summaryrefslogtreecommitdiffstats
path: root/roles/docker
diff options
context:
space:
mode:
Diffstat (limited to 'roles/docker')
-rw-r--r--roles/docker/defaults/main.yml33
-rw-r--r--roles/docker/handlers/main.yml5
-rw-r--r--roles/docker/meta/main.yml2
-rw-r--r--roles/docker/tasks/crio_firewall.yml40
-rw-r--r--roles/docker/tasks/main.yml25
-rw-r--r--roles/docker/tasks/package_docker.yml51
-rw-r--r--roles/docker/tasks/registry_auth.yml12
-rw-r--r--roles/docker/tasks/systemcontainer_crio.yml185
-rw-r--r--roles/docker/tasks/systemcontainer_docker.yml106
-rw-r--r--roles/docker/templates/80-openshift-sdn.conf.j25
-rw-r--r--roles/docker/templates/crio.conf.j2159
-rw-r--r--roles/docker/templates/custom.conf.j26
-rw-r--r--roles/docker/templates/overlay.conf.j22
-rw-r--r--roles/docker/templates/registries.conf46
14 files changed, 617 insertions, 60 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index ed97d539c..fe938e52b 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -1 +1,34 @@
---
+docker_cli_auth_config_path: '/root/.docker'
+openshift_docker_signature_verification: False
+
+# oreg_url is defined by user input.
+oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
+oreg_auth_credentials_replace: False
+
+openshift_docker_additional_registries: []
+openshift_docker_blocked_registries: []
+openshift_docker_insecure_registries: []
+
+openshift_docker_ent_reg: 'registry.access.redhat.com'
+
+# The l2_docker_* variables convert csv strings to lists, if
+# necessary. These variables should be used in place of their respective
+# openshift_docker_* counterparts to ensure the properly formatted lists are
+# utilized.
+l2_docker_additional_registries: "{% if openshift_docker_additional_registries is string %}{% if openshift_docker_additional_registries == '' %}[]{% elif ',' in openshift_docker_additional_registries %}{{ openshift_docker_additional_registries.split(',') | list }}{% else %}{{ [ openshift_docker_additional_registries ] }}{% endif %}{% else %}{{ openshift_docker_additional_registries }}{% endif %}"
+l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}"
+l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}"
+
+containers_registries_conf_path: /etc/containers/registries.conf
+
+r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
+r_crio_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
+
+r_crio_os_firewall_deny: []
+r_crio_os_firewall_allow:
+- service: crio
+ port: 10010/tcp
+
+
+openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['oo_masters_to_config']|default([])) or inventory_hostname in (groups['oo_nodes_to_config']|default([])) else False | bool }}"
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
index 7f91afb37..866ed0452 100644
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@@ -4,6 +4,11 @@
systemd:
name: "{{ openshift.docker.service_name }}"
state: restarted
+ daemon_reload: yes
+ register: r_docker_restart_docker_result
+ until: not r_docker_restart_docker_result | failed
+ retries: 3
+ delay: 30
when: not docker_service_status_changed | default(false) | bool
- name: restart udev
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index cd4083572..62b8a2eb5 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -10,5 +10,5 @@ galaxy_info:
versions:
- 7
dependencies:
-- role: os_firewall
- role: lib_openshift
+- role: lib_os_firewall
diff --git a/roles/docker/tasks/crio_firewall.yml b/roles/docker/tasks/crio_firewall.yml
new file mode 100644
index 000000000..fbd1ff515
--- /dev/null
+++ b/roles/docker/tasks/crio_firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_crio_firewall_enabled | bool and not r_crio_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_crio_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_crio_os_firewall_deny }}"
+
+- when: r_crio_firewall_enabled | bool and r_crio_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_crio_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_crio_os_firewall_deny }}"
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 0c2b16acf..1539af53f 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -7,11 +7,32 @@
- set_fact:
l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}"
