diff options
Diffstat (limited to 'roles/docker')
-rw-r--r-- | roles/docker/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/docker/meta/main.yml | 1 | ||||
-rw-r--r-- | roles/docker/tasks/package_docker.yml | 5 | ||||
-rw-r--r-- | roles/docker/tasks/registry_auth.yml | 16 | ||||
-rw-r--r-- | roles/docker/tasks/systemcontainer_crio.yml | 6 | ||||
-rw-r--r-- | roles/docker/tasks/systemcontainer_docker.yml | 8 | ||||
-rw-r--r-- | roles/docker/templates/crio.conf.j2 | 5 |
7 files changed, 39 insertions, 4 deletions
diff --git a/roles/docker/defaults/main.yml b/roles/docker/defaults/main.yml index c086c28df..224844a06 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/docker/defaults/main.yml @@ -2,6 +2,8 @@ docker_cli_auth_config_path: '/root/.docker' openshift_docker_signature_verification: False +openshift_docker_alternative_creds: False + # oreg_url is defined by user input. oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}" oreg_auth_credentials_replace: False diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml index 62b8a2eb5..d5faae8df 100644 --- a/roles/docker/meta/main.yml +++ b/roles/docker/meta/main.yml @@ -12,3 +12,4 @@ galaxy_info: dependencies: - role: lib_openshift - role: lib_os_firewall +- role: lib_utils diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml index c1aedf879..8121163a6 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/docker/tasks/package_docker.yml @@ -154,6 +154,7 @@ - set_fact: docker_service_status_changed: "{{ (r_docker_package_docker_start_result | changed) and (r_docker_already_running_result.stdout != 'ActiveState=active' ) }}" -- include: registry_auth.yml - - meta: flush_handlers + +# This needs to run after docker is restarted to account for proxy settings. +- include: registry_auth.yml diff --git a/roles/docker/tasks/registry_auth.yml b/roles/docker/tasks/registry_auth.yml index d05b7f2b8..2c7bc5711 100644 --- a/roles/docker/tasks/registry_auth.yml +++ b/roles/docker/tasks/registry_auth.yml @@ -12,5 +12,21 @@ delay: 5 until: openshift_docker_credentials_create_res.rc == 0 when: + - not openshift_docker_alternative_creds | bool + - oreg_auth_user is defined + - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool + +# docker_creds is a custom module from lib_utils +# 'docker login' requires a docker.service running on the local host, this is an +# alternative implementation for non-docker hosts. This implementation does not +# check the registry to determine whether or not the credentials will work. +- name: Create credentials for docker cli registry auth (alternative) + docker_creds: + path: "{{ docker_cli_auth_config_path }}" + registry: "{{ oreg_host }}" + username: "{{ oreg_auth_user }}" + password: "{{ oreg_auth_password }}" + when: + - openshift_docker_alternative_creds | bool - oreg_auth_user is defined - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 1e2d64293..3fe10454d 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -179,3 +179,9 @@ register: start_result - meta: flush_handlers + +# If we are using crio only, docker.service might not be available for +# 'docker login' +- include: registry_auth.yml + vars: + openshift_docker_alternative_creds: "{{ l_use_crio_only }}" diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml index aa3b35ddd..84220fa66 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -173,6 +173,10 @@ - set_fact: docker_service_status_changed: "{{ r_docker_systemcontainer_docker_start_result | changed }}" -- include: registry_auth.yml - - meta: flush_handlers + +# Since docker is running as a system container, docker login will fail to create +# credentials. Use alternate method if requiring authenticated registries. +- include: registry_auth.yml + vars: + openshift_docker_alternative_creds: True diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 index 93014a80d..3f066a17f 100644 --- a/roles/docker/templates/crio.conf.j2 +++ b/roles/docker/templates/crio.conf.j2 @@ -103,6 +103,11 @@ cgroup_manager = "systemd" # hooks_dir_path is the oci hooks directory for automatically executed hooks hooks_dir_path = "/usr/share/containers/oci/hooks.d" +# default_mounts is the mounts list to be mounted for the container when created +default_mounts = [ + "/usr/share/rhel/secrets:/run/secrets", +] + # pids_limit is the number of processes allowed in a container pids_limit = 1024 |