
Merge pull request #4049 from ashcrow/system-container-docker

Merged by openshift-bot
OpenShift Bot 8 years ago
parent
commit
01135c08c4

+ 12 - 0
inventory/byo/hosts.origin.example

@@ -78,6 +78,18 @@ openshift_release=v1.5
 #openshift_docker_blocked_registries=registry.hacker.com
 # Disable pushing to dockerhub
 #openshift_docker_disable_push_dockerhub=True
+# Use Docker inside a System Container. Note that this is a tech preview and should
+# not be used to upgrade!
+# The following options for docker are ignored:
+# - docker_version
+# - docker_upgrade
+# The following options must not be used
+# - openshift_docker_options
+#openshift_docker_use_system_container=False
+# Force the registry to use for the system container. By default the registry
+# will be built off of the deployment type and ansible_distribution. Only
+# use this option if you are sure you know what you are doing!
+#openshift_docker_systemcontainer_image_registry_override="registry.example.com"
 # Items added, as is, to end of /etc/sysconfig/docker OPTIONS
 # Default value: "--log-driver=journald"
 #openshift_docker_options="-l warn --ipv6=false"

+ 12 - 0
inventory/byo/hosts.ose.example

@@ -78,6 +78,18 @@ openshift_release=v3.5
 #openshift_docker_blocked_registries=registry.hacker.com
 # Disable pushing to dockerhub
 #openshift_docker_disable_push_dockerhub=True
+# Use Docker inside a System Container. Note that this is a tech preview and should
+# not be used to upgrade!
+# The following options for docker are ignored:
+# - docker_version
+# - docker_upgrade
+# The following options must not be used
+# - openshift_docker_options
+#openshift_docker_use_system_container=False
+# Force the registry to use for the system container. By default the registry
+# will be built off of the deployment type and ansible_distribution. Only
+# use this option if you are sure you know what you are doing!
+#openshift_docker_systemcontainer_image_registry_override="registry.example.com"
 # Items added, as is, to end of /etc/sysconfig/docker OPTIONS
 # Default value: "--log-driver=journald"
 #openshift_docker_options="-l warn --ipv6=false"

+ 3 - 1
roles/calico/handlers/main.yml

@@ -5,4 +5,6 @@
 
 - name: restart docker
   become: yes
-  systemd: name=docker state=restarted
+  systemd:
+    name: "{{ openshift.docker.service_name }}"
+    state: restarted

+ 1 - 1
roles/contiv/tasks/netplugin.yml

@@ -105,7 +105,7 @@
 
 - name: Docker | Restart docker
   service:
-    name: docker
+    name: "{{ openshift.docker.service_name }}"
     state: restarted
   when: docker_updated|changed
 

+ 5 - 2
roles/docker/README.md

@@ -1,7 +1,7 @@
 Docker
 =========
 
-Ensures docker package is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes.
+Ensures docker package or system container is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes.
 
 Requirements
 ------------
@@ -11,8 +11,10 @@ Ansible 2.2
 Role Variables
 --------------
 
-udevw_udevd_dir: location of systemd config for systemd-udevd.service
+docker_conf_dir: location of the Docker configuration directory
+docker_systemd_dir location of the systemd directory for Docker
 docker_udev_workaround: raises udevd timeout to 5 minutes (https://bugzilla.redhat.com/show_bug.cgi?id=1272446)
+udevw_udevd_dir: location of systemd config for systemd-udevd.service
 
 Dependencies
 ------------
@@ -26,6 +28,7 @@ Example Playbook
       roles:
       - role: docker
         docker_udev_workaround: "true"
+        docker_use_system_container: False
 
 License
 -------

+ 1 - 1
roles/docker/handlers/main.yml

@@ -2,7 +2,7 @@
 
 - name: restart docker
   systemd:
-    name: docker
+    name: "{{ openshift.docker.service_name }}"
     state: restarted
   when: not docker_service_status_changed | default(false) | bool
 

+ 1 - 0
roles/docker/meta/main.yml

@@ -11,3 +11,4 @@ galaxy_info:
     - 7
 dependencies:
 - role: os_firewall
+- role: lib_openshift

+ 9 - 112
roles/docker/tasks/main.yml

@@ -1,119 +1,16 @@
 ---
-- name: Get current installed Docker version
-  command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker"
-  when: not openshift.common.is_atomic | bool
-  register: curr_docker_version
-  changed_when: false
-
-- name: Error out if Docker pre-installed but too old
-  fail:
-    msg: "Docker {{ curr_docker_version.stdout }} is installed, but >= 1.9.1 is required."
-  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.9.1', '<') and not docker_version is defined
-
-- name: Error out if requested Docker is too old
-  fail:
-    msg: "Docker {{ docker_version }} requested, but >= 1.9.1 is required."
-  when: docker_version is defined and docker_version | version_compare('1.9.1', '<')
-
-# If a docker_version was requested, sanity check that we can install or upgrade to it, and
-# no downgrade is required.
-- name: Fail if Docker version requested but downgrade is required
-  fail:
-    msg: "Docker {{ curr_docker_version.stdout }} is installed, but version {{ docker_version }} was requested."
-  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and docker_version is defined and curr_docker_version.stdout | version_compare(docker_version, '>')
-
-# This involves an extremely slow migration process, users should instead run the
-# Docker 1.10 upgrade playbook to accomplish this.
-- name: Error out if attempting to upgrade Docker across the 1.10 boundary
-  fail:
-    msg: "Cannot upgrade Docker to >= 1.10, please upgrade or remove Docker manually, or use the Docker upgrade playbook if OpenShift is already installed."
-  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.10', '<') and docker_version is defined and docker_version | version_compare('1.10', '>=')
-
-# Make sure Docker is installed, but does not update a running version.
-# Docker upgrades are handled by a separate playbook.
-- name: Install Docker
-  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
-  when: not openshift.common.is_atomic | bool
-
-- block:
-  # Extend the default Docker service unit file when using iptables-services
-  - name: Ensure docker.service.d directory exists
-    file:
-      path: "{{ docker_systemd_dir }}"
-      state: directory
-
-  - name: Configure Docker service unit file
-    template:
-      dest: "{{ docker_systemd_dir }}/custom.conf"
-      src: custom.conf.j2
-  when: not os_firewall_use_firewalld | default(True) | bool
+# These tasks dispatch to the proper set of docker tasks based on the
+# inventory:openshift_docker_use_system_container variable
 
 - include: udev_workaround.yml
   when: docker_udev_workaround | default(False) | bool
 
-- stat: path=/etc/sysconfig/docker
-  register: docker_check
-
-- name: Set registry params
-  lineinfile:
-    dest: /etc/sysconfig/docker
-    regexp: '^{{ item.reg_conf_var }}=.*$'
-    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'"
-  when: item.reg_fact_val != '' and docker_check.stat.isreg is defined and docker_check.stat.isreg
-  with_items:
-  - reg_conf_var: ADD_REGISTRY
-    reg_fact_val: "{{ docker_additional_registries | default(None, true)}}"
-    reg_flag: --add-registry
-  - reg_conf_var: BLOCK_REGISTRY
-    reg_fact_val: "{{ docker_blocked_registries| default(None, true) }}"
-    reg_flag: --block-registry
-  - reg_conf_var: INSECURE_REGISTRY
-    reg_fact_val: "{{ docker_insecure_registries| default(None, true) }}"
-    reg_flag: --insecure-registry
-  notify:
-  - restart docker
+- name: Use Package Docker if Requested
+  include: package_docker.yml
+  when: openshift.docker.use_system_container is not defined or openshift.docker.use_system_container == False
 
-- name: Set Proxy Settings
-  lineinfile:
-    dest: /etc/sysconfig/docker
-    regexp: '^{{ item.reg_conf_var }}=.*$'
-    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'"
-    state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}"
-  with_items:
-  - reg_conf_var: HTTP_PROXY
-    reg_fact_val: "{{ docker_http_proxy | default('') }}"
-  - reg_conf_var: HTTPS_PROXY
-    reg_fact_val: "{{ docker_https_proxy | default('') }}"
-  - reg_conf_var: NO_PROXY
-    reg_fact_val: "{{ docker_no_proxy | default('') }}"
-  notify:
-  - restart docker
+- name: Use System Container Docker if Requested
+  include: systemcontainer_docker.yml
   when:
-  - docker_check.stat.isreg is defined and docker_check.stat.isreg and '"http_proxy" in openshift.common or "https_proxy" in openshift.common'
-
-- name: Set various Docker options
-  lineinfile:
-    dest: /etc/sysconfig/docker
-    regexp: '^OPTIONS=.*$'
-    line: "OPTIONS='\
-      {% if ansible_selinux.status | default(None) == '''enabled''' and docker_selinux_enabled | default(true) %} --selinux-enabled {% endif %}\
-      {% if docker_log_driver is defined  %} --log-driver {{ docker_log_driver }}{% endif %}\
-      {% if docker_log_options is defined %} {{ docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\
-      {% if docker_options is defined %} {{ docker_options }}{% endif %}\
-      {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'"
-  when: docker_check.stat.isreg is defined and docker_check.stat.isreg
-  notify:
-  - restart docker
-
-- name: Start the Docker service
-  systemd:
-    name: docker
-    enabled: yes
-    state: started
-    daemon_reload: yes
-  register: start_result
-
-- set_fact:
-    docker_service_status_changed: start_result | changed
-
-- meta: flush_handlers
+  - openshift.docker.use_system_container is defined
+  - openshift.docker.use_system_container is True
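Review bot: The two `when` conditions on the new includes are not complementary: the package path runs when the flag is undefined or `== False`, the system-container path only when it `is True`, so a value that arrives as a string (for example `"True"` from an INI `:vars` section) would match neither and no Docker would be installed. The file already uses the `| default(False) | bool` idiom for `docker_udev_workaround`; applied here it gives `when: not openshift.docker.use_system_container | default(False) | bool` and `when: openshift.docker.use_system_container | default(False) | bool`. The header comment could also state that exactly one of the two includes is expected to run.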

+ 116 - 0
roles/docker/tasks/package_docker.yml

@@ -0,0 +1,116 @@
+---
+- name: Get current installed Docker version
+  command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker"
+  when: not openshift.common.is_atomic | bool
+  register: curr_docker_version
+  changed_when: false
+
+- name: Error out if Docker pre-installed but too old
+  fail:
+    msg: "Docker {{ curr_docker_version.stdout }} is installed, but >= 1.9.1 is required."
+  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.9.1', '<') and not docker_version is defined
+
+- name: Error out if requested Docker is too old
+  fail:
+    msg: "Docker {{ docker_version }} requested, but >= 1.9.1 is required."
+  when: docker_version is defined and docker_version | version_compare('1.9.1', '<')
+
+# If a docker_version was requested, sanity check that we can install or upgrade to it, and
+# no downgrade is required.
+- name: Fail if Docker version requested but downgrade is required
+  fail:
+    msg: "Docker {{ curr_docker_version.stdout }} is installed, but version {{ docker_version }} was requested."
+  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and docker_version is defined and curr_docker_version.stdout | version_compare(docker_version, '>')
+
+# This involves an extremely slow migration process, users should instead run the
+# Docker 1.10 upgrade playbook to accomplish this.
+- name: Error out if attempting to upgrade Docker across the 1.10 boundary
+  fail:
+    msg: "Cannot upgrade Docker to >= 1.10, please upgrade or remove Docker manually, or use the Docker upgrade playbook if OpenShift is already installed."
+  when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.10', '<') and docker_version is defined and docker_version | version_compare('1.10', '>=')
+
+# Make sure Docker is installed, but does not update a running version.
+# Docker upgrades are handled by a separate playbook.
+- name: Install Docker
+  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
+  when: not openshift.common.is_atomic | bool
+
+- block:
+  # Extend the default Docker service unit file when using iptables-services
+  - name: Ensure docker.service.d directory exists
+    file:
+      path: "{{ docker_systemd_dir }}"
+      state: directory
+
+  - name: Configure Docker service unit file
+    template:
+      dest: "{{ docker_systemd_dir }}/custom.conf"
+      src: custom.conf.j2
+  when: not os_firewall_use_firewalld | default(True) | bool
+
+- stat: path=/etc/sysconfig/docker
+  register: docker_check
+
+- name: Set registry params
+  lineinfile:
+    dest: /etc/sysconfig/docker
+    regexp: '^{{ item.reg_conf_var }}=.*$'
+    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'"
+  when: item.reg_fact_val != '' and docker_check.stat.isreg is defined and docker_check.stat.isreg
+  with_items:
+  - reg_conf_var: ADD_REGISTRY
+    reg_fact_val: "{{ docker_additional_registries | default(None, true)}}"
+    reg_flag: --add-registry
+  - reg_conf_var: BLOCK_REGISTRY
+    reg_fact_val: "{{ docker_blocked_registries| default(None, true) }}"
+    reg_flag: --block-registry
+  - reg_conf_var: INSECURE_REGISTRY
+    reg_fact_val: "{{ docker_insecure_registries| default(None, true) }}"
+    reg_flag: --insecure-registry
+  notify:
+  - restart docker
+
+- name: Set Proxy Settings
+  lineinfile:
+    dest: /etc/sysconfig/docker
+    regexp: '^{{ item.reg_conf_var }}=.*$'
+    line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'"
+    state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}"
+  with_items:
+  - reg_conf_var: HTTP_PROXY
+    reg_fact_val: "{{ docker_http_proxy | default('') }}"
+  - reg_conf_var: HTTPS_PROXY
+    reg_fact_val: "{{ docker_https_proxy | default('') }}"
+  - reg_conf_var: NO_PROXY
+    reg_fact_val: "{{ docker_no_proxy | default('') }}"
+  notify:
+  - restart docker
+  when:
+  - docker_check.stat.isreg is defined and docker_check.stat.isreg and '"http_proxy" in openshift.common or "https_proxy" in openshift.common'
+
+- name: Set various Docker options
+  lineinfile:
+    dest: /etc/sysconfig/docker
+    regexp: '^OPTIONS=.*$'
+    line: "OPTIONS='\
+      {% if ansible_selinux.status | default(None) == '''enabled''' and docker_selinux_enabled | default(true) %} --selinux-enabled {% endif %}\
+      {% if docker_log_driver is defined  %} --log-driver {{ docker_log_driver }}{% endif %}\
+      {% if docker_log_options is defined %} {{ docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\
+      {% if docker_options is defined %} {{ docker_options }}{% endif %}\
+      {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'"
+  when: docker_check.stat.isreg is defined and docker_check.stat.isreg
+  notify:
+  - restart docker
+
+- name: Start the Docker service
+  systemd:
+    name: docker
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  register: start_result
+
+- set_fact:
+    docker_service_status_changed: start_result | changed
+
+- meta: flush_handlers
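Review bot: The `when` on "Set Proxy Settings" wraps the proxy test in quotes, which makes it a non-empty string literal that is always truthy rather than a membership test. The task was moved here unchanged, so this is a good moment to write it as `- docker_check.stat.isreg is defined and docker_check.stat.isreg and ("http_proxy" in openshift.common or "https_proxy" in openshift.common)`. The `set_fact` for `docker_service_status_changed` has no `{{ }}` around `start_result | changed`, so it appears to store the literal text rather than the boolean the `restart docker` handler tests; `docker_service_status_changed: "{{ start_result | changed }}"` would store the result (the same line is in systemcontainer_docker.yml). A one-line header comment noting that this file is the former body of tasks/main.yml would help readers following history.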

+ 135 - 0
roles/docker/tasks/systemcontainer_docker.yml

@@ -0,0 +1,135 @@
+---
+# If docker_options are provided we should fail. We should not install docker and ignore
+# the users configuration. NOTE: docker_options == inventory:openshift_docker_options
+- name: Fail quickly if openshift_docker_options are set
+  assert:
+    that:
+      - docker_options is defined
+      - docker_options != ""
+    msg: |
+      Docker via System Container does not allow for the use of the openshift_docker_options
+      variable. If you want to use openshift_docker_options you will need to use the
+      traditional docker package install. Otherwise, comment out openshift_docker_options
+      in your inventory file.
+
+# Used to pull and install the system container
+- name: Ensure atomic is installed
+  package:
+    name: atomic
+    state: present
+  when: not openshift.common.is_atomic | bool
+
+# At the time of writing the atomic command requires runc for it's own use. This
+# task is here in the even that the atomic package ever removes the dependency.
+- name: Ensure runc is installed
+  package:
+    name: runc
+    state: present
+  when: not openshift.common.is_atomic | bool
+
+# If we are on atomic, set http_proxy and https_proxy in /etc/atomic.conf
+- block:
+
+    - name: Add http_proxy to /etc/atomic.conf
+      lineinfile:
+        path: /etc/atomic.conf
+        line: "http_proxy={{ openshift.common.http_proxy | default('') }}"
+      when:
+        - openshift.common.http_proxy is defined
+        - openshift.common.http_proxy != ''
+
+    - name: Add https_proxy to /etc/atomic.conf
+      lineinfile:
+        path: /etc/atomic.conf
+        line: "https_proxy={{ openshift.common.https_proxy | default('') }}"
+      when:
+        - openshift.common.https_proxy is defined
+        - openshift.common.https_proxy != ''
+
+  when: openshift.common.is_atomic | bool
+
+
+- block:
+
+    - name: Set to default prepend
+      set_fact:
+        l_docker_image_prepend: "gscrivano/"
+
+    - name: Use Red Hat Registry for image when distribution is Red Hat
+      set_fact:
+        l_docker_image_prepend: "registry.access.redhat.com/openshift3/"
+      when: ansible_distribution == 'RedHat'
+
+    - name: Use Fedora Registry for image when distribution is Fedora
+      set_fact:
+        l_docker_image_prepend: "registry.fedoraproject.org/"
+      when: ansible_distribution == 'Fedora'
+
+    # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504
+    - name: Use a testing registry if requested
+      set_fact:
+        l_docker_image_prepend: "{{ openshift.docker.systemcontainer_image_registry_override }}/"
+      when:
+        - openshift.docker.systemcontainer_image_registry_override is defined
+        - openshift.docker.systemcontainer_image_registry_override != ""
+
+    - name: Set the full image name
+      set_fact:
+        l_docker_image: "{{ l_docker_image_prepend }}container-engine-docker:latest"
+
+- name: Pre-pull Container Enginer System Container image
+  command: "atomic pull --storage ostree {{ l_docker_image }}"
+  changed_when: false
+
+# Make sure docker is disabled Errors are ignored as docker may not
+# be installed.
+- name: Disable Docker
+  systemd:
+    name: docker
+    enabled: no
+    state: stopped
+    daemon_reload: yes
+  ignore_errors: True
+
+- name: Ensure docker.service.d directory exists
+  file:
+    path: "{{ docker_systemd_dir }}"
+    state: directory
+
+- name: Ensure /etc/docker directory exists
+  file:
+    path: "{{ docker_conf_dir }}"
+    state: directory
+
+- name: Install Container Enginer System Container
+  oc_atomic_container:
+    name: container-engine-docker
+    image: "container-engine-docker"
+    state: latest
+    values:
+      - "system-package no"
+
+- name: Configure Container Engine Service File
+  template:
+    dest: "{{ docker_systemd_dir }}/custom.conf"
+    src: systemcontainercustom.conf.j2
+
+# Configure container-engine using the daemon.json file
+- name: Configure Container Engine
+  template:
+    dest: "{{ docker_conf }}/daemon.json"
+    src: daemon.json
+
+# Enable and start the container-engine service
+- name: Start the Container Engine service
+  systemd:
+    name: "{{ openshift.docker.service_name }}"
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  register: start_result
+
+- set_fact:
+    docker_service_status_changed: start_result | changed
+
+- meta: flush_handlers
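Review bot: The `assert` at the top of this file is inverted: `that:` lists `docker_options is defined` and `docker_options != ""`, so the play fails when the option is unset and passes when it is set; the condition should be `- docker_options is not defined or docker_options == ""`. The image reference resolved into `l_docker_image` (registry prefix, including the override) is only used for the pre-pull, while `oc_atomic_container` is given the bare name `container-engine-docker`; `image: "{{ l_docker_image }}"` would presumably make the installed image the one that was resolved, which matters because the fallback prefix is a personal namespace (`gscrivano/`) and the tag is `:latest` rather than a pinned version or digest. `dest: "{{ docker_conf }}/daemon.json"` references a variable that the vars file in this commit does not define; it adds `docker_conf_dir`, so `dest: "{{ docker_conf_dir }}/daemon.json"` looks intended. The two `lineinfile` tasks for `/etc/atomic.conf` have no `regexp`, so a changed proxy value would append a second line instead of replacing the first.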

+ 64 - 0
roles/docker/templates/daemon.json

@@ -0,0 +1,64 @@
+
+{
+    "api-cors-header": "",
+    "authorization-plugins": ["rhel-push-plugin"],
+    "bip": "",
+    "bridge": "",
+    "cgroup-parent": "",
+    "cluster-store": "",
+    "cluster-store-opts": {},
+    "cluster-advertise": "",
+    "debug": true,
+    "default-gateway": "",
+    "default-gateway-v6": "",
+    "default-runtime": "oci",
+    "containerd": "/var/run/containerd.sock",
+    "default-ulimits": {},
+    "disable-legacy-registry": false,
+    "dns": [],
+    "dns-opts": [],
+    "dns-search": [],
+    "exec-opts": ["native.cgroupdriver=systemd"],
+    "exec-root": "",
+    "fixed-cidr": "",
+    "fixed-cidr-v6": "",
+    "graph": "",
+    "group": "",
+    "hosts": [],
+    "icc": false,
+    "insecure-registries": {{ docker_insecure_registries|default([]) }},
+    "ip": "0.0.0.0",
+    "iptables": false,
+    "ipv6": false,
+    "ip-forward": false,
+    "ip-masq": false,
+    "labels": [],
+    "live-restore": true,
+    "log-driver": "{{ docker_log_driver }}",
+    "log-level": "",
+    "log-opts": {{ docker_log_options|default({}) }},
+    "max-concurrent-downloads": 3,
+    "max-concurrent-uploads": 5,
+    "mtu": 0,
+    "oom-score-adjust": -500,
+    "pidfile": "",
+    "raw-logs": false,
+    "registry-mirrors": [],
+    "runtimes": {
+	"oci": {
+	    "path": "/usr/libexec/docker/docker-runc-current"
+	}
+    },
+    "selinux-enabled": {{ docker_selinux_enabled|default(true) }},
+    "storage-driver": "",
+    "storage-opts": [],
+    "tls": true,
+    "tlscacert": "",
+    "tlscert": "",
+    "tlskey": "",
+    "tlsverify": true,
+    "userns-remap": "",
+    "add-registry": {{  docker_additional_registries|default([]) }},
+    "blocked-registries": {{ docker_blocked_registries|defaukt([]) }},
+    "userland-proxy-path": "/usr/libexec/docker/docker-proxy-current"
+}
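Review bot: The `blocked-registries` line calls a filter named `defaukt`, which Jinja will reject, so the template cannot render as written; it should be `"blocked-registries": {{ docker_blocked_registries|default([])|to_json }},`. The other interpolated values are emitted as Python literals rather than JSON: `docker_selinux_enabled|default(true)` renders `True`, and the list and dict values may render with Python quoting, so `insecure-registries`, `log-opts`, `add-registry` and `selinux-enabled` should also end in `|to_json` (with `|bool` first for the SELinux flag). `"log-driver": "{{ docker_log_driver }}"` has no default, unlike the package path, where the option is guarded with `is defined`. `"debug": true` is hard-coded; if it is meant for the tech preview only, a `{# ... #}` comment saying so would help, since debug-level daemon logs are noisy and can carry more detail than a production host should log.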

+ 17 - 0
roles/docker/templates/systemcontainercustom.conf.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+[Service]
+{%- if docker_http_proxy %}
+ENVIRONMENT=HTTP_PROXY={{ docker_http_proxy }}
+{%- endif -%}
+{%- if docker_https_proxy %}
+ENVIRONMENT=HTTPS_PROXY={{ docker_http_proxy }}
+{%- endif -%}
+{%- if docker_no_proxy %}
+ENVIRONMENT=NO_PROXY={{ docker_no_proxy }}
+{%- endif %}
+{%- if os_firewall_use_firewalld|default(true) %}
+[Unit]
+Wants=iptables.service
+After=iptables.service
+{%- endif %}
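Review bot: The `HTTPS_PROXY` line interpolates `docker_http_proxy`, so the HTTPS proxy setting is silently replaced by the HTTP one; it should be `Environment=HTTPS_PROXY={{ docker_https_proxy }}`. systemd directive names are case-sensitive, so `ENVIRONMENT=` will be ignored as an unknown key and none of the three proxy variables will reach the service; `Environment=` is the spelling systemd reads. The `Wants=`/`After=iptables.service` block is emitted when `os_firewall_use_firewalld` is true, whereas the package path writes its unit override only when that flag is false, so the condition looks inverted and is worth confirming. The `{%-` / `-%}` whitespace trimming may also join `[Service]` and the first directive onto one line, so the rendered file should be checked on a host with a proxy configured.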

+ 2 - 1
roles/docker/vars/main.yml

@@ -1,3 +1,4 @@
 ---
-udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d
 docker_systemd_dir: /etc/systemd/system/docker.service.d
+docker_conf_dir: /etc/docker/
+udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d

+ 3 - 1
roles/flannel/handlers/main.yml

@@ -5,4 +5,6 @@
 
 - name: restart docker
   become: yes
-  systemd: name=docker state=restarted
+  systemd:
+    name: "{{ openshift.docker.service_name }}"
+    state: restarted

+ 9 - 1
roles/openshift_facts/library/openshift_facts.py

@@ -59,7 +59,8 @@ def migrate_docker_facts(facts):
             'additional_registries',
             'insecure_registries',
             'blocked_registries',
-            'options'
+            'options',
+            'use_system_container',
         ),
         'node': (
             'log_driver',
@@ -1792,6 +1793,12 @@ def set_container_facts_if_unset(facts):
         deployer_image = 'openshift/origin-deployer'
 
     facts['common']['is_atomic'] = os.path.isfile('/run/ostree-booted')
+    # If openshift_docker_use_system_container is set and is True ....
+    if 'use_system_container' in list(facts['docker'].keys()):
+        if facts['docker']['use_system_container'] is True:
+            # ... set the service name to container-engine-docker
+            facts['docker']['service_name'] = 'container-engine-docker'
+
     if 'is_containerized' not in facts['common']:
         facts['common']['is_containerized'] = facts['common']['is_atomic']
     if 'cli_image' not in facts['common']:
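Review bot: The new check in set_container_facts_if_unset switches `service_name` only when the value `is True`, so a truthy string such as `'True'` would leave the service name as `docker` while other parts of the role may still act on the flag; if inventory values can reach this point unconverted, they should be normalised first. `'use_system_container' in list(facts['docker'].keys())` also builds a throwaway list and assumes `facts['docker']` exists; `if facts.get('docker', {}).get('use_system_container') is True:` covers both in one line. The function starts and ends outside this hunk, so whether `facts['docker']` is always present here cannot be confirmed from the page.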
@@ -2074,6 +2081,7 @@ class OpenShiftFacts(object):
             hosted_registry_insecure = get_hosted_registry_insecure()
             if hosted_registry_insecure is not None:
                 docker['hosted_registry_insecure'] = hosted_registry_insecure
+            docker['service_name'] = 'docker'
             defaults['docker'] = docker
 
         if 'clock' in roles:

+ 1 - 1
roles/openshift_node_certificates/handlers/main.yml

@@ -6,6 +6,6 @@
 
 - name: restart docker after updating ca trust
   systemd:
-    name: docker
+    name: "{{ openshift.docker.service_name }}"
     state: restarted
   when: not openshift_certificates_redeploy | default(false) | bool

+ 3 - 1
roles/openshift_node_upgrade/tasks/restart.yml

@@ -6,7 +6,9 @@
 # - openshift.master.api_port
 
 - name: Restart docker
-  service: name=docker state=restarted
+  service:
+    name: "{{ openshift.docker.service_name }}"
+    state: restarted
 
 - name: Update docker facts
   openshift_facts: