diff options
Diffstat (limited to 'roles/docker/tasks')
| -rw-r--r-- | roles/docker/tasks/main.yml | 16 | ||||
| -rw-r--r-- | roles/docker/tasks/package_docker.yml | 49 | ||||
| -rw-r--r-- | roles/docker/tasks/systemcontainer_crio.yml | 173 | ||||
| -rw-r--r-- | roles/docker/tasks/systemcontainer_docker.yml | 46 |
4 files changed, 256 insertions, 28 deletions
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 0c2b16acf..7ece0e061 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -7,11 +7,23 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" + l_use_crio: "{{ openshift_use_crio | default(False) }}" + l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml - when: not l_use_system_container + when: + - not l_use_system_container + - not l_use_crio_only - name: Use System Container Docker if Requested include: systemcontainer_docker.yml - when: l_use_system_container + when: + - l_use_system_container + - not l_use_crio_only + +- name: Add CRI-O usage Requested + include: systemcontainer_crio.yml + when: + - l_use_crio + - inventory_hostname in groups['oo_masters_to_config'] or inventory_hostname in groups['oo_nodes_to_config'] diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index c82d8659a..4215dc5bd 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -3,6 +3,8 @@ command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker" when: not openshift.common.is_atomic | bool register: curr_docker_version + retries: 4 + until: curr_docker_version | succeeded changed_when: false - name: Error out if Docker pre-installed but too old @@ -48,25 +50,33 @@ src: custom.conf.j2 when: not os_firewall_use_firewalld | default(False) | bool +- name: Add enterprise registry, if necessary + set_fact: + l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}" + when: + - openshift.common.deployment_type == 'openshift-enterprise' + - openshift_docker_ent_reg != '' + - openshift_docker_ent_reg not in l2_docker_additional_registries + - stat: path=/etc/sysconfig/docker register: docker_check -- name: Set registry params +- name: Comment old registry params in /etc/sysconfig/docker lineinfile: dest: /etc/sysconfig/docker regexp: '^{{ item.reg_conf_var }}=.*$' - line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'" - when: item.reg_fact_val != '' and docker_check.stat.isreg is defined and docker_check.stat.isreg + line: "#{{ item.reg_conf_var }}=''# Moved to {{ containers_registries_conf_path }}" with_items: - reg_conf_var: ADD_REGISTRY - reg_fact_val: "{{ docker_additional_registries | default(None, true)}}" - reg_flag: --add-registry - reg_conf_var: BLOCK_REGISTRY - reg_fact_val: "{{ docker_blocked_registries| default(None, true) }}" - reg_flag: --block-registry - reg_conf_var: INSECURE_REGISTRY - reg_fact_val: "{{ docker_insecure_registries| default(None, true) }}" - reg_flag: --insecure-registry + notify: + - restart docker + +- name: Place additional/blocked/insecure registies in /etc/containers/registries.conf + template: + dest: "{{ containers_registries_conf_path }}" + src: registries.conf notify: - restart docker @@ -93,7 +103,7 @@ dest: /etc/sysconfig/docker regexp: '^OPTIONS=.*$' line: "OPTIONS='\ - {% if ansible_selinux.status | default(None) == '''enabled''' and docker_selinux_enabled | default(true) %} --selinux-enabled {% endif %}\ + {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %}\ {% if docker_log_driver is defined %} --log-driver {{ docker_log_driver }}{% endif %}\ {% if docker_log_options is defined %} {{ docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\ {% if docker_options is defined %} {{ docker_options }}{% endif %}\ @@ -117,15 +127,30 @@ notify: - restart docker +- name: Check for credentials file for registry auth + stat: + path: "{{ docker_cli_auth_config_path }}/config.json" + when: oreg_auth_user is defined + register: docker_cli_auth_credentials_stat + +- name: Create credentials for docker cli registry auth + command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" + when: + - oreg_auth_user is defined + - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + - name: Start the Docker service systemd: name: docker enabled: yes state: started daemon_reload: yes - register: start_result + register: r_docker_package_docker_start_result + until: not r_docker_package_docker_start_result | failed + retries: 3 + delay: 30 - set_fact: - docker_service_status_changed: start_result | changed + docker_service_status_changed: "{{ r_docker_package_docker_start_result | changed }}" - meta: flush_handlers diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml new file mode 100644 index 000000000..66ce475e1 --- /dev/null +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -0,0 +1,173 @@ +--- +# TODO: Much of this file is shared with container engine tasks +- set_fact: + l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}" + when: l2_docker_insecure_registries +- set_fact: + l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}" + when: l2_docker_additional_registries +- set_fact: + l_crio_registries: "{{ ['docker.io'] }}" + when: not l2_docker_additional_registries +- set_fact: + l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}" + when: l2_docker_additional_registries + +- name: Ensure container-selinux is installed + package: + name: container-selinux + state: present + when: not openshift.common.is_atomic | bool + +# Used to pull and install the system container +- name: Ensure atomic is installed + package: + name: atomic + state: present + when: not openshift.common.is_atomic | bool + +# At the time of writing the atomic command requires runc for it's own use. This +# task is here in the even that the atomic package ever removes the dependency. +- name: Ensure runc is installed + package: + name: runc + state: present + when: not openshift.common.is_atomic | bool + + +- name: Check that overlay is in the kernel + shell: lsmod | grep overlay + register: l_has_overlay_in_kernel + ignore_errors: yes + + +- when: l_has_overlay_in_kernel.rc != 0 + block: + + - name: Add overlay to modprobe.d + template: + dest: /etc/modules-load.d/overlay.conf + src: overlay.conf.j2 + backup: yes + + - name: Manually modprobe overlay into the kernel + command: modprobe overlay + + - name: Enable and start systemd-modules-load + service: + name: systemd-modules-load + enabled: yes + state: restarted + + +- block: + + - name: Add http_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?http_proxy[:=]{1}" + line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" + when: + - openshift.common.http_proxy is defined + - openshift.common.http_proxy != '' + + - name: Add https_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?https_proxy[:=]{1}" + line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" + when: + - openshift.common.https_proxy is defined + - openshift.common.https_proxy != '' + + - name: Add no_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?no_proxy[:=]{1}" + line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" + when: + - openshift.common.no_proxy is defined + - openshift.common.no_proxy != '' + + +- block: + + - name: Set to default prepend + set_fact: + l_crio_image_prepend: "docker.io/gscrivano" + l_crio_image_name: "cri-o-fedora" + + - name: Use Centos based image when distribution is CentOS + set_fact: + l_crio_image_name: "cri-o-centos" + when: ansible_distribution == "CentOS" + + - name: Use RHEL based image when distribution is Red Hat + set_fact: + l_crio_image_prepend: "registry.access.redhat.com/openshift3" + l_crio_image_name: "cri-o" + when: ansible_distribution == "RedHat" + + - name: Set the full image name + set_fact: + l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:latest" + + # For https://github.com/openshift/aos-cd-jobs/pull/624#pullrequestreview-61816548 + - name: Use a specific image if requested + set_fact: + l_crio_image: "{{ openshift_crio_systemcontainer_image_override }}" + when: + - openshift_crio_systemcontainer_image_override is defined + - openshift_crio_systemcontainer_image_override != "" + + # Be nice and let the user see the variable result + - debug: + var: l_crio_image + +# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released +- name: Pre-pull CRI-O System Container image + command: "atomic pull --storage ostree {{ l_crio_image }}" + changed_when: false + environment: + NO_PROXY: "{{ openshift.common.no_proxy | default('') }}" + + +- name: Install CRI-O System Container + oc_atomic_container: + name: "cri-o" + image: "{{ l_crio_image }}" + state: latest + +- name: Remove CRI-o default configuration files + file: + path: "{{ item }}" + state: absent + with_items: + - /etc/cni/net.d/200-loopback.conf + - /etc/cni/net.d/100-crio-bridge.conf + +- name: Create the CRI-O configuration + template: + dest: /etc/crio/crio.conf + src: crio.conf.j2 + backup: yes + +- name: Ensure CNI configuration directory exists + file: + path: /etc/cni/net.d/ + state: directory + +- name: Configure the CNI network + template: + dest: /etc/cni/net.d/openshift-sdn.conf + src: 80-openshift-sdn.conf.j2 + +- name: Start the CRI-O service + systemd: + name: "cri-o" + enabled: yes + state: started + daemon_reload: yes + register: start_result + +- meta: flush_handlers diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index 650f06f86..8b43393cb 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -12,6 +12,12 @@ traditional docker package install. Otherwise, comment out openshift_docker_options in your inventory file. +- name: Ensure container-selinux is installed + package: + name: container-selinux + state: present + when: not openshift.common.is_atomic | bool + # Used to pull and install the system container - name: Ensure atomic is installed package: @@ -40,6 +46,11 @@ state: stopped daemon_reload: yes ignore_errors: True + register: r_docker_systemcontainer_docker_stop_result + until: not r_docker_systemcontainer_docker_stop_result | failed + retries: 3 + delay: 30 + # Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf # regexp: the line starts with or without #, followed by the string @@ -86,21 +97,25 @@ - name: Use Fedora Registry for image when distribution is Fedora set_fact: - l_docker_image_prepend: "registry.fedoraproject.org" + l_docker_image_prepend: "registry.fedoraproject.org/f25" when: ansible_distribution == 'Fedora' - # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 - - name: Use a testing registry if requested - set_fact: - l_docker_image_prepend: "{{ openshift_docker_systemcontainer_image_registry_override }}" - when: - - openshift_docker_systemcontainer_image_registry_override is defined - - openshift_docker_systemcontainer_image_registry_override != "" - - name: Set the full image name set_fact: l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:latest" + # For https://github.com/openshift/openshift-ansible/pull/5354#issuecomment-328552959 + - name: Use a specific image if requested + set_fact: + l_docker_image: "{{ openshift_docker_systemcontainer_image_override }}" + when: + - openshift_docker_systemcontainer_image_override is defined + - openshift_docker_systemcontainer_image_override != "" + + # Be nice and let the user see the variable result + - debug: + var: l_docker_image + # NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released - name: Pre-pull Container Engine System Container image command: "atomic pull --storage ostree {{ l_docker_image }}" @@ -133,10 +148,10 @@ # Set local versions of facts that must be in json format for container-daemon.json # NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson - set_fact: - l_docker_insecure_registries: "{{ docker_insecure_registries | default([]) | to_json }}" + l_docker_insecure_registries: "{{ l2_docker_insecure_registries | default([]) | to_json }}" l_docker_log_options: "{{ docker_log_options | default({}) | to_json }}" - l_docker_additional_registries: "{{ docker_additional_registries | default([]) | to_json }}" - l_docker_blocked_registries: "{{ docker_blocked_registries | default([]) | to_json }}" + l_docker_additional_registries: "{{ l2_docker_additional_registries | default([]) | to_json }}" + l_docker_blocked_registries: "{{ l2_docker_blocked_registries | default([]) | to_json }}" l_docker_selinux_enabled: "{{ docker_selinux_enabled | default(true) | to_json }}" # Configure container-engine using the container-daemon.json file @@ -154,9 +169,12 @@ enabled: yes state: started daemon_reload: yes - register: start_result + register: r_docker_systemcontainer_docker_start_result + until: not r_docker_systemcontainer_docker_start_result | failed + retries: 3 + delay: 30 - set_fact: - docker_service_status_changed: start_result | changed + docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}" - meta: flush_handlers |