+ l_use_crio: "{{ openshift_use_crio | default(False) }}"
+ l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}"
+
+- name: Add enterprise registry, if necessary
+ set_fact:
+ l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}"
+ when:
+ - openshift.common.deployment_type == 'openshift-enterprise'
+ - openshift_docker_ent_reg != ''
+ - openshift_docker_ent_reg not in l2_docker_additional_registries
+ - not l_use_crio_only
- name: Use Package Docker if Requested
include: package_docker.yml
- when: not l_use_system_container
+ when:
+ - not l_use_system_container
+ - not l_use_crio_only
- name: Use System Container Docker if Requested
include: systemcontainer_docker.yml
- when: l_use_system_container
+ when:
+ - l_use_system_container
+ - not l_use_crio_only
+
+- name: Add CRI-O usage Requested
+ include: systemcontainer_crio.yml
+ when:
+ - l_use_crio
+ - openshift_docker_is_node_or_master | bool
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index c82d8659a..b16413f72 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -3,6 +3,8 @@
command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker"
when: not openshift.common.is_atomic | bool
register: curr_docker_version
+ retries: 4
+ until: curr_docker_version | succeeded
changed_when: false
- name: Error out if Docker pre-installed but too old
@@ -46,7 +48,9 @@
template:
dest: "{{ docker_systemd_dir }}/custom.conf"
src: custom.conf.j2
- when: not os_firewall_use_firewalld | default(False) | bool
+ notify:
+ - restart docker
+ when: not (os_firewall_use_firewalld | default(False)) | bool
- stat: path=/etc/sysconfig/docker
register: docker_check
@@ -56,20 +60,30 @@
dest: /etc/sysconfig/docker
regexp: '^{{ item.reg_conf_var }}=.*$'
line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'"
- when: item.reg_fact_val != '' and docker_check.stat.isreg is defined and docker_check.stat.isreg
+ when:
+ - item.reg_fact_val != []
+ - docker_check.stat.isreg is defined
+ - docker_check.stat.isreg
with_items:
- reg_conf_var: ADD_REGISTRY
- reg_fact_val: "{{ docker_additional_registries | default(None, true)}}"
+ reg_fact_val: "{{ l2_docker_additional_registries }}"
reg_flag: --add-registry
- reg_conf_var: BLOCK_REGISTRY
- reg_fact_val: "{{ docker_blocked_registries| default(None, true) }}"
+ reg_fact_val: "{{ l2_docker_blocked_registries }}"
reg_flag: --block-registry
- reg_conf_var: INSECURE_REGISTRY
- reg_fact_val: "{{ docker_insecure_registries| default(None, true) }}"
+ reg_fact_val: "{{ l2_docker_insecure_registries }}"
reg_flag: --insecure-registry
notify:
- restart docker
+- name: Place additional/blocked/insecure registries in /etc/containers/registries.conf
+ template:
+ dest: "{{ containers_registries_conf_path }}"
+ src: registries.conf
+ notify:
+ - restart docker
+
- name: Set Proxy Settings
lineinfile:
dest: /etc/sysconfig/docker
@@ -93,11 +107,12 @@
dest: /etc/sysconfig/docker
regexp: '^OPTIONS=.*$'
line: "OPTIONS='\
- {% if ansible_selinux.status | default(None) == '''enabled''' and docker_selinux_enabled | default(true) %} --selinux-enabled {% endif %}\
- {% if docker_log_driver is defined %} --log-driver {{ docker_log_driver }}{% endif %}\
- {% if docker_log_options is defined %} {{ docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\
- {% if docker_options is defined %} {{ docker_options }}{% endif %}\
- {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'"
+ {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \
+ {% if docker_log_driver is defined %} --log-driver {{ docker_log_driver }}{% endif %} \
+ {% if docker_log_options is defined %} {{ docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \
+ {% if docker_options is defined %} {{ docker_options }}{% endif %} \
+ {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %} \
+ --signature-verification={{ openshift_docker_signature_verification | bool }}'"
when: docker_check.stat.isreg is defined and docker_check.stat.isreg
notify:
- restart docker
@@ -117,15 +132,27 @@
notify:
- restart docker
+# The following task is needed as the systemd module may report a change in
+# state even though docker is already running.
