diff options
Diffstat (limited to 'roles/container_runtime')
17 files changed, 141 insertions, 47 deletions
diff --git a/roles/container_runtime/README.md b/roles/container_runtime/README.md index 51f469aaf..665b1b012 100644 --- a/roles/container_runtime/README.md +++ b/roles/container_runtime/README.md @@ -5,7 +5,7 @@ Ensures docker package or system container is installed, and optionally raises t container-daemon.json items may be found at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file -This role is designed to be used with include_role and tasks_from. +This role is designed to be used with import_role and tasks_from. Entry points ------------ @@ -30,7 +30,7 @@ Example Playbook - hosts: servers tasks: - - include_role: container_runtime + - import_role: container_runtime tasks_from: package_docker.yml License diff --git a/roles/container_runtime/defaults/main.yml b/roles/container_runtime/defaults/main.yml index d7eb8663f..d0e37e2f4 100644 --- a/roles/container_runtime/defaults/main.yml +++ b/roles/container_runtime/defaults/main.yml @@ -2,8 +2,6 @@ docker_cli_auth_config_path: '/root/.docker' openshift_docker_signature_verification: False -repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}" - openshift_docker_alternative_creds: False # oreg_url is defined by user input. @@ -13,7 +11,7 @@ oreg_auth_credentials_replace: False openshift_docker_use_system_container: False openshift_docker_disable_push_dockerhub: False # bool openshift_docker_selinux_enabled: True -openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}" +openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False) | bool) else 'docker' }}" openshift_docker_hosted_registry_insecure: False # bool @@ -55,11 +53,25 @@ openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['o docker_alt_storage_path: /var/lib/containers/docker docker_default_storage_path: /var/lib/docker +docker_storage_path: "{{ docker_default_storage_path }}" +docker_storage_size: 40G +docker_storage_setup_options: + vg: docker_vg + data_size: 99%VG + storage_driver: overlay2 + root_lv_name: docker-root-lv + root_lv_size: 100%FREE + root_lv_mount_path: "{{ docker_storage_path }}" +docker_storage_extra_options: +- "--storage-opt overlay2.override_kernel_check=true" +- "--storage-opt overlay2.size={{ docker_storage_size }}" +- "--graph={{ docker_storage_path}}" + # Set local versions of facts that must be in json format for container-daemon.json # NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson l_docker_log_options: "{{ l2_docker_log_options | to_json }}" -l_docker_log_options_dict: "{{ l2_docker_log_options | oo_list_to_dict | to_json }}" +l_docker_log_options_dict: "{{ l2_docker_log_options | lib_utils_oo_list_to_dict | to_json }}" l_docker_additional_registries: "{{ l2_docker_additional_registries | to_json }}" l_docker_blocked_registries: "{{ l2_docker_blocked_registries | to_json }}" l_docker_insecure_registries: "{{ l2_docker_insecure_registries | to_json }}" @@ -115,7 +127,7 @@ l_crio_image: "{{ openshift_crio_systemcontainer_image_override | default(l_crio # systemcontainers_docker # # ----------------------- # l_crt_docker_image_prepend_dict: - Fedora: "registry.fedoraproject.org/f25" + Fedora: "registry.fedoraproject.org/latest" Centos: "docker.io/gscrivano" RedHat: "registry.access.redhat.com/openshift3" diff --git a/roles/container_runtime/handlers/main.yml b/roles/container_runtime/handlers/main.yml index 67cd6d782..87c5de0e9 100644 --- a/roles/container_runtime/handlers/main.yml +++ b/roles/container_runtime/handlers/main.yml @@ -6,7 +6,7 @@ state: restarted daemon_reload: yes register: r_docker_restart_docker_result - until: not r_docker_restart_docker_result | failed + until: not (r_docker_restart_docker_result is failed) retries: 3 delay: 30 when: not docker_service_status_changed | default(false) | bool diff --git a/roles/container_runtime/meta/main.yml b/roles/container_runtime/meta/main.yml index 02fceb745..3bc2607fb 100644 --- a/roles/container_runtime/meta/main.yml +++ b/roles/container_runtime/meta/main.yml @@ -11,5 +11,5 @@ galaxy_info: - 7 dependencies: - role: lib_openshift -- role: lib_os_firewall - role: lib_utils +- role: openshift_facts diff --git a/roles/container_runtime/tasks/common/post.yml b/roles/container_runtime/tasks/common/post.yml