Diffstat (limited to 'roles/docker')
| -rw-r--r-- | roles/docker/README.md | 7 | ||||
| -rw-r--r-- | roles/docker/handlers/main.yml | 2 | ||||
| -rw-r--r-- | roles/docker/meta/main.yml | 1 | ||||
| -rw-r--r-- | roles/docker/tasks/main.yml | 121 | ||||
| -rw-r--r-- | roles/docker/tasks/package_docker.yml | 116 | ||||
| -rw-r--r-- | roles/docker/tasks/systemcontainer_docker.yml | 135 | ||||
| -rw-r--r-- | roles/docker/templates/daemon.json | 64 | ||||
| -rw-r--r-- | roles/docker/templates/systemcontainercustom.conf.j2 | 17 | ||||
| -rw-r--r-- | roles/docker/vars/main.yml | 3 | 
9 files changed, 350 insertions, 116 deletions
| diff --git a/roles/docker/README.md b/roles/docker/README.md index ea06fd41a..f25ca03cd 100644 --- a/roles/docker/README.md +++ b/roles/docker/README.md @@ -1,7 +1,7 @@  Docker  ========= -Ensures docker package is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes. +Ensures docker package or system container is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes.  Requirements  ------------ @@ -11,8 +11,10 @@ Ansible 2.2  Role Variables  -------------- -udevw_udevd_dir: location of systemd config for systemd-udevd.service +docker_conf_dir: location of the Docker configuration directory +docker_systemd_dir location of the systemd directory for Docker  docker_udev_workaround: raises udevd timeout to 5 minutes (https://bugzilla.redhat.com/show_bug.cgi?id=1272446) +udevw_udevd_dir: location of systemd config for systemd-udevd.service  Dependencies  ------------ @@ -26,6 +28,7 @@ Example Playbook        roles:        - role: docker          docker_udev_workaround: "true" +        docker_use_system_container: False  License  ------- diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 9ccb306fc..7f91afb37 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -2,7 +2,7 @@  - name: restart docker    systemd: -    name: docker +    name: "{{ openshift.docker.service_name }}"      state: restarted    when: not docker_service_status_changed | default(false) | bool diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml index ad28cece9..cd4083572 100644 --- a/roles/docker/meta/main.yml +++ b/roles/docker/meta/main.yml @@ -11,3 +11,4 @@ galaxy_info:      - 7  dependencies:  - role: os_firewall +- role: lib_openshift diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index c34700aeb..e60dbe2d6 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
@@ -1,119 +1,16 @@  --- -- name: Get current installed Docker version -  command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker" -  when: not openshift.common.is_atomic | bool -  register: curr_docker_version -  changed_when: false - -- name: Error out if Docker pre-installed but too old -  fail: -    msg: "Docker {{ curr_docker_version.stdout }} is installed, but >= 1.9.1 is required." -  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.9.1', '<') and not docker_version is defined - -- name: Error out if requested Docker is too old -  fail: -    msg: "Docker {{ docker_version }} requested, but >= 1.9.1 is required." -  when: docker_version is defined and docker_version | version_compare('1.9.1', '<') - -# If a docker_version was requested, sanity check that we can install or upgrade to it, and -# no downgrade is required. -- name: Fail if Docker version requested but downgrade is required -  fail: -    msg: "Docker {{ curr_docker_version.stdout }} is installed, but version {{ docker_version }} was requested." -  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and docker_version is defined and curr_docker_version.stdout | version_compare(docker_version, '>') - -# This involves an extremely slow migration process, users should instead run the -# Docker 1.10 upgrade playbook to accomplish this. -- name: Error out if attempting to upgrade Docker across the 1.10 boundary -  fail: -    msg: "Cannot upgrade Docker to >= 1.10, please upgrade or remove Docker manually, or use the Docker upgrade playbook if OpenShift is already installed." -  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.10', '<') and docker_version is defined and docker_version | version_compare('1.10', '>=') - -# Make sure Docker is installed, but does not update a running version. 
-# Docker upgrades are handled by a separate playbook. -- name: Install Docker -  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present -  when: not openshift.common.is_atomic | bool - -- block: -  # Extend the default Docker service unit file when using iptables-services -  - name: Ensure docker.service.d directory exists -    file: -      path: "{{ docker_systemd_dir }}" -      state: directory - -  - name: Configure Docker service unit file -    template: -      dest: "{{ docker_systemd_dir }}/custom.conf" -      src: custom.conf.j2 -  when: not os_firewall_use_firewalld | default(True) | bool +# These tasks dispatch to the proper set of docker tasks based on the +# inventory:openshift_docker_use_system_container variable  - include: udev_workaround.yml    when: docker_udev_workaround | default(False) | bool -- stat: path=/etc/sysconfig/docker -  register: docker_check - -- name: Set registry params -  lineinfile: -    dest: /etc/sysconfig/docker -    regexp: '^{{ item.reg_conf_var }}=.*$' -    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'" -  when: item.reg_fact_val != '' and docker_check.stat.isreg is defined and docker_check.stat.isreg -  with_items: -  - reg_conf_var: ADD_REGISTRY -    reg_fact_val: "{{ docker_additional_registries | default(None, true)}}" -    reg_flag: --add-registry -  - reg_conf_var: BLOCK_REGISTRY -    reg_fact_val: "{{ docker_blocked_registries| default(None, true) }}" -    reg_flag: --block-registry -  - reg_conf_var: INSECURE_REGISTRY -    reg_fact_val: "{{ docker_insecure_registries| default(None, true) }}" -    reg_flag: --insecure-registry -  notify: -  - restart docker +- name: Use Package Docker if Requested +  include: package_docker.yml +  when: openshift.docker.use_system_container is not defined or openshift.docker.use_system_container == False -- name: Set Proxy Settings -  lineinfile: -    dest: 
/etc/sysconfig/docker -    regexp: '^{{ item.reg_conf_var }}=.*$' -    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'" -    state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}" -  with_items: -  - reg_conf_var: HTTP_PROXY -    reg_fact_val: "{{ docker_http_proxy | default('') }}" -  - reg_conf_var: HTTPS_PROXY -    reg_fact_val: "{{ docker_https_proxy | default('') }}" -  - reg_conf_var: NO_PROXY -    reg_fact_val: "{{ docker_no_proxy | default('') }}" -  notify: -  - restart docker +- name: Use System Container Docker if Requested +  include: systemcontainer_docker.yml    when: -  - docker_check.stat.isreg is defined and docker_check.stat.isreg and '"http_proxy" in openshift.common or "https_proxy" in openshift.common' - -- name: Set various Docker options -  lineinfile: -    dest: /etc/sysconfig/docker -    regexp: '^OPTIONS=.*$' -    line: "OPTIONS='\ -      {% if ansible_selinux.status | default(None) == '''enabled''' and docker_selinux_enabled | default(true) %} --selinux-enabled {% endif %}\ -      {% if docker_log_driver is defined  %} --log-driver {{ docker_log_driver }}{% endif %}\ -      {% if docker_log_options is defined %} {{ docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\ -      {% if docker_options is defined %} {{ docker_options }}{% endif %}\ -      {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'" -  when: docker_check.stat.isreg is defined and docker_check.stat.isreg -  notify: -  - restart docker - -- name: Start the Docker service -  systemd: -    name: docker -    enabled: yes -    state: started -    daemon_reload: yes -  register: start_result - -- set_fact: -    docker_service_status_changed: start_result | changed - -- meta: flush_handlers +  - openshift.docker.use_system_container is defined +  - openshift.docker.use_system_container is True 
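Review bot: The two dispatch conditions in the new tasks/main.yml compare `openshift.docker.use_system_container` in two different ways, `== False` for the package path and `is True` for the system-container path, and neither coerces the value with `bool` the way `docker_udev_workaround | default(False) | bool` does a few lines above, so a string value such as `"true"` coming from inventory may select neither include. `is True` also depends on a Jinja2 test of that name being registered, which older Jinja2 releases do not provide. Suggest `when: not (openshift.docker.use_system_container | default(False) | bool)` and `when: openshift.docker.use_system_container | default(False) | bool` so the two branches are exact complements of one another.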
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml new file mode 100644 index 000000000..10fb5772c --- /dev/null +++ b/roles/docker/tasks/package_docker.yml 
@@ -0,0 +1,116 @@ +--- +- name: Get current installed Docker version +  command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker" +  when: not openshift.common.is_atomic | bool +  register: curr_docker_version +  changed_when: false + +- name: Error out if Docker pre-installed but too old +  fail: +    msg: "Docker {{ curr_docker_version.stdout }} is installed, but >= 1.9.1 is required." +  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.9.1', '<') and not docker_version is defined + +- name: Error out if requested Docker is too old +  fail: +    msg: "Docker {{ docker_version }} requested, but >= 1.9.1 is required." +  when: docker_version is defined and docker_version | version_compare('1.9.1', '<') + +# If a docker_version was requested, sanity check that we can install or upgrade to it, and +# no downgrade is required. +- name: Fail if Docker version requested but downgrade is required +  fail: +    msg: "Docker {{ curr_docker_version.stdout }} is installed, but version {{ docker_version }} was requested." +  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and docker_version is defined and curr_docker_version.stdout | version_compare(docker_version, '>') + +# This involves an extremely slow migration process, users should instead run the +# Docker 1.10 upgrade playbook to accomplish this. +- name: Error out if attempting to upgrade Docker across the 1.10 boundary +  fail: +    msg: "Cannot upgrade Docker to >= 1.10, please upgrade or remove Docker manually, or use the Docker upgrade playbook if OpenShift is already installed." +  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.10', '<') and docker_version is defined and docker_version | version_compare('1.10', '>=') + +# Make sure Docker is installed, but does not update a running version. 
+# Docker upgrades are handled by a separate playbook. +- name: Install Docker +  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present +  when: not openshift.common.is_atomic | bool + +- block: +  # Extend the default Docker service unit file when using iptables-services +  - name: Ensure docker.service.d directory exists +    file: +      path: "{{ docker_systemd_dir }}" +      state: directory + +  - name: Configure Docker service unit file +    template: +      dest: "{{ docker_systemd_dir }}/custom.conf" +      src: custom.conf.j2 +  when: not os_firewall_use_firewalld | default(True) | bool + +- stat: path=/etc/sysconfig/docker +  register: docker_check + +- name: Set registry params +  lineinfile: +    dest: /etc/sysconfig/docker +    regexp: '^{{ item.reg_conf_var }}=.*$' +    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'" +  when: item.reg_fact_val != '' and docker_check.stat.isreg is defined and docker_check.stat.isreg +  with_items: +  - reg_conf_var: ADD_REGISTRY +    reg_fact_val: "{{ docker_additional_registries | default(None, true)}}" +    reg_flag: --add-registry +  - reg_conf_var: BLOCK_REGISTRY +    reg_fact_val: "{{ docker_blocked_registries| default(None, true) }}" +    reg_flag: --block-registry +  - reg_conf_var: INSECURE_REGISTRY +    reg_fact_val: "{{ docker_insecure_registries| default(None, true) }}" +    reg_flag: --insecure-registry +  notify: +  - restart docker + +- name: Set Proxy Settings +  lineinfile: +    dest: /etc/sysconfig/docker +    regexp: '^{{ item.reg_conf_var }}=.*$' +    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'" +    state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}" +  with_items: +  - reg_conf_var: HTTP_PROXY +    reg_fact_val: "{{ docker_http_proxy | default('') }}" +  - reg_conf_var: HTTPS_PROXY +    reg_fact_val: "{{ docker_https_proxy | default('') }}" +  - 
reg_conf_var: NO_PROXY +    reg_fact_val: "{{ docker_no_proxy | default('') }}" +  notify: +  - restart docker +  when: +  - docker_check.stat.isreg is defined and docker_check.stat.isreg and '"http_proxy" in openshift.common or "https_proxy" in openshift.common' + +- name: Set various Docker options +  lineinfile: +    dest: /etc/sysconfig/docker +    regexp: '^OPTIONS=.*$' +    line: "OPTIONS='\ +      {% if ansible_selinux.status | default(None) == '''enabled''' and docker_selinux_enabled | default(true) %} --selinux-enabled {% endif %}\ +      {% if docker_log_driver is defined  %} --log-driver {{ docker_log_driver }}{% endif %}\ +      {% if docker_log_options is defined %} {{ docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\ +      {% if docker_options is defined %} {{ docker_options }}{% endif %}\ +      {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'" +  when: docker_check.stat.isreg is defined and docker_check.stat.isreg +  notify: +  - restart docker + +- name: Start the Docker service +  systemd: +    name: docker +    enabled: yes +    state: started +    daemon_reload: yes +  register: start_result + +- set_fact: +    docker_service_status_changed: start_result | changed + +- meta: flush_handlers diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml new file mode 100644 index 000000000..6db95bf12 --- /dev/null +++ b/roles/docker/tasks/systemcontainer_docker.yml 
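Review bot: `docker_service_status_changed: start_result | changed` in the `set_fact` near the end of package_docker.yml has no `{{ }}` delimiters, so the fact is set to the literal string `start_result | changed` rather than the result of the expression; the handler's guard `not docker_service_status_changed | default(false) | bool` then presumably evaluates that string as false and restarts docker on every notification, which is what the guard exists to avoid. This is moved code, but the same line is also in the new systemcontainer_docker.yml, so both should read `docker_service_status_changed: "{{ start_result | changed }}"`. The "Start the Docker service" task still hard-codes `name: docker` while the handler in this commit now uses `openshift.docker.service_name`; a one-line comment stating that the package path always manages the `docker` unit would make that asymmetry deliberate rather than accidental.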
@@ -0,0 +1,135 @@ +--- +# If docker_options are provided we should fail. We should not install docker and ignore +# the users configuration. NOTE: docker_options == inventory:openshift_docker_options +- name: Fail quickly if openshift_docker_options are set +  assert: +    that: +      - docker_options is defined +      - docker_options != "" +    msg: | +      Docker via System Container does not allow for the use of the openshift_docker_options +      variable. If you want to use openshift_docker_options you will need to use the +      traditional docker package install. Otherwise, comment out openshift_docker_options +      in your inventory file. + +# Used to pull and install the system container +- name: Ensure atomic is installed +  package: +    name: atomic +    state: present +  when: not openshift.common.is_atomic | bool + +# At the time of writing the atomic command requires runc for it's own use. This +# task is here in the even that the atomic package ever removes the dependency. 
+- name: Ensure runc is installed +  package: +    name: runc +    state: present +  when: not openshift.common.is_atomic | bool + +# If we are on atomic, set http_proxy and https_proxy in /etc/atomic.conf +- block: + +    - name: Add http_proxy to /etc/atomic.conf +      lineinfile: +        path: /etc/atomic.conf +        line: "http_proxy={{ openshift.common.http_proxy | default('') }}" +      when: +        - openshift.common.http_proxy is defined +        - openshift.common.http_proxy != '' + +    - name: Add https_proxy to /etc/atomic.conf +      lineinfile: +        path: /etc/atomic.conf +        line: "https_proxy={{ openshift.common.https_proxy | default('') }}" +      when: +        - openshift.common.https_proxy is defined +        - openshift.common.https_proxy != '' + +  when: openshift.common.is_atomic | bool + + +- block: + +    - name: Set to default prepend +      set_fact: +        l_docker_image_prepend: "gscrivano/" + +    - name: Use Red Hat Registry for image when distribution is Red Hat +      set_fact: +        l_docker_image_prepend: "registry.access.redhat.com/openshift3/" +      when: ansible_distribution == 'RedHat' + +    - name: Use Fedora Registry for image when distribution is Fedora +      set_fact: +        l_docker_image_prepend: "registry.fedoraproject.org/" +      when: ansible_distribution == 'Fedora' + +    # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 +    - name: Use a testing registry if requested +      set_fact: +        l_docker_image_prepend: "{{ openshift.docker.systemcontainer_image_registry_override }}/" +      when: +        - openshift.docker.systemcontainer_image_registry_override is defined +        - openshift.docker.systemcontainer_image_registry_override != "" + +    - name: Set the full image name +      set_fact: +        l_docker_image: "{{ l_docker_image_prepend }}container-engine-docker:latest" + +- name: Pre-pull Container Enginer System Container image +  command: 
"atomic pull --storage ostree {{ l_docker_image }}" +  changed_when: false + +# Make sure docker is disabled Errors are ignored as docker may not +# be installed. +- name: Disable Docker +  systemd: +    name: docker +    enabled: no +    state: stopped +    daemon_reload: yes +  ignore_errors: True + +- name: Ensure docker.service.d directory exists +  file: +    path: "{{ docker_systemd_dir }}" +    state: directory + +- name: Ensure /etc/docker directory exists +  file: +    path: "{{ docker_conf_dir }}" +    state: directory + +- name: Install Container Enginer System Container +  oc_atomic_container: +    name: container-engine-docker +    image: "container-engine-docker" +    state: latest +    values: +      - "system-package no" + +- name: Configure Container Engine Service File +  template: +    dest: "{{ docker_systemd_dir }}/custom.conf" +    src: systemcontainercustom.conf.j2 + +# Configure container-engine using the daemon.json file +- name: Configure Container Engine +  template: +    dest: "{{ docker_conf }}/daemon.json" +    src: daemon.json + +# Enable and start the container-engine service +- name: Start the Container Engine service +  systemd: +    name: "{{ openshift.docker.service_name }}" +    enabled: yes +    state: started +    daemon_reload: yes +  register: start_result + +- set_fact: +    docker_service_status_changed: start_result | changed + +- meta: flush_handlers diff --git a/roles/docker/templates/daemon.json b/roles/docker/templates/daemon.json new file mode 100644 index 000000000..bd085d2be --- /dev/null +++ b/roles/docker/templates/daemon.json 
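Review bot: The "Fail quickly if openshift_docker_options are set" assert at the top of systemcontainer_docker.yml is inverted: `that` requires `docker_options is defined` and `docker_options != ""`, so the play fails when no options are given and passes when they are, the opposite of what the comment above it and the `msg` describe; the condition should be `- docker_options is not defined or docker_options == ""`. The "Configure Container Engine" task writes to `"{{ docker_conf }}/daemon.json"`, but vars/main.yml in this commit defines `docker_conf_dir`, not `docker_conf`, so the task fails on an undefined variable; it should be `dest: "{{ docker_conf_dir }}/daemon.json"`. The two `lineinfile` tasks that add `http_proxy`/`https_proxy` to /etc/atomic.conf have no `regexp`, so a changed proxy value appends a second line instead of replacing the first; add `regexp: '^http_proxy='` and `regexp: '^https_proxy='` respectively. The image pulled with `atomic pull` is `{{ l_docker_image }}` (registry prefix included) while `oc_atomic_container` installs `image: "container-engine-docker"` without the prefix; if the module does not resolve that name against the local ostree storage the install may pull from a different registry than the one selected above, which is worth a comment either way.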
@@ -0,0 +1,64 @@ + +{ +    "api-cors-header": "", +    "authorization-plugins": ["rhel-push-plugin"], +    "bip": "", +    "bridge": "", +    "cgroup-parent": "", +    "cluster-store": "", +    "cluster-store-opts": {}, +    "cluster-advertise": "", +    "debug": true, +    "default-gateway": "", +    "default-gateway-v6": "", +    "default-runtime": "oci", +    "containerd": "/var/run/containerd.sock", +    "default-ulimits": {}, +    "disable-legacy-registry": false, +    "dns": [], +    "dns-opts": [], +    "dns-search": [], +    "exec-opts": ["native.cgroupdriver=systemd"], +    "exec-root": "", +    "fixed-cidr": "", +    "fixed-cidr-v6": "", +    "graph": "", +    "group": "", +    "hosts": [], +    "icc": false, +    "insecure-registries": {{ docker_insecure_registries|default([]) }}, +    "ip": "0.0.0.0", +    "iptables": false, +    "ipv6": false, +    "ip-forward": false, +    "ip-masq": false, +    "labels": [], +    "live-restore": true, +    "log-driver": "{{ docker_log_driver }}", +    "log-level": "", +    "log-opts": {{ docker_log_options|default({}) }}, +    "max-concurrent-downloads": 3, +    "max-concurrent-uploads": 5, +    "mtu": 0, +    "oom-score-adjust": -500, +    "pidfile": "", +    "raw-logs": false, +    "registry-mirrors": [], +    "runtimes": { +	"oci": { +	    "path": "/usr/libexec/docker/docker-runc-current" +	} +    }, +    "selinux-enabled": {{ docker_selinux_enabled|default(true) }}, +    "storage-driver": "", +    "storage-opts": [], +    "tls": true, +    "tlscacert": "", +    "tlscert": "", +    "tlskey": "", +    "tlsverify": true, +    "userns-remap": "", +    "add-registry": {{  docker_additional_registries|default([]) }}, +    "blocked-registries": {{ docker_blocked_registries|defaukt([]) }}, +    "userland-proxy-path": "/usr/libexec/docker/docker-proxy-current" +} 
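Review bot: `{{ docker_blocked_registries|defaukt([]) }}` near the end of daemon.json is a typo for `default`, so the template fails to render with an unknown-filter error. The other substituted values render as Python literals rather than JSON: a non-empty `docker_insecure_registries|default([])` renders as `['a', 'b']` with single quotes, `docker_log_options|default({})` likewise, and `docker_selinux_enabled|default(true)` renders as `True`, none of which a JSON parser accepts; pipe each through `to_json`, e.g. `"insecure-registries": {{ docker_insecure_registries|default([])|to_json }},`. `"log-driver": "{{ docker_log_driver }}"` is the only substitution without a `default`, so rendering also fails when that variable is unset. Since daemon.json has no comment syntax, the "Configure Container Engine" task that installs it should carry a short comment stating which of the hard-coded settings are deliberate, in particular `"tls": true` / `"tlsverify": true` with empty `tlscacert`/`tlscert`/`tlskey`, `"debug": true`, `"iptables": false` and `"hosts": []`, so a reader can tell intended defaults from placeholders.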
diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2 new file mode 100644 index 000000000..a2cfed8a9 --- /dev/null +++ b/roles/docker/templates/systemcontainercustom.conf.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +[Service] +{%- if docker_http_proxy %} +ENVIRONMENT=HTTP_PROXY={{ docker_http_proxy }} +{%- endif -%} +{%- if docker_https_proxy %} +ENVIRONMENT=HTTPS_PROXY={{ docker_http_proxy }} +{%- endif -%} +{%- if docker_no_proxy %} +ENVIRONMENT=NO_PROXY={{ docker_no_proxy }} +{%- endif %} +{%- if os_firewall_use_firewalld|default(true) %} +[Unit] +Wants=iptables.service +After=iptables.service +{%- endif %} diff --git a/roles/docker/vars/main.yml b/roles/docker/vars/main.yml index 5237ed8f2..0082ded1e 100644 --- a/roles/docker/vars/main.yml +++ b/roles/docker/vars/main.yml @@ -1,3 +1,4 @@  --- -udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d  docker_systemd_dir: /etc/systemd/system/docker.service.d +docker_conf_dir: /etc/docker/ +udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d | 
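Review bot: `ENVIRONMENT=HTTPS_PROXY={{ docker_http_proxy }}` in systemcontainercustom.conf.j2 substitutes the HTTP proxy into the HTTPS setting; it should be `ENVIRONMENT=HTTPS_PROXY={{ docker_https_proxy }}`. systemd unit directives are case-sensitive, so all three `ENVIRONMENT=` lines should be `Environment=` for the service to see them. The `[Unit]` block is emitted when `os_firewall_use_firewalld|default(true)` is true, which is the reverse of the package path in package_docker.yml, where the iptables-specific unit extension is applied `when: not os_firewall_use_firewalld | default(True) | bool`; `{%- if not os_firewall_use_firewalld|default(true) %}` would match. The three proxy conditionals also reference `docker_http_proxy`, `docker_https_proxy` and `docker_no_proxy` with no `default('')`, unlike the package path, so they may raise on hosts where those variables are not set.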
