12 files changed, 351 insertions, 104 deletions

diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml
index ed97d539c..f6f2bd77e 100644
--- a/roles/docker/defaults/main.yml
+++ b/roles/docker/defaults/main.yml
@@ -1 +1,35 @@
 ---
+docker_cli_auth_config_path: '/root/.docker'
+openshift_docker_signature_verification: False
+
+# oreg_url is defined by user input.
+oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
+oreg_auth_credentials_replace: False
+
+openshift_docker_additional_registries: []
+openshift_docker_blocked_registries: []
+openshift_docker_insecure_registries: []
+
+openshift_docker_ent_reg: 'registry.access.redhat.com'
+
+# The l2_docker_* variables convert csv strings to lists, if
+# necessary.  These variables should be used in place of their respective
+# openshift_docker_* counterparts to ensure the properly formatted lists are
+# utilized.
+l2_docker_additional_registries: "{% if openshift_docker_additional_registries is string %}{% if openshift_docker_additional_registries == '' %}[]{% elif ',' in openshift_docker_additional_registries %}{{ openshift_docker_additional_registries.split(',') | list }}{% else %}{{ [ openshift_docker_additional_registries ] }}{% endif %}{% else %}{{ openshift_docker_additional_registries }}{% endif %}"
+l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}"
+l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}"
+
+openshift_docker_use_etc_containers: False
+containers_registries_conf_path: /etc/containers/registries.conf
+
+r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
+r_crio_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
+
+r_crio_os_firewall_deny: []
+r_crio_os_firewall_allow:
+- service: crio
+  port: 10010/tcp
+
+
+openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['oo_masters_to_config']|default([])) or inventory_hostname in (groups['oo_nodes_to_config']|default([])) else False | bool }}"
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
index 591367467..866ed0452 100644
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@@ -4,6 +4,7 @@
   systemd:
     name: "{{ openshift.docker.service_name }}"
     state: restarted
+    daemon_reload: yes
   register: r_docker_restart_docker_result
   until: not r_docker_restart_docker_result | failed
   retries: 3
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index b773a417c..62b8a2eb5 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -11,3 +11,4 @@ galaxy_info:
     - 7
 dependencies:
 - role: lib_openshift
+- role: lib_os_firewall
diff --git a/roles/docker/tasks/crio_firewall.yml b/roles/docker/tasks/crio_firewall.yml
new file mode 100644
index 000000000..fbd1ff515
--- /dev/null
+++ b/roles/docker/tasks/crio_firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_crio_firewall_enabled | bool and not r_crio_use_firewalld | bool
+  block:
+  - name: Add iptables allow rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: add
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_allow }}"
+
+  - name: Remove iptables rules
+    os_firewall_manage_iptables:
+      name: "{{ item.service }}"
+      action: remove
+      protocol: "{{ item.port.split('/')[1] }}"
+      port: "{{ item.port.split('/')[0] }}"
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_deny }}"
+
+- when: r_crio_firewall_enabled | bool and r_crio_use_firewalld | bool
+  block:
+  - name: Add firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: enabled
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_allow }}"
+
+  - name: Remove firewalld allow rules
+    firewalld:
+      port: "{{ item.port }}"
+      permanent: true
+      immediate: true
+      state: disabled
+    when: item.cond | default(True)
+    with_items: "{{ r_crio_os_firewall_deny }}"
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 78c6671d8..1539af53f 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -10,19 +10,29 @@
     l_use_crio: "{{ openshift_use_crio | default(False) }}"
     l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}"
 
+- name: Add enterprise registry, if necessary
+  set_fact:
+    l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}"
+  when:
+    - openshift.common.deployment_type == 'openshift-enterprise'
+    - openshift_docker_ent_reg != ''
+    - openshift_docker_ent_reg not in l2_docker_additional_registries
+    - not l_use_crio_only
+
 - name: Use Package Docker if Requested
   include: package_docker.yml
   when:
-  - not l_use_system_container
-  - not l_use_crio_only
+    - not l_use_system_container
+    - not l_use_crio_only
 
 - name: Use System Container Docker if Requested
   include: systemcontainer_docker.yml
   when:
-  - l_use_system_container
-  - not l_use_crio_only
+    - l_use_system_container
+    - not l_use_crio_only
 