+- name: Detect if docker is already started
+ command: "systemctl show docker -p ActiveState"
+ changed_when: False
+ register: r_docker_already_running_result
+
- name: Start the Docker service
systemd:
name: docker
enabled: yes
state: started
daemon_reload: yes
- register: start_result
+ register: r_docker_package_docker_start_result
+ until: not r_docker_package_docker_start_result | failed
+ retries: 3
+ delay: 30
- set_fact:
- docker_service_status_changed: start_result | changed
+ docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
+
+- include: registry_auth.yml
- meta: flush_handlers
diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml
new file mode 100644
index 000000000..65ed60efa
--- /dev/null
+++ b/roles/docker/tasks/registry_auth.yml
@@ -0,0 +1,12 @@
+---
+- name: Check for credentials file for registry auth
+ stat:
+ path: "{{ docker_cli_auth_config_path }}/config.json"
+ when: oreg_auth_user is defined
+ register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+ command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+ when:
+ - oreg_auth_user is defined
+ - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
new file mode 100644
index 000000000..67ede0d21
--- /dev/null
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -0,0 +1,185 @@
+---
+
+# TODO: Much of this file is shared with container engine tasks
+- set_fact:
+ l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}"
+ when: l2_docker_insecure_registries | bool
+- set_fact:
+ l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}"
+ when: l2_docker_additional_registries | bool
+- set_fact:
+ l_crio_registries: "{{ ['docker.io'] }}"
+ when: not (l2_docker_additional_registries | bool)
+- set_fact:
+ l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"
+ when: l2_docker_additional_registries | bool
+
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+ when: openshift_image_tag is defined
+
+- set_fact:
+ l_openshift_image_tag: "latest"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release == "latest"
+
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_release | string }}"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release != "latest"
+
+- name: Ensure container-selinux is installed
+ package:
+ name: container-selinux
+ state: present
+ when: not openshift.common.is_atomic | bool
+
+- name: Check we are not using node as a Docker container with CRI-O
+ fail: msg='Cannot use CRI-O with node configured as a Docker container'
+ when:
+ - openshift.common.is_containerized | bool
+ - not openshift.common.is_node_system_container | bool
+
+# Used to pull and install the system container
+- name: Ensure atomic is installed
+ package:
+ name: atomic
+ state: present
+ when: not openshift.common.is_atomic | bool
+
+# At the time of writing the atomic command requires runc for it's own use. This
+# task is here in the even that the atomic package ever removes the dependency.
+- name: Ensure runc is installed
+ package:
+ name: runc
+ state: present
+ when: not openshift.common.is_atomic | bool
+
+
+- name: Check that overlay is in the kernel
+ shell: lsmod | grep overlay
+ register: l_has_overlay_in_kernel
+ ignore_errors: yes
+ failed_when: false
+
+- when: l_has_overlay_in_kernel.rc != 0
+ block:
+
+ - name: Add overlay to modprobe.d
+ template:
+ dest: /etc/modules-load.d/overlay.conf
+ src: overlay.conf.j2
+ backup: yes
+
+ - name: Manually modprobe overlay into the kernel
+ command: modprobe overlay
+
+ - name: Enable and start systemd-modules-load
+ service:
+ name: systemd-modules-load
