From 5120f8e90c0178ac7f6d911159ceb278dd87b4c9 Mon Sep 17 00:00:00 2001
From: Michael Gugino <mgugino@redhat.com>
Date: Thu, 16 Nov 2017 14:56:14 -0500
Subject: Implement container runtime role

---
 roles/calico/handlers/main.yml                     |   4 +-
 roles/calico/templates/calico.service.j2           |   4 +-
 roles/container_runtime/README.md                  |  39 +++++
 roles/container_runtime/defaults/main.yml          |  80 +++++++++
 roles/container_runtime/handlers/main.yml          |  18 ++
 roles/container_runtime/meta/main.yml              |  15 ++
 roles/container_runtime/tasks/crio_firewall.yml    |  40 +++++
 roles/container_runtime/tasks/main.yml             |  85 +++++++++
 roles/container_runtime/tasks/package_docker.yml   | 167 ++++++++++++++++++
 roles/container_runtime/tasks/registry_auth.yml    |  32 ++++
 .../tasks/systemcontainer_crio.yml                 | 164 ++++++++++++++++++
 .../tasks/systemcontainer_docker.yml               | 163 ++++++++++++++++++
 roles/container_runtime/tasks/udev_workaround.yml  |  24 +++
 .../templates/80-openshift-sdn.conf.j2             |   5 +
 roles/container_runtime/templates/crio.conf.j2     | 164 ++++++++++++++++++
 roles/container_runtime/templates/custom.conf.j2   |  11 ++
 roles/container_runtime/templates/daemon.json      |  20 +++
 roles/container_runtime/templates/overlay.conf.j2  |   2 +
 roles/container_runtime/templates/registries.conf  |  46 +++++
 .../templates/systemcontainercustom.conf.j2        |  17 ++
 roles/container_runtime/vars/main.yml              |   5 +
 roles/contiv/defaults/main.yml                     |   2 +
 roles/contiv/tasks/netplugin.yml                   |   2 +-
 roles/contiv/templates/aci-gw.service              |   2 +-
 roles/docker/README.md                             |  43 -----
 roles/docker/defaults/main.yml                     |  40 -----
 roles/docker/handlers/main.yml                     |  18 --
 roles/docker/meta/main.yml                         |  15 --
 roles/docker/tasks/crio_firewall.yml               |  40 -----
 roles/docker/tasks/main.yml                        |  93 ----------
 roles/docker/tasks/package_docker.yml              | 163 ------------------
 roles/docker/tasks/registry_auth.yml               |  32 ----
 roles/docker/tasks/systemcontainer_crio.yml        | 187 --------------------
 roles/docker/tasks/systemcontainer_docker.yml      | 190 ---------------------
 roles/docker/tasks/udev_workaround.yml             |  24 ---
 roles/docker/templates/80-openshift-sdn.conf.j2    |   5 -
 roles/docker/templates/crio.conf.j2                | 164 ------------------
 roles/docker/templates/custom.conf.j2              |  11 --
 roles/docker/templates/daemon.json                 |  20 ---
 roles/docker/templates/overlay.conf.j2             |   2 -
 roles/docker/templates/registries.conf             |  46 -----
 .../docker/templates/systemcontainercustom.conf.j2 |  17 --
 roles/docker/vars/main.yml                         |   5 -
 roles/etcd/defaults/main.yaml                      |   2 +
 roles/etcd/templates/etcd.docker.service           |   8 +-
 roles/flannel/defaults/main.yaml                   |   2 +
 roles/flannel/handlers/main.yml                    |   2 +-
 roles/openshift_cli/defaults/main.yml              |   5 +
 roles/openshift_cli/meta/main.yml                  |   2 -
 roles/openshift_cli/tasks/main.yml                 |   6 -
 roles/openshift_docker/defaults/main.yml           |   1 -
 roles/openshift_docker/meta/main.yml               |  16 --
 roles/openshift_docker/tasks/main.yml              |   1 -
 roles/openshift_docker_facts/defaults/main.yml     |   1 -
 roles/openshift_docker_facts/meta/main.yml         |  15 --
 roles/openshift_docker_facts/tasks/main.yml        |  39 -----
 roles/openshift_docker_facts/vars/main.yml         |   2 -
 roles/openshift_etcd/meta/main.yml                 |   2 -
 roles/openshift_facts/library/openshift_facts.py   |  87 +---------
 roles/openshift_hosted/tasks/registry.yml          |   2 +-
 roles/openshift_loadbalancer/defaults/main.yml     |   2 +
 .../templates/haproxy.docker.service.j2            |   8 +-
 roles/openshift_master/defaults/main.yml           |   2 +
 .../atomic-openshift-master-api.service.j2         |   8 +-
 .../atomic-openshift-master-controllers.service.j2 |   8 +-
 roles/openshift_node/defaults/main.yml             |   3 +
 roles/openshift_node/meta/main.yml                 |   1 -
 roles/openshift_node/tasks/main.yml                |   4 +-
 .../openshift_node/tasks/node_system_container.yml |   2 +-
 .../tasks/openvswitch_system_container.yml         |   9 +-
 roles/openshift_node/tasks/upgrade/restart.yml     |   8 +-
 roles/openshift_node/templates/node.service.j2     |   6 +-
 roles/openshift_node/templates/node.yaml.v1.j2     |   2 +-
 .../templates/openshift.docker.node.dep.service    |   6 +-
 .../templates/openshift.docker.node.service        |  10 +-
 .../templates/openvswitch.docker.service           |   8 +-
 .../openshift_node_certificates/defaults/main.yml  |   2 +
 .../openshift_node_certificates/handlers/main.yml  |   4 +-
 roles/openshift_node_facts/tasks/main.yml          |   1 -
 roles/openshift_version/meta/main.yml              |   3 -
 .../tasks/set_version_containerized.yml            |  11 +-
 81 files changed, 1172 insertions(+), 1355 deletions(-)
 create mode 100644 roles/container_runtime/README.md
 create mode 100644 roles/container_runtime/defaults/main.yml
 create mode 100644 roles/container_runtime/handlers/main.yml
 create mode 100644 roles/container_runtime/meta/main.yml
 create mode 100644 roles/container_runtime/tasks/crio_firewall.yml
 create mode 100644 roles/container_runtime/tasks/main.yml
 create mode 100644 roles/container_runtime/tasks/package_docker.yml
 create mode 100644 roles/container_runtime/tasks/registry_auth.yml
 create mode 100644 roles/container_runtime/tasks/systemcontainer_crio.yml
 create mode 100644 roles/container_runtime/tasks/systemcontainer_docker.yml
 create mode 100644 roles/container_runtime/tasks/udev_workaround.yml
 create mode 100644 roles/container_runtime/templates/80-openshift-sdn.conf.j2
 create mode 100644 roles/container_runtime/templates/crio.conf.j2
 create mode 100644 roles/container_runtime/templates/custom.conf.j2
 create mode 100644 roles/container_runtime/templates/daemon.json
 create mode 100644 roles/container_runtime/templates/overlay.conf.j2
 create mode 100644 roles/container_runtime/templates/registries.conf
 create mode 100644 roles/container_runtime/templates/systemcontainercustom.conf.j2
 create mode 100644 roles/container_runtime/vars/main.yml
 delete mode 100644 roles/docker/README.md
 delete mode 100644 roles/docker/defaults/main.yml
 delete mode 100644 roles/docker/handlers/main.yml
 delete mode 100644 roles/docker/meta/main.yml
 delete mode 100644 roles/docker/tasks/crio_firewall.yml
 delete mode 100644 roles/docker/tasks/main.yml
 delete mode 100644 roles/docker/tasks/package_docker.yml
 delete mode 100644 roles/docker/tasks/registry_auth.yml
 delete mode 100644 roles/docker/tasks/systemcontainer_crio.yml
 delete mode 100644 roles/docker/tasks/systemcontainer_docker.yml
 delete mode 100644 roles/docker/tasks/udev_workaround.yml
 delete mode 100644 roles/docker/templates/80-openshift-sdn.conf.j2
 delete mode 100644 roles/docker/templates/crio.conf.j2
 delete mode 100644 roles/docker/templates/custom.conf.j2
 delete mode 100644 roles/docker/templates/daemon.json
 delete mode 100644 roles/docker/templates/overlay.conf.j2
 delete mode 100644 roles/docker/templates/registries.conf
 delete mode 100644 roles/docker/templates/systemcontainercustom.conf.j2
 delete mode 100644 roles/docker/vars/main.yml
 delete mode 100644 roles/openshift_docker/defaults/main.yml
 delete mode 100644 roles/openshift_docker/meta/main.yml
 delete mode 100644 roles/openshift_docker/tasks/main.yml
 delete mode 100644 roles/openshift_docker_facts/defaults/main.yml
 delete mode 100644 roles/openshift_docker_facts/meta/main.yml
 delete mode 100644 roles/openshift_docker_facts/tasks/main.yml
 delete mode 100644 roles/openshift_docker_facts/vars/main.yml

(limited to 'roles')

diff --git a/roles/calico/handlers/main.yml b/roles/calico/handlers/main.yml
index 67fc0065f..9cc0604a3 100644
--- a/roles/calico/handlers/main.yml
+++ b/roles/calico/handlers/main.yml
@@ -3,10 +3,10 @@
   become: yes
   systemd: name=calico state=restarted
 
-- name: restart docker
+- name: restart container runtime
   become: yes
   systemd:
-    name: "{{ openshift.docker.service_name }}"
+    name: "{{ openshift_docker_service_name }}"
     state: restarted
   register: l_docker_restart_docker_in_calico_result
   until: not l_docker_restart_docker_in_calico_result | failed
diff --git a/roles/calico/templates/calico.service.j2 b/roles/calico/templates/calico.service.j2
index 7653e19b1..a7809b9f9 100644
--- a/roles/calico/templates/calico.service.j2
+++ b/roles/calico/templates/calico.service.j2
@@ -1,7 +1,7 @@
 [Unit]
 Description=calico
-After={{ openshift.docker.service_name }}.service
-Requires={{ openshift.docker.service_name }}.service
+After={{ openshift_docker_service_name }}.service
+Requires={{ openshift_docker_service_name }}.service
 
 [Service]
 Restart=always
diff --git a/roles/container_runtime/README.md b/roles/container_runtime/README.md
new file mode 100644
index 000000000..e363c1714
--- /dev/null
+++ b/roles/container_runtime/README.md
@@ -0,0 +1,39 @@
+Docker
+=========
+
+Ensures docker package or system container is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes.
+
+container-daemon.json items may be found at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
+
+Requirements
+------------
+
+Ansible 2.2
+
+Mandator Role Variables
+--------------
+
+
+
+Dependencies
+------------
+
+Depends on openshift_facts having already been run.
+
+Example Playbook
+----------------
+
+    - hosts: servers
+      roles:
+      - role: container_runtime
+        docker_udev_workaround: "true"
+
+License
+-------
+
+ASL 2.0
+
+Author Information
+------------------
+
+OpenShift operations, Red Hat, Inc
diff --git a/roles/container_runtime/defaults/main.yml b/roles/container_runtime/defaults/main.yml
new file mode 100644
index 000000000..62b3e141a
--- /dev/null
+++ b/roles/container_runtime/defaults/main.yml
@@ -0,0 +1,80 @@
+---
+docker_cli_auth_config_path: '/root/.docker'
+openshift_docker_signature_verification: False
+
+repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}"
+
+openshift_docker_alternative_creds: False
+
+# oreg_url is defined by user input.
+oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
+oreg_auth_credentials_replace: False
+
+openshift_docker_use_system_container: False
+openshift_docker_disable_push_dockerhub: False  # bool
+openshift_docker_selinux_enabled: True
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+
+openshift_docker_hosted_registry_insecure: False  # bool
+
+openshift_docker_hosted_registry_network_default: "{{ openshift_portal_net | default(False) }}"
+openshift_docker_hosted_registry_network: "{{ openshift_docker_hosted_registry_network_default }}"
+
+openshift_docker_additional_registries: []
+openshift_docker_blocked_registries: []
+openshift_docker_insecure_registries: []
+
+openshift_docker_ent_reg: 'registry.access.redhat.com'
+
+openshift_docker_options: False  # str
+openshift_docker_log_driver: False  # str
+openshift_docker_log_options: []
+
+# The l2_docker_* variables convert csv strings to lists, if
+# necessary.  These variables should be used in place of their respective
+# openshift_docker_* counterparts to ensure the properly formatted lists are
+# utilized.
+l2_docker_additional_registries: "{% if openshift_docker_additional_registries is string %}{% if openshift_docker_additional_registries == '' %}[]{% elif ',' in openshift_docker_additional_registries %}{{ openshift_docker_additional_registries.split(',') | list }}{% else %}{{ [ openshift_docker_additional_registries ] }}{% endif %}{% else %}{{ openshift_docker_additional_registries }}{% endif %}"
+l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}"
+l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}"
+l2_docker_log_options: "{% if openshift_docker_log_options is string %}{% if ',' in openshift_docker_log_options %}{{ openshift_docker_log_options.split(',') | list }}{% else %}{{ [ openshift_docker_log_options ] }}{% endif %}{% else %}{{ openshift_docker_log_options }}{% endif %}"
+
+openshift_docker_use_etc_containers: False
+containers_registries_conf_path: /etc/containers/registries.conf
+
+r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
+r_crio_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
+
+r_crio_os_firewall_deny: []
+r_crio_os_firewall_allow:
+- service: crio
+  port: 10010/tcp
+
+
+openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['oo_masters_to_config']|default([])) or inventory_hostname in (groups['oo_nodes_to_config']|default([])) else False | bool }}"
+
+docker_alt_storage_path: /var/lib/containers/docker
+docker_default_storage_path: /var/lib/docker
+
+# Set local versions of facts that must be in json format for container-daemon.json
+# NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson
+l_docker_log_options: "{{ l2_docker_log_options | to_json }}"
+l_docker_additional_registries: "{{ l2_docker_additional_registries | to_json }}"
+l_docker_blocked_registries: "{{ l2_docker_blocked_registries | to_json }}"
+l_docker_insecure_registries: "{{ l2_docker_insecure_registries | to_json }}"
+l_docker_selinux_enabled: "{{ openshift_docker_selinux_enabled | to_json }}"
+
+docker_http_proxy: "{{ openshift_http_proxy | default('') }}"
+docker_https_proxy: "{{ openshift.common.https_proxy | default('') }}"
+docker_no_proxy: "{{ openshift.common.no_proxy | default('') }}"
+
+openshift_use_crio: False
+openshift_use_crio_only: False
+
+
+l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}"
+l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}"
+l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"
+
+l_openshift_image_tag_default: "{{ openshift_release }}"
+l_openshift_image_tag: "{{ openshift_image_tag | default(l_openshift_image_tag_default) | string}}"
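Review bot: `l_insecure_crio_registries` does not render an empty list as empty. With the default `openshift_docker_insecure_registries: []`, the `'\"{}\"'.format('\", \"'.join(...))` expression evaluates to `""`, a single empty-string entry. The consuming template is outside this hunk, so the final effect is inferred, but an empty name in an insecure-registries list is not something the role should emit. The same pattern in `l_additional_crio_registries` is masked only because `docker.io` is always appended, and neither expression escapes quotes inside a registry name. Mapping each entry through `to_json` fixes both: `l_insecure_crio_registries: "{{ l2_docker_insecure_registries | map('to_json') | join(', ') }}"`.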
diff --git a/roles/container_runtime/handlers/main.yml b/roles/container_runtime/handlers/main.yml
new file mode 100644
index 000000000..67cd6d782
--- /dev/null
+++ b/roles/container_runtime/handlers/main.yml
@@ -0,0 +1,18 @@
+---
+
+- name: restart container runtime
+  systemd:
+    name: "{{ openshift_docker_service_name }}"
+    state: restarted
+    daemon_reload: yes
+  register: r_docker_restart_docker_result
+  until: not r_docker_restart_docker_result | failed
+  retries: 3
+  delay: 30
+  when: not docker_service_status_changed | default(false) | bool
+
+- name: restart udev
+  systemd:
+    name: systemd-udevd
+    state: restarted
+    daemon_reload: yes
diff --git a/roles/container_runtime/meta/main.yml b/roles/container_runtime/meta/main.yml
new file mode 100644
index 000000000..02fceb745
--- /dev/null
+++ b/roles/container_runtime/meta/main.yml
@@ -0,0 +1,15 @@
+---
+galaxy_info:
+  author: OpenShift
+  description: container runtime install and configure
+  company: Red Hat, Inc
+  license: ASL 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+dependencies:
+- role: lib_openshift
+- role: lib_os_firewall
+- role: lib_utils
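Review bot: `min_ansible_version: 2.2` understates what the role needs, because tasks/main.yml in this same commit uses `include_tasks`, which was introduced in Ansible 2.4. Declare `min_ansible_version: "2.4"`, quoted so the value stays a string rather than a float, and bring the "Ansible 2.2" requirement in the role README in line with it.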
diff --git a/roles/container_runtime/tasks/crio_firewall.yml b/roles/container_runtime/tasks/crio_firewall.yml
new file mode 100644
index 000000000..fbd1ff515
--- /dev/null
+++ b/roles/container_runtime/tasks/crio_firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_crio_firewall_enabled | bool and not r_crio_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_deny }}"
+
+- when: r_crio_firewall_enabled | bool and r_crio_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_deny }}"
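Review bot: Neither firewall branch restricts the source of the allow rules, so the default `r_crio_os_firewall_allow` entry (`10010/tcp`, from defaults/main.yml) is opened to every address that can reach the host. Whether that port needs to be reachable beyond the local node is not visible here. If host-wide exposure is intended, record it in a comment above the first block, e.g. `# Opens every port in r_crio_os_firewall_allow to all sources; narrow the list or add a source restriction if the runtime port must stay node-local.`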
diff --git a/roles/container_runtime/tasks/main.yml b/roles/container_runtime/tasks/main.yml
new file mode 100644
index 000000000..6d68082b1
--- /dev/null
+++ b/roles/container_runtime/tasks/main.yml
@@ -0,0 +1,85 @@
+---
+- include_tasks: udev_workaround.yml
+  when: docker_udev_workaround | default(False) | bool
+
+- name: Add enterprise registry, if necessary
+  set_fact:
+    l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}"
+  when:
+    - openshift.common.deployment_type == 'openshift-enterprise'
+    - openshift_docker_ent_reg != ''
+    - openshift_docker_ent_reg not in l2_docker_additional_registries
+    - not openshift_use_crio_only | bool
+
+- name: Use Package Docker if Requested
+  include_tasks: package_docker.yml
+  when:
+    - not openshift_docker_use_system_container
+    - not openshift_use_crio_only
+
+- name: Ensure /var/lib/containers exists
+  file:
+    path: /var/lib/containers
+    state: directory
+
+- name: Fix SELinux Permissions on /var/lib/containers
+  command: "restorecon -R /var/lib/containers/"
+  changed_when: false
+
+- name: Use System Container Docker if Requested
+  include_tasks: systemcontainer_docker.yml
+  when:
+    - openshift_docker_use_system_container
+    - not openshift_use_crio_only
+
+- name: Add CRI-O usage Requested
+  include_tasks: systemcontainer_crio.yml
+  when:
+    - openshift_use_crio
+    - openshift_docker_is_node_or_master | bool
+
+- name: stat the docker data dir
+  stat:
+    path: "{{ docker_default_storage_path }}"
+  register: dockerstat
+
+- when:
+    - openshift_use_crio
+    - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool)
+  block:
+    - name: stop the current running docker
+      systemd:
+        state: stopped
+        name: "{{ openshift_docker_service_name }}"
+
+    - name: copy "{{ docker_default_storage_path }}" to "{{ docker_alt_storage_path }}"
+      command: "cp -r {{ docker_default_storage_path }} {{ docker_alt_storage_path }}"
+      register: results
+      failed_when:
+        - results.rc != 0
+
+    - name: "Set the selinux context on {{ docker_alt_storage_path }}"
+      command: "semanage fcontext -a -e {{ docker_default_storage_path }} {{ docker_alt_storage_path }}"
+      register: results
+      failed_when:
+        - results.rc == 1
+        - "'already exists' not in results.stderr"
+
+    - name: "restorecon the {{ docker_alt_storage_path }}"
+      command: "restorecon -r {{ docker_alt_storage_path }}"
+
+    - name: Remove the old docker location
+      file:
+        state: absent
+        path: "{{ docker_default_storage_path }}"
+
+    - name: Setup the link
+      file:
+        state: link
+        src: "{{ docker_alt_storage_path }}"
+        path: "{{ docker_default_storage_path }}"
+
+    - name: start docker
+      systemd:
+        state: started
+        name: "{{ openshift_docker_service_name }}"
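Review bot: The storage move in the `openshift_use_crio` block copies with `cp -r` and then deletes the source, so the ownership and modes of the Docker data are not carried over and there is no fallback once `Remove the old docker location` has run. If `docker_alt_storage_path` already exists, `cp -r` also nests the tree one level deeper instead of replacing it. Use `command: "cp -a {{ docker_default_storage_path }} {{ docker_alt_storage_path }}"` and fail early when the destination is already present. Separately, the `failed_when` list on the `semanage fcontext` task is ANDed, so any return code other than 1 is treated as success; `results.rc != 0` with the `already exists` exemption would be stricter.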
diff --git a/roles/container_runtime/tasks/package_docker.yml b/roles/container_runtime/tasks/package_docker.yml
new file mode 100644
index 000000000..40ab75a25
--- /dev/null
+++ b/roles/container_runtime/tasks/package_docker.yml
@@ -0,0 +1,167 @@
+---
+- name: Get current installed Docker version
+  command: "{{ repoquery_installed }} --qf '%{version}' docker"
+  when: not openshift.common.is_atomic | bool
+  register: curr_docker_version
+  retries: 4
+  until: curr_docker_version | succeeded
+  changed_when: false
+
+- name: Error out if Docker pre-installed but too old
+  fail:
+    msg: "Docker {{ curr_docker_version.stdout }} is installed, but >= 1.9.1 is required."
+  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.9.1', '<') and not docker_version is defined
+
+- name: Error out if requested Docker is too old
+  fail:
+    msg: "Docker {{ docker_version }} requested, but >= 1.9.1 is required."
+  when: docker_version is defined and docker_version | version_compare('1.9.1', '<')
+
+# If a docker_version was requested, sanity check that we can install or upgrade to it, and
+# no downgrade is required.
+- name: Fail if Docker version requested but downgrade is required
+  fail:
+    msg: "Docker {{ curr_docker_version.stdout }} is installed, but version {{ docker_version }} was requested."
+  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and docker_version is defined and curr_docker_version.stdout | version_compare(docker_version, '>')
+
+# This involves an extremely slow migration process, users should instead run the
+# Docker 1.10 upgrade playbook to accomplish this.
+- name: Error out if attempting to upgrade Docker across the 1.10 boundary
+  fail:
+    msg: "Cannot upgrade Docker to >= 1.10, please upgrade or remove Docker manually, or use the Docker upgrade playbook if OpenShift is already installed."
+  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.10', '<') and docker_version is defined and docker_version | version_compare('1.10', '>=')
+
+# Make sure Docker is installed, but does not update a running version.
+# Docker upgrades are handled by a separate playbook.
+# Note: The curr_docker_version.stdout check can be removed when https://github.com/ansible/ansible/issues/33187 gets fixed.
+- name: Install Docker
+  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
+  when: not openshift.common.is_atomic | bool and not curr_docker_version | skipped and not curr_docker_version.stdout != ''
+  register: result
+  until: result | success
+
+- block:
+  # Extend the default Docker service unit file when using iptables-services
+  - name: Ensure docker.service.d directory exists
+    file:
+      path: "{{ docker_systemd_dir }}"
+      state: directory
+
+  - name: Configure Docker service unit file
+    template:
+      dest: "{{ docker_systemd_dir }}/custom.conf"
+      src: custom.conf.j2
+    notify:
+    - restart container runtime
+  when: not (os_firewall_use_firewalld | default(False)) | bool
+
+- stat: path=/etc/sysconfig/docker
+  register: docker_check
+
+- name: Set registry params
+  lineinfile:
+    dest: /etc/sysconfig/docker
+    regexp: '^{{ item.reg_conf_var }}=.*$'
+    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'"
+  when:
+  - item.reg_fact_val != []
+  - docker_check.stat.isreg is defined
+  - docker_check.stat.isreg
+  with_items:
+  - reg_conf_var: ADD_REGISTRY
+    reg_fact_val: "{{ l2_docker_additional_registries }}"
+    reg_flag: --add-registry
+  - reg_conf_var: BLOCK_REGISTRY
+    reg_fact_val: "{{ l2_docker_blocked_registries }}"
+    reg_flag: --block-registry
+  - reg_conf_var: INSECURE_REGISTRY
+    reg_fact_val: "{{ l2_docker_insecure_registries }}"
+    reg_flag: --insecure-registry
+  notify:
+  - restart container runtime
+
+- name: Place additional/blocked/insecure registries in /etc/containers/registries.conf
+  template:
+    dest: "{{ containers_registries_conf_path }}"
+    src: registries.conf
+  when: openshift_docker_use_etc_containers | bool
+  notify:
+  - restart container runtime
+
+- name: Set Proxy Settings
+  lineinfile:
+    dest: /etc/sysconfig/docker
+    regexp: '^{{ item.reg_conf_var }}=.*$'
+    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'"
+    state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}"
+  with_items:
+  - reg_conf_var: HTTP_PROXY
+    reg_fact_val: "{{ docker_http_proxy }}"
+  - reg_conf_var: HTTPS_PROXY
+    reg_fact_val: "{{ docker_https_proxy }}"
+  - reg_conf_var: NO_PROXY
+    reg_fact_val: "{{ docker_no_proxy }}"
+  notify:
+  - restart container runtime
+  when:
+  - docker_check.stat.isreg is defined
+  - docker_check.stat.isreg
+  - docker_http_proxy != '' or docker_https_proxy != ''
+
+- name: Set various Docker options
+  lineinfile:
+    dest: /etc/sysconfig/docker
+    regexp: '^OPTIONS=.*$'
+    line: "OPTIONS='\
+      {% if ansible_selinux.status | default(None) == 'enabled' and openshift_docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \
+      {% if openshift_docker_log_driver | bool %} --log-driver {{ openshift_docker_log_driver }}{% endif %} \
+      {% if l2_docker_log_options != [] %} {{ l2_docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \
+      {% if openshift_docker_hosted_registry_insecure and (openshift_docker_hosted_registry_network | bool) %} --insecure-registry={{ openshift_docker_hosted_registry_network }} {% endif %} \
+      {% if docker_options is defined %} {{ docker_options }}{% endif %} \
+      {% if openshift_docker_options %} {{ openshift_docker_options }}{% endif %} \
+      {% if openshift_docker_disable_push_dockerhub %} --confirm-def-push={{ openshift_docker_disable_push_dockerhub | bool }}{% endif %} \
+      --signature-verification={{ openshift_docker_signature_verification | bool }}'"
+  when: docker_check.stat.isreg is defined and docker_check.stat.isreg
+  notify:
+  - restart container runtime
+
+- stat: path=/etc/sysconfig/docker-network
+  register: sysconfig_docker_network_check
+
+- name: Configure Docker Network OPTIONS
+  lineinfile:
+    dest: /etc/sysconfig/docker-network
+    regexp: '^DOCKER_NETWORK_OPTIONS=.*$'
+    line: "DOCKER_NETWORK_OPTIONS='\
+      {% if openshift.node is defined and openshift.node.sdn_mtu is defined %} --mtu={{ openshift.node.sdn_mtu }}{% endif %}'"
+  when:
+  - sysconfig_docker_network_check.stat.isreg is defined
+  - sysconfig_docker_network_check.stat.isreg
+  notify:
+  - restart container runtime
+
+# The following task is needed as the systemd module may report a change in
+# state even though docker is already running.
+- name: Detect if docker is already started
+  command: "systemctl show docker -p ActiveState"
+  changed_when: False
+  register: r_docker_already_running_result
+
+- name: Start the Docker service
+  systemd:
+    name: docker
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  register: r_docker_package_docker_start_result
+  until: not r_docker_package_docker_start_result | failed
+  retries: 3
+  delay: 30
+
+- set_fact:
+    docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
+
+- meta: flush_handlers
+
+# This needs to run after docker is restarted to account for proxy settings.
+- include_tasks: registry_auth.yml
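Review bot: In `Set various Docker options`, `{% if openshift_docker_log_driver | bool %}` is false for every real driver name, because Ansible's `bool` filter maps only strings such as `yes`, `true`, `on` or `1` to true. A value like `journald` therefore never reaches `--log-driver`, and the daemon silently keeps its default logging. The default is declared as `False  # str`, so a plain truthiness test is what is wanted: `{% if openshift_docker_log_driver %} --log-driver {{ openshift_docker_log_driver }}{% endif %}`. The same `OPTIONS` line emits `--signature-verification=False` unless the default in defaults/main.yml is overridden; a comment there stating that this is deliberate would help operators who expect image signatures to be checked.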
diff --git a/roles/container_runtime/tasks/registry_auth.yml b/roles/container_runtime/tasks/registry_auth.yml
new file mode 100644
index 000000000..2c7bc5711
--- /dev/null
+++ b/roles/container_runtime/tasks/registry_auth.yml
@@ -0,0 +1,32 @@
+---
+- name: Check for credentials file for registry auth
+  stat:
+    path: "{{ docker_cli_auth_config_path }}/config.json"
+  when: oreg_auth_user is defined
+  register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+  register: openshift_docker_credentials_create_res
+  retries: 3
+  delay: 5
+  until: openshift_docker_credentials_create_res.rc == 0
+  when:
+  - not openshift_docker_alternative_creds | bool
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+
+# docker_creds is a custom module from lib_utils
+# 'docker login' requires a docker.service running on the local host, this is an
+# alternative implementation for non-docker hosts.  This implementation does not
+# check the registry to determine whether or not the credentials will work.
+- name: Create credentials for docker cli registry auth (alternative)
+  docker_creds:
+    path: "{{ docker_cli_auth_config_path }}"
+    registry: "{{ oreg_host }}"
+    username: "{{ oreg_auth_user }}"
+    password: "{{ oreg_auth_password }}"
+  when:
+  - openshift_docker_alternative_creds | bool
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
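Review bot: `Create credentials for docker cli registry auth` puts `oreg_auth_password` on the `docker login` command line and neither credential task sets `no_log`. The password can therefore appear in Ansible output and logs on each retry, and in the host's process list while the command runs. Add `no_log: true` to this task and to the `docker_creds` task. The arguments are also unquoted, so a user name or password containing spaces or quote characters is split by the `command` module; quote them, e.g. `-u {{ oreg_auth_user | quote }} -p {{ oreg_auth_password | quote }}`.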
diff --git a/roles/container_runtime/tasks/systemcontainer_crio.yml b/roles/container_runtime/tasks/systemcontainer_crio.yml
new file mode 100644
index 000000000..8dcfe60ef
--- /dev/null
+++ b/roles/container_runtime/tasks/systemcontainer_crio.yml
@@ -0,0 +1,164 @@
+---
+# TODO: Much of this file is shared with container engine tasks
+
+- name: Ensure container-selinux is installed
+  package:
+    name: container-selinux
+    state: present
+  when: not openshift.common.is_atomic | bool
+  register: result
+  until: result | success
+
+- name: Check we are not using node as a Docker container with CRI-O
+  fail: msg='Cannot use CRI-O with node configured as a Docker container'
+  when:
+    - openshift.common.is_containerized | bool
+    - not openshift.common.is_node_system_container | bool
+
+# Used to pull and install the system container
+- name: Ensure atomic is installed
+  package:
+    name: atomic
+    state: present
+  when: not openshift.common.is_atomic | bool
+  register: result
+  until: result | success
+
+# At the time of writing the atomic command requires runc for it's own use. This
+# task is here in the even that the atomic package ever removes the dependency.
+- name: Ensure runc is installed
+  package:
+    name: runc
+    state: present
+  when: not openshift.common.is_atomic | bool
+  register: result
+  until: result | success
+
+
+- name: Check that overlay is in the kernel
+  shell: lsmod | grep overlay
+  register: l_has_overlay_in_kernel
+  ignore_errors: yes
+  failed_when: false
+
+- when: l_has_overlay_in_kernel.rc != 0
+  block:
+
+    - name: Add overlay to modprobe.d
+      template:
+        dest: /etc/modules-load.d/overlay.conf
+        src: overlay.conf.j2
+        backup: yes
+
+    - name: Manually modprobe overlay into the kernel
+      command: modprobe overlay
+
+    - name: Enable and start systemd-modules-load
+      service:
+        name: systemd-modules-load
+        enabled: yes
+        state: restarted
+
+- name: Ensure proxies are in the atomic.conf
+  include_role:
+    name: openshift_atomic
+    tasks_from: proxy
+
+- block:
+
+    - name: Set CRI-O image defaults
+      set_fact:
+        l_crio_image_prepend: "docker.io/gscrivano"
+        l_crio_image_name: "cri-o-fedora"
+        l_crio_image_tag: "latest"
+
+    - name: Use Centos based image when distribution is CentOS
+      set_fact:
+        l_crio_image_name: "cri-o-centos"
+      when: ansible_distribution == "CentOS"
+
+    - name: Set CRI-O image tag
+      set_fact:
+        l_crio_image_tag: "{{ l_openshift_image_tag }}"
+      when:
+        - openshift_deployment_type == 'openshift-enterprise'
+
+    - name: Use RHEL based image when distribution is Red Hat
+      set_fact:
+        l_crio_image_prepend: "registry.access.redhat.com/openshift3"
+        l_crio_image_name: "cri-o"
+      when: ansible_distribution == "RedHat"
+
+    - name: Set the full image name
+      set_fact:
+        l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:{{ l_crio_image_tag }}"
+
+    # For https://github.com/openshift/aos-cd-jobs/pull/624#pullrequestreview-61816548
+    - name: Use a specific image if requested
+      set_fact:
+        l_crio_image: "{{ openshift_crio_systemcontainer_image_override }}"
+      when:
+        - openshift_crio_systemcontainer_image_override is defined
+        - openshift_crio_systemcontainer_image_override != ""
+
+    # Be nice and let the user see the variable result
+    - debug:
+        var: l_crio_image
+
+# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
+- name: Pre-pull CRI-O System Container image
+  command: "atomic pull --storage ostree {{ l_crio_image }}"
+  changed_when: false
+  environment:
+    NO_PROXY: "{{ openshift.common.no_proxy | default('') }}"
+
+
+- name: Install CRI-O System Container
+  oc_atomic_container:
+    name: "cri-o"
+    image: "{{ l_crio_image }}"
+    state: latest
+
+- name: Remove CRI-O default configuration files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/cni/net.d/200-loopback.conf
+    - /etc/cni/net.d/100-crio-bridge.conf
+
+- name: Create the CRI-O configuration
+  template:
+    dest: /etc/crio/crio.conf
+    src: crio.conf.j2
+    backup: yes
+
+- name: Ensure CNI configuration directory exists
+  file:
+    path: /etc/cni/net.d/
+    state: directory
+
+- name: setup firewall for CRI-O
+  include_tasks: crio_firewall.yml
+  static: yes
+
+- name: Configure the CNI network
+  template:
+    dest: /etc/cni/net.d/openshift-sdn.conf
+    src: 80-openshift-sdn.conf.j2
+
+- name: Start the CRI-O service
+  systemd:
+    name: "cri-o"
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  register: start_result
+
+- meta: flush_handlers
+
+# If we are using crio only, docker.service might not be available for
+# 'docker login'
+- include_tasks: registry_auth.yml
+  vars:
+    openshift_docker_alternative_creds: "{{ openshift_use_crio_only }}"
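Review bot: The default image built in `Set CRI-O image defaults` is `docker.io/gscrivano/cri-o-fedora:latest`, an individual's Docker Hub namespace at a mutable tag, and `oc_atomic_container` installs it with `state: latest` as the host's container runtime. On non-RedHat distributions the namespace stays `gscrivano`, and outside `openshift-enterprise` the tag stays `latest`, so nothing in this file pins what is pulled and a changed upstream image is picked up on the next run. Consider defaulting `l_crio_image_tag` to a fixed release tag, or expecting `openshift_crio_systemcontainer_image_override` to carry a digest-pinned reference, and say so in a comment such as `# Default image is unpinned community content; override with a pinned reference outside of test clusters`. The same `gscrivano`/`latest` default appears in the `Set to default prepend` task of systemcontainer_docker.yml.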
diff --git a/roles/container_runtime/tasks/systemcontainer_docker.yml b/roles/container_runtime/tasks/systemcontainer_docker.yml
new file mode 100644
index 000000000..84217e50c
--- /dev/null
+++ b/roles/container_runtime/tasks/systemcontainer_docker.yml
@@ -0,0 +1,163 @@
+---
+# If docker_options are provided we should fail. We should not install docker and ignore
+# the users configuration. NOTE: docker_options == inventory:openshift_docker_options
+- name: Fail quickly if openshift_docker_options are set
+  assert:
+    that:
+      - "{% if not openshift_docker_options %}1{% else %}0{% endif %}"
+    msg: |
+      Docker via System Container does not allow for the use of the openshift_docker_options
+      variable. If you want to use openshift_docker_options you will need to use the
+      traditional docker package install. Otherwise, comment out openshift_docker_options
+      in your inventory file.
+
+- name: Ensure container-selinux is installed
+  package:
+    name: container-selinux
+    state: present
+  when: not openshift.common.is_atomic | bool
+  register: result
+  until: result | success
+
+# Used to pull and install the system container
+- name: Ensure atomic is installed
+  package:
+    name: atomic
+    state: present
+  when: not openshift.common.is_atomic | bool
+  register: result
+  until: result | success
+
+# At the time of writing the atomic command requires runc for it's own use. This
+# task is here in the even that the atomic package ever removes the dependency.
+- name: Ensure runc is installed
+  package:
+    name: runc
+    state: present
+  when: not openshift.common.is_atomic | bool
+  register: result
+  until: result | success
+
+# Make sure Docker is installed so we are able to use the client
+- name: Install Docker so we can use the client
+  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
+  when: not openshift.common.is_atomic | bool
+  register: result
+  until: result | success
+
+# Make sure docker is disabled. Errors are ignored.
+- name: Disable Docker
+  systemd:
+    name: docker
+    enabled: no
+    state: stopped
+    daemon_reload: yes
+  ignore_errors: True
+  register: r_docker_systemcontainer_docker_stop_result
+  until: not r_docker_systemcontainer_docker_stop_result | failed
+  retries: 3
+  delay: 30
+
+- name: Ensure proxies are in the atomic.conf
+  include_role:
+    name: openshift_atomic
+    tasks_from: proxy
+
+- block:
+
+    - name: Set to default prepend
+      set_fact:
+        l_docker_image_prepend: "gscrivano"
+        l_docker_image_tag: "latest"
+
+    - name: Set container engine image tag
+      set_fact:
+        l_docker_image_tag: "{{ l_openshift_image_tag }}"
+      when:
+        - openshift_deployment_type == 'openshift-enterprise'
+
+    - name: Use Red Hat Registry for image when distribution is Red Hat
+      set_fact:
+        l_docker_image_prepend: "registry.access.redhat.com/openshift3"
+      when: ansible_distribution == 'RedHat'
+
+    - name: Use Fedora Registry for image when distribution is Fedora
+      set_fact:
+        l_docker_image_prepend: "registry.fedoraproject.org/f25"
+      when: ansible_distribution == 'Fedora'
+
+    - name: Set the full image name
+      set_fact:
+        l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift_docker_service_name }}:{{ l_docker_image_tag }}"
+
+    # For https://github.com/openshift/openshift-ansible/pull/5354#issuecomment-328552959
+    - name: Use a specific image if requested
+      set_fact:
+        l_docker_image: "{{ openshift_docker_systemcontainer_image_override }}"
+      when:
+        - openshift_docker_systemcontainer_image_override is defined
+        - openshift_docker_systemcontainer_image_override != ""
+
+    # Be nice and let the user see the variable result
+    - debug:
+        var: l_docker_image
+
+# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
+- name: Pre-pull Container Engine System Container image
+  command: "atomic pull --storage ostree {{ l_docker_image }}"
+  changed_when: false
+  environment:
+    NO_PROXY: "{{ docker_no_proxy }}"
+
+
+- name: Ensure container-engine.service.d directory exists
+  file:
+    path: "{{ container_engine_systemd_dir }}"
+    state: directory
+
+- name: Ensure /etc/docker directory exists
+  file:
+    path: "{{ docker_conf_dir }}"
+    state: directory
+
+- name: Install Container Engine System Container
+  oc_atomic_container:
+    name: "{{ openshift_docker_service_name }}"
+    image: "{{ l_docker_image }}"
+    state: latest
+
+- name: Configure Container Engine Service File
+  template:
+    dest: "{{ container_engine_systemd_dir }}/custom.conf"
+    src: systemcontainercustom.conf.j2
+
+# Configure container-engine using the container-daemon.json file
+# NOTE: daemon.json and container-daemon.json have been seperated to avoid
+#       collision.
+- name: Configure Container Engine
+  template:
+    dest: "{{ docker_conf_dir }}/container-daemon.json"
+    src: daemon.json
+
+# Enable and start the container-engine service
+- name: Start the Container Engine service
+  systemd:
+    name: "{{ openshift_docker_service_name }}"
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  register: r_docker_systemcontainer_docker_start_result
+  until: not r_docker_systemcontainer_docker_start_result | failed
+  retries: 3
+  delay: 30
+
+- set_fact:
+    docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}"
+
+- meta: flush_handlers
+
+# Since docker is running as a system container, docker login will fail to create
+# credentials.  Use alternate method if requiring authenticated registries.
+- include_tasks: registry_auth.yml
+  vars:
+    openshift_docker_alternative_creds: True
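Review bot: `l_docker_image_prepend: "gscrivano"` in `Set to default prepend` carries no registry host, unlike the CRI-O task file, which uses `docker.io/gscrivano`. The resulting `l_docker_image` is an unqualified name, so which registry `atomic pull --storage ostree` contacts presumably depends on the host's registry configuration rather than on this role. Making the default fully qualified, `l_docker_image_prepend: "docker.io/gscrivano"`, removes that ambiguity; the RedHat and Fedora branches already name their registry.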
diff --git a/roles/container_runtime/tasks/udev_workaround.yml b/roles/container_runtime/tasks/udev_workaround.yml
new file mode 100644
index 000000000..257c3123d
--- /dev/null
+++ b/roles/container_runtime/tasks/udev_workaround.yml
@@ -0,0 +1,24 @@
+---
+
+- name: Getting current systemd-udevd exec command
+  command: grep -e "^ExecStart=" /lib/systemd/system/systemd-udevd.service
+  changed_when: false
+  register: udevw_udev_start_cmd
+
+- name: Assure systemd-udevd.service.d directory exists
+  file:
+    path: "{{ udevw_udevd_dir }}"
+    state: directory
+
+- name: Create systemd-udevd override file
+  copy:
+    content: |
+      [Service]
+      #Need blank ExecStart to "clear" pre-existing one
+      ExecStart=
+      {{ udevw_udev_start_cmd.stdout }} --event-timeout=300
+    dest: "{{ udevw_udevd_dir }}/override.conf"
+    owner: root
+    mode: "0644"
+  notify:
+    - restart udev
diff --git a/roles/container_runtime/templates/80-openshift-sdn.conf.j2 b/roles/container_runtime/templates/80-openshift-sdn.conf.j2
new file mode 100644
index 000000000..a693aea5f
--- /dev/null
+++ b/roles/container_runtime/templates/80-openshift-sdn.conf.j2
@@ -0,0 +1,5 @@
+{
+  "cniVersion": "0.1.0",
+  "name": "openshift-sdn",
+  "type": "openshift-sdn"
+}
diff --git a/roles/container_runtime/templates/crio.conf.j2 b/roles/container_runtime/templates/crio.conf.j2
new file mode 100644
index 000000000..3f066a17f
--- /dev/null
+++ b/roles/container_runtime/templates/crio.conf.j2
@@ -0,0 +1,164 @@
+# {{ ansible_managed }}
+
+# The "crio" table contains all of the server options.
+[crio]
+
+# root is a path to the "root directory". CRIO stores all of its data,
+# including container images, in this directory.
+root = "/var/lib/containers/storage"
+
+# run is a path to the "run directory". CRIO stores all of its state
+# in this directory.
+runroot = "/var/run/containers/storage"
+
+# storage_driver select which storage driver is used to manage storage
+# of images and containers.
+storage_driver = "overlay"
+
+# storage_option is used to pass an option to the storage driver.
+storage_option = [
+{% if ansible_distribution in ['RedHat', 'CentOS'] %}
+	"overlay.override_kernel_check=1"
+{% endif %}
+]
+
+# The "crio.api" table contains settings for the kubelet/gRPC
+# interface (which is also used by crioctl).
+[crio.api]
+
+# listen is the path to the AF_LOCAL socket on which crio will listen.
+listen = "/var/run/crio.sock"
+
+# stream_address is the IP address on which the stream server will listen
+stream_address = ""
+
+# stream_port is the port on which the stream server will listen
+stream_port = "10010"
+
+# file_locking is whether file-based locking will be used instead of
+# in-memory locking
+file_locking = true
+
+# The "crio.runtime" table contains settings pertaining to the OCI
+# runtime used and options for how to set up and manage the OCI runtime.
+[crio.runtime]
+
+# runtime is the OCI compatible runtime used for trusted container workloads.
+# This is a mandatory setting as this runtime will be the default one
+# and will also be used for untrusted container workloads if
+# runtime_untrusted_workload is not set.
+runtime = "/usr/bin/runc"
+
+# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
+# container workloads. This is an optional setting, except if
+# default_container_trust is set to "untrusted".
+runtime_untrusted_workload = ""
+
+# default_workload_trust is the default level of trust crio puts in container
+# workloads. It can either be "trusted" or "untrusted", and the default
+# is "trusted".
+# Containers can be run through different container runtimes, depending on
+# the trust hints we receive from kubelet:
+# - If kubelet tags a container workload as untrusted, crio will try first to
+# run it through the untrusted container workload runtime. If it is not set,
+# crio will use the trusted runtime.
+# - If kubelet does not provide any information about the container workload trust
+# level, the selected runtime will depend on the default_container_trust setting.
+# If it is set to "untrusted", then all containers except for the host privileged
+# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
+# containers are by definition trusted and will always use the trusted container
+# runtime. If default_container_trust is set to "trusted", crio will use the trusted
+# container runtime for all containers.
+default_workload_trust = "trusted"
+
+# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
+no_pivot = false
+
+# conmon is the path to conmon binary, used for managing the runtime.
+conmon = "/usr/libexec/crio/conmon"
+
+# conmon_env is the environment variable list for conmon process,
+# used for passing necessary environment variable to conmon or runtime.
+conmon_env = [
+	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+]
+
+# selinux indicates whether or not SELinux will be used for pod
+# separation on the host. If you enable this flag, SELinux must be running
+# on the host.
+selinux = true
+
+# seccomp_profile is the seccomp json profile path which is used as the
+# default for the runtime.
+seccomp_profile = "/etc/crio/seccomp.json"
+
+# apparmor_profile is the apparmor profile name which is used as the
+# default for the runtime.
+apparmor_profile = "crio-default"
+
+# cgroup_manager is the cgroup management implementation to be used
+# for the runtime.
+cgroup_manager = "systemd"
+
+# hooks_dir_path is the oci hooks directory for automatically executed hooks
+hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+
+# default_mounts is the mounts list to be mounted for the container when created
+default_mounts = [
+	"/usr/share/rhel/secrets:/run/secrets",
+]
+
+# pids_limit is the number of processes allowed in a container
+pids_limit = 1024
+
+# log_size_max is the max limit for the container log size in bytes.
+# Negative values indicate that no limit is imposed.
+log_size_max = 52428800
+
+# The "crio.image" table contains settings pertaining to the
+# management of OCI images.
+[crio.image]
+
+# default_transport is the prefix we try prepending to an image name if the
+# image name as we receive it can't be parsed as a valid source reference
+default_transport = "docker://"
+
+# pause_image is the image which we use to instantiate infra containers.
+pause_image = "kubernetes/pause"
+
+# pause_command is the command to run in a pause_image to have a container just
+# sit there.  If the image contains the necessary information, this value need
+# not be specified.
+pause_command = "/pause"
+
+# signature_policy is the name of the file which decides what sort of policy we
+# use when deciding whether or not to trust an image that we've pulled.
+# Outside of testing situations, it is strongly advised that this be left
+# unspecified so that the default system-wide policy will be used.
+signature_policy = ""
+
+# image_volumes controls how image volumes are handled.
+# The valid values are mkdir and ignore.
+image_volumes = "mkdir"
+
+# insecure_registries is used to skip TLS verification when pulling images.
+insecure_registries = [
+{{ l_insecure_crio_registries|default("") }}
+]
+
+# registries is used to specify a comma separated list of registries to be used
+# when pulling an unqualified image (e.g. fedora:rawhide).
+registries = [
+{{ l_additional_crio_registries|default("") }}
+]
+
+# The "crio.network" table contains settings pertaining to the
+# management of CNI plugins.
+[crio.network]
+
+# network_dir is is where CNI network configuration
+# files are stored.
+network_dir = "/etc/cni/net.d/"
+
+# plugin_dir is is where CNI plugin binaries are stored.
+plugin_dir = "/opt/cni/bin/"
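Review bot: `stream_address = ""` leaves the bind address of the stream server on `stream_port = "10010"` to CRI-O's default, and systemcontainer_crio.yml includes crio_firewall.yml for this runtime. Whether that port ends up reachable from other hosts depends on that default and on the firewall allow list, neither of which is visible in this hunk. I would record the intent next to the setting, for example `# NOTE: empty stream_address defers to CRI-O's default bind address; confirm the stream port is reachable only by intended clients`, or template the address from inventory. Separately, the comments above `runtime_untrusted_workload` and `default_workload_trust` refer to `default_container_trust`, which is not the key the file sets.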
diff --git a/roles/container_runtime/templates/custom.conf.j2 b/roles/container_runtime/templates/custom.conf.j2
new file mode 100644
index 000000000..713412473
--- /dev/null
+++ b/roles/container_runtime/templates/custom.conf.j2
@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+[Unit]
+Wants=iptables.service
+After=iptables.service
+
+# The following line is a work-around to ensure docker is restarted whenever
+# iptables is restarted.  This ensures the proper iptables rules will be in
+# place for docker.
+# Note:  This will also cause docker to be stopped if iptables is stopped.
+PartOf=iptables.service
diff --git a/roles/container_runtime/templates/daemon.json b/roles/container_runtime/templates/daemon.json
new file mode 100644
index 000000000..383963bd3
--- /dev/null
+++ b/roles/container_runtime/templates/daemon.json
@@ -0,0 +1,20 @@
+{
+    "authorization-plugins": ["rhel-push-plugin"],
+    "default-runtime": "oci",
+    "containerd": "/run/containerd.sock",
+    "disable-legacy-registry": false,
+    "exec-opts": ["native.cgroupdriver=systemd"],
+    "insecure-registries": {{ l_docker_insecure_registries }},
+{% if openshift_docker_log_driver is defined  %}
+    "log-driver": "{{ openshift_docker_log_driver }}",
+{%- endif %}
+    "log-opts": {{ l_docker_log_options }},
+    "runtimes": {
+	"oci": {
+	    "path": "/usr/libexec/docker/docker-runc-current"
+	}
+    },
+    "selinux-enabled": {{ l_docker_selinux_enabled | lower }},
+    "add-registry": {{ l_docker_additional_registries }},
+    "block-registry": {{ l_docker_blocked_registries }}
+}
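Review bot: `"disable-legacy-registry": false` explicitly keeps the legacy (v1) registry protocol enabled for the container-engine daemon, so pulls can fall back to it. Unless a v1-only registry has to be supported, set `"disable-legacy-registry": true,` instead. Whether every docker build this role targets still accepts the key should be confirmed before changing it.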
diff --git a/roles/container_runtime/templates/overlay.conf.j2 b/roles/container_runtime/templates/overlay.conf.j2
new file mode 100644
index 000000000..782f46c2e
--- /dev/null
+++ b/roles/container_runtime/templates/overlay.conf.j2
@@ -0,0 +1,2 @@
+### {{ ansible_managed }}
+overlay
diff --git a/roles/container_runtime/templates/registries.conf b/roles/container_runtime/templates/registries.conf
new file mode 100644
index 000000000..d379b2be0
--- /dev/null
+++ b/roles/container_runtime/templates/registries.conf
@@ -0,0 +1,46 @@
+# {{ ansible_managed }}
+# This is a system-wide configuration file used to
+# keep track of registries for various container backends.
+# It adheres to YAML format and does not support recursive
+# lists of registries.
+
+# The default location for this configuration file is /etc/containers/registries.conf.
+
+# The only valid categories are: 'registries', 'insecure_registries',
+# and 'block_registries'.
+
+
+#registries:
+#  - registry.access.redhat.com
+
+{% if l2_docker_additional_registries %}
+registries:
+{% for reg in l2_docker_additional_registries %}
+  - {{ reg }}
+{% endfor %}
+{% endif %}
+
+# If you need to access insecure registries, uncomment the section below
+# and add the registries fully-qualified name. An insecure registry is one
+# that does not have a valid SSL certificate or only does HTTP.
+#insecure_registries:
+#  -
+
+{% if l2_docker_insecure_registries %}
+insecure_registries:
+{% for reg in l2_docker_insecure_registries %}
+  - {{ reg }}
+{% endfor %}
+{% endif %}
+
+# If you need to block pull access from a registry, uncomment the section below
+# and add the registries fully-qualified name.
+#block_registries:
+# -
+
+{% if l2_docker_blocked_registries %}
+block_registries:
+{% for reg in l2_docker_blocked_registries %}
+  - {{ reg }}
+{% endfor %}
+{% endif %}
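Review bot: The three loops emit `  - {{ reg }}` as plain YAML scalars, so an inventory value that starts with a YAML indicator or contains `: ` or ` #` changes how the file parses instead of being read as a registry name. Emitting `  - '{{ reg }}'` in the `registries`, `insecure_registries` and `block_registries` loops keeps each entry a string. That matters most for `insecure_registries` and `block_registries`, where a mis-parsed entry silently changes which registries are trusted or blocked.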
diff --git a/roles/container_runtime/templates/systemcontainercustom.conf.j2 b/roles/container_runtime/templates/systemcontainercustom.conf.j2
new file mode 100644
index 000000000..86eebfba6
--- /dev/null
+++ b/roles/container_runtime/templates/systemcontainercustom.conf.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Service]
+{% if "http_proxy" in openshift.common %}
+Environment=HTTP_PROXY={{ docker_http_proxy }}
+{% endif -%}
+{% if "https_proxy" in openshift.common %}
+Environment=HTTPS_PROXY={{ docker_http_proxy }}
+{% endif -%}
+{% if "no_proxy" in openshift.common %}
+Environment=NO_PROXY={{ docker_no_proxy }}
+{% endif %}
+{%- if os_firewall_use_firewalld|default(false) %}
+[Unit]
+Wants=iptables.service
+After=iptables.service
+{%- endif %}
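Review bot: `Environment=HTTPS_PROXY={{ docker_http_proxy }}` renders the HTTP proxy value into HTTPS_PROXY, although the guard above it tests `"https_proxy" in openshift.common`. If the two proxies differ, the container engine's HTTPS traffic, including registry pulls, is sent through the wrong proxy. The line should use the role's HTTPS proxy variable, whose name is not visible in this hunk. The trailing block also adds `Wants=iptables.service`/`After=iptables.service` only when `os_firewall_use_firewalld` is true, which looks inverted next to custom.conf.j2 and is worth confirming.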
diff --git a/roles/container_runtime/vars/main.yml b/roles/container_runtime/vars/main.yml
new file mode 100644
index 000000000..4e940b7f5
--- /dev/null
+++ b/roles/container_runtime/vars/main.yml
@@ -0,0 +1,5 @@
+---
+docker_systemd_dir: /etc/systemd/system/docker.service.d
+container_engine_systemd_dir: /etc/systemd/system/container-engine.service.d
+docker_conf_dir: /etc/docker/
+udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d
diff --git a/roles/contiv/defaults/main.yml b/roles/contiv/defaults/main.yml
index b5d2f7c6e..aa976d921 100644
--- a/roles/contiv/defaults/main.yml
+++ b/roles/contiv/defaults/main.yml
@@ -119,3 +119,5 @@ contiv_h1_gw_default: "10.129.0.1"
 
 # contiv default private subnet for ext access
 contiv_private_ext_subnet: "10.130.0.0/16"
+
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
diff --git a/roles/contiv/tasks/netplugin.yml b/roles/contiv/tasks/netplugin.yml
index 0b2f91bab..cf92a8cc0 100644
--- a/roles/contiv/tasks/netplugin.yml
+++ b/roles/contiv/tasks/netplugin.yml
@@ -105,7 +105,7 @@
 
 - name: Docker | Restart docker
   service:
-    name: "{{ openshift.docker.service_name }}"
+    name: "{{ openshift_docker_service_name }}"
     state: restarted
   when: docker_updated|changed
   register: l_docker_restart_docker_in_contiv_result
diff --git a/roles/contiv/templates/aci-gw.service b/roles/contiv/templates/aci-gw.service
index 4506d2231..90bb98001 100644
--- a/roles/contiv/templates/aci-gw.service
+++ b/roles/contiv/templates/aci-gw.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Contiv ACI gw
-After=auditd.service systemd-user-sessions.service time-sync.target {{ openshift.docker.service_name }}.service
+After=auditd.service systemd-user-sessions.service time-sync.target {{ openshift_docker_service_name }}.service
 
 [Service]
 ExecStart={{ bin_dir }}/aci_gw.sh start
diff --git a/roles/docker/README.md b/roles/docker/README.md
deleted file mode 100644
index 19908c036..000000000
--- a/roles/docker/README.md
+++ /dev/null
@@ -1,43 +0,0 @@
-Docker
-=========
-
-Ensures docker package or system container is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes.
-
-container-daemon.json items may be found at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
-
-Requirements
-------------
-
-Ansible 2.2
-
-Role Variables
---------------
-
-docker_conf_dir: location of the Docker configuration directory
-docker_systemd_dir location of the systemd directory for Docker
-docker_udev_workaround: raises udevd timeout to 5 minutes (https://bugzilla.redhat.com/show_bug.cgi?id=1272446)
-udevw_udevd_dir: location of systemd config for systemd-udevd.service
-
-Dependencies
-------------
-
-Depends on the os_firewall role.
-
-Example Playbook
-----------------
-
-    - hosts: servers
-      roles:
-      - role: docker
-        docker_udev_workaround: "true"
-        docker_use_system_container: False
-
-License
--------
-
-ASL 2.0
-
-Author Information
-------------------
-
-OpenShift operations, Red Hat, Inc
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
deleted file mode 100644
index 224844a06..000000000
--- a/roles/docker/defaults/main.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-docker_cli_auth_config_path: '/root/.docker'
-openshift_docker_signature_verification: False
-
-openshift_docker_alternative_creds: False
-
-# oreg_url is defined by user input.
-oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
-oreg_auth_credentials_replace: False
-
-openshift_docker_additional_registries: []
-openshift_docker_blocked_registries: []
-openshift_docker_insecure_registries: []
-
-openshift_docker_ent_reg: 'registry.access.redhat.com'
-
-# The l2_docker_* variables convert csv strings to lists, if
-# necessary.  These variables should be used in place of their respective
-# openshift_docker_* counterparts to ensure the properly formatted lists are
-# utilized.
-l2_docker_additional_registries: "{% if openshift_docker_additional_registries is string %}{% if openshift_docker_additional_registries == '' %}[]{% elif ',' in openshift_docker_additional_registries %}{{ openshift_docker_additional_registries.split(',') | list }}{% else %}{{ [ openshift_docker_additional_registries ] }}{% endif %}{% else %}{{ openshift_docker_additional_registries }}{% endif %}"
-l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}"
-l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}"
-
-openshift_docker_use_etc_containers: False
-containers_registries_conf_path: /etc/containers/registries.conf
-
-r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
-r_crio_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
-
-r_crio_os_firewall_deny: []
-r_crio_os_firewall_allow:
-- service: crio
-  port: 10010/tcp
-
-
-openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['oo_masters_to_config']|default([])) or inventory_hostname in (groups['oo_nodes_to_config']|default([])) else False | bool }}"
-
-docker_alt_storage_path: /var/lib/containers/docker
-docker_default_storage_path: /var/lib/docker
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
deleted file mode 100644
index 866ed0452..000000000
--- a/roles/docker/handlers/main.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-
-- name: restart docker
-  systemd:
-    name: "{{ openshift.docker.service_name }}"
-    state: restarted
-    daemon_reload: yes
-  register: r_docker_restart_docker_result
-  until: not r_docker_restart_docker_result | failed
-  retries: 3
-  delay: 30
-  when: not docker_service_status_changed | default(false) | bool
-
-- name: restart udev
-  systemd:
-    name: systemd-udevd
-    state: restarted
-    daemon_reload: yes
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
deleted file mode 100644
index d5faae8df..000000000
--- a/roles/docker/meta/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-galaxy_info:
-  author: OpenShift
-  description: docker package install
-  company: Red Hat, Inc
-  license: ASL 2.0
-  min_ansible_version: 2.2
-  platforms:
-  - name: EL
-    versions:
-    - 7
-dependencies:
-- role: lib_openshift
-- role: lib_os_firewall
-- role: lib_utils
diff --git a/roles/docker/tasks/crio_firewall.yml b/roles/docker/tasks/crio_firewall.yml
deleted file mode 100644
index fbd1ff515..000000000
--- a/roles/docker/tasks/crio_firewall.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-- when: r_crio_firewall_enabled | bool and not r_crio_use_firewalld | bool
-  block:
-  - name: Add iptables allow rules
-    os_firewall_manage_iptables:
-      name: "{{ item.service }}"
-      action: add
-      protocol: "{{ item.port.split('/')[1] }}"
-      port: "{{ item.port.split('/')[0] }}"
-    when: item.cond | default(True)
-    with_items: "{{ r_crio_os_firewall_allow }}"
-
-  - name: Remove iptables rules
-    os_firewall_manage_iptables:
-      name: "{{ item.service }}"
-      action: remove
-      protocol: "{{ item.port.split('/')[1] }}"
-      port: "{{ item.port.split('/')[0] }}"
-    when: item.cond | default(True)
-    with_items: "{{ r_crio_os_firewall_deny }}"
-
-- when: r_crio_firewall_enabled | bool and r_crio_use_firewalld | bool
-  block:
-  - name: Add firewalld allow rules
-    firewalld:
-      port: "{{ item.port }}"
-      permanent: true
-      immediate: true
-      state: enabled
-    when: item.cond | default(True)
-    with_items: "{{ r_crio_os_firewall_allow }}"
-
-  - name: Remove firewalld allow rules
-    firewalld:
-      port: "{{ item.port }}"
-      permanent: true
-      immediate: true
-      state: disabled
-    when: item.cond | default(True)
-    with_items: "{{ r_crio_os_firewall_deny }}"
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
deleted file mode 100644
index b02a74711..000000000
--- a/roles/docker/tasks/main.yml
+++ /dev/null
@@ -1,93 +0,0 @@
----
-# These tasks dispatch to the proper set of docker tasks based on the
-# inventory:openshift_docker_use_system_container variable
-
-- include_tasks: udev_workaround.yml
-  when: docker_udev_workaround | default(False) | bool
-
-- set_fact:
-    l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}"
-    l_use_crio: "{{ openshift_use_crio | default(False) }}"
-    l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}"
-
-- name: Add enterprise registry, if necessary
-  set_fact:
-    l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}"
-  when:
-    - openshift.common.deployment_type == 'openshift-enterprise'
-    - openshift_docker_ent_reg != ''
-    - openshift_docker_ent_reg not in l2_docker_additional_registries
-    - not l_use_crio_only
-
-- name: Use Package Docker if Requested
-  include_tasks: package_docker.yml
-  when:
-    - not l_use_system_container
-    - not l_use_crio_only
-
-- name: Ensure /var/lib/containers exists
-  file:
-    path: /var/lib/containers
-    state: directory
-
-- name: Fix SELinux Permissions on /var/lib/containers
-  command: "restorecon -R /var/lib/containers/"
-  changed_when: false
-
-- name: Use System Container Docker if Requested
-  include_tasks: systemcontainer_docker.yml
-  when:
-    - l_use_system_container
-    - not l_use_crio_only
-
-- name: Add CRI-O usage Requested
-  include_tasks: systemcontainer_crio.yml
-  when:
-    - l_use_crio
-    - openshift_docker_is_node_or_master | bool
-
-- name: stat the docker data dir
-  stat:
-    path: "{{ docker_default_storage_path }}"
-  register: dockerstat
-
-- when:
-    - l_use_crio
-    - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool)
-  block:
-    - name: stop the current running docker
-      systemd:
-        state: stopped
-        name: "{{ openshift.docker.service_name }}"
-
-    - name: copy "{{ docker_default_storage_path }}" to "{{ docker_alt_storage_path }}"
-      command: "cp -r {{ docker_default_storage_path }} {{ docker_alt_storage_path }}"
-      register: results
-      failed_when:
-        - results.rc != 0
-
-    - name: "Set the selinux context on {{ docker_alt_storage_path }}"
-      command: "semanage fcontext -a -e {{ docker_default_storage_path }} {{ docker_alt_storage_path }}"
-      register: results
-      failed_when:
-        - results.rc == 1
-        - "'already exists' not in results.stderr"
-
-    - name: "restorecon the {{ docker_alt_storage_path }}"
-      command: "restorecon -r {{ docker_alt_storage_path }}"
-
-    - name: Remove the old docker location
-      file:
-        state: absent
-        path: "{{ docker_default_storage_path }}"
-
-    - name: Setup the link
-      file:
-        state: link
-        src: "{{ docker_alt_storage_path }}"
-        path: "{{ docker_default_storage_path }}"
-
-    - name: start docker
-      systemd:
-        state: started
-        name: "{{ openshift.docker.service_name }}"
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
deleted file mode 100644
index 044b04478..000000000
--- a/roles/docker/tasks/package_docker.yml
+++ /dev/null
@@ -1,163 +0,0 @@
----
-- name: Get current installed Docker version
-  command: "{{ repoquery_installed }} --qf '%{version}' docker"
-  when: not openshift.common.is_atomic | bool
-  register: curr_docker_version
-  retries: 4
-  until: curr_docker_version | succeeded
-  changed_when: false
-
-- name: Error out if Docker pre-installed but too old
-  fail:
-    msg: "Docker {{ curr_docker_version.stdout }} is installed, but >= 1.9.1 is required."
-  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.9.1', '<') and not docker_version is defined
-
-- name: Error out if requested Docker is too old
-  fail:
-    msg: "Docker {{ docker_version }} requested, but >= 1.9.1 is required."
-  when: docker_version is defined and docker_version | version_compare('1.9.1', '<')
-
-# If a docker_version was requested, sanity check that we can install or upgrade to it, and
-# no downgrade is required.
-- name: Fail if Docker version requested but downgrade is required
-  fail:
-    msg: "Docker {{ curr_docker_version.stdout }} is installed, but version {{ docker_version }} was requested."
-  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and docker_version is defined and curr_docker_version.stdout | version_compare(docker_version, '>')
-
-# This involves an extremely slow migration process, users should instead run the
-# Docker 1.10 upgrade playbook to accomplish this.
-- name: Error out if attempting to upgrade Docker across the 1.10 boundary
-  fail:
-    msg: "Cannot upgrade Docker to >= 1.10, please upgrade or remove Docker manually, or use the Docker upgrade playbook if OpenShift is already installed."
-  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.10', '<') and docker_version is defined and docker_version | version_compare('1.10', '>=')
-
-# Make sure Docker is installed, but does not update a running version.
-# Docker upgrades are handled by a separate playbook.
-# Note: The curr_docker_version.stdout check can be removed when https://github.com/ansible/ansible/issues/33187 gets fixed.
-- name: Install Docker
-  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
-  when: not openshift.common.is_atomic | bool and not curr_docker_version | skipped and not curr_docker_version.stdout != ''
-  register: result
-  until: result | success
-
-- block:
-  # Extend the default Docker service unit file when using iptables-services
-  - name: Ensure docker.service.d directory exists
-    file:
-      path: "{{ docker_systemd_dir }}"
-      state: directory
-
-  - name: Configure Docker service unit file
-    template:
-      dest: "{{ docker_systemd_dir }}/custom.conf"
-      src: custom.conf.j2
-    notify:
-    - restart docker
-  when: not (os_firewall_use_firewalld | default(False)) | bool
-
-- stat: path=/etc/sysconfig/docker
-  register: docker_check
-
-- name: Set registry params
-  lineinfile:
-    dest: /etc/sysconfig/docker
-    regexp: '^{{ item.reg_conf_var }}=.*$'
-    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'"
-  when:
-  - item.reg_fact_val != []
-  - docker_check.stat.isreg is defined
-  - docker_check.stat.isreg
-  with_items:
-  - reg_conf_var: ADD_REGISTRY
-    reg_fact_val: "{{ l2_docker_additional_registries }}"
-    reg_flag: --add-registry
-  - reg_conf_var: BLOCK_REGISTRY
-    reg_fact_val: "{{ l2_docker_blocked_registries }}"
-    reg_flag: --block-registry
-  - reg_conf_var: INSECURE_REGISTRY
-    reg_fact_val: "{{ l2_docker_insecure_registries }}"
-    reg_flag: --insecure-registry
-  notify:
-  - restart docker
-
-- name: Place additional/blocked/insecure registries in /etc/containers/registries.conf
-  template:
-    dest: "{{ containers_registries_conf_path }}"
-    src: registries.conf
-  when: openshift_docker_use_etc_containers | bool
-  notify:
-  - restart docker
-
-- name: Set Proxy Settings
-  lineinfile:
-    dest: /etc/sysconfig/docker
-    regexp: '^{{ item.reg_conf_var }}=.*$'
-    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'"
-    state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}"
-  with_items:
-  - reg_conf_var: HTTP_PROXY
-    reg_fact_val: "{{ docker_http_proxy | default('') }}"
-  - reg_conf_var: HTTPS_PROXY
-    reg_fact_val: "{{ docker_https_proxy | default('') }}"
-  - reg_conf_var: NO_PROXY
-    reg_fact_val: "{{ docker_no_proxy | default('') }}"
-  notify:
-  - restart docker
-  when:
-  - docker_check.stat.isreg is defined and docker_check.stat.isreg and '"http_proxy" in openshift.common or "https_proxy" in openshift.common'
-
-- name: Set various Docker options
-  lineinfile:
-    dest: /etc/sysconfig/docker
-    regexp: '^OPTIONS=.*$'
-    line: "OPTIONS='\
-      {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \
-      {% if docker_log_driver is defined  %} --log-driver {{ docker_log_driver }}{% endif %} \
-      {% if docker_log_options is defined %} {{ docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \
-      {% if docker_options is defined %} {{ docker_options }}{% endif %} \
-      {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %} \
-      --signature-verification={{ openshift_docker_signature_verification | bool }}'"
-  when: docker_check.stat.isreg is defined and docker_check.stat.isreg
-  notify:
-  - restart docker
-
-- stat: path=/etc/sysconfig/docker-network
-  register: sysconfig_docker_network_check
-
-- name: Configure Docker Network OPTIONS
-  lineinfile:
-    dest: /etc/sysconfig/docker-network
-    regexp: '^DOCKER_NETWORK_OPTIONS=.*$'
-    line: "DOCKER_NETWORK_OPTIONS='\
-      {% if openshift.node is defined and openshift.node.sdn_mtu is defined %} --mtu={{ openshift.node.sdn_mtu }}{% endif %}'"
-  when:
-  - sysconfig_docker_network_check.stat.isreg is defined
-  - sysconfig_docker_network_check.stat.isreg
-  notify:
-  - restart docker
-
-# The following task is needed as the systemd module may report a change in
-# state even though docker is already running.
-- name: Detect if docker is already started
-  command: "systemctl show docker -p ActiveState"
-  changed_when: False
-  register: r_docker_already_running_result
-
-- name: Start the Docker service
-  systemd:
-    name: docker
-    enabled: yes
-    state: started
-    daemon_reload: yes
-  register: r_docker_package_docker_start_result
-  until: not r_docker_package_docker_start_result | failed
-  retries: 3
-  delay: 30
-
-- set_fact:
-    docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
-
-- meta: flush_handlers
-
-# This needs to run after docker is restarted to account for proxy settings.
-- include_tasks: registry_auth.yml
diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml
deleted file mode 100644
index 2c7bc5711..000000000
--- a/roles/docker/tasks/registry_auth.yml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-- name: Check for credentials file for registry auth
-  stat:
-    path: "{{ docker_cli_auth_config_path }}/config.json"
-  when: oreg_auth_user is defined
-  register: docker_cli_auth_credentials_stat
-
-- name: Create credentials for docker cli registry auth
-  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
-  register: openshift_docker_credentials_create_res
-  retries: 3
-  delay: 5
-  until: openshift_docker_credentials_create_res.rc == 0
-  when:
-  - not openshift_docker_alternative_creds | bool
-  - oreg_auth_user is defined
-  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
-
-# docker_creds is a custom module from lib_utils
-# 'docker login' requires a docker.service running on the local host, this is an
-# alternative implementation for non-docker hosts.  This implementation does not
-# check the registry to determine whether or not the credentials will work.
-- name: Create credentials for docker cli registry auth (alternative)
-  docker_creds:
-    path: "{{ docker_cli_auth_config_path }}"
-    registry: "{{ oreg_host }}"
-    username: "{{ oreg_auth_user }}"
-    password: "{{ oreg_auth_password }}"
-  when:
-  - openshift_docker_alternative_creds | bool
-  - oreg_auth_user is defined
-  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
deleted file mode 100644
index 3439aa353..000000000
--- a/roles/docker/tasks/systemcontainer_crio.yml
+++ /dev/null
@@ -1,187 +0,0 @@
----
-
-# TODO: Much of this file is shared with container engine tasks
-- set_fact:
-    l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}"
-- set_fact:
-    l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}"
-- set_fact:
-    l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"
-
-- set_fact:
-    l_openshift_image_tag: "{{ openshift_image_tag | string }}"
-  when: openshift_image_tag is defined
-
-- set_fact:
-    l_openshift_image_tag: "latest"
-  when:
-    - openshift_image_tag is not defined
-    - openshift_release == "latest"
-
-- set_fact:
-    l_openshift_image_tag: "{{ openshift_release | string }}"
-  when:
-    - openshift_image_tag is not defined
-    - openshift_release != "latest"
-
-- name: Ensure container-selinux is installed
-  package:
-    name: container-selinux
-    state: present
-  when: not openshift.common.is_atomic | bool
-  register: result
-  until: result | success
-
-- name: Check we are not using node as a Docker container with CRI-O
-  fail: msg='Cannot use CRI-O with node configured as a Docker container'
-  when:
-    - openshift.common.is_containerized | bool
-    - not openshift.common.is_node_system_container | bool
-
-# Used to pull and install the system container
-- name: Ensure atomic is installed
-  package:
-    name: atomic
-    state: present
-  when: not openshift.common.is_atomic | bool
-  register: result
-  until: result | success
-
-# At the time of writing the atomic command requires runc for it's own use. This
-# task is here in the even that the atomic package ever removes the dependency.
-- name: Ensure runc is installed
-  package:
-    name: runc
-    state: present
-  when: not openshift.common.is_atomic | bool
-  register: result
-  until: result | success
-
-
-- name: Check that overlay is in the kernel
-  shell: lsmod | grep overlay
-  register: l_has_overlay_in_kernel
-  ignore_errors: yes
-  failed_when: false
-
-- when: l_has_overlay_in_kernel.rc != 0
-  block:
-
-    - name: Add overlay to modprobe.d
-      template:
-        dest: /etc/modules-load.d/overlay.conf
-        src: overlay.conf.j2
-        backup: yes
-
-    - name: Manually modprobe overlay into the kernel
-      command: modprobe overlay
-
-    - name: Enable and start systemd-modules-load
-      service:
-        name: systemd-modules-load
-        enabled: yes
-        state: restarted
-
-- name: Ensure proxies are in the atomic.conf
-  include_role:
-    name: openshift_atomic
-    tasks_from: proxy
-
-- block:
-
-    - name: Set CRI-O image defaults
-      set_fact:
-        l_crio_image_prepend: "docker.io/gscrivano"
-        l_crio_image_name: "cri-o-fedora"
-        l_crio_image_tag: "latest"
-
-    - name: Use Centos based image when distribution is CentOS
-      set_fact:
-        l_crio_image_name: "cri-o-centos"
-      when: ansible_distribution == "CentOS"
-
-    - name: Set CRI-O image tag
-      set_fact:
-        l_crio_image_tag: "{{ l_openshift_image_tag }}"
-      when:
-        - openshift_deployment_type == 'openshift-enterprise'
-
-    - name: Use RHEL based image when distribution is Red Hat
-      set_fact:
-        l_crio_image_prepend: "registry.access.redhat.com/openshift3"
-        l_crio_image_name: "cri-o"
-      when: ansible_distribution == "RedHat"
-
-    - name: Set the full image name
-      set_fact:
-        l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:{{ l_crio_image_tag }}"
-
-    # For https://github.com/openshift/aos-cd-jobs/pull/624#pullrequestreview-61816548
-    - name: Use a specific image if requested
-      set_fact:
-        l_crio_image: "{{ openshift_crio_systemcontainer_image_override }}"
-      when:
-        - openshift_crio_systemcontainer_image_override is defined
-        - openshift_crio_systemcontainer_image_override != ""
-
-    # Be nice and let the user see the variable result
-    - debug:
-        var: l_crio_image
-
-# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
-- name: Pre-pull CRI-O System Container image
-  command: "atomic pull --storage ostree {{ l_crio_image }}"
-  changed_when: false
-  environment:
-    NO_PROXY: "{{ openshift.common.no_proxy | default('') }}"
-
-
-- name: Install CRI-O System Container
-  oc_atomic_container:
-    name: "cri-o"
-    image: "{{ l_crio_image }}"
-    state: latest
-
-- name: Remove CRI-O default configuration files
-  file:
-    path: "{{ item }}"
-    state: absent
-  with_items:
-    - /etc/cni/net.d/200-loopback.conf
-    - /etc/cni/net.d/100-crio-bridge.conf
-
-- name: Create the CRI-O configuration
-  template:
-    dest: /etc/crio/crio.conf
-    src: crio.conf.j2
-    backup: yes
-
-- name: Ensure CNI configuration directory exists
-  file:
-    path: /etc/cni/net.d/
-    state: directory
-
-- name: setup firewall for CRI-O
-  include_tasks: crio_firewall.yml
-  static: yes
-
-- name: Configure the CNI network
-  template:
-    dest: /etc/cni/net.d/openshift-sdn.conf
-    src: 80-openshift-sdn.conf.j2
-
-- name: Start the CRI-O service
-  systemd:
-    name: "cri-o"
-    enabled: yes
-    state: started
-    daemon_reload: yes
-  register: start_result
-
-- meta: flush_handlers
-
-# If we are using crio only, docker.service might not be available for
-# 'docker login'
-- include_tasks: registry_auth.yml
-  vars:
-    openshift_docker_alternative_creds: "{{ l_use_crio_only }}"
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
deleted file mode 100644
index 881d83f50..000000000
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ /dev/null
@@ -1,190 +0,0 @@
----
-
-- set_fact:
-    l_openshift_image_tag: "{{ openshift_image_tag | string }}"
-  when: openshift_image_tag is defined
-
-- set_fact:
-    l_openshift_image_tag: "latest"
-  when:
-    - openshift_image_tag is not defined
-    - openshift_release == "latest"
-
-- set_fact:
-    l_openshift_image_tag: "{{ openshift_release | string }}"
-  when:
-    - openshift_image_tag is not defined
-    - openshift_release != "latest"
-
-# If docker_options are provided we should fail. We should not install docker and ignore
-# the users configuration. NOTE: docker_options == inventory:openshift_docker_options
-- name: Fail quickly if openshift_docker_options are set
-  assert:
-    that:
-      - docker_options is defined
-      - docker_options != ""
-    msg: |
-      Docker via System Container does not allow for the use of the openshift_docker_options
-      variable. If you want to use openshift_docker_options you will need to use the
-      traditional docker package install. Otherwise, comment out openshift_docker_options
-      in your inventory file.
-
-- name: Ensure container-selinux is installed
-  package:
-    name: container-selinux
-    state: present
-  when: not openshift.common.is_atomic | bool
-  register: result
-  until: result | success
-
-# Used to pull and install the system container
-- name: Ensure atomic is installed
-  package:
-    name: atomic
-    state: present
-  when: not openshift.common.is_atomic | bool
-  register: result
-  until: result | success
-
-# At the time of writing the atomic command requires runc for it's own use. This
-# task is here in the even that the atomic package ever removes the dependency.
-- name: Ensure runc is installed
-  package:
-    name: runc
-    state: present
-  when: not openshift.common.is_atomic | bool
-  register: result
-  until: result | success
-
-# Make sure Docker is installed so we are able to use the client
-- name: Install Docker so we can use the client
-  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
-  when: not openshift.common.is_atomic | bool
-  register: result
-  until: result | success
-
-# Make sure docker is disabled. Errors are ignored.
-- name: Disable Docker
-  systemd:
-    name: docker
-    enabled: no
-    state: stopped
-    daemon_reload: yes
-  ignore_errors: True
-  register: r_docker_systemcontainer_docker_stop_result
-  until: not r_docker_systemcontainer_docker_stop_result | failed
-  retries: 3
-  delay: 30
-
-- name: Ensure proxies are in the atomic.conf
-  include_role:
-    name: openshift_atomic
-    tasks_from: proxy
-
-- block:
-
-    - name: Set to default prepend
-      set_fact:
-        l_docker_image_prepend: "gscrivano"
-        l_docker_image_tag: "latest"
-
-    - name: Set container engine image tag
-      set_fact:
-        l_docker_image_tag: "{{ l_openshift_image_tag }}"
-      when:
-        - openshift_deployment_type == 'openshift-enterprise'
-
-    - name: Use Red Hat Registry for image when distribution is Red Hat
-      set_fact:
-        l_docker_image_prepend: "registry.access.redhat.com/openshift3"
-      when: ansible_distribution == 'RedHat'
-
-    - name: Use Fedora Registry for image when distribution is Fedora
-      set_fact:
-        l_docker_image_prepend: "registry.fedoraproject.org/f25"
-      when: ansible_distribution == 'Fedora'
-
-    - name: Set the full image name
-      set_fact:
-        l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:{{ l_docker_image_tag }}"
-
-    # For https://github.com/openshift/openshift-ansible/pull/5354#issuecomment-328552959
-    - name: Use a specific image if requested
-      set_fact:
-        l_docker_image: "{{ openshift_docker_systemcontainer_image_override }}"
-      when:
-        - openshift_docker_systemcontainer_image_override is defined
-        - openshift_docker_systemcontainer_image_override != ""
-
-    # Be nice and let the user see the variable result
-    - debug:
-        var: l_docker_image
-
-# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
-- name: Pre-pull Container Engine System Container image
-  command: "atomic pull --storage ostree {{ l_docker_image }}"
-  changed_when: false
-  environment:
-    NO_PROXY: "{{ openshift.common.no_proxy | default('') }}"
-
-
-- name: Ensure container-engine.service.d directory exists
-  file:
-    path: "{{ container_engine_systemd_dir }}"
-    state: directory
-
-- name: Ensure /etc/docker directory exists
-  file:
-    path: "{{ docker_conf_dir }}"
-    state: directory
-
-- name: Install Container Engine System Container
-  oc_atomic_container:
-    name: "{{ openshift.docker.service_name }}"
-    image: "{{ l_docker_image }}"
-    state: latest
-
-- name: Configure Container Engine Service File
-  template:
-    dest: "{{ container_engine_systemd_dir }}/custom.conf"
-    src: systemcontainercustom.conf.j2
-
-# Set local versions of facts that must be in json format for container-daemon.json
-# NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson
-- set_fact:
-    l_docker_insecure_registries: "{{ l2_docker_insecure_registries | default([]) | to_json }}"
-    l_docker_log_options: "{{ docker_log_options | default({}) | to_json }}"
-    l_docker_additional_registries: "{{ l2_docker_additional_registries | default([]) | to_json }}"
-    l_docker_blocked_registries: "{{ l2_docker_blocked_registries | default([]) | to_json }}"
-    l_docker_selinux_enabled: "{{ docker_selinux_enabled | default(true) | to_json }}"
-
-# Configure container-engine using the container-daemon.json file
-# NOTE: daemon.json and container-daemon.json have been seperated to avoid
-#       collision.
-- name: Configure Container Engine
-  template:
-    dest: "{{ docker_conf_dir }}/container-daemon.json"
-    src: daemon.json
-
-# Enable and start the container-engine service
-- name: Start the Container Engine service
-  systemd:
-    name: "{{ openshift.docker.service_name }}"
-    enabled: yes
-    state: started
-    daemon_reload: yes
-  register: r_docker_systemcontainer_docker_start_result
-  until: not r_docker_systemcontainer_docker_start_result | failed
-  retries: 3
-  delay: 30
-
-- set_fact:
-    docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}"
-
-- meta: flush_handlers
-
-# Since docker is running as a system container, docker login will fail to create
-# credentials.  Use alternate method if requiring authenticated registries.
-- include_tasks: registry_auth.yml
-  vars:
-    openshift_docker_alternative_creds: True
diff --git a/roles/docker/tasks/udev_workaround.yml b/roles/docker/tasks/udev_workaround.yml
deleted file mode 100644
index 257c3123d..000000000
--- a/roles/docker/tasks/udev_workaround.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-
-- name: Getting current systemd-udevd exec command
-  command: grep -e "^ExecStart=" /lib/systemd/system/systemd-udevd.service
-  changed_when: false
-  register: udevw_udev_start_cmd
-
-- name: Assure systemd-udevd.service.d directory exists
-  file:
-    path: "{{ udevw_udevd_dir }}"
-    state: directory
-
-- name: Create systemd-udevd override file
-  copy:
-    content: |
-      [Service]
-      #Need blank ExecStart to "clear" pre-existing one
-      ExecStart=
-      {{ udevw_udev_start_cmd.stdout }} --event-timeout=300
-    dest: "{{ udevw_udevd_dir }}/override.conf"
-    owner: root
-    mode: "0644"
-  notify:
-    - restart udev
diff --git a/roles/docker/templates/80-openshift-sdn.conf.j2 b/roles/docker/templates/80-openshift-sdn.conf.j2
deleted file mode 100644
index a693aea5f..000000000
--- a/roles/docker/templates/80-openshift-sdn.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-{
-  "cniVersion": "0.1.0",
-  "name": "openshift-sdn",
-  "type": "openshift-sdn"
-}
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
deleted file mode 100644
index 3f066a17f..000000000
--- a/roles/docker/templates/crio.conf.j2
+++ /dev/null
@@ -1,164 +0,0 @@
-# {{ ansible_managed }}
-
-# The "crio" table contains all of the server options.
-[crio]
-
-# root is a path to the "root directory". CRIO stores all of its data,
-# including container images, in this directory.
-root = "/var/lib/containers/storage"
-
-# run is a path to the "run directory". CRIO stores all of its state
-# in this directory.
-runroot = "/var/run/containers/storage"
-
-# storage_driver select which storage driver is used to manage storage
-# of images and containers.
-storage_driver = "overlay"
-
-# storage_option is used to pass an option to the storage driver.
-storage_option = [
-{% if ansible_distribution in ['RedHat', 'CentOS'] %}
-	"overlay.override_kernel_check=1"
-{% endif %}
-]
-
-# The "crio.api" table contains settings for the kubelet/gRPC
-# interface (which is also used by crioctl).
-[crio.api]
-
-# listen is the path to the AF_LOCAL socket on which crio will listen.
-listen = "/var/run/crio.sock"
-
-# stream_address is the IP address on which the stream server will listen
-stream_address = ""
-
-# stream_port is the port on which the stream server will listen
-stream_port = "10010"
-
-# file_locking is whether file-based locking will be used instead of
-# in-memory locking
-file_locking = true
-
-# The "crio.runtime" table contains settings pertaining to the OCI
-# runtime used and options for how to set up and manage the OCI runtime.
-[crio.runtime]
-
-# runtime is the OCI compatible runtime used for trusted container workloads.
-# This is a mandatory setting as this runtime will be the default one
-# and will also be used for untrusted container workloads if
-# runtime_untrusted_workload is not set.
-runtime = "/usr/bin/runc"
-
-# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
-# container workloads. This is an optional setting, except if
-# default_container_trust is set to "untrusted".
-runtime_untrusted_workload = ""
-
-# default_workload_trust is the default level of trust crio puts in container
-# workloads. It can either be "trusted" or "untrusted", and the default
-# is "trusted".
-# Containers can be run through different container runtimes, depending on
-# the trust hints we receive from kubelet:
-# - If kubelet tags a container workload as untrusted, crio will try first to
-# run it through the untrusted container workload runtime. If it is not set,
-# crio will use the trusted runtime.
-# - If kubelet does not provide any information about the container workload trust
-# level, the selected runtime will depend on the default_container_trust setting.
-# If it is set to "untrusted", then all containers except for the host privileged
-# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
-# containers are by definition trusted and will always use the trusted container
-# runtime. If default_container_trust is set to "trusted", crio will use the trusted
-# container runtime for all containers.
-default_workload_trust = "trusted"
-
-# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
-no_pivot = false
-
-# conmon is the path to conmon binary, used for managing the runtime.
-conmon = "/usr/libexec/crio/conmon"
-
-# conmon_env is the environment variable list for conmon process,
-# used for passing necessary environment variable to conmon or runtime.
-conmon_env = [
-	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-]
-
-# selinux indicates whether or not SELinux will be used for pod
-# separation on the host. If you enable this flag, SELinux must be running
-# on the host.
-selinux = true
-
-# seccomp_profile is the seccomp json profile path which is used as the
-# default for the runtime.
-seccomp_profile = "/etc/crio/seccomp.json"
-
-# apparmor_profile is the apparmor profile name which is used as the
-# default for the runtime.
-apparmor_profile = "crio-default"
-
-# cgroup_manager is the cgroup management implementation to be used
-# for the runtime.
-cgroup_manager = "systemd"
-
-# hooks_dir_path is the oci hooks directory for automatically executed hooks
-hooks_dir_path = "/usr/share/containers/oci/hooks.d"
-
-# default_mounts is the mounts list to be mounted for the container when created
-default_mounts = [
-	"/usr/share/rhel/secrets:/run/secrets",
-]
-
-# pids_limit is the number of processes allowed in a container
-pids_limit = 1024
-
-# log_size_max is the max limit for the container log size in bytes.
-# Negative values indicate that no limit is imposed.
-log_size_max = 52428800
-
-# The "crio.image" table contains settings pertaining to the
-# management of OCI images.
-[crio.image]
-
-# default_transport is the prefix we try prepending to an image name if the
-# image name as we receive it can't be parsed as a valid source reference
-default_transport = "docker://"
-
-# pause_image is the image which we use to instantiate infra containers.
-pause_image = "kubernetes/pause"
-
-# pause_command is the command to run in a pause_image to have a container just
-# sit there.  If the image contains the necessary information, this value need
-# not be specified.
-pause_command = "/pause"
-
-# signature_policy is the name of the file which decides what sort of policy we
-# use when deciding whether or not to trust an image that we've pulled.
-# Outside of testing situations, it is strongly advised that this be left
-# unspecified so that the default system-wide policy will be used.
-signature_policy = ""
-
-# image_volumes controls how image volumes are handled.
-# The valid values are mkdir and ignore.
-image_volumes = "mkdir"
-
-# insecure_registries is used to skip TLS verification when pulling images.
-insecure_registries = [
-{{ l_insecure_crio_registries|default("") }}
-]
-
-# registries is used to specify a comma separated list of registries to be used
-# when pulling an unqualified image (e.g. fedora:rawhide).
-registries = [
-{{ l_additional_crio_registries|default("") }}
-]
-
-# The "crio.network" table contains settings pertaining to the
-# management of CNI plugins.
-[crio.network]
-
-# network_dir is is where CNI network configuration
-# files are stored.
-network_dir = "/etc/cni/net.d/"
-
-# plugin_dir is is where CNI plugin binaries are stored.
-plugin_dir = "/opt/cni/bin/"
diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2
deleted file mode 100644
index 713412473..000000000
--- a/roles/docker/templates/custom.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Wants=iptables.service
-After=iptables.service
-
-# The following line is a work-around to ensure docker is restarted whenever
-# iptables is restarted.  This ensures the proper iptables rules will be in
-# place for docker.
-# Note:  This will also cause docker to be stopped if iptables is stopped.
-PartOf=iptables.service
diff --git a/roles/docker/templates/daemon.json b/roles/docker/templates/daemon.json
deleted file mode 100644
index a41b7cdbd..000000000
--- a/roles/docker/templates/daemon.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
-    "authorization-plugins": ["rhel-push-plugin"],
-    "default-runtime": "oci",
-    "containerd": "/run/containerd.sock",
-    "disable-legacy-registry": false,
-    "exec-opts": ["native.cgroupdriver=systemd"],
-    "insecure-registries": {{ l_docker_insecure_registries }},
-{% if docker_log_driver is defined  %}
-    "log-driver": "{{ docker_log_driver }}",
-{%- endif %}
-    "log-opts": {{ l_docker_log_options }},
-    "runtimes": {
-	"oci": {
-	    "path": "/usr/libexec/docker/docker-runc-current"
-	}
-    },
-    "selinux-enabled": {{ l_docker_selinux_enabled | lower }},
-    "add-registry": {{ l_docker_additional_registries }},
-    "block-registry": {{ l_docker_blocked_registries }}
-}
diff --git a/roles/docker/templates/overlay.conf.j2 b/roles/docker/templates/overlay.conf.j2
deleted file mode 100644
index 782f46c2e..000000000
--- a/roles/docker/templates/overlay.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-### {{ ansible_managed }}
-overlay
diff --git a/roles/docker/templates/registries.conf b/roles/docker/templates/registries.conf
deleted file mode 100644
index d379b2be0..000000000
--- a/roles/docker/templates/registries.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# {{ ansible_managed }}
-# This is a system-wide configuration file used to
-# keep track of registries for various container backends.
-# It adheres to YAML format and does not support recursive
-# lists of registries.
-
-# The default location for this configuration file is /etc/containers/registries.conf.
-
-# The only valid categories are: 'registries', 'insecure_registries',
-# and 'block_registries'.
-
-
-#registries:
-#  - registry.access.redhat.com
-
-{% if l2_docker_additional_registries %}
-registries:
-{% for reg in l2_docker_additional_registries %}
-  - {{ reg }}
-{% endfor %}
-{% endif %}
-
-# If you need to access insecure registries, uncomment the section below
-# and add the registries fully-qualified name. An insecure registry is one
-# that does not have a valid SSL certificate or only does HTTP.
-#insecure_registries:
-#  -
-
-{% if l2_docker_insecure_registries %}
-insecure_registries:
-{% for reg in l2_docker_insecure_registries %}
-  - {{ reg }}
-{% endfor %}
-{% endif %}
-
-# If you need to block pull access from a registry, uncomment the section below
-# and add the registries fully-qualified name.
-#block_registries:
-# -
-
-{% if l2_docker_blocked_registries %}
-block_registries:
-{% for reg in l2_docker_blocked_registries %}
-  - {{ reg }}
-{% endfor %}
-{% endif %}
diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2
deleted file mode 100644
index 86eebfba6..000000000
--- a/roles/docker/templates/systemcontainercustom.conf.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-# {{ ansible_managed }}
-
-[Service]
-{% if "http_proxy" in openshift.common %}
-Environment=HTTP_PROXY={{ docker_http_proxy }}
-{% endif -%}
-{% if "https_proxy" in openshift.common %}
-Environment=HTTPS_PROXY={{ docker_http_proxy }}
-{% endif -%}
-{% if "no_proxy" in openshift.common %}
-Environment=NO_PROXY={{ docker_no_proxy }}
-{% endif %}
-{%- if os_firewall_use_firewalld|default(false) %}
-[Unit]
-Wants=iptables.service
-After=iptables.service
-{%- endif %}
diff --git a/roles/docker/vars/main.yml b/roles/docker/vars/main.yml
deleted file mode 100644
index 4e940b7f5..000000000
--- a/roles/docker/vars/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-docker_systemd_dir: /etc/systemd/system/docker.service.d
-container_engine_systemd_dir: /etc/systemd/system/container-engine.service.d
-docker_conf_dir: /etc/docker/
-udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index a069e4d87..3038ed9f6 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -97,3 +97,5 @@ r_etcd_os_firewall_allow:
 
 # set the backend quota to 4GB by default
 etcd_quota_backend_bytes: 4294967296
+
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
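Review bot: `openshift_docker_use_system_container | default(False)` is tested without `| bool`, so a value the inventory supplies as a string such as `false` is non-empty, counts as true in the inline `if`, and selects `container-engine` for every `After=`/`Requires=`/`PartOf=` line rendered from it. The removed `set_container_facts_if_unset` code passed this value through `safe_get_bool` for exactly that reason. I would write `{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}`. The same line is added to the flannel, openshift_loadbalancer, openshift_master and openshift_node defaults; five copies can drift apart, so a single shared definition would be safer if the role layout allows it.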
diff --git a/roles/etcd/templates/etcd.docker.service b/roles/etcd/templates/etcd.docker.service
index 99ae37319..4c25a9955 100644
--- a/roles/etcd/templates/etcd.docker.service
+++ b/roles/etcd/templates/etcd.docker.service
@@ -1,8 +1,8 @@
 [Unit]
 Description=The Etcd Server container
-After={{ openshift.docker.service_name }}.service
-Requires={{ openshift.docker.service_name }}.service
-PartOf={{ openshift.docker.service_name }}.service
+After={{ openshift_docker_service_name }}.service
+Requires={{ openshift_docker_service_name }}.service
+PartOf={{ openshift_docker_service_name }}.service
 
 [Service]
 EnvironmentFile={{ etcd_conf_file }}
@@ -14,4 +14,4 @@ Restart=always
 RestartSec=5s
 
 [Install]
-WantedBy={{ openshift.docker.service_name }}.service
+WantedBy={{ openshift_docker_service_name }}.service
diff --git a/roles/flannel/defaults/main.yaml b/roles/flannel/defaults/main.yaml
index 988731ef2..488b6b0bc 100644
--- a/roles/flannel/defaults/main.yaml
+++ b/roles/flannel/defaults/main.yaml
@@ -5,3 +5,5 @@ etcd_hosts: "{{ etcd_urls }}"
 etcd_peer_ca_file: "{{ openshift.common.config_base }}/node/{{ 'ca' if (embedded_etcd | bool) else 'flannel.etcd-ca' }}.crt"
 etcd_peer_cert_file: "{{ openshift.common.config_base }}/node/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'flannel.etcd-client' }}.crt"
 etcd_peer_key_file: "{{ openshift.common.config_base }}/node/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'flannel.etcd-client' }}.key"
+
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
diff --git a/roles/flannel/handlers/main.yml b/roles/flannel/handlers/main.yml
index 889069485..80e4d391d 100644
--- a/roles/flannel/handlers/main.yml
+++ b/roles/flannel/handlers/main.yml
@@ -6,7 +6,7 @@
 - name: restart docker
   become: yes
   systemd:
-    name: "{{ openshift.docker.service_name }}"
+    name: "{{ openshift_docker_service_name }}"
     state: restarted
   register: l_docker_restart_docker_in_flannel_result
   until: not l_docker_restart_docker_in_flannel_result | failed
diff --git a/roles/openshift_cli/defaults/main.yml b/roles/openshift_cli/defaults/main.yml
index 82da0639e..631a0455e 100644
--- a/roles/openshift_cli/defaults/main.yml
+++ b/roles/openshift_cli/defaults/main.yml
@@ -4,3 +4,8 @@ system_images_registry_dict:
   origin: "docker.io"
 
 system_images_registry: "{{ system_images_registry_dict[openshift_deployment_type | default('origin')] }}"
+
+openshift_use_crio_only: False
+
+l_is_system_container_image: "{{ openshift_use_master_system_container | default(openshift_use_system_containers | default(False)) | bool }}"
+l_use_cli_atomic_image: "{{ openshift_use_crio_only or l_is_system_container_image }}"
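Review bot: `openshift_use_crio_only` goes into `l_use_cli_atomic_image` without `| bool`, while the line above coerces its inputs. Jinja's `or` returns the first truthy operand, so an inventory string such as `false` would be passed through as that string rather than falling back to `l_is_system_container_image`. How consumers then interpret it is not visible in this hunk. I would make the coercion explicit: `l_use_cli_atomic_image: "{{ (openshift_use_crio_only | bool) or l_is_system_container_image }}"`.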
diff --git a/roles/openshift_cli/meta/main.yml b/roles/openshift_cli/meta/main.yml
index 29ed82783..5d2b6abed 100644
--- a/roles/openshift_cli/meta/main.yml
+++ b/roles/openshift_cli/meta/main.yml
@@ -12,6 +12,4 @@ galaxy_info:
   categories:
   - cloud
 dependencies:
-- role: openshift_docker
-  when: not skip_docker_role | default(False) | bool
 - role: openshift_facts
diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml
index 7b046b2c4..140c6ea26 100644
--- a/roles/openshift_cli/tasks/main.yml
+++ b/roles/openshift_cli/tasks/main.yml
@@ -1,10 +1,4 @@
 ---
-- set_fact:
-    l_use_crio_only: "{{ openshift_use_crio_only | default(false) }}"
-    l_is_system_container_image: "{{ openshift_use_master_system_container | default(openshift_use_system_containers | default(false)) | bool }}"
-- set_fact:
-    l_use_cli_atomic_image: "{{ l_use_crio_only or l_is_system_container_image }}"
-
 - name: Install clients
   package: name={{ openshift.common.service_type }}-clients state=present
   when: not openshift.common.is_containerized | bool
diff --git a/roles/openshift_docker/defaults/main.yml b/roles/openshift_docker/defaults/main.yml
deleted file mode 100644
index ed97d539c..000000000
--- a/roles/openshift_docker/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/roles/openshift_docker/meta/main.yml b/roles/openshift_docker/meta/main.yml
deleted file mode 100644
index 60efd4e45..000000000
--- a/roles/openshift_docker/meta/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-galaxy_info:
-  author: Jason DeTiberus
-  description: OpenShift Docker
-  company: Red Hat, Inc.
-  license: Apache License, Version 2.0
-  min_ansible_version: 1.9
-  platforms:
-  - name: EL
-    versions:
-    - 7
-  categories:
-  - cloud
-dependencies:
-- role: openshift_docker_facts
-- role: docker
diff --git a/roles/openshift_docker/tasks/main.yml b/roles/openshift_docker/tasks/main.yml
deleted file mode 100644
index ed97d539c..000000000
--- a/roles/openshift_docker/tasks/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/roles/openshift_docker_facts/defaults/main.yml b/roles/openshift_docker_facts/defaults/main.yml
deleted file mode 100644
index ed97d539c..000000000
--- a/roles/openshift_docker_facts/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/roles/openshift_docker_facts/meta/main.yml b/roles/openshift_docker_facts/meta/main.yml
deleted file mode 100644
index 5b1be7a8d..000000000
--- a/roles/openshift_docker_facts/meta/main.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-galaxy_info:
-  author: Jason DeTiberus
-  description: OpenShift Docker Facts
-  company: Red Hat, Inc.
-  license: Apache License, Version 2.0
-  min_ansible_version: 1.9
-  platforms:
-  - name: EL
-    versions:
-    - 7
-  categories:
-  - cloud
-dependencies:
-- { role: openshift_facts }
diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml
deleted file mode 100644
index 5a3e50678..000000000
--- a/roles/openshift_docker_facts/tasks/main.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-- name: Set docker facts
-  openshift_facts:
-    role: "{{ item.role }}"
-    local_facts: "{{ item.local_facts }}"
-  with_items:
-  - role: docker
-    local_facts:
-      selinux_enabled: "{{ openshift_docker_selinux_enabled | default(None) }}"
-      log_driver: "{{ openshift_docker_log_driver | default(None) }}"
-      log_options: "{{ openshift_docker_log_options | default(None) }}"
-      options: "{{ openshift_docker_options | default(None) }}"
-      disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}"
-      hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.docker.hosted_registry_insecure | default(False)) }}"
-      hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}"
-      use_system_container: "{{ openshift_docker_use_system_container | default(False) }}"
-      use_crio: "{{ openshift_use_crio | default(False) }}"
-  - role: node
-    local_facts:
-      sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}"
-
-- set_fact:
-    docker_selinux_enabled: "{{ openshift.docker.selinux_enabled | default(omit) }}"
-    docker_log_driver: "{{ openshift.docker.log_driver | default(omit) }}"
-    docker_log_options: "{{ openshift.docker.log_options | default(omit) }}"
-    docker_push_dockerhub: "{{ openshift.docker.disable_push_dockerhub
-                               | default(omit) }}"
-    docker_http_proxy: "{{ openshift.common.http_proxy | default(omit) }}"
-    docker_https_proxy: "{{ openshift.common.https_proxy | default(omit) }}"
-    docker_no_proxy: "{{ openshift.common.no_proxy | default(omit) }}"
-
-- set_fact:
-    docker_options: "--insecure-registry={{ openshift.docker.hosted_registry_network }} {{ openshift.docker.options | default ('') }}"
-  when: openshift.docker.hosted_registry_insecure | default(False) | bool and openshift.docker.hosted_registry_network is defined
-  register: hosted_registry_options
-
-- set_fact:
-    docker_options: "{{ openshift.docker.options | default(omit) }}"
-  when: hosted_registry_options | skipped
diff --git a/roles/openshift_docker_facts/vars/main.yml b/roles/openshift_docker_facts/vars/main.yml
deleted file mode 100644
index 55c04b0c1..000000000
--- a/roles/openshift_docker_facts/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}"
diff --git a/roles/openshift_etcd/meta/main.yml b/roles/openshift_etcd/meta/main.yml
index 7cc548f69..0e28fec03 100644
--- a/roles/openshift_etcd/meta/main.yml
+++ b/roles/openshift_etcd/meta/main.yml
@@ -13,6 +13,4 @@ galaxy_info:
   - cloud
 dependencies:
 - role: openshift_etcd_facts
-- role: openshift_docker
-  when: openshift.common.is_containerized | bool
 - role: etcd
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index bbcdbadd8..d72731a02 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -51,39 +51,6 @@ EXAMPLES = '''
 '''
 
 
-def migrate_docker_facts(facts):
-    """ Apply migrations for docker facts """
-    params = {
-        'common': (
-            'options'
-        ),
-        'node': (
-            'log_driver',
-            'log_options'
-        )
-    }
-    if 'docker' not in facts:
-        facts['docker'] = {}
-    # pylint: disable=consider-iterating-dictionary
-    for role in params.keys():
-        if role in facts:
-            for param in params[role]:
-                old_param = 'docker_' + param
-                if old_param in facts[role]:
-                    facts['docker'][param] = facts[role].pop(old_param)
-
-    if 'node' in facts and 'portal_net' in facts['node']:
-        facts['docker']['hosted_registry_network'] = facts['node'].pop('portal_net')
-
-    # log_options was originally meant to be a comma separated string, but
-    # we now prefer an actual list, with backward compatibility:
-    if 'log_options' in facts['docker'] and \
-            isinstance(facts['docker']['log_options'], string_types):
-        facts['docker']['log_options'] = facts['docker']['log_options'].split(",")
-
-    return facts
-
-
 # TODO: We should add a generic migration function that takes source and destination
 # paths and does the right thing rather than one function for common, one for node, etc.
 def migrate_common_facts(facts):
@@ -156,7 +123,6 @@ def migrate_admission_plugin_facts(facts):
 def migrate_local_facts(facts):
     """ Apply migrations of local facts """
     migrated_facts = copy.deepcopy(facts)
-    migrated_facts = migrate_docker_facts(migrated_facts)
     migrated_facts = migrate_common_facts(migrated_facts)
     migrated_facts = migrate_node_facts(migrated_facts)
     migrated_facts = migrate_hosted_facts(migrated_facts)
@@ -1100,6 +1066,7 @@ def get_version_output(binary, version_cmd):
     return output
 
 
+# We may need this in the future.
 def get_docker_version_info():
     """ Parses and returns the docker version info """
     result = None
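Review bot: The added comment `# We may need this in the future.` does not say that `get_docker_version_info()` is now unused or why it is kept. Among the visible hunks its only call site was in the removed `if 'docker' in roles:` block. Either delete the function along with the other docker fact helpers, or state the status plainly, e.g. `# Unused since the docker facts were removed from openshift_facts; kept for <reason>.` The function body continues outside this hunk.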
@@ -1113,25 +1080,6 @@ def get_docker_version_info():
     return result
 
 
-def get_hosted_registry_insecure():
-    """ Parses OPTIONS from /etc/sysconfig/docker to determine if the
-        registry is currently insecure.
-    """
-    hosted_registry_insecure = None
-    if os.path.exists('/etc/sysconfig/docker'):
-        try:
-            ini_str = text_type('[root]\n' + open('/etc/sysconfig/docker', 'r').read(), 'utf-8')
-            ini_fp = io.StringIO(ini_str)
-            config = configparser.RawConfigParser()
-            config.readfp(ini_fp)
-            options = config.get('root', 'OPTIONS')
-            if 'insecure-registry' in options:
-                hosted_registry_insecure = True
-        except Exception:  # pylint: disable=broad-except
-            pass
-    return hosted_registry_insecure
-
-
 def get_openshift_version(facts):
     """ Get current version of openshift on the host.
 
@@ -1583,13 +1531,6 @@ def set_container_facts_if_unset(facts):
         deployer_image = 'openshift/origin-deployer'
 
     facts['common']['is_atomic'] = os.path.isfile('/run/ostree-booted')
-    # If openshift_docker_use_system_container is set and is True ....
-    if 'use_system_container' in list(facts['docker'].keys()):
-        # use safe_get_bool as the inventory variable may not be a
-        # valid boolean on it's own.
-        if safe_get_bool(facts['docker']['use_system_container']):
-            # ... set the service name to container-engine
-            facts['docker']['service_name'] = 'container-engine'
 
     if 'is_containerized' not in facts['common']:
         facts['common']['is_containerized'] = facts['common']['is_atomic']
@@ -1684,7 +1625,6 @@ class OpenShiftFacts(object):
                    'buildoverrides',
                    'cloudprovider',
                    'common',
-                   'docker',
                    'etcd',
                    'hosted',
                    'master',
@@ -1845,25 +1785,6 @@ class OpenShiftFacts(object):
                                     local_quota_per_fsgroup="",
                                     set_node_ip=False)
 
-        if 'docker' in roles:
-            docker = dict(disable_push_dockerhub=False,
-                          options='--log-driver=journald')
-            # NOTE: This is a workaround for a dnf output racecondition that can occur in
-            # some situations. See https://bugzilla.redhat.com/show_bug.cgi?id=918184
-            if self.system_facts['ansible_pkg_mgr'] == 'dnf':
-                rpm_rebuilddb()
-
-            version_info = get_docker_version_info()
-            if version_info is not None:
-                docker['api_version'] = version_info['api_version']
-                docker['version'] = version_info['version']
-                docker['gte_1_10'] = LooseVersion(version_info['version']) >= LooseVersion('1.10')
-            hosted_registry_insecure = get_hosted_registry_insecure()
-            if hosted_registry_insecure is not None:
-                docker['hosted_registry_insecure'] = hosted_registry_insecure
-            docker['service_name'] = 'docker'
-            defaults['docker'] = docker
-
         if 'cloudprovider' in roles:
             defaults['cloudprovider'] = dict(kind=None)
 
@@ -2221,12 +2142,6 @@ class OpenShiftFacts(object):
                                       additive_facts_to_overwrite,
                                       protected_facts_to_overwrite)
 
-        if 'docker' in new_local_facts:
-            # Convert legacy log_options comma sep string to a list if present:
-            if 'log_options' in new_local_facts['docker'] and \
-                    isinstance(new_local_facts['docker']['log_options'], string_types):
-                new_local_facts['docker']['log_options'] = new_local_facts['docker']['log_options'].split(',')
-
         new_local_facts = self.remove_empty_facts(new_local_facts)
 
         if new_local_facts != local_facts:
diff --git a/roles/openshift_hosted/tasks/registry.yml b/roles/openshift_hosted/tasks/registry.yml
index 9f2ef4e40..e2e06594b 100644
--- a/roles/openshift_hosted/tasks/registry.yml
+++ b/roles/openshift_hosted/tasks/registry.yml
@@ -101,7 +101,7 @@
   static: no
   run_once: true
   when:
-  - not (openshift.docker.hosted_registry_insecure | default(false) | bool)
+  - not (openshift_docker_hosted_registry_insecure | default(False)) | bool
 
 - include: storage/object_storage.yml
   static: no
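Review bot: This condition now depends only on the inventory variable `openshift_docker_hosted_registry_insecure`. The fact it replaces could also be populated from the host, because the removed `get_hosted_registry_insecure()` looked for `insecure-registry` in `/etc/sysconfig/docker`. A cluster that relied on that detection will therefore take this include where it previously skipped it, so the change deserves a comment such as `# must be set in inventory; no longer detected from /etc/sysconfig/docker`. The parentheses also read as if `bool` applied to the negated value; `- not (openshift_docker_hosted_registry_insecure | default(False) | bool)` states the intent directly. The include this `when:` guards starts outside the hunk.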
diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml
index 239b16427..f9c16ba40 100644
--- a/roles/openshift_loadbalancer/defaults/main.yml
+++ b/roles/openshift_loadbalancer/defaults/main.yml
@@ -26,6 +26,8 @@ r_openshift_loadbalancer_os_firewall_allow:
   port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp"
   cond: "{{ r_openshift_lb_use_nuage | bool }}"
 
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+
 # NOTE
 # r_openshift_lb_use_nuage_default may be defined external to this role.
 # openshift_use_nuage, if defined, may affect other roles or play behavior.
diff --git a/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2 b/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2
index 72182fcdd..57121447d 100644
--- a/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2
+++ b/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2
@@ -1,7 +1,7 @@
 [Unit]
-After={{ openshift.docker.service_name }}.service
-Requires={{ openshift.docker.service_name }}.service
-PartOf={{ openshift.docker.service_name }}.service
+After={{ openshift_docker_service_name }}.service
+Requires={{ openshift_docker_service_name }}.service
+PartOf={{ openshift_docker_service_name }}.service
 
 [Service]
 ExecStartPre=-/usr/bin/docker rm -f openshift_loadbalancer
@@ -14,4 +14,4 @@ Restart=always
 RestartSec=5s
 
 [Install]
-WantedBy={{ openshift.docker.service_name }}.service
+WantedBy={{ openshift_docker_service_name }}.service
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 8e4a46ebb..38b2fd8b8 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -52,6 +52,8 @@ openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container |
 containerized_svc_dir: "/usr/lib/systemd/system"
 ha_svc_template_path: "native-cluster"
 
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+
 # NOTE
 # r_openshift_master_*_default may be defined external to this role.
 # openshift_use_*, if defined, may affect other roles or play behavior.
diff --git a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2 b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2
index 5d4a99c97..cec3d3fb1 100644
--- a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2
+++ b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2
@@ -4,9 +4,9 @@ Documentation=https://github.com/openshift/origin
 After=etcd_container.service
 Wants=etcd_container.service
 Before={{ openshift.common.service_type }}-node.service
-After={{ openshift.docker.service_name }}.service
-PartOf={{ openshift.docker.service_name }}.service
-Requires={{ openshift.docker.service_name }}.service
+After={{ openshift_docker_service_name }}.service
+PartOf={{ openshift_docker_service_name }}.service
+Requires={{ openshift_docker_service_name }}.service
 
 [Service]
 EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-api
@@ -33,5 +33,5 @@ Restart=always
 RestartSec=5s
 
 [Install]
-WantedBy={{ openshift.docker.service_name }}.service
+WantedBy={{ openshift_docker_service_name }}.service
 WantedBy={{ openshift.common.service_type }}-node.service
diff --git a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2 b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2
index f93f3b565..a0248151d 100644
--- a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2
+++ b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2
@@ -3,9 +3,9 @@ Description=Atomic OpenShift Master Controllers
 Documentation=https://github.com/openshift/origin
 Wants={{ openshift.common.service_type }}-master-api.service
 After={{ openshift.common.service_type }}-master-api.service
-After={{ openshift.docker.service_name }}.service
-Requires={{ openshift.docker.service_name }}.service
-PartOf={{ openshift.docker.service_name }}.service
+After={{ openshift_docker_service_name }}.service
+Requires={{ openshift_docker_service_name }}.service
+PartOf={{ openshift_docker_service_name }}.service
 
 [Service]
 EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
@@ -32,4 +32,4 @@ Restart=always
 RestartSec=5s
 
 [Install]
-WantedBy={{ openshift.docker.service_name }}.service
+WantedBy={{ openshift_docker_service_name }}.service
diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml
index 5a0c09f5c..f3867fe4a 100644
--- a/roles/openshift_node/defaults/main.yml
+++ b/roles/openshift_node/defaults/main.yml
@@ -101,8 +101,11 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur
 oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker"
 oreg_auth_credentials_replace: False
 l_bind_docker_reg_auth: False
+openshift_use_crio: False
 openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}"
 
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+
 # NOTE
 # r_openshift_node_*_default may be defined external to this role.
 # openshift_use_*, if defined, may affect other roles or play behavior.
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index 927d107c6..70057c7f3 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -17,7 +17,6 @@ dependencies:
 - role: lib_openshift
 - role: lib_os_firewall
   when: not (openshift_node_upgrade_in_progress | default(False))
-- role: openshift_docker
 - role: openshift_cloud_provider
   when: not (openshift_node_upgrade_in_progress | default(False))
 - role: lib_utils
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index d46b1f9c3..e60d96760 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -4,7 +4,7 @@
   when:
     - (not ansible_selinux or ansible_selinux.status != 'enabled')
     - deployment_type == 'openshift-enterprise'
-    - not openshift_use_crio | default(false)
+    - not openshift_use_crio
 
 - include: dnsmasq.yml
 
@@ -49,7 +49,7 @@
     name: cri-o
     enabled: yes
     state: restarted
-  when: openshift_use_crio | default(false)
+  when: openshift_use_crio
 
 - name: restart NetworkManager to ensure resolv.conf is present
   systemd:
diff --git a/roles/openshift_node/tasks/node_system_container.yml b/roles/openshift_node/tasks/node_system_container.yml
index 73dc9e130..eb8d9a6a5 100644
--- a/roles/openshift_node/tasks/node_system_container.yml
+++ b/roles/openshift_node/tasks/node_system_container.yml
@@ -16,6 +16,6 @@
     image: "{{ 'docker:' if system_images_registry == 'docker' else system_images_registry + '/' }}{{ openshift.node.node_system_image }}:{{ openshift_image_tag }}"
     values:
     - "DNS_DOMAIN={{ openshift.common.dns_domain }}"
-    - "DOCKER_SERVICE={{ openshift.docker.service_name }}.service"
+    - "DOCKER_SERVICE={{ openshift_docker_service_name }}.service"
     - "MASTER_SERVICE={{ openshift.common.service_type }}.service"
     state: latest
diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml
index 8c3548475..d33e172c1 100644
--- a/roles/openshift_node/tasks/openvswitch_system_container.yml
+++ b/roles/openshift_node/tasks/openvswitch_system_container.yml
@@ -1,14 +1,11 @@
 ---
-- set_fact:
-    l_use_crio: "{{ openshift_use_crio | default(false) }}"
-
 - set_fact:
     l_service_name: "cri-o"
-  when: l_use_crio
+  when: openshift_use_crio
 
 - set_fact:
-    l_service_name: "{{ openshift.docker.service_name }}"
-  when: not l_use_crio
+    l_service_name: "{{ openshift_docker_service_name }}"
+  when: not openshift_use_crio
 
 - name: Ensure proxies are in the atomic.conf
   include_role:
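Review bot: `when: not openshift_use_crio` evaluates the raw value, so if the inventory passes `openshift_use_crio` as a string such as `false`, the negation is false. Depending on how Ansible resolves the bare `when: openshift_use_crio` above it, neither `set_fact` may run and `l_service_name` may stay undefined. The role default added in `roles/openshift_node/defaults/main.yml` only covers the unset case. I would use `when: openshift_use_crio | bool` and `when: not (openshift_use_crio | bool)`. The same unfiltered test appears in the `roles/openshift_node/tasks/main.yml` hunks and in the `{% if openshift_use_crio %}` lines of `node.service.j2`, `node.yaml.v1.j2` and `openshift.docker.node.dep.service`, where any non-empty string would render the CRI-O branch.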
diff --git a/roles/openshift_node/tasks/upgrade/restart.yml b/roles/openshift_node/tasks/upgrade/restart.yml
index a4fa51172..3f1abceab 100644
--- a/roles/openshift_node/tasks/upgrade/restart.yml
+++ b/roles/openshift_node/tasks/upgrade/restart.yml
@@ -13,19 +13,15 @@
 - name: Reload systemd to ensure latest unit files
   command: systemctl daemon-reload
 
-- name: Restart docker
+- name: Restart container runtime
   service:
-    name: "{{ openshift.docker.service_name }}"
+    name: "{{ openshift_docker_service_name }}"
     state: started
   register: docker_start_result
   until: not docker_start_result | failed
   retries: 3
   delay: 30
 
-- name: Update docker facts
-  openshift_facts:
-    role: docker
-
 - name: Start services
   service: name={{ item }} state=started
   with_items:
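Review bot: The renamed task `Restart container runtime` still only ensures that `openshift_docker_service_name` is `started`, so it restarts nothing. It also resolves to `docker` or `container-engine` only, never `cri-o`. Whether CRI-O is brought back up elsewhere during the upgrade is not visible in this hunk; if it is not, a node with `openshift_use_crio` set would reach `Start services` without its runtime being checked. I would either name the task for what it does, `- name: Ensure docker or container-engine is started`, or add a matching `cri-o` task guarded by `when: openshift_use_crio | bool`.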
diff --git a/roles/openshift_node/templates/node.service.j2 b/roles/openshift_node/templates/node.service.j2
index 7602d8ee6..da751bd65 100644
--- a/roles/openshift_node/templates/node.service.j2
+++ b/roles/openshift_node/templates/node.service.j2
@@ -1,14 +1,14 @@
 [Unit]
 Description=OpenShift Node
-After={{ openshift.docker.service_name }}.service
+After={{ openshift_docker_service_name }}.service
 Wants=openvswitch.service
 After=ovsdb-server.service
 After=ovs-vswitchd.service
-Wants={{ openshift.docker.service_name }}.service
+Wants={{ openshift_docker_service_name }}.service
 Documentation=https://github.com/openshift/origin
 Requires=dnsmasq.service
 After=dnsmasq.service
-{% if openshift_use_crio|default(false) %}Wants=cri-o.service{% endif %}
+{% if openshift_use_crio %}Wants=cri-o.service{% endif %}
 
 [Service]
 Type=notify
diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2
index d452cc45c..16fdde02e 100644
--- a/roles/openshift_node/templates/node.yaml.v1.j2
+++ b/roles/openshift_node/templates/node.yaml.v1.j2
@@ -16,7 +16,7 @@ imageConfig:
   latest: {{ openshift_node_image_config_latest }}
 kind: NodeConfig
 kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yaml(level=1) }}
-{% if openshift_use_crio | default(False) %}
+{% if openshift_use_crio %}
   container-runtime:
   - remote
   container-runtime-endpoint:
diff --git a/roles/openshift_node/templates/openshift.docker.node.dep.service b/roles/openshift_node/templates/openshift.docker.node.dep.service
index fa7238849..5964ac095 100644
--- a/roles/openshift_node/templates/openshift.docker.node.dep.service
+++ b/roles/openshift_node/templates/openshift.docker.node.dep.service
@@ -1,9 +1,9 @@
 [Unit]
-Requires={{ openshift.docker.service_name }}.service
-After={{ openshift.docker.service_name }}.service
+Requires={{ openshift_docker_service_name }}.service
+After={{ openshift_docker_service_name }}.service
 PartOf={{ openshift.common.service_type }}-node.service
 Before={{ openshift.common.service_type }}-node.service
-{% if openshift_use_crio|default(false) %}Wants=cri-o.service{% endif %}
+{% if openshift_use_crio %}Wants=cri-o.service{% endif %}
 
 [Service]
 ExecStart=/bin/bash -c "if [[ -f /usr/bin/docker-current ]]; then echo \"DOCKER_ADDTL_BIND_MOUNTS=--volume=/usr/bin/docker-current:/usr/bin/docker-current:ro --volume=/etc/sysconfig/docker:/etc/sysconfig/docker:ro --volume=/etc/containers/registries:/etc/containers/registries:ro\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; else echo \"#DOCKER_ADDTL_BIND_MOUNTS=\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; fi"
diff --git a/roles/openshift_node/templates/openshift.docker.node.service b/roles/openshift_node/templates/openshift.docker.node.service
index 561aa01f4..3b33ca542 100644
--- a/roles/openshift_node/templates/openshift.docker.node.service
+++ b/roles/openshift_node/templates/openshift.docker.node.service
@@ -1,9 +1,9 @@
 [Unit]
 After={{ openshift.common.service_type }}-master.service
-After={{ openshift.docker.service_name }}.service
+After={{ openshift_docker_service_name }}.service
 After=openvswitch.service
-PartOf={{ openshift.docker.service_name }}.service
-Requires={{ openshift.docker.service_name }}.service
+PartOf={{ openshift_docker_service_name }}.service
+Requires={{ openshift_docker_service_name }}.service
 {% if openshift_node_use_openshift_sdn %}
 Wants=openvswitch.service
 PartOf=openvswitch.service
@@ -26,7 +26,7 @@ ExecStart=/usr/bin/docker run --name {{ openshift.common.service_type }}-node \
   --rm --privileged --net=host --pid=host --env-file=/etc/sysconfig/{{ openshift.common.service_type }}-node \
   -v /:/rootfs:ro,rslave -e CONFIG_FILE=${CONFIG_FILE} -e OPTIONS=${OPTIONS} \
   -e HOST=/rootfs -e HOST_ETC=/host-etc \
-  -v {{ openshift_node_data_dir }}:{{ openshift_node_data_dir }}{{ ':rslave' if openshift.docker.gte_1_10 | default(False) | bool else '' }} \
+  -v {{ openshift_node_data_dir }}:{{ openshift_node_data_dir }}:rslave \
   -v {{ openshift.common.config_base }}/node:{{ openshift.common.config_base }}/node \
   {% if openshift_cloudprovider_kind | default('') != '' -%} -v {{ openshift.common.config_base }}/cloudprovider:{{ openshift.common.config_base}}/cloudprovider {% endif -%} \
   -v /etc/localtime:/etc/localtime:ro -v /etc/machine-id:/etc/machine-id:ro \
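Review bot: The node data-dir mount now always carries `:rslave`, with the `openshift.docker.gte_1_10` gate removed, so a host whose Docker predates that version would presumably fail to start this unit instead of falling back to a plain bind mount. If a minimum Docker version is enforced elsewhere in the play, that is not visible here. A comment above the `ExecStart=` line would make the requirement explicit, for example `# Requires Docker >= 1.10: the node data dir is mounted :rslave unconditionally.` The `ExecStart` command starts above this hunk and continues below it.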
@@ -48,4 +48,4 @@ Restart=always
 RestartSec=5s
 
 [Install]
-WantedBy={{ openshift.docker.service_name }}.service
+WantedBy={{ openshift_docker_service_name }}.service
diff --git a/roles/openshift_node/templates/openvswitch.docker.service b/roles/openshift_node/templates/openvswitch.docker.service
index 34aaaabd6..37f091c76 100644
--- a/roles/openshift_node/templates/openvswitch.docker.service
+++ b/roles/openshift_node/templates/openvswitch.docker.service
@@ -1,7 +1,7 @@
 [Unit]
-After={{ openshift.docker.service_name }}.service
-Requires={{ openshift.docker.service_name }}.service
-PartOf={{ openshift.docker.service_name }}.service
+After={{ openshift_docker_service_name }}.service
+Requires={{ openshift_docker_service_name }}.service
+PartOf={{ openshift_docker_service_name }}.service
 
 [Service]
 EnvironmentFile=/etc/sysconfig/openvswitch
@@ -14,4 +14,4 @@ Restart=always
 RestartSec=5s
 
 [Install]
-WantedBy={{ openshift.docker.service_name }}.service
+WantedBy={{ openshift_docker_service_name }}.service
diff --git a/roles/openshift_node_certificates/defaults/main.yml b/roles/openshift_node_certificates/defaults/main.yml
index 455f26f30..b42b75be9 100644
--- a/roles/openshift_node_certificates/defaults/main.yml
+++ b/roles/openshift_node_certificates/defaults/main.yml
@@ -1,3 +1,5 @@
 ---
 openshift_node_cert_expire_days: 730
 openshift_ca_host: ''
+
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml
index ef66bf9ca..0686ac101 100644
--- a/roles/openshift_node_certificates/handlers/main.yml
+++ b/roles/openshift_node_certificates/handlers/main.yml
@@ -6,7 +6,7 @@
 
 - name: check for container runtime after updating ca trust
   command: >
-    systemctl -q is-active {{ openshift.docker.service_name }}.service
+    systemctl -q is-active {{ openshift_docker_service_name }}.service
   register: l_docker_installed
   # An rc of 0 indicates that the container runtime service is
   # running. We will restart it by notifying the restart handler since
@@ -18,7 +18,7 @@
 
 - name: restart container runtime after updating ca trust
   systemd:
-    name: "{{ openshift.docker.service_name }}"
+    name: "{{ openshift_docker_service_name }}"
     state: restarted
   when: not openshift_certificates_redeploy | default(false) | bool
   register: l_docker_restart_docker_in_cert_result
diff --git a/roles/openshift_node_facts/tasks/main.yml b/roles/openshift_node_facts/tasks/main.yml
index d33d09980..c234a3000 100644
--- a/roles/openshift_node_facts/tasks/main.yml
+++ b/roles/openshift_node_facts/tasks/main.yml
@@ -15,7 +15,6 @@
       kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}"
       labels: "{{ openshift_node_labels | default(None) }}"
       registry_url: "{{ oreg_url_node | default(oreg_url) | default(None) }}"
-      sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}"
       storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}"
       set_node_ip: "{{ openshift_set_node_ip | default(None) }}"
       node_image: "{{ osn_image | default(None) }}"
diff --git a/roles/openshift_version/meta/main.yml b/roles/openshift_version/meta/main.yml
index 38b398343..5d7683120 100644
--- a/roles/openshift_version/meta/main.yml
+++ b/roles/openshift_version/meta/main.yml
@@ -12,7 +12,4 @@ galaxy_info:
   categories:
   - cloud
 dependencies:
-- role: openshift_docker_facts
-- role: docker
-  when: openshift.common.is_containerized | default(False) | bool and not skip_docker_role | default(False) | bool
 - role: lib_utils
diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml
index 574e89899..71f957b78 100644
--- a/roles/openshift_version/tasks/set_version_containerized.yml
+++ b/roles/openshift_version/tasks/set_version_containerized.yml
@@ -1,7 +1,4 @@
 ---
-- set_fact:
-    l_use_crio_only: "{{ openshift_use_crio_only | default(false) }}"
-
 - name: Set containerized version to configure if openshift_image_tag specified
   set_fact:
     # Expects a leading "v" in inventory, strip it off here unless
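Review bot: Dropping the `set_fact` removes the `default(false)` fallback for `openshift_use_crio_only`, and the four `when:` lists in the later hunks of this file now read the inventory variable directly as `not openshift_use_crio_only`. Unless this role's defaults define the variable, an inventory that omits it would presumably fail these tasks with an undefined-variable error instead of taking the Docker path. The defaults are not visible in this diff, and the same commit also removes this role's dependencies in meta/main.yml. Either add the variable to the role's defaults or keep the guard self-contained, for example `- not (openshift_use_crio_only | default(False) | bool)`.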
@@ -24,7 +21,7 @@
   register: cli_image_version
   when:
   - openshift_version is not defined
-  - not l_use_crio_only
+  - not openshift_use_crio_only
 
 # Origin latest = pre-release version (i.e. v1.3.0-alpha.1-321-gb095e3a)
 - set_fact:
@@ -33,7 +30,7 @@
   - openshift_version is not defined
   - openshift.common.deployment_type == 'origin'
   - cli_image_version.stdout_lines[0].split('-') | length > 1
-  - not l_use_crio_only
+  - not openshift_use_crio_only
 
 - set_fact:
     openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}"
@@ -48,14 +45,14 @@
   when:
   - openshift_version is defined
   - openshift_version.split('.') | length == 2
-  - not l_use_crio_only
+  - not openshift_use_crio_only
 
 - set_fact:
     openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2][1:] | join('-') if openshift.common.deployment_type == 'origin' else cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}"
   when:
   - openshift_version is defined
   - openshift_version.split('.') | length == 2
-  - not l_use_crio_only
+  - not openshift_use_crio_only
 
 # TODO: figure out a way to check for the openshift_version when using CRI-O.
 # We should do that using the images in the ostree storage so we don't have
-- 
cgit v1.2.3