| author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2017-11-03 07:30:29 -0700 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-11-03 07:30:29 -0700 | 
| commit | c99bfde17bca322e8a89ba3e9dc4e4fdc2776448 (patch) | |
| tree | c6e36f2b07ee6699e50065bb55f5d0e41da0a1fc /roles | |
| parent | 1b24db1dfb82b2b99605fdfc016c59161981d487 (diff) | |
| parent | b88adec6c15157c2894ccfe2ac855e67fb48ca33 (diff) | |
Merge pull request #5995 from ashcrow/docker-gc-daemonset
Automatic merge from submit-queue.
openshift_hosted: Add docker-gc
Two new inventory variables have been created:
- ``openshift_crio_enable_docker_gc``: Enable docker_gc daemon set
- ``openshift_crio_docker_gc_node_selector``: Optional dictionary to use node
selector
When ``openshift_crio_enable_docker_gc`` and ``openshift_use_crio`` are both true
then ``docker_gc`` daemonset will be created along with adding a ``docker-gc``
sa.
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/openshift_docker_gc/defaults/main.yml | 3 | ||||
| -rw-r--r-- | roles/openshift_docker_gc/meta/main.yml | 13 | ||||
| -rw-r--r-- | roles/openshift_docker_gc/tasks/main.yaml | 27 | ||||
| -rw-r--r-- | roles/openshift_docker_gc/templates/dockergc-ds.yaml.j2 | 58 | 
4 files changed, 101 insertions, 0 deletions
diff --git a/roles/openshift_docker_gc/defaults/main.yml b/roles/openshift_docker_gc/defaults/main.yml
new file mode 100644
index 000000000..9d79de8a1
--- /dev/null
+++ b/roles/openshift_docker_gc/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+r_enable_docker_gc: "{{ openshift_crio_enable_docker_gc | default(False) }}"
+r_docker_gc_node_selectors: "{{ openshift_crio_docker_gc_node_selector | default({}) }}"
diff --git a/roles/openshift_docker_gc/meta/main.yml b/roles/openshift_docker_gc/meta/main.yml
new file mode 100644
index 000000000..f88a7c533
--- /dev/null
+++ b/roles/openshift_docker_gc/meta/main.yml
@@ -0,0 +1,13 @@
+---
+galaxy_info:
+  author: OpenShift
+  description: docker garbage collection
+  company: Red Hat, Inc
+  license: ASL 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+dependencies:
+- role: lib_openshift
diff --git a/roles/openshift_docker_gc/tasks/main.yaml b/roles/openshift_docker_gc/tasks/main.yaml
new file mode 100644
index 000000000..9ba551479
--- /dev/null
+++ b/roles/openshift_docker_gc/tasks/main.yaml
@@ -0,0 +1,27 @@
+---
+- name: Create docker-gc tempdir
+  command: mktemp -d
+  register: templates_tmpdir
+
+# NOTE: oc_adm_policy_user does not support -z (yet)
+- name: Add dockergc as priviledged
+  shell: oc adm policy add-scc-to-user -z dockergc privileged
+#  oc_adm_policy_user:
+#    user: dockergc
+#    resource_kind: scc
+#    resource_name: privileged
+#    state: present
+
+- name: Create dockergc DaemonSet
+  become: yes
+  template:
+    src: dockergc-ds.yaml.j2
+    dest: "{{ templates_tmpdir.stdout }}/dockergc-ds.yaml"
+
+- name: Apply dockergc DaemonSet
+  oc_obj:
+    state: present
+    kind: DaemonSet
+    name: "dockergc"
+    files:
+    - "{{ templates_tmpdir.stdout }}/dockergc-ds.yaml"
diff --git a/roles/openshift_docker_gc/templates/dockergc-ds.yaml.j2 b/roles/openshift_docker_gc/templates/dockergc-ds.yaml.j2
new file mode 100644
index 000000000..53e8b448b
--- /dev/null
+++ b/roles/openshift_docker_gc/templates/dockergc-ds.yaml.j2
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: dockergc
+  # You must grant privileged via: oadm policy add-scc-to-user -z dockergc privileged
+  # in order for the dockergc to access the docker socket and root directory
+- apiVersion: extensions/v1beta1
+  kind: DaemonSet
+  metadata:
+    name: dockergc
+    labels:
+      app: dockergc
+  spec:
+    template:
+      metadata:
+        labels:
+          app: dockergc
+        name: dockergc
+      spec:
+{# Only set nodeSelector if the dict is not empty #}
+{% if r_docker_gc_node_selectors %}
+        nodeSelector:
+{% for k,v in r_docker_gc_node_selectors.items() %}
+          {{ k }}: {{ v }}{% endfor %}{% endif %}
+
+        serviceAccountName: dockergc
+        containers:
+        - image: openshift/origin:latest
+          args:
+          - "ex"
+          - "dockergc"
+          - "--image-gc-low-threshold=60"
+          - "--image-gc-high-threshold=80"
+          - "--minimum-ttl-duration=1h0m0s"
+          securityContext:
+            privileged: true
+          name: dockergc
+          resources:
+            requests:
+              memory: 30Mi
+              cpu: 50m
+          volumeMounts:
+          - name: docker-root
+            readOnly:  true
+            mountPath: /var/lib/docker
+          - name: docker-socket
+            readOnly:  false
+            mountPath: /var/run/docker.sock
+        volumes:
+        - name: docker-root
+          hostPath:
+            path: /var/lib/docker
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock  |
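Review bot: In roles/openshift_docker_gc/defaults/main.yml, `r_enable_docker_gc` is taken from inventory without a `| bool` cast, so a string value such as `false` from an INI inventory would be truthy wherever the flag is tested; `r_enable_docker_gc: "{{ openshift_crio_enable_docker_gc | default(False) | bool }}"` avoids that. No task in this role's tasks/main.yaml references the flag, so the gating is presumably done by a caller outside this diff. It is worth confirming, because including the role unconditionally would grant the privileged SCC and deploy the DaemonSet regardless of the setting.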
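Review bot: In roles/openshift_docker_gc/tasks/main.yaml, `oc adm policy add-scc-to-user -z dockergc privileged` names no namespace, so the privileged SCC goes to the `dockergc` service account of whatever project the host's current oc context points at, and the `oc_obj` task that applies the DaemonSet sets no `namespace:` either. If the two resolve differently, the pods fail admission or the privileged grant sits on an account nobody intended. Passing the namespace explicitly in both places (`-n <namespace>` on the command, `namespace:` on `oc_obj`) removes the ambiguity. The task also reports changed on every run and uses `shell` where `command` would do, and the `mktemp -d` directory holding the rendered manifest is never removed.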
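Review bot: In roles/openshift_docker_gc/templates/dockergc-ds.yaml.j2, `image: openshift/origin:latest` is a mutable tag on a container that is `privileged: true` and mounts `/var/run/docker.sock` read-write, so whatever that tag resolves to at pull time gets root-equivalent access on every selected node. Pin the image to the release being installed or to a digest, ideally through a role variable rather than a literal in the template. Separately, the nodeSelector loop renders `{{ k }}: {{ v }}` unquoted, so a label value such as `true` or `1` is parsed as a YAML boolean or integer and the API will reject it; `{{ k }}: "{{ v }}"` keeps it a string.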
