summaryrefslogtreecommitdiffstats
path: root/roles/docker
Commit message (Collapse)AuthorAgeFilesLines
* systemcontainers: Verify atomic.conf proxy is always configuredSteve Milner2017-10-192-62/+8
| | | | | | | | | | | A new openshift_atomic role has been created for atomic specific tasks. The first task added is proxy which handles updating /etc/atomic.conf to ensure the proper proxy configuration is configured. This task file is then included (via include_role) in system container related task files. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1503903 Signed-off-by: Steve Milner <smilner@redhat.com>
* Merge pull request #5774 from mgugino-upstream-stage/docker-option-fixScott Dodson2017-10-182-5/+7
|\ | | | | Fix missing docker option signature-verification
| * Fix missing docker option signature-verificationMichael Gugino2017-10-162-5/+7
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, docker 1.12 can be configured to use the run-time parameter of 'signature-verification' By default, rpm installation of docker results in '--signature-verification=false' being added to OPTIONS in /etc/sysconfig/docker Currently, openshift-ansible does not preserve that value. This can cause docker to be unable to pull images from a previously working source due to a change in configuration. This commit adds the option with the default as provided by the rpm installation. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1502560
* | cri-o: error out when node is a Docker containerGiuseppe Scrivano2017-10-161-0/+6
|/ | | | | | Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1489555 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Ensure docker service status actually changesMichael Gugino2017-10-111-1/+8
| | | | | | | | | | | | | | | | | | | | | Currently, docker is started during the docker role. If docker is started during the run of the role, the handler to restart docker is not triggered to prevent excess restarts of the docker service. The systemd docker that starts the docker service may report the result of the task as 'changed' even though docker is already running and the state of the service itself does not change. This commit checks the status of the docker service before starting it to ensure that docker was not in an 'active' state according to systemd. If the docker service is already in the 'active' state, the restart handler will trigger and restart docker at the end of the run of the role. Fixes: https://github.com/openshift/origin/issues/16709
* crio, docker: expect openshift_release to have 'v'Giuseppe Scrivano2017-10-102-2/+2
| | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #5695 from giuseppe/image_tag_default_to_releaseOpenShift Merge Robot2017-10-093-13/+35
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. docker, CRI-O: openshift_image_tag defaults to openshift_release Replace: commit c2c4ba7ec62d4dfd87d746d20991e10f2bd1bddf Author: Giuseppe Scrivano <gscrivan@redhat.com> Date: Tue Sep 26 09:01:59 2017 +0200 Require openshift_image_tag in the inventory with openshift-enterprise Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com> with using openshift_release for openshift_image_tag so we don't require users to include both in their inventory. Probably it is only a temporary solution until the openshift_image_tag vs openshift_release when using Docker/CRI-O is sorted out. Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1493376
| * crio, docker: use openshift_release when openshift_image_tag is not usedGiuseppe Scrivano2017-10-093-12/+34
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * crio: fix typoGiuseppe Scrivano2017-10-091-1/+1
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #5705 from mgugino-upstream-stage/docker-partof-iptablesScott Dodson2017-10-091-0/+6
|\ \ | | | | | | Add PartOf to docker systemd service unit.
