summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOpenShift Bot <eparis+openshiftbot@redhat.com>2017-08-04 18:32:23 -0400
committerGitHub <noreply@github.com>2017-08-04 18:32:23 -0400
commit3db2bb10c0ad5e7ed702bfccdec03562533e8539 (patch)
tree27e9493d9e5ed24ec1847678b76e02e10d61ce77
parent145c90c9eb58ae9ce25e7795fcf403a2595d3580 (diff)
parent31e708a5d440a6ad13f81c4b94ad26e0b2d9587a (diff)
downloadopenshift-3db2bb10c0ad5e7ed702bfccdec03562533e8539.tar.gz
openshift-3db2bb10c0ad5e7ed702bfccdec03562533e8539.tar.bz2
openshift-3db2bb10c0ad5e7ed702bfccdec03562533e8539.tar.xz
openshift-3db2bb10c0ad5e7ed702bfccdec03562533e8539.zip
Merge pull request #4898 from giuseppe/cri-o
Merged by openshift-bot
-rw-r--r--inventory/byo/hosts.origin.example7
-rw-r--r--inventory/byo/hosts.ose.example7
-rw-r--r--roles/docker/tasks/main.yml15
-rw-r--r--roles/docker/tasks/systemcontainer_crio.yml146
-rw-r--r--roles/docker/templates/80-openshift-sdn.conf.j25
-rw-r--r--roles/docker/templates/crio.conf.j2132
-rw-r--r--roles/docker/templates/overlay.conf.j22
-rw-r--r--roles/openshift_cli/library/openshift_container_binary_sync.py64
-rw-r--r--roles/openshift_cli/tasks/main.yml44
-rw-r--r--roles/openshift_docker_facts/tasks/main.yml1
-rw-r--r--roles/openshift_facts/tasks/main.yml2
-rw-r--r--roles/openshift_node/tasks/main.yml13
-rw-r--r--roles/openshift_node/tasks/openvswitch_system_container.yml13
-rw-r--r--roles/openshift_node/templates/node.service.j21
-rw-r--r--roles/openshift_node/templates/node.yaml.v1.j215
-rw-r--r--roles/openshift_node/templates/openshift.docker.node.dep.service2
-rw-r--r--roles/openshift_version/tasks/set_version_containerized.yml9
17 files changed, 444 insertions, 34 deletions
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index f09c3d255..239727c6e 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -108,10 +108,15 @@ openshift_release=v3.6
# The following options must not be used
# - openshift_docker_options
#openshift_docker_use_system_container=False
-# Force the registry to use for the system container. By default the registry
+# Instead of using docker, replacec it with cri-o
+# NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override
+# just as container-engine does.
+#openshift_docker_use_crio=False
+# Force the registry to use for the docker/crio system container. By default the registry
# will be built off of the deployment type and ansible_distribution. Only
# use this option if you are sure you know what you are doing!
#openshift_docker_systemcontainer_image_registry_override="registry.example.com"
+#openshift_crio_systemcontainer_image_registry_override="registry.example.com"
# Items added, as is, to end of /etc/sysconfig/docker OPTIONS
# Default value: "--log-driver=journald"
#openshift_docker_options="-l warn --ipv6=false"
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index c4b5da5b8..837c54f27 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -108,10 +108,15 @@ openshift_release=v3.6
# The following options must not be used
# - openshift_docker_options
#openshift_docker_use_system_container=False
-# Force the registry to use for the system container. By default the registry
+# Install and run cri-o along side docker
+# NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override
+# just as container-engine does.
