Diffstat (limited to 'roles/docker')
| -rw-r--r-- | roles/docker/handlers/main.yml | 1 | ||||
| -rw-r--r-- | roles/docker/tasks/main.yml | 8 | ||||
| -rw-r--r-- | roles/docker/tasks/package_docker.yml | 35 | ||||
| -rw-r--r-- | roles/docker/tasks/systemcontainer_crio.yml | 21 | ||||
| -rw-r--r-- | roles/docker/tasks/systemcontainer_docker.yml | 19 | ||||
| -rw-r--r-- | roles/docker/templates/crio.conf.j2 | 26 | ||||
| -rw-r--r-- | roles/docker/templates/custom.conf.j2 | 6 | 
7 files changed, 88 insertions, 28 deletions
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
index 591367467..866ed0452 100644
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@@ -4,6 +4,7 @@
   systemd:
     name: "{{ openshift.docker.service_name }}"
     state: restarted
+    daemon_reload: yes
   register: r_docker_restart_docker_result
   until: not r_docker_restart_docker_result | failed
   retries: 3
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index dae17c3ce..f73f90686 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -10,14 +10,6 @@
     l_use_crio: "{{ openshift_use_crio | default(False) }}"
     l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}"
-- when:
-    - openshift_deployment_type == 'openshift-enterprise'
-  assert:
-    that:
-      - "openshift_image_tag is defined"
-    msg: >
-      openshift_image_tag is a required inventory variable when installing openshift-enterprise
-
 - name: Use Package Docker if Requested
   include: package_docker.yml
   when:
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index a35335937..888ae40e7 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -48,7 +48,9 @@
     template:
       dest: "{{ docker_systemd_dir }}/custom.conf"
       src: custom.conf.j2
-  when: not os_firewall_use_firewalld | default(False) | bool
+    notify:
+    - restart docker
+  when: not (os_firewall_use_firewalld | default(False)) | bool
 - name: Add enterprise registry, if necessary
   set_fact:
@@ -137,17 +139,12 @@
   notify:
   - restart docker
-- name: Check for credentials file for registry auth
-  stat:
-    path: "{{ docker_cli_auth_config_path }}/config.json"
-  when: oreg_auth_user is defined
-  register: docker_cli_auth_credentials_stat
-
-- name: Create credentials for docker cli registry auth
-  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
-  when:
-  - oreg_auth_user is defined
-  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+# The following task is needed as the systemd module may report a change in
+# state even though docker is already running.
+- name: Detect if docker is already started
+  command: "systemctl show docker -p ActiveState"
+  changed_when: False
+  register: r_docker_already_running_result
 - name: Start the Docker service
   systemd:
@@ -161,6 +158,18 @@
   delay: 30
 - set_fact:
-    docker_service_status_changed: "{{ r_docker_package_docker_start_result | changed }}"
+    docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
+
+- name: Check for credentials file for registry auth
+  stat:
+    path: "{{ docker_cli_auth_config_path }}/config.json"
+  when: oreg_auth_user is defined
+  register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+  when:
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
 - meta: flush_handlers
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
index 386369d26..fdc6cd24a 100644
--- a/roles/docker/tasks/systemcontainer_crio.yml
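Review bot: The new `Detect if docker is already started` task hard-codes the unit name in `systemctl show docker -p ActiveState`, while the restart handler in roles/docker/handlers/main.yml addresses the service as `{{ openshift.docker.service_name }}`. If that variable can ever differ from `docker` for this code path, the probe inspects the wrong unit and `docker_service_status_changed` is computed from unrelated state; using `command: "systemctl show {{ openshift.docker.service_name }} -p ActiveState"` keeps the two in step. The `Start the Docker service` task continues outside the hunk, so the name it uses is not visible here.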
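Review bot: The re-added `Create credentials for docker cli registry auth` task passes `{{ oreg_auth_password }}` as a `-p` argument, so the registry password is readable in the host's process list while the command runs and appears in Ansible's returned `cmd` (shown on failure and at higher verbosity). Adding `no_log: True` to this task keeps the rendered command out of Ansible output and logs. Where the installed docker client supports it, feeding the password on stdin with `--password-stdin` would also keep it off the command line. The commit only moves this task below the service start, so the exposure predates it, but the move is a natural place to close it.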
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -14,6 +14,22 @@
     l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"
   when: l2_docker_additional_registries
+- set_fact:
+    l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+  when: openshift_image_tag is defined
+
+- set_fact:
+    l_openshift_image_tag: "latest"
+  when:
+    - openshift_image_tag is not defined
+    - openshift_release == "latest"
+
+- set_fact:
+    l_openshift_image_tag: "{{ openshift_release | string }}"
+  when:
+    - openshift_image_tag is not defined
+    - openshift_release != "latest"
+
 - name: Ensure container-selinux is installed
   package:
     name: container-selinux
@@ -106,10 +122,9 @@
     - name: Set CRI-O image tag
       set_fact:
-        l_crio_image_tag: "{{ openshift_image_tag }}"
+        l_crio_image_tag: "{{ l_openshift_image_tag }}"
       when:
         - openshift_deployment_type == 'openshift-enterprise'
-        - openshift_image_tag is defined
     - name: Use RHEL based image when distribution is Red Hat
       set_fact:
@@ -147,7 +162,7 @@
     image: "{{ l_crio_image }}"
     state: latest
-- name: Remove CRI-o default configuration files
+- name: Remove CRI-O default configuration files
   file:
     path: "{{ item }}"
     state: absent
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index 5b1605b58..15c6a55db 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
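Review bot: The two fallback `set_fact` tasks in the first systemcontainer_crio.yml hunk compare `openshift_release` without checking that it is defined, and this commit also removes the assert in roles/docker/tasks/main.yml that required `openshift_image_tag` for openshift-enterprise. If neither variable is set (assuming nothing earlier in the play defines `openshift_release`), the `when` evaluation stops with an undefined-variable error rather than a clear message, so an assert that one of the two is defined is worth keeping. The three tasks also reduce to one, because the `latest` branch produces the same string as the general branch: `l_openshift_image_tag: "{{ openshift_image_tag | default(openshift_release) | string }}"`. When the fallback resolves to `latest`, the system container image is selected by a mutable tag, so the runtime installed on a node is whatever the registry serves at that moment; a pinned release tag is the safer default for production inventories. The identical block added at the top of systemcontainer_docker.yml has the same issues.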
@@ -1,5 +1,21 @@
 ---
+- set_fact:
+    l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+  when: openshift_image_tag is defined
+
+- set_fact:
+    l_openshift_image_tag: "latest"
+  when:
+    - openshift_image_tag is not defined
+    - openshift_release == "latest"
+
+- set_fact:
+    l_openshift_image_tag: "{{ openshift_release | string }}"
+  when:
+    - openshift_image_tag is not defined
+    - openshift_release != "latest"
+
 # If docker_options are provided we should fail. We should not install docker and ignore
 # the users configuration. NOTE: docker_options == inventory:openshift_docker_options
 - name: Fail quickly if openshift_docker_options are set
@@ -94,10 +110,9 @@
     - name: Set container engine image tag
       set_fact:
-        l_docker_image_tag: "{{ openshift_image_tag }}"
+        l_docker_image_tag: "{{ l_openshift_image_tag }}"
       when:
         - openshift_deployment_type == 'openshift-enterprise'
-        - openshift_image_tag is defined
     - name: Use Red Hat Registry for image when distribution is Red Hat
       set_fact:
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
index b4ee84fd0..b715c2ffa 100644
--- a/roles/docker/templates/crio.conf.j2
+++ b/roles/docker/templates/crio.conf.j2
@@ -13,12 +13,12 @@ runroot = "/var/run/containers/storage"
 # storage_driver select which storage driver is used to manage storage
 # of images and containers.
-storage_driver = "overlay2"
+storage_driver = "overlay"
 # storage_option is used to pass an option to the storage driver.
 storage_option = [
 {% if ansible_distribution in ['RedHat', 'CentOS'] %}
-	"overlay2.override_kernel_check=1"
+	"overlay.override_kernel_check=1"
 {% endif %}
 ]
@@ -35,6 +35,10 @@ stream_address = ""
 # stream_port is the port on which the stream server will listen
 stream_port = "10010"
+# file_locking is whether file-based locking will be used instead of
+# in-memory locking
+file_locking = true
+
 # The "crio.runtime" table contains settings pertaining to the OCI
 # runtime used and options for how to set up and manage the OCI runtime.
 [crio.runtime]
@@ -67,6 +71,9 @@ runtime_untrusted_workload = ""
 # container runtime for all containers.
 default_workload_trust = "trusted"
+# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
+no_pivot = false
+
 # conmon is the path to conmon binary, used for managing the runtime.
 conmon = "/usr/libexec/crio/conmon"
@@ -93,6 +100,16 @@ apparmor_profile = "crio-default"
 # for the runtime.
 cgroup_manager = "systemd"
+# hooks_dir_path is the oci hooks directory for automatically executed hooks
+hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+
+# pids_limit is the number of processes allowed in a container
+pids_limit = 1024
+
+# log_size_max is the max limit for the container log size in bytes.
+# Negative values indicate that no limit is imposed.
+log_size_max = -1
+
 # The "crio.image" table contains settings pertaining to the
 # management of OCI images.
 [crio.image]
@@ -115,6 +132,10 @@ pause_command = "/pause"
 # unspecified so that the default system-wide policy will be used.
 signature_policy = ""
+# image_volumes controls how image volumes are handled.
+# The valid values are mkdir and ignore.
+image_volumes = "mkdir"
+
 # insecure_registries is used to skip TLS verification when pulling images.
 insecure_registries = [
 {{ l_insecure_crio_registries|default("") }}
@@ -125,6 +146,7 @@ insecure_registries = [
 registries = [
 {{ l_additional_crio_registries|default("") }}
 ]
+
 # The "crio.network" table contains settings pertaining to the
 # management of CNI plugins.
 [crio.network]
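Review bot: `log_size_max = -1` in the `[crio.runtime]` hunk leaves container logs unbounded, as the added comment itself states, so one noisy or misbehaving container can fill the node's log filesystem. Rendering the value from a role variable, for example `log_size_max = {{ <log_size_max_variable> | default(-1) }}` with the placeholder replaced by a real inventory variable, would let operators set a bound without editing the template. The same applies to the hard-coded `pids_limit = 1024`. Separately, `hooks_dir_path` names a directory whose contents are executed automatically for containers, so the role should make sure that path is owned by root and not writable by others.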
diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2
index 9b47cb6ab..713412473 100644
--- a/roles/docker/templates/custom.conf.j2
+++ b/roles/docker/templates/custom.conf.j2
@@ -3,3 +3,9 @@
 [Unit]
 Wants=iptables.service
 After=iptables.service
+
+# The following line is a work-around to ensure docker is restarted whenever
+# iptables is restarted.  This ensures the proper iptables rules will be in
+# place for docker.
+# Note:  This will also cause docker to be stopped if iptables is stopped.
+PartOf=iptables.service  |