+ enabled: yes
+ state: restarted
+
+- name: Ensure proxies are in the atomic.conf
+ include_role:
+ name: openshift_atomic
+ tasks_from: proxy
+
+- block:
+
+ - name: Set CRI-O image defaults
+ set_fact:
+ l_crio_image_prepend: "docker.io/gscrivano"
+ l_crio_image_name: "cri-o-fedora"
+ l_crio_image_tag: "latest"
+
+ - name: Use Centos based image when distribution is CentOS
+ set_fact:
+ l_crio_image_name: "cri-o-centos"
+ when: ansible_distribution == "CentOS"
+
+ - name: Set CRI-O image tag
+ set_fact:
+ l_crio_image_tag: "{{ l_openshift_image_tag }}"
+ when:
+ - openshift_deployment_type == 'openshift-enterprise'
+
+ - name: Use RHEL based image when distribution is Red Hat
+ set_fact:
+ l_crio_image_prepend: "registry.access.redhat.com/openshift3"
+ l_crio_image_name: "cri-o"
+ when: ansible_distribution == "RedHat"
+
+ - name: Set the full image name
+ set_fact:
+ l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:{{ l_crio_image_tag }}"
+
+ # For https://github.com/openshift/aos-cd-jobs/pull/624#pullrequestreview-61816548
+ - name: Use a specific image if requested
+ set_fact:
+ l_crio_image: "{{ openshift_crio_systemcontainer_image_override }}"
+ when:
+ - openshift_crio_systemcontainer_image_override is defined
+ - openshift_crio_systemcontainer_image_override != ""
+
+ # Be nice and let the user see the variable result
+ - debug:
+ var: l_crio_image
+
+# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
+- name: Pre-pull CRI-O System Container image
+ command: "atomic pull --storage ostree {{ l_crio_image }}"
+ changed_when: false
+ environment:
+ NO_PROXY: "{{ openshift.common.no_proxy | default('') }}"
+
+
+- name: Install CRI-O System Container
+ oc_atomic_container:
+ name: "cri-o"
+ image: "{{ l_crio_image }}"
+ state: latest
+
+- name: Remove CRI-O default configuration files
+ file:
+ path: "{{ item }}"
+ state: absent
+ with_items:
+ - /etc/cni/net.d/200-loopback.conf
+ - /etc/cni/net.d/100-crio-bridge.conf
+
+- name: Create the CRI-O configuration
+ template:
+ dest: /etc/crio/crio.conf
+ src: crio.conf.j2
+ backup: yes
+
+- name: Ensure CNI configuration directory exists
+ file:
+ path: /etc/cni/net.d/
+ state: directory
+
+- name: setup firewall for CRI-O
+ include: crio_firewall.yml
+ static: yes
+
+- name: Configure the CNI network
+ template:
+ dest: /etc/cni/net.d/openshift-sdn.conf
+ src: 80-openshift-sdn.conf.j2
+
+- name: Fix SELinux Permissions on /var/lib/containers
+ command: "restorecon -R /var/lib/containers/"
+ changed_when: false
+
+- name: Start the CRI-O service
+ systemd:
+ name: "cri-o"
+ enabled: yes
+ state: started
+ daemon_reload: yes
+ register: start_result
+
+- meta: flush_handlers
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index 650f06f86..aa3b35ddd 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -1,4 +1,21 @@
---
+
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+ when: openshift_image_tag is defined
+
+- set_fact:
+ l_openshift_image_tag: "latest"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release == "latest"
+
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_release | string }}"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release != "latest"
+
# If docker_options are provided we should fail. We should not install docker and ignore
# the users configuration. NOTE: docker_options == inventory:openshift_docker_options
- name: Fail quickly if openshift_docker_options are set
@@ -12,6 +29,12 @@
traditional docker package install. Otherwise, comment out openshift_docker_options
in your inventory file.
