From 3003a54811227f5434a8a3d7c8d54c3accafd1e3 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 19 Jul 2017 11:48:48 +0200 Subject: crio: use a template for the configuration Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/systemcontainer_crio.yml | 29 ++---- roles/docker/templates/crio.conf.j2 | 132 ++++++++++++++++++++++++++++ 2 files changed, 137 insertions(+), 24 deletions(-) create mode 100644 roles/docker/templates/crio.conf.j2 diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index f88f167c7..7c3ed90d8 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -1,7 +1,7 @@ --- # TODO: Much of this file is shared with container engine tasks - set_fact: - l_insecure_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" + l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" - name: Ensure container-selinux is installed package: @@ -96,30 +96,11 @@ image: "{{ l_crio_image }}" state: latest -- name: run CRI-O with overlay2 - replace: - regexp: 'storage_driver = ""' - replace: 'storage_driver = "overlay2"' - name: /etc/crio/crio.conf - backup: yes - -- name: Add overlay2 storage opts for CRI-O - lineinfile: +- name: Create the CRI-O configuration + template: dest: /etc/crio/crio.conf - line: '"overlay2.override_kernel_check=1"' - insertafter: 'storage_option = \[' - regexp: 'overlay2\.override_kernel_check=1' - state: present - when: ansible_distribution in ['RedHat', 'CentOS'] - -- name: Configure insecure registries for CRI-O - lineinfile: - dest: /etc/crio/crio.conf - line: "{{ l_insecure_registries }}" - insertafter: 'insecure_registries = \[' - regexp: "{{ l_insecure_registries }}" - state: present - when: openshift_docker_insecure_registries is defined + src: crio.conf.j2 + backup: yes - name: Start the CRI-O service systemd: diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 new file mode 100644 index 000000000..f7049aa41 --- /dev/null +++ b/roles/docker/templates/crio.conf.j2 @@ -0,0 +1,132 @@ +# {{ ansible_managed }} + +# The "crio" table contains all of the server options. +[crio] + +# root is a path to the "root directory". CRIO stores all of its data, +# including container images, in this directory. +root = "/var/lib/containers/storage" + +# run is a path to the "run directory". CRIO stores all of its state +# in this directory. +runroot = "/var/run/containers/storage" + +# storage_driver select which storage driver is used to manage storage +# of images and containers. +storage_driver = "overlay2" + +# storage_option is used to pass an option to the storage driver. +storage_option = [ +{% if ansible_distribution in ['RedHat', 'CentOS'] %} + "overlay2.override_kernel_check=1" +{% endif %} +] + +# The "crio.api" table contains settings for the kubelet/gRPC +# interface (which is also used by crioctl). +[crio.api] + +# listen is the path to the AF_LOCAL socket on which crio will listen. +listen = "/var/run/crio.sock" + +# stream_address is the IP address on which the stream server will listen +stream_address = "" + +# stream_port is the port on which the stream server will listen +stream_port = "10010" + +# The "crio.runtime" table contains settings pertaining to the OCI +# runtime used and options for how to set up and manage the OCI runtime. +[crio.runtime] + +# runtime is the OCI compatible runtime used for trusted container workloads. +# This is a mandatory setting as this runtime will be the default one +# and will also be used for untrusted container workloads if +# runtime_untrusted_workload is not set. +runtime = "/usr/libexec/crio/runc" + +# runtime_untrusted_workload is the OCI compatible runtime used for untrusted +# container workloads. This is an optional setting, except if +# default_container_trust is set to "untrusted". +runtime_untrusted_workload = "" + +# default_workload_trust is the default level of trust crio puts in container +# workloads. It can either be "trusted" or "untrusted", and the default +# is "trusted". +# Containers can be run through different container runtimes, depending on +# the trust hints we receive from kubelet: +# - If kubelet tags a container workload as untrusted, crio will try first to +# run it through the untrusted container workload runtime. If it is not set, +# crio will use the trusted runtime. +# - If kubelet does not provide any information about the container workload trust +# level, the selected runtime will depend on the default_container_trust setting. +# If it is set to "untrusted", then all containers except for the host privileged +# ones, will be run by the runtime_untrusted_workload runtime. Host privileged +# containers are by definition trusted and will always use the trusted container +# runtime. If default_container_trust is set to "trusted", crio will use the trusted +# container runtime for all containers. +default_workload_trust = "trusted" + +# conmon is the path to conmon binary, used for managing the runtime. +conmon = "/usr/libexec/crio/conmon" + +# conmon_env is the environment variable list for conmon process, +# used for passing necessary environment variable to conmon or runtime. +conmon_env = [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", +] + +# selinux indicates whether or not SELinux will be used for pod +# separation on the host. If you enable this flag, SELinux must be running +# on the host. +selinux = true + +# seccomp_profile is the seccomp json profile path which is used as the +# default for the runtime. +seccomp_profile = "/etc/crio/seccomp.json" + +# apparmor_profile is the apparmor profile name which is used as the +# default for the runtime. +apparmor_profile = "crio-default" + +# cgroup_manager is the cgroup management implementation to be used +# for the runtime. +cgroup_manager = "systemd" + +# The "crio.image" table contains settings pertaining to the +# management of OCI images. +[crio.image] + +# default_transport is the prefix we try prepending to an image name if the +# image name as we receive it can't be parsed as a valid source reference +default_transport = "docker://" + +# pause_image is the image which we use to instantiate infra containers. +pause_image = "kubernetes/pause" + +# pause_command is the command to run in a pause_image to have a container just +# sit there. If the image contains the necessary information, this value need +# not be specified. +pause_command = "/pause" + +# signature_policy is the name of the file which decides what sort of policy we +# use when deciding whether or not to trust an image that we've pulled. +# Outside of testing situations, it is strongly advised that this be left +# unspecified so that the default system-wide policy will be used. +signature_policy = "" + +# insecure_registries is used to skip TLS verification when pulling images. +insecure_registries = [ +{{ l_insecure_crio_registries }} +] + +# The "crio.network" table contains settings pertaining to the +# management of CNI plugins. +[crio.network] + +# network_dir is is where CNI network configuration +# files are stored. +network_dir = "/etc/cni/net.d/" + +# plugin_dir is is where CNI plugin binaries are stored. +plugin_dir = "/opt/cni/bin/" -- cgit v1.2.3