summaryrefslogtreecommitdiffstats
path: root/roles/docker
diff options
context:
space:
mode:
Diffstat (limited to 'roles/docker')
-rw-r--r--roles/docker/defaults/main.yml2
-rw-r--r--roles/docker/meta/main.yml1
-rw-r--r--roles/docker/tasks/package_docker.yml5
-rw-r--r--roles/docker/tasks/registry_auth.yml16
-rw-r--r--roles/docker/tasks/systemcontainer_crio.yml6
-rw-r--r--roles/docker/tasks/systemcontainer_docker.yml8
-rw-r--r--roles/docker/templates/crio.conf.j25
7 files changed, 39 insertions, 4 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index c086c28df..224844a06 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -2,6 +2,8 @@
docker_cli_auth_config_path: '/root/.docker'
openshift_docker_signature_verification: False
+openshift_docker_alternative_creds: False
+
# oreg_url is defined by user input.
oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
oreg_auth_credentials_replace: False
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index 62b8a2eb5..d5faae8df 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -12,3 +12,4 @@ galaxy_info:
dependencies:
- role: lib_openshift
- role: lib_os_firewall
+- role: lib_utils
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index c1aedf879..8121163a6 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -154,6 +154,7 @@
- set_fact:
docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
-- include: registry_auth.yml
-
- meta: flush_handlers
+
+# This needs to run after docker is restarted to account for proxy settings.
+- include: registry_auth.yml
diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml
index d05b7f2b8..2c7bc5711 100644
--- a/roles/docker/tasks/registry_auth.yml
+++ b/roles/docker/tasks/registry_auth.yml
@@ -12,5 +12,21 @@
delay: 5
until: openshift_docker_credentials_create_res.rc == 0
when:
+ - not openshift_docker_alternative_creds | bool
+ - oreg_auth_user is defined
+ - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+
+# docker_creds is a custom module from lib_utils
+# 'docker login' requires a docker.service running on the local host, this is an
+# alternative implementation for non-docker hosts. This implementation does not
+# check the registry to determine whether or not the credentials will work.
+- name: Create credentials for docker cli registry auth (alternative)
+ docker_creds:
+ path: "{{ docker_cli_auth_config_path }}"
+ registry: "{{ oreg_host }}"
+ username: "{{ oreg_auth_user }}"
+ password: "{{ oreg_auth_password }}"
+ when:
+ - openshift_docker_alternative_creds | bool
- oreg_auth_user is defined
- (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
index 1e2d64293..3fe10454d 100644
--- a/roles/docker/tasks/systemcontainer_crio.yml
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -179,3 +179,9 @@
register: start_result
- meta: flush_handlers
+
+# If we are using crio only, docker.service might not be available for
+# 'docker login'
+- include: registry_auth.yml
+ vars:
+ openshift_docker_alternative_creds: "{{ l_use_crio_only }}"
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index aa3b35ddd..84220fa66 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -173,6 +173,10 @@
- set_fact:
docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}"
-- include: registry_auth.yml
-
- meta: flush_handlers
+
+# Since docker is running as a system container, docker login will fail to create
+# credentials. Use alternate method if requiring authenticated registries.
+- include: registry_auth.yml
+ vars:
+ openshift_docker_alternative_creds: True
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
index 93014a80d..3f066a17f 100644
--- a/roles/docker/templates/crio.conf.j2
+++ b/roles/docker/templates/crio.conf.j2
@@ -103,6 +103,11 @@ cgroup_manager = "systemd"
# hooks_dir_path is the oci hooks directory for automatically executed hooks
hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+# default_mounts is the mounts list to be mounted for the container when created
+default_mounts = [
+ "/usr/share/rhel/secrets:/run/secrets",
+]
+
# pids_limit is the number of processes allowed in a container
pids_limit = 1024
generated by cgit v1.2.3 (git 2.25.1) at 2025-11-04 11:28:15 +0000