 - name: Add CRI-O usage Requested
   include: systemcontainer_crio.yml
   when:
-  - l_use_crio
+    - l_use_crio
+    - openshift_docker_is_node_or_master | bool
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index bc52ab60c..c1aedf879 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -3,6 +3,8 @@
   command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker"
   when: not openshift.common.is_atomic | bool
   register: curr_docker_version
+  retries: 4
+  until: curr_docker_version | succeeded
   changed_when: false
 
 - name: Error out if Docker pre-installed but too old
@@ -46,7 +48,9 @@
     template:
       dest: "{{ docker_systemd_dir }}/custom.conf"
       src: custom.conf.j2
-  when: not os_firewall_use_firewalld | default(False) | bool
+    notify:
+    - restart docker
+  when: not (os_firewall_use_firewalld | default(False)) | bool
 
 - stat: path=/etc/sysconfig/docker
   register: docker_check
@@ -56,20 +60,31 @@
     dest: /etc/sysconfig/docker
     regexp: '^{{ item.reg_conf_var }}=.*$'
     line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'"
-  when: item.reg_fact_val != '' and docker_check.stat.isreg is defined and docker_check.stat.isreg
+  when:
+  - item.reg_fact_val != []
+  - docker_check.stat.isreg is defined
+  - docker_check.stat.isreg
   with_items:
   - reg_conf_var: ADD_REGISTRY
-    reg_fact_val: "{{ docker_additional_registries | default(None, true)}}"
+    reg_fact_val: "{{ l2_docker_additional_registries }}"
     reg_flag: --add-registry
   - reg_conf_var: BLOCK_REGISTRY
-    reg_fact_val: "{{ docker_blocked_registries| default(None, true) }}"
+    reg_fact_val: "{{ l2_docker_blocked_registries }}"
     reg_flag: --block-registry
   - reg_conf_var: INSECURE_REGISTRY
-    reg_fact_val: "{{ docker_insecure_registries| default(None, true) }}"
+    reg_fact_val: "{{ l2_docker_insecure_registries }}"
     reg_flag: --insecure-registry
   notify:
   - restart docker
 
+- name: Place additional/blocked/insecure registries in /etc/containers/registries.conf
+  template:
+    dest: "{{ containers_registries_conf_path }}"
+    src: registries.conf
+  when: openshift_docker_use_etc_containers | bool
+  notify:
+  - restart docker
+
 - name: Set Proxy Settings
   lineinfile:
     dest: /etc/sysconfig/docker
@@ -93,11 +108,12 @@
     dest: /etc/sysconfig/docker
     regexp: '^OPTIONS=.*$'
     line: "OPTIONS='\
-      {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %}\
-      {% if docker_log_driver is defined  %} --log-driver {{ docker_log_driver }}{% endif %}\
-      {% if docker_log_options is defined %} {{ docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\
-      {% if docker_options is defined %} {{ docker_options }}{% endif %}\
-      {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'"
+      {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \
+      {% if docker_log_driver is defined  %} --log-driver {{ docker_log_driver }}{% endif %} \
+      {% if docker_log_options is defined %} {{ docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \
+      {% if docker_options is defined %} {{ docker_options }}{% endif %} \
+      {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %} \
+      --signature-verification={{ openshift_docker_signature_verification | bool }}'"
   when: docker_check.stat.isreg is defined and docker_check.stat.isreg
   notify:
   - restart docker
@@ -117,6 +133,13 @@
   notify:
   - restart docker
 
+# The following task is needed as the systemd module may report a change in
+# state even though docker is already running.
+- name: Detect if docker is already started
+  command: "systemctl show docker -p ActiveState"
+  changed_when: False
+  register: r_docker_already_running_result
+
 - name: Start the Docker service
   systemd:
     name: docker
@@ -129,6 +152,8 @@
   delay: 30
 
 - set_fact:
-    docker_service_status_changed: "{{ r_docker_package_docker_start_result | changed }}"
+    docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}"
+
+- include: registry_auth.yml
 
