diff options
author | OpenShift Bot <eparis+openshiftbot@redhat.com> | 2017-08-04 18:32:23 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-08-04 18:32:23 -0400 |
commit | 3db2bb10c0ad5e7ed702bfccdec03562533e8539 (patch) | |
tree | 27e9493d9e5ed24ec1847678b76e02e10d61ce77 | |
parent | 145c90c9eb58ae9ce25e7795fcf403a2595d3580 (diff) | |
parent | 31e708a5d440a6ad13f81c4b94ad26e0b2d9587a (diff) | |
download | openshift-3db2bb10c0ad5e7ed702bfccdec03562533e8539.tar.gz openshift-3db2bb10c0ad5e7ed702bfccdec03562533e8539.tar.bz2 openshift-3db2bb10c0ad5e7ed702bfccdec03562533e8539.tar.xz openshift-3db2bb10c0ad5e7ed702bfccdec03562533e8539.zip |
Merge pull request #4898 from giuseppe/cri-o
Merged by openshift-bot
-rw-r--r-- | inventory/byo/hosts.origin.example | 7 | ||||
-rw-r--r-- | inventory/byo/hosts.ose.example | 7 | ||||
-rw-r--r-- | roles/docker/tasks/main.yml | 15 | ||||
-rw-r--r-- | roles/docker/tasks/systemcontainer_crio.yml | 146 | ||||
-rw-r--r-- | roles/docker/templates/80-openshift-sdn.conf.j2 | 5 | ||||
-rw-r--r-- | roles/docker/templates/crio.conf.j2 | 132 | ||||
-rw-r--r-- | roles/docker/templates/overlay.conf.j2 | 2 | ||||
-rw-r--r-- | roles/openshift_cli/library/openshift_container_binary_sync.py | 64 | ||||
-rw-r--r-- | roles/openshift_cli/tasks/main.yml | 44 | ||||
-rw-r--r-- | roles/openshift_docker_facts/tasks/main.yml | 1 | ||||
-rw-r--r-- | roles/openshift_facts/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_node/tasks/main.yml | 13 | ||||
-rw-r--r-- | roles/openshift_node/tasks/openvswitch_system_container.yml | 13 | ||||
-rw-r--r-- | roles/openshift_node/templates/node.service.j2 | 1 | ||||
-rw-r--r-- | roles/openshift_node/templates/node.yaml.v1.j2 | 15 | ||||
-rw-r--r-- | roles/openshift_node/templates/openshift.docker.node.dep.service | 2 | ||||
-rw-r--r-- | roles/openshift_version/tasks/set_version_containerized.yml | 9 |
17 files changed, 444 insertions, 34 deletions
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index f09c3d255..239727c6e 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -108,10 +108,15 @@ openshift_release=v3.6 # The following options must not be used # - openshift_docker_options #openshift_docker_use_system_container=False -# Force the registry to use for the system container. By default the registry +# Instead of using docker, replacec it with cri-o +# NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override +# just as container-engine does. +#openshift_docker_use_crio=False +# Force the registry to use for the docker/crio system container. By default the registry # will be built off of the deployment type and ansible_distribution. Only # use this option if you are sure you know what you are doing! #openshift_docker_systemcontainer_image_registry_override="registry.example.com" +#openshift_crio_systemcontainer_image_registry_override="registry.example.com" # Items added, as is, to end of /etc/sysconfig/docker OPTIONS # Default value: "--log-driver=journald" #openshift_docker_options="-l warn --ipv6=false" diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index c4b5da5b8..837c54f27 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -108,10 +108,15 @@ openshift_release=v3.6 # The following options must not be used # - openshift_docker_options #openshift_docker_use_system_container=False -# Force the registry to use for the system container. By default the registry +# Install and run cri-o along side docker +# NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override +# just as container-engine does. +#openshift_docker_use_crio=False +# Force the registry to use for the container-engine/crio system container. By default the registry # will be built off of the deployment type and ansible_distribution. Only # use this option if you are sure you know what you are doing! #openshift_docker_systemcontainer_image_registry_override="registry.example.com" +#openshift_crio_systemcontainer_image_registry_override="registry.example.com" # Items added, as is, to end of /etc/sysconfig/docker OPTIONS # Default value: "--log-driver=journald" #openshift_docker_options="-l warn --ipv6=false" diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 0c2b16acf..1f9ac5059 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -7,11 +7,22 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" + l_use_crio: "{{ openshift.docker.use_crio | default(False) }}" + l_use_crio_only: "{{ openshift.docker.use_crio_only | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml - when: not l_use_system_container + when: + - not l_use_system_container + - not l_use_crio_only - name: Use System Container Docker if Requested include: systemcontainer_docker.yml - when: l_use_system_container + when: + - l_use_system_container + - not l_use_crio_only + +- name: Add CRI-O usage Requested + include: systemcontainer_crio.yml + when: + - l_use_crio diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml new file mode 100644 index 000000000..787f51f94 --- /dev/null +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -0,0 +1,146 @@ +--- +# TODO: Much of this file is shared with container engine tasks +- set_fact: + l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" + when: openshift.docker.insecure_registries + +- name: Ensure container-selinux is installed + package: + name: container-selinux + state: present + when: not openshift.common.is_atomic | bool + +# Used to pull and install the system container +- name: Ensure atomic is installed + package: + name: atomic + state: present + when: not openshift.common.is_atomic | bool + +# At the time of writing the atomic command requires runc for it's own use. This +# task is here in the even that the atomic package ever removes the dependency. +- name: Ensure runc is installed + package: + name: runc + state: present + when: not openshift.common.is_atomic | bool + + +- name: Check that overlay is in the kernel + shell: lsmod | grep overlay + register: l_has_overlay_in_kernel + ignore_errors: yes + + +- when: l_has_overlay_in_kernel.rc != 0 + block: + + - name: Add overlay to modprobe.d + template: + dest: /etc/modules-load.d/overlay.conf + src: overlay.conf.j2 + backup: yes + + - name: Manually modprobe overlay into the kernel + command: modprobe overlay + + - name: Enable and start systemd-modules-load + service: + name: systemd-modules-load + enabled: yes + state: restarted + + +- block: + + - name: Add http_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?http_proxy[:=]{1}" + line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" + when: + - openshift.common.http_proxy is defined + - openshift.common.http_proxy != '' + + - name: Add https_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?https_proxy[:=]{1}" + line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" + when: + - openshift.common.https_proxy is defined + - openshift.common.https_proxy != '' + + - name: Add no_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?no_proxy[:=]{1}" + line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" + when: + - openshift.common.no_proxy is defined + - openshift.common.no_proxy != '' + + +- block: + + - name: Set to default prepend + set_fact: + l_crio_image_prepend: "docker.io/gscrivano" + l_crio_image_name: "crio-o-fedora" + + - name: Use Centos based image when distribution is Red Hat or CentOS + set_fact: + l_crio_image_name: "cri-o-centos" + when: ansible_distribution in ['RedHat', 'CentOS'] + + # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 + - name: Use a testing registry if requested + set_fact: + l_crio_image_prepend: "{{ openshift_crio_systemcontainer_image_registry_override }}" + when: + - openshift_crio_systemcontainer_image_registry_override is defined + - openshift_crio_systemcontainer_image_registry_override != "" + + - name: Set the full image name + set_fact: + l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:latest" + +# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released +- name: Pre-pull CRI-O System Container image + command: "atomic pull --storage ostree {{ l_crio_image }}" + changed_when: false + environment: + NO_PROXY: "{{ openshift.common.no_proxy | default('') }}" + + +- name: Install CRI-O System Container + oc_atomic_container: + name: "cri-o" + image: "{{ l_crio_image }}" + state: latest + +- name: Create the CRI-O configuration + template: + dest: /etc/crio/crio.conf + src: crio.conf.j2 + backup: yes + +- name: Ensure CNI configuration directory exists + file: + path: /etc/cni/net.d/ + state: directory + +- name: Configure the CNI network + template: + dest: /etc/cni/net.d/openshift-sdn.conf + src: 80-openshift-sdn.conf.j2 + +- name: Start the CRI-O service + systemd: + name: "cri-o" + enabled: yes + state: started + daemon_reload: yes + register: start_result + +- meta: flush_handlers diff --git a/roles/docker/templates/80-openshift-sdn.conf.j2 