atomic-openshift: install as a system container

Use use_system_containers=true in the inventory file

alternatively you can select each component as:

use_openvswitch_system_container=true
use_node_system_container=true
use_master_system_container=true

system_images_registry holds the registry from where to fetch system
containers.

Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>

roles/openshift_facts/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+use_system_containers: false

roles/openshift_facts/library/openshift_facts.py

@@ -1785,11 +1785,14 @@ def set_container_facts_if_unset(facts):
         facts['etcd']['etcd_image'] = etcd_image
     if 'master' in facts and 'master_image' not in facts['master']:
         facts['master']['master_image'] = master_image
+        facts['master']['master_system_image'] = master_image
     if 'node' in facts:
         if 'node_image' not in facts['node']:
             facts['node']['node_image'] = node_image
+            facts['node']['node_system_image'] = node_image
         if 'ovs_image' not in facts['node']:
             facts['node']['ovs_image'] = ovs_image
+            facts['node']['ovs_system_image'] = ovs_image
 
     if safe_get_bool(facts['common']['is_containerized']):
         facts['common']['admin_binary'] = '/usr/local/bin/oadm'

roles/openshift_facts/tasks/main.yml

@@ -9,6 +9,9 @@
     l_is_atomic: "{{ ostree_booted.stat.exists }}"
 - set_fact:
     l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}"
+    l_is_openvswitch_system_container: "{{ (use_openvswitch_system_container | default(use_system_containers) | bool) }}"
+    l_is_node_system_container: "{{ (use_node_system_container | default(use_system_containers) | bool) }}"
+    l_is_master_system_container: "{{ (use_master_system_container | default(use_system_containers) | bool) }}"
 
 - name: Ensure various deps are installed
   package: name={{ item }} state=present
@@ -27,6 +30,10 @@
       hostname: "{{ openshift_hostname | default(None) }}"
       ip: "{{ openshift_ip | default(None) }}"
       is_containerized: "{{ l_is_containerized | default(None) }}"
+      is_openvswitch_system_container: "{{ l_is_openvswitch_system_container | default(false) }}"
+      is_node_system_container: "{{ l_is_node_system_container | default(false) }}"
+      is_master_system_container: "{{ l_is_master_system_container | default(false) }}"
+      system_images_registry: "{{ system_images_registry | default('') }}"
       public_hostname: "{{ openshift_public_hostname | default(None) }}"
       public_ip: "{{ openshift_public_ip | default(None) }}"
       portal_net: "{{ openshift_portal_net | default(openshift_master_portal_net) | default(None) }}"

roles/openshift_master/tasks/main.yml

@@ -131,6 +131,10 @@
 - name: Install the systemd units
   include: systemd_units.yml
 
+- name: Install Master system container
+  include: system_container.yml
+  when: openshift.common.is_containerized | bool and openshift.common.is_master_system_container | bool
+
 - name: Create session secrets file
   template:
     dest: "{{ openshift.master.session_secrets_file }}"

roles/openshift_master/tasks/system_container.yml

@@ -0,0 +1,17 @@
+---
+- name: Pre-pull master system container image
+  command: >
+    atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.master.master_system_image }}:{{ openshift_image_tag }}
+  register: pull_result
+  changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Uninstall Master system container package
+  command: >
+    atomic uninstall {{ openshift.common.service_type }}-master
+  failed_when: False
+  when: openshift.common.version != openshift_version
+
+- name: Install Master system container package
+  command: >
+    atomic install --system --name={{ openshift.common.service_type }}-master {{ openshift.common.system_images_registry }}/{{ openshift.master.master_system_image }}:{{ openshift_image_tag }}
+  when: openshift.common.version != openshift_version

roles/openshift_master/tasks/systemd_units.yml

@@ -20,14 +20,14 @@
     docker pull {{ openshift.master.master_image }}:{{ openshift_image_tag }}
   register: pull_result
   changed_when: "'Downloaded newer image' in pull_result.stdout"
-  when: openshift.common.is_containerized | bool
+  when: openshift.common.is_containerized | bool and not openshift.common.is_master_system_container | bool
 
 # workaround for missing systemd unit files
 - name: Create the systemd unit files
   template:
     src: "master_docker/master.docker.service.j2"
     dest: "{{ containerized_svc_dir }}/{{ openshift.common.service_type }}-master.service"
-  when: openshift.common.is_containerized | bool and (openshift.master.ha is not defined or not openshift.master.ha | bool)
+  when: openshift.common.is_containerized | bool and (openshift.master.ha is not defined or not openshift.master.ha | bool and not openshift.common.is_master_system_container | bool)
   register: create_master_unit_file
 