+#openshift_docker_use_crio=False
+# Force the registry to use for the container-engine/crio system container. By default the registry
# will be built off of the deployment type and ansible_distribution. Only
# use this option if you are sure you know what you are doing!
#openshift_docker_systemcontainer_image_registry_override="registry.example.com"
+#openshift_crio_systemcontainer_image_registry_override="registry.example.com"
# Items added, as is, to end of /etc/sysconfig/docker OPTIONS
# Default value: "--log-driver=journald"
#openshift_docker_options="-l warn --ipv6=false"
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 0c2b16acf..1f9ac5059 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -7,11 +7,22 @@
- set_fact:
l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}"
+ l_use_crio: "{{ openshift.docker.use_crio | default(False) }}"
+ l_use_crio_only: "{{ openshift.docker.use_crio_only | default(False) }}"
- name: Use Package Docker if Requested
include: package_docker.yml
- when: not l_use_system_container
+ when:
+ - not l_use_system_container
+ - not l_use_crio_only
- name: Use System Container Docker if Requested
include: systemcontainer_docker.yml
- when: l_use_system_container
+ when:
+ - l_use_system_container
+ - not l_use_crio_only
+
+- name: Add CRI-O usage Requested
+ include: systemcontainer_crio.yml
+ when:
+ - l_use_crio
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
new file mode 100644
index 000000000..787f51f94
--- /dev/null
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -0,0 +1,146 @@
+---
+# TODO: Much of this file is shared with container engine tasks
+- set_fact:
+ l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}"
+ when: openshift.docker.insecure_registries
+
+- name: Ensure container-selinux is installed
+ package:
+ name: container-selinux
+ state: present
+ when: not openshift.common.is_atomic | bool
+
+# Used to pull and install the system container
+- name: Ensure atomic is installed
+ package:
+ name: atomic
+ state: present
+ when: not openshift.common.is_atomic | bool
+
+# At the time of writing the atomic command requires runc for it's own use. This
+# task is here in the even that the atomic package ever removes the dependency.
+- name: Ensure runc is installed
+ package:
+ name: runc
+ state: present
+ when: not openshift.common.is_atomic | bool
+
+
+- name: Check that overlay is in the kernel
+ shell: lsmod | grep overlay
+ register: l_has_overlay_in_kernel
+ ignore_errors: yes
+
+
+- when: l_has_overlay_in_kernel.rc != 0
+ block:
+
+ - name: Add overlay to modprobe.d
+ template:
+ dest: /etc/modules-load.d/overlay.conf
+ src: overlay.conf.j2
+ backup: yes
+
+ - name: Manually modprobe overlay into the kernel
+ command: modprobe overlay
+
+ - name: Enable and start systemd-modules-load
+ service:
+ name: systemd-modules-load
+ enabled: yes
+ state: restarted
+
+
+- block:
+
+ - name: Add http_proxy to /etc/atomic.conf
+ lineinfile:
+ dest: /etc/atomic.conf
+ regexp: "^#?http_proxy[:=]{1}"
+ line: "http_proxy: {{ openshift.common.http_proxy | default('') }}"
+ when:
+ - openshift.common.http_proxy is defined
+ - openshift.common.http_proxy != ''
+
+ - name: Add https_proxy to /etc/atomic.conf
+ lineinfile:
+ dest: /etc/atomic.conf
+ regexp: "^#?https_proxy[:=]{1}"
+ line: "https_proxy: {{ openshift.common.https_proxy | default('') }}"
+ when:
+ - openshift.common.https_proxy is defined
+ - openshift.common.https_proxy != ''
+
+ - name: Add no_proxy to /etc/atomic.conf
+ lineinfile:
+ dest: /etc/atomic.conf
+ regexp: "^#?no_proxy[:=]{1}"
+ line: "no_proxy: {{ openshift.common.no_proxy | default('') }}"
+ when:
+ - openshift.common.no_proxy is defined
+ - openshift.common.no_proxy != ''
+
+
+- block:
+
+ - name: Set to default prepend
+ set_fact:
+ l_crio_image_prepend: "docker.io/gscrivano"
+ l_crio_image_name: "crio-o-fedora"
+
+ - name: Use Centos based image when distribution is Red Hat or CentOS
+ set_fact:
+ l_crio_image_name: "cri-o-centos"
+ when: ansible_distribution in ['RedHat', 'CentOS']
+
+ # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504