| * | Add PartOf to docker systemd service unit.Michael Gugino2017-10-091-0/+6
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, if iptables service is restarted, existing iptables rules are removed. Docker adds iptables rules dyanmically upon startup and container creation. Restarting the iptables service results in a loss of these needed iptables rules. This commit ensures that if iptables service is restarted by anisble or the user, docker is also restarted. This ensures the proper dynamic iptables rules are in place for docker. Fixes: openshift/origin#16709
* / crio: use systemd managerGiuseppe Scrivano2017-10-091-1/+1
|/ | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* Merge pull request #5661 from giuseppe/crio-use-overlay-instead-of-overlay2OpenShift Merge Robot2017-10-071-3/+25
|\ | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue. cri-o: use overlay instead of overlay2 overlay2 and overlay are the same driver. Upstream CRI-O is going to drop any reference to overlay2 and use only overlay. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * crio.conf.j2: sync from upstreamGiuseppe Scrivano2017-10-061-1/+23
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * cri-o: use overlay instead of overlay2Giuseppe Scrivano2017-10-061-2/+2
| | | | | | | | | | | | | | overlay2 and overlay are the same driver. Upstream CRI-O is going to drop any reference to overlay2 and use only overlay. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Ensure docker is restarted when iptables is restartedMichael Gugino2017-10-062-1/+4
|/ | | | | | | | | | | Currently, os_firewall role may run after docker role, and iptables.service may be restarted. When restarted, this negatively impacts docker's iptables rules. This commit ensures that if iptables is restarted, docker is restarted as well (by systemd) Fixes: https://github.com/openshift/origin/issues/16709
* Ensure docker service started prior to credentialsMichael Gugino2017-10-031-12/+12
| | | | | | | | | | | Currently, authenticated registry credentials are requested before docker might be started in the docker role. This commit moves the relevant registry credential tasks to after docker is started. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341
* Merge pull request #5490 from giuseppe/set-crio-docker-tag-for-oseOpenShift Merge Robot2017-10-033-9/+35
|\ | | | | | | | | | | | | Automatic merge from submit-queue. CRI-O, Docker: set the tag to the OpenShift release on RHEL Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1493376
| * docker: fix some tox warningsGiuseppe Scrivano2017-09-271-6/+6
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * Require openshift_image_tag in the inventory with openshift-enterpriseGiuseppe Scrivano2017-09-271-0/+8
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * crio: use the image_tag on RHELGiuseppe Scrivano2017-09-271-2/+11
| | | | | | | | | | | | Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1493376 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * docker: use the image_tag on RHELGiuseppe Scrivano2017-09-271-1/+10
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Restore registires to /etc/sysconfig/dockerMichael Gugino2017-10-021-2/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | Previously, a commit was added to migrate registires from /etc/sysconfig/docker to /etc/containers/registries.conf We are not currently enforcing a minimum version of docker to consume from this new file, thus some installations are not utilizing the correct repositories. This commit duplicates the registires in both locations to ensure additional/blocked/insecure registries are honored.
* | Fix typo in files (Docker registries)William Burton2017-09-292-2/+2
| |
* | Migrate enterprise registry logic to docker roleMichael Gugino2017-09-274-9/+19
|/ | | | | | | | | | | | | Currently, the enterprise registry to forcefully added in openshift_facts. Recently, the docker role has been modified to consume registry variables directly, bypassing openshift_facts. This commit cleans up unused code in openshift_facts, and migrates enterprise registry logic to the docker role. Fixes: https://github.com/openshift/openshift-ansible/issues/5557
* Merge pull request #5519 from giuseppe/crio-set-proper-tagOpenShift Merge Robot2017-09-261-1/+1
|\ | | | | | | | | | | | | Automatic merge from submit-queue Detect the proper version of the images when using CRI-O Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1494357
| * crio: set the correct image name with OSEGiuseppe Scrivano2017-09-251-1/+1
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | Merge pull request #5205 from mgugino-upstream-stage/docker-etc-containers-regsOpenShift Merge Robot2017-09-253-9/+69
|\ \ | |/ |/| | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue Move additional/block/insecure registires to /etc/containers/... Move additional/block/insecure registires to /etc/containers/registries.conf This commit moves additional/block/insecure registries to /etc/containers/registries.conf and comments existing lines in /etc/sysconfig/docker. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1460930
| * Move additional/block/insecure registires to /etc/containers/registries.confMichael Gugino2017-09-213-9/+69
| | | | | | | | | | | | | | | | This commit moves additional/block/insecure registries to /etc/containers/registries.conf and comments existing lines in /etc/sysconfig/docker. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1460930
* | Merge pull request #5501 from giuseppe/crio-skip-nfs-and-lbOpenShift Merge Robot2017-09-241-0/+1
