summaryrefslogtreecommitdiffstats
path: root/roles/docker
diff options
context:
space:
mode:
Diffstat (limited to 'roles/docker')
-rw-r--r--roles/docker/handlers/main.yml1
-rw-r--r--roles/docker/tasks/main.yml8
-rw-r--r--roles/docker/tasks/package_docker.yml13
-rw-r--r--roles/docker/tasks/systemcontainer_crio.yml21
-rw-r--r--roles/docker/tasks/systemcontainer_docker.yml19
-rw-r--r--roles/docker/templates/crio.conf.j226
-rw-r--r--roles/docker/templates/custom.conf.j26
7 files changed, 77 insertions, 17 deletions
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
index 591367467..866ed0452 100644
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@@ -4,6 +4,7 @@
systemd:
name: "{{ openshift.docker.service_name }}"
state: restarted
+ daemon_reload: yes
register: r_docker_restart_docker_result
until: not r_docker_restart_docker_result | failed
retries: 3
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index dae17c3ce..f73f90686 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -10,14 +10,6 @@
l_use_crio: "{{ openshift_use_crio | default(False) }}"
l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}"
-- when:
- - openshift_deployment_type == 'openshift-enterprise'
- assert:
- that:
- - "openshift_image_tag is defined"
- msg: >
- openshift_image_tag is a required inventory variable when installing openshift-enterprise
-
- name: Use Package Docker if Requested
include: package_docker.yml
when:
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index eab5c3bb1..888ae40e7 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -48,7 +48,9 @@
template:
dest: "{{ docker_systemd_dir }}/custom.conf"
src: custom.conf.j2
- when: not os_firewall_use_firewalld | default(False) | bool
+ notify:
+ - restart docker
+ when: not (os_firewall_use_firewalld | default(False)) | bool
- name: Add enterprise registry, if necessary
set_fact:
@@ -137,6 +139,13 @@
notify:
- restart docker
+# The following task is needed as the systemd module may report a change in
+# state even though docker is already running.
+- name: Detect if docker is already started
+ command: "systemctl show docker -p ActiveState"
+ changed_when: False
+ register: r_docker_already_running_result
+
- name: Start the Docker service
systemd:
name: docker
@@ -149,7 +158,7 @@
delay: 30
- set_fact:
- docker_service_status_changed: "{{ r_docker_package_docker_start_result | changed }}"
+ docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
- name: Check for credentials file for registry auth
stat:
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
index 386369d26..fdc6cd24a 100644
--- a/roles/docker/tasks/systemcontainer_crio.yml
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -14,6 +14,22 @@
l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"
when: l2_docker_additional_registries
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+ when: openshift_image_tag is defined
+
+- set_fact:
+ l_openshift_image_tag: "latest"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release == "latest"
+
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_release | string }}"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release != "latest"
+
- name: Ensure container-selinux is installed
package:
name: container-selinux
@@ -106,10 +122,9 @@
- name: Set CRI-O image tag
set_fact:
- l_crio_image_tag: "{{ openshift_image_tag }}"
+ l_crio_image_tag: "{{ l_openshift_image_tag }}"
when:
- openshift_deployment_type == 'openshift-enterprise'
- - openshift_image_tag is defined
- name: Use RHEL based image when distribution is Red Hat
set_fact:
@@ -147,7 +162,7 @@
image: "{{ l_crio_image }}"
state: latest
-- name: Remove CRI-o default configuration files
+- name: Remove CRI-O default configuration files
file:
path: "{{ item }}"
state: absent
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index 5b1605b58..15c6a55db 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -1,5 +1,21 @@
---
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+ when: openshift_image_tag is defined
+
+- set_fact:
+ l_openshift_image_tag: "latest"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release == "latest"
+
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_release | string }}"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release != "latest"
+
# If docker_options are provided we should fail. We should not install docker and ignore
# the users configuration. NOTE: docker_options == inventory:openshift_docker_options
- name: Fail quickly if openshift_docker_options are set
@@ -94,10 +110,9 @@
- name: Set container engine image tag
set_fact:
- l_docker_image_tag: "{{ openshift_image_tag }}"
+ l_docker_image_tag: "{{ l_openshift_image_tag }}"
when:
- openshift_deployment_type == 'openshift-enterprise'
- - openshift_image_tag is defined
- name: Use Red Hat Registry for image when distribution is Red Hat
set_fact:
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
index b4ee84fd0..b715c2ffa 100644
--- a/roles/docker/templates/crio.conf.j2
+++ b/roles/docker/templates/crio.conf.j2
@@ -13,12 +13,12 @@ runroot = "/var/run/containers/storage"
# storage_driver select which storage driver is used to manage storage
# of images and containers.
-storage_driver = "overlay2"
+storage_driver = "overlay"
# storage_option is used to pass an option to the storage driver.
storage_option = [
{% if ansible_distribution in ['RedHat', 'CentOS'] %}
- "overlay2.override_kernel_check=1"
+ "overlay.override_kernel_check=1"
{% endif %}
]
@@ -35,6 +35,10 @@ stream_address = ""
# stream_port is the port on which the stream server will listen
stream_port = "10010"
+# file_locking is whether file-based locking will be used instead of
+# in-memory locking
+file_locking = true
+
# The "crio.runtime" table contains settings pertaining to the OCI
# runtime used and options for how to set up and manage the OCI runtime.
[crio.runtime]
@@ -67,6 +71,9 @@ runtime_untrusted_workload = ""
# container runtime for all containers.
default_workload_trust = "trusted"
+# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
+no_pivot = false
+
# conmon is the path to conmon binary, used for managing the runtime.
conmon = "/usr/libexec/crio/conmon"
@@ -93,6 +100,16 @@ apparmor_profile = "crio-default"
# for the runtime.
cgroup_manager = "systemd"
+# hooks_dir_path is the oci hooks directory for automatically executed hooks
+hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+
+# pids_limit is the number of processes allowed in a container
+pids_limit = 1024
+
+# log_size_max is the max limit for the container log size in bytes.
+# Negative values indicate that no limit is imposed.
+log_size_max = -1
+
# The "crio.image" table contains settings pertaining to the
# management of OCI images.
[crio.image]
@@ -115,6 +132,10 @@ pause_command = "/pause"
# unspecified so that the default system-wide policy will be used.
signature_policy = ""
+# image_volumes controls how image volumes are handled.
+# The valid values are mkdir and ignore.
+image_volumes = "mkdir"
+
# insecure_registries is used to skip TLS verification when pulling images.
insecure_registries = [
{{ l_insecure_crio_registries|default("") }}
@@ -125,6 +146,7 @@ insecure_registries = [
registries = [
{{ l_additional_crio_registries|default("") }}
]
+
# The "crio.network" table contains settings pertaining to the
# management of CNI plugins.
[crio.network]
diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2
index 9b47cb6ab..713412473 100644
--- a/roles/docker/templates/custom.conf.j2
+++ b/roles/docker/templates/custom.conf.j2
@@ -3,3 +3,9 @@
[Unit]
Wants=iptables.service
After=iptables.service
+
+# The following line is a work-around to ensure docker is restarted whenever
+# iptables is restarted. This ensures the proper iptables rules will be in
+# place for docker.
+# Note: This will also cause docker to be stopped if iptables is stopped.
+PartOf=iptables.service