-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathmain.yml
112 lines (90 loc) · 4.98 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
---
# Copyright 2025 Wong Hoi Sing Edison <[email protected]>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
# Kubernetes release.
kube_release: "{{ _kube_release }}"
# CRI-O version.
cri_o_version: "{{ _cri_o_version[kube_release] }}"
# Path to the "root directory". CRI-O stores all of its data, including
# containers images, in this directory.
cri_o_crio_root: /var/lib/containers/storage
# Path to the "run directory". CRI-O stores all of its state in this directory.
cri_o_crio_runroot: /run/containers/storage
# Storage driver used to manage the storage of images and containers. Please
# refer to containers-storage.conf(5) to see all available storage drivers.
cri_o_crio_storage_driver: overlay
# Path to an helper program to use for mounting the file system instead of
# mounting it directly.
cri_o_crio_storage_options_overlay_mount_program: /usr/bin/fuse-overlayfs
# mountopt specifies comma separated list of extra mount options.
cri_o_crio_storage_options_overlay_mountopt: nodev
# InternalWipe is whether CRI-O should wipe containers and images after a
# reboot when the ser ver starts. If set to false, one must use the
# external command 'crio wipe' to wipe the containers and i mages in these
# situations.
cri_o_crio_internal_wipe: false
# InternalRepair is whether CRI-O should check if the container and image
# storage was corrupted after a sudden restart. If it was, CRI-O also
# attempts to repair the storage.
cri_o_crio_internal_repair: true
# default_runtime is the _name_ of the OCI runtime to be used as the default.
# The name is matched against the runtimes map below.
cri_o_crio_runtime_default_runtime: "{{ _cri_o_crio_runtime_default_runtime }}"
# Cgroup setting for conmon.
cri_o_crio_runtime_conmon_cgroup: "{{ _cri_o_crio_runtime_conmon_cgroup }}"
# Path to the seccomp.json profile which is used as the default seccomp profile
# for the runtime. If not specified, then the internal default seccomp profile
# will be used. This option supports live configuration reload.
cri_o_crio_runtime_seccomp_profile: /usr/share/containers/seccomp.json
# Used to change the name of the default AppArmor profile of CRI-O. The default
# profile name is "crio-default-" followed by the version string of CRI-O.
cri_o_crio_runtime_apparmor_profile: "{{ _cri_o_crio_runtime_apparmor_profile }}"
# Cgroup management implementation used for the runtime.
cri_o_crio_runtime_cgroup_manager: "{{ _cri_o_crio_runtime_cgroup_manager }}"
# Changes the verbosity of the logs based on the level it is set to. Options
# are fatal, panic, error, warn, info, debug and trace. This option supports
# live configuration reload.
cri_o_crio_runtime_log_level: warn
# Path to the directory where CNI configuration files are located.
cri_o_crio_network_network_dir: /etc/cni/net.d
# Globally enable or disable metrics support.
cri_o_crio_metrics_enable_metrics: "true"
# Endpoint of CRI container runtime service.
cri_o_runtime_endpoint: unix:///var/run/crio/crio.sock
# Endpoint of CRI image manager service service.
cri_o_image_endpoint: unix:///var/run/crio/crio.sock
# Kernel modules.
cri_o_modprobe:
- { state: present, option: br_netfilter }
- { state: present, option: overlay }
# Entries for sysctl.
cri_o_sysctl:
- { state: present, name: kernel.pid_max, value: "4194303" }
- { state: present, name: net.bridge.bridge-nf-call-arptables, value: "1" }
- { state: present, name: net.bridge.bridge-nf-call-ip6tables, value: "1" }
- { state: present, name: net.bridge.bridge-nf-call-iptables, value: "1" }
- { state: present, name: net.ipv4.conf.*.rp_filter, value: "0" }
- { state: present, name: net.ipv4.conf.lo.rp_filter, value: "0" }
- { state: present, name: "net.ipv4.conf.{{ ansible_default_ipv4.interface }}.rp_filter", value: "0" }
- { state: present, name: net.ipv4.conf.all.rp_filter, value: "0" }
- { state: present, name: net.ipv4.conf.default.rp_filter, value: "0" }
- { state: present, name: net.ipv4.ip_forward, value: "1" }
- { state: present, name: net.ipv6.conf.*.disable_ipv6, value: "1" }
- { state: present, name: net.ipv6.conf.lo.disable_ipv6, value: "1" }
- { state: present, name: "net.ipv6.conf.{{ ansible_default_ipv4.interface }}.disable_ipv6", value: "1" }
- { state: present, name: net.ipv6.conf.all.disable_ipv6, value: "1" }
- { state: present, name: net.ipv6.conf.all.forwarding, value: "0" }
- { state: present, name: net.ipv6.conf.default.disable_ipv6, value: "1" }
- { state: present, name: vm.min_free_kbytes, value: "65536" }
- { state: present, name: vm.swappiness, value: "0" }