 - meta: flush_handlers
diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml
new file mode 100644
index 000000000..d05b7f2b8
--- /dev/null
+++ b/roles/docker/tasks/registry_auth.yml
@@ -0,0 +1,16 @@
+---
+- name: Check for credentials file for registry auth
+  stat:
+    path: "{{ docker_cli_auth_config_path }}/config.json"
+  when: oreg_auth_user is defined
+  register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+  command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+  register: openshift_docker_credentials_create_res
+  retries: 3
+  delay: 5
+  until: openshift_docker_credentials_create_res.rc == 0
+  when:
+  - oreg_auth_user is defined
+  - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
index 787f51f94..67ede0d21 100644
--- a/roles/docker/tasks/systemcontainer_crio.yml
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -1,8 +1,34 @@
 ---
+
 # TODO: Much of this file is shared with container engine tasks
 - set_fact:
-    l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}"
-  when: openshift.docker.insecure_registries
+    l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}"
+  when: l2_docker_insecure_registries | bool
+- set_fact:
+    l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}"
+  when: l2_docker_additional_registries | bool
+- set_fact:
+    l_crio_registries: "{{ ['docker.io'] }}"
+  when: not (l2_docker_additional_registries | bool)
+- set_fact:
+    l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"
+  when: l2_docker_additional_registries | bool
+
+- set_fact:
+    l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+  when: openshift_image_tag is defined
+
+- set_fact:
+    l_openshift_image_tag: "latest"
+  when:
+    - openshift_image_tag is not defined
+    - openshift_release == "latest"
+
+- set_fact:
+    l_openshift_image_tag: "{{ openshift_release | string }}"
+  when:
+    - openshift_image_tag is not defined
+    - openshift_release != "latest"
 
 - name: Ensure container-selinux is installed
   package:
@@ -10,6 +36,12 @@
     state: present
   when: not openshift.common.is_atomic | bool
 
+- name: Check we are not using node as a Docker container with CRI-O
+  fail: msg='Cannot use CRI-O with node configured as a Docker container'
+  when:
+    - openshift.common.is_containerized | bool
+    - not openshift.common.is_node_system_container | bool
+
 # Used to pull and install the system container
 - name: Ensure atomic is installed
   package:
@@ -30,7 +62,7 @@
   shell: lsmod | grep overlay
   register: l_has_overlay_in_kernel
   ignore_errors: yes
-
+  failed_when: false
 
 - when: l_has_overlay_in_kernel.rc != 0
   block:
@@ -50,60 +82,51 @@
         enabled: yes
         state: restarted
 
+- name: Ensure proxies are in the atomic.conf
+  include_role:
+    name: openshift_atomic
+    tasks_from: proxy
 
 - block:
 
-    - name: Add http_proxy to /etc/atomic.conf
-      lineinfile:
-        dest: /etc/atomic.conf
-        regexp: "^#?http_proxy[:=]{1}"
-        line: "http_proxy: {{ openshift.common.http_proxy | default('') }}"
-      when:
-        - openshift.common.http_proxy is defined
-        - openshift.common.http_proxy != ''
-
-    - name: Add https_proxy to /etc/atomic.conf
-      lineinfile:
-        dest: /etc/atomic.conf
-        regexp: "^#?https_proxy[:=]{1}"
-        line: "https_proxy: {{ openshift.common.https_proxy | default('') }}"
-      when:
-        - openshift.common.https_proxy is defined
-        - openshift.common.https_proxy != ''
-
-    - name: Add no_proxy to /etc/atomic.conf
-      lineinfile:
-        dest: /etc/atomic.conf
-        regexp: "^#?no_proxy[:=]{1}"
-        line: "no_proxy: {{ openshift.common.no_proxy | default('') }}"
-      when:
-        - openshift.common.no_proxy is defined
-        - openshift.common.no_proxy != ''
-
-
-- block:
-
-    - name: Set to default prepend
+    - name: Set CRI-O image defaults
       set_fact:
         l_crio_image_prepend: "docker.io/gscrivano"
-        l_crio_image_name: "crio-o-fedora"
+        l_crio_image_name: "cri-o-fedora"
+        l_crio_image_tag: "latest"
 
