Diffstat (limited to 'roles/docker')
| -rw-r--r-- | roles/docker/defaults/main.yml | 18 | ||||
| -rw-r--r-- | roles/docker/handlers/main.yml | 1 | ||||
| -rw-r--r-- | roles/docker/meta/main.yml | 2 | ||||
| -rw-r--r-- | roles/docker/tasks/crio_firewall.yml | 40 | ||||
| -rw-r--r-- | roles/docker/tasks/main.yml | 71 | ||||
| -rw-r--r-- | roles/docker/tasks/package_docker.yml | 46 | ||||
| -rw-r--r-- | roles/docker/tasks/registry_auth.yml | 32 | ||||
| -rw-r--r-- | roles/docker/tasks/systemcontainer_crio.yml | 81 | ||||
| -rw-r--r-- | roles/docker/tasks/systemcontainer_docker.yml | 61 | ||||
| -rw-r--r-- | roles/docker/templates/crio.conf.j2 | 31 | ||||
| -rw-r--r-- | roles/docker/templates/custom.conf.j2 | 6 | 
11 files changed, 281 insertions, 108 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index e36dfa7b9..224844a06 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -1,5 +1,8 @@
 ---
 docker_cli_auth_config_path: '/root/.docker'
+openshift_docker_signature_verification: False
+
+openshift_docker_alternative_creds: False
 # oreg_url is defined by user input.
 oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
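Review bot: `openshift_docker_signature_verification` and `openshift_docker_alternative_creds` are added to defaults without a comment, although the first is rendered straight into the daemon's `--signature-verification` OPTION in package_docker.yml and therefore decides whether pulled images are signature-checked at all. Suggest `# Rendered into docker's --signature-verification daemon option (package_docker.yml); False leaves image signature checking off.` above the first, and `# Write registry credentials with the docker_creds module instead of 'docker login' (no running docker.service needed).` above the second, so operators see the effect without reading the task files.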
@@ -19,4 +22,19 @@ l2_docker_additional_registries: "{% if openshift_docker_additional_registries i  l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}"  l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}" +openshift_docker_use_etc_containers: False  containers_registries_conf_path: /etc/containers/registries.conf + +r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" +r_crio_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}" + +r_crio_os_firewall_deny: [] +r_crio_os_firewall_allow: +- service: crio +  port: 10010/tcp + + +openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['oo_masters_to_config']|default([])) or inventory_hostname in (groups['oo_nodes_to_config']|default([])) else False | bool }}" + +docker_alt_storage_path: /var/lib/containers/docker +docker_default_storage_path: /var/lib/docker diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 591367467..866ed0452 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -4,6 +4,7 @@    systemd:      name: "{{ openshift.docker.service_name }}"      state: restarted +    daemon_reload: yes    register: r_docker_restart_docker_result    until: not r_docker_restart_docker_result | failed    retries: 3 
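Review bot: In `openshift_docker_is_node_or_master` the trailing `| bool` applies only to the `else False` branch, since the filter binds tighter than the inline `if`/`else`; both branches already yield a boolean, so the filter is dead and the expression reads as if it converted the whole result. The plainer `openshift_docker_is_node_or_master: "{{ inventory_hostname in (groups['oo_masters_to_config'] | default([])) or inventory_hostname in (groups['oo_nodes_to_config'] | default([])) }}"` says the same thing. `r_crio_firewall_enabled` and `r_crio_use_firewalld` are strings here and only become booleans via `| bool` in crio_firewall.yml; a one-line comment noting they mirror `os_firewall_enabled`/`os_firewall_use_firewalld` would help readers who change one and not the other.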
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index b773a417c..d5faae8df 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -11,3 +11,5 @@ galaxy_info:
     - 7
 dependencies:
 - role: lib_openshift
+- role: lib_os_firewall
+- role: lib_utils
diff --git a/roles/docker/tasks/crio_firewall.yml b/roles/docker/tasks/crio_firewall.yml
new file mode 100644
index 000000000..fbd1ff515
--- /dev/null
+++ b/roles/docker/tasks/crio_firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_crio_firewall_enabled | bool and not r_crio_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_deny }}"
+
+- when: r_crio_firewall_enabled | bool and r_crio_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_deny }}"
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index dae17c3ce..69ee62790 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
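Review bot: crio_firewall.yml has no header comment, and the shape of the items it loops over is only implied by `item.port.split('/')[1]` and `item.cond | default(True)`; the iptables path requires `port` to be `<number>/<proto>` while the firewalld path passes `item.port` through unchanged, so an entry without a `/` would fail with an index error in one path and be accepted in the other. Suggest opening the file with `# Firewall rules for the CRI-O stream port. Items in r_crio_os_firewall_allow / r_crio_os_firewall_deny are {service: <name>, port: <number>/<tcp|udp>, cond: <optional bool>}; the iptables tasks split port on '/', the firewalld tasks use it verbatim.` The task names `Remove iptables rules` and `Remove firewalld allow rules` describe the same deny list; aligning them (`Remove iptables allow rules`) keeps the two blocks parallel.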
@@ -10,13 +10,14 @@      l_use_crio: "{{ openshift_use_crio | default(False) }}"      l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}" -- when: -    - openshift_deployment_type == 'openshift-enterprise' -  assert: -    that: -      - "openshift_image_tag is defined" -    msg: > -      openshift_image_tag is a required inventory variable when installing openshift-enterprise +- name: Add enterprise registry, if necessary +  set_fact: +    l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}" +  when: +    - openshift.common.deployment_type == 'openshift-enterprise' +    - openshift_docker_ent_reg != '' +    - openshift_docker_ent_reg not in l2_docker_additional_registries +    - not l_use_crio_only  - name: Use Package Docker if Requested    include: package_docker.yml @@ -24,6 +25,15 @@      - not l_use_system_container      - not l_use_crio_only +- name: Ensure /var/lib/containers exists +  file: +    path: /var/lib/containers +    state: directory + +- name: Fix SELinux Permissions on /var/lib/containers +  command: "restorecon -R /var/lib/containers/" +  changed_when: false +  - name: Use System Container Docker if Requested    include: systemcontainer_docker.yml    when: 
@@ -34,4 +44,49 @@    include: systemcontainer_crio.yml    when:      - l_use_crio -    - inventory_hostname in groups['oo_masters_to_config'] or inventory_hostname in groups['oo_nodes_to_config'] +    - openshift_docker_is_node_or_master | bool + +- name: stat the docker data dir +  stat: +    path: "{{ docker_default_storage_path }}" +  register: dockerstat + +- when: +    - l_use_crio +    - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool) +  block: +    - name: stop the current running docker +      systemd: +        state: stopped +        name: "{{ openshift.docker.service_name }}" + +    - name: "Ensure {{ docker_alt_storage_path }} exists" +      file: +        path: "{{ docker_alt_storage_path }}" +        state: directory + +    - name: "Set the selinux context on {{ docker_alt_storage_path }}" +      command: "semanage fcontext -a -e {{ docker_default_storage_path }} {{ docker_alt_storage_path }}" +      register: results +      failed_when: +        - results.rc == 1 +        - "'already exists' not in results.stderr" + +    - name: "restorecon the {{ docker_alt_storage_path }}" +      command: "restorecon -r {{ docker_alt_storage_path }}" + +    - name: Remove the old docker location +      file: +        state: absent +        path: "{{ docker_default_storage_path }}" + +    - name: Setup the link +      file: +        state: link +        src: "{{ docker_alt_storage_path }}" +        path: "{{ docker_default_storage_path }}" + +    - name: start docker +      systemd: +        state: started +        name: "{{ openshift.docker.service_name }}" diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index a35335937..8121163a6 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml 
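Review bot: `Remove the old docker location` deletes `docker_default_storage_path` (`/var/lib/docker` by default) with `state: absent`, so every image, container and volume already stored there on a host that turns on CRI-O is discarded rather than moved to `docker_alt_storage_path`; the block only checks that the path is not already a symlink, not that it is empty or that the operator opted in to losing its contents. Failing on a populated directory before the destructive step (tasks below, placed right after `stop the current running docker`) turns a silent wipe into an explicit decision. The block is guarded by `l_use_crio` alone, so as far as I can tell it also runs on hosts that keep docker alongside CRI-O; a comment stating that the relocation is intended for that case too would make the intent clear.

```yaml
    - name: Find existing content in the old docker location
      find:
        paths: "{{ docker_default_storage_path }}"
        file_type: any
        hidden: true
      register: l_docker_old_storage_contents

    - name: Refuse to discard a populated docker data dir
      fail:
        msg: "{{ docker_default_storage_path }} is not empty; migrate or remove its contents before it is replaced by a link to {{ docker_alt_storage_path }}"
      when: l_docker_old_storage_contents.matched > 0

    # … unchanged: Ensure alt path exists / semanage fcontext / restorecon / Remove the old docker location / Setup the link / start docker …
```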
@@ -48,15 +48,9 @@      template:        dest: "{{ docker_systemd_dir }}/custom.conf"        src: custom.conf.j2 -  when: not os_firewall_use_firewalld | default(False) | bool - -- name: Add enterprise registry, if necessary -  set_fact: -    l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}" -  when: -  - openshift.common.deployment_type == 'openshift-enterprise' -  - openshift_docker_ent_reg != '' -  - openshift_docker_ent_reg not in l2_docker_additional_registries +    notify: +    - restart docker +  when: not (os_firewall_use_firewalld | default(False)) | bool  - stat: path=/etc/sysconfig/docker    register: docker_check @@ -87,6 +81,7 @@    template:      dest: "{{ containers_registries_conf_path }}"      src: registries.conf +  when: openshift_docker_use_etc_containers | bool    notify:    - restart docker 
@@ -113,11 +108,12 @@      dest: /etc/sysconfig/docker      regexp: '^OPTIONS=.*$'      line: "OPTIONS='\ -      {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %}\ -      {% if docker_log_driver is defined  %} --log-driver {{ docker_log_driver }}{% endif %}\ -      {% if docker_log_options is defined %} {{ docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\ -      {% if docker_options is defined %} {{ docker_options }}{% endif %}\ -      {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'" +      {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \ +      {% if docker_log_driver is defined  %} --log-driver {{ docker_log_driver }}{% endif %} \ +      {% if docker_log_options is defined %} {{ docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \ +      {% if docker_options is defined %} {{ docker_options }}{% endif %} \ +      {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %} \ +      --signature-verification={{ openshift_docker_signature_verification | bool }}'"    when: docker_check.stat.isreg is defined and docker_check.stat.isreg    notify:    - restart docker 
@@ -137,17 +133,12 @@    notify:    - restart docker -- name: Check for credentials file for registry auth -  stat: -    path: "{{ docker_cli_auth_config_path }}/config.json" -  when: oreg_auth_user is defined -  register: docker_cli_auth_credentials_stat - -- name: Create credentials for docker cli registry auth -  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" -  when: -  - oreg_auth_user is defined -  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool +# The following task is needed as the systemd module may report a change in +# state even though docker is already running. +- name: Detect if docker is already started +  command: "systemctl show docker -p ActiveState" +  changed_when: False +  register: r_docker_already_running_result  - name: Start the Docker service    systemd: @@ -161,6 +152,9 @@    delay: 30  - set_fact: -    docker_service_status_changed: "{{ r_docker_package_docker_start_result | changed }}" +    docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"  - meta: flush_handlers + +# This needs to run after docker is restarted to account for proxy settings. +- include: registry_auth.yml diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml new file mode 100644 index 000000000..2c7bc5711 --- /dev/null +++ b/roles/docker/tasks/registry_auth.yml 
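Review bot: `Detect if docker is already started` hard-codes the unit name in `systemctl show docker -p ActiveState`, while every other task in the role (the restart handler, the stop/start tasks in main.yml) addresses `{{ openshift.docker.service_name }}`. If the two ever differ the command returns `ActiveState=inactive` for the wrong unit and the `docker_service_status_changed` expression below, which compares `stdout` literally against `'ActiveState=active'`, reports a change on every run. Use `command: "systemctl show {{ openshift.docker.service_name }} -p ActiveState"` to keep the probe and the service it reasons about in sync.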
@@ -0,0 +1,32 @@
+---
+- name: Check for credentials file for registry auth
+  stat:
+    path: "{{ docker_cli_auth_config_path }}/config.json"
+  when: oreg_auth_user is defined
+  register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+  register: openshift_docker_credentials_create_res
+  retries: 3
+  delay: 5
+  until: openshift_docker_credentials_create_res.rc == 0
+  when:
+  - not openshift_docker_alternative_creds | bool
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+
+# docker_creds is a custom module from lib_utils
+# 'docker login' requires a docker.service running on the local host, this is an
+# alternative implementation for non-docker hosts.  This implementation does not
+# check the registry to determine whether or not the credentials will work.
+- name: Create credentials for docker cli registry auth (alternative)
+  docker_creds:
+    path: "{{ docker_cli_auth_config_path }}"
+    registry: "{{ oreg_host }}"
+    username: "{{ oreg_auth_user }}"
+    password: "{{ oreg_auth_password }}"
+  when:
+  - openshift_docker_alternative_creds | bool
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
index 386369d26..3fe10454d 100644
--- a/roles/docker/tasks/systemcontainer_crio.yml
+++ b/roles/docker/tasks/systemcontainer_crio.yml
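Review bot: Both credential tasks expose `oreg_auth_password` in play output: `Create credentials for docker cli registry auth` places it on the `docker login` command line, so it is captured in the registered `openshift_docker_credentials_create_res` (and shown on each of the three retries when the task fails), and the `docker_creds` task will print its `password` argument in verbose or failure output as well. Add `no_log: true` to both tasks. The command-line form also leaves the password visible in the host's process list for the duration of `docker login`; the `docker_creds` path avoids that, which is worth adding to the comment block above it so readers know it is not only a "no docker.service" fallback.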
@@ -3,16 +3,32 @@  # TODO: Much of this file is shared with container engine tasks  - set_fact:      l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}" -  when: l2_docker_insecure_registries +  when: l2_docker_insecure_registries | bool  - set_fact:      l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}" -  when: l2_docker_additional_registries +  when: l2_docker_additional_registries | bool  - set_fact:      l_crio_registries: "{{ ['docker.io'] }}" -  when: not l2_docker_additional_registries +  when: not (l2_docker_additional_registries | bool)  - set_fact:      l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}" -  when: l2_docker_additional_registries +  when: l2_docker_additional_registries | bool + +- set_fact: +    l_openshift_image_tag: "{{ openshift_image_tag | string }}" +  when: openshift_image_tag is defined + +- set_fact: +    l_openshift_image_tag: "latest" +  when: +    - openshift_image_tag is not defined +    - openshift_release == "latest" + +- set_fact: +    l_openshift_image_tag: "{{ openshift_release | string }}" +  when: +    - openshift_image_tag is not defined +    - openshift_release != "latest"  - name: Ensure container-selinux is installed    package: @@ -20,6 +36,12 @@      state: present    when: not openshift.common.is_atomic | bool +- name: Check we are not using node as a Docker container with CRI-O +  fail: msg='Cannot use CRI-O with node configured as a Docker container' +  when: +    - openshift.common.is_containerized | bool +    - not openshift.common.is_node_system_container | bool +  # Used to pull and install the system container  - name: Ensure atomic is installed    package: @@ -40,7 +62,7 @@    shell: lsmod | grep overlay    register: l_has_overlay_in_kernel    ignore_errors: yes - +  failed_when: false  - when: l_has_overlay_in_kernel.rc != 0    block: 
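Review bot: The four `when:` changes at the top of the hunk apply `| bool` to `l2_docker_insecure_registries` and `l2_docker_additional_registries`, which the defaults render as lists; as far as I can tell Ansible's `bool` filter returns False for any value that is neither a boolean nor one of the recognised true strings, so for a non-empty list the first, second and fourth `set_fact` would never run and the third would always run, leaving `l_crio_registries` at `['docker.io']` and `l_insecure_crio_registries` undefined regardless of the inventory. If the intent is "list is non-empty", `when: l2_docker_insecure_registries | length > 0` (and `when: l2_docker_additional_registries | length == 0` for the negated case) states it without depending on the filter's handling of lists. Further down, `ignore_errors: yes` and the added `failed_when: false` on the `lsmod | grep overlay` task overlap; keeping only `failed_when: false` is enough. The three `l_openshift_image_tag` tasks are duplicated verbatim in systemcontainer_docker.yml; a shared task file included from both would keep the fallback logic in one place.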
@@ -60,36 +82,10 @@          enabled: yes          state: restarted - -- block: - -    - name: Add http_proxy to /etc/atomic.conf -      lineinfile: -        dest: /etc/atomic.conf -        regexp: "^#?http_proxy[:=]{1}" -        line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" -      when: -        - openshift.common.http_proxy is defined -        - openshift.common.http_proxy != '' - -    - name: Add https_proxy to /etc/atomic.conf -      lineinfile: -        dest: /etc/atomic.conf -        regexp: "^#?https_proxy[:=]{1}" -        line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" -      when: -        - openshift.common.https_proxy is defined -        - openshift.common.https_proxy != '' - -    - name: Add no_proxy to /etc/atomic.conf -      lineinfile: -        dest: /etc/atomic.conf -        regexp: "^#?no_proxy[:=]{1}" -        line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" -      when: -        - openshift.common.no_proxy is defined -        - openshift.common.no_proxy != '' - +- name: Ensure proxies are in the atomic.conf +  include_role: +    name: openshift_atomic +    tasks_from: proxy  - block: @@ -106,10 +102,9 @@      - name: Set CRI-O image tag        set_fact: -        l_crio_image_tag: "{{ openshift_image_tag }}" +        l_crio_image_tag: "{{ l_openshift_image_tag }}"        when:          - openshift_deployment_type == 'openshift-enterprise' -        - openshift_image_tag is defined      - name: Use RHEL based image when distribution is Red Hat        set_fact: @@ -147,7 +142,7 @@      image: "{{ l_crio_image }}"      state: latest -- name: Remove CRI-o default configuration files +- name: Remove CRI-O default configuration files    file:      path: "{{ item }}"      state: absent 
@@ -166,6 +161,10 @@      path: /etc/cni/net.d/      state: directory +- name: setup firewall for CRI-O +  include: crio_firewall.yml +  static: yes +  - name: Configure the CNI network    template:      dest: /etc/cni/net.d/openshift-sdn.conf @@ -180,3 +179,9 @@    register: start_result  - meta: flush_handlers + +# If we are using crio only, docker.service might not be available for +# 'docker login' +- include: registry_auth.yml +  vars: +    openshift_docker_alternative_creds: "{{ l_use_crio_only }}" diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index 5b1605b58..84220fa66 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -1,5 +1,21 @@  --- +- set_fact: +    l_openshift_image_tag: "{{ openshift_image_tag | string }}" +  when: openshift_image_tag is defined + +- set_fact: +    l_openshift_image_tag: "latest" +  when: +    - openshift_image_tag is not defined +    - openshift_release == "latest" + +- set_fact: +    l_openshift_image_tag: "{{ openshift_release | string }}" +  when: +    - openshift_image_tag is not defined +    - openshift_release != "latest" +  # If docker_options are provided we should fail. We should not install docker and ignore  # the users configuration. NOTE: docker_options == inventory:openshift_docker_options  - name: Fail quickly if openshift_docker_options are set 
@@ -52,38 +68,10 @@    retries: 3    delay: 30 - -# Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf -# regexp: the line starts with or without #, followed by the string -#         http_proxy, then either : or = -- block: - -    - name: Add http_proxy to /etc/atomic.conf -      lineinfile: -        dest: /etc/atomic.conf -        regexp: "^#?http_proxy[:=]{1}" -        line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" -      when: -        - openshift.common.http_proxy is defined -        - openshift.common.http_proxy != '' - -    - name: Add https_proxy to /etc/atomic.conf -      lineinfile: -        dest: /etc/atomic.conf -        regexp: "^#?https_proxy[:=]{1}" -        line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" -      when: -        - openshift.common.https_proxy is defined -        - openshift.common.https_proxy != '' - -    - name: Add no_proxy to /etc/atomic.conf -      lineinfile: -        dest: /etc/atomic.conf -        regexp: "^#?no_proxy[:=]{1}" -        line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" -      when: -        - openshift.common.no_proxy is defined -        - openshift.common.no_proxy != '' +- name: Ensure proxies are in the atomic.conf +  include_role: +    name: openshift_atomic +    tasks_from: proxy  - block: @@ -94,10 +82,9 @@      - name: Set container engine image tag        set_fact: -        l_docker_image_tag: "{{ openshift_image_tag }}" +        l_docker_image_tag: "{{ l_openshift_image_tag }}"        when:          - openshift_deployment_type == 'openshift-enterprise' -        - openshift_image_tag is defined      - name: Use Red Hat Registry for image when distribution is Red Hat        set_fact: 
@@ -187,3 +174,9 @@      docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}"  - meta: flush_handlers + +# Since docker is running as a system container, docker login will fail to create +# credentials.  Use alternate method if requiring authenticated registries. +- include: registry_auth.yml +  vars: +    openshift_docker_alternative_creds: True diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 index b4ee84fd0..3f066a17f 100644 --- a/roles/docker/templates/crio.conf.j2 +++ b/roles/docker/templates/crio.conf.j2 @@ -13,12 +13,12 @@ runroot = "/var/run/containers/storage"  # storage_driver select which storage driver is used to manage storage  # of images and containers. -storage_driver = "overlay2" +storage_driver = "overlay"  # storage_option is used to pass an option to the storage driver.  storage_option = [  {% if ansible_distribution in ['RedHat', 'CentOS'] %} -	"overlay2.override_kernel_check=1" +	"overlay.override_kernel_check=1"  {% endif %}  ] @@ -35,6 +35,10 @@ stream_address = ""  # stream_port is the port on which the stream server will listen  stream_port = "10010" +# file_locking is whether file-based locking will be used instead of +# in-memory locking +file_locking = true +  # The "crio.runtime" table contains settings pertaining to the OCI  # runtime used and options for how to set up and manage the OCI runtime.  [crio.runtime] @@ -67,6 +71,9 @@ runtime_untrusted_workload = ""  # container runtime for all containers.  default_workload_trust = "trusted" +# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE +no_pivot = false +  # conmon is the path to conmon binary, used for managing the runtime.  conmon = "/usr/libexec/crio/conmon" 
@@ -93,6 +100,21 @@ apparmor_profile = "crio-default"  # for the runtime.  cgroup_manager = "systemd" +# hooks_dir_path is the oci hooks directory for automatically executed hooks +hooks_dir_path = "/usr/share/containers/oci/hooks.d" + +# default_mounts is the mounts list to be mounted for the container when created +default_mounts = [ +	"/usr/share/rhel/secrets:/run/secrets", +] + +# pids_limit is the number of processes allowed in a container +pids_limit = 1024 + +# log_size_max is the max limit for the container log size in bytes. +# Negative values indicate that no limit is imposed. +log_size_max = 52428800 +  # The "crio.image" table contains settings pertaining to the  # management of OCI images.  [crio.image] @@ -115,6 +137,10 @@ pause_command = "/pause"  # unspecified so that the default system-wide policy will be used.  signature_policy = "" +# image_volumes controls how image volumes are handled. +# The valid values are mkdir and ignore. +image_volumes = "mkdir" +  # insecure_registries is used to skip TLS verification when pulling images.  insecure_registries = [  {{ l_insecure_crio_registries|default("") }} @@ -125,6 +151,7 @@ insecure_registries = [  registries = [  {{ l_additional_crio_registries|default("") }}  ] +  # The "crio.network" table contains settings pertaining to the  # management of CNI plugins.  [crio.network] diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2 index 9b47cb6ab..713412473 100644 --- a/roles/docker/templates/custom.conf.j2 +++ b/roles/docker/templates/custom.conf.j2 @@ -3,3 +3,9 @@  [Unit]  Wants=iptables.service  After=iptables.service + +# The following line is a work-around to ensure docker is restarted whenever +# iptables is restarted.  This ensures the proper iptables rules will be in +# place for docker. +# Note:  This will also cause docker to be stopped if iptables is stopped. +PartOf=iptables.service  | 
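Review bot: `default_mounts` bind-mounts `/usr/share/rhel/secrets` into every container unconditionally, while the `overlay.override_kernel_check=1` storage option earlier in the same template is wrapped in `{% if ansible_distribution in ['RedHat', 'CentOS'] %}`; on other distributions that source path presumably does not exist, and the template currently has no comment saying what the mount is for. Wrapping the entry in the same `{% if %}` keeps the template consistent, and a line such as `# RHEL subscription entitlements, made available to every container` above it records why a host path is injected into all workloads. The `hooks_dir_path` comment could also note that any hook placed there runs for every container, which is why the directory's ownership matters.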