+ - name: Use a testing registry if requested
+ set_fact:
+ l_crio_image_prepend: "{{ openshift_crio_systemcontainer_image_registry_override }}"
+ when:
+ - openshift_crio_systemcontainer_image_registry_override is defined
+ - openshift_crio_systemcontainer_image_registry_override != ""
+
+ - name: Set the full image name
+ set_fact:
+ l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:latest"
+
+# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released
+- name: Pre-pull CRI-O System Container image
+ command: "atomic pull --storage ostree {{ l_crio_image }}"
+ changed_when: false
+ environment:
+ NO_PROXY: "{{ openshift.common.no_proxy | default('') }}"
+
+
+- name: Install CRI-O System Container
+ oc_atomic_container:
+ name: "cri-o"
+ image: "{{ l_crio_image }}"
+ state: latest
+
+- name: Create the CRI-O configuration
+ template:
+ dest: /etc/crio/crio.conf
+ src: crio.conf.j2
+ backup: yes
+
+- name: Ensure CNI configuration directory exists
+ file:
+ path: /etc/cni/net.d/
+ state: directory
+
+- name: Configure the CNI network
+ template:
+ dest: /etc/cni/net.d/openshift-sdn.conf
+ src: 80-openshift-sdn.conf.j2
+
+- name: Start the CRI-O service
+ systemd:
+ name: "cri-o"
+ enabled: yes
+ state: started
+ daemon_reload: yes
+ register: start_result
+
+- meta: flush_handlers
diff --git a/roles/docker/templates/80-openshift-sdn.conf.j2 b/roles/docker/templates/80-openshift-sdn.conf.j2
new file mode 100644
index 000000000..a693aea5f
--- /dev/null
+++ b/roles/docker/templates/80-openshift-sdn.conf.j2
@@ -0,0 +1,5 @@
+{
+ "cniVersion": "0.1.0",
+ "name": "openshift-sdn",
+ "type": "openshift-sdn"
+}
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
new file mode 100644
index 000000000..eae1759ab
--- /dev/null
+++ b/roles/docker/templates/crio.conf.j2
@@ -0,0 +1,132 @@
+# {{ ansible_managed }}
+
+# The "crio" table contains all of the server options.
+[crio]
+
+# root is a path to the "root directory". CRIO stores all of its data,
+# including container images, in this directory.
+root = "/var/lib/containers/storage"
+
+# run is a path to the "run directory". CRIO stores all of its state
+# in this directory.
+runroot = "/var/run/containers/storage"
+
+# storage_driver select which storage driver is used to manage storage
+# of images and containers.
+storage_driver = "overlay2"
+
+# storage_option is used to pass an option to the storage driver.
+storage_option = [
+{% if ansible_distribution in ['RedHat', 'CentOS'] %}
+ "overlay2.override_kernel_check=1"
+{% endif %}
+]
+
+# The "crio.api" table contains settings for the kubelet/gRPC
+# interface (which is also used by crioctl).
+[crio.api]
+
+# listen is the path to the AF_LOCAL socket on which crio will listen.
+listen = "/var/run/crio.sock"
+
+# stream_address is the IP address on which the stream server will listen
+stream_address = ""
+
+# stream_port is the port on which the stream server will listen
+stream_port = "10010"
+
+# The "crio.runtime" table contains settings pertaining to the OCI
+# runtime used and options for how to set up and manage the OCI runtime.
+[crio.runtime]
+
+# runtime is the OCI compatible runtime used for trusted container workloads.
+# This is a mandatory setting as this runtime will be the default one
+# and will also be used for untrusted container workloads if
+# runtime_untrusted_workload is not set.
+runtime = "/usr/libexec/crio/runc"
+
+# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
+# container workloads. This is an optional setting, except if
+# default_container_trust is set to "untrusted".
+runtime_untrusted_workload = ""
+
+# default_workload_trust is the default level of trust crio puts in container
+# workloads. It can either be "trusted" or "untrusted", and the default
+# is "trusted".
+# Containers can be run through different container runtimes, depending on
+# the trust hints we receive from kubelet:
+# - If kubelet tags a container workload as untrusted, crio will try first to
+# run it through the untrusted container workload runtime. If it is not set,
+# crio will use the trusted runtime.