b/roles/docker/templates/80-openshift-sdn.conf.j2 new file mode 100644 index 000000000..a693aea5f --- /dev/null +++ b/roles/docker/templates/80-openshift-sdn.conf.j2 @@ -0,0 +1,5 @@ +{ + "cniVersion": "0.1.0", + "name": "openshift-sdn", + "type": "openshift-sdn" +} diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 new file mode 100644 index 000000000..eae1759ab --- /dev/null +++ b/roles/docker/templates/crio.conf.j2 @@ -0,0 +1,132 @@ +# {{ ansible_managed }} + +# The "crio" table contains all of the server options. +[crio] + +# root is a path to the "root directory". CRIO stores all of its data, +# including container images, in this directory. +root = "/var/lib/containers/storage" + +# run is a path to the "run directory". CRIO stores all of its state +# in this directory. +runroot = "/var/run/containers/storage" + +# storage_driver select which storage driver is used to manage storage +# of images and containers. +storage_driver = "overlay2" + +# storage_option is used to pass an option to the storage driver. +storage_option = [ +{% if ansible_distribution in ['RedHat', 'CentOS'] %} + "overlay2.override_kernel_check=1" +{% endif %} +] + +# The "crio.api" table contains settings for the kubelet/gRPC +# interface (which is also used by crioctl). +[crio.api] + +# listen is the path to the AF_LOCAL socket on which crio will listen. +listen = "/var/run/crio.sock" + +# stream_address is the IP address on which the stream server will listen +stream_address = "" + +# stream_port is the port on which the stream server will listen +stream_port = "10010" + +# The "crio.runtime" table contains settings pertaining to the OCI +# runtime used and options for how to set up and manage the OCI runtime. +[crio.runtime] + +# runtime is the OCI compatible runtime used for trusted container workloads. +# This is a mandatory setting as this runtime will be the default one +# and will also be used for untrusted container workloads if +# runtime_untrusted_workload is not set. +runtime = "/usr/libexec/crio/runc" + +# runtime_untrusted_workload is the OCI compatible runtime used for untrusted +# container workloads. This is an optional setting, except if +# default_container_trust is set to "untrusted". +runtime_untrusted_workload = "" + +# default_workload_trust is the default level of trust crio puts in container +# workloads. It can either be "trusted" or "untrusted", and the default +# is "trusted". +# Containers can be run through different container runtimes, depending on +# the trust hints we receive from kubelet: +# - If kubelet tags a container workload as untrusted, crio will try first to +# run it through the untrusted container workload runtime. If it is not set, +# crio will use the trusted runtime. +# - If kubelet does not provide any information about the container workload trust +# level, the selected runtime will depend on the default_container_trust setting. +# If it is set to "untrusted", then all containers except for the host privileged +# ones, will be run by the runtime_untrusted_workload runtime. Host privileged +# containers are by definition trusted and will always use the trusted container +# runtime. If default_container_trust is set to "trusted", crio will use the trusted +# container runtime for all containers. +default_workload_trust = "trusted" + +# conmon is the path to conmon binary, used for managing the runtime. +conmon = "/usr/libexec/crio/conmon" + +# conmon_env is the environment variable list for conmon process, +# used for passing necessary environment variable to conmon or runtime. +conmon_env = [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", +] + +# selinux indicates whether or not SELinux will be used for pod +# separation on the host. If you enable this flag, SELinux must be running +# on the host. +selinux = true + +# seccomp_profile is the seccomp json profile path which is used as the +# default for the runtime. +seccomp_profile = "/etc/crio/seccomp.json" + +# apparmor_profile is the apparmor profile name which is used as the +# default for the runtime. +apparmor_profile = "crio-default" + +# cgroup_manager is the cgroup management implementation to be used +# for the runtime. +cgroup_manager = "systemd" + +# The "crio.image" table contains settings pertaining to the +# management of OCI images. +[crio.image] + +# default_transport is the prefix we try prepending to an image name if the +# image name as we receive it can't be parsed