+- name: Ensure container-selinux is installed
+ package:
+ name: container-selinux
+ state: present
+ when: not openshift.common.is_atomic | bool
+
# Used to pull and install the system container
- name: Ensure atomic is installed
package:
@@ -40,44 +63,28 @@
state: stopped
daemon_reload: yes
ignore_errors: True
+ register: r_docker_systemcontainer_docker_stop_result
+ until: not r_docker_systemcontainer_docker_stop_result | failed
+ retries: 3
+ delay: 30
-# Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf
-# regexp: the line starts with or without #, followed by the string
-# http_proxy, then either : or =
-- block:
-
- - name: Add http_proxy to /etc/atomic.conf
- lineinfile:
- dest: /etc/atomic.conf
- regexp: "^#?http_proxy[:=]{1}"
- line: "http_proxy: {{ openshift.common.http_proxy | default('') }}"
- when:
- - openshift.common.http_proxy is defined
- - openshift.common.http_proxy != ''
-
- - name: Add https_proxy to /etc/atomic.conf
- lineinfile:
- dest: /etc/atomic.conf
- regexp: "^#?https_proxy[:=]{1}"
- line: "https_proxy: {{ openshift.common.https_proxy | default('') }}"
- when:
- - openshift.common.https_proxy is defined
- - openshift.common.https_proxy != ''
-
- - name: Add no_proxy to /etc/atomic.conf
- lineinfile:
- dest: /etc/atomic.conf
- regexp: "^#?no_proxy[:=]{1}"
- line: "no_proxy: {{ openshift.common.no_proxy | default('') }}"
- when:
- - openshift.common.no_proxy is defined
- - openshift.common.no_proxy != ''
+- name: Ensure proxies are in the atomic.conf
+ include_role:
+ name: openshift_atomic
+ tasks_from: proxy
- block:
- name: Set to default prepend
set_fact:
l_docker_image_prepend: "gscrivano"
+ l_docker_image_tag: "latest"
+
+ - name: Set container engine image tag
+ set_fact:
+ l_docker_image_tag: "{{ l_openshift_image_tag }}"
+ when:
+ - openshift_deployment_type == 'openshift-enterprise'
- name: Use Red Hat Registry for image when distribution is Red Hat
set_fact:
@@ -86,20 +93,24 @@
- name: Use Fedora Registry for image when distribution is Fedora
set_fact:
- l_docker_image_prepend: "registry.fedoraproject.org"
+ l_docker_image_prepend: "registry.fedoraproject.org/f25"
when: ansible_distribution == 'Fedora'
- # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504
- - name: Use a testing registry if requested
+ - name: Set the full image name
set_fact:
- l_docker_image_prepend: "{{ openshift_docker_systemcontainer_image_registry_override }}"
- when:
- - openshift_docker_systemcontainer_image_registry_override is defined
- - openshift_docker_systemcontainer_image_registry_override != ""
+ l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:{{ l_docker_image_tag }}"
- - name: Set the full image name
+ # For https://github.com/openshift/openshift-ansible/pull/5354#issuecomment-328552959
+ - name: Use a specific image if requested
set_fact:
- l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:latest"
+ l_docker_image: "{{ openshift_docker_systemcontainer_image_override }}"
+ when:
+ - openshift_docker_systemcontainer_image_override is defined
+ - openshift_docker_systemcontainer_image_override != ""
+
+ # Be nice and let the user see the variable result
+ - debug:
+ var: l_docker_image
# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
- name: Pre-pull Container Engine System Container image
@@ -133,10 +144,10 @@
# Set local versions of facts that must be in json format for container-daemon.json
# NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson
- set_fact:
- l_docker_insecure_registries: "{{ docker_insecure_registries | default([]) | to_json }}"
+ l_docker_insecure_registries: "{{ l2_docker_insecure_registries | default([]) | to_json }}"
l_docker_log_options: "{{ docker_log_options | default({}) | to_json }}"
- l_docker_additional_registries: "{{ docker_additional_registries | default([]) | to_json }}"
- l_docker_blocked_registries: "{{ docker_blocked_registries | default([]) | to_json }}"
+ l_docker_additional_registries: "{{ l2_docker_additional_registries | default([]) | to_json }}"
+ l_docker_blocked_registries: "{{ l2_docker_blocked_registries | default([]) | to_json }}"
l_docker_selinux_enabled: "{{ docker_selinux_enabled | default(true) | to_json }}"
# Configure container-engine using the container-daemon.json file
@@ -154,9 +165,14 @@
enabled: yes
state: started
daemon_reload: yes
- register: start_result
+ register: r_docker_systemcontainer_docker_start_result
+ until: not r_docker_systemcontainer_docker_start_result | failed
+ retries: 3
+ delay: 30
- set_fact:
- docker_service_status_changed: start_result | changed
+ docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}"
+
+- include: registry_auth.yml
- meta: flush_handlers
diff --git a/roles/docker/templates/80-openshift-sdn.conf.j2 b/roles/docker/templates/80-openshift-sdn.conf.j2
new file mode 100644
index 000000000..a693aea5f
--- /dev/null
+++ b/roles/docker/templates/80-openshift-sdn.conf.j2
@@ -0,0 +1,5 @@
+{
+ "cniVersion": "0.1.0",
+ "name": "openshift-sdn",
+ "type": "openshift-sdn"
+}
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
new file mode 100644
index 000000000..93014a80d
--- /dev/null
+++ b/roles/docker/templates/crio.conf.j2
@@ -0,0 +1,159 @@
+# {{ ansible_managed }}
+
+# The "crio" table contains all of the server options.
