From 5120f8e90c0178ac7f6d911159ceb278dd87b4c9 Mon Sep 17 00:00:00 2001 From: Michael Gugino Date: Thu, 16 Nov 2017 14:56:14 -0500 Subject: Implement container runtime role --- .../templates/80-openshift-sdn.conf.j2 | 5 + roles/container_runtime/templates/crio.conf.j2 | 164 +++++++++++++++++++++ roles/container_runtime/templates/custom.conf.j2 | 11 ++ roles/container_runtime/templates/daemon.json | 20 +++ roles/container_runtime/templates/overlay.conf.j2 | 2 + roles/container_runtime/templates/registries.conf | 46 ++++++ .../templates/systemcontainercustom.conf.j2 | 17 +++ 7 files changed, 265 insertions(+) create mode 100644 roles/container_runtime/templates/80-openshift-sdn.conf.j2 create mode 100644 roles/container_runtime/templates/crio.conf.j2 create mode 100644 roles/container_runtime/templates/custom.conf.j2 create mode 100644 roles/container_runtime/templates/daemon.json create mode 100644 roles/container_runtime/templates/overlay.conf.j2 create mode 100644 roles/container_runtime/templates/registries.conf create mode 100644 roles/container_runtime/templates/systemcontainercustom.conf.j2 (limited to 'roles/container_runtime/templates') diff --git a/roles/container_runtime/templates/80-openshift-sdn.conf.j2 b/roles/container_runtime/templates/80-openshift-sdn.conf.j2 new file mode 100644 index 000000000..a693aea5f --- /dev/null +++ b/roles/container_runtime/templates/80-openshift-sdn.conf.j2 @@ -0,0 +1,5 @@ +{ + "cniVersion": "0.1.0", + "name": "openshift-sdn", + "type": "openshift-sdn" +} diff --git a/roles/container_runtime/templates/crio.conf.j2 b/roles/container_runtime/templates/crio.conf.j2 new file mode 100644 index 000000000..3f066a17f --- /dev/null +++ b/roles/container_runtime/templates/crio.conf.j2 @@ -0,0 +1,164 @@ +# {{ ansible_managed }} + +# The "crio" table contains all of the server options. +[crio] + +# root is a path to the "root directory". CRIO stores all of its data, +# including container images, in this directory. +root = "/var/lib/containers/storage" + +# run is a path to the "run directory". CRIO stores all of its state +# in this directory. +runroot = "/var/run/containers/storage" + +# storage_driver select which storage driver is used to manage storage +# of images and containers. +storage_driver = "overlay" + +# storage_option is used to pass an option to the storage driver. +storage_option = [ +{% if ansible_distribution in ['RedHat', 'CentOS'] %} + "overlay.override_kernel_check=1" +{% endif %} +] + +# The "crio.api" table contains settings for the kubelet/gRPC +# interface (which is also used by crioctl). +[crio.api] + +# listen is the path to the AF_LOCAL socket on which crio will listen. +listen = "/var/run/crio.sock" + +# stream_address is the IP address on which the stream server will listen +stream_address = "" + +# stream_port is the port on which the stream server will listen +stream_port = "10010" + +# file_locking is whether file-based locking will be used instead of +# in-memory locking +file_locking = true + +# The "crio.runtime" table contains settings pertaining to the OCI +# runtime used and options for how to set up and manage the OCI runtime. +[crio.runtime] + +# runtime is the OCI compatible runtime used for trusted container workloads. +# This is a mandatory setting as this runtime will be the default one +# and will also be used for untrusted container workloads if +# runtime_untrusted_workload is not set. +runtime = "/usr/bin/runc" + +# runtime_untrusted_workload is the OCI compatible runtime used for untrusted +# container workloads. This is an optional setting, except if +# default_container_trust is set to "untrusted". +runtime_untrusted_workload = "" + +# default_workload_trust is the default level of trust crio puts in container +# workloads. It can either be "trusted" or "untrusted", and the default +# is "trusted". +# Containers can be run through different container runtimes, depending on +# the trust hints we receive from kubelet: +# - If kubelet tags a container workload as untrusted, crio will try first