From 804b33492e771a57316ed203ba19b1ea2add5933 Mon Sep 17 00:00:00 2001 From: Brad Davidson Date: Tue, 4 Feb 2025 00:44:08 +0000 Subject: [PATCH] Consolidate linux and windows containerd config templates Signed-off-by: Brad Davidson --- pkg/agent/config/config.go | 55 ++++------ pkg/agent/config/config_linux.go | 42 ++++++- pkg/agent/config/config_windows.go | 18 ++- pkg/agent/containerd/config_windows.go | 2 - pkg/agent/templates/templates.go | 102 +++++++++++++++++ pkg/agent/templates/templates_linux.go | 99 ----------------- pkg/agent/templates/templates_windows.go | 134 ----------------------- 7 files changed, 172 insertions(+), 280 deletions(-) diff --git a/pkg/agent/config/config.go b/pkg/agent/config/config.go index 2e5efd1a4de8..76a96ab91f28 100644 --- a/pkg/agent/config/config.go +++ b/pkg/agent/config/config.go @@ -22,7 +22,6 @@ import ( "strings" "time" - "github.com/k3s-io/k3s/pkg/agent/containerd" "github.com/k3s-io/k3s/pkg/agent/proxy" agentutil "github.com/k3s-io/k3s/pkg/agent/util" "github.com/k3s-io/k3s/pkg/cli/cmds" 
@@ -647,43 +646,18 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N nodeConfig.Containerd.Config = filepath.Join(envInfo.DataDir, "agent", "etc", "containerd", "config.toml") nodeConfig.Containerd.Root = filepath.Join(envInfo.DataDir, "agent", "containerd") nodeConfig.CRIDockerd.Root = filepath.Join(envInfo.DataDir, "agent", "cri-dockerd") - if !nodeConfig.Docker { - if nodeConfig.ImageServiceEndpoint != "" { - nodeConfig.AgentConfig.ImageServiceSocket = nodeConfig.ImageServiceEndpoint - } else if nodeConfig.ContainerRuntimeEndpoint == "" { - switch nodeConfig.AgentConfig.Snapshotter { - case "overlayfs": - if err := containerd.OverlaySupported(nodeConfig.Containerd.Root); err != nil { - return nil, errors.Wrapf(err, "\"overlayfs\" snapshotter cannot be enabled for %q, try using \"fuse-overlayfs\" or \"native\"", - nodeConfig.Containerd.Root) - } - case "fuse-overlayfs": - if err := containerd.FuseoverlayfsSupported(nodeConfig.Containerd.Root); err != nil { - return nil, errors.Wrapf(err, "\"fuse-overlayfs\" snapshotter cannot be enabled for %q, try using \"native\"", - nodeConfig.Containerd.Root) - } - case "stargz": - if err := containerd.StargzSupported(nodeConfig.Containerd.Root); err != nil { - return nil, errors.Wrapf(err, "\"stargz\" snapshotter cannot be enabled for %q, try using \"overlayfs\" or \"native\"", - nodeConfig.Containerd.Root) - } - nodeConfig.AgentConfig.ImageServiceSocket = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock" - } - } else { - nodeConfig.AgentConfig.ImageServiceSocket = nodeConfig.ContainerRuntimeEndpoint - } - } nodeConfig.Containerd.Opt = filepath.Join(envInfo.DataDir, "agent", "containerd") nodeConfig.Containerd.Log = filepath.Join(envInfo.DataDir, "agent", "containerd", "containerd.log") nodeConfig.Containerd.Registry = filepath.Join(envInfo.DataDir, "agent", "etc", "containerd", "certs.d") nodeConfig.Containerd.NoDefault = envInfo.ContainerdNoDefault 
nodeConfig.Containerd.NonrootDevices = envInfo.ContainerdNonrootDevices nodeConfig.Containerd.Debug = envInfo.Debug - applyContainerdStateAndAddress(nodeConfig) - applyCRIDockerdAddress(nodeConfig) - applyContainerdQoSClassConfigFileIfPresent(envInfo, &nodeConfig.Containerd) nodeConfig.Containerd.Template = filepath.Join(envInfo.DataDir, "agent", "etc", "containerd", "config.toml.tmpl") + if nodeConfig.Docker { + } else { + } + if envInfo.BindAddress != "" { nodeConfig.AgentConfig.ListenAddress = envInfo.BindAddress } else { @@ -739,13 +713,26 @@ func get(ctx context.Context, envInfo *cmds.Agent, proxy proxy.Proxy) (*config.N } } - if nodeConfig.Docker { + if nodeConfig.ImageServiceEndpoint != "" { + nodeConfig.AgentConfig.ImageServiceSocket = nodeConfig.ImageServiceEndpoint + } + + if nodeConfig.ContainerRuntimeEndpoint != "" { + nodeConfig.AgentConfig.RuntimeSocket = nodeConfig.ContainerRuntimeEndpoint + } else if nodeConfig.Docker { + if err := applyCRIDockerdOSSpecificConfig(nodeConfig); err != nil { + return nil, err + } nodeConfig.AgentConfig.CNIPlugin = true nodeConfig.AgentConfig.RuntimeSocket = nodeConfig.CRIDockerd.Address - } else if nodeConfig.ContainerRuntimeEndpoint == "" { - nodeConfig.AgentConfig.RuntimeSocket = nodeConfig.Containerd.Address } else { - nodeConfig.AgentConfig.RuntimeSocket = nodeConfig.ContainerRuntimeEndpoint + if err := applyContainerdOSSpecificConfig(nodeConfig); err != nil { + return nil, err + } + if err := applyContainerdQoSClassConfigFileIfPresent(envInfo, &nodeConfig.Containerd); err != nil { + return nil, err + } + nodeConfig.AgentConfig.RuntimeSocket = nodeConfig.Containerd.Address } if controlConfig.ClusterIPRange != nil { diff --git a/pkg/agent/config/config_linux.go b/pkg/agent/config/config_linux.go index 04746bb6ea58..4059d5228127 100644 --- a/pkg/agent/config/config_linux.go +++ b/pkg/agent/config/config_linux.go 
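Review bot: The added `if nodeConfig.Docker { } else { }` right after the `Containerd.Template` assignment has two empty branches and does nothing. It reads like a leftover from moving the runtime selection further down in `get`. Dropping the statement stops a reader from looking for Docker-specific setup here, since that now lives in the `ContainerRuntimeEndpoint`/`Docker` chain later in the function. The body of `get` starts and ends outside this hunk.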
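Review bot: An explicitly configured image service endpoint can now be silently overwritten. `ImageServiceSocket` is set from `ImageServiceEndpoint` first, and `applyContainerdOSSpecificConfig` (config_linux.go, `case "stargz"`) then assigns the stargz socket unconditionally, whereas the removed code skipped the snapshotter switch whenever `ImageServiceEndpoint` was set. Either move the `if nodeConfig.ImageServiceEndpoint != "" { ... }` block below the runtime chain, or guard the stargz assignment with `if nodeConfig.AgentConfig.ImageServiceSocket == ""`. Two further behaviour changes deserve a comment or a test: with only `ContainerRuntimeEndpoint` set, `ImageServiceSocket` is no longer defaulted to it, and with both `Docker` and `ContainerRuntimeEndpoint` set the external endpoint now wins and `CNIPlugin` stays unset. `get` continues outside the hunk, so later defaulting may cover some of this.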
@@ -4,25 +4,47 @@ package config import ( - "errors" "os" "path/filepath" + "github.com/k3s-io/k3s/pkg/agent/containerd" "github.com/k3s-io/k3s/pkg/cli/cmds" "github.com/k3s-io/k3s/pkg/daemons/config" + "github.com/pkg/errors" "github.com/sirupsen/logrus" ) -func applyContainerdStateAndAddress(nodeConfig *config.Node) { +// applyContainerdOSSpecificConfig sets linux-specific containerd config +func applyContainerdOSSpecificConfig(nodeConfig *config.Node) error { nodeConfig.Containerd.State = "/run/k3s/containerd" nodeConfig.Containerd.Address = filepath.Join(nodeConfig.Containerd.State, "containerd.sock") -} -func applyCRIDockerdAddress(nodeConfig *config.Node) { - nodeConfig.CRIDockerd.Address = "unix:///run/k3s/cri-dockerd/cri-dockerd.sock" + // validate that the selected snapshotter supports the filesystem at the root path. + // for stargz, also overrides the image service endpoint path. + switch nodeConfig.AgentConfig.Snapshotter { + case "overlayfs": + if err := containerd.OverlaySupported(nodeConfig.Containerd.Root); err != nil { + return errors.Wrapf(err, "\"overlayfs\" snapshotter cannot be enabled for %q, try using \"fuse-overlayfs\" or \"native\"", + nodeConfig.Containerd.Root) + } + case "fuse-overlayfs": + if err := containerd.FuseoverlayfsSupported(nodeConfig.Containerd.Root); err != nil { + return errors.Wrapf(err, "\"fuse-overlayfs\" snapshotter cannot be enabled for %q, try using \"native\"", + nodeConfig.Containerd.Root) + } + case "stargz": + if err := containerd.StargzSupported(nodeConfig.Containerd.Root); err != nil { + return errors.Wrapf(err, "\"stargz\" snapshotter cannot be enabled for %q, try using \"overlayfs\" or \"native\"", + nodeConfig.Containerd.Root) + } + nodeConfig.AgentConfig.ImageServiceSocket = "/run/containerd-stargz-grpc/containerd-stargz-grpc.sock" + } + + return nil } -func applyContainerdQoSClassConfigFileIfPresent(envInfo *cmds.Agent, containerdConfig *config.Containerd) { +// applyContainerdQoSClassConfigFileIfPresent 
sets linux-specific qos config +func applyContainerdQoSClassConfigFileIfPresent(envInfo *cmds.Agent, containerdConfig *config.Containerd) error { containerdConfigDir := filepath.Join(envInfo.DataDir, "agent", "etc", "containerd") blockioPath := filepath.Join(containerdConfigDir, "blockio_config.yaml") @@ -44,6 +66,14 @@ func applyContainerdQoSClassConfigFileIfPresent(envInfo *cmds.Agent, containerdC containerdConfig.RDTConfig = rdtPath } } + + return nil +} + +// applyCRIDockerdOSSpecificConfig sets linux-specific cri-dockerd config +func applyCRIDockerdOSSpecificConfig(nodeConfig *config.Node) error { + nodeConfig.CRIDockerd.Address = "unix:///run/k3s/cri-dockerd/cri-dockerd.sock" + return nil } // configureACL will configure an Access Control List for the specified file. diff --git a/pkg/agent/config/config_windows.go b/pkg/agent/config/config_windows.go index 10f6973d4e3b..2c6e3ae10005 100644 --- a/pkg/agent/config/config_windows.go +++ b/pkg/agent/config/config_windows.go 
@@ -15,17 +15,25 @@ import ( "golang.org/x/sys/windows" ) -func applyContainerdStateAndAddress(nodeConfig *config.Node) { +// applyContainerdOSSpecificConfig sets windows-specific containerd config +func applyContainerdOSSpecificConfig(nodeConfig *config.Node) error { + nodeConfig.AgentConfig.Snapshotter = "windows" nodeConfig.Containerd.State = filepath.Join(nodeConfig.Containerd.Root, "state") nodeConfig.Containerd.Address = "npipe:////./pipe/containerd-containerd" + nodeConfig.DefaultRuntime = "runhcs-wcow-process" + return nil } -func applyCRIDockerdAddress(nodeConfig *config.Node) { - nodeConfig.CRIDockerd.Address = "npipe:////.pipe/cri-dockerd" +// applyContainerdQoSClassConfigFileIfPresent sets windows-specific qos config +func applyContainerdQoSClassConfigFileIfPresent(envInfo *cmds.Agent, containerdConfig *config.Containerd) error { + // QoS-class resource management not supported on windows. + return nil } -func applyContainerdQoSClassConfigFileIfPresent(envInfo *cmds.Agent, containerdConfig *config.Containerd) { - // QoS-class resource management not supported on windows. +// applyCRIDockerdOSpecificConfig sets windows-specific cri-dockerd config +func applyCRIDockerdOSpecificConfig(nodeConfig *config.Node) error { + nodeConfig.CRIDockerd.Address = "npipe:////.pipe/cri-dockerd" + return nil } // configureACL will configure an Access Control List for the specified file, diff --git a/pkg/agent/containerd/config_windows.go b/pkg/agent/containerd/config_windows.go index 5e102401e5eb..7383470cf78e 100644 --- a/pkg/agent/containerd/config_windows.go +++ b/pkg/agent/containerd/config_windows.go @@ -31,8 +31,6 @@ func SetupContainerdConfig(cfg *config.Node) error { containerdConfig := templates.ContainerdConfig{ NodeConfig: cfg, DisableCgroup: true, - SystemdCgroup: false, - IsRunningInUserNS: false, PrivateRegistryConfig: cfg.AgentConfig.Registry, NoDefaultEndpoint: cfg.Containerd.NoDefault, } 
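Review bot: The Windows helper is declared as `applyCRIDockerdOSpecificConfig` (a single `S`), but config.go calls `applyCRIDockerdOSSpecificConfig` and config_linux.go defines it under that name, so the Windows build would fail on an undefined identifier. Rename the function and its doc comment to `applyCRIDockerdOSSpecificConfig`. The carried-over address `"npipe:////.pipe/cri-dockerd"` also differs from the containerd one, `"npipe:////./pipe/containerd-containerd"`, by a missing `/` after the dot. If that is unintended, `"npipe:////./pipe/cri-dockerd"` is presumably what was meant. A Windows cross-compile (`GOOS=windows go build ./pkg/agent/...`) in CI would catch the first of these.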
diff --git a/pkg/agent/templates/templates.go b/pkg/agent/templates/templates.go index 9a66b9007472..405e57e35264 100644 --- a/pkg/agent/templates/templates.go +++ b/pkg/agent/templates/templates.go 
@@ -42,6 +42,108 @@ type HostConfig struct { Endpoints []RegistryEndpoint } +const ContainerdConfigTemplate = ` +{{- /* */ -}} +# File generated by {{ .Program }}. DO NOT EDIT. Use config.toml.tmpl instead. +version = 2 +root = {{ printf "%q" .NodeConfig.Containerd.Root }} +state = {{ printf "%q" .NodeConfig.Containerd.State }} + +[plugins."io.containerd.internal.v1.opt"] + path = {{ printf "%q" .NodeConfig.Containerd.Opt }} + +[plugins."io.containerd.grpc.v1.cri"] + stream_server_address = "127.0.0.1" + stream_server_port = "10010" + enable_selinux = {{ .NodeConfig.SELinux }} + enable_unprivileged_ports = {{ .EnableUnprivileged }} + enable_unprivileged_icmp = {{ .EnableUnprivileged }} + device_ownership_from_security_context = {{ .NonrootDevices }} + +{{- if .DisableCgroup}} + disable_cgroup = true +{{end}} +{{- if .IsRunningInUserNS }} + disable_apparmor = true + restrict_oom_score_adj = true +{{end}} + +{{- if .NodeConfig.AgentConfig.PauseImage }} + sandbox_image = "{{ .NodeConfig.AgentConfig.PauseImage }}" +{{end}} + +{{- if .NodeConfig.AgentConfig.Snapshotter }} +[plugins."io.containerd.grpc.v1.cri".containerd] + snapshotter = "{{ .NodeConfig.AgentConfig.Snapshotter }}" + disable_snapshot_annotations = {{ if eq .NodeConfig.AgentConfig.Snapshotter "stargz" }}false{{else}}true{{end}} + {{ if .NodeConfig.DefaultRuntime }}default_runtime_name = "{{ .NodeConfig.DefaultRuntime }}"{{end}} +{{ if eq .NodeConfig.AgentConfig.Snapshotter "stargz" }} +{{ if .NodeConfig.AgentConfig.ImageServiceSocket }} +[plugins."io.containerd.snapshotter.v1.stargz"] +cri_keychain_image_service_path = "{{ .NodeConfig.AgentConfig.ImageServiceSocket }}" +[plugins."io.containerd.snapshotter.v1.stargz".cri_keychain] +enable_keychain = true +{{end}} + +[plugins."io.containerd.snapshotter.v1.stargz".registry] + config_path = "{{ .NodeConfig.Containerd.Registry }}" + +{{ if .PrivateRegistryConfig }} +{{range $k, $v := .PrivateRegistryConfig.Configs }} +{{ if $v.Auth }} 
+[plugins."io.containerd.snapshotter.v1.stargz".registry.configs."{{$k}}".auth] + {{ if $v.Auth.Username }}username = {{ printf "%q" $v.Auth.Username }}{{end}} + {{ if $v.Auth.Password }}password = {{ printf "%q" $v.Auth.Password }}{{end}} + {{ if $v.Auth.Auth }}auth = {{ printf "%q" $v.Auth.Auth }}{{end}} + {{ if $v.Auth.IdentityToken }}identitytoken = {{ printf "%q" $v.Auth.IdentityToken }}{{end}} +{{end}} +{{end}} +{{end}} +{{end}} +{{end}} + +{{- if not .NodeConfig.NoFlannel }} +[plugins."io.containerd.grpc.v1.cri".cni] + bin_dir = "{{ .NodeConfig.AgentConfig.CNIBinDir }}" + conf_dir = "{{ .NodeConfig.AgentConfig.CNIConfDir }}" +{{end}} + +{{- if or .NodeConfig.Containerd.BlockIOConfig .NodeConfig.Containerd.RDTConfig }} +[plugins."io.containerd.service.v1.tasks-service"] + {{ if .NodeConfig.Containerd.BlockIOConfig }}blockio_config_file = "{{ .NodeConfig.Containerd.BlockIOConfig }}"{{end}} + {{ if .NodeConfig.Containerd.RDTConfig }}rdt_config_file = "{{ .NodeConfig.Containerd.RDTConfig }}"{{end}} +{{end}} + +[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] + runtime_type = "io.containerd.runc.v2" + +[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] + SystemdCgroup = {{ .SystemdCgroup }} + +[plugins."io.containerd.grpc.v1.cri".registry] + config_path = "{{ .NodeConfig.Containerd.Registry }}" + +{{ if .PrivateRegistryConfig }} +{{range $k, $v := .PrivateRegistryConfig.Configs }} +{{ if $v.Auth }} +[plugins."io.containerd.grpc.v1.cri".registry.configs."{{$k}}".auth] + {{ if $v.Auth.Username }}username = {{ printf "%q" $v.Auth.Username }}{{end}} + {{ if $v.Auth.Password }}password = {{ printf "%q" $v.Auth.Password }}{{end}} + {{ if $v.Auth.Auth }}auth = {{ printf "%q" $v.Auth.Auth }}{{end}} + {{ if $v.Auth.IdentityToken }}identitytoken = {{ printf "%q" $v.Auth.IdentityToken }}{{end}} +{{end}} +{{end}} +{{end}} + +{{range $k, $v := .ExtraRuntimes}} +[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."{{$k}}"] + runtime_type 
= "{{$v.RuntimeType}}" +[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."{{$k}}".options] + BinaryName = "{{$v.BinaryName}}" + SystemdCgroup = {{ $.SystemdCgroup }} +{{end}} +` + var HostsTomlHeader = "# File generated by " + version.Program + ". DO NOT EDIT.\n" const HostsTomlTemplate = ` diff --git a/pkg/agent/templates/templates_linux.go b/pkg/agent/templates/templates_linux.go index dffce1737ccb..b3950a23a9c4 100644 --- a/pkg/agent/templates/templates_linux.go +++ b/pkg/agent/templates/templates_linux.go 
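Review bot: Several values in the consolidated template are interpolated as `"{{ ... }}"` rather than through `printf "%q"`, which the removed Windows template used for `bin_dir`, `conf_dir` and the registry `config_path`. Windows paths contain backslashes, which TOML basic strings treat as escapes, and any value containing a double quote would end the string early and corrupt the generated config. Suggested: `bin_dir = {{ printf "%q" .NodeConfig.AgentConfig.CNIBinDir }}`, `conf_dir = {{ printf "%q" .NodeConfig.AgentConfig.CNIConfDir }}`, `config_path = {{ printf "%q" .NodeConfig.Containerd.Registry }}`, with the same treatment for `sandbox_image`, `snapshotter`, `default_runtime_name`, the stargz socket path and the blockio/rdt file paths. Separately, config_windows.go now sets `DefaultRuntime` to `runhcs-wcow-process`, but this template declares only the `runc` runtime table, where the removed Windows template declared `runtimes.runhcs-wcow-process` with `io.containerd.runhcs.v1`. Unless `ExtraRuntimes` supplies it, the default would name an undefined runtime. The removed `[grpc] address` line is also gone, so confirm the address reaches containerd another way.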
@@ -6,105 +6,6 @@ import ( "text/template" ) -const ContainerdConfigTemplate = ` -{{- /* */ -}} -# File generated by {{ .Program }}. DO NOT EDIT. Use config.toml.tmpl instead. -version = 2 - -[plugins."io.containerd.internal.v1.opt"] - path = "{{ .NodeConfig.Containerd.Opt }}" -[plugins."io.containerd.grpc.v1.cri"] - stream_server_address = "127.0.0.1" - stream_server_port = "10010" - enable_selinux = {{ .NodeConfig.SELinux }} - enable_unprivileged_ports = {{ .EnableUnprivileged }} - enable_unprivileged_icmp = {{ .EnableUnprivileged }} - device_ownership_from_security_context = {{ .NonrootDevices }} - -{{- if .DisableCgroup}} - disable_cgroup = true -{{end}} -{{- if .IsRunningInUserNS }} - disable_apparmor = true - restrict_oom_score_adj = true -{{end}} - -{{- if .NodeConfig.AgentConfig.PauseImage }} - sandbox_image = "{{ .NodeConfig.AgentConfig.PauseImage }}" -{{end}} - -{{- if .NodeConfig.AgentConfig.Snapshotter }} -[plugins."io.containerd.grpc.v1.cri".containerd] - snapshotter = "{{ .NodeConfig.AgentConfig.Snapshotter }}" - disable_snapshot_annotations = {{ if eq .NodeConfig.AgentConfig.Snapshotter "stargz" }}false{{else}}true{{end}} - {{ if .NodeConfig.DefaultRuntime }}default_runtime_name = "{{ .NodeConfig.DefaultRuntime }}"{{end}} -{{ if eq .NodeConfig.AgentConfig.Snapshotter "stargz" }} -{{ if .NodeConfig.AgentConfig.ImageServiceSocket }} -[plugins."io.containerd.snapshotter.v1.stargz"] -cri_keychain_image_service_path = "{{ .NodeConfig.AgentConfig.ImageServiceSocket }}" -[plugins."io.containerd.snapshotter.v1.stargz".cri_keychain] -enable_keychain = true -{{end}} - -[plugins."io.containerd.snapshotter.v1.stargz".registry] - config_path = "{{ .NodeConfig.Containerd.Registry }}" - -{{ if .PrivateRegistryConfig }} -{{range $k, $v := .PrivateRegistryConfig.Configs }} -{{ if $v.Auth }} -[plugins."io.containerd.snapshotter.v1.stargz".registry.configs."{{$k}}".auth] - {{ if $v.Auth.Username }}username = {{ printf "%q" $v.Auth.Username }}{{end}} - {{ if 
$v.Auth.Password }}password = {{ printf "%q" $v.Auth.Password }}{{end}} - {{ if $v.Auth.Auth }}auth = {{ printf "%q" $v.Auth.Auth }}{{end}} - {{ if $v.Auth.IdentityToken }}identitytoken = {{ printf "%q" $v.Auth.IdentityToken }}{{end}} -{{end}} -{{end}} -{{end}} -{{end}} -{{end}} - -{{- if not .NodeConfig.NoFlannel }} -[plugins."io.containerd.grpc.v1.cri".cni] - bin_dir = "{{ .NodeConfig.AgentConfig.CNIBinDir }}" - conf_dir = "{{ .NodeConfig.AgentConfig.CNIConfDir }}" -{{end}} - -{{- if or .NodeConfig.Containerd.BlockIOConfig .NodeConfig.Containerd.RDTConfig }} -[plugins."io.containerd.service.v1.tasks-service"] - {{ if .NodeConfig.Containerd.BlockIOConfig }}blockio_config_file = "{{ .NodeConfig.Containerd.BlockIOConfig }}"{{end}} - {{ if .NodeConfig.Containerd.RDTConfig }}rdt_config_file = "{{ .NodeConfig.Containerd.RDTConfig }}"{{end}} -{{end}} - -[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc] - runtime_type = "io.containerd.runc.v2" - -[plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options] - SystemdCgroup = {{ .SystemdCgroup }} - -[plugins."io.containerd.grpc.v1.cri".registry] - config_path = "{{ .NodeConfig.Containerd.Registry }}" - -{{ if .PrivateRegistryConfig }} -{{range $k, $v := .PrivateRegistryConfig.Configs }} -{{ if $v.Auth }} -[plugins."io.containerd.grpc.v1.cri".registry.configs."{{$k}}".auth] - {{ if $v.Auth.Username }}username = {{ printf "%q" $v.Auth.Username }}{{end}} - {{ if $v.Auth.Password }}password = {{ printf "%q" $v.Auth.Password }}{{end}} - {{ if $v.Auth.Auth }}auth = {{ printf "%q" $v.Auth.Auth }}{{end}} - {{ if $v.Auth.IdentityToken }}identitytoken = {{ printf "%q" $v.Auth.IdentityToken }}{{end}} -{{end}} -{{end}} -{{end}} - -{{range $k, $v := .ExtraRuntimes}} -[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."{{$k}}"] - runtime_type = "{{$v.RuntimeType}}" -[plugins."io.containerd.grpc.v1.cri".containerd.runtimes."{{$k}}".options] - BinaryName = "{{$v.BinaryName}}" - SystemdCgroup = {{ 
$.SystemdCgroup }} -{{end}} -` - // Linux config templates do not need fixups var templateFuncs = template.FuncMap{ "deschemify": func(s string) string { diff --git a/pkg/agent/templates/templates_windows.go b/pkg/agent/templates/templates_windows.go index 5cccd7e43d08..4bd82dacfbc8 100644 --- a/pkg/agent/templates/templates_windows.go +++ b/pkg/agent/templates/templates_windows.go 
@@ -9,140 +9,6 @@ import ( "text/template" ) -const ContainerdConfigTemplate = ` -{{- /* */ -}} -# File generated by {{ .Program }}. DO NOT EDIT. Use config.toml.tmpl instead. -version = 2 -root = {{ printf "%q" .NodeConfig.Containerd.Root }} -state = {{ printf "%q" .NodeConfig.Containerd.State }} -plugin_dir = "" -disabled_plugins = [] -required_plugins = [] -oom_score = 0 - -[grpc] - address = "{{ deschemify .NodeConfig.Containerd.Address }}" - tcp_address = "" - tcp_tls_cert = "" - tcp_tls_key = "" - uid = 0 - gid = 0 - max_recv_message_size = 16777216 - max_send_message_size = 16777216 - -[ttrpc] - address = "" - uid = 0 - gid = 0 - -[debug] - address = "" - uid = 0 - gid = 0 - level = "" - -[metrics] - address = "" - grpc_histogram = false - -[cgroup] - path = "" - -[timeouts] - "io.containerd.timeout.shim.cleanup" = "5s" - "io.containerd.timeout.shim.load" = "5s" - "io.containerd.timeout.shim.shutdown" = "3s" - "io.containerd.timeout.task.state" = "2s" - -[plugins] - [plugins."io.containerd.gc.v1.scheduler"] - pause_threshold = 0.02 - deletion_threshold = 0 - mutation_threshold = 100 - schedule_delay = "0s" - startup_delay = "100ms" - [plugins."io.containerd.grpc.v1.cri"] - disable_tcp_service = true - stream_server_address = "127.0.0.1" - stream_server_port = "0" - stream_idle_timeout = "4h0m0s" - enable_selinux = false - selinux_category_range = 0 - sandbox_image = "{{ .NodeConfig.AgentConfig.PauseImage }}" - stats_collect_period = 10 - systemd_cgroup = false - enable_tls_streaming = false - max_container_log_line_size = 16384 - disable_cgroup = false - disable_apparmor = false - restrict_oom_score_adj = false - max_concurrent_downloads = 3 - disable_proc_mount = false - unset_seccomp_profile = "" - tolerate_missing_hugetlb_controller = false - disable_hugetlb_controller = false - ignore_image_defined_volumes = false - [plugins."io.containerd.grpc.v1.cri".containerd] - snapshotter = "windows" - default_runtime_name = "runhcs-wcow-process" - no_pivot = false 
- disable_snapshot_annotations = false - discard_unpacked_layers = false - [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime] - runtime_type = "" - runtime_engine = "" - runtime_root = "" - privileged_without_host_devices = false - base_runtime_spec = "" - [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime] - runtime_type = "" - runtime_engine = "" - runtime_root = "" - privileged_without_host_devices = false - base_runtime_spec = "" - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes] - [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runhcs-wcow-process] - runtime_type = "io.containerd.runhcs.v1" - runtime_engine = "" - runtime_root = "" - privileged_without_host_devices = false - base_runtime_spec = "" - [plugins."io.containerd.grpc.v1.cri".cni] - bin_dir = {{ printf "%q" .NodeConfig.AgentConfig.CNIBinDir }} - conf_dir = {{ printf "%q" .NodeConfig.AgentConfig.CNIConfDir }} - max_conf_num = 1 - conf_template = "" - [plugins."io.containerd.grpc.v1.cri".registry] - config_path = {{ printf "%q" .NodeConfig.Containerd.Registry }} - - {{ if .PrivateRegistryConfig }} - {{range $k, $v := .PrivateRegistryConfig.Configs }} - {{ if $v.Auth }} - [plugins."io.containerd.grpc.v1.cri".registry.configs.auth."{{$k}}"] - {{ if $v.Auth.Username }}username = {{ printf "%q" $v.Auth.Username }}{{end}} - {{ if $v.Auth.Password }}password = {{ printf "%q" $v.Auth.Password }}{{end}} - {{ if $v.Auth.Auth }}auth = {{ printf "%q" $v.Auth.Auth }}{{end}} - {{ if $v.Auth.IdentityToken }}identitytoken = {{ printf "%q" $v.Auth.IdentityToken }}{{end}} - {{end}} - {{end}} - {{end}} - [plugins."io.containerd.grpc.v1.cri".image_decryption] - key_model = "" - [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming] - tls_cert_file = "" - tls_key_file = "" - [plugins."io.containerd.internal.v1.opt"] - path = {{ printf "%q" .NodeConfig.Containerd.Opt }} - [plugins."io.containerd.internal.v1.restart"] - interval = "10s" - 
[plugins."io.containerd.metadata.v1.bolt"] - content_sharing_policy = "shared" - [plugins."io.containerd.runtime.v2.task"] - platforms = ["windows/amd64", "linux/amd64"] - [plugins."io.containerd.service.v1.diff-service"] - default = ["windows", "windows-lcow"] -` - // Windows config templates need named pipe addresses fixed up var templateFuncs = template.FuncMap{ "deschemify": func(s string) string {