+[crio]
+
+# root is a path to the "root directory". CRIO stores all of its data,
+# including container images, in this directory.
+root = "/var/lib/containers/storage"
+
+# run is a path to the "run directory". CRIO stores all of its state
+# in this directory.
+runroot = "/var/run/containers/storage"
+
+# storage_driver select which storage driver is used to manage storage
+# of images and containers.
+storage_driver = "overlay"
+
+# storage_option is used to pass an option to the storage driver.
+storage_option = [
+{% if ansible_distribution in ['RedHat', 'CentOS'] %}
+ "overlay.override_kernel_check=1"
+{% endif %}
+]
+
+# The "crio.api" table contains settings for the kubelet/gRPC
+# interface (which is also used by crioctl).
+[crio.api]
+
+# listen is the path to the AF_LOCAL socket on which crio will listen.
+listen = "/var/run/crio.sock"
+
+# stream_address is the IP address on which the stream server will listen
+stream_address = ""
+
+# stream_port is the port on which the stream server will listen
+stream_port = "10010"
+
+# file_locking is whether file-based locking will be used instead of
+# in-memory locking
+file_locking = true
+
+# The "crio.runtime" table contains settings pertaining to the OCI
+# runtime used and options for how to set up and manage the OCI runtime.
+[crio.runtime]
+
+# runtime is the OCI compatible runtime used for trusted container workloads.
+# This is a mandatory setting as this runtime will be the default one
+# and will also be used for untrusted container workloads if
+# runtime_untrusted_workload is not set.
+runtime = "/usr/bin/runc"
+
+# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
+# container workloads. This is an optional setting, except if
+# default_container_trust is set to "untrusted".
+runtime_untrusted_workload = ""
+
+# default_workload_trust is the default level of trust crio puts in container
+# workloads. It can either be "trusted" or "untrusted", and the default
+# is "trusted".
+# Containers can be run through different container runtimes, depending on
+# the trust hints we receive from kubelet:
+# - If kubelet tags a container workload as untrusted, crio will try first to
+# run it through the untrusted container workload runtime. If it is not set,
+# crio will use the trusted runtime.
+# - If kubelet does not provide any information about the container workload trust
+# level, the selected runtime will depend on the default_container_trust setting.
+# If it is set to "untrusted", then all containers except for the host privileged
+# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
+# containers are by definition trusted and will always use the trusted container
+# runtime. If default_container_trust is set to "trusted", crio will use the trusted
+# container runtime for all containers.
+default_workload_trust = "trusted"
+
+# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
+no_pivot = false
+
+# conmon is the path to conmon binary, used for managing the runtime.
+conmon = "/usr/libexec/crio/conmon"
+
+# conmon_env is the environment variable list for conmon process,
+# used for passing necessary environment variable to conmon or runtime.
+conmon_env = [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+]
+
+# selinux indicates whether or not SELinux will be used for pod
+# separation on the host. If you enable this flag, SELinux must be running
+# on the host.
+selinux = true
+
+# seccomp_profile is the seccomp json profile path which is used as the
+# default for the runtime.
+seccomp_profile = "/etc/crio/seccomp.json"
+
+# apparmor_profile is the apparmor profile name which is used as the
+# default for the runtime.
+apparmor_profile = "crio-default"
+
+# cgroup_manager is the cgroup management implementation to be used
+# for the runtime.
+cgroup_manager = "systemd"
+
+# hooks_dir_path is the oci hooks directory for automatically executed hooks
+hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+
+# pids_limit is the number of processes allowed in a container
+pids_limit = 1024
+
+# log_size_max is the max limit for the container log size in bytes.
+# Negative values indicate that no limit is imposed.