to +# run it through the untrusted container workload runtime. If it is not set, +# crio will use the trusted runtime. +# - If kubelet does not provide any information about the container workload trust +# level, the selected runtime will depend on the default_container_trust setting. +# If it is set to "untrusted", then all containers except for the host privileged +# ones, will be run by the runtime_untrusted_workload runtime. Host privileged +# containers are by definition trusted and will always use the trusted container +# runtime. If default_container_trust is set to "trusted", crio will use the trusted +# container runtime for all containers. +default_workload_trust = "trusted" + +# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE +no_pivot = false + +# conmon is the path to conmon binary, used for managing the runtime. +conmon = "/usr/libexec/crio/conmon" + +# conmon_env is the environment variable list for conmon process, +# used for passing necessary environment variable to conmon or runtime. +conmon_env = [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", +] + +# selinux indicates whether or not SELinux will be used for pod +# separation on the host. If you enable this flag, SELinux must be running +# on the host. +selinux = true + +# seccomp_profile is the seccomp json profile path which is used as the +# default for the runtime. +seccomp_profile = "/etc/crio/seccomp.json" + +# apparmor_profile is the apparmor profile name which is used as the +# default for the runtime. +apparmor_profile = "crio-default" + +# cgroup_manager is the cgroup management implementation to be used +# for the runtime. +cgroup_manager = "systemd" + +# hooks_dir_path is the oci hooks directory for automatically executed hooks +hooks_dir_path = "/usr/share/containers/oci/hooks.d" + +# default_mounts is the mounts list to be mounted for the container when created +default_mounts = [ + "/usr/share/rhel/secrets:/run/secrets", +] + +# pids_limit is the number of processes allowed in a container +pids_limit = 1024 + +# log_size_max is the max limit for the container log size in bytes. +# Negative values indicate that no limit is imposed. +log_size_max = 52428800 + +# The "crio.image" table contains settings pertaining to the +# management of OCI images. +[crio.image] + +# default_transport is the prefix we try prepending to an image name if the +# image name as we receive it can't be parsed as a valid source reference +default_transport = "docker://" + +# pause_image is the image which we use to instantiate infra containers. +pause_image = "kubernetes/pause" + +# pause_command is the command to run in a pause_image to have a container just +# sit there. If the image contains the necessary information, this value need +# not be specified. +pause_command = "/pause" + +# signature_policy is the name of the file which decides what sort of policy we +# use when deciding whether or not to trust an image that we've pulled. +# Outside of testing situations, it is strongly advised that this be left +# unspecified so that the default system-wide policy will be used. +signature_policy = "" + +# image_volumes controls how image volumes are handled. +# The valid values are mkdir and ignore. +image_volumes = "mkdir" + +# insecure_registries is used to skip TLS verification when pulling images. +insecure_registries = [ +{{ l_insecure_crio_registries|default("") }} +] + +# registries is used to specify a comma separated list of registries to be used +# when pulling an unqualified image (e.g. fedora:rawhide). +registries = [ +{{ l_additional_crio_registries|default("") }} +] + +# The "crio.network" table contains settings pertaining to the +# management of CNI plugins. +[crio.network] + +# network_dir is is where CNI network configuration +# files are stored. +network_dir = "/etc/cni/net.d/" + +# plugin_dir is is where CNI plugin binaries are stored. +plugin_dir = "/opt/cni/bin/" diff --git a/roles/container_runtime/templates/custom.conf.j2 b/roles/container_runtime/templates/custom.conf.j2 