-    - name: Use Centos based image when distribution is Red Hat or CentOS
+    - name: Use Centos based image when distribution is CentOS
       set_fact:
         l_crio_image_name: "cri-o-centos"
-      when: ansible_distribution in ['RedHat', 'CentOS']
+      when: ansible_distribution == "CentOS"
 
-    # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504
-    - name: Use a testing registry if requested
+    - name: Set CRI-O image tag
       set_fact:
-        l_crio_image_prepend: "{{ openshift_crio_systemcontainer_image_registry_override }}"
+        l_crio_image_tag: "{{ l_openshift_image_tag }}"
       when:
-        - openshift_crio_systemcontainer_image_registry_override is defined
-        - openshift_crio_systemcontainer_image_registry_override != ""
+        - openshift_deployment_type == 'openshift-enterprise'
+
+    - name: Use RHEL based image when distribution is Red Hat
+      set_fact:
+        l_crio_image_prepend: "registry.access.redhat.com/openshift3"
+        l_crio_image_name: "cri-o"
+      when: ansible_distribution == "RedHat"
 
     - name: Set the full image name
       set_fact:
-        l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:latest"
+        l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:{{ l_crio_image_tag }}"
+
+    # For https://github.com/openshift/aos-cd-jobs/pull/624#pullrequestreview-61816548
+    - name: Use a specific image if requested
+      set_fact:
+        l_crio_image: "{{ openshift_crio_systemcontainer_image_override }}"
+      when:
+        - openshift_crio_systemcontainer_image_override is defined
+        - openshift_crio_systemcontainer_image_override != ""
+
+    # Be nice and let the user see the variable result
+    - debug:
+        var: l_crio_image
 
 # NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
 - name: Pre-pull CRI-O System Container image
@@ -119,6 +142,14 @@
     image: "{{ l_crio_image }}"
     state: latest
 
+- name: Remove CRI-O default configuration files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/cni/net.d/200-loopback.conf
+    - /etc/cni/net.d/100-crio-bridge.conf
+
 - name: Create the CRI-O configuration
   template:
     dest: /etc/crio/crio.conf
@@ -130,11 +161,19 @@
     path: /etc/cni/net.d/
     state: directory
 
+- name: setup firewall for CRI-O
+  include: crio_firewall.yml
+  static: yes
+
 - name: Configure the CNI network
   template:
     dest: /etc/cni/net.d/openshift-sdn.conf
     src: 80-openshift-sdn.conf.j2
 
+- name: Fix SELinux Permissions on /var/lib/containers
+  command: "restorecon -R /var/lib/containers/"
+  changed_when: false
+
 - name: Start the CRI-O service
   systemd:
     name: "cri-o"
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index 57a84bc2c..aa3b35ddd 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -1,4 +1,21 @@
 ---
+
+- set_fact:
+    l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+  when: openshift_image_tag is defined
+
+- set_fact:
+    l_openshift_image_tag: "latest"
+  when:
+    - openshift_image_tag is not defined
+    - openshift_release == "latest"
+
+- set_fact:
+    l_openshift_image_tag: "{{ openshift_release | string }}"
+  when:
+    - openshift_image_tag is not defined
+    - openshift_release != "latest"
+
 # If docker_options are provided we should fail. We should not install docker and ignore
 # the users configuration. NOTE: docker_options == inventory:openshift_docker_options
 - name: Fail quickly if openshift_docker_options are set
@@ -51,44 +68,23 @@
   retries: 3
   delay: 30
 
