
Merge pull request #11261 from jstuever/byoh216

[devel-40] Add cri-o tasks to openshift_node40 and drop container_runtime role
Scott Dodson 6 yıl önce
ebeveyn
işleme
39916eb53a

+ 0 - 11
playbooks/deploy_cluster_40.yml

@@ -10,19 +10,8 @@
 # TODO(michaelgugino): break up the rest of this file into reusable chunks.
 - name: Install nodes
   hosts: nodes
-  roles:
-  - role: container_runtime
   tasks:
   - import_role:
-      name: container_runtime
-      tasks_from: docker_storage_setup_overlay.yml
-  - import_role:
-      name: container_runtime
-      tasks_from: extra_storage_setup.yml
-  - import_role:
-      name: container_runtime
-      tasks_from: package_crio.yml
-  - import_role:
       name: openshift_node40
       tasks_from: install.yml
 
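Review bot: After this hunk the play never runs `extra_storage_setup.yml` or `docker_storage_setup_overlay.yml`, so an inventory that still sets `container_runtime_extra_storage` or `container_runtime_docker_storage_setup_device` (variables only the deleted role read) is now silently ignored instead of being acted on or rejected. A one-line comment above the remaining `- import_role:` such as `# container_runtime role removed: storage/runtime setup for 4.0 nodes comes from host provisioning, not this play` would make the new contract visible, or an assert that fails when those variables are still defined if the intent is to stop old inventories from passing through unnoticed. The same point applies to the scaleup.yml hunk below. The play body continues past the end of this hunk.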

+ 0 - 11
playbooks/openshift-node/scaleup.yml

@@ -45,19 +45,8 @@
 
 - name: install nodes
   hosts: new_workers
-  roles:
-  - role: container_runtime
   tasks:
   - import_role:
-      name: container_runtime
-      tasks_from: docker_storage_setup_overlay.yml
-  - import_role:
-      name: container_runtime
-      tasks_from: extra_storage_setup.yml
-  - import_role:
-      name: container_runtime
-      tasks_from: package_crio.yml
-  - import_role:
       name: openshift_node40
       tasks_from: install.yml
   - name: Wait for bootstrap endpoint to show up

+ 0 - 45
roles/container_runtime/README.md

@@ -1,45 +0,0 @@
-Container Runtime
-=========
-
-Ensures docker package or system container is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes.
-
-container-daemon.json items may be found at https://docs.docker.com/engine/reference/commandline/dockerd/#daemon-configuration-file
-
-This role is designed to be used with import_role and tasks_from.
-
-Entry points
-------------
-* package_docker.yml - install and setup docker container runtime.
-* systemcontainer_docker.yml - utilize docker + systemcontainer
-* systemcontainer_crio.yml - utilize crio + systemcontainer
-* package_crio.yml - install and setup crio container runtime.
-* registry_auth.yml - place docker login credentials.
-
-Requirements
-------------
-
-Ansible 2.4
-
-
-Dependencies
-------------
-
-Depends on openshift_facts having already been run.
-
-Example Playbook
-----------------
-
-    - hosts: servers
-      tasks:
-      - import_role: container_runtime
-        tasks_from: package_docker.yml
-
-License
--------
-
-ASL 2.0
-
-Author Information
-------------------
-
-Red Hat, Inc

+ 0 - 52
roles/container_runtime/defaults/main.yml

@@ -1,52 +0,0 @@
----
-docker_cli_auth_config_path: '/root/.docker'
-
-openshift_docker_service_name: "docker"
-
-openshift_docker_additional_registries: []
-openshift_docker_blocked_registries: []
-openshift_docker_insecure_registries: []
-
-openshift_docker_ent_reg: 'registry.redhat.io'
-
-# The l2_docker_* variables convert csv strings to lists, if
-# necessary.  These variables should be used in place of their respective
-# openshift_docker_* counterparts to ensure the properly formatted lists are
-# utilized.
-l2_docker_additional_registries: "{% if openshift_docker_additional_registries is string %}{% if openshift_docker_additional_registries == '' %}[]{% elif ',' in openshift_docker_additional_registries %}{{ openshift_docker_additional_registries.split(',') | list }}{% else %}{{ [ openshift_docker_additional_registries ] }}{% endif %}{% else %}{{ openshift_docker_additional_registries }}{% endif %}"
-l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}"
-l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}"
-
-containers_registries_conf_path: /etc/containers/registries.conf
-
-r_crio_firewall_enabled: "{{ os_firewall_enabled | default(True) }}"
-r_crio_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"
-
-r_crio_os_firewall_deny: []
-r_crio_os_firewall_allow:
-- service: crio
-  port: 10010/tcp
-
-r_crio_use_openshift_sdn: "{{ openshift_use_openshift_sdn | default(True) }}"
-
-docker_alt_storage_path: /var/lib/containers/docker
-docker_default_storage_path: /var/lib/docker
-docker_storage_path: "{{ docker_default_storage_path }}"
-docker_storage_size: 40G
-docker_storage_setup_options:
-  vg: docker_vg
-  data_size: 99%VG
-  storage_driver: overlay2
-  root_lv_name: docker-root-lv
-  root_lv_size: 100%FREE
-  root_lv_mount_path: "{{ docker_storage_path }}"
-docker_storage_extra_options:
-- "--storage-opt overlay2.override_kernel_check=true"
-- "{{ '--storage-opt overlay2.size=' ~ docker_storage_size if container_runtime_docker_storage_setup_device is defined and container_runtime_docker_storage_setup_device != '' else '' }}"
-- "--graph={{ docker_storage_path}}"
-
-container_runtime_extra_storage: []
-
-l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}"
-l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}"
-l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"

+ 0 - 6
roles/container_runtime/handlers/main.yml

@@ -1,6 +0,0 @@
----
-- name: restart udev
-  systemd:
-    name: systemd-udevd
-    state: restarted
-    daemon_reload: yes

+ 0 - 15
roles/container_runtime/meta/main.yml

@@ -1,15 +0,0 @@
----
-galaxy_info:
-  author: OpenShift
-  description: container runtime install and configure
-  company: Red Hat, Inc
-  license: ASL 2.0
-  min_ansible_version: 2.2
-  platforms:
-  - name: EL
-    versions:
-    - 7
-dependencies:
-- role: lib_openshift
-- role: lib_utils
-- role: openshift_facts

+ 0 - 28
roles/container_runtime/tasks/common/post.yml

@@ -1,28 +0,0 @@
----
-- name: Ensure /var/lib/containers exists
-  file:
-    path: /var/lib/containers
-    state: directory
-
-- name: Fix SELinux Permissions on /var/lib/containers
-  command: "restorecon -R /var/lib/containers/"
-  changed_when: false
-
-- meta: flush_handlers
-
-# This needs to run after docker is restarted to account for proxy settings.
-# registry_auth is called directly with import_role in some places, so we
-# have to put it in the root of the tasks/ directory.
-- import_tasks: ../registry_auth.yml
-
-- name: stat the docker data dir
-  stat:
-    path: "{{ docker_default_storage_path }}"
-    get_checksum: false
-    get_mime: false
-  register: dockerstat
-
-- import_tasks: setup_docker_symlink.yml
-  when:
-    - openshift_use_crio | bool
-    - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool)

+ 0 - 12
roles/container_runtime/tasks/common/pre.yml

@@ -1,12 +0,0 @@
----
-- import_tasks: udev_workaround.yml
-  when: docker_udev_workaround | default(False) | bool
-
-- name: Add enterprise registry, if necessary
-  set_fact:
-    l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}"
-  when:
-    - openshift_deployment_type == 'openshift-enterprise'
-    - openshift_docker_ent_reg != ''
-    - openshift_docker_ent_reg not in l2_docker_additional_registries
-    - not openshift_use_crio_only | bool

+ 0 - 45
roles/container_runtime/tasks/common/setup_docker_symlink.yml

@@ -1,45 +0,0 @@
----
-- block:
-    - name: stop the current running docker
-      systemd:
-        state: stopped
-        name: "{{ openshift_docker_service_name }}"
-
-    - name: copy "{{ docker_default_storage_path }}" to "{{ docker_alt_storage_path }}"
-      command: "cp -r {{ docker_default_storage_path }} {{ docker_alt_storage_path }}"
-      register: results
-      failed_when:
-        - results.rc != 0
-
-    - name: "Set the selinux context on {{ docker_alt_storage_path }}"
-      command: "semanage fcontext -a -e {{ docker_default_storage_path }} {{ docker_alt_storage_path }}"
-      environment:
-        LANG: C
-      register: results
-      failed_when:
-        - results.rc == 1
-        - "'already exists' not in results.stderr"
-
-    - name: "restorecon the {{ docker_alt_storage_path }}"
-      command: "restorecon -r {{ docker_alt_storage_path }}"
-
-    - name: ensure the unmount of top level mount point
-      mount:
-        path: "{{ docker_default_storage_path }}"
-        state: unmounted
-
-    - name: Remove the old docker location
-      file:
-        state: absent
-        path: "{{ docker_default_storage_path }}"
-
-    - name: Setup the link
-      file:
-        state: link
-        src: "{{ docker_alt_storage_path }}"
-        path: "{{ docker_default_storage_path }}"
-
-    - name: start docker
-      systemd:
-        state: started
-        name: "{{ openshift_docker_service_name }}"

+ 0 - 24
roles/container_runtime/tasks/common/udev_workaround.yml

@@ -1,24 +0,0 @@
----
-
-- name: Getting current systemd-udevd exec command
-  command: grep -e "^ExecStart=" /lib/systemd/system/systemd-udevd.service
-  changed_when: false
-  register: udevw_udev_start_cmd
-
-- name: Assure systemd-udevd.service.d directory exists
-  file:
-    path: "{{ udevw_udevd_dir }}"
-    state: directory
-
-- name: Create systemd-udevd override file
-  copy:
-    content: |
-      [Service]
-      #Need blank ExecStart to "clear" pre-existing one
-      ExecStart=
-      {{ udevw_udev_start_cmd.stdout }} --event-timeout=300
-    dest: "{{ udevw_udevd_dir }}/override.conf"
-    owner: root
-    mode: "0644"
-  notify:
-    - restart udev

+ 0 - 45
roles/container_runtime/tasks/crio_firewall.yml

@@ -1,45 +0,0 @@
----
-- when: r_crio_firewall_enabled | bool and not r_crio_use_firewalld | bool
-  block:
-  - name: Make sure iptables-services is installed
-    package:
-      name: iptables-services
-      state: present
-
-  - name: Add iptables allow rules
-    os_firewall_manage_iptables:
-      name: "{{ item.service }}"
-      action: add
-      protocol: "{{ item.port.split('/')[1] }}"
-      port: "{{ item.port.split('/')[0] }}"
-    when: item.cond | default(True)
-    with_items: "{{ r_crio_os_firewall_allow }}"
-
-  - name: Remove iptables rules
-    os_firewall_manage_iptables:
-      name: "{{ item.service }}"
-      action: remove
-      protocol: "{{ item.port.split('/')[1] }}"
-      port: "{{ item.port.split('/')[0] }}"
-    when: item.cond | default(True)
-    with_items: "{{ r_crio_os_firewall_deny }}"
-
-- when: r_crio_firewall_enabled | bool and r_crio_use_firewalld | bool
-  block:
-  - name: Add firewalld allow rules
-    firewalld:
-      port: "{{ item.port }}"
-      permanent: true
-      immediate: true
-      state: enabled
-    when: item.cond | default(True)
-    with_items: "{{ r_crio_os_firewall_allow }}"
-
-  - name: Remove firewalld allow rules
-    firewalld:
-      port: "{{ item.port }}"
-      permanent: true
-      immediate: true
-      state: disabled
-    when: item.cond | default(True)
-    with_items: "{{ r_crio_os_firewall_deny }}"

+ 0 - 8
roles/container_runtime/tasks/docker_storage_setup_overlay.yml

@@ -1,8 +0,0 @@
----
-- name: Setup the docker-storage for overlay
-  template:
-    src: docker_storage_setup.j2
-    dest: /etc/sysconfig/docker-storage-setup
-    owner: root
-    group: root
-    mode: 0664

+ 0 - 18
roles/container_runtime/tasks/extra_storage_setup.yml

@@ -1,18 +0,0 @@
----
-- name: Create file system on extra volume device
-  filesystem:
-    fstype: "{{ item.filesystem }}"
-    dev: "{{ item.device }}"
-    force: "{{ item.force|default(omit) }}"
-    opts: "{{ item.mkfs_opts|default(omit) }}"
-  with_items: "{{ container_runtime_extra_storage }}"
-
-
-- name: Create mount entry for extra volume
-  mount:
-    path: "{{ item.path }}"
-    src: "{{ item.device }}"
-    fstype: "{{ item.filesystem }}"
-    opts: "{{ item.options|default(omit) }}"
-    state: mounted
-  with_items: "{{ container_runtime_extra_storage }}"

+ 0 - 2
roles/container_runtime/tasks/main.yml

@@ -1,2 +0,0 @@
----
-# This role is meant to be used with import_role and tasks_from.

+ 0 - 115
roles/container_runtime/tasks/package_crio.yml

@@ -1,115 +0,0 @@
----
-- import_tasks: common/pre.yml
-
-- name: Check that overlay is in the kernel
-  shell: lsmod | grep overlay
-  register: l_has_overlay_in_kernel
-  ignore_errors: yes
-  failed_when: false
-
-- when: l_has_overlay_in_kernel.rc != 0
-  block:
-
-    - name: Add overlay to modprobe.d
-      template:
-        dest: /etc/modules-load.d/overlay.conf
-        src: overlay.conf.j2
-        backup: yes
-
-    - name: Manually modprobe overlay into the kernel
-      command: modprobe overlay
-
-    - name: Enable and start systemd-modules-load
-      service:
-        name: systemd-modules-load
-        enabled: yes
-        state: restarted
-
-- name: Install cri-o
-  package:
-    name: "{{ pkg_list | join(',') }}"
-    state: latest
-  register: result
-  until: result is succeeded
-  vars:
-    pkg_list:
-      - cri-o
-      - cri-tools
-      - skopeo
-      - podman
-
-- name: Remove CRI-O default configuration files
-  file:
-    path: "{{ item }}"
-    state: absent
-  with_items:
-    - /etc/cni/net.d/200-loopback.conf
-    - /etc/cni/net.d/100-crio-bridge.conf
-
-- name: Set pause_image to pod image
-  ini_file:
-    dest: /etc/crio/crio.conf
-    section: "crio.image"
-    option: pause_image
-    value: '"{{ openshift_crio_pause_image }}"'
-
-- name: Set pause_command to pod cmd
-  ini_file:
-    dest: /etc/crio/crio.conf
-    section: "crio.image"
-    option: pause_command
-    value: ' "/usr/bin/pod"'
-
-- name: Update crictl.yaml runtime-endpoint
-  yedit:
-    src: /etc/crictl.yaml
-    key: runtime-endpoint
-    value: "{{ openshift_crio_var_sock }}"
-
-- name: Ensure CNI configuration directory exists
-  file:
-    path: /etc/cni/net.d/
-    state: directory
-
-- name: setup firewall for CRI-O
-  import_tasks: crio_firewall.yml
-
-- name: Configure the CNI network
-  template:
-    dest: /etc/cni/net.d/openshift-sdn.conf
-    src: 80-openshift-sdn.conf.j2
-  when: r_crio_use_openshift_sdn | bool
-
-- name: Create /etc/sysconfig/crio-network
-  template:
-    dest: /etc/sysconfig/crio-network
-    src: crio-network.j2
-
-- name: Place registries.conf in /etc/containers/registries.conf
-  template:
-    dest: "{{ containers_registries_conf_path }}"
-    src: registries.conf.j2
-
-- name: Start the CRI-O service
-  systemd:
-    name: "cri-o"
-    enabled: yes
-    state: restarted
-    daemon_reload: yes
-  register: start_result
-  ignore_errors: true
-
-- when: start_result is failed
-  block:
-    - name: Get crio logs
-      command: journalctl --no-pager -u crio
-      register: crio_logs
-      ignore_errors: true
-    - debug:
-        msg: "{{ crio_logs.stdout_lines }}"
-    - fail:
-        msg: crio start failed.
-
-# If we are using crio only, docker.service might not be available for
-# 'docker login'
-- import_tasks: common/post.yml

+ 0 - 40
roles/container_runtime/tasks/registry_auth.yml

@@ -1,40 +0,0 @@
----
-# docker_creds is a custom module from lib_utils
-# 'docker login' requires a docker.service running on the local host, this is an
-# alternative implementation that operates directly on config.json
-- name: Create credentials for oreg_url
-  docker_creds:
-    path: "{{ docker_cli_auth_config_path }}"
-    registry: "{{ oreg_host }}"
-    username: "{{ oreg_auth_user }}"
-    password: "{{ oreg_auth_password }}"
-    # Test that we can actually connect with provided info
-    test_login: "{{ oreg_test_login | default(True) }}"
-    proxy_vars: "{{ l_docker_creds_proxy_vars }}"
-    test_image: "{{ l_docker_creds_test_image }}"
-  when:
-  - oreg_auth_user is defined
-  register: crt_oreg_auth_credentials_create
-  retries: 3
-  delay: 5
-  until: crt_oreg_auth_credentials_create is succeeded
-
-- name: Create for any additional registries
-  docker_creds:
-    path: "{{ docker_cli_auth_config_path }}"
-    registry: "{{ item.host }}"
-    username: "{{ item.user | default('openshift') }}"
-    password: "{{ item.password }}"
-    # Test that we can actually connect with provided info
-    test_login: "{{ item.test_login | default(omit) }}"
-    proxy_vars: "{{ l_docker_creds_proxy_vars }}"
-    test_image: "{{ item.test_image | default('openshift3/ose-pod') }}"
-    tls_verify: "{{ item.tls_verify | default(omit) }}"
-  when:
-  - openshift_additional_registry_credentials != []
-  register: crt_addl_credentials_create
-  retries: 3
-  delay: 5
-  until: crt_addl_credentials_create is succeeded
-  with_items:
-    "{{ openshift_additional_registry_credentials }}"

+ 0 - 5
roles/container_runtime/templates/80-openshift-sdn.conf.j2

@@ -1,5 +0,0 @@
-{
-  "cniVersion": "0.1.0",
-  "name": "openshift-sdn",
-  "type": "openshift-sdn"
-}

+ 0 - 1
roles/container_runtime/templates/crio-network.j2

@@ -1 +0,0 @@
-CRIO_NETWORK_OPTIONS="--cni-config-dir=/etc/kubernetes/cni/net.d --cni-plugin-dir=/var/lib/cni/bin"

+ 0 - 16
roles/container_runtime/templates/docker_storage_setup.j2

@@ -1,16 +0,0 @@
-# Edit this file to override any configuration options specified in
-# /usr/lib/docker-storage-setup/docker-storage-setup.
-#
-# For more details refer to "man docker-storage-setup"
-{% if container_runtime_docker_storage_setup_device is defined and container_runtime_docker_storage_setup_device != '' %}
-DEVS={{ container_runtime_docker_storage_setup_device }}
-VG={{ docker_storage_setup_options.vg }}
-DATA_SIZE={{ docker_storage_setup_options.data_size }}
-STORAGE_DRIVER="{{ docker_storage_setup_options.storage_driver }}"
-CONTAINER_ROOT_LV_NAME="{{ docker_storage_setup_options.root_lv_name }}"
-CONTAINER_ROOT_LV_SIZE="{{ docker_storage_setup_options.root_lv_size }}"
-CONTAINER_ROOT_LV_MOUNT_PATH="{{ docker_storage_setup_options.root_lv_mount_path }}"
-{% else %}
-STORAGE_DRIVER="{{ docker_storage_setup_options.storage_driver }}"
-{% endif %}
-EXTRA_STORAGE_OPTIONS="{{ docker_storage_extra_options | join(' ') }}"

+ 0 - 2
roles/container_runtime/templates/overlay.conf.j2

@@ -1,2 +0,0 @@
-### {{ ansible_managed }}
-overlay

+ 0 - 27
roles/container_runtime/templates/registries.conf.j2

@@ -1,27 +0,0 @@
-# {{ ansible_managed }}
-# This is a system-wide configuration file used to
-# keep track of registries for various container backends.
-# It adheres to TOML format and does not support recursive
-# lists of registries.
-
-# The default location for this configuration file is /etc/containers/registries.conf.
-
-# The only valid categories are: 'registries.search', 'registries.insecure',
-# and 'registries.block'.
-
-[registries.search]
-registries = [{{ l_additional_crio_registries|default("") }}]
-
-
-# If you need to access insecure registries, add the registry's fully-qualified name.
-# An insecure registry is one that does not have a valid SSL certificate or only does HTTP.
-[registries.insecure]
-registries = [{{ l_insecure_crio_registries|default("") }}]
-
-
-# If you need to block pull access from a registry, uncomment the section below
-# and add the registries fully-qualified name.
-#
-# Docker only
-[registries.block]
-registries = {{ l2_docker_blocked_registries | to_json }}

+ 4 - 0
roles/openshift_node40/defaults/main.yml

@@ -3,3 +3,7 @@ openshift_release_image: "registry.svc.ci.openshift.org/openshift/origin-release
 ign_file: "/tmp/bootstrap.ign"
 pull_secret: "{{ files_dir }}/pull-secret"
 tls_verify: false
+openshift_node_install_packages:
+  - cri-o
+  - cri-tools
+  - podman
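Review bot: `openshift_node_install_packages` is added without a comment saying it replaces the package list from the deleted `package_crio.yml`, and that list no longer includes `skopeo`, which the old task installed alongside cri-o, cri-tools and podman; if dropping it is intentional a comment would stop the next reader from re-adding it, e.g. `# Packages installed on 4.0 nodes (replaces the removed container_runtime role); skopeo intentionally omitted`. Versions are unpinned here as they were before, so the enabled repository decides which cri-o build lands on the host — not a regression, but worth stating for anyone auditing what the node ends up running.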

+ 13 - 5
roles/openshift_node40/tasks/install.yml

@@ -1,13 +1,21 @@
 ---
+- name: Install openshift packages
+  package:
+    name: "{{ openshift_node_install_packages | join(',') }}"
+    update_cache: true
+  async: 3600
+  poll: 30
+
+- name: Enable the CRI-O service
+  systemd:
+    name: "cri-o"
+    enabled: yes
 
 - name: Install openshift packages
   package:
     name: "{{ l_node_packages | join(',') }}"
-    update_cache: true
-  register: install_openshift
-  until: install_openshift.rc == 0
-  retries: 3
-  delay: 1
+  async: 3600
+  poll: 30
   vars:
     l_node_packages:
     - "{{ openshift_service_type }}-node{{ (openshift_pkg_version | default('')) | lib_utils_oo_image_tag_to_rpm_version(include_dash=True) }}"
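Review bot: Two tasks in this hunk now carry the identical name `Install openshift packages` (the new one at the top and the existing one below), which makes play output and `--start-at-task` ambiguous; rename the new one, e.g. `- name: Install CRI-O packages`. The new task has no `register`/`until`/`retries`, and the rewrite removes them from the second task as well, so a transient repository error now fails the play on the first attempt where it previously retried three times; `async: 3600`/`poll: 30` only changes how long Ansible waits for the task, not whether it retries. `enabled: yes` in the systemd task should be `enabled: true`. The deleted role also wrote `/etc/containers/registries.conf`, set `pause_image` in `/etc/crio/crio.conf` and opened 10010/tcp through `crio_firewall.yml`; nothing in this hunk replaces that, so presumably the 4.0 host provisioning supplies it — worth confirming in the commit description, since cri-o is enabled here with whatever configuration the package ships.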