diff options
Diffstat (limited to 'roles/docker')
-rw-r--r-- | roles/docker/handlers/main.yml | 1 | ||||
-rw-r--r-- | roles/docker/tasks/main.yml | 8 | ||||
-rw-r--r-- | roles/docker/tasks/package_docker.yml | 13 | ||||
-rw-r--r-- | roles/docker/tasks/systemcontainer_crio.yml | 21 | ||||
-rw-r--r-- | roles/docker/tasks/systemcontainer_docker.yml | 19 | ||||
-rw-r--r-- | roles/docker/templates/crio.conf.j2 | 26 | ||||
-rw-r--r-- | roles/docker/templates/custom.conf.j2 | 6 |
7 files changed, 77 insertions, 17 deletions
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 591367467..866ed0452 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -4,6 +4,7 @@ systemd: name: "{{ openshift.docker.service_name }}" state: restarted + daemon_reload: yes register: r_docker_restart_docker_result until: not r_docker_restart_docker_result | failed retries: 3 diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index dae17c3ce..f73f90686 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -10,14 +10,6 @@ l_use_crio: "{{ openshift_use_crio | default(False) }}" l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}" -- when: - - openshift_deployment_type == 'openshift-enterprise' - assert: - that: - - "openshift_image_tag is defined" - msg: > - openshift_image_tag is a required inventory variable when installing openshift-enterprise - - name: Use Package Docker if Requested include: package_docker.yml when: diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index eab5c3bb1..888ae40e7 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -48,7 +48,9 @@ template: dest: "{{ docker_systemd_dir }}/custom.conf" src: custom.conf.j2 - when: not os_firewall_use_firewalld | default(False) | bool + notify: + - restart docker + when: not (os_firewall_use_firewalld | default(False)) | bool - name: Add enterprise registry, if necessary set_fact: @@ -137,6 +139,13 @@ notify: - restart docker +# The following task is needed as the systemd module may report a change in +# state even though docker is already running. +- name: Detect if docker is already started + command: "systemctl show docker -p ActiveState" + changed_when: False + register: r_docker_already_running_result + - name: Start the Docker service systemd: name: docker @@ -149,7 +158,7 @@ delay: 30 - set_fact: - docker_service_status_changed: "{{ r_docker_package_docker_start_result | changed }}" + docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}" - name: Check for credentials file for registry auth stat: diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 386369d26..fdc6cd24a 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -14,6 +14,22 @@ l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}" when: l2_docker_additional_registries +- set_fact: + l_openshift_image_tag: "{{ openshift_image_tag | string }}" + when: openshift_image_tag is defined + +- set_fact: + l_openshift_image_tag: "latest" + when: + - openshift_image_tag is not defined + - openshift_release == "latest" + +- set_fact: + l_openshift_image_tag: "{{ openshift_release | string }}" + when: + - openshift_image_tag is not defined + - openshift_release != "latest" + - name: Ensure container-selinux is installed package: name: container-selinux @@ -106,10 +122,9 @@ - name: Set CRI-O image tag set_fact: - l_crio_image_tag: "{{ openshift_image_tag }}" + l_crio_image_tag: "{{ l_openshift_image_tag }}" when: - openshift_deployment_type == 'openshift-enterprise' - - openshift_image_tag is defined - name: Use RHEL based image when distribution is Red Hat set_fact: @@ -147,7 +162,7 @@ image: "{{ l_crio_image }}" state: latest -- name: Remove CRI-o default configuration files +- name: Remove CRI-O default configuration files file: path: "{{ item }}" state: absent diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index 5b1605b58..15c6a55db 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -1,5 +1,21 @@ --- +- set_fact: + l_openshift_image_tag: "{{ openshift_image_tag | string }}" + when: openshift_image_tag is defined + +- set_fact: + l_openshift_image_tag: "latest" + when: + - openshift_image_tag is not defined + - openshift_release == "latest" + +- set_fact: + l_openshift_image_tag: "{{ openshift_release | string }}" + when: + - openshift_image_tag is not defined + - openshift_release != "latest" + # If docker_options are provided we should fail. We should not install docker and ignore # the users configuration. NOTE: docker_options == inventory:openshift_docker_options - name: Fail quickly if openshift_docker_options are set @@ -94,10 +110,9 @@ - name: Set container engine image tag set_fact: - l_docker_image_tag: "{{ openshift_image_tag }}" + l_docker_image_tag: "{{ l_openshift_image_tag }}" when: - openshift_deployment_type == 'openshift-enterprise' - - openshift_image_tag is defined - name: Use Red Hat Registry for image when distribution is Red Hat set_fact: diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 index b4ee84fd0..b715c2ffa 100644 --- a/roles/docker/templates/crio.conf.j2 +++ b/roles/docker/templates/crio.conf.j2 @@ -13,12 +13,12 @@ runroot = "/var/run/containers/storage" # storage_driver select which storage driver is used to manage storage # of images and containers. -storage_driver = "overlay2" +storage_driver = "overlay" # storage_option is used to pass an option to the storage driver. storage_option = [ {% if ansible_distribution in ['RedHat', 'CentOS'] %} - "overlay2.override_kernel_check=1" + "overlay.override_kernel_check=1" {% endif %} ] @@ -35,6 +35,10 @@ stream_address = "" # stream_port is the port on which the stream server will listen stream_port = "10010" +# file_locking is whether file-based locking will be used instead of +# in-memory locking +file_locking = true + # The "crio.runtime" table contains settings pertaining to the OCI # runtime used and options for how to set up and manage the OCI runtime. [crio.runtime] @@ -67,6 +71,9 @@ runtime_untrusted_workload = "" # container runtime for all containers. default_workload_trust = "trusted" +# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE +no_pivot = false + # conmon is the path to conmon binary, used for managing the runtime. conmon = "/usr/libexec/crio/conmon" @@ -93,6 +100,16 @@ apparmor_profile = "crio-default" # for the runtime. cgroup_manager = "systemd" +# hooks_dir_path is the oci hooks directory for automatically executed hooks +hooks_dir_path = "/usr/share/containers/oci/hooks.d" + +# pids_limit is the number of processes allowed in a container +pids_limit = 1024 + +# log_size_max is the max limit for the container log size in bytes. +# Negative values indicate that no limit is imposed. +log_size_max = -1 + # The "crio.image" table contains settings pertaining to the # management of OCI images. [crio.image] @@ -115,6 +132,10 @@ pause_command = "/pause" # unspecified so that the default system-wide policy will be used. signature_policy = "" +# image_volumes controls how image volumes are handled. +# The valid values are mkdir and ignore. +image_volumes = "mkdir" + # insecure_registries is used to skip TLS verification when pulling images. insecure_registries = [ {{ l_insecure_crio_registries|default("") }} @@ -125,6 +146,7 @@ insecure_registries = [ registries = [ {{ l_additional_crio_registries|default("") }} ] + # The "crio.network" table contains settings pertaining to the # management of CNI plugins. [crio.network] diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2 index 9b47cb6ab..713412473 100644 --- a/roles/docker/templates/custom.conf.j2 +++ b/roles/docker/templates/custom.conf.j2 @@ -3,3 +3,9 @@ [Unit] Wants=iptables.service After=iptables.service + +# The following line is a work-around to ensure docker is restarted whenever +# iptables is restarted. This ensures the proper iptables rules will be in +# place for docker. +# Note: This will also cause docker to be stopped if iptables is stopped. +PartOf=iptables.service |