From e781e4cb8be85e201ad6e20ddd70401318846323 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Fri, 14 Jul 2017 10:37:48 -0400 Subject: cri-o: Allow cri-o usage. This change reuses the docker role to inject cri-o usage. --- roles/docker/tasks/main.yml | 5 ++ roles/docker/tasks/systemcontainer_crio.yml | 105 ++++++++++++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 roles/docker/tasks/systemcontainer_crio.yml (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 0c2b16acf..fab1ac57a 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -7,6 +7,7 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" + l_use_crio: "{{ openshift.docker.use_crio | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml @@ -15,3 +16,7 @@ - name: Use System Container Docker if Requested include: systemcontainer_docker.yml when: l_use_system_container + +- name: Add CRI-O usage Requested + include: systemcontainer_crio.yml + when: l_use_crio diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml new file mode 100644 index 000000000..c67904873 --- /dev/null +++ b/roles/docker/tasks/systemcontainer_crio.yml 
@@ -0,0 +1,105 @@ +--- +# TODO: Much of this file is shared with container engine tasks + +- name: Ensure container-selinux is installed + package: + name: container-selinux + state: present + when: not openshift.common.is_atomic | bool + +# Used to pull and install the system container +- name: Ensure atomic is installed + package: + name: atomic + state: present + when: not openshift.common.is_atomic | bool + +# At the time of writing the atomic command requires runc for it's own use. This +# task is here in the even that the atomic package ever removes the dependency. +- name: Ensure runc is installed + package: + name: runc + state: present + when: not openshift.common.is_atomic | bool + +- block: + + - name: Add http_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?http_proxy[:=]{1}" + line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" + when: + - openshift.common.http_proxy is defined + - openshift.common.http_proxy != '' + + - name: Add https_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?https_proxy[:=]{1}" + line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" + when: + - openshift.common.https_proxy is defined + - openshift.common.https_proxy != '' + + - name: Add no_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?no_proxy[:=]{1}" + line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" + when: + - openshift.common.no_proxy is defined + - openshift.common.no_proxy != '' + + +- block: + + - name: Set to default prepend + set_fact: + l_crio_image_prepend: "gscrivano" + + - name: Use Red Hat Registry for image when distribution is Red Hat + set_fact: + l_crio_image_prepend: "registry.access.redhat.com/openshift3" + when: ansible_distribution == 'RedHat' + + - name: Use Fedora Registry for image when distribution is Fedora + set_fact: + l_crio_image_prepend: "registry.fedoraproject.org/f25" + when: ansible_distribution == 
'Fedora' + + # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 + - name: Use a testing registry if requested + set_fact: + l_crio_image_prepend: "{{ openshift_docker_systemcontainer_image_registry_override }}" + when: + - openshift_docker_systemcontainer_image_registry_override is defined + - openshift_docker_systemcontainer_image_registry_override != "" + + - name: Set the full image name + set_fact: + l_crio_image: "{{ l_crio_image_prepend }}/{{ openshift.docker.service_name }}:latest" + +# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released +- name: Pre-pull CRI-O System Container image + command: "atomic pull --storage ostree {{ l_crio_image }}" + changed_when: false + environment: + NO_PROXY: "{{ openshift.common.no_proxy | default('') }}" + + +- name: Install CRI-O System Container + oc_atomic_container: + name: "cri-o" + image: "{{ l_crio_image }}" + state: latest + +- name: Start the CRI-O service + systemd: + name: "cri-o" + enabled: yes + state: started + daemon_reload: yes + register: start_result + +- meta: flush_handlers -- cgit v1.2.3 From ba71fba1dc64a05b9cc26b72263255a915601c84 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Sun, 16 Jul 2017 00:25:26 +0200 Subject: cri-o: configure storage and insecure registries Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/main.yml | 10 +++++++--- roles/docker/tasks/systemcontainer_crio.yml | 27 +++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 3 deletions(-) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index fab1ac57a..61230fa3d 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
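Review bot: The `Set the full image name` task builds `l_crio_image` with a fixed `:latest` tag, and the default prefix in `Set to default prepend` is the bare namespace `gscrivano`, so the pre-pull and the `oc_atomic_container` install (`state: latest`) take whatever that mutable tag points to at run time. Nothing visible in this file checks a digest or signature before the image is installed as a system container and started through systemd. I would make the tag configurable so a deployment can pin a reviewed version, for example with a new variable: `l_crio_image: "{{ l_crio_image_prepend }}/{{ openshift.docker.service_name }}:{{ l_crio_image_tag | default('latest') }}"`, and add a comment above the default prefix saying who publishes that image. The later hunks in this series that rewrite `l_crio_image` (0622da0 and 72eaf22) keep the same `:latest` reference.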
@@ -7,7 +7,7 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" - l_use_crio: "{{ openshift.docker.use_crio | default(False) }}" + l_use_crio: "{{ use_crio | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml @@ -15,8 +15,12 @@ - name: Use System Container Docker if Requested include: systemcontainer_docker.yml - when: l_use_system_container + when: + - l_use_system_container + - not l_use_crio - name: Add CRI-O usage Requested include: systemcontainer_crio.yml - when: l_use_crio + when: + - l_use_system_container + - l_use_crio diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index c67904873..f3c03df2c 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -1,5 +1,7 @@ --- # TODO: Much of this file is shared with container engine tasks +- set_fact: + l_insecure_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" - name: Ensure container-selinux is installed package: @@ -94,6 +96,31 @@ image: "{{ l_crio_image }}" state: latest +- name: run CRI-O with overlay2 + replace: + regexp: 'storage_driver = ""' + replace: 'storage_driver = "overlay2"' + name: /etc/crio/crio.conf + backup: yes + +- name: Add overlay2 storage opts for CRI-O + lineinfile: + dest: /etc/crio/crio.conf + line: '"overlay2.override_kernel_check=1"' + insertafter: 'storage_option = \[' + regexp: 'overlay2\.override_kernel_check=1' + state: present + when: ansible_distribution in ['RedHat', 'CentOS'] + +- name: Configure insecure registries for CRI-O + lineinfile: + dest: /etc/crio/crio.conf + line: "{{ l_insecure_registries }}" + insertafter: 'insecure_registries = \[' + regexp: "{{ l_insecure_registries }}" + state: present + when: openshift_docker_insecure_registries is defined + - name: Start the CRI-O service systemd: name: "cri-o" -- cgit v1.2.3 
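Review bot: In the `-94,6 +96,31` hunk, `Configure insecure registries for CRI-O` is guarded by `openshift_docker_insecure_registries is defined`, while `l_insecure_registries` is built at the top of the file from `openshift.docker.insecure_registries` with no guard; the two should test the same variable, otherwise the `join` can run on an undefined value or the guard and the value can disagree. The task also passes the rendered list as `regexp`, where the dots in registry host names are regex metacharacters; `regexp: "{{ l_insecure_registries | regex_escape }}"` matches the literal line. Because `lineinfile` only adds a line here, a registry removed from the inventory stays listed in `/etc/crio/crio.conf` and keeps being accepted without TLS verification; a comment on the task should say so, or the list should be rendered as a whole.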
From 0622da00a835fb431654cf997adc08e87b563efa Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Mon, 17 Jul 2017 17:10:50 -0400 Subject: cri-o: Hardcode image name to cri-o --- roles/docker/tasks/systemcontainer_crio.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index f3c03df2c..f88f167c7 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -80,7 +80,7 @@ - name: Set the full image name set_fact: - l_crio_image: "{{ l_crio_image_prepend }}/{{ openshift.docker.service_name }}:latest" + l_crio_image: "{{ l_crio_image_prepend }}/cri-o:latest" # NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released - name: Pre-pull CRI-O System Container image -- cgit v1.2.3 From d27fe5a5513649d34c7f208975b2ada5ea459d9b Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Tue, 18 Jul 2017 16:48:22 -0400 Subject: cri-o: Minor fixes for tasks --- roles/docker/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 61230fa3d..5f9e4cf8a 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -7,7 +7,7 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" - l_use_crio: "{{ use_crio | default(False) }}" + l_use_crio: "{{ openshift.docker.use_crio | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml @@ -22,5 +22,4 @@ - name: Add CRI-O usage Requested include: systemcontainer_crio.yml when: - - l_use_system_container - l_use_crio -- cgit v1.2.3 From 3003a54811227f5434a8a3d7c8d54c3accafd1e3 Mon Sep 17 00:00:00 2001 
From: Giuseppe Scrivano Date: Wed, 19 Jul 2017 11:48:48 +0200 Subject: crio: use a template for the configuration Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/systemcontainer_crio.yml | 29 +++++------------------------ 1 file changed, 5 insertions(+), 24 deletions(-) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index f88f167c7..7c3ed90d8 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -1,7 +1,7 @@ --- # TODO: Much of this file is shared with container engine tasks - set_fact: - l_insecure_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" + l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" - name: Ensure container-selinux is installed package: @@ -96,30 +96,11 @@ image: "{{ l_crio_image }}" state: latest -- name: run CRI-O with overlay2 - replace: - regexp: 'storage_driver = ""' - replace: 'storage_driver = "overlay2"' - name: /etc/crio/crio.conf - backup: yes - -- name: Add overlay2 storage opts for CRI-O - lineinfile: +- name: Create the CRI-O configuration + template: dest: /etc/crio/crio.conf - line: '"overlay2.override_kernel_check=1"' - insertafter: 'storage_option = \[' - regexp: 'overlay2\.override_kernel_check=1' - state: present - when: ansible_distribution in ['RedHat', 'CentOS'] - -- name: Configure insecure registries for CRI-O - lineinfile: - dest: /etc/crio/crio.conf - line: "{{ l_insecure_registries }}" - insertafter: 'insecure_registries = \[' - regexp: "{{ l_insecure_registries }}" - state: present - when: openshift_docker_insecure_registries is defined + src: crio.conf.j2 + backup: yes - name: Start the CRI-O service systemd: -- cgit v1.2.3 From c66d51f519acf2958a378c109750b86620e32122 Mon Sep 17 00:00:00 2001 
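Review bot: The new `Create the CRI-O configuration` task writes `/etc/crio/crio.conf` without `owner`, `group` or `mode`, so a newly created file gets whatever the umask yields, and `backup: yes` leaves copies of the old file beside it. Judging by the tasks this hunk removes, the file carries the storage driver and the insecure-registry list, so I would state the permissions explicitly: `owner: root`, `group: root`, `mode: "0644"`. The same applies to the `overlay.conf` template added in 941b890 and to the `/etc/cni/net.d/` directory and `openshift-sdn.conf` template added in 31e708a. The template `crio.conf.j2` is not part of this patch, so how it consumes `l_insecure_crio_registries` cannot be checked from here.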
From: Steve Milner Date: Wed, 19 Jul 2017 09:55:59 -0400 Subject: cri-o: Default insecure registries to "" --- roles/docker/tasks/systemcontainer_crio.yml | 1 + 1 file changed, 1 insertion(+) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 7c3ed90d8..651a20ea2 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -2,6 +2,7 @@ # TODO: Much of this file is shared with container engine tasks - set_fact: l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" + when: openshift.docker.insecure_registries - name: Ensure container-selinux is installed package: -- cgit v1.2.3 From 941b8905feb30f2537360b002ae4b9a457b0f3e2 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Wed, 19 Jul 2017 10:22:40 -0400 Subject: cri-o: Ensure overlay is available Some distro releases may not have overlay loaded into the kernel. This change looks for overlay via lsmod and, if it isn't already there, uses modprobe to load it in and then drops a load config into /etc/modules-load.d/overlay.conf. --- roles/docker/tasks/systemcontainer_crio.yml | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 651a20ea2..68f9d9649 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml 
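Review bot: With the added `when: openshift.docker.insecure_registries`, the fact `l_insecure_crio_registries` is left undefined when the list is empty, which does not match the subject line "Default insecure registries to """. If `crio.conf.j2` (not shown in this patch) uses the fact without a `default`, rendering would fail on hosts that have no insecure registries, and the `when` itself still errors if `openshift.docker.insecure_registries` is undefined. Setting the fact unconditionally keeps the empty case explicit, e.g. `l_insecure_crio_registries: "{{ openshift.docker.insecure_registries | default([]) | map('to_json') | join(', ') }}"`, which yields an empty string for an empty list.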
@@ -25,6 +25,26 @@ state: present when: not openshift.common.is_atomic | bool + +- name: Check that overlay is in the kernel + shell: lsmod | grep overlay + register: l_has_overlay_in_kernel + ignore_errors: yes + + +- when: l_has_overlay_in_kernel.rc != 0 + block: + + - name: Add overlay to modprobe.d + template: + dest: /etc/modules-load.d/overlay.conf + src: overlay.conf.j2 + backup: yes + + - name: Manually modprobe overlay into the kernel + command: modprobe overlay + + - block: - name: Add http_proxy to /etc/atomic.conf -- cgit v1.2.3 From 5e218e1a1df44897b46f5467e14c97d0155bae97 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Thu, 20 Jul 2017 12:38:56 -0400 Subject: cri-o: Enable systemd-modules-load if required If we had to drop the overlay file in /etc/modules-load.d/ then enable the systemd-modules-load service and make sure it runs. --- roles/docker/tasks/systemcontainer_crio.yml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 68f9d9649..21fc703fe 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -44,6 +44,12 @@ - name: Manually modprobe overlay into the kernel command: modprobe overlay + - name: Enable and start systemd-modules-load + service: + name: systemd-modules-load + enabled: yes + state: restarted + - block: -- cgit v1.2.3 From 72eaf22e58299e6584b026afb609266835177175 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Thu, 27 Jul 2017 09:20:10 +0200 Subject: cri-o: use only images from Docker Hub For the time being it won't be added to the Red Hat registry, so use only what is available on Docker Hub. Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/systemcontainer_crio.yml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) (limited to 'roles/docker/tasks') 
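Review bot: `shell: lsmod | grep overlay` in `Check that overlay is in the kernel` matches any line of the `lsmod` output that contains the substring `overlay`, not only the module itself, and with `ignore_errors: yes` the ordinary "not loaded" case is shown as a failed task. Anchoring the match and marking the task read-only makes the registered `rc` reliable: `shell: lsmod | grep -q '^overlay '`, `changed_when: false`, `failed_when: false`. The first task in the block is named `Add overlay to modprobe.d` but writes `/etc/modules-load.d/overlay.conf`; the name should say `modules-load.d`.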
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 21fc703fe..cfc9157cc 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -85,17 +85,13 @@ - name: Set to default prepend set_fact: - l_crio_image_prepend: "gscrivano" + l_crio_image_prepend: "docker.io/gscrivano" + l_crio_image_name: "crio-o-fedora" - - name: Use Red Hat Registry for image when distribution is Red Hat + - name: Use Centos based image when distribution is Red Hat or CentOS set_fact: - l_crio_image_prepend: "registry.access.redhat.com/openshift3" - when: ansible_distribution == 'RedHat' - - - name: Use Fedora Registry for image when distribution is Fedora - set_fact: - l_crio_image_prepend: "registry.fedoraproject.org/f25" - when: ansible_distribution == 'Fedora' + l_crio_image_name: "cri-o-centos" + when: ansible_distribution in ['RedHat', 'CentOS'] # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 - name: Use a testing registry if requested @@ -107,7 +103,7 @@ - name: Set the full image name set_fact: - l_crio_image: "{{ l_crio_image_prepend }}/cri-o:latest" + l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:latest" # NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released - name: Pre-pull CRI-O System Container image -- cgit v1.2.3 From 0898ff62d1b17c5102d394bf5fbf7ca54b266b75 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 28 Jul 2017 12:10:18 +0200 Subject: docker: skip Docker setup when using CRI-O Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 5f9e4cf8a..aecb289d5 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
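Review bot: The default `l_crio_image_name: "crio-o-fedora"` in `Set to default prepend` does not follow the `cri-o-` pattern of the `cri-o-centos` name set in the next task, which looks like a typo; if the published repository is `cri-o-fedora`, the pull fails on every host that is not RedHat or CentOS. Please confirm the repository name and, if it is a typo, change the line to `l_crio_image_name: "cri-o-fedora"`. This hunk also makes `docker.io/gscrivano` the only built-in source, so a comment saying that this namespace is an interim location until an official image exists, and pointing to `openshift_docker_systemcontainer_image_registry_override` for mirrors, would help operators decide whether to rely on it.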
@@ -11,7 +11,9 @@ - name: Use Package Docker if Requested include: package_docker.yml - when: not l_use_system_container + when: + - not l_use_system_container + - not l_use_crio - name: Use System Container Docker if Requested include: systemcontainer_docker.yml -- cgit v1.2.3 From f0a0e8466a917f0bf40c8b7f3076a1e8a2c8ed68 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 28 Jul 2017 18:37:58 +0200 Subject: docker: introduce use_crio_only Introduce a new variable that disable the installation of Docker. For the time being we will still need Docker for building images, so by default leave it installed. Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index aecb289d5..1f9ac5059 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -8,18 +8,19 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" l_use_crio: "{{ openshift.docker.use_crio | default(False) }}" + l_use_crio_only: "{{ openshift.docker.use_crio_only | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml when: - not l_use_system_container - - not l_use_crio + - not l_use_crio_only - name: Use System Container Docker if Requested include: systemcontainer_docker.yml when: - l_use_system_container - - not l_use_crio + - not l_use_crio_only - name: Add CRI-O usage Requested include: systemcontainer_crio.yml -- cgit v1.2.3 From 59c9668c314518762cceb5845998bc9466fa5722 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 31 Jul 2017 08:29:40 +0200 Subject: cri-o: allow to override CRI-O image indipendently from Docker Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/systemcontainer_crio.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'roles/docker/tasks') 
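Review bot: In the `-8,18 +8,19` hunk, `l_use_crio_only` now switches off both Docker includes, but the CRI-O include is still keyed on `l_use_crio` alone (its `when` lies just past the end of the hunk, as last set in d27fe5a), so `use_crio_only` set to true with `use_crio` unset would appear to install no container runtime at all. Changing that condition to `when: l_use_crio or l_use_crio_only` closes the gap; alternatively, fail early when `l_use_crio_only` is set without `l_use_crio`. A short comment above the `set_fact` explaining how the three flags combine would also help, since the commit message is the only place that says Docker stays installed by default.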
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index cfc9157cc..f18a5b117 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -96,10 +96,10 @@ # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 - name: Use a testing registry if requested set_fact: - l_crio_image_prepend: "{{ openshift_docker_systemcontainer_image_registry_override }}" + l_crio_image_prepend: "{{ openshift_crio_systemcontainer_image_registry_override }}" when: - - openshift_docker_systemcontainer_image_registry_override is defined - - openshift_docker_systemcontainer_image_registry_override != "" + - openshift_crio_systemcontainer_image_registry_override is defined + - openshift_crio_systemcontainer_image_registry_override != "" - name: Set the full image name set_fact: -- cgit v1.2.3 From 31e708a5d440a6ad13f81c4b94ad26e0b2d9587a Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 2 Aug 2017 18:44:08 +0200 Subject: cri-o: configure the CNI network Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/systemcontainer_crio.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'roles/docker/tasks') diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index f18a5b117..787f51f94 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -125,6 +125,16 @@ src: crio.conf.j2 backup: yes +- name: Ensure CNI configuration directory exists + file: + path: /etc/cni/net.d/ + state: directory + +- name: Configure the CNI network + template: + dest: /etc/cni/net.d/openshift-sdn.conf + src: 80-openshift-sdn.conf.j2 + - name: Start the CRI-O service systemd: name: "cri-o" -- cgit v1.2.3
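Review bot: After the rename in the `-96,10 +96,10` hunk, an inventory that still sets `openshift_docker_systemcontainer_image_registry_override` is silently ignored for CRI-O, and the image prefix falls back to the built-in default set earlier in the block. For sites that use the override to pull from an internal mirror this changes where the image comes from without any message. I would document the new variable next to the task and extend the comment above it, for example `# CRI-O has its own override; openshift_docker_systemcontainer_image_registry_override no longer applies here`.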