 - command: systemctl daemon-reload
@@ -132,7 +132,7 @@
     dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service"
     src: master_docker/master.docker.service.j2
   register: install_result
-  when: openshift.common.is_containerized | bool and openshift.master.ha is defined and not openshift.master.ha | bool
+  when: openshift.common.is_containerized | bool and openshift.master.ha is defined and not openshift.master.ha | bool and not openshift.common.is_master_system_container | bool
 
 - name: Preserve Master Proxy Config options
   command: grep PROXY /etc/sysconfig/{{ openshift.common.service_type }}-master

roles/openshift_node/tasks/main.yml

@@ -69,7 +69,7 @@
 - name: Persist net.ipv4.ip_forward sysctl entry
   sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes state=present reload=yes
 
-- name: Start and enable openvswitch docker service
+- name: Start and enable openvswitch service
   systemd:
     name: openvswitch.service
     enabled: yes

roles/openshift_node/tasks/node_system_container.yml

@@ -0,0 +1,19 @@
+---
+- name: Pre-pull node system container image
+  command: >
+    atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.node.node_system_image }}:{{ openshift_image_tag }}
+  register: pull_result
+  changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Uninstall Node system container package
+  command: >
+    atomic uninstall {{ openshift.common.service_type }}-node
+  failed_when: False
+  when: openshift.common.version != openshift_version | bool
+
+- name: Install Node system container package
+  command: >
+    atomic install --system --name={{ openshift.common.service_type }}-node {{ openshift.common.system_images_registry }}/{{ openshift.node.node_system_image }}:{{ openshift_image_tag }}
+  register: install_node_result
+  changed_when: "'Extracting' in pull_result.stdout"
+  when: openshift.common.version != openshift_version | bool

roles/openshift_node/tasks/openvswitch_system_container.yml

@@ -0,0 +1,19 @@
+---
+- name: Pre-pull OpenVSwitch system container image
+  command: >
+    atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}
+  register: pull_result
+  changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Uninstall OpenvSwitch system container package
+  command: >
+    atomic uninstall openvswitch
+  failed_when: False
+  when: openshift.common.version != openshift_version | bool
+
+- name: Install OpenvSwitch system container package
+  command: >
+    atomic install --system --name=openvswitch {{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}
+  when: openshift.common.version != openshift_version | bool
+  notify:
+    - restart docker

roles/openshift_node/tasks/systemd_units.yml

@@ -7,14 +7,14 @@
     docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }}
   register: pull_result
   changed_when: "'Downloaded newer image' in pull_result.stdout"
-  when: openshift.common.is_containerized | bool
+  when: openshift.common.is_containerized | bool and not openshift.common.is_node_system_container | bool
 
 - name: Pre-pull openvswitch image
   command: >
     docker pull {{ openshift.node.ovs_image }}:{{ openshift_image_tag }}
   register: pull_result
   changed_when: "'Downloaded newer image' in pull_result.stdout"
-  when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool
+  when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool and not openshift.common.is_node_system_container | bool
 
 - name: Install Node dependencies docker service file
   template:
@@ -28,7 +28,9 @@
     dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service"
     src: openshift.docker.node.service
   register: install_node_result
-  when: openshift.common.is_containerized | bool
+  when:
+  - openshift.common.is_containerized | bool
+  - not openshift.common.is_node_system_container | bool
 
 - name: Create the openvswitch service env file
   template:
@@ -39,6 +41,19 @@
   notify:
   - restart openvswitch
 
+- name: Install Node system container
+  include: node_system_container.yml
+  when:
+  - openshift.common.is_containerized | bool
+  - openshift.common.is_node_system_container | bool
+
+- name: Install OpenvSwitch system containers
+  include: openvswitch_system_container.yml
+  when:
+  - openshift.common.use_openshift_sdn | default(true) | bool
+  - openshift.common.is_containerized | bool
+  - openshift.common.is_openvswitch_system_container | bool
+
 # May be a temporary workaround.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1331590
 - name: Create OpenvSwitch service.d directory
@@ -58,7 +73,10 @@
   template:
     dest: "/etc/systemd/system/openvswitch.service"
     src: openvswitch.docker.service
-  when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | default(true) | bool
+  when:
+  - openshift.common.is_containerized | bool
+  - openshift.common.use_openshift_sdn | default(true) | bool
+  - not openshift.common.is_openvswitch_system_container | bool
   notify:
   - restart openvswitch