index d790eb2c0..23fd8528a 100644 --- a/roles/container_runtime/tasks/common/post.yml +++ b/roles/container_runtime/tasks/common/post.yml @@ -11,7 +11,7 @@ - meta: flush_handlers # This needs to run after docker is restarted to account for proxy settings. -# registry_auth is called directly with include_role in some places, so we +# registry_auth is called directly with import_role in some places, so we # have to put it in the root of the tasks/ directory. - include_tasks: ../registry_auth.yml @@ -22,5 +22,5 @@ - include_tasks: setup_docker_symlink.yml when: - - openshift_use_crio + - openshift_use_crio | bool - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool) diff --git a/roles/container_runtime/tasks/common/syscontainer_packages.yml b/roles/container_runtime/tasks/common/syscontainer_packages.yml index 715ed492d..d429047e6 100644 --- a/roles/container_runtime/tasks/common/syscontainer_packages.yml +++ b/roles/container_runtime/tasks/common/syscontainer_packages.yml @@ -4,18 +4,18 @@ package: name: container-selinux state: present - when: not openshift.common.is_atomic | bool + when: not openshift_is_atomic | bool register: result - until: result | success + until: result is succeeded # Used to pull and install the system container - name: Ensure atomic is installed package: name: atomic state: present - when: not openshift.common.is_atomic | bool + when: not openshift_is_atomic | bool register: result - until: result | success + until: result is succeeded # At the time of writing the atomic command requires runc for it's own use. This # task is here in the even that the atomic package ever removes the dependency. @@ -23,6 +23,6 @@ package: name: runc state: present - when: not openshift.common.is_atomic | bool + when: not openshift_is_atomic | bool register: result - until: result | success + until: result is succeeded diff --git a/roles/container_runtime/tasks/docker_sanity.yml b/roles/container_runtime/tasks/docker_sanity.yml index e62cf5505..bc4da1cce 100644 --- a/roles/container_runtime/tasks/docker_sanity.yml +++ b/roles/container_runtime/tasks/docker_sanity.yml @@ -5,23 +5,38 @@ - name: Error out if Docker pre-installed but too old fail: msg: "Docker {{ curr_docker_version.stdout }} is installed, but >= 1.9.1 is required." - when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.9.1', '<') and not docker_version is defined + when: + - not (curr_docker_version is skipped) + - curr_docker_version.stdout != '' + - curr_docker_version.stdout is version_compare('1.9.1', '<') + - not (docker_version is defined) - name: Error out if requested Docker is too old fail: msg: "Docker {{ docker_version }} requested, but >= 1.9.1 is required." - when: docker_version is defined and docker_version | version_compare('1.9.1', '<') + when: + - docker_version is defined + - docker_version is version_compare('1.9.1', '<') # If a docker_version was requested, sanity check that we can install or upgrade to it, and # no downgrade is required. - name: Fail if Docker version requested but downgrade is required fail: msg: "Docker {{ curr_docker_version.stdout }} is installed, but version {{ docker_version }} was requested." - when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and docker_version is defined and curr_docker_version.stdout | version_compare(docker_version, '>') + when: + - not (curr_docker_version is skipped) + - curr_docker_version.stdout != '' + - docker_version is defined + - curr_docker_version.stdout is version_compare(docker_version, '>') # This involves an extremely slow migration process, users should instead run the # Docker 1.10 upgrade playbook to accomplish this. - name: Error out if attempting to upgrade Docker across the 1.10 boundary fail: msg: "Cannot upgrade Docker to >= 1.10, please upgrade or remove Docker manually, or use the Docker upgrade playbook if OpenShift is already installed." - when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.10', '<') and docker_version is defined and docker_version | version_compare('1.10', '>=') + when: + - not (curr_docker_version is skipped) + - curr_docker_version.stdout != '' + - curr_docker_version.stdout is version_compare('1.10', '<') + - docker_version is defined + - docker_version is version_compare('1.10', '>=') diff --git