-
-# Set http_proxy, https_proxy, and no_proxy in /etc/atomic.conf
-# regexp: the line starts with or without #, followed by the string
-#         http_proxy, then either : or =
-- block:
-
-    - name: Add http_proxy to /etc/atomic.conf
-      lineinfile:
-        dest: /etc/atomic.conf
-        regexp: "^#?http_proxy[:=]{1}"
-        line: "http_proxy: {{ openshift.common.http_proxy | default('') }}"
-      when:
-        - openshift.common.http_proxy is defined
-        - openshift.common.http_proxy != ''
-
-    - name: Add https_proxy to /etc/atomic.conf
-      lineinfile:
-        dest: /etc/atomic.conf
-        regexp: "^#?https_proxy[:=]{1}"
-        line: "https_proxy: {{ openshift.common.https_proxy | default('') }}"
-      when:
-        - openshift.common.https_proxy is defined
-        - openshift.common.https_proxy != ''
-
-    - name: Add no_proxy to /etc/atomic.conf
-      lineinfile:
-        dest: /etc/atomic.conf
-        regexp: "^#?no_proxy[:=]{1}"
-        line: "no_proxy: {{ openshift.common.no_proxy | default('') }}"
-      when:
-        - openshift.common.no_proxy is defined
-        - openshift.common.no_proxy != ''
+- name: Ensure proxies are in the atomic.conf
+  include_role:
+    name: openshift_atomic
+    tasks_from: proxy
 
 - block:
 
     - name: Set to default prepend
       set_fact:
         l_docker_image_prepend: "gscrivano"
+        l_docker_image_tag: "latest"
+
+    - name: Set container engine image tag
+      set_fact:
+        l_docker_image_tag: "{{ l_openshift_image_tag }}"
+      when:
+        - openshift_deployment_type == 'openshift-enterprise'
 
     - name: Use Red Hat Registry for image when distribution is Red Hat
       set_fact:
@@ -100,17 +96,21 @@
         l_docker_image_prepend: "registry.fedoraproject.org/f25"
       when: ansible_distribution == 'Fedora'
 
-    # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504
-    - name: Use a testing registry if requested
+    - name: Set the full image name
       set_fact:
-        l_docker_image_prepend: "{{ openshift_docker_systemcontainer_image_registry_override }}"
-      when:
-        - openshift_docker_systemcontainer_image_registry_override is defined
-        - openshift_docker_systemcontainer_image_registry_override != ""
+        l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:{{ l_docker_image_tag }}"
 
-    - name: Set the full image name
+    # For https://github.com/openshift/openshift-ansible/pull/5354#issuecomment-328552959
+    - name: Use a specific image if requested
       set_fact:
-        l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:latest"
+        l_docker_image: "{{ openshift_docker_systemcontainer_image_override }}"
+      when:
+        - openshift_docker_systemcontainer_image_override is defined
+        - openshift_docker_systemcontainer_image_override != ""
+
+    # Be nice and let the user see the variable result
+    - debug:
+        var: l_docker_image
 
 # NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
 - name: Pre-pull Container Engine System Container image
@@ -144,10 +144,10 @@
 # Set local versions of facts that must be in json format for container-daemon.json
 # NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson
 - set_fact:
-    l_docker_insecure_registries: "{{ docker_insecure_registries | default([]) | to_json }}"
+    l_docker_insecure_registries: "{{ l2_docker_insecure_registries | default([]) | to_json }}"
     l_docker_log_options: "{{ docker_log_options | default({}) | to_json }}"
-    l_docker_additional_registries: "{{ docker_additional_registries | default([]) | to_json }}"
-    l_docker_blocked_registries: "{{ docker_blocked_registries | default([]) | to_json }}"
+    l_docker_additional_registries: "{{ l2_docker_additional_registries | default([]) | to_json }}"
+    l_docker_blocked_registries: "{{ l2_docker_blocked_registries | default([]) | to_json }}"
     l_docker_selinux_enabled: "{{ docker_selinux_enabled | default(true) | to_json }}"
 
 # Configure container-engine using the container-daemon.json file
@@ -173,4 +173,6 @@
 - set_fact:
     docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}"
 
+- include: registry_auth.yml
+
 - meta: flush_handlers
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
index 5b31932b1..93014a80d 100644
--- a/roles/docker/templates/crio.conf.j2
+++ b/roles/docker/templates/crio.conf.j2
@@ -13,12 +13,12 @@ runroot = "/var/run/containers/storage"
 
 # storage_driver select which storage driver is used to manage storage
 # of images and containers.
-storage_driver = "overlay2"
+storage_driver = "overlay"
 
 # storage_option is used to pass an option to the storage driver.
 storage_option = [
 {% if ansible_distribution in ['RedHat', 'CentOS'] %}
-	"overlay2.override_kernel_check=1"
+	"overlay.override_kernel_check=1"
 {% endif %}
 ]
 
