Diffstat (limited to 'roles/docker')
-rw-r--r-- | roles/docker/defaults/main.yml | 7 | ||||
-rw-r--r-- | roles/docker/tasks/main.yml | 56 | ||||
-rw-r--r-- | roles/docker/tasks/package_docker.yml | 1 | ||||
-rw-r--r-- | roles/docker/tasks/registry_auth.yml | 4 | ||||
-rw-r--r-- | roles/docker/tasks/systemcontainer_crio.yml | 12 | ||||
-rw-r--r-- | roles/docker/templates/crio.conf.j2 | 5 |
6 files changed, 76 insertions, 9 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index 3f0752f4c..c086c28df 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -20,6 +20,7 @@ l2_docker_additional_registries: "{% if openshift_docker_additional_registries i l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}" l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}" +openshift_docker_use_etc_containers: False containers_registries_conf_path: /etc/containers/registries.conf r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" @@ -29,3 +30,9 @@ r_crio_os_firewall_deny: [] r_crio_os_firewall_allow: - service: crio port: 10010/tcp + + +openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['oo_masters_to_config']|default([])) or inventory_hostname in (groups['oo_nodes_to_config']|default([])) else False | bool }}" + +docker_alt_storage_path: /var/lib/containers/docker +docker_default_storage_path: /var/lib/docker diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 5ea73568a..3c814d8d8 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
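Review bot: In the `@@ -29,3 +30,9 @@` hunk, the trailing `| bool` in `openshift_docker_is_node_or_master` binds only to the literal `False`, because a Jinja filter applies to the operand next to it rather than to the whole conditional expression. The value still comes out right, since the `in` tests already yield booleans, but the expression reads as if the filter normalised the whole result. A plainer form is `"{{ inventory_hostname in (groups['oo_masters_to_config'] | default([])) or inventory_hostname in (groups['oo_nodes_to_config'] | default([])) }}"`. The new `docker_alt_storage_path` and `docker_default_storage_path` defaults would also benefit from a one-line comment saying they drive the storage relocation in `tasks/main.yml`.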
@@ -25,6 +25,15 @@ - not l_use_system_container - not l_use_crio_only +- name: Ensure /var/lib/containers exists + file: + path: /var/lib/containers + state: directory + +- name: Fix SELinux Permissions on /var/lib/containers + command: "restorecon -R /var/lib/containers/" + changed_when: false + - name: Use System Container Docker if Requested include: systemcontainer_docker.yml when: @@ -35,4 +44,49 @@ include: systemcontainer_crio.yml when: - l_use_crio - - inventory_hostname in groups['oo_masters_to_config'] or inventory_hostname in groups['oo_nodes_to_config'] + - openshift_docker_is_node_or_master | bool + +- name: stat the docker data dir + stat: + path: "{{ docker_default_storage_path }}" + register: dockerstat + +- when: + - l_use_crio + - dockerstat.stat.islink is defined and not (dockerstat.stat.islink | bool) + block: + - name: stop the current running docker + systemd: + state: stopped + name: "{{ openshift.docker.service_name }}" + + - name: "Ensure {{ docker_alt_storage_path }} exists" + file: + path: "{{ docker_alt_storage_path }}" + state: directory + + - name: "Set the selinux context on {{ docker_alt_storage_path }}" + command: "semanage fcontext -a -e {{ docker_default_storage_path }} {{ docker_alt_storage_path }}" + register: results + failed_when: + - results.rc == 1 + - "'already exists' not in results.stderr" + + - name: "restorecon the {{ docker_alt_storage_path }}" + command: "restorecon -r {{ docker_alt_storage_path }}" + + - name: Remove the old docker location + file: + state: absent + path: "{{ docker_default_storage_path }}" + + - name: Setup the link + file: + state: link + src: "{{ docker_alt_storage_path }}" + path: "{{ docker_default_storage_path }}" + + - name: start docker + systemd: + state: started + name: "{{ openshift.docker.service_name }}" diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index b16413f72..c1aedf879 100644 --- a/roles/docker/tasks/package_docker.yml 
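Review bot: In the `@@ -25,6 +25,15 @@` hunk, the `restorecon -R /var/lib/containers/` task now runs before `systemcontainer_crio.yml` is included, while the same task is removed from the end of that file in its `@@ -170,10 +170,6 @@` hunk. Anything the CRI-O install tasks later create under `/var/lib/containers` is therefore no longer relabelled by this role. Whether those tasks produce mislabelled content is not visible from this diff. If they can, keep a relabel step after the install, or add a comment such as `# relabel once up front; later tasks inherit the directory context` so the ordering is a recorded decision. The new `file` task also sets no `owner` or `mode`, so the directory gets whatever the umask gives it.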
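Review bot: In the `@@ -35,4 +44,49 @@` hunk, the `failed_when` list on the `semanage fcontext` task is AND-ed and only matches `results.rc == 1`, so any other non-zero exit counts as success and the play goes on to delete `docker_default_storage_path`. Changing the first condition to `- results.rc != 0` keeps the "already exists" exemption and fails on every other error. The block also removes the old directory without copying its contents to `docker_alt_storage_path`, and it has no `rescue` or `always` section, so a failure after "stop the current running docker" leaves the service down with the data directory possibly gone. If discarding existing images and volumes is intended, say so in a comment above "Remove the old docker location". An `always:` task that starts the service again would also help.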
+++ b/roles/docker/tasks/package_docker.yml @@ -81,6 +81,7 @@ template: dest: "{{ containers_registries_conf_path }}" src: registries.conf + when: openshift_docker_use_etc_containers | bool notify: - restart docker diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml index 65ed60efa..d05b7f2b8 100644 --- a/roles/docker/tasks/registry_auth.yml +++ b/roles/docker/tasks/registry_auth.yml @@ -7,6 +7,10 @@ - name: Create credentials for docker cli registry auth command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}" + register: openshift_docker_credentials_create_res + retries: 3 + delay: 5 + until: openshift_docker_credentials_create_res.rc == 0 when: - oreg_auth_user is defined - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 5a87813a0..1e2d64293 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -3,16 +3,16 @@ # TODO: Much of this file is shared with container engine tasks - set_fact: l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}" - when: l2_docker_insecure_registries + when: l2_docker_insecure_registries | bool - set_fact: l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}" - when: l2_docker_additional_registries + when: l2_docker_additional_registries | bool - set_fact: l_crio_registries: "{{ ['docker.io'] }}" - when: not l2_docker_additional_registries + when: not (l2_docker_additional_registries | bool) - set_fact: l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}" - when: l2_docker_additional_registries + when: l2_docker_additional_registries | bool - set_fact: l_openshift_image_tag: "{{ openshift_image_tag | string }}" 
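Review bot: The new `when: openshift_docker_use_etc_containers | bool` in `package_docker.yml` means `registries.conf` is not rendered by default, because the flag added in `defaults/main.yml` is `False`. Inventories that set blocked or insecure registry lists will no longer see them written to `containers_registries_conf_path` unless they opt in. Whether another file still enforces those lists is not visible in this diff. The default needs a comment next to it, for example `# When true, manage containers_registries_conf_path from the l2_docker_*_registries lists; when false the file is left untouched`. Using `false` instead of `False` would match the usual YAML boolean convention.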
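Review bot: In `registry_auth.yml`, the added `register` and `retries` lines wrap a command that passes `{{ oreg_auth_password }}` on the command line. The registered result stores that command line in `cmd`, and the task output shows it on each failed attempt. The task needs `no_log: true` so the password stays out of the play log and any callback output. The password is also visible in the host's process list while `docker login` runs. If the supported Docker and Ansible versions allow it, `docker login --password-stdin` with the command module's `stdin:` parameter avoids that. The task continues past the end of the hunk, so an existing `no_log` further down cannot be ruled out from here.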
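Review bot: In `systemcontainer_crio.yml`, the four conditions changed to `l2_docker_insecure_registries | bool` and `l2_docker_additional_registries | bool` are likely always false when those variables are lists. As far as I can tell, Ansible's `bool` filter only returns true for values such as `true`, `yes`, `on` or `1`, so a non-empty list is not truthy under it. If so, `l_insecure_crio_registries` and `l_additional_crio_registries` are never set, and `l_crio_registries` always falls through to `['docker.io']`, silently dropping the configured registries. An emptiness test states the intent directly: `when: l2_docker_additional_registries | length > 0`, with `| length == 0` for the negated case. This should be confirmed against a rendered value of the `l2_docker_*` defaults, which are templated strings in `defaults/main.yml`.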
@@ -170,10 +170,6 @@ dest: /etc/cni/net.d/openshift-sdn.conf src: 80-openshift-sdn.conf.j2 -- name: Fix SELinux Permissions on /var/lib/containers - command: "restorecon -R /var/lib/containers/" - changed_when: false - - name: Start the CRI-O service systemd: name: "cri-o" diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 index 93014a80d..3f066a17f 100644 --- a/roles/docker/templates/crio.conf.j2 +++ b/roles/docker/templates/crio.conf.j2 @@ -103,6 +103,11 @@ cgroup_manager = "systemd" # hooks_dir_path is the oci hooks directory for automatically executed hooks hooks_dir_path = "/usr/share/containers/oci/hooks.d" +# default_mounts is the mounts list to be mounted for the container when created +default_mounts = [ + "/usr/share/rhel/secrets:/run/secrets", +] + # pids_limit is the number of processes allowed in a container pids_limit = 1024 |
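Review bot: In `crio.conf.j2`, the new `default_mounts` entry is hard-coded, so `/usr/share/rhel/secrets` from the host is mounted at `/run/secrets` in every container CRI-O creates on every host that gets this template. That hands the host's contents of that directory to all workloads regardless of trust level, and it assumes the path exists on non-RHEL hosts. Drive the list from a role default (placeholder name `<crio_default_mounts_var>`) that operators can empty. Extend the comment above it to say what the directory holds and why containers need it.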