as a valid source reference +default_transport = "docker://" + +# pause_image is the image which we use to instantiate infra containers. +pause_image = "kubernetes/pause" + +# pause_command is the command to run in a pause_image to have a container just +# sit there. If the image contains the necessary information, this value need +# not be specified. +pause_command = "/pause" + +# signature_policy is the name of the file which decides what sort of policy we +# use when deciding whether or not to trust an image that we've pulled. +# Outside of testing situations, it is strongly advised that this be left +# unspecified so that the default system-wide policy will be used. +signature_policy = "" + +# insecure_registries is used to skip TLS verification when pulling images. +insecure_registries = [ +{{ l_insecure_crio_registries|default("") }} +] + +# The "crio.network" table contains settings pertaining to the +# management of CNI plugins. +[crio.network] + +# network_dir is is where CNI network configuration +# files are stored. +network_dir = "/etc/cni/net.d/" + +# plugin_dir is is where CNI plugin binaries are stored. +plugin_dir = "/opt/cni/bin/" diff --git a/roles/docker/templates/overlay.conf.j2 b/roles/docker/templates/overlay.conf.j2 new file mode 100644 index 000000000..782f46c2e --- /dev/null +++ b/roles/docker/templates/overlay.conf.j2 @@ -0,0 +1,2 @@ +### {{ ansible_managed }} +overlay diff --git a/roles/openshift_cli/library/openshift_container_binary_sync.py b/roles/openshift_cli/library/openshift_container_binary_sync.py index 57ac16602..c47203211 100644 --- a/roles/openshift_cli/library/openshift_container_binary_sync.py +++ b/roles/openshift_cli/library/openshift_container_binary_sync.py @@ -24,23 +24,51 @@ class BinarySyncError(Exception): self.msg = msg -# pylint: disable=too-few-public-methods +# pylint: disable=too-few-public-methods,too-many-instance-attributes class BinarySyncer(object): """ Syncs the openshift, oc, oadm, and kubectl binaries/symlinks out of a container onto the host system. """ - def __init__(self, module, image, tag): + def __init__(self, module, image, tag, backend): self.module = module self.changed = False self.output = [] self.bin_dir = '/usr/local/bin' self.image = image self.tag = tag + self.backend = backend self.temp_dir = None # TBD def sync(self): + if self.backend == 'atomic': + return self._sync_atomic() + + return self._sync_docker() + + def _sync_atomic(self): + self.temp_dir = tempfile.mkdtemp() + temp_dir_mount = tempfile.mkdtemp() + try: + image_spec = '%s:%s' % (self.image, self.tag) + rc, stdout, stderr = self.module.run_command(['atomic', 'mount', + '--storage', "ostree", + image_spec, temp_dir_mount]) + if rc: + raise BinarySyncError("Error mounting image. stdout=%s, stderr=%s" % + (stdout, stderr)) + for i in ["openshift", "oc"]: + src_file = os.path.join(temp_dir_mount, "usr/bin", i) + shutil.copy(src_file, self.temp_dir) + + self._sync_binaries() + finally: + self.module.run_command(['atomic', 'umount', temp_dir_mount]) + shutil.rmtree(temp_dir_mount) + shutil.rmtree(self.temp_dir) + + def _sync_docker(self): container_name = "openshift-cli-%s" % random.randint(1, 100000) rc, stdout, stderr = self.module.run_command(['docker', 'create', '--name', container_name, '%s:%s' % (self.image, self.tag)]) @@ -64,21 +92,24 @@ class BinarySyncer(object): raise BinarySyncError("Error copying file from docker container: stdout=%s, stderr=%s" % (stdout, stderr)) - self._sync_binary('openshift') - - # In older versions, oc was a symlink to openshift: - if os.path.islink(os.path.join(self.temp_dir, 'oc')): - self._sync_symlink('oc', 'openshift') - else: - self._sync_binary('oc') - - # Ensure correct symlinks created: - self._sync_symlink('kubectl', 'openshift') - self._sync_symlink('oadm', 'openshift') + self._sync_binaries() finally: shutil.rmtree(self.temp_dir) self.module.run_command(['docker', 'rm', container_name]) + def _sync_binaries(self): + self._sync_binary('openshift') + + # In older versions, oc was a symlink to openshift: + if os.path.islink(os.path.join(self.temp_dir, 'oc')): + self._sync_symlink('oc', 'openshift') + else: + self._sync_binary('oc') + + # Ensure correct symlinks created: + self._sync_symlink('kubectl', 'openshift') + self._sync_symlink('oadm', 'openshift') + def _sync_symlink(self, binary_name, link_to): """ Ensure the given binary name exists and links to the expected binary. """ @@ -112,14 +143,19 @@ def main(): argument_spec=dict( image=dict(required=True), tag=dict(required=True), + backend=dict(required=True), ), supports_check_mode=True ) image = module.params['image'] tag = module.params['tag'] + backend = module.params['backend'] + + if backend not in ["docker", "atomic"]: + module.fail_json(msg="unknown backend") - binary_syncer = BinarySyncer(module, image, tag) + binary_syncer = BinarySyncer(module, image, tag, backend) try: binary_syncer.sync() diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml index 07a00189c..c716a0860 100644 --- a/roles/openshift_cli/tasks/main.yml +++ b/roles/openshift_cli/tasks/main.yml @@ -1,20 +1,42 @@ --- +- set_fact: + l_use_crio: "{{ openshift_docker_use_crio | default(false) }}" + - name: Install clients package: name={{ openshift.common.service_type }}-clients state=present when: not openshift.common.is_containerized | bool -- name: Pull CLI Image - command: > - docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }} - register: pull_result - changed_when: "'Downloaded newer image' in pull_result.stdout" - when: openshift.common.is_containerized | bool +- block: + - name: Pull CLI Image + command: > + docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Downloaded newer image' in pull_result.stdout" + + - name: Copy client binaries/symlinks out of CLI image for use on the host + openshift_container_binary_sync: + image: "{{ openshift.common.cli_image }}" + tag: "{{ openshift_image_tag }}" + backend: "docker" + when: + - openshift.common.is_containerized | bool + - not l_use_crio + +- block: + - name: Pull CLI Image + command: > + atomic pull --storage ostree {{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Pulling layer' in pull_result.stdout" -- name: Copy client binaries/symlinks out of CLI image for use on the host - openshift_container_binary_sync: - image: "{{ openshift.common.cli_image }}" - tag: "{{ openshift_image_tag }}" - when: openshift.common.is_containerized | bool + - name: Copy client binaries/symlinks out of CLI image for use on the host + openshift_container_binary_sync: + image: "{{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}" + tag: "{{ openshift_image_tag }}" + backend: "atomic" + when: + - openshift.common.is_containerized | bool + - l_use_crio - name: Reload facts to pick up installed OpenShift version openshift_facts: diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml index 95e94171d..516d7dc29 100644 --- a/roles/openshift_docker_facts/tasks/main.yml +++ b/roles/openshift_docker_facts/tasks/main.yml @@ -17,6 +17,7 @@ hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.docker.hosted_registry_insecure | default(False)) }}" hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}" use_system_container: "{{ openshift_docker_use_system_container | default(False) }}" + use_crio: "{{ openshift_docker_use_crio | default(False) }}" - role: node local_facts: sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index 451386bf1..4af02ab96 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -7,6 +7,7 @@ # Locally setup containerized facts for now - set_fact: l_is_atomic: "{{ ostree_booted.stat.exists }}" + l_use_crio: "{{ openshift_docker_use_crio | default(false) }}" - set_fact: l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}" l_is_openvswitch_system_container: "{{ (openshift_use_openvswitch_system_container | default(openshift_use_system_containers) | bool) }}" @@ -55,6 +56,7 @@ - l_atomic_docker_version.stdout | replace('"', '') | version_compare('1.12','>=') when: + - not l_use_crio - l_is_atomic | bool - r_openshift_facts_ran is not defined diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 87b1f6537..ca4fef360 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -2,9 +2,9 @@ # TODO: allow for overriding default ports where possible - fail: msg: "SELinux is disabled, This deployment type requires that SELinux is enabled." - when: > - (not ansible_selinux or ansible_selinux.status != 'enabled') and - deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] + when: + - (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] + - not openshift_docker_use_crio | default(false) # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory - name: Check for swap usage @@ -66,6 +66,13 @@ - openshift.common.use_openshift_sdn | default(true) | bool - not openshift.common.is_containerized | bool +- name: Restart cri-o + systemd: + name: cri-o + enabled: yes + state: restarted + when: openshift_docker_use_crio | default(false) + - name: Install conntrack-tools package package: name: "conntrack-tools" diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml index 34c2334d8..dc1df9185 100644 --- a/roles/openshift_node/tasks/openvswitch_system_container.yml +++ b/roles/openshift_node/tasks/openvswitch_system_container.yml @@ -1,4 +1,15 @@ --- +- set_fact: + l_use_crio: "{{ openshift_docker_use_crio | default(false) }}" + +- set_fact: + l_service_name: "cri-o" + when: l_use_crio + +- set_fact: + l_service_name: "{{ openshift.docker.service_name }}" + when: not l_use_crio + - name: Pre-pull OpenVSwitch system container image command: > atomic pull --storage=ostree {{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }} @@ -11,4 +22,4 @@ image: "{{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}" state: latest values: - - "DOCKER_SERVICE={{ openshift.docker.service_name }}.service" + - "DOCKER_SERVICE={{ l_service_name }}" diff --git a/roles/openshift_node/templates/node.service.j2 b/roles/openshift_node/templates/node.service.j2 index e12a52c15..3d0ae3bbd 100644 --- a/roles/openshift_node/templates/node.service.j2 +++ b/roles/openshift_node/templates/node.service.j2 @@ -8,6 +8,7 @@ Wants={{ openshift.docker.service_name }}.service Documentation=https://github.com/openshift/origin Requires=dnsmasq.service After=dnsmasq.service +{% if openshift.docker.use_crio %}Wants=cri-o.service{% endif %} [Service] Type=notify diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index 351c8c9f6..93f8658b4 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -16,6 +16,21 @@ imageConfig: latest: false kind: NodeConfig kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yaml(level=1) }} +{% if openshift.docker.use_crio | default(False) %} + container-runtime: + - remote + container-runtime-endpoint: + - /var/run/crio.sock + experimental-cri: + - 'true' + image-service-endpoint: + - /var/run/crio.sock + node-labels: + - router=true + - registry=true + runtime-request-timeout: + - 10m +{% endif %} {% if openshift.common.version_gte_3_3_or_1_3 | bool %} masterClientConnectionOverrides: acceptContentTypes: application/vnd.kubernetes.protobuf,application/json diff --git a/roles/openshift_node/templates/openshift.docker.node.dep.service b/roles/openshift_node/templates/openshift.docker.node.dep.service index 4c47f8c0d..c4580be1f 100644 --- a/roles/openshift_node/templates/openshift.docker.node.dep.service +++ b/roles/openshift_node/templates/openshift.docker.node.dep.service @@ -3,7 +3,7 @@ Requires={{ openshift.docker.service_name }}.service After={{ openshift.docker.service_name }}.service PartOf={{ openshift.common.service_type }}-node.service Before={{ openshift.common.service_type }}-node.service - +{% if openshift.docker.use_crio %}Wants=cri-o.service{% endif %} [Service] ExecStart=/bin/bash -c "if [[ -f /usr/bin/docker-current ]]; then echo \"DOCKER_ADDTL_BIND_MOUNTS=--volume=/usr/bin/docker-current:/usr/bin/docker-current:ro --volume=/etc/sysconfig/docker:/etc/sysconfig/docker:ro\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; else echo \"#DOCKER_ADDTL_BIND_MOUNTS=\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; fi" diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml index 0ec4c49d6..4d9f72f01 100644 --- a/roles/openshift_version/tasks/set_version_containerized.yml +++ b/roles/openshift_version/tasks/set_version_containerized.yml @@ -1,4 +1,7 @@ --- +- set_fact: + l_use_crio: "{{ openshift_docker_use_crio | default(false) }}" + - name: Set containerized version to configure if openshift_image_tag specified set_fact: # Expects a leading "v" in inventory, strip it off here unless @@ -42,12 +45,18 @@ when: - openshift_version is defined - openshift_version.split('.') | length == 2 + - not l_use_crio - set_fact: openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2][1:] | join('-') if openshift.common.deployment_type == 'origin' else cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}" when: - openshift_version is defined - openshift_version.split('.') | length == 2 + - not l_use_crio + +# TODO: figure out a way to check for the openshift_version when using CRI-O. +# We should do that using the images in the ostree storage so we don't have +# to pull them again. # We finally have the specific version. Now we clean up any strange # dangly +c0mm1t-offset tags in the version. See also, |