summaryrefslogtreecommitdiffstats
path: root/roles/docker/templates
diff options
context:
space:
mode:
authorMichael Gugino <mgugino@redhat.com>2017-11-16 14:56:14 -0500
committerMichael Gugino <mgugino@redhat.com>2017-12-01 12:32:39 -0500
commit5120f8e90c0178ac7f6d911159ceb278dd87b4c9 (patch)
tree1b1f51b242c259e659e1e09c439504b33d33f0c1 /roles/docker/templates
parente0e10698184c9a7cf4bf65787771686e46d26603 (diff)
downloadopenshift-5120f8e90c0178ac7f6d911159ceb278dd87b4c9.tar.gz
openshift-5120f8e90c0178ac7f6d911159ceb278dd87b4c9.tar.bz2
openshift-5120f8e90c0178ac7f6d911159ceb278dd87b4c9.tar.xz
openshift-5120f8e90c0178ac7f6d911159ceb278dd87b4c9.zip
Implement container runtime role
Diffstat (limited to 'roles/docker/templates')
-rw-r--r--roles/docker/templates/80-openshift-sdn.conf.j25
-rw-r--r--roles/docker/templates/crio.conf.j2164
-rw-r--r--roles/docker/templates/custom.conf.j211
-rw-r--r--roles/docker/templates/daemon.json20
-rw-r--r--roles/docker/templates/overlay.conf.j22
-rw-r--r--roles/docker/templates/registries.conf46
-rw-r--r--roles/docker/templates/systemcontainercustom.conf.j217
7 files changed, 0 insertions, 265 deletions
diff --git a/roles/docker/templates/80-openshift-sdn.conf.j2 b/roles/docker/templates/80-openshift-sdn.conf.j2
deleted file mode 100644
index a693aea5f..000000000
--- a/roles/docker/templates/80-openshift-sdn.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "cniVersion": "0.1.0",
- "name": "openshift-sdn",
- "type": "openshift-sdn"
-}
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
deleted file mode 100644
index 3f066a17f..000000000
--- a/roles/docker/templates/crio.conf.j2
+++ /dev/null
@@ -1,164 +0,0 @@
-# {{ ansible_managed }}
-
-# The "crio" table contains all of the server options.
-[crio]
-
-# root is a path to the "root directory". CRIO stores all of its data,
-# including container images, in this directory.
-root = "/var/lib/containers/storage"
-
-# run is a path to the "run directory". CRIO stores all of its state
-# in this directory.
-runroot = "/var/run/containers/storage"
-
-# storage_driver select which storage driver is used to manage storage
-# of images and containers.
-storage_driver = "overlay"
-
-# storage_option is used to pass an option to the storage driver.
-storage_option = [
-{% if ansible_distribution in ['RedHat', 'CentOS'] %}
- "overlay.override_kernel_check=1"
-{% endif %}
-]
-
-# The "crio.api" table contains settings for the kubelet/gRPC
-# interface (which is also used by crioctl).
-[crio.api]
-
-# listen is the path to the AF_LOCAL socket on which crio will listen.
-listen = "/var/run/crio.sock"
-
-# stream_address is the IP address on which the stream server will listen
-stream_address = ""
-
-# stream_port is the port on which the stream server will listen
-stream_port = "10010"
-
-# file_locking is whether file-based locking will be used instead of
-# in-memory locking
-file_locking = true
-
-# The "crio.runtime" table contains settings pertaining to the OCI
-# runtime used and options for how to set up and manage the OCI runtime.
-[crio.runtime]
-
-# runtime is the OCI compatible runtime used for trusted container workloads.
-# This is a mandatory setting as this runtime will be the default one
-# and will also be used for untrusted container workloads if
-# runtime_untrusted_workload is not set.
-runtime = "/usr/bin/runc"
-
-# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
-# container workloads. This is an optional setting, except if
-# default_container_trust is set to "untrusted".