a/roles/container_runtime/tasks/docker_storage_setup_overlay.yml b/roles/container_runtime/tasks/docker_storage_setup_overlay.yml new file mode 100644 index 000000000..782c002e3 --- /dev/null +++ b/roles/container_runtime/tasks/docker_storage_setup_overlay.yml @@ -0,0 +1,10 @@ +--- +- name: Setup the docker-storage for overlay + template: + src: docker_storage_setup.j2 + dest: /etc/sysconfig/docker-storage-setup + owner: root + group: root + mode: 0664 + when: + - container_runtime_docker_storage_type == 'overlay2' diff --git a/roles/container_runtime/tasks/docker_upgrade_check.yml b/roles/container_runtime/tasks/docker_upgrade_check.yml index f29619f42..8dd916e79 100644 --- a/roles/container_runtime/tasks/docker_upgrade_check.yml +++ b/roles/container_runtime/tasks/docker_upgrade_check.yml @@ -19,24 +19,31 @@ command: "{{ repoquery_installed }} --qf '%{version}' docker" register: curr_docker_version retries: 4 - until: curr_docker_version | succeeded + until: curr_docker_version is succeeded changed_when: false + when: not openshift_is_atomic | bool - name: Get latest available version of Docker command: > {{ repoquery_cmd }} --qf '%{version}' "docker" register: avail_docker_version retries: 4 - until: avail_docker_version | succeeded + until: avail_docker_version is succeeded # Don't expect docker rpm to be available on hosts that don't already have it installed: - when: pkg_check.rc == 0 + when: + - not openshift_is_atomic | bool + - pkg_check.rc == 0 failed_when: false changed_when: false - fail: msg: This playbook requires access to Docker 1.12 or later # Disable the 1.12 requirement if the user set a specific Docker version - when: docker_version is not defined and (docker_upgrade is not defined or docker_upgrade | bool == True) and (pkg_check.rc == 0 and (avail_docker_version.stdout == "" or avail_docker_version.stdout | version_compare('1.12','<'))) + when: + - not openshift_is_atomic | bool + - docker_version is not defined + - docker_upgrade is not defined or docker_upgrade | bool == True + - (pkg_check.rc == 0 and (avail_docker_version.stdout == "" or avail_docker_version.stdout is version_compare('1.12','<'))) # Default l_docker_upgrade to False, we'll set to True if an upgrade is required: - set_fact: @@ -45,23 +52,30 @@ # Make sure a docker_version is set if none was requested: - set_fact: docker_version: "{{ avail_docker_version.stdout }}" - when: pkg_check.rc == 0 and docker_version is not defined + when: + - not openshift_is_atomic | bool + - pkg_check.rc == 0 and docker_version is not defined - name: Flag for Docker upgrade if necessary set_fact: l_docker_upgrade: True - when: pkg_check.rc == 0 and curr_docker_version.stdout | version_compare(docker_version,'<') + when: + - not openshift_is_atomic | bool + - pkg_check.rc == 0 + - curr_docker_version.stdout is version_compare(docker_version,'<') # Additional checks for Atomic hosts: - name: Determine available Docker shell: "rpm -q --queryformat '---\ncurr_version: %{VERSION}\navail_version: \n' docker" register: g_atomic_docker_version_result - when: openshift.common.is_atomic | bool + when: openshift_is_atomic | bool - set_fact: l_docker_version: "{{ g_atomic_docker_version_result.stdout | from_yaml }}" - when: openshift.common.is_atomic | bool + when: openshift_is_atomic | bool - fail: msg: This playbook requires access to Docker 1.12 or later - when: openshift.common.is_atomic | bool and l_docker_version.avail_version | default(l_docker_version.curr_version, true) | version_compare('1.12','<') + when: + - openshift_is_atomic | bool + - l_docker_version.avail_version | default(l_docker_version.curr_version, true) is version_compare('1.12','<') diff --git a/roles/container_runtime/tasks/main.yml b/roles/container_runtime/tasks/main.yml index 96d8606c6..07da831c4 100644 --- a/roles/container_runtime/tasks/main.yml +++ b/roles/container_runtime/tasks/main.yml @@ -1,2 +1,2 @@ --- -# This role is meant to be used with include_role and tasks_from. +# This role is meant to be used with import_role and tasks_from. diff --git a/roles/container_runtime/tasks/package_docker.yml b/roles/container_runtime/tasks/package_docker.yml index 89899c9cf..d6e7e7fed 100644 --- a/roles/container_runtime/tasks/package_docker.yml +++ b/roles/container_runtime/tasks/package_docker.yml @@ -3,10 +3,10 @@ - name: Get current installed Docker version command: "{{ repoquery_installed }} --qf '%{version}' docker" - when: not openshift.common.is_atomic | bool + when: not openshift_is_atomic | bool register: curr_docker_version retries: 4 - until: curr_docker_version | succeeded + until: curr_docker_version is succeeded changed_when: false # Some basic checks to ensure the role will complete @@ -19,9 +19,12 @@ package: name: "docker{{ '-' + docker_version if docker_version is defined else '' }}" state: present - when: not openshift.common.is_atomic | bool and not curr_docker_version | skipped and not curr_docker_version.stdout != '' + when: + - not (openshift_is_atomic | bool) + - not (curr_docker_version is skipped) + - not (curr_docker_version.stdout != '') register: result - until: result | success + until: result is succeeded - block: # Extend the default Docker service unit file when using iptables-services @@ -45,7 +48,7 @@ lineinfile: dest: /etc/sysconfig/docker regexp: '^{{ item.reg_conf_var }}=.*$' - line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'" + line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | lib_utils_oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'" when: - item.reg_fact_val != [] - docker_check.stat.isreg is defined @@ -98,7 +101,7 @@ line: "OPTIONS='\ {% if ansible_selinux.status | default(None) == 'enabled' and openshift_docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \ {% if openshift_docker_log_driver | bool %} --log-driver {{ openshift_docker_log_driver }}{% endif %} \ - {% if l2_docker_log_options != [] %} {{ l2_docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \ + {% if l2_docker_log_options != [] %} {{ l2_docker_log_options | lib_utils_oo_split() | lib_utils_oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \ {% if openshift_docker_hosted_registry_insecure and (openshift_docker_hosted_registry_network | bool) %} --insecure-registry={{ openshift_docker_hosted_registry_network }} {% endif %} \ {% if docker_options is defined %} {{ docker_options }}{% endif %} \ {% if openshift_docker_options %} {{ openshift_docker_options }}{% endif %} \ @@ -137,11 +140,11 @@ state: started daemon_reload: yes register: r_docker_package_docker_start_result - until: not r_docker_package_docker_start_result | failed + until: not (r_docker_package_docker_start_result is failed) retries: 3 delay: 30 - set_fact: - docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}" + docker_service_status_changed: "{{ (r_docker_package_docker_start_result is changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}" - include_tasks: common/post.yml diff --git a/roles/container_runtime/tasks/registry_auth.yml b/roles/container_runtime/tasks/registry_auth.yml index 2c7bc5711..4f1abd59a 100644 --- a/roles/container_runtime/tasks/registry_auth.yml +++ b/roles/container_runtime/tasks/registry_auth.yml @@ -15,6 +15,7 @@ - not openshift_docker_alternative_creds | bool - oreg_auth_user is defined - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + no_log: True # docker_creds is a custom module from lib_utils # 'docker login' requires a docker.service running on the local host, this is an @@ -30,3 +31,4 @@ - openshift_docker_alternative_creds | bool - oreg_auth_user is defined - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + no_log: True diff --git a/roles/container_runtime/tasks/systemcontainer_crio.yml b/roles/container_runtime/tasks/systemcontainer_crio.yml index 61f122f3c..d588f2618 100644 --- a/roles/container_runtime/tasks/systemcontainer_crio.yml +++ b/roles/container_runtime/tasks/systemcontainer_crio.yml @@ -3,7 +3,7 @@ - name: Check we are not using node as a Docker container with CRI-O fail: msg='Cannot use CRI-O with node configured as a Docker container' when: - - openshift.common.is_containerized | bool + - openshift_is_containerized | bool - not l_is_node_system_container | bool - include_tasks: common/pre.yml @@ -81,6 +81,17 @@ dest: /etc/cni/net.d/openshift-sdn.conf src: 80-openshift-sdn.conf.j2 +- name: Create /etc/sysconfig/crio-storage + copy: + content: "" + dest: /etc/sysconfig/crio-storage + force: no + +- name: Create /etc/sysconfig/crio-network + template: + dest: /etc/sysconfig/crio-network + src: crio-network.j2 + - name: Start the CRI-O service systemd: name: "cri-o" @@ -93,4 +104,4 @@ # 'docker login' - include_tasks: common/post.yml vars: - openshift_docker_alternative_creds: "{{ openshift_use_crio_only }}" + openshift_docker_alternative_creds: "{{ openshift_use_crio_only | bool }}" diff --git a/roles/container_runtime/tasks/systemcontainer_docker.yml b/roles/container_runtime/tasks/systemcontainer_docker.yml index 10570fe34..5f715cd21 100644 --- a/roles/container_runtime/tasks/systemcontainer_docker.yml +++ b/roles/container_runtime/tasks/systemcontainer_docker.yml @@ -18,9 +18,9 @@ # Make sure Docker is installed so we are able to use the client - name: Install Docker so we can use the client package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present - when: not openshift.common.is_atomic | bool + when: not openshift_is_atomic | bool register: result - until: result | success + until: result is succeeded # Make sure docker is disabled. Errors are ignored. - name: Disable Docker @@ -31,7 +31,7 @@ daemon_reload: yes ignore_errors: True register: r_docker_systemcontainer_docker_stop_result - until: not r_docker_systemcontainer_docker_stop_result | failed + until: not (r_docker_systemcontainer_docker_stop_result is failed) retries: 3 delay: 30 @@ -42,6 +42,12 @@ - debug: var: l_docker_image +# Do the authentication before pulling the container engine system container +# as the pull might be from an authenticated registry. +- include_tasks: registry_auth.yml + vars: + openshift_docker_alternative_creds: True + # NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released - name: Pre-pull Container Engine System Container image command: "atomic pull --storage ostree {{ l_docker_image }}" @@ -87,12 +93,12 @@ state: started daemon_reload: yes register: r_docker_systemcontainer_docker_start_result - until: not r_docker_systemcontainer_docker_start_result | failed + until: not (r_docker_systemcontainer_docker_start_result is failed) retries: 3 delay: 30 - set_fact: - docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}" + docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result is changed }}" # Since docker is running as a system container, docker login will fail to create # credentials. Use alternate method if requiring authenticated registries. diff --git a/roles/container_runtime/templates/crio-network.j2 b/roles/container_runtime/templates/crio-network.j2 new file mode 100644 index 000000000..763be97d7 --- /dev/null +++ b/roles/container_runtime/templates/crio-network.j2 @@ -0,0 +1,9 @@ +{% if 'http_proxy' in openshift.common %} +HTTP_PROXY={{ openshift.common.http_proxy }} +{% endif %} +{% if 'https_proxy' in openshift.common %} +HTTPS_PROXY={{ openshift.common.https_proxy }} +{% endif %} +{% if 'no_proxy' in openshift.common %} +NO_PROXY={{ openshift.common.no_proxy }} +{% endif %} diff --git a/roles/container_runtime/templates/crio.conf.j2 b/roles/container_runtime/templates/crio.conf.j2 index 3f066a17f..0a1ff2e0a 100644 --- a/roles/container_runtime/templates/crio.conf.j2 +++ b/roles/container_runtime/templates/crio.conf.j2 @@ -27,7 +27,7 @@ storage_option = [ [crio.api] # listen is the path to the AF_LOCAL socket on which crio will listen. -listen = "/var/run/crio.sock" +listen = "/var/run/crio/crio.sock" # stream_address is the IP address on which the stream server will listen stream_address = "" diff --git a/roles/container_runtime/templates/docker_storage_setup.j2 b/roles/container_runtime/templates/docker_storage_setup.j2 new file mode 100644 index 000000000..b056087e0 --- /dev/null +++ b/roles/container_runtime/templates/docker_storage_setup.j2 @@ -0,0 +1,12 @@ +# Edit this file to override any configuration options specified in +# /usr/lib/docker-storage-setup/docker-storage-setup. +# +# For more details refer to "man docker-storage-setup" +DEVS={{ container_runtime_docker_storage_setup_device }} +VG={{ docker_storage_setup_options.vg }} +DATA_SIZE={{ docker_storage_setup_options.data_size }} +STORAGE_DRIVER="{{ docker_storage_setup_options.storage_driver }}" +CONTAINER_ROOT_LV_NAME="{{ docker_storage_setup_options.root_lv_name }}" +CONTAINER_ROOT_LV_SIZE="{{ docker_storage_setup_options.root_lv_size }}" +CONTAINER_ROOT_LV_MOUNT_PATH="{{ docker_storage_setup_options.root_lv_mount_path }}" +EXTRA_STORAGE_OPTIONS="{{ docker_storage_extra_options | join(' ') }}" |