author | Michael Gugino <mgugino@redhat.com> | 2017-11-16 14:56:14 -0500 |
committer | Michael Gugino <mgugino@redhat.com> | 2017-12-01 12:32:39 -0500 |
commit | 5120f8e90c0178ac7f6d911159ceb278dd87b4c9 (patch) | |
tree | 1b1f51b242c259e659e1e09c439504b33d33f0c1 /roles/docker/templates | |
parent | e0e10698184c9a7cf4bf65787771686e46d26603 (diff) | |
Implement container runtime role
Diffstat (limited to 'roles/docker/templates')
-rw-r--r-- | roles/docker/templates/80-openshift-sdn.conf.j2 | 5 | ||||
-rw-r--r-- | roles/docker/templates/crio.conf.j2 | 164 | ||||
-rw-r--r-- | roles/docker/templates/custom.conf.j2 | 11 | ||||
-rw-r--r-- | roles/docker/templates/daemon.json | 20 | ||||
-rw-r--r-- | roles/docker/templates/overlay.conf.j2 | 2 | ||||
-rw-r--r-- | roles/docker/templates/registries.conf | 46 | ||||
-rw-r--r-- | roles/docker/templates/systemcontainercustom.conf.j2 | 17 |
7 files changed, 0 insertions, 265 deletions
diff --git a/roles/docker/templates/80-openshift-sdn.conf.j2 b/roles/docker/templates/80-openshift-sdn.conf.j2
deleted file mode 100644
index a693aea5f..000000000
--- a/roles/docker/templates/80-openshift-sdn.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "cniVersion": "0.1.0",
- "name": "openshift-sdn",
- "type": "openshift-sdn"
-}
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
deleted file mode 100644
index 3f066a17f..000000000
--- a/roles/docker/templates/crio.conf.j2
+++ /dev/null
@@ -1,164 +0,0 @@
-# {{ ansible_managed }}
-
-# The "crio" table contains all of the server options.
-[crio]
-
-# root is a path to the "root directory". CRIO stores all of its data,
-# including container images, in this directory.
-root = "/var/lib/containers/storage"
-
-# run is a path to the "run directory". CRIO stores all of its state
-# in this directory.
-runroot = "/var/run/containers/storage"
-
-# storage_driver select which storage driver is used to manage storage
-# of images and containers.
-storage_driver = "overlay"
-
-# storage_option is used to pass an option to the storage driver.
-storage_option = [
-{% if ansible_distribution in ['RedHat', 'CentOS'] %}
- "overlay.override_kernel_check=1"
-{% endif %}
-]
-
-# The "crio.api" table contains settings for the kubelet/gRPC
-# interface (which is also used by crioctl).
-[crio.api]
-
-# listen is the path to the AF_LOCAL socket on which crio will listen.
-listen = "/var/run/crio.sock"
-
-# stream_address is the IP address on which the stream server will listen
-stream_address = ""
-
-# stream_port is the port on which the stream server will listen
-stream_port = "10010"
-
-# file_locking is whether file-based locking will be used instead of
-# in-memory locking
-file_locking = true
-
-# The "crio.runtime" table contains settings pertaining to the OCI
-# runtime used and options for how to set up and manage the OCI runtime.
-[crio.runtime]
-
-# runtime is the OCI compatible runtime used for trusted container workloads.
-# This is a mandatory setting as this runtime will be the default one
-# and will also be used for untrusted container workloads if
-# runtime_untrusted_workload is not set.
-runtime = "/usr/bin/runc"
-
-# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
-# container workloads. This is an optional setting, except if
-# default_container_trust is set to "untrusted".
-runtime_untrusted_workload = "" - -# default_workload_trust is the default level of trust crio puts in container -# workloads. It can either be "trusted" or "untrusted", and the default -# is "trusted". -# Containers can be run through different container runtimes, depending on -# the trust hints we receive from kubelet: -# - If kubelet tags a container workload as untrusted, crio will try first to -# run it through the untrusted container workload runtime. If it is not set, -# crio will use the trusted runtime. -# - If kubelet does not provide any information about the container workload trust -# level, the selected runtime will depend on the default_container_trust setting. -# If it is set to "untrusted", then all containers except for the host privileged -# ones, will be run by the runtime_untrusted_workload runtime. Host privileged -# containers are by definition trusted and will always use the trusted container -# runtime. If default_container_trust is set to "trusted", crio will use the trusted -# container runtime for all containers. -default_workload_trust = "trusted" - -# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE -no_pivot = false - -# conmon is the path to conmon binary, used for managing the runtime. -conmon = "/usr/libexec/crio/conmon" - -# conmon_env is the environment variable list for conmon process, -# used for passing necessary environment variable to conmon or runtime. -conmon_env = [ - "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", -] - -# selinux indicates whether or not SELinux will be used for pod -# separation on the host. If you enable this flag, SELinux must be running -# on the host. -selinux = true - -# seccomp_profile is the seccomp json profile path which is used as the -# default for the runtime. -seccomp_profile = "/etc/crio/seccomp.json" - -# apparmor_profile is the apparmor profile name which is used as the -# default for the runtime. 
-apparmor_profile = "crio-default"
-
-# cgroup_manager is the cgroup management implementation to be used
-# for the runtime.
-cgroup_manager = "systemd"
-
-# hooks_dir_path is the oci hooks directory for automatically executed hooks
-hooks_dir_path = "/usr/share/containers/oci/hooks.d"
-
-# default_mounts is the mounts list to be mounted for the container when created
-default_mounts = [
- "/usr/share/rhel/secrets:/run/secrets",
-]
-
-# pids_limit is the number of processes allowed in a container
-pids_limit = 1024
-
-# log_size_max is the max limit for the container log size in bytes.
-# Negative values indicate that no limit is imposed.
-log_size_max = 52428800
-
-# The "crio.image" table contains settings pertaining to the
-# management of OCI images.
-[crio.image]
-
-# default_transport is the prefix we try prepending to an image name if the
-# image name as we receive it can't be parsed as a valid source reference
-default_transport = "docker://"
-
-# pause_image is the image which we use to instantiate infra containers.
-pause_image = "kubernetes/pause"
-
-# pause_command is the command to run in a pause_image to have a container just
-# sit there. If the image contains the necessary information, this value need
-# not be specified.
-pause_command = "/pause"
-
-# signature_policy is the name of the file which decides what sort of policy we
-# use when deciding whether or not to trust an image that we've pulled.
-# Outside of testing situations, it is strongly advised that this be left
-# unspecified so that the default system-wide policy will be used.
-signature_policy = ""
-
-# image_volumes controls how image volumes are handled.
-# The valid values are mkdir and ignore.
-image_volumes = "mkdir"
-
-# insecure_registries is used to skip TLS verification when pulling images.
-insecure_registries = [
-{{ l_insecure_crio_registries|default("") }}
-]
-
-# registries is used to specify a comma separated list of registries to be used
-# when pulling an unqualified image (e.g. fedora:rawhide).
-registries = [
-{{ l_additional_crio_registries|default("") }}
-]
-
-# The "crio.network" table contains settings pertaining to the
-# management of CNI plugins.
-[crio.network]
-
-# network_dir is is where CNI network configuration
-# files are stored.
-network_dir = "/etc/cni/net.d/"
-
-# plugin_dir is is where CNI plugin binaries are stored.
-plugin_dir = "/opt/cni/bin/"
diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2
deleted file mode 100644
index 713412473..000000000
--- a/roles/docker/templates/custom.conf.j2
+++ /dev/null
@@ -1,11 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Wants=iptables.service
-After=iptables.service
-
-# The following line is a work-around to ensure docker is restarted whenever
-# iptables is restarted. This ensures the proper iptables rules will be in
-# place for docker.
-# Note: This will also cause docker to be stopped if iptables is stopped.
-PartOf=iptables.service
diff --git a/roles/docker/templates/daemon.json b/roles/docker/templates/daemon.json
deleted file mode 100644
index a41b7cdbd..000000000
--- a/roles/docker/templates/daemon.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "authorization-plugins": ["rhel-push-plugin"],
- "default-runtime": "oci",
- "containerd": "/run/containerd.sock",
- "disable-legacy-registry": false,
- "exec-opts": ["native.cgroupdriver=systemd"],
- "insecure-registries": {{ l_docker_insecure_registries }},
-{% if docker_log_driver is defined %}
- "log-driver": "{{ docker_log_driver }}",
-{%- endif %}
- "log-opts": {{ l_docker_log_options }},
- "runtimes": {
- "oci": {
- "path": "/usr/libexec/docker/docker-runc-current"
- }
- },
- "selinux-enabled": {{ l_docker_selinux_enabled | lower }},
- "add-registry": {{ l_docker_additional_registries }},
- "block-registry": {{ l_docker_blocked_registries }}
-}
diff --git a/roles/docker/templates/overlay.conf.j2 b/roles/docker/templates/overlay.conf.j2
deleted file mode 100644
index 782f46c2e..000000000
--- a/roles/docker/templates/overlay.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-### {{ ansible_managed }}
-overlay
diff --git a/roles/docker/templates/registries.conf b/roles/docker/templates/registries.conf
deleted file mode 100644
index d379b2be0..000000000
--- a/roles/docker/templates/registries.conf
+++ /dev/null
@@ -1,46 +0,0 @@ -# {{ ansible_managed }} -# This is a system-wide configuration file used to -# keep track of registries for various container backends. -# It adheres to YAML format and does not support recursive -# lists of registries. - -# The default location for this configuration file is /etc/containers/registries.conf. - -# The only valid categories are: 'registries', 'insecure_registries', -# and 'block_registries'. - - -#registries: -# - registry.access.redhat.com - -{% if l2_docker_additional_registries %} -registries: -{% for reg in l2_docker_additional_registries %} - - {{ reg }} -{% endfor %} -{% endif %} - -# If you need to access insecure registries, uncomment the section below -# and add the registries fully-qualified name. An insecure registry is one -# that does not have a valid SSL certificate or only does HTTP. -#insecure_registries: -# - - -{% if l2_docker_insecure_registries %} -insecure_registries: -{% for reg in l2_docker_insecure_registries %} - - {{ reg }} -{% endfor %} -{% endif %} - -# If you need to block pull access from a registry, uncomment the section below -# and add the registries fully-qualified name. -#block_registries: -# - - -{% if l2_docker_blocked_registries %} -block_registries: -{% for reg in l2_docker_blocked_registries %} - - {{ reg }} -{% endfor %} -{% endif %} diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2 deleted file mode 100644 index 86eebfba6..000000000 --- a/roles/docker/templates/systemcontainercustom.conf.j2 +++ /dev/null 
@@ -1,17 +0,0 @@
-# {{ ansible_managed }}
-
-[Service]
-{% if "http_proxy" in openshift.common %}
-Environment=HTTP_PROXY={{ docker_http_proxy }}
-{% endif -%}
-{% if "https_proxy" in openshift.common %}
-Environment=HTTPS_PROXY={{ docker_http_proxy }}
-{% endif -%}
-{% if "no_proxy" in openshift.common %}
-Environment=NO_PROXY={{ docker_no_proxy }}
-{% endif %}
-{%- if os_firewall_use_firewalld|default(false) %}
-[Unit]
-Wants=iptables.service
-After=iptables.service
-{%- endif %}