
Merge pull request #4898 from giuseppe/cri-o

Merged by openshift-bot
OpenShift Bot 7 năm trước cách đây
mục cha
commit
3db2bb10c0

+ 6 - 1
inventory/byo/hosts.origin.example

@@ -108,10 +108,15 @@ openshift_release=v3.6
 # The following options must not be used
 # - openshift_docker_options
 #openshift_docker_use_system_container=False
-# Force the registry to use for the system container. By default the registry
+# Instead of using docker, replacec it with cri-o
+# NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override
+# just as container-engine does.
+#openshift_docker_use_crio=False
+# Force the registry to use for the docker/crio system container. By default the registry
 # will be built off of the deployment type and ansible_distribution. Only
 # use this option if you are sure you know what you are doing!
 #openshift_docker_systemcontainer_image_registry_override="registry.example.com"
+#openshift_crio_systemcontainer_image_registry_override="registry.example.com"
 # Items added, as is, to end of /etc/sysconfig/docker OPTIONS
 # Default value: "--log-driver=journald"
 #openshift_docker_options="-l warn --ipv6=false"
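Review bot: The NOTE added above `#openshift_docker_use_crio=False` names `openshift_docker_systemcontainer_image_registry_override` as the override, but this hunk also adds `#openshift_crio_systemcontainer_image_registry_override`, and that is the variable roles/docker/tasks/systemcontainer_crio.yml checks before replacing the image prefix. An operator who follows the NOTE to redirect pulls to an internal registry would leave the cri-o image on its default source, so the NOTE should name the crio variable or be dropped. The option is also described differently in the two example files: here docker is "replaced", in inventory/byo/hosts.ose.example cri-o runs "along side docker", and roles/docker/tasks/main.yml only skips the docker includes when `use_crio_only` is set. Suggested wording for both files: `# Install and run cri-o alongside docker; registry override: openshift_crio_systemcontainer_image_registry_override`. "replacec" and "it's override" are typos.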

+ 6 - 1
inventory/byo/hosts.ose.example

@@ -108,10 +108,15 @@ openshift_release=v3.6
 # The following options must not be used
 # - openshift_docker_options
 #openshift_docker_use_system_container=False
-# Force the registry to use for the system container. By default the registry
+# Install and run cri-o along side docker
+# NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override
+# just as container-engine does.
+#openshift_docker_use_crio=False
+# Force the registry to use for the container-engine/crio system container. By default the registry
 # will be built off of the deployment type and ansible_distribution. Only
 # use this option if you are sure you know what you are doing!
 #openshift_docker_systemcontainer_image_registry_override="registry.example.com"
+#openshift_crio_systemcontainer_image_registry_override="registry.example.com"
 # Items added, as is, to end of /etc/sysconfig/docker OPTIONS
 # Default value: "--log-driver=journald"
 #openshift_docker_options="-l warn --ipv6=false"

+ 13 - 2
roles/docker/tasks/main.yml

@@ -7,11 +7,22 @@
 
 - set_fact:
     l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}"
+    l_use_crio: "{{ openshift.docker.use_crio | default(False) }}"
+    l_use_crio_only: "{{ openshift.docker.use_crio_only | default(False) }}"
 
 - name: Use Package Docker if Requested
   include: package_docker.yml
-  when: not l_use_system_container
+  when:
+  - not l_use_system_container
+  - not l_use_crio_only
 
 - name: Use System Container Docker if Requested
   include: systemcontainer_docker.yml
-  when: l_use_system_container
+  when:
+  - l_use_system_container
+  - not l_use_crio_only
+
+- name: Add CRI-O usage Requested
+  include: systemcontainer_crio.yml
+  when:
+  - l_use_crio
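Review bot: `l_use_crio_only` reads `openshift.docker.use_crio_only`, but the only fact this commit adds in roles/openshift_docker_facts/tasks/main.yml is `use_crio`, and neither inventory example mentions a crio-only option. Unless that fact is set somewhere outside this diff, `default(False)` always wins and both `not l_use_crio_only` conditions are no-ops, so docker is still installed on every cri-o host. Either add `use_crio_only: "{{ openshift_docker_use_crio_only | default(False) }}"` to the docker facts and document it, or drop the variable. The three facts are also compared without `| bool`, unlike `openshift.common.is_atomic | bool` elsewhere in the role; `- l_use_crio | bool` would keep string values from an INI inventory from being misread.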

+ 146 - 0
roles/docker/tasks/systemcontainer_crio.yml

@@ -0,0 +1,146 @@
+---
+# TODO: Much of this file is shared with container engine tasks
+- set_fact:
+    l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}"
+  when: openshift.docker.insecure_registries
+
+- name: Ensure container-selinux is installed
+  package:
+    name: container-selinux
+    state: present
+  when: not openshift.common.is_atomic | bool
+
+# Used to pull and install the system container
+- name: Ensure atomic is installed
+  package:
+    name: atomic
+    state: present
+  when: not openshift.common.is_atomic | bool
+
+# At the time of writing the atomic command requires runc for it's own use. This
+# task is here in the even that the atomic package ever removes the dependency.
+- name: Ensure runc is installed
+  package:
+    name: runc
+    state: present
+  when: not openshift.common.is_atomic | bool
+
+
+- name: Check that overlay is in the kernel
+  shell: lsmod | grep overlay
+  register: l_has_overlay_in_kernel
+  ignore_errors: yes
+
+
+- when: l_has_overlay_in_kernel.rc != 0
+  block:
+
+    - name: Add overlay to modprobe.d
+      template:
+        dest: /etc/modules-load.d/overlay.conf
+        src: overlay.conf.j2
+        backup: yes
+
+    - name: Manually modprobe overlay into the kernel
+      command: modprobe overlay
+
+    - name: Enable and start systemd-modules-load
+      service:
+        name: systemd-modules-load
+        enabled: yes
+        state: restarted
+
+
+- block:
+
+    - name: Add http_proxy to /etc/atomic.conf
+      lineinfile:
+        dest: /etc/atomic.conf
+        regexp: "^#?http_proxy[:=]{1}"
+        line: "http_proxy: {{ openshift.common.http_proxy | default('') }}"
+      when:
+        - openshift.common.http_proxy is defined
+        - openshift.common.http_proxy != ''
+
+    - name: Add https_proxy to /etc/atomic.conf
+      lineinfile:
+        dest: /etc/atomic.conf
+        regexp: "^#?https_proxy[:=]{1}"
+        line: "https_proxy: {{ openshift.common.https_proxy | default('') }}"
+      when:
+        - openshift.common.https_proxy is defined
+        - openshift.common.https_proxy != ''
+
+    - name: Add no_proxy to /etc/atomic.conf
+      lineinfile:
+        dest: /etc/atomic.conf
+        regexp: "^#?no_proxy[:=]{1}"
+        line: "no_proxy: {{ openshift.common.no_proxy | default('') }}"
+      when:
+        - openshift.common.no_proxy is defined
+        - openshift.common.no_proxy != ''
+
+
+- block:
+
+    - name: Set to default prepend
+      set_fact:
+        l_crio_image_prepend: "docker.io/gscrivano"
+        l_crio_image_name: "crio-o-fedora"
+
+    - name: Use Centos based image when distribution is Red Hat or CentOS
+      set_fact:
+        l_crio_image_name: "cri-o-centos"
+      when: ansible_distribution in ['RedHat', 'CentOS']
+
+    # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504
+    - name: Use a testing registry if requested
+      set_fact:
+        l_crio_image_prepend: "{{ openshift_crio_systemcontainer_image_registry_override }}"
+      when:
+        - openshift_crio_systemcontainer_image_registry_override is defined
+        - openshift_crio_systemcontainer_image_registry_override != ""
+
+    - name: Set the full image name
+      set_fact:
+        l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:latest"
+
+# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
+- name: Pre-pull CRI-O System Container image
+  command: "atomic pull --storage ostree {{ l_crio_image }}"
+  changed_when: false
+  environment:
+    NO_PROXY: "{{ openshift.common.no_proxy | default('') }}"
+
+
+- name: Install CRI-O System Container
+  oc_atomic_container:
+    name: "cri-o"
+    image: "{{ l_crio_image }}"
+    state: latest
+
+- name: Create the CRI-O configuration
+  template:
+    dest: /etc/crio/crio.conf
+    src: crio.conf.j2
+    backup: yes
+
+- name: Ensure CNI configuration directory exists
+  file:
+    path: /etc/cni/net.d/
+    state: directory
+
+- name: Configure the CNI network
+  template:
+    dest: /etc/cni/net.d/openshift-sdn.conf
+    src: 80-openshift-sdn.conf.j2
+
+- name: Start the CRI-O service
+  systemd:
+    name: "cri-o"
+    enabled: yes
+    state: started
+    daemon_reload: yes
+  register: start_result
+
+- meta: flush_handlers
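Review bot: The default cri-o image comes from a personal Docker Hub namespace under a mutable tag: `l_crio_image_prepend: "docker.io/gscrivano"` in "Set to default prepend" and `:latest` in "Set the full image name", and it is then installed as a system container with `state: latest`. Whatever is published under that tag at run time becomes the node's container runtime, so the default should be a project-controlled registry with a pinned tag or digest supplied from inventory, e.g. `l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:{{ openshift_crio_image_tag }}"` (the variable name is a suggestion, not an existing one). `crio-o-fedora` also looks like a typo next to `cri-o-centos`; the Fedora image name should be confirmed. A comment above the block stating where the image is built and who maintains it would help anyone auditing the install path.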

+ 5 - 0
roles/docker/templates/80-openshift-sdn.conf.j2

@@ -0,0 +1,5 @@
+{
+  "cniVersion": "0.1.0",
+  "name": "openshift-sdn",
+  "type": "openshift-sdn"
+}

+ 132 - 0
roles/docker/templates/crio.conf.j2

@@ -0,0 +1,132 @@
+# {{ ansible_managed }}
+
+# The "crio" table contains all of the server options.
+[crio]
+
+# root is a path to the "root directory". CRIO stores all of its data,
+# including container images, in this directory.
+root = "/var/lib/containers/storage"
+
+# run is a path to the "run directory". CRIO stores all of its state
+# in this directory.
+runroot = "/var/run/containers/storage"
+
+# storage_driver select which storage driver is used to manage storage
+# of images and containers.
+storage_driver = "overlay2"
+
+# storage_option is used to pass an option to the storage driver.
+storage_option = [
+{% if ansible_distribution in ['RedHat', 'CentOS'] %}
+	"overlay2.override_kernel_check=1"
+{% endif %}
+]
+
+# The "crio.api" table contains settings for the kubelet/gRPC
+# interface (which is also used by crioctl).
+[crio.api]
+
+# listen is the path to the AF_LOCAL socket on which crio will listen.
+listen = "/var/run/crio.sock"
+
+# stream_address is the IP address on which the stream server will listen
+stream_address = ""
+
+# stream_port is the port on which the stream server will listen
+stream_port = "10010"
+
+# The "crio.runtime" table contains settings pertaining to the OCI
+# runtime used and options for how to set up and manage the OCI runtime.
+[crio.runtime]
+
+# runtime is the OCI compatible runtime used for trusted container workloads.
+# This is a mandatory setting as this runtime will be the default one
+# and will also be used for untrusted container workloads if
+# runtime_untrusted_workload is not set.
+runtime = "/usr/libexec/crio/runc"
+
+# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
+# container workloads. This is an optional setting, except if
+# default_container_trust is set to "untrusted".
+runtime_untrusted_workload = ""
+
+# default_workload_trust is the default level of trust crio puts in container
+# workloads. It can either be "trusted" or "untrusted", and the default
+# is "trusted".
+# Containers can be run through different container runtimes, depending on
+# the trust hints we receive from kubelet:
+# - If kubelet tags a container workload as untrusted, crio will try first to
+# run it through the untrusted container workload runtime. If it is not set,
+# crio will use the trusted runtime.
+# - If kubelet does not provide any information about the container workload trust
+# level, the selected runtime will depend on the default_container_trust setting.
+# If it is set to "untrusted", then all containers except for the host privileged
+# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
+# containers are by definition trusted and will always use the trusted container
+# runtime. If default_container_trust is set to "trusted", crio will use the trusted
+# container runtime for all containers.
+default_workload_trust = "trusted"
+
+# conmon is the path to conmon binary, used for managing the runtime.
+conmon = "/usr/libexec/crio/conmon"
+
+# conmon_env is the environment variable list for conmon process,
+# used for passing necessary environment variable to conmon or runtime.
+conmon_env = [
+	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+]
+
+# selinux indicates whether or not SELinux will be used for pod
+# separation on the host. If you enable this flag, SELinux must be running
+# on the host.
+selinux = true
+
+# seccomp_profile is the seccomp json profile path which is used as the
+# default for the runtime.
+seccomp_profile = "/etc/crio/seccomp.json"
+
+# apparmor_profile is the apparmor profile name which is used as the
+# default for the runtime.
+apparmor_profile = "crio-default"
+
+# cgroup_manager is the cgroup management implementation to be used
+# for the runtime.
+cgroup_manager = "systemd"
+
+# The "crio.image" table contains settings pertaining to the
+# management of OCI images.
+[crio.image]
+
+# default_transport is the prefix we try prepending to an image name if the
+# image name as we receive it can't be parsed as a valid source reference
+default_transport = "docker://"
+
+# pause_image is the image which we use to instantiate infra containers.
+pause_image = "kubernetes/pause"
+
+# pause_command is the command to run in a pause_image to have a container just
+# sit there.  If the image contains the necessary information, this value need
+# not be specified.
+pause_command = "/pause"
+
+# signature_policy is the name of the file which decides what sort of policy we
+# use when deciding whether or not to trust an image that we've pulled.
+# Outside of testing situations, it is strongly advised that this be left
+# unspecified so that the default system-wide policy will be used.
+signature_policy = ""
+
+# insecure_registries is used to skip TLS verification when pulling images.
+insecure_registries = [
+{{ l_insecure_crio_registries|default("") }}
+]
+
+# The "crio.network" table contains settings pertaining to the
+# management of CNI plugins.
+[crio.network]
+
+# network_dir is is where CNI network configuration
+# files are stored.
+network_dir = "/etc/cni/net.d/"
+
+# plugin_dir is is where CNI plugin binaries are stored.
+plugin_dir = "/opt/cni/bin/"
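Review bot: Under `[crio.api]` the template hard-codes `stream_address = ""` and `stream_port = "10010"`, which leaves the bind address of the stream server to cri-o's default instead of pinning it. That server carries exec/attach/port-forward traffic, so the listen address should be an explicit, inventory-controlled value, e.g. `stream_address = "{{ openshift_crio_stream_address | default('') }}"` (variable name is a suggestion), with a comment on which interface is expected and which firewall rule covers the port. In `[crio.image]`, `insecure_registries` is filled from a string joined in the task file; rendering the list with `to_json` would keep a registry name containing a quote from breaking the TOML. The comments copied above `default_workload_trust` refer to `default_container_trust`, which is not a key in this file.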

+ 2 - 0
roles/docker/templates/overlay.conf.j2

@@ -0,0 +1,2 @@
+### {{ ansible_managed }}
+overlay

+ 50 - 14
roles/openshift_cli/library/openshift_container_binary_sync.py

@@ -24,23 +24,51 @@ class BinarySyncError(Exception):
         self.msg = msg
 
 
-# pylint: disable=too-few-public-methods
+# pylint: disable=too-few-public-methods,too-many-instance-attributes
 class BinarySyncer(object):
     """
     Syncs the openshift, oc, oadm, and kubectl binaries/symlinks out of
     a container onto the host system.
     """
 
-    def __init__(self, module, image, tag):
+    def __init__(self, module, image, tag, backend):
         self.module = module
         self.changed = False
         self.output = []
         self.bin_dir = '/usr/local/bin'
         self.image = image
         self.tag = tag
+        self.backend = backend
         self.temp_dir = None  # TBD
 
     def sync(self):
+        if self.backend == 'atomic':
+            return self._sync_atomic()
+
+        return self._sync_docker()
+
+    def _sync_atomic(self):
+        self.temp_dir = tempfile.mkdtemp()
+        temp_dir_mount = tempfile.mkdtemp()
+        try:
+            image_spec = '%s:%s' % (self.image, self.tag)
+            rc, stdout, stderr = self.module.run_command(['atomic', 'mount',
+                                                          '--storage', "ostree",
+                                                          image_spec, temp_dir_mount])
+            if rc:
+                raise BinarySyncError("Error mounting image. stdout=%s, stderr=%s" %
+                                      (stdout, stderr))
+            for i in ["openshift", "oc"]:
+                src_file = os.path.join(temp_dir_mount, "usr/bin", i)
+                shutil.copy(src_file, self.temp_dir)
+
+            self._sync_binaries()
+        finally:
+            self.module.run_command(['atomic', 'umount', temp_dir_mount])
+            shutil.rmtree(temp_dir_mount)
+            shutil.rmtree(self.temp_dir)
+
+    def _sync_docker(self):
         container_name = "openshift-cli-%s" % random.randint(1, 100000)
         rc, stdout, stderr = self.module.run_command(['docker', 'create', '--name',
                                                       container_name, '%s:%s' % (self.image, self.tag)])
@@ -64,21 +92,24 @@ class BinarySyncer(object):
                 raise BinarySyncError("Error copying file from docker container: stdout=%s, stderr=%s" %
                                       (stdout, stderr))
 
-            self._sync_binary('openshift')
-
-            # In older versions, oc was a symlink to openshift:
-            if os.path.islink(os.path.join(self.temp_dir, 'oc')):
-                self._sync_symlink('oc', 'openshift')
-            else:
-                self._sync_binary('oc')
-
-            # Ensure correct symlinks created:
-            self._sync_symlink('kubectl', 'openshift')
-            self._sync_symlink('oadm', 'openshift')
+            self._sync_binaries()
         finally:
             shutil.rmtree(self.temp_dir)
             self.module.run_command(['docker', 'rm', container_name])
 
+    def _sync_binaries(self):
+        self._sync_binary('openshift')
+
+        # In older versions, oc was a symlink to openshift:
+        if os.path.islink(os.path.join(self.temp_dir, 'oc')):
+            self._sync_symlink('oc', 'openshift')
+        else:
+            self._sync_binary('oc')
+
+        # Ensure correct symlinks created:
+        self._sync_symlink('kubectl', 'openshift')
+        self._sync_symlink('oadm', 'openshift')
+
     def _sync_symlink(self, binary_name, link_to):
         """ Ensure the given binary name exists and links to the expected binary. """
 
@@ -112,14 +143,19 @@ def main():
         argument_spec=dict(
             image=dict(required=True),
             tag=dict(required=True),
+            backend=dict(required=True),
         ),
         supports_check_mode=True
     )
 
     image = module.params['image']
     tag = module.params['tag']
+    backend = module.params['backend']
+
+    if backend not in ["docker", "atomic"]:
+        module.fail_json(msg="unknown backend")
 
-    binary_syncer = BinarySyncer(module, image, tag)
+    binary_syncer = BinarySyncer(module, image, tag, backend)
 
     try:
         binary_syncer.sync()
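Review bot: In `_sync_atomic`'s `finally` block the return code of `atomic umount` is ignored and `shutil.rmtree(temp_dir_mount)` runs regardless, so if the unmount fails the recursive delete walks into the still-mounted image tree. Any exception it raises there also skips `shutil.rmtree(self.temp_dir)` and leaks the directory holding the copied binaries. Removing only the empty mount point and doing it last avoids both: keep the umount call, then `shutil.rmtree(self.temp_dir)`, then `os.rmdir(temp_dir_mount)`, which fails loudly instead of deleting if something is still mounted. Separately, `shutil.copy` follows symlinks, so on this path the `os.path.islink` branch in `_sync_binaries` cannot trigger, and an absolute symlink inside the image would resolve against the host filesystem rather than the mount. The new methods have no docstrings; a one-line docstring on `_sync_atomic`, `_sync_docker` and `_sync_binaries` would match `_sync_symlink`.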

+ 33 - 11
roles/openshift_cli/tasks/main.yml

@@ -1,20 +1,42 @@
 ---
+- set_fact:
+    l_use_crio: "{{ openshift_docker_use_crio | default(false) }}"
+
 - name: Install clients
   package: name={{ openshift.common.service_type }}-clients state=present
   when: not openshift.common.is_containerized | bool
 
-- name: Pull CLI Image
-  command: >
-    docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }}
-  register: pull_result
-  changed_when: "'Downloaded newer image' in pull_result.stdout"
-  when: openshift.common.is_containerized | bool
+- block:
+  - name: Pull CLI Image
+    command: >
+      docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }}
+    register: pull_result
+    changed_when: "'Downloaded newer image' in pull_result.stdout"
+
+  - name: Copy client binaries/symlinks out of CLI image for use on the host
+    openshift_container_binary_sync:
+      image: "{{ openshift.common.cli_image }}"
+      tag: "{{ openshift_image_tag }}"
+      backend: "docker"
+  when:
+  - openshift.common.is_containerized | bool
+  - not l_use_crio
+
+- block:
+  - name: Pull CLI Image
+    command: >
+      atomic pull --storage ostree {{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}:{{ openshift_image_tag }}
+    register: pull_result
+    changed_when: "'Pulling layer' in pull_result.stdout"
 
-- name: Copy client binaries/symlinks out of CLI image for use on the host
-  openshift_container_binary_sync:
-    image: "{{ openshift.common.cli_image }}"
-    tag: "{{ openshift_image_tag }}"
-  when: openshift.common.is_containerized | bool
+  - name: Copy client binaries/symlinks out of CLI image for use on the host
+    openshift_container_binary_sync:
+      image: "{{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}"
+      tag: "{{ openshift_image_tag }}"
+      backend: "atomic"
+  when:
+  - openshift.common.is_containerized | bool
+  - l_use_crio
 
 - name: Reload facts to pick up installed OpenShift version
   openshift_facts:
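Review bot: The atomic branch builds the image reference as `{{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}` in both "Pull CLI Image" and the `openshift_container_binary_sync` task, without the `docker` special case that roles/openshift_node/tasks/openvswitch_system_container.yml applies. When `system_images_registry` is `docker`, this would presumably resolve to a `docker/...` repository rather than the intended image, which is a wrong image source for binaries that end up in /usr/local/bin. Reusing the same expression keeps the two roles consistent: `{{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.common.cli_image }}`. The `when:` lists also test `l_use_crio` without `| bool`, unlike `openshift.common.is_containerized | bool` on the line above.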

+ 1 - 0
roles/openshift_docker_facts/tasks/main.yml

@@ -17,6 +17,7 @@
       hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.docker.hosted_registry_insecure | default(False)) }}"
       hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}"
       use_system_container: "{{ openshift_docker_use_system_container | default(False) }}"
+      use_crio: "{{ openshift_docker_use_crio | default(False) }}"
   - role: node
     local_facts:
       sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}"

+ 2 - 0
roles/openshift_facts/tasks/main.yml

@@ -7,6 +7,7 @@
 # Locally setup containerized facts for now
 - set_fact:
     l_is_atomic: "{{ ostree_booted.stat.exists }}"
+    l_use_crio: "{{ openshift_docker_use_crio | default(false) }}"
 - set_fact:
     l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}"
     l_is_openvswitch_system_container: "{{ (openshift_use_openvswitch_system_container | default(openshift_use_system_containers) | bool) }}"
@@ -55,6 +56,7 @@
       - l_atomic_docker_version.stdout | replace('"', '') | version_compare('1.12','>=')
 
   when:
+  - not l_use_crio
   - l_is_atomic | bool
   - r_openshift_facts_ran is not defined
 

+ 10 - 3
roles/openshift_node/tasks/main.yml

@@ -2,9 +2,9 @@
 # TODO: allow for overriding default ports where possible
 - fail:
     msg: "SELinux is disabled, This deployment type requires that SELinux is enabled."
-  when: >
-    (not ansible_selinux or ansible_selinux.status != 'enabled') and
-    deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise']
+  when:
+    - (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise']
+    - not openshift_docker_use_crio | default(false)
 
 # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
 - name: Check for swap usage
@@ -66,6 +66,13 @@
     - openshift.common.use_openshift_sdn | default(true) | bool
     - not openshift.common.is_containerized | bool
 
+- name: Restart cri-o
+  systemd:
+    name: cri-o
+    enabled: yes
+    state: restarted
+  when: openshift_docker_use_crio | default(false)
+
 - name: Install conntrack-tools package
   package:
     name: "conntrack-tools"
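Review bot: The SELinux gate in the first hunk is switched off whenever cri-o is enabled. The new second condition `- not openshift_docker_use_crio | default(false)` means the enterprise deployment types no longer fail on a host with SELinux disabled, while roles/docker/templates/crio.conf.j2 in this same commit sets `selinux = true` and says SELinux must then be running on the host. If the exemption is intentional it needs a comment explaining why; otherwise the condition should be dropped. The value is also used without `| bool`, so a string such as `false` from an INI inventory would presumably be truthy and skip the check; `- not (openshift_docker_use_crio | default(false) | bool)` avoids that, and the same applies to the `when:` of the new "Restart cri-o" task in the second hunk.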

+ 12 - 1
roles/openshift_node/tasks/openvswitch_system_container.yml

@@ -1,4 +1,15 @@
 ---
+- set_fact:
+    l_use_crio: "{{ openshift_docker_use_crio | default(false) }}"
+
+- set_fact:
+    l_service_name: "cri-o"
+  when: l_use_crio
+
+- set_fact:
+    l_service_name: "{{ openshift.docker.service_name }}"
+  when: not l_use_crio
+
 - name: Pre-pull OpenVSwitch system container image
   command: >
     atomic pull --storage=ostree {{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}
@@ -11,4 +22,4 @@
     image: "{{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}"
     state: latest
     values:
-      - "DOCKER_SERVICE={{ openshift.docker.service_name }}.service"
+      - "DOCKER_SERVICE={{ l_service_name }}"
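Review bot: The last changed line drops the `.service` suffix for every host, not only cri-o ones. The old value was `"DOCKER_SERVICE={{ openshift.docker.service_name }}.service"`, the new one is `"DOCKER_SERVICE={{ l_service_name }}"`, and `l_service_name` is set to the bare `openshift.docker.service_name` when cri-o is off. If the openvswitch system container uses this value as a systemd unit name, the existing docker path changes behaviour; `- "DOCKER_SERVICE={{ l_service_name }}.service"` keeps it as before and yields `cri-o.service` for the new case. The three `set_fact` tasks could also be one, with `l_service_name: "{{ 'cri-o' if l_use_crio | bool else openshift.docker.service_name }}"`.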

+ 1 - 0
roles/openshift_node/templates/node.service.j2

@@ -8,6 +8,7 @@ Wants={{ openshift.docker.service_name }}.service
 Documentation=https://github.com/openshift/origin
 Requires=dnsmasq.service
 After=dnsmasq.service
+{% if openshift.docker.use_crio %}Wants=cri-o.service{% endif %}
 
 [Service]
 Type=notify
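Review bot: The added `Wants=cri-o.service` pulls the unit in but gives no ordering, so the node service can start before the runtime socket it is configured to use exists. Adding `After=cri-o.service` inside the same conditional fixes that: `{% if openshift.docker.use_crio %}Wants=cri-o.service` / `After=cri-o.service{% endif %}`. The same line is added to roles/openshift_node/templates/openshift.docker.node.dep.service, where the blank line before `[Service]` is replaced by it. Both templates test `openshift.docker.use_crio` without `| default(False)`, unlike node.yaml.v1.j2, so rendering depends on the docker facts having been set first.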

+ 15 - 0
roles/openshift_node/templates/node.yaml.v1.j2

@@ -16,6 +16,21 @@ imageConfig:
   latest: false
 kind: NodeConfig
 kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yaml(level=1) }}
+{% if openshift.docker.use_crio | default(False) %}
+  container-runtime:
+  - remote
+  container-runtime-endpoint:
+  - /var/run/crio.sock
+  experimental-cri:
+  - 'true'
+  image-service-endpoint:
+  - /var/run/crio.sock
+  node-labels:
+  - router=true
+  - registry=true
+  runtime-request-timeout:
+  - 10m
+{% endif %}
 {% if openshift.common.version_gte_3_3_or_1_3 | bool %}
 masterClientConnectionOverrides:
   acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
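Review bot: The cri-o block hard-codes `node-labels` with `router=true` and `registry=true`, so every node rendered with cri-o enabled advertises itself as eligible for the router and the registry regardless of the inventory. This looks like a test leftover; labels should come from `openshift.node.kubelet_args` or the node-labels variable the role already has. The block is also appended as raw text after `to_padded_yaml`, so a user who already sets `node-labels` or `container-runtime` in `kubelet_args` gets duplicate keys (most parsers silently keep the last), and an empty `kubelet_args` may not render as a mapping these lines can extend. Merging the cri-o arguments into the dict before `to_padded_yaml` avoids both.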

+ 1 - 1
roles/openshift_node/templates/openshift.docker.node.dep.service

@@ -3,7 +3,7 @@ Requires={{ openshift.docker.service_name }}.service
 After={{ openshift.docker.service_name }}.service
 PartOf={{ openshift.common.service_type }}-node.service
 Before={{ openshift.common.service_type }}-node.service
-
+{% if openshift.docker.use_crio %}Wants=cri-o.service{% endif %}
 
 [Service]
 ExecStart=/bin/bash -c "if [[ -f /usr/bin/docker-current ]]; then echo \"DOCKER_ADDTL_BIND_MOUNTS=--volume=/usr/bin/docker-current:/usr/bin/docker-current:ro --volume=/etc/sysconfig/docker:/etc/sysconfig/docker:ro\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; else echo \"#DOCKER_ADDTL_BIND_MOUNTS=\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; fi"

+ 9 - 0
roles/openshift_version/tasks/set_version_containerized.yml

@@ -1,4 +1,7 @@
 ---
+- set_fact:
+    l_use_crio: "{{ openshift_docker_use_crio | default(false) }}"
+
 - name: Set containerized version to configure if openshift_image_tag specified
   set_fact:
     # Expects a leading "v" in inventory, strip it off here unless
@@ -42,12 +45,18 @@
   when:
   - openshift_version is defined
   - openshift_version.split('.') | length == 2
+  - not l_use_crio
 
 - set_fact:
     openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2][1:] | join('-') if openshift.common.deployment_type == 'origin' else cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}"
   when:
   - openshift_version is defined
   - openshift_version.split('.') | length == 2
+  - not l_use_crio
+
+# TODO: figure out a way to check for the openshift_version when using CRI-O.
+# We should do that using the images in the ostree storage so we don't have
+# to pull them again.
 
 # We finally have the specific version. Now we clean up any strange
 # dangly +c0mm1t-offset tags in the version. See also,