+# - If kubelet does not provide any information about the container workload trust
+# level, the selected runtime will depend on the default_container_trust setting.
+# If it is set to "untrusted", then all containers except for the host privileged
+# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
+# containers are by definition trusted and will always use the trusted container
+# runtime. If default_container_trust is set to "trusted", crio will use the trusted
+# container runtime for all containers.
+default_workload_trust = "trusted"
+
+# conmon is the path to conmon binary, used for managing the runtime.
+conmon = "/usr/libexec/crio/conmon"
+
+# conmon_env is the environment variable list for conmon process,
+# used for passing necessary environment variable to conmon or runtime.
+conmon_env = [
+ "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+]
+
+# selinux indicates whether or not SELinux will be used for pod
+# separation on the host. If you enable this flag, SELinux must be running
+# on the host.
+selinux = true
+
+# seccomp_profile is the seccomp json profile path which is used as the
+# default for the runtime.
+seccomp_profile = "/etc/crio/seccomp.json"
+
+# apparmor_profile is the apparmor profile name which is used as the
+# default for the runtime.
+apparmor_profile = "crio-default"
+
+# cgroup_manager is the cgroup management implementation to be used
+# for the runtime.
+cgroup_manager = "systemd"
+
+# The "crio.image" table contains settings pertaining to the
+# management of OCI images.
+[crio.image]
+
+# default_transport is the prefix we try prepending to an image name if the
+# image name as we receive it can't be parsed as a valid source reference
+default_transport = "docker://"
+
+# pause_image is the image which we use to instantiate infra containers.
+pause_image = "kubernetes/pause"
+
+# pause_command is the command to run in a pause_image to have a container just
+# sit there. If the image contains the necessary information, this value need
+# not be specified.
+pause_command = "/pause"
+
+# signature_policy is the name of the file which decides what sort of policy we
+# use when deciding whether or not to trust an image that we've pulled.
+# Outside of testing situations, it is strongly advised that this be left
+# unspecified so that the default system-wide policy will be used.
+signature_policy = ""
+
+# insecure_registries is used to skip TLS verification when pulling images.
+insecure_registries = [
+{{ l_insecure_crio_registries|default("") }}
+]
+
+# The "crio.network" table contains settings pertaining to the
+# management of CNI plugins.
+[crio.network]
+
+# network_dir is is where CNI network configuration
+# files are stored.
+network_dir = "/etc/cni/net.d/"
+
+# plugin_dir is is where CNI plugin binaries are stored.
+plugin_dir = "/opt/cni/bin/"
diff --git a/roles/docker/templates/overlay.conf.j2 b/roles/docker/templates/overlay.conf.j2
new file mode 100644
index 000000000..782f46c2e
--- /dev/null
+++ b/roles/docker/templates/overlay.conf.j2
@@ -0,0 +1,2 @@
+### {{ ansible_managed }}
+overlay
diff --git a/roles/openshift_cli/library/openshift_container_binary_sync.py b/roles/openshift_cli/library/openshift_container_binary_sync.py
index 57ac16602..c47203211 100644
--- a/roles/openshift_cli/library/openshift_container_binary_sync.py
+++ b/roles/openshift_cli/library/openshift_container_binary_sync.py
@@ -24,23 +24,51 @@ class BinarySyncError(Exception):
self.msg = msg
-# pylint: disable=too-few-public-methods
+# pylint: disable=too-few-public-methods,too-many-instance-attributes
class BinarySyncer(object):
"""
Syncs the openshift, oc, oadm, and kubectl binaries/symlinks out of
a container onto the host system.
