use-default-when-empty value Use the default seccomp profile when an empty one is specified (default: false) [$CONTAINER_SECCOMP_USE_DEFAULT_WHEN_EMPTY]
--selinux Enable selinux support (default: false) (default: false) [$CONTAINER_SELINUX]
--separate-pull-cgroup value [EXPERIMENTAL] Pull in new cgroup (default: "") [$PULL_IN_A_CGROUP]
--signature-policy value Path to signature policy JSON file. (default: "", to use the system-wide default) [$CONTAINER_SIGNATURE_POLICY]
--stats-collection-period value The number of seconds between collecting pod and container stats. If set to 0, the stats are collected on-demand instead. (default: 0) [$CONTAINER_STATS_COLLECTION_PERIOD]
--storage-driver value, -s value OCI storage driver (default: "overlay") [$CONTAINER_STORAGE_DRIVER]
--storage-opt value OCI storage driver option (default: "overlay.mountopt=nodev") [$CONTAINER_STORAGE_OPT]
--stream-address value Bind address for streaming socket (default: "127.0.0.1") [$CONTAINER_STREAM_ADDRESS]
--stream-enable-tls Enable encrypted TLS transport of the stream server (default: false) (default: false) [$CONTAINER_ENABLE_TLS]
--stream-idle-timeout value Length of time until open streams terminate due to lack of activity [$STREAM_IDLE_TIMEOUT]
--stream-port value Bind port for streaming socket. If the port is set to '0', then CRI-O will allocate a random free port number. (default: "0") [$CONTAINER_STREAM_PORT]
--stream-tls-ca value Path to the x509 CA(s) file used to verify and authenticate client communication with the encrypted stream. This file can change and CRI-O will automatically pick up the changes within 5 minutes (default: "") [$CONTAINER_TLS_CA]
--stream-tls-cert value Path to the x509 certificate file used to serve the encrypted stream. This file can change and CRI-O will automatically pick up the changes within 5 minutes (default: "") [$CONTAINER_TLS_CERT]
--stream-tls-key value Path to the key file used to serve the encrypted stream. This file can change and CRI-O will automatically pick up the changes within 5 minutes (default: "") [$CONTAINER_TLS_KEY]
--tracing-endpoint value Address on which the gRPC tracing collector will listen (default: "0.0.0.0:4317") [$CONTAINER_TRACING_ENDPOINT]
--tracing-sampling-rate-per-million value Number of samples to collect per million OpenTelemetry spans (default: 0) [$CONTAINER_TRACING_SAMPLING_RATE_PER_MILLION]
--uid-mappings value Specify the UID mappings to use for the user namespace (default: "") [$CONTAINER_UID_MAPPINGS]
--version-file value Location for CRI-O to lay down the temporary version file. It is used to check if crio wipe should wipe containers, which should always happen on a node reboot (default: "/var/run/crio/version") [$CONTAINER_VERSION_FILE]
--version-file-persist value Location for CRI-O to lay down the persistent version file. It is used to check if crio wipe should wipe images, which should only happen when CRI-O has been upgraded (default: "/var/run/crio/version") [$CONTAINER_VERSION_FILE_PERSIST]
--help, -h show help (default: false)
--version, -v print the version (default: false)
类似资料: