Add documentation for container_create_timeout configuration option

snir911 · snir911 · commit 2d2024a0f66e · 2025-11-26T17:07:04.000+02:00
- Add container_create_timeout to crio.conf.5.md man page documentation
- Add container_create_timeout to configuration template in template.go

Signed-off-by: Snir Schreiber &lt;ssheribe@redhat.com&gt;
diff --git a/docs/crio.conf.5.md b/docs/crio.conf.5.md
@@ -392,6 +392,12 @@ conmon-rs (`runtime_type = "pod"`) supports this configuration for exec and atta
 Path to the seccomp.json profile which is used as the default seccomp profile for the runtime. If not specified, then the `crio.runtime` seccomp profile will be used.
 If that is also not specified, then the internal default seccomp profile will be used.
 
+**container_create_timeout**=240
+The timeout for container creation operations in seconds. If not set, defaults to 240 seconds. If set to a value less than 30 seconds, it will be automatically adjusted to 30 seconds (the minimum allowed value). This allows different runtime handlers to have different container creation timeouts, which is useful for VM-based runtimes that may need longer timeouts than OCI runtimes.
+conmon-rs (`runtime_type = "pod"`) doesn't support the configurable container creation timeout.
+
+Note: The effective timeout is the **minimum** of this value and kubelet's `--runtime-request-timeout` (default: 2 minutes). If you set `container_create_timeout = 600` (10 minutes) but kubelet has the default 2-minute timeout, the operation will be canceled after 2 minutes. Configure both values consistently for VM-based runtimes. For more information about kubelet's runtime request timeout, see the [Kubelet documentation](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/).
+
 ### CRIO.RUNTIME.WORKLOADS TABLE
 
 The "crio.runtime.workloads" table defines a list of workloads - a way to customize the behavior of a pod and container.
diff --git a/pkg/config/template.go b/pkg/config/template.go
@@ -1261,6 +1261,7 @@ const templateStringCrioRuntimeRuntimesRuntimeHandler = `# The "crio.runtime.run
 # default_annotations = {}
 # stream_websockets = false
 # seccomp_profile = ""
+# container_create_timeout = 240
 # Where:
 # - runtime-handler: Name used to identify the runtime.
 # - runtime_path (optional, string): Absolute path to the runtime executable in
@@ -1324,6 +1325,11 @@ const templateStringCrioRuntimeRuntimesRuntimeHandler = `# The "crio.runtime.run
 #   seccomp profile for the runtime.
 #   If not specified or set to "", the runtime seccomp_profile will be used.
 #   If that is also not specified or set to "", the internal default seccomp profile will be applied.
+# - container_create_timeout (optional, int64): The timeout for container creation operations in seconds.
+#   If not set, defaults to 240 seconds. If set to a value less than 30 seconds, it will be automatically
+#   adjusted to 30 seconds (the minimum allowed value). This allows different runtime handlers to have
+#   different container creation timeouts, which is useful for VM-based runtimes that may need longer
+#   timeouts than OCI runtimes.
 #
 # Using the seccomp notifier feature:
 #