+log_size_max = 52428800
+
+# The "crio.image" table contains settings pertaining to the
+# management of OCI images.
+[crio.image]
+
+# default_transport is the prefix we try prepending to an image name if the
+# image name as we receive it can't be parsed as a valid source reference
+default_transport = "docker://"
+
+# pause_image is the image which we use to instantiate infra containers.
+pause_image = "kubernetes/pause"
+
+# pause_command is the command to run in a pause_image to have a container just
+# sit there. If the image contains the necessary information, this value need
+# not be specified.
+pause_command = "/pause"
+
+# signature_policy is the name of the file which decides what sort of policy we
+# use when deciding whether or not to trust an image that we've pulled.
+# Outside of testing situations, it is strongly advised that this be left
+# unspecified so that the default system-wide policy will be used.
+signature_policy = ""
+
+# image_volumes controls how image volumes are handled.
+# The valid values are mkdir and ignore.
+image_volumes = "mkdir"
+
+# insecure_registries is used to skip TLS verification when pulling images.
+insecure_registries = [
+{{ l_insecure_crio_registries|default("") }}
+]
+
+# registries is used to specify a comma separated list of registries to be used
+# when pulling an unqualified image (e.g. fedora:rawhide).
+registries = [
+{{ l_additional_crio_registries|default("") }}
+]
+
+# The "crio.network" table contains settings pertaining to the
+# management of CNI plugins.
+[crio.network]
+
+# network_dir is is where CNI network configuration
+# files are stored.
+network_dir = "/etc/cni/net.d/"
+
+# plugin_dir is is where CNI plugin binaries are stored.
+plugin_dir = "/opt/cni/bin/"
diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2
index 9b47cb6ab..713412473 100644
--- a/roles/docker/templates/custom.conf.j2
+++ b/roles/docker/templates/custom.conf.j2
@@ -3,3 +3,9 @@
[Unit]
Wants=iptables.service
After=iptables.service
+
+# The following line is a work-around to ensure docker is restarted whenever
+# iptables is restarted. This ensures the proper iptables rules will be in
+# place for docker.
+# Note: This will also cause docker to be stopped if iptables is stopped.
+PartOf=iptables.service
diff --git a/roles/docker/templates/overlay.conf.j2 b/roles/docker/templates/overlay.conf.j2
new file mode 100644
index 000000000..782f46c2e
--- /dev/null
+++ b/roles/docker/templates/overlay.conf.j2
@@ -0,0 +1,2 @@
+### {{ ansible_managed }}
+overlay
diff --git a/roles/docker/templates/registries.conf b/roles/docker/templates/registries.conf
new file mode 100644
index 000000000..d379b2be0
--- /dev/null
+++ b/roles/docker/templates/registries.conf
@@ -0,0 +1,46 @@
+# {{ ansible_managed }}
+# This is a system-wide configuration file used to
+# keep track of registries for various container backends.
+# It adheres to YAML format and does not support recursive
+# lists of registries.
+
+# The default location for this configuration file is /etc/containers/registries.conf.
+
+# The only valid categories are: 'registries', 'insecure_registries',
+# and 'block_registries'.
+
+
+#registries:
+# - registry.access.redhat.com
+
+{% if l2_docker_additional_registries %}
+registries:
+{% for reg in l2_docker_additional_registries %}
+ - {{ reg }}
+{% endfor %}
+{% endif %}
+
+# If you need to access insecure registries, uncomment the section below
+# and add the registries fully-qualified name. An insecure registry is one
+# that does not have a valid SSL certificate or only does HTTP.
+#insecure_registries:
+# -
+
+{% if l2_docker_insecure_registries %}
+insecure_registries:
+{% for reg in l2_docker_insecure_registries %}
+ - {{ reg }}
+{% endfor %}
+{% endif %}
+
+# If you need to block pull access from a registry, uncomment the section below
+# and add the registries fully-qualified name.
+#block_registries:
+# -
+
+{% if l2_docker_blocked_registries %}
+block_registries:
+{% for reg in l2_docker_blocked_registries %}
+ - {{ reg }}
+{% endfor %}
+{% endif %}