@@ -35,6 +35,10 @@ stream_address = ""
 # stream_port is the port on which the stream server will listen
 stream_port = "10010"
 
+# file_locking is whether file-based locking will be used instead of
+# in-memory locking
+file_locking = true
+
 # The "crio.runtime" table contains settings pertaining to the OCI
 # runtime used and options for how to set up and manage the OCI runtime.
 [crio.runtime]
@@ -67,6 +71,9 @@ runtime_untrusted_workload = ""
 # container runtime for all containers.
 default_workload_trust = "trusted"
 
+# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
+no_pivot = false
+
 # conmon is the path to conmon binary, used for managing the runtime.
 conmon = "/usr/libexec/crio/conmon"
 
@@ -93,6 +100,16 @@ apparmor_profile = "crio-default"
 # for the runtime.
 cgroup_manager = "systemd"
 
+# hooks_dir_path is the oci hooks directory for automatically executed hooks
+hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+
+# pids_limit is the number of processes allowed in a container
+pids_limit = 1024
+
+# log_size_max is the max limit for the container log size in bytes.
+# Negative values indicate that no limit is imposed.
+log_size_max = 52428800
+
 # The "crio.image" table contains settings pertaining to the
 # management of OCI images.
 [crio.image]
@@ -115,11 +132,21 @@ pause_command = "/pause"
 # unspecified so that the default system-wide policy will be used.
 signature_policy = ""
 
+# image_volumes controls how image volumes are handled.
+# The valid values are mkdir and ignore.
+image_volumes = "mkdir"
+
 # insecure_registries is used to skip TLS verification when pulling images.
 insecure_registries = [
 {{ l_insecure_crio_registries|default("") }}
 ]
 
+# registries is used to specify a comma separated list of registries to be used
+# when pulling an unqualified image (e.g. fedora:rawhide).
+registries = [
+{{ l_additional_crio_registries|default("") }}
+]
+
 # The "crio.network" table contains settings pertaining to the
 # management of CNI plugins.
 [crio.network]
diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2
index 9b47cb6ab..713412473 100644
--- a/roles/docker/templates/custom.conf.j2
+++ b/roles/docker/templates/custom.conf.j2
@@ -3,3 +3,9 @@
 [Unit]
 Wants=iptables.service
 After=iptables.service
+
+# The following line is a work-around to ensure docker is restarted whenever
+# iptables is restarted.  This ensures the proper iptables rules will be in
+# place for docker.
+# Note:  This will also cause docker to be stopped if iptables is stopped.
+PartOf=iptables.service
diff --git a/roles/docker/templates/registries.conf b/roles/docker/templates/registries.conf
new file mode 100644
index 000000000..d379b2be0
--- /dev/null
+++ b/roles/docker/templates/registries.conf
@@ -0,0 +1,46 @@
+# {{ ansible_managed }}
+# This is a system-wide configuration file used to
+# keep track of registries for various container backends.
+# It adheres to YAML format and does not support recursive
+# lists of registries.
+
+# The default location for this configuration file is /etc/containers/registries.conf.
+
+# The only valid categories are: 'registries', 'insecure_registries',
+# and 'block_registries'.
+
+
+#registries:
+#  - registry.access.redhat.com
+
+{% if l2_docker_additional_registries %}
+registries:
+{% for reg in l2_docker_additional_registries %}
+  - {{ reg }}
+{% endfor %}
+{% endif %}
+
+# If you need to access insecure registries, uncomment the section below
+# and add the registries fully-qualified name. An insecure registry is one
+# that does not have a valid SSL certificate or only does HTTP.
+#insecure_registries:
+#  -
+
+{% if l2_docker_insecure_registries %}
+insecure_registries:
+{% for reg in l2_docker_insecure_registries %}
+  - {{ reg }}
+{% endfor %}
+{% endif %}
+
+# If you need to block pull access from a registry, uncomment the section below
+# and add the registries fully-qualified name.
+#block_registries:
+# -
+
+{% if l2_docker_blocked_registries %}
+block_registries:
+{% for reg in l2_docker_blocked_registries %}
+  - {{ reg }}
+{% endfor %}
+{% endif %}