9 files changed, 177 insertions, 19 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index 1c830cb4e..224844a06 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -2,6 +2,8 @@
 docker_cli_auth_config_path: '/root/.docker'
 openshift_docker_signature_verification: False
 
+openshift_docker_alternative_creds: False
+
 # oreg_url is defined by user input.
 oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
 oreg_auth_credentials_replace: False
@@ -20,4 +22,19 @@ l2_docker_additional_registries: "{% if openshift_docker_additional_registries i
 l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}"
 l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}"
 
+openshift_docker_use_etc_containers: False
 containers_registries_conf_path: /etc/containers/registries.conf
+
+r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
+r_crio_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
+
+r_crio_os_firewall_deny: []
+r_crio_os_firewall_allow:
+- service: crio
+  port: 10010/tcp
+
+
+openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['oo_masters_to_config']|default([])) or inventory_hostname in (groups['oo_nodes_to_config']|default([])) else False | bool }}"
+
+docker_alt_storage_path: /var/lib/containers/docker
+docker_default_storage_path: /var/lib/docker
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index b773a417c..d5faae8df 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -11,3 +11,5 @@ galaxy_info:
     - 7
 dependencies:
 - role: lib_openshift
+- role: lib_os_firewall
+- role: lib_utils
diff --git a/roles/docker/tasks/crio_firewall.yml b/roles/docker/tasks/crio_firewall.yml
new file mode 100644
index 000000000..fbd1ff515
--- /dev/null
+++ b/roles/docker/tasks/crio_firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_crio_firewall_enabled | bool and not r_crio_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_deny }}"
+
+- when: r_crio_firewall_enabled | bool and r_crio_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_deny }}"
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 5ea73568a..69ee62790 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -25,6 +25,15 @@
     - not l_use_system_container
     - not l_use_crio_only
 
+- name: Ensure /var/lib/containers exists
+  file:
+    path: /var/lib/containers
+    state: directory
+
+- name: Fix SELinux Permissions on /var/lib/containers
+  command: "restorecon -R /var/lib/containers/"
+  changed_when: false
+
 - name: Use System Container Docker if Requested
   include: systemcontainer_docker.yml
   when:
@@ -35,4 +44,49 @@
   include: systemcontainer_crio.yml
   when:
     - l_use_crio
-    - inventory_hostname in groups['oo_masters_to_config'] or inventory_hostname in groups['oo_nodes_to_config']
+    - openshift_docker_is_node_or_master | bool
+
+- name: stat the docker data dir
+  stat:
+    path: "{{ docker_default_storage_path }}"
+  register: dockerstat
+
+- when:
+    - l_use_crio
+    - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool)
+  block:
+    - name: stop the current running docker
+      systemd:
+        state: stopped
+        name: "{{ openshift.docker.service_name }}"
+
+    - name: "Ensure {{ docker_alt_storage_path }} exists"
+      file:
+        path: "{{ docker_alt_storage_path }}"
+        state: directory
+
+    - name: "Set the selinux context on {{ docker_alt_storage_path }}"
+      command: "semanage fcontext -a -e {{ docker_default_storage_path }} {{ docker_alt_storage_path }}"
+      register: results
+      failed_when:
+        - results.rc == 1
+        - "'already exists' not in results.stderr"
+
+    - name: "restorecon the {{ docker_alt_storage_path }}"
+      command: "restorecon -r {{ docker_alt_storage_path }}"
+
+    - name: Remove the old docker location
+      file:
+        state: absent
+        path: "{{ docker_default_storage_path }}"
+
+    - name: Setup the link
+      file:
+        state: link
+        src: "{{ docker_alt_storage_path }}"
+        path: "{{ docker_default_storage_path }}"
+
+    - name: start docker
+      systemd:
+        state: started
+        name: "{{ openshift.docker.service_name }}"
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index d6aee0513..8121163a6 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -81,6 +81,7 @@
   template:
     dest: "{{ containers_registries_conf_path }}"
     src: registries.conf
+  when: openshift_docker_use_etc_containers | bool
   notify:
   - restart docker
 
@@ -153,16 +154,7 @@
 - set_fact:
     docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
 
