-e, --engine
+ |
+ "engine": "lcr"
+ |
+ iSulad runtime, which is Icr by default.
+ |
+ None
+ |
+
+ -G, --group
+ |
+ "group": "isulad"
+ |
+ Socket group.
+ |
+ None
+ |
+
+ --hook-spec
+ |
+ "hook-spec": "/etc/default/isulad/hooks/default.json"
+ |
+ Default hook configuration file for all containers.
+ |
+ None
+ |
+
+ -H, --host
+ |
+ "hosts": "unix:///var/run/isulad.sock"
+ |
+ Communication mode.
+ |
+ In addition to the local socket, the tcp://ip:port mode is supported. The port number ranges from 0 to 65535, excluding occupied ports.
+ |
+
+ --log-driver
+ |
+ "log-driver": "file"
+ |
+ Log driver configuration.
+ |
+ None
+ |
+
+ -l, --log-level
+ |
+ "log-level": "ERROR"
+ |
+ Log output level.
+ |
+ None
+ |
+
+ --log-opt
+ |
+ "log-opts": {
+ "log-file-mode": "0600",
+ "log-path": "/var/lib/isulad",
+ "max-file": "1",
+ "max-size": "30KB"
+ }
+ |
+ Log-related configuration.
+ |
+ You can specify max-file, max-size, and log-path. max-file indicates the number of log files. max-size indicates the threshold for triggering log anti-explosion. If max-file is 1, max-size is invalid. log-path specifies the path for storing log files. The log-file-mode command is used to set the permissions to read and write log files. The value must be in octal format, for example, 0666.
+ |
+
+ --start-timeout
+ |
+ "start-timeout": "2m"
+ |
+ Time required for starting a container.
+ |
+ None
+ |
+
+ --runtime
+ |
+ "default-runtime": "lcr"
+ |
+ Container runtime, which is lcr by default.
+ |
+ If neither the CLI nor the configuration file specifies the runtime, lcr is used by default. The priorities of the three specifying methods are as follows: CLI > configuration file > default value lcr. Currently, lcr and kata-runtime are supported.
+ |
+
+ None
+ |
+ "runtimes": {
+ "kata-runtime": {
+ "path": "/usr/bin/kata-runtime",
+ "runtime-args": [
+ "--kata-config",
+ "/usr/share/defaults/kata-containers/configuration.toml"
+ ]
+ }
+ }
+ |
+ When starting a container, set this parameter to specify multiple runtimes. Runtimes in this set are valid for container startup.
+ |
+ Runtime whitelist of a container. The customized runtimes in this set are valid. kata-runtime is used as the example.
+ |
+
+ -p, --pidfile
+ |
+ "pidfile": "/var/run/isulad.pid"
+ |
+ File for storing PIDs.
+ |
+ This parameter is required only when more than two container engines need to be started.
+ |
+
+ -g, --graph
+ |
+ "graph": "/var/lib/isulad"
+ |
+ Root directory for iSulad runtimes.
+ |
+
+ -S, --state
+ |
+ "state": "/var/run/isulad"
+ |
+ Root directory of the execution file.
+ |
+
+ --storage-driver
+ |
+ "storage-driver": "overlay2"
+ |
+ Image storage driver, which is overlay2 by default.
+ |
+ Only overlay2 is supported.
+ |
+
+ -s, --storage-opt
+ |
+ "storage-opts": [ "overlay2.override_kernel_check=true" ]
+ |
+ Image storage driver configuration options.
+ |
+ The options are as follows:
+ overlay2.override_kernel_check=true #Ignore the kernel version check.
+ overlay2.size=${size} #Set the rootfs quota to ${size}.
+ overlay2.basesize=${size} #It is equivalent to overlay2.size.
+ |
+
+ --image-opt-timeout
+ |
+ "image-opt-timeout": "5m"
+ |
+ Image operation timeout interval, which is 5m by default.
+ |
+ The value -1 indicates that the timeout interval is not limited.
+ |
+
+ --registry-mirrors
+ |
+ "registry-mirrors": [ "docker.io" ]
+ |
+ Registry address.
+ |
+ None
+ |
+
+ --insecure-registry
+ |
+ "insecure-registries": [ ]
+ |
+ Registry without TLS verification.
+ |
+ None
+ |
+
+ --native.umask
+ |
+ "native.umask": "secure"
+ |
+ Container umask policy. The default value is secure. The value normal indicates insecure configuration.
+ |
+ Set the container umask value.
+ The value can be null (0027 by default), normal, or secure.
+ normal #The umask value of the started container is 0022.
+ secure #The umask value of the started container is 0027 (default value).
+ |
+
+ --pod-sandbox-image
+ |
+ "pod-sandbox-image": "rnd-dockerhub.huawei.com/library/pause-aarch64:3.0"
+ |
+ By default, the pod uses the image. The default value is rnd-dockerhub.huawei.com/library/pause-${machine}:3.0.
+ |
+ None
+ |
+
+ --network-plugin
+ |
+ "network-plugin": ""
+ |
+ Specifies a network plug-in. The value is a null character by default, indicating that no network configuration is available and the created sandbox has only the loop NIC.
+ |
+ The CNI and null characters are supported. Other invalid values will cause iSulad startup failure.
+ |
+
+ --cni-bin-dir
+ |
+ "cni-bin-dir": ""
+ |
+ Specifies the storage location of the binary file on which the CNI plug-in depends.
+ |
+ The default value is /opt/cni/bin.
+ |
+
+ --cni-conf-dir
+ |
+ "cni-conf-dir": ""
+ |
+ Specifies the storage location of the CNI network configuration file.
+ |
+ The default value is /etc/cni/net.d.
+ |
+
+ --image-layer-check=false
+ |
+ "image-layer-check": false
+ |
+ Image layer integrity check. To enable the function, set it to true; otherwise, set it to false. It is disabled by default.
+ |
+ When iSulad is started, the image layer integrity is checked. If the image layer is damaged, the related images are unavailable. iSulad cannot verify empty files, directories, and link files. Therefore, if the preceding files are lost due to a power failure, the integrity check of iSulad image data may fail to be identified. When the iSulad version changes, check whether the parameter is supported. If not, delete it from the configuration file.
+ |
+
+ --insecure-skip-verify-enforce=false
+ |
+ "insecure-skip-verify-enforce": false
+ |
+ Indicates whether to forcibly skip the verification of the certificate host name/domain name. The value is of the Boolean type, and the default value is false. If this parameter is set to true, the verification of the certificate host name/domain name is skipped.
+ |
+ The default value is false (not skipped). Note: Restricted by the YAJL JSON parsing library, if a non-Boolean value that meets the JSON format requirements is configured in the /etc/isulad/daemon.json configuration file, the default value used by iSulad is false.
+ |
+
+ --use-decrypted-key=true
+ |
+ "use-decrypted-key": true
+ |
+ Specifies whether to use an unencrypted private key. The value is of the Boolean type. If this parameter is set to true, an unencrypted private key is used. If this parameter is set to false, the encrypted private key is used, that is, two-way authentication is required.
+ |
+ The default value is true, indicating that an unencrypted private key is used. Note: Restricted by the YAJL JSON parsing library, if a non-Boolean value that meets the JSON format requirements is configured in the /etc/isulad/daemon.json configuration file, the default value used by iSulad is true.
+ |
+
+ --tls
+ |
+ "tls":false
+ |
+ Specifies whether to use TLS. The value is of the Boolean type.
+ |
+ This parameter is used only in -H tcp://IP:PORT mode. The default value is false.
+ |
+
+ --tlsverify
+ |
+ "tlsverify":false
+ |
+ Specifies whether to use TLS and verify remote access. The value is of the Boolean type.
+ |
+ This parameter is used only in -H tcp://IP:PORT mode.
+ |
+
+ --tlscacert
+ --tlscert
+ --tlskey
+ |
+ "tls-config": {
+ "CAFile": "/root/.iSulad/ca.pem",
+ "CertFile": "/root/.iSulad/server-cert.pem",
+ "KeyFile":"/root/.iSulad/server-key.pem"
+ }
+ |
+ TLS certificate-related configuration.
+ |
+ This parameter is used only in -H tcp://IP:PORT mode.
+ |
+
+ --authorization-plugin
+ |
+ "authorization-plugin": "authz-broker"
+ |
+ User permission authentication plugin.
+ |
+ Only authz-broker is supported.
+ |
+
+ --cgroup-parent
+ |
+ "cgroup-parent": "lxc/mycgroup"
+ |
+ Default cgroup parent path of a container, which is of the string type.
+ |
+ Specifies the cgroup parent path of a container. If --cgroup-parent is specified on the client, the client parameter prevails.
+ Note: If container A is started before container B, the cgroup parent path of container B is specified as the cgroup path of container A. When deleting a container, you need to delete container B and then container A in sequence. Otherwise, residual cgroup resources exist.
+ |
+
+ --default-ulimits
+ |
+ "default-ulimits": {
+ "nofile": {
+ "Name": "nofile",
+ "Hard": 6400,
+ "Soft": 3200
+ }
+ }
+ |
+ Specifies the ulimit restriction type, soft value, and hard value.
+ |
+ Specifies the restricted resource type, for example, nofile. The two field names must be the same, that is, nofile. Otherwise, an error is reported. The value of Hard must be greater than or equal to that of Soft. If the Hard or Soft field is not set, the default value 0 is used.
+ |
+
+ --websocket-server-listening-port
+ |
+ "websocket-server-listening-port": 10350
+ |
+ Specifies the listening port of the CRI WebSocket streaming service. The default port number is 10350.
+ |
+ Specifies the listening port of the CRI websocket streaming service.
+ If the client specifies --websocket-server-listening-port, the specified value is used. The port number ranges from 1024 to 49151.
+ |
+
+
+