Update roles and playbooks to split cri-o install types

- inventory: Split cri_o into package and system container
- container_runtime: Add package_crio task file
- openshift_use_crio: If True, and openshift_crio_use_rpm is False,
installs crio as a system container.
- openshift_crio_use_rpm: When openshift_use_crio is True and this is
True then crio will be installed as an rpm.
- BUGFIX: Use map_to_pairs on the node check
- Expand openshift_docker_alternative_creds var

inventory/hosts.example

@@ -150,10 +150,12 @@ debug_level=2
 # The following options must not be used
 # - openshift_docker_options
 #openshift_docker_use_system_container=False
-# Install and run cri-o along side docker
+# Install and run cri-o. By default this will install cri-o as a system container.
+#openshift_use_crio=False
+# You can install cri-o as an rpm by setting the following variable:
+#openshift_crio_use_rpm=False
 # NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override
 # just as container-engine does.
-#openshift_use_crio=False
 # Force the registry to use for the container-engine/crio system container. By default the registry
 # will be built off of the deployment type and ansible_distribution. Only
 # use this option if you are sure you know what you are doing!

playbooks/container-runtime/private/config.yml

@@ -34,4 +34,12 @@
         tasks_from: systemcontainer_crio.yml
       when:
         - openshift_use_crio | bool
+        - not openshift_crio_use_rpm | bool
+        - openshift_docker_is_node_or_master | bool
+    - import_role:
+        name: container_runtime
+        tasks_from: package_crio.yml
+      when:
+        - openshift_use_crio | bool
+        - openshift_crio_use_rpm | bool
         - openshift_docker_is_node_or_master | bool

playbooks/init/basic_facts.yml

@@ -35,6 +35,12 @@
       openshift_is_atomic: "{{ ostree_booted.stat.exists }}"
       openshift_is_containerized: "{{ ostree_booted.stat.exists or (containerized | default(false) | bool) }}"
 
+  - name: Set use_crio to True if cri-o rpm is requested
+    set_fact:
+      openshift_use_crio: True
+    when:
+    - openshift_crio_use_rpm | default(False) | bool
+
   # TODO: Should this be moved into health checks??
   # Seems as though any check that happens with a corresponding fail should move into health_checks
   # Fail as early as possible if Atomic and old version of Docker

roles/container_runtime/README.md

@@ -12,6 +12,7 @@ Entry points
 * package_docker.yml - install and setup docker container runtime.
 * systemcontainer_docker.yml - utilize docker + systemcontainer
 * systemcontainer_crio.yml - utilize crio + systemcontainer
+* package_crio.yml - install and setup crio container runtime.
 * registry_auth.yml - place docker login credentials.
 
 Requirements

roles/container_runtime/defaults/main.yml

@@ -81,6 +81,7 @@ docker_https_proxy: "{{ openshift.common.https_proxy | default('') }}"
 docker_no_proxy: "{{ openshift.common.no_proxy | default('') }}"
 
 openshift_use_crio: False
+openshift_crio_use_rpm: False
 openshift_use_crio_only: False
 
 l_openshift_image_tag_default: "{{ openshift_release | default('latest') }}"

roles/container_runtime/tasks/package_crio.yml

@@ -0,0 +1,84 @@
+---
+- name: Fail if Atomic Host since this is an rpm request
+  fail: msg='Cannot use CRI-O as a package on Atomic Host'
+  when:
+    - openshift_is_atomic | bool
+
+- include_tasks: common/pre.yml
+
+- name: Check that overlay is in the kernel
+  shell: lsmod | grep overlay
+  register: l_has_overlay_in_kernel
+  ignore_errors: yes
+  failed_when: false
+
+- when: l_has_overlay_in_kernel.rc != 0
+  block:
+
+    - name: Add overlay to modprobe.d
+      template:
+        dest: /etc/modules-load.d/overlay.conf
+        src: overlay.conf.j2
+        backup: yes
+
+    - name: Manually modprobe overlay into the kernel
+      command: modprobe overlay
+
+    - name: Enable and start systemd-modules-load
+      service:
+        name: systemd-modules-load
+        enabled: yes
+        state: restarted
+
+- name: Install cri-o
+  package:
+    name: "cri-o"
+    state: present
+  register: result
+  until: result is succeeded
+
+- name: Remove CRI-O default configuration files
+  file:
+    path: "{{ item }}"
+    state: absent
+  with_items:
+    - /etc/cni/net.d/200-loopback.conf
+    - /etc/cni/net.d/100-crio-bridge.conf
+
+- name: Create the CRI-O configuration
+  template:
+    dest: /etc/crio/crio.conf
+    src: crio.conf.j2
+    backup: yes
+
+- name: Ensure CNI configuration directory exists
+  file:
+    path: /etc/cni/net.d/
+    state: directory
+
+- name: setup firewall for CRI-O
+  import_tasks: crio_firewall.yml
+
+- name: Configure the CNI network
+  template:
+    dest: /etc/cni/net.d/openshift-sdn.conf
+    src: 80-openshift-sdn.conf.j2
+
+- name: Create /etc/sysconfig/crio-network
+  template:
+    dest: /etc/sysconfig/crio-network
+    src: crio-network.j2
+
+- name: Start the CRI-O service
+  systemd:
+    name: "cri-o"
+    enabled: yes
+    state: restarted
+    daemon_reload: yes
+  register: start_result
+
+# If we are using crio only, docker.service might not be available for
+# 'docker login'
+- include_tasks: common/post.yml
+  vars:
+    openshift_docker_alternative_creds: "{{ (openshift_use_crio_only | bool) or (openshift_docker_use_system_container | bool) }}"

roles/container_runtime/tasks/systemcontainer_crio.yml

@@ -106,4 +106,4 @@
 # 'docker login'
 - include_tasks: common/post.yml
   vars:
-    openshift_docker_alternative_creds: "{{ openshift_use_crio_only | bool }}"
+    openshift_docker_alternative_creds: "{{ (openshift_use_crio_only | bool) or (openshift_docker_use_system_container | bool) }}"

roles/openshift_cli/defaults/main.yml

@@ -6,6 +6,7 @@ system_images_registry_dict:
 system_images_registry: "{{ system_images_registry_dict[openshift_deployment_type | default('origin')] }}"
 
 openshift_use_crio_only: False
+openshift_crio_use_rpm: False
 
 l_is_system_container_image: "{{ openshift_use_master_system_container | default(openshift_use_system_containers | default(False)) | bool }}"
-l_use_cli_atomic_image: "{{ (openshift_use_crio_only | bool) or (l_is_system_container_image | bool) }}"
+l_use_cli_atomic_image: "{{ (openshift_use_crio_only | bool and not openshift_crio_use_rpm | bool) or (l_is_system_container_image | bool) }}"