-runtime_untrusted_workload = ""
-
-# default_workload_trust is the default level of trust crio puts in container
-# workloads. It can either be "trusted" or "untrusted", and the default
-# is "trusted".
-# Containers can be run through different container runtimes, depending on
-# the trust hints we receive from kubelet:
-# - If kubelet tags a container workload as untrusted, crio will try first to
-# run it through the untrusted container workload runtime. If it is not set,
-# crio will use the trusted runtime.
-# - If kubelet does not provide any information about the container workload trust
-# level, the selected runtime will depend on the default_container_trust setting.
-# If it is set to "untrusted", then all containers except for the host privileged
-# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
-# containers are by definition trusted and will always use the trusted container
-# runtime. If default_container_trust is set to "trusted", crio will use the trusted
-# container runtime for all containers.
-default_workload_trust = "trusted"
-
-# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
-no_pivot = false
-
-# conmon is the path to conmon binary, used for managing the runtime.
-conmon = "/usr/libexec/crio/conmon"
-
-# conmon_env is the environment variable list for conmon process,
-# used for passing necessary environment variable to conmon or runtime.
-conmon_env = [
- "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
-]
-
-# selinux indicates whether or not SELinux will be used for pod
-# separation on the host. If you enable this flag, SELinux must be running
-# on the host.
-selinux = true
-
-# seccomp_profile is the seccomp json profile path which is used as the
-# default for the runtime.
-seccomp_profile = "/etc/crio/seccomp.json"
-
-# apparmor_profile is the apparmor profile name which is used as the
-# default for the runtime.
-apparmor_profile = "crio-default"
-
-# cgroup_manager is the cgroup management implementation to be used
-# for the runtime.
-cgroup_manager = "systemd"
-
-# hooks_dir_path is the oci hooks directory for automatically executed hooks
-hooks_dir_path = "/usr/share/containers/oci/hooks.d"
-
-# default_mounts is the mounts list to be mounted for the container when created
-default_mounts = [
- "/usr/share/rhel/secrets:/run/secrets",
-]
-
-# pids_limit is the number of processes allowed in a container
-pids_limit = 1024
-
-# log_size_max is the max limit for the container log size in bytes.
-# Negative values indicate that no limit is imposed.
-log_size_max = 52428800
-
-# The "crio.image" table contains settings pertaining to the
-# management of OCI images.
-[crio.image]
-
-# default_transport is the prefix we try prepending to an image name if the
-# image name as we receive it can't be parsed as a valid source reference
-default_transport = "docker://"
-
-# pause_image is the image which we use to instantiate infra containers.
-pause_image = "kubernetes/pause"
-
-# pause_command is the command to run in a pause_image to have a container just
-# sit there. If the image contains the necessary information, this value need
-# not be specified.
-pause_command = "/pause"
-
-# signature_policy is the name of the file which decides what sort of policy we
-# use when deciding whether or not to trust an image that we've pulled.
-# Outside of testing situations, it is strongly advised that this be left
-# unspecified so that the default system-wide policy will be used.
-signature_policy = ""
-
-# image_volumes controls how image volumes are handled.
-# The valid values are mkdir and ignore.
-image_volumes = "mkdir"
-
-# insecure_registries is used to skip TLS verification when pulling images.
-insecure_registries = [
-{{ l_insecure_crio_registries|default("") }}
-]
-
-# registries is used to specify a comma separated list of registries to be used
-# when pulling an unqualified image (e.g. fedora:rawhide).
-registries = [
-{{ l_additional_crio_registries|default("") }}
-]
-
-# The "crio.network" table contains settings pertaining to the
-# management of CNI plugins.
-[crio.network]
-
-# network_dir is is where CNI network configuration
-# files are stored.
-network_dir = "/etc/cni/net.d/"
-
-# plugin_dir is is where CNI plugin binaries are stored.
-plugin_dir = "/opt/cni/bin/"
diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2
deleted file mode 100644
index 713412473..000000000
--- a/roles/docker/templates/custom.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Wants=iptables.service
-After=iptables.service
-
-# The following line is a work-around to ensure docker is restarted whenever
-# iptables is restarted. This ensures the proper iptables rules will be in
-# place for docker.