"""
- def __init__(self, module, image, tag):
+ def __init__(self, module, image, tag, backend):
self.module = module
self.changed = False
self.output = []
self.bin_dir = '/usr/local/bin'
self.image = image
self.tag = tag
+ self.backend = backend
self.temp_dir = None # TBD
def sync(self):
+ if self.backend == 'atomic':
+ return self._sync_atomic()
+
+ return self._sync_docker()
+
+ def _sync_atomic(self):
+ self.temp_dir = tempfile.mkdtemp()
+ temp_dir_mount = tempfile.mkdtemp()
+ try:
+ image_spec = '%s:%s' % (self.image, self.tag)
+ rc, stdout, stderr = self.module.run_command(['atomic', 'mount',
+ '--storage', "ostree",
+ image_spec, temp_dir_mount])
+ if rc:
+ raise BinarySyncError("Error mounting image. stdout=%s, stderr=%s" %
+ (stdout, stderr))
+ for i in ["openshift", "oc"]:
+ src_file = os.path.join(temp_dir_mount, "usr/bin", i)
+ shutil.copy(src_file, self.temp_dir)
+
+ self._sync_binaries()
+ finally:
+ self.module.run_command(['atomic', 'umount', temp_dir_mount])
+ shutil.rmtree(temp_dir_mount)
+ shutil.rmtree(self.temp_dir)
+
+ def _sync_docker(self):
container_name = "openshift-cli-%s" % random.randint(1, 100000)
rc, stdout, stderr = self.module.run_command(['docker', 'create', '--name',
container_name, '%s:%s' % (self.image, self.tag)])
@@ -64,21 +92,24 @@ class BinarySyncer(object):
raise BinarySyncError("Error copying file from docker container: stdout=%s, stderr=%s" %
(stdout, stderr))
- self._sync_binary('openshift')
-
- # In older versions, oc was a symlink to openshift:
- if os.path.islink(os.path.join(self.temp_dir, 'oc')):
- self._sync_symlink('oc', 'openshift')
- else:
- self._sync_binary('oc')
-
- # Ensure correct symlinks created:
- self._sync_symlink('kubectl', 'openshift')
- self._sync_symlink('oadm', 'openshift')
+ self._sync_binaries()
finally:
shutil.rmtree(self.temp_dir)
self.module.run_command(['docker', 'rm', container_name])
+ def _sync_binaries(self):
+ self._sync_binary('openshift')
+
+ # In older versions, oc was a symlink to openshift:
+ if os.path.islink(os.path.join(self.temp_dir, 'oc')):
+ self._sync_symlink('oc', 'openshift')
+ else:
+ self._sync_binary('oc')
+
+ # Ensure correct symlinks created:
+ self._sync_symlink('kubectl', 'openshift')
+ self._sync_symlink('oadm', 'openshift')
+
def _sync_symlink(self, binary_name, link_to):
""" Ensure the given binary name exists and links to the expected binary. """
@@ -112,14 +143,19 @@ def main():
argument_spec=dict(
image=dict(required=True),
tag=dict(required=True),
+ backend=dict(required=True),
),
supports_check_mode=True
)
image = module.params['image']
tag = module.params['tag']
+ backend = module.params['backend']
+
+ if backend not in ["docker", "atomic"]:
+ module.fail_json(msg="unknown backend")
- binary_syncer = BinarySyncer(module, image, tag)
+ binary_syncer = BinarySyncer(module, image, tag, backend)
try:
binary_syncer.sync()
diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml
index 07a00189c..c716a0860 100644
--- a/roles/openshift_cli/tasks/main.yml
+++ b/roles/openshift_cli/tasks/main.yml
@@ -1,20 +1,42 @@
---
+- set_fact:
+ l_use_crio: "{{ openshift_docker_use_crio | default(false) }}"
+
- name: Install clients
package: name={{ openshift.common.service_type }}-clients state=present
when: not openshift.common.is_containerized | bool
-- name: Pull CLI Image
- command: >
- docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }}
- register: pull_result
- changed_when: "'Downloaded newer image' in pull_result.stdout"
- when: openshift.common.is_containerized | bool
+- block:
+ - name: Pull CLI Image
+ command: >
+ docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }}
+ register: pull_result
+ changed_when: "'Downloaded newer image' in pull_result.stdout"
+
+ - name: Copy client binaries/symlinks out of CLI image for use on the host
+ openshift_container_binary_sync:
+ image: "{{ openshift.common.cli_image }}"