-- name: Check for credentials file for registry auth
-  stat:
-    path: "{{ docker_cli_auth_config_path }}/config.json"
-  when: oreg_auth_user is defined
-  register: docker_cli_auth_credentials_stat
-
-- name: Create credentials for docker cli registry auth
-  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
-  when:
-  - oreg_auth_user is defined
-  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
-
 - meta: flush_handlers
+
+# This needs to run after docker is restarted to account for proxy settings.
+- include: registry_auth.yml
diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml
new file mode 100644
index 000000000..2c7bc5711
--- /dev/null
+++ b/roles/docker/tasks/registry_auth.yml
@@ -0,0 +1,32 @@
+---
+- name: Check for credentials file for registry auth
+  stat:
+    path: "{{ docker_cli_auth_config_path }}/config.json"
+  when: oreg_auth_user is defined
+  register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+  register: openshift_docker_credentials_create_res
+  retries: 3
+  delay: 5
+  until: openshift_docker_credentials_create_res.rc == 0
+  when:
+  - not openshift_docker_alternative_creds | bool
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+
+# docker_creds is a custom module from lib_utils
+# 'docker login' requires a docker.service running on the local host, this is an
+# alternative implementation for non-docker hosts.  This implementation does not
+# check the registry to determine whether or not the credentials will work.
+- name: Create credentials for docker cli registry auth (alternative)
+  docker_creds:
+    path: "{{ docker_cli_auth_config_path }}"
+    registry: "{{ oreg_host }}"
+    username: "{{ oreg_auth_user }}"
+    password: "{{ oreg_auth_password }}"
+  when:
+  - openshift_docker_alternative_creds | bool
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
index 13bbd359e..3fe10454d 100644
--- a/roles/docker/tasks/systemcontainer_crio.yml
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -3,16 +3,16 @@
 # TODO: Much of this file is shared with container engine tasks
 - set_fact:
     l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}"
-  when: l2_docker_insecure_registries
+  when: l2_docker_insecure_registries | bool
 - set_fact:
     l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}"
-  when: l2_docker_additional_registries
+  when: l2_docker_additional_registries | bool
 - set_fact:
     l_crio_registries: "{{ ['docker.io'] }}"
-  when: not l2_docker_additional_registries
+  when: not (l2_docker_additional_registries | bool)
 - set_fact:
     l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"
-  when: l2_docker_additional_registries
+  when: l2_docker_additional_registries | bool
 
 - set_fact:
     l_openshift_image_tag: "{{ openshift_image_tag | string }}"
@@ -62,7 +62,7 @@
   shell: lsmod | grep overlay
   register: l_has_overlay_in_kernel
   ignore_errors: yes
-
+  failed_when: false
 
 - when: l_has_overlay_in_kernel.rc != 0
   block:
@@ -161,6 +161,10 @@
     path: /etc/cni/net.d/
     state: directory
 
+- name: setup firewall for CRI-O
+  include: crio_firewall.yml
+  static: yes
+
 - name: Configure the CNI network
   template:
     dest: /etc/cni/net.d/openshift-sdn.conf
@@ -175,3 +179,9 @@
   register: start_result
 
 - meta: flush_handlers
+
+# If we are using crio only, docker.service might not be available for
+# 'docker login'
+- include: registry_auth.yml
+  vars:
+    openshift_docker_alternative_creds: "{{ l_use_crio_only }}"
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index 726e8ada7..84220fa66 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -174,3 +174,9 @@
     docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}"
 
 - meta: flush_handlers
+
+# Since docker is running as a system container, docker login will fail to create
+# credentials.  Use alternate method if requiring authenticated registries.
+- include: registry_auth.yml
+  vars:
+    openshift_docker_alternative_creds: True
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
index b715c2ffa..3f066a17f 100644
--- a/roles/docker/templates/crio.conf.j2
+++ b/roles/docker/templates/crio.conf.j2
@@ -103,12 +103,17 @@ cgroup_manager = "systemd"
 # hooks_dir_path is the oci hooks directory for automatically executed hooks
 hooks_dir_path = "/usr/share/containers/oci/hooks.d"
 
+# default_mounts is the mounts list to be mounted for the container when created
+default_mounts = [
+	"/usr/share/rhel/secrets:/run/secrets",
+]
+
 # pids_limit is the number of processes allowed in a container
 pids_limit = 1024
 
 # log_size_max is the max limit for the container log size in bytes.
 # Negative values indicate that no limit is imposed.
-log_size_max = -1
+log_size_max = 52428800
 
 # The "crio.image" table contains settings pertaining to the
 # management of OCI images.