-# Note: This will also cause docker to be stopped if iptables is stopped.
-PartOf=iptables.service
diff --git a/roles/docker/templates/daemon.json b/roles/docker/templates/daemon.json
deleted file mode 100644
index a41b7cdbd..000000000
--- a/roles/docker/templates/daemon.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "authorization-plugins": ["rhel-push-plugin"],
- "default-runtime": "oci",
- "containerd": "/run/containerd.sock",
- "disable-legacy-registry": false,
- "exec-opts": ["native.cgroupdriver=systemd"],
- "insecure-registries": {{ l_docker_insecure_registries }},
-{% if docker_log_driver is defined %}
- "log-driver": "{{ docker_log_driver }}",
-{%- endif %}
- "log-opts": {{ l_docker_log_options }},
- "runtimes": {
- "oci": {
- "path": "/usr/libexec/docker/docker-runc-current"
- }
- },
- "selinux-enabled": {{ l_docker_selinux_enabled | lower }},
- "add-registry": {{ l_docker_additional_registries }},
- "block-registry": {{ l_docker_blocked_registries }}
-}
diff --git a/roles/docker/templates/overlay.conf.j2 b/roles/docker/templates/overlay.conf.j2
deleted file mode 100644
index 782f46c2e..000000000
--- a/roles/docker/templates/overlay.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-### {{ ansible_managed }}
-overlay
diff --git a/roles/docker/templates/registries.conf b/roles/docker/templates/registries.conf
deleted file mode 100644
index d379b2be0..000000000
--- a/roles/docker/templates/registries.conf
+++ /dev/null
@@ -1,46 +0,0 @@
-# {{ ansible_managed }}
-# This is a system-wide configuration file used to
-# keep track of registries for various container backends.
-# It adheres to YAML format and does not support recursive
-# lists of registries.
-
-# The default location for this configuration file is /etc/containers/registries.conf.
-
-# The only valid categories are: 'registries', 'insecure_registries',
-# and 'block_registries'.
-
-
-#registries:
-# - registry.access.redhat.com
-
-{% if l2_docker_additional_registries %}
-registries:
-{% for reg in l2_docker_additional_registries %}
- - {{ reg }}
-{% endfor %}
-{% endif %}
-
-# If you need to access insecure registries, uncomment the section below
-# and add the registries fully-qualified name. An insecure registry is one
-# that does not have a valid SSL certificate or only does HTTP.
-#insecure_registries:
-# -
-
-{% if l2_docker_insecure_registries %}
-insecure_registries:
-{% for reg in l2_docker_insecure_registries %}
- - {{ reg }}
-{% endfor %}
-{% endif %}
-
-# If you need to block pull access from a registry, uncomment the section below
-# and add the registries fully-qualified name.
-#block_registries:
-# -
-
-{% if l2_docker_blocked_registries %}
-block_registries:
-{% for reg in l2_docker_blocked_registries %}
- - {{ reg }}
-{% endfor %}
-{% endif %}
diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2
deleted file mode 100644
index 86eebfba6..000000000
--- a/roles/docker/templates/systemcontainercustom.conf.j2
+++ /dev/null
@@ -1,17 +0,0 @@
-# {{ ansible_managed }}
-
-[Service]
-{% if "http_proxy" in openshift.common %}
-Environment=HTTP_PROXY={{ docker_http_proxy }}
-{% endif -%}
-{% if "https_proxy" in openshift.common %}
-Environment=HTTPS_PROXY={{ docker_http_proxy }}
-{% endif -%}
-{% if "no_proxy" in openshift.common %}
-Environment=NO_PROXY={{ docker_no_proxy }}
-{% endif %}
-{%- if os_firewall_use_firewalld|default(false) %}
-[Unit]
-Wants=iptables.service
-After=iptables.service
-{%- endif %}