Diffstat (limited to 'roles/docker')
-rw-r--r-- | roles/docker/handlers/main.yml | 1 | ||||
-rw-r--r-- | roles/docker/tasks/main.yml | 12 | ||||
-rw-r--r-- | roles/docker/tasks/package_docker.yml | 44 | ||||
-rw-r--r-- | roles/docker/tasks/systemcontainer_crio.yml | 30 | ||||
-rw-r--r-- | roles/docker/tasks/systemcontainer_docker.yml | 26 | ||||
-rw-r--r-- | roles/docker/templates/crio.conf.j2 | 26 | ||||
-rw-r--r-- | roles/docker/templates/custom.conf.j2 | 6 | ||||
-rw-r--r-- | roles/docker/templates/registries.conf | 2 |
8 files changed, 118 insertions, 29 deletions
diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml
index 591367467..866ed0452 100644
--- a/roles/docker/handlers/main.yml
+++ b/roles/docker/handlers/main.yml
@@ -4,6 +4,7 @@
 systemd:
 name: "{{ openshift.docker.service_name }}"
 state: restarted
+ daemon_reload: yes
 register: r_docker_restart_docker_result
 until: not r_docker_restart_docker_result | failed
 retries: 3
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 7ece0e061..f73f90686 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -13,17 +13,17 @@
 - name: Use Package Docker if Requested
 include: package_docker.yml
 when:
- - not l_use_system_container
- - not l_use_crio_only
+ - not l_use_system_container
+ - not l_use_crio_only
 - name: Use System Container Docker if Requested
 include: systemcontainer_docker.yml
 when:
- - l_use_system_container
- - not l_use_crio_only
+ - l_use_system_container
+ - not l_use_crio_only
 - name: Add CRI-O usage Requested
 include: systemcontainer_crio.yml
 when:
- - l_use_crio
- - inventory_hostname in groups['oo_masters_to_config'] or inventory_hostname in groups['oo_nodes_to_config']
+ - l_use_crio
+ - inventory_hostname in groups['oo_masters_to_config'] or inventory_hostname in groups['oo_nodes_to_config']
diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml
index 4215dc5bd..dbe0b0d28 100644
--- a/roles/docker/tasks/package_docker.yml
+++ b/roles/docker/tasks/package_docker.yml
@@ -48,7 +48,9 @@
 template:
 dest: "{{ docker_systemd_dir }}/custom.conf"
 src: custom.conf.j2
- when: not os_firewall_use_firewalld | default(False) | bool
+ notify:
+ - restart docker
+ when: not (os_firewall_use_firewalld | default(False)) | bool
 - name: Add enterprise registry, if necessary
 set_fact:
@@ -61,19 +63,29 @@
 - stat: path=/etc/sysconfig/docker
 register: docker_check
-- name: Comment old registry params in /etc/sysconfig/docker
+- name: Set registry params
 lineinfile:
 dest: /etc/sysconfig/docker
 regexp: '^{{ item.reg_conf_var }}=.*$'
- line: "#{{ item.reg_conf_var }}=''# Moved to {{ containers_registries_conf_path }}"
+ line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'"
+ when:
+ - item.reg_fact_val != []
+ - docker_check.stat.isreg is defined
+ - docker_check.stat.isreg
 with_items:
 - reg_conf_var: ADD_REGISTRY
+ reg_fact_val: "{{ l2_docker_additional_registries }}"
+ reg_flag: --add-registry
 - reg_conf_var: BLOCK_REGISTRY
+ reg_fact_val: "{{ l2_docker_blocked_registries }}"
+ reg_flag: --block-registry
 - reg_conf_var: INSECURE_REGISTRY
+ reg_fact_val: "{{ l2_docker_insecure_registries }}"
+ reg_flag: --insecure-registry
 notify:
 - restart docker
-- name: Place additional/blocked/insecure registies in /etc/containers/registries.conf
+- name: Place additional/blocked/insecure registries in /etc/containers/registries.conf
 template:
 dest: "{{ containers_registries_conf_path }}"
 src: registries.conf
@@ -127,18 +139,6 @@
 notify:
 - restart docker
-- name: Check for credentials file for registry auth
- stat:
- path: "{{ docker_cli_auth_config_path }}/config.json"
- when: oreg_auth_user is defined
- register: docker_cli_auth_credentials_stat
-
-- name: Create credentials for docker cli registry auth
- command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
- when:
- - oreg_auth_user is defined
- - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
-
 - name: Start the Docker service
 systemd:
 name: docker
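Review bot: The new `Set registry params` task is skipped whenever `item.reg_fact_val` is empty, so an `ADD_REGISTRY`, `BLOCK_REGISTRY` or `INSECURE_REGISTRY` value written by an earlier run stays in /etc/sysconfig/docker after the operator removes that registry from the inventory; for `INSECURE_REGISTRY` this leaves TLS verification disabled for a registry that is no longer meant to be exempt. The task it replaces commented these variables out unconditionally, so the previous revision never had this stale-value problem. A companion task on the same regexp, conditioned on the empty case, would clear them, e.g. `- name: Remove unset registry params` / `lineinfile: {dest: /etc/sysconfig/docker, regexp: '^{{ item.reg_conf_var }}=.*$', state: absent}` / `when: item.reg_fact_val == []` with the same `with_items` and `notify`.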
@@ -153,4 +153,16 @@
 - set_fact:
 docker_service_status_changed: "{{ r_docker_package_docker_start_result | changed }}"
+- name: Check for credentials file for registry auth
+ stat:
+ path: "{{ docker_cli_auth_config_path }}/config.json"
+ when: oreg_auth_user is defined
+ register: docker_cli_auth_credentials_stat
+
+- name: Create credentials for docker cli registry auth
+ command: "docker --config={{ docker_cli_auth_config_path }} login -u {{ oreg_auth_user }} -p {{ oreg_auth_password }} {{ oreg_host }}"
+ when:
+ - oreg_auth_user is defined
+ - (not docker_cli_auth_credentials_stat.stat.exists or oreg_auth_credentials_replace) | bool
+
 - meta: flush_handlers
diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml
index 66ce475e1..fdc6cd24a 100644
--- a/roles/docker/tasks/systemcontainer_crio.yml
+++ b/roles/docker/tasks/systemcontainer_crio.yml
@@ -1,4 +1,5 @@
 ---
+ # TODO: Much of this file is shared with container engine tasks
 - set_fact:
 l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}"
@@ -13,6 +14,22 @@
 l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"
 when: l2_docker_additional_registries
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+ when: openshift_image_tag is defined
+
+- set_fact:
+ l_openshift_image_tag: "latest"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release == "latest"
+
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_release | string }}"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release != "latest"
+
 - name: Ensure container-selinux is installed
 package:
 name: container-selinux
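Review bot: The re-added `Create credentials for docker cli registry auth` task passes `{{ oreg_auth_password }}` on the `docker login` command line and carries no `no_log: true`, so the password is printed in the task result and any playbook log on every run, and is visible in the host's process list while the command executes; moving the task after `Start the Docker service` does not change that. Adding `no_log: true` to the task keeps the secret out of play output. Supplying the password through the command module's stdin instead of `-p` would also keep it out of the process list, if the Ansible version this role targets supports that option.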
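Review bot: The second and third `set_fact` tasks compare `openshift_release` in their `when` clauses without first checking that it is defined, so a host with neither `openshift_image_tag` nor `openshift_release` set fails on an undefined variable instead of falling back to `latest`; if an earlier role guarantees `openshift_release`, that assumption deserves a comment here. The same three tasks are added verbatim at the top of `roles/docker/tasks/systemcontainer_docker.yml` in this commit, which the new TODO comment acknowledges. A single task along the lines of `l_openshift_image_tag: "{{ openshift_image_tag | default(openshift_release) | default('latest') | string }}"` would replace the three in both files and remove the undefined-variable case, provided the chained defaults behave as expected under this Ansible version.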
@@ -92,16 +109,23 @@
 - block:
- - name: Set to default prepend
+ - name: Set CRI-O image defaults
 set_fact:
 l_crio_image_prepend: "docker.io/gscrivano"
 l_crio_image_name: "cri-o-fedora"
+ l_crio_image_tag: "latest"
 - name: Use Centos based image when distribution is CentOS
 set_fact:
 l_crio_image_name: "cri-o-centos"
 when: ansible_distribution == "CentOS"
+ - name: Set CRI-O image tag
+ set_fact:
+ l_crio_image_tag: "{{ l_openshift_image_tag }}"
+ when:
+ - openshift_deployment_type == 'openshift-enterprise'
+
 - name: Use RHEL based image when distribution is Red Hat
 set_fact:
 l_crio_image_prepend: "registry.access.redhat.com/openshift3"
@@ -110,7 +134,7 @@
 - name: Set the full image name
 set_fact:
- l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:latest"
+ l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:{{ l_crio_image_tag }}"
 # For https://github.com/openshift/aos-cd-jobs/pull/624#pullrequestreview-61816548
 - name: Use a specific image if requested
@@ -138,7 +162,7 @@
 image: "{{ l_crio_image }}"
 state: latest
-- name: Remove CRI-o default configuration files
+- name: Remove CRI-O default configuration files
 file:
 path: "{{ item }}"
 state: absent
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index 8b43393cb..15c6a55db 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
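Review bot: `Set CRI-O image tag` applies `l_openshift_image_tag` only when `openshift_deployment_type == 'openshift-enterprise'`, so every other deployment type keeps pulling `docker.io/gscrivano/cri-o-fedora` (or the CentOS variant) at the mutable `latest` tag, which can resolve to a different image between two runs of the same playbook. If that is deliberate, a one-line comment on the task would spare the next reader the question, e.g. `# TODO confirm: non-enterprise CRI-O images are only published as :latest, so the tag stays floating there`. The enclosing `block` continues past the end of this hunk.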
@@ -1,4 +1,21 @@
 ---
+
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_image_tag | string }}"
+ when: openshift_image_tag is defined
+
+- set_fact:
+ l_openshift_image_tag: "latest"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release == "latest"
+
+- set_fact:
+ l_openshift_image_tag: "{{ openshift_release | string }}"
+ when:
+ - openshift_image_tag is not defined
+ - openshift_release != "latest"
+
 # If docker_options are provided we should fail. We should not install docker and ignore
 # the users configuration. NOTE: docker_options == inventory:openshift_docker_options
 - name: Fail quickly if openshift_docker_options are set
@@ -89,6 +106,13 @@
 - name: Set to default prepend
 set_fact:
 l_docker_image_prepend: "gscrivano"
+ l_docker_image_tag: "latest"
+
+ - name: Set container engine image tag
+ set_fact:
+ l_docker_image_tag: "{{ l_openshift_image_tag }}"
+ when:
+ - openshift_deployment_type == 'openshift-enterprise'
 - name: Use Red Hat Registry for image when distribution is Red Hat
 set_fact:
@@ -102,7 +126,7 @@
 - name: Set the full image name
 set_fact:
- l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:latest"
+ l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:{{ l_docker_image_tag }}"
 # For https://github.com/openshift/openshift-ansible/pull/5354#issuecomment-328552959
 - name: Use a specific image if requested
diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2
index b4ee84fd0..b715c2ffa 100644
--- a/roles/docker/templates/crio.conf.j2
+++ b/roles/docker/templates/crio.conf.j2
@@ -13,12 +13,12 @@ runroot = "/var/run/containers/storage"
 # storage_driver select which storage driver is used to manage storage
 # of images and containers.
-storage_driver = "overlay2"
+storage_driver = "overlay"
 # storage_option is used to pass an option to the storage driver.
 storage_option = [
 {% if ansible_distribution in ['RedHat', 'CentOS'] %}
- "overlay2.override_kernel_check=1"
+ "overlay.override_kernel_check=1"
 {% endif %}
 ]
@@ -35,6 +35,10 @@ stream_address = ""
 # stream_port is the port on which the stream server will listen
 stream_port = "10010"
+# file_locking is whether file-based locking will be used instead of
+# in-memory locking
+file_locking = true
+
 # The "crio.runtime" table contains settings pertaining to the OCI
 # runtime used and options for how to set up and manage the OCI runtime.
 [crio.runtime]
@@ -67,6 +71,9 @@ runtime_untrusted_workload = ""
 # container runtime for all containers.
 default_workload_trust = "trusted"
+# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
+no_pivot = false
+
 # conmon is the path to conmon binary, used for managing the runtime.
 conmon = "/usr/libexec/crio/conmon"
@@ -93,6 +100,16 @@ apparmor_profile = "crio-default"
 # for the runtime.
 cgroup_manager = "systemd"
+# hooks_dir_path is the oci hooks directory for automatically executed hooks
+hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+
+# pids_limit is the number of processes allowed in a container
+pids_limit = 1024
+
+# log_size_max is the max limit for the container log size in bytes.
+# Negative values indicate that no limit is imposed.
+log_size_max = -1
+
 # The "crio.image" table contains settings pertaining to the
 # management of OCI images.
 [crio.image]
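Review bot: `log_size_max = -1` in the last hunk disables the per-container log cap, so a single container that writes to stdout/stderr without bound can fill the node's filesystem; it and `pids_limit = 1024` are baked into the template as fixed values that an operator cannot tune from the inventory, unlike the registry lists templated further down. Exposing both as role variables with these values as defaults keeps the commit's behaviour while letting a deployment set a cap, e.g. `pids_limit = {{ crio_pids_limit | default(1024) }}` and `log_size_max = {{ crio_log_size_max | default(-1) }}` (variable names constructed for illustration). `hooks_dir_path` names a directory whose contents are, per the template's own comment, executed automatically for containers, so a short note that write access to that directory must stay restricted would help the next maintainer.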
@@ -115,6 +132,10 @@ pause_command = "/pause"
 # unspecified so that the default system-wide policy will be used.
 signature_policy = ""
+# image_volumes controls how image volumes are handled.
+# The valid values are mkdir and ignore.
+image_volumes = "mkdir"
+
 # insecure_registries is used to skip TLS verification when pulling images.
 insecure_registries = [
 {{ l_insecure_crio_registries|default("") }}
@@ -125,6 +146,7 @@ insecure_registries = [
 registries = [
 {{ l_additional_crio_registries|default("") }}
 ]
+
 # The "crio.network" table contains settings pertaining to the
 # management of CNI plugins.
 [crio.network]
diff --git a/roles/docker/templates/custom.conf.j2 b/roles/docker/templates/custom.conf.j2
index 9b47cb6ab..713412473 100644
--- a/roles/docker/templates/custom.conf.j2
+++ b/roles/docker/templates/custom.conf.j2
@@ -3,3 +3,9 @@
 [Unit]
 Wants=iptables.service
 After=iptables.service
+
+# The following line is a work-around to ensure docker is restarted whenever
+# iptables is restarted. This ensures the proper iptables rules will be in
+# place for docker.
+# Note: This will also cause docker to be stopped if iptables is stopped.
+PartOf=iptables.service
diff --git a/roles/docker/templates/registries.conf b/roles/docker/templates/registries.conf
index c55dbd84f..d379b2be0 100644
--- a/roles/docker/templates/registries.conf
+++ b/roles/docker/templates/registries.conf
@@ -6,7 +6,7 @@
 # The default location for this configuration file is /etc/containers/registries.conf.
-# The only valid categories are: 'registries', 'insecure_registies',
+# The only valid categories are: 'registries', 'insecure_registries',
 # and 'block_registries'.
 |
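Review bot: The comment added above `PartOf=iptables.service` in custom.conf.j2 documents the stop case but not the consequence of the restart case the line was added for: restarting the docker daemon also stops every running container unless live-restore is enabled, so any task or operator action that restarts iptables now interrupts the workloads on that node. Extending the note with `# Note: restarting docker also restarts its containers unless live-restore is enabled.` makes that trade-off visible where it is configured. Whether this role enables live-restore in the daemon configuration is not visible from this diff.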