|\ \ | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue crio: skip installation on lbs and nfs nodes Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1494461 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
| * | crio: skip installation on lbs and nfs nodesGiuseppe Scrivano2017-09-221-0/+1
| | | | | | | | | | | | | | | | | | Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1494461 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | | Merge pull request #5354 from ashcrow/crio-systemcontainer-image-overrideOpenShift Merge Robot2017-09-221-8/+12
|\ \ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue cri-o: Allow full image override ``openshift_crio_systemcontainer_image_registry_override`` has been replaced with ``openshift_crio_systemcontainer_image_override``. The difference is ``openshift_crio_systemcontainer_image_override`` takes a full image path including the tag. Example: ``` openshift_crio_systemcontainer_image_override=gscrivano/cri-o-centos:latest ```
| * | | cri-o: Allow full image overrideSteve Milner2017-09-121-8/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | openshift_crio_systemcontainer_image_registry_override has been replaced with openshift_crio_systemcontainer_image_override. The difference is openshift_crio_systemcontainer_image_override takes a full image path including the tag. Example: openshift_crio_systemcontainer_image_override=gscrivano/cri-o-centos:latest
* | | | Merge pull request #5477 from mgugino-upstream-stage/hot-fix-oreg_urlOpenShift Merge Robot2017-09-211-2/+2
|\ \ \ \ | |_|/ / |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Automatic merge from submit-queue Remove default value for oreg_url Due to some plays importing variables from roles directly, oreg_url was being set to a default value when it otherwise shouldn't be. This commit removes the default values for oreg_url to ensure existing logic works as desired. Fixes: https://github.com/openshift/openshift-ansible/issues/5455
| * | | Remove default value for oreg_urlMichael Gugino2017-09-201-2/+2
| | |/ | |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | Due to some plays importing variables from roles directly, oreg_url was being set to a default value when it otherwise shouldn't be. This commit removes the default values for oreg_url to ensure existing logic works as desired. Fixes: https://github.com/openshift/openshift-ansible/issues/5455
* / | crio: ensure no default CNI configuration files are leftGiuseppe Scrivano2017-09-201-0/+8
|/ / | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | more retries on repoquery_cmdLuke Meyer2017-09-191-1/+1
| |
* | Merge pull request #5401 from sosiouxme/20170913-retries-subsetLuke Meyer2017-09-141-0/+2
|\ \ | | | | | | add retries on repoquery
| * | add retry on repoquery_cmdLuke Meyer2017-09-131-0/+2
| |/
* | Merge pull request #5359 from mgugino-upstream-stage/version-docker-auth-configOpenShift Bot2017-09-132-0/+17
|\ \ | | | | | | Merged by openshift-bot
| * | Fix: authenticated registry support for containerized hostsMichael Gugino2017-09-112-0/+17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently, openshift-anisble supports authentication to container registries to pull down openshift container images. The openshift_verison role uses the docker cli to gather image information from container registries before authentication credentials are provided by openshift-ansible. This commit creates the necessary token to authenticate to private registries during openshift_version. The token is generated by the role 'docker' on all hosts where docker is installed/configured when oreg_auth_users is defined. This commit also adds a read-only mount into the openshift master and node container services. This mount is '/var/lib/origin/.docker:/root/.docker:ro'. This is because the container images do not currently read the values in '/var/lib/origin/.docker' as this may be a bug upstream. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341
* | | cri-o: Fix Fedora image nameSteve Milner2017-09-131-1/+1
| |/ |/| | | | | Signed-off-by: Steve Milner <smilner@redhat.com>
* | container-engine: Allow full image overrideSteve Milner2017-09-111-8/+12
|/ | | | | | | | | | | | | openshift_docker_systemcontainer_image_registry_override has been replaced with openshift_docker_systemcontainer_image_override. The difference is openshift_docker_systemcontainer_image_override takes a full image path including the tag. Example: openshift_docker_systemcontainer_image_override=gscrivano/container-engine:latest Signed-off-by: Steve Milner <smilner@redhat.com>
* Merge pull request #5310 from ashcrow/split-rhel-centos-crioOpenShift Bot2017-09-071-2/+8
|\ | | | | Merged by openshift-bot
| * cri-o: Split RHEL and CentOS imagesSteve Milner2017-09-061-2/+8
| |
* | Merge pull request #5202 from giuseppe/crio-additional-registriesOpenShift Bot2017-09-062-0/+14
|\ \ | |/ |/| Merged by openshift-bot
| * cri-o: add support for additional registriesGiuseppe Scrivano2017-08-242-0/+14
| | | | | | | | | | | | | | Support added to CRI-O with: https://github.com/kubernetes-incubator/cri-o/commit/a35727c80bd2a26613aae21db00628045cb9be24 Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | roles: use openshift_use_crioGiuseppe Scrivano2017-08-251-2/+2
| | | | | | | | Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* | cri-o: change to system runcGiuseppe Scrivano2017-08-251-1/+1
|/ | | | | | | Newer versions of cri-o do not carry runc but use the one from the system. Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
* First attempt at refactor of os_firewallKenny Woodson2017-08-081-1/+0
|