+ tag: "{{ openshift_image_tag }}"
+ backend: "docker"
+ when:
+ - openshift.common.is_containerized | bool
+ - not l_use_crio
+
+- block:
+ - name: Pull CLI Image
+ command: >
+ atomic pull --storage ostree {{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}:{{ openshift_image_tag }}
+ register: pull_result
+ changed_when: "'Pulling layer' in pull_result.stdout"
-- name: Copy client binaries/symlinks out of CLI image for use on the host
- openshift_container_binary_sync:
- image: "{{ openshift.common.cli_image }}"
- tag: "{{ openshift_image_tag }}"
- when: openshift.common.is_containerized | bool
+ - name: Copy client binaries/symlinks out of CLI image for use on the host
+ openshift_container_binary_sync:
+ image: "{{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}"
+ tag: "{{ openshift_image_tag }}"
+ backend: "atomic"
+ when:
+ - openshift.common.is_containerized | bool
+ - l_use_crio
- name: Reload facts to pick up installed OpenShift version
openshift_facts:
diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml
index 95e94171d..516d7dc29 100644
--- a/roles/openshift_docker_facts/tasks/main.yml
+++ b/roles/openshift_docker_facts/tasks/main.yml
@@ -17,6 +17,7 @@
hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.docker.hosted_registry_insecure | default(False)) }}"
hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}"
use_system_container: "{{ openshift_docker_use_system_container | default(False) }}"
+ use_crio: "{{ openshift_docker_use_crio | default(False) }}"
- role: node
local_facts:
sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}"
diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml
index 451386bf1..4af02ab96 100644
--- a/roles/openshift_facts/tasks/main.yml
+++ b/roles/openshift_facts/tasks/main.yml
@@ -7,6 +7,7 @@
# Locally setup containerized facts for now
- set_fact:
l_is_atomic: "{{ ostree_booted.stat.exists }}"
+ l_use_crio: "{{ openshift_docker_use_crio | default(false) }}"
- set_fact:
l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}"
l_is_openvswitch_system_container: "{{ (openshift_use_openvswitch_system_container | default(openshift_use_system_containers) | bool) }}"
@@ -55,6 +56,7 @@
- l_atomic_docker_version.stdout | replace('"', '') | version_compare('1.12','>=')
when:
+ - not l_use_crio
- l_is_atomic | bool
- r_openshift_facts_ran is not defined
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 87b1f6537..ca4fef360 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -2,9 +2,9 @@
# TODO: allow for overriding default ports where possible
- fail:
msg: "SELinux is disabled, This deployment type requires that SELinux is enabled."
- when: >
- (not ansible_selinux or ansible_selinux.status != 'enabled') and
- deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise']
+ when:
+ - (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise']
+ - not openshift_docker_use_crio | default(false)
# https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory
- name: Check for swap usage
@@ -66,6 +66,13 @@
- openshift.common.use_openshift_sdn | default(true) | bool
- not openshift.common.is_containerized | bool
+- name: Restart cri-o
+ systemd:
+ name: cri-o
+ enabled: yes
+ state: restarted
+ when: openshift_docker_use_crio | default(false)
+
- name: Install conntrack-tools package
package:
name: "conntrack-tools"
diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml
index 34c2334d8..dc1df9185 100644
--- a/roles/openshift_node/tasks/openvswitch_system_container.yml
+++ b/roles/openshift_node/tasks/openvswitch_system_container.yml
@@ -1,4 +1,15 @@
---
+- set_fact:
+ l_use_crio: "{{ openshift_docker_use_crio | default(false) }}"
+
+- set_fact:
+ l_service_name: "cri-o"
+ when: l_use_crio
+
+- set_fact:
+ l_service_name: "{{ openshift.docker.service_name }}"
+ when: not l_use_crio
+
- name: Pre-pull OpenVSwitch system container image
command: >