new file mode 100644 index 000000000..713412473 --- /dev/null +++ b/roles/container_runtime/templates/custom.conf.j2 @@ -0,0 +1,11 @@ +# {{ ansible_managed }} + +[Unit] +Wants=iptables.service +After=iptables.service + +# The following line is a work-around to ensure docker is restarted whenever +# iptables is restarted. This ensures the proper iptables rules will be in +# place for docker. +# Note: This will also cause docker to be stopped if iptables is stopped. +PartOf=iptables.service diff --git a/roles/container_runtime/templates/daemon.json b/roles/container_runtime/templates/daemon.json new file mode 100644 index 000000000..383963bd3 --- /dev/null +++ b/roles/container_runtime/templates/daemon.json @@ -0,0 +1,20 @@ +{ + "authorization-plugins": ["rhel-push-plugin"], + "default-runtime": "oci", + "containerd": "/run/containerd.sock", + "disable-legacy-registry": false, + "exec-opts": ["native.cgroupdriver=systemd"], + "insecure-registries": {{ l_docker_insecure_registries }}, +{% if openshift_docker_log_driver is defined %} + "log-driver": "{{ openshift_docker_log_driver }}", +{%- endif %} + "log-opts": {{ l_docker_log_options }}, + "runtimes": { + "oci": { + "path": "/usr/libexec/docker/docker-runc-current" + } + }, + "selinux-enabled": {{ l_docker_selinux_enabled | lower }}, + "add-registry": {{ l_docker_additional_registries }}, + "block-registry": {{ l_docker_blocked_registries }} +} diff --git a/roles/container_runtime/templates/overlay.conf.j2 b/roles/container_runtime/templates/overlay.conf.j2 new file mode 100644 index 000000000..782f46c2e --- /dev/null +++ b/roles/container_runtime/templates/overlay.conf.j2 @@ -0,0 +1,2 @@ +### {{ ansible_managed }} +overlay diff --git a/roles/container_runtime/templates/registries.conf b/roles/container_runtime/templates/registries.conf new file mode 100644 index 000000000..d379b2be0 --- /dev/null +++ b/roles/container_runtime/templates/registries.conf @@ -0,0 +1,46 @@ +# {{ ansible_managed }} +# This is a system-wide configuration file used to +# keep track of registries for various container backends. +# It adheres to YAML format and does not support recursive +# lists of registries. + +# The default location for this configuration file is /etc/containers/registries.conf. + +# The only valid categories are: 'registries', 'insecure_registries', +# and 'block_registries'. + + +#registries: +# - registry.access.redhat.com + +{% if l2_docker_additional_registries %} +registries: +{% for reg in l2_docker_additional_registries %} + - {{ reg }} +{% endfor %} +{% endif %} + +# If you need to access insecure registries, uncomment the section below +# and add the registries fully-qualified name. An insecure registry is one +# that does not have a valid SSL certificate or only does HTTP. +#insecure_registries: +# - + +{% if l2_docker_insecure_registries %} +insecure_registries: +{% for reg in l2_docker_insecure_registries %} + - {{ reg }} +{% endfor %} +{% endif %} + +# If you need to block pull access from a registry, uncomment the section below +# and add the registries fully-qualified name. +#block_registries: +# - + +{% if l2_docker_blocked_registries %} +block_registries: +{% for reg in l2_docker_blocked_registries %} + - {{ reg }} +{% endfor %} +{% endif %} diff --git a/roles/container_runtime/templates/systemcontainercustom.conf.j2 b/roles/container_runtime/templates/systemcontainercustom.conf.j2 new file mode 100644 index 000000000..86eebfba6 --- /dev/null +++ b/roles/container_runtime/templates/systemcontainercustom.conf.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +[Service] +{% if "http_proxy" in openshift.common %} +Environment=HTTP_PROXY={{ docker_http_proxy }} +{% endif -%} +{% if "https_proxy" in openshift.common %} +Environment=HTTPS_PROXY={{ docker_http_proxy }} +{% endif -%} +{% if "no_proxy" in openshift.common %} +Environment=NO_PROXY={{ docker_no_proxy }} +{% endif %} +{%- if os_firewall_use_firewalld|default(false) %} +[Unit] +Wants=iptables.service +After=iptables.service +{%- endif %} -- cgit v1.2.3