atomic pull --storage=ostree {{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}
@@ -11,4 +22,4 @@
image: "{{ 'docker:' if openshift.common.system_images_registry == 'docker' else openshift.common.system_images_registry + '/' }}{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}"
state: latest
values:
- - "DOCKER_SERVICE={{ openshift.docker.service_name }}.service"
+ - "DOCKER_SERVICE={{ l_service_name }}"
diff --git a/roles/openshift_node/templates/node.service.j2 b/roles/openshift_node/templates/node.service.j2
index e12a52c15..3d0ae3bbd 100644
--- a/roles/openshift_node/templates/node.service.j2
+++ b/roles/openshift_node/templates/node.service.j2
@@ -8,6 +8,7 @@ Wants={{ openshift.docker.service_name }}.service
Documentation=https://github.com/openshift/origin
Requires=dnsmasq.service
After=dnsmasq.service
+{% if openshift.docker.use_crio %}Wants=cri-o.service{% endif %}
[Service]
Type=notify
diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2
index 351c8c9f6..93f8658b4 100644
--- a/roles/openshift_node/templates/node.yaml.v1.j2
+++ b/roles/openshift_node/templates/node.yaml.v1.j2
@@ -16,6 +16,21 @@ imageConfig:
latest: false
kind: NodeConfig
kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yaml(level=1) }}
+{% if openshift.docker.use_crio | default(False) %}
+ container-runtime:
+ - remote
+ container-runtime-endpoint:
+ - /var/run/crio.sock
+ experimental-cri:
+ - 'true'
+ image-service-endpoint:
+ - /var/run/crio.sock
+ node-labels:
+ - router=true
+ - registry=true
+ runtime-request-timeout:
+ - 10m
+{% endif %}
{% if openshift.common.version_gte_3_3_or_1_3 | bool %}
masterClientConnectionOverrides:
acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
diff --git a/roles/openshift_node/templates/openshift.docker.node.dep.service b/roles/openshift_node/templates/openshift.docker.node.dep.service
index 4c47f8c0d..c4580be1f 100644
--- a/roles/openshift_node/templates/openshift.docker.node.dep.service
+++ b/roles/openshift_node/templates/openshift.docker.node.dep.service
@@ -3,7 +3,7 @@ Requires={{ openshift.docker.service_name }}.service
After={{ openshift.docker.service_name }}.service
PartOf={{ openshift.common.service_type }}-node.service
Before={{ openshift.common.service_type }}-node.service
-
+{% if openshift.docker.use_crio %}Wants=cri-o.service{% endif %}
[Service]
ExecStart=/bin/bash -c "if [[ -f /usr/bin/docker-current ]]; then echo \"DOCKER_ADDTL_BIND_MOUNTS=--volume=/usr/bin/docker-current:/usr/bin/docker-current:ro --volume=/etc/sysconfig/docker:/etc/sysconfig/docker:ro\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; else echo \"#DOCKER_ADDTL_BIND_MOUNTS=\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; fi"
diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml
index 0ec4c49d6..4d9f72f01 100644
--- a/roles/openshift_version/tasks/set_version_containerized.yml
+++ b/roles/openshift_version/tasks/set_version_containerized.yml
@@ -1,4 +1,7 @@
---
+- set_fact:
+ l_use_crio: "{{ openshift_docker_use_crio | default(false) }}"
+
- name: Set containerized version to configure if openshift_image_tag specified
set_fact:
# Expects a leading "v" in inventory, strip it off here unless
@@ -42,12 +45,18 @@
when:
- openshift_version is defined
- openshift_version.split('.') | length == 2
+ - not l_use_crio
- set_fact:
openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2][1:] | join('-') if openshift.common.deployment_type == 'origin' else cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}"
when:
- openshift_version is defined
- openshift_version.split('.') | length == 2
+ - not l_use_crio
+
+# TODO: figure out a way to check for the openshift_version when using CRI-O.
+# We should do that using the images in the ostree storage so we don't have
+# to pull them again.
# We finally have the specific version. Now we clean up any strange
# dangly +c0mm1t-offset tags in the version. See also,