From e781e4cb8be85e201ad6e20ddd70401318846323 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Fri, 14 Jul 2017 10:37:48 -0400 Subject: cri-o: Allow cri-o usage. This change reuses the docker role to inject cri-o usage. --- roles/docker/tasks/main.yml | 5 ++ roles/docker/tasks/systemcontainer_crio.yml | 105 ++++++++++++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 roles/docker/tasks/systemcontainer_crio.yml diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 0c2b16acf..fab1ac57a 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -7,6 +7,7 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" + l_use_crio: "{{ openshift.docker.use_crio | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml @@ -15,3 +16,7 @@ - name: Use System Container Docker if Requested include: systemcontainer_docker.yml when: l_use_system_container + +- name: Add CRI-O usage Requested + include: systemcontainer_crio.yml + when: l_use_crio diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml new file mode 100644 index 000000000..c67904873 --- /dev/null +++ b/roles/docker/tasks/systemcontainer_crio.yml 
@@ -0,0 +1,105 @@ +--- +# TODO: Much of this file is shared with container engine tasks + +- name: Ensure container-selinux is installed + package: + name: container-selinux + state: present + when: not openshift.common.is_atomic | bool + +# Used to pull and install the system container +- name: Ensure atomic is installed + package: + name: atomic + state: present + when: not openshift.common.is_atomic | bool + +# At the time of writing the atomic command requires runc for it's own use. This +# task is here in the even that the atomic package ever removes the dependency. +- name: Ensure runc is installed + package: + name: runc + state: present + when: not openshift.common.is_atomic | bool + +- block: + + - name: Add http_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?http_proxy[:=]{1}" + line: "http_proxy: {{ openshift.common.http_proxy | default('') }}" + when: + - openshift.common.http_proxy is defined + - openshift.common.http_proxy != '' + + - name: Add https_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?https_proxy[:=]{1}" + line: "https_proxy: {{ openshift.common.https_proxy | default('') }}" + when: + - openshift.common.https_proxy is defined + - openshift.common.https_proxy != '' + + - name: Add no_proxy to /etc/atomic.conf + lineinfile: + dest: /etc/atomic.conf + regexp: "^#?no_proxy[:=]{1}" + line: "no_proxy: {{ openshift.common.no_proxy | default('') }}" + when: + - openshift.common.no_proxy is defined + - openshift.common.no_proxy != '' + + +- block: + + - name: Set to default prepend + set_fact: + l_crio_image_prepend: "gscrivano" + + - name: Use Red Hat Registry for image when distribution is Red Hat + set_fact: + l_crio_image_prepend: "registry.access.redhat.com/openshift3" + when: ansible_distribution == 'RedHat' + + - name: Use Fedora Registry for image when distribution is Fedora + set_fact: + l_crio_image_prepend: "registry.fedoraproject.org/f25" + when: ansible_distribution == 
'Fedora' + + # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 + - name: Use a testing registry if requested + set_fact: + l_crio_image_prepend: "{{ openshift_docker_systemcontainer_image_registry_override }}" + when: + - openshift_docker_systemcontainer_image_registry_override is defined + - openshift_docker_systemcontainer_image_registry_override != "" + + - name: Set the full image name + set_fact: + l_crio_image: "{{ l_crio_image_prepend }}/{{ openshift.docker.service_name }}:latest" + +# NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released +- name: Pre-pull CRI-O System Container image + command: "atomic pull --storage ostree {{ l_crio_image }}" + changed_when: false + environment: + NO_PROXY: "{{ openshift.common.no_proxy | default('') }}" + + +- name: Install CRI-O System Container + oc_atomic_container: + name: "cri-o" + image: "{{ l_crio_image }}" + state: latest + +- name: Start the CRI-O service + systemd: + name: "cri-o" + enabled: yes + state: started + daemon_reload: yes + register: start_result + +- meta: flush_handlers -- cgit v1.2.3 From 19b32d2a2ba68655afed6ba3c2cda3050b9070b4 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Fri, 14 Jul 2017 12:33:14 -0400 Subject: inventory: Add use_crio example --- inventory/byo/hosts.origin.example | 6 +++++- inventory/byo/hosts.ose.example | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index f09c3d255..c9f79d964 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example 
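Review bot: In roles/docker/tasks/systemcontainer_crio.yml, "Set the full image name" builds `l_crio_image` with a hard-coded `:latest` tag, and the default prefix is the bare `gscrivano` namespace, so the system container that `oc_atomic_container` installs with `state: latest` follows whatever that mutable tag points to at run time. Because this image becomes the node's container runtime, I would take the tag from an inventory variable and pin it to a released version or digest, e.g. `l_crio_image: "{{ l_crio_image_prepend }}/{{ openshift.docker.service_name }}:{{ <pinned tag variable> }}"`. The pre-pull task also sets `changed_when: false`, so a run that fetches new image content is not reported as a change; a comment saying that this is intentional would help. The later hunk in this series that switches the prefix to `docker.io/gscrivano` keeps the same `:latest` pattern.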
@@ -108,7 +108,11 @@ openshift_release=v3.6 # The following options must not be used # - openshift_docker_options #openshift_docker_use_system_container=False -# Force the registry to use for the system container. By default the registry +# Instead of using docker, replacec it with cri-o +# NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override +# just as container-engine does. +#use_crio=False +# Force the registry to use for the docker/crio system container. By default the registry # will be built off of the deployment type and ansible_distribution. Only # use this option if you are sure you know what you are doing! #openshift_docker_systemcontainer_image_registry_override="registry.example.com" diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index c4b5da5b8..a4a9cca81 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -108,7 +108,11 @@ openshift_release=v3.6 # The following options must not be used # - openshift_docker_options #openshift_docker_use_system_container=False -# Force the registry to use for the system container. By default the registry +# Install and run cri-o along side docker +# NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override +# just as container-engine does. +#use_crio=False +# Force the registry to use for the container-engine/crio system container. By default the registry # will be built off of the deployment type and ansible_distribution. Only # use this option if you are sure you know what you are doing! #openshift_docker_systemcontainer_image_registry_override="registry.example.com" -- cgit v1.2.3 From 55f6b3879d770d756963564a5894c09806a31003 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Sat, 15 Jul 2017 21:45:13 +0200 Subject: node.yaml: configure node to use cri-o when openshift.common.use_crio 
Signed-off-by: Giuseppe Scrivano --- roles/openshift_node/templates/node.yaml.v1.j2 | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index 351c8c9f6..a400dd8d9 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -16,6 +16,21 @@ imageConfig: latest: false kind: NodeConfig kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yaml(level=1) }} +{% if use_crio | default(False) %} + container-runtime: + - remote + container-runtime-endpoint: + - /var/run/crio.sock + enable-cri: + - 'true' + image-service-endpoint: + - /var/run/crio.sock + node-labels: + - router=true + - registry=true + runtime-request-timeout: + - 10m +{% endif %} {% if openshift.common.version_gte_3_3_or_1_3 | bool %} masterClientConnectionOverrides: acceptContentTypes: application/vnd.kubernetes.protobuf,application/json -- cgit v1.2.3 From ba71fba1dc64a05b9cc26b72263255a915601c84 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Sun, 16 Jul 2017 00:25:26 +0200 Subject: cri-o: configure storage and insecure registries Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/main.yml | 10 +++++++--- roles/docker/tasks/systemcontainer_crio.yml | 27 +++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 3 deletions(-) diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index fab1ac57a..61230fa3d 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -7,7 +7,7 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" - l_use_crio: "{{ openshift.docker.use_crio | default(False) }}" + l_use_crio: "{{ use_crio | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml 
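Review bot: In roles/openshift_node/templates/node.yaml.v1.j2 the CRI-O branch hard-codes `node-labels` of `router=true` and `registry=true`, so every node rendered with `use_crio` set is labelled as a router and registry target regardless of the inventory. The block is also appended after the `to_padded_yaml` output of `openshift.node.kubelet_args`, so a key the user already set there (for example `node-labels`) would appear twice under `kubeletArguments`, and most YAML loaders silently keep the last one. I would drop the two labels from the template, or merge the CRI-O arguments into the kubelet_args dict before rendering, and add a comment naming which keys the template owns.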
@@ -15,8 +15,12 @@ - name: Use System Container Docker if Requested include: systemcontainer_docker.yml - when: l_use_system_container + when: + - l_use_system_container + - not l_use_crio - name: Add CRI-O usage Requested include: systemcontainer_crio.yml - when: l_use_crio + when: + - l_use_system_container + - l_use_crio diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index c67904873..f3c03df2c 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -1,5 +1,7 @@ --- # TODO: Much of this file is shared with container engine tasks +- set_fact: + l_insecure_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" - name: Ensure container-selinux is installed package: @@ -94,6 +96,31 @@ image: "{{ l_crio_image }}" state: latest +- name: run CRI-O with overlay2 + replace: + regexp: 'storage_driver = ""' + replace: 'storage_driver = "overlay2"' + name: /etc/crio/crio.conf + backup: yes + +- name: Add overlay2 storage opts for CRI-O + lineinfile: + dest: /etc/crio/crio.conf + line: '"overlay2.override_kernel_check=1"' + insertafter: 'storage_option = \[' + regexp: 'overlay2\.override_kernel_check=1' + state: present + when: ansible_distribution in ['RedHat', 'CentOS'] + +- name: Configure insecure registries for CRI-O + lineinfile: + dest: /etc/crio/crio.conf + line: "{{ l_insecure_registries }}" + insertafter: 'insecure_registries = \[' + regexp: "{{ l_insecure_registries }}" + state: present + when: openshift_docker_insecure_registries is defined + - name: Start the CRI-O service systemd: name: "cri-o" -- cgit v1.2.3 From 85b9622751913619e57b9380b6051dc612e990b9 Mon Sep 17 00:00:00 2001 
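Review bot: In the `@@ -94,6 +96,31 @@` hunk of systemcontainer_crio.yml, "Configure insecure registries for CRI-O" passes `{{ l_insecure_registries }}` as the `regexp`, so registry names are interpreted as a regular expression and every `.` matches any character; `regexp: "{{ l_insecure_registries | regex_escape }}"` would match the literal line. The task is guarded by `openshift_docker_insecure_registries is defined`, while the `set_fact` added at the top of the file reads `openshift.docker.insecure_registries` unconditionally; with an empty list that fact renders as `""`, so the two should be guarded on the same variable. Since this list turns off TLS verification for image pulls, a comment next to the task saying so would be worth adding.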
From: Steve Milner Date: Mon, 17 Jul 2017 14:28:46 -0400 Subject: cri-o: Add cri-o as a Wants in node units --- roles/openshift_node/templates/node.service.j2 | 1 + roles/openshift_node/templates/openshift.docker.node.dep.service | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/openshift_node/templates/node.service.j2 b/roles/openshift_node/templates/node.service.j2 index e12a52c15..3d0ae3bbd 100644 --- a/roles/openshift_node/templates/node.service.j2 +++ b/roles/openshift_node/templates/node.service.j2 @@ -8,6 +8,7 @@ Wants={{ openshift.docker.service_name }}.service Documentation=https://github.com/openshift/origin Requires=dnsmasq.service After=dnsmasq.service +{% if openshift.docker.use_crio %}Wants=cri-o.service{% endif %} [Service] Type=notify diff --git a/roles/openshift_node/templates/openshift.docker.node.dep.service b/roles/openshift_node/templates/openshift.docker.node.dep.service index 4c47f8c0d..c4580be1f 100644 --- a/roles/openshift_node/templates/openshift.docker.node.dep.service +++ b/roles/openshift_node/templates/openshift.docker.node.dep.service @@ -3,7 +3,7 @@ Requires={{ openshift.docker.service_name }}.service After={{ openshift.docker.service_name }}.service PartOf={{ openshift.common.service_type }}-node.service Before={{ openshift.common.service_type }}-node.service - +{% if openshift.docker.use_crio %}Wants=cri-o.service{% endif %} [Service] ExecStart=/bin/bash -c "if [[ -f /usr/bin/docker-current ]]; then echo \"DOCKER_ADDTL_BIND_MOUNTS=--volume=/usr/bin/docker-current:/usr/bin/docker-current:ro --volume=/etc/sysconfig/docker:/etc/sysconfig/docker:ro\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; else echo \"#DOCKER_ADDTL_BIND_MOUNTS=\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; fi" -- cgit v1.2.3 From 0622da00a835fb431654cf997adc08e87b563efa Mon Sep 17 00:00:00 2001 
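Review bot: Both unit templates add `Wants=cri-o.service` without a matching `After=cri-o.service`, so systemd pulls CRI-O in but does not order the node after it, and the node may start before /var/run/crio.sock exists (inferred from the kubelet endpoint configured earlier in this series). The condition `{% if openshift.docker.use_crio %}` also has no default, unlike `{{ openshift.docker.use_crio | default(False) }}` in roles/docker/tasks/main.yml, so rendering presumably fails on hosts where the fact is not set. I would write `{% if openshift.docker.use_crio | default(False) %}` and emit both a `Wants=` and an `After=` line. In openshift.docker.node.dep.service the new line replaces the blank line that separated the unit section from `[Service]`.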
From: Steve Milner Date: Mon, 17 Jul 2017 17:10:50 -0400 Subject: cri-o: Hardcode image name to cri-o --- roles/docker/tasks/systemcontainer_crio.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index f3c03df2c..f88f167c7 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -80,7 +80,7 @@ - name: Set the full image name set_fact: - l_crio_image: "{{ l_crio_image_prepend }}/{{ openshift.docker.service_name }}:latest" + l_crio_image: "{{ l_crio_image_prepend }}/cri-o:latest" # NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released - name: Pre-pull CRI-O System Container image -- cgit v1.2.3 From d27fe5a5513649d34c7f208975b2ada5ea459d9b Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Tue, 18 Jul 2017 16:48:22 -0400 Subject: cri-o: Minor fixes for tasks --- roles/docker/tasks/main.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 61230fa3d..5f9e4cf8a 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -7,7 +7,7 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" - l_use_crio: "{{ use_crio | default(False) }}" + l_use_crio: "{{ openshift.docker.use_crio | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml @@ -22,5 +22,4 @@ - name: Add CRI-O usage Requested include: systemcontainer_crio.yml when: - - l_use_system_container - l_use_crio -- cgit v1.2.3 From f863a5bcffdcdbc4e54d7551a752b5a6f1253024 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Tue, 18 Jul 2017 16:48:51 -0400 Subject: openshift_docker_facts: Add use_crio --- roles/openshift_docker_facts/tasks/main.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml index 95e94171d..516d7dc29 100644 --- a/roles/openshift_docker_facts/tasks/main.yml +++ b/roles/openshift_docker_facts/tasks/main.yml @@ -17,6 +17,7 @@ hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.docker.hosted_registry_insecure | default(False)) }}" hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}" use_system_container: "{{ openshift_docker_use_system_container | default(False) }}" + use_crio: "{{ openshift_docker_use_crio | default(False) }}" - role: node local_facts: sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" -- cgit v1.2.3 From 3003a54811227f5434a8a3d7c8d54c3accafd1e3 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 19 Jul 2017 11:48:48 +0200 Subject: crio: use a template for the configuration Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/systemcontainer_crio.yml | 29 ++---- roles/docker/templates/crio.conf.j2 | 132 ++++++++++++++++++++++++++++ 2 files changed, 137 insertions(+), 24 deletions(-) create mode 100644 roles/docker/templates/crio.conf.j2 diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index f88f167c7..7c3ed90d8 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -1,7 +1,7 @@ --- # TODO: Much of this file is shared with container engine tasks - set_fact: - l_insecure_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" + l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" - name: Ensure container-selinux is installed package: 
@@ -96,30 +96,11 @@ image: "{{ l_crio_image }}" state: latest -- name: run CRI-O with overlay2 - replace: - regexp: 'storage_driver = ""' - replace: 'storage_driver = "overlay2"' - name: /etc/crio/crio.conf - backup: yes - -- name: Add overlay2 storage opts for CRI-O - lineinfile: +- name: Create the CRI-O configuration + template: dest: /etc/crio/crio.conf - line: '"overlay2.override_kernel_check=1"' - insertafter: 'storage_option = \[' - regexp: 'overlay2\.override_kernel_check=1' - state: present - when: ansible_distribution in ['RedHat', 'CentOS'] - -- name: Configure insecure registries for CRI-O - lineinfile: - dest: /etc/crio/crio.conf - line: "{{ l_insecure_registries }}" - insertafter: 'insecure_registries = \[' - regexp: "{{ l_insecure_registries }}" - state: present - when: openshift_docker_insecure_registries is defined + src: crio.conf.j2 + backup: yes - name: Start the CRI-O service systemd: diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 new file mode 100644 index 000000000..f7049aa41 --- /dev/null +++ b/roles/docker/templates/crio.conf.j2 
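Review bot: In the `@@ -96,30 +96,11 @@` hunk, "Create the CRI-O configuration" rewrites /etc/crio/crio.conf, but the following "Start the CRI-O service" task uses `state: started`, which leaves an already running cri-o on its old configuration; the visible lines show no `notify` or restart. I would register the template result and restart the service when it changed, or add `notify:` to a restart handler if the role has one. The task also sets no `owner`, `group` or `mode`, so the file's permissions depend on the umask; `mode: "0644"` with `owner: root` makes that explicit. `backup: yes` leaves timestamped copies of older configurations in /etc/crio, which deserves a comment.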
@@ -0,0 +1,132 @@ +# {{ ansible_managed }} + +# The "crio" table contains all of the server options. +[crio] + +# root is a path to the "root directory". CRIO stores all of its data, +# including container images, in this directory. +root = "/var/lib/containers/storage" + +# run is a path to the "run directory". CRIO stores all of its state +# in this directory. +runroot = "/var/run/containers/storage" + +# storage_driver select which storage driver is used to manage storage +# of images and containers. +storage_driver = "overlay2" + +# storage_option is used to pass an option to the storage driver. +storage_option = [ +{% if ansible_distribution in ['RedHat', 'CentOS'] %} + "overlay2.override_kernel_check=1" +{% endif %} +] + +# The "crio.api" table contains settings for the kubelet/gRPC +# interface (which is also used by crioctl). +[crio.api] + +# listen is the path to the AF_LOCAL socket on which crio will listen. +listen = "/var/run/crio.sock" + +# stream_address is the IP address on which the stream server will listen +stream_address = "" + +# stream_port is the port on which the stream server will listen +stream_port = "10010" + +# The "crio.runtime" table contains settings pertaining to the OCI +# runtime used and options for how to set up and manage the OCI runtime. +[crio.runtime] + +# runtime is the OCI compatible runtime used for trusted container workloads. +# This is a mandatory setting as this runtime will be the default one +# and will also be used for untrusted container workloads if +# runtime_untrusted_workload is not set. +runtime = "/usr/libexec/crio/runc" + +# runtime_untrusted_workload is the OCI compatible runtime used for untrusted +# container workloads. This is an optional setting, except if +# default_container_trust is set to "untrusted". +runtime_untrusted_workload = "" + +# default_workload_trust is the default level of trust crio puts in container +# workloads. 
It can either be "trusted" or "untrusted", and the default +# is "trusted". +# Containers can be run through different container runtimes, depending on +# the trust hints we receive from kubelet: +# - If kubelet tags a container workload as untrusted, crio will try first to +# run it through the untrusted container workload runtime. If it is not set, +# crio will use the trusted runtime. +# - If kubelet does not provide any information about the container workload trust +# level, the selected runtime will depend on the default_container_trust setting. +# If it is set to "untrusted", then all containers except for the host privileged +# ones, will be run by the runtime_untrusted_workload runtime. Host privileged +# containers are by definition trusted and will always use the trusted container +# runtime. If default_container_trust is set to "trusted", crio will use the trusted +# container runtime for all containers. +default_workload_trust = "trusted" + +# conmon is the path to conmon binary, used for managing the runtime. +conmon = "/usr/libexec/crio/conmon" + +# conmon_env is the environment variable list for conmon process, +# used for passing necessary environment variable to conmon or runtime. +conmon_env = [ + "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", +] + +# selinux indicates whether or not SELinux will be used for pod +# separation on the host. If you enable this flag, SELinux must be running +# on the host. +selinux = true + +# seccomp_profile is the seccomp json profile path which is used as the +# default for the runtime. +seccomp_profile = "/etc/crio/seccomp.json" + +# apparmor_profile is the apparmor profile name which is used as the +# default for the runtime. +apparmor_profile = "crio-default" + +# cgroup_manager is the cgroup management implementation to be used +# for the runtime. +cgroup_manager = "systemd" + +# The "crio.image" table contains settings pertaining to the +# management of OCI images. 
+[crio.image] + +# default_transport is the prefix we try prepending to an image name if the +# image name as we receive it can't be parsed as a valid source reference +default_transport = "docker://" + +# pause_image is the image which we use to instantiate infra containers. +pause_image = "kubernetes/pause" + +# pause_command is the command to run in a pause_image to have a container just +# sit there. If the image contains the necessary information, this value need +# not be specified. +pause_command = "/pause" + +# signature_policy is the name of the file which decides what sort of policy we +# use when deciding whether or not to trust an image that we've pulled. +# Outside of testing situations, it is strongly advised that this be left +# unspecified so that the default system-wide policy will be used. +signature_policy = "" + +# insecure_registries is used to skip TLS verification when pulling images. +insecure_registries = [ +{{ l_insecure_crio_registries }} +] + +# The "crio.network" table contains settings pertaining to the +# management of CNI plugins. +[crio.network] + +# network_dir is is where CNI network configuration +# files are stored. +network_dir = "/etc/cni/net.d/" + +# plugin_dir is is where CNI plugin binaries are stored. +plugin_dir = "/opt/cni/bin/" -- cgit v1.2.3 From c66d51f519acf2958a378c109750b86620e32122 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Wed, 19 Jul 2017 09:55:59 -0400 Subject: cri-o: Default insecure registries to "" --- roles/docker/tasks/systemcontainer_crio.yml | 1 + roles/docker/templates/crio.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 7c3ed90d8..651a20ea2 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml 
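Review bot: In roles/docker/templates/crio.conf.j2, `insecure_registries` is filled from `l_insecure_crio_registries`, a string whose quotes and commas are assembled by hand in the tasks file, so a registry value containing `"` or `\` produces an invalid or differently parsed array, and an empty list renders as a single empty-string entry. Rendering the list in the template is simpler and escapes each item: `insecure_registries = {{ openshift.docker.insecure_registries | default([]) | to_json }}` (a JSON array of strings should also be valid TOML; confirm against cri-o's parser). Separately, `storage_option` adds `overlay2.override_kernel_check=1` whenever the distribution is RedHat or CentOS; a comment stating why the kernel check is bypassed there would help the next reader.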
@@ -2,6 +2,7 @@ # TODO: Much of this file is shared with container engine tasks - set_fact: l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(openshift.docker.insecure_registries)) }}" + when: openshift.docker.insecure_registries - name: Ensure container-selinux is installed package: diff --git a/roles/docker/templates/crio.conf.j2 b/roles/docker/templates/crio.conf.j2 index f7049aa41..eae1759ab 100644 --- a/roles/docker/templates/crio.conf.j2 +++ b/roles/docker/templates/crio.conf.j2 @@ -117,7 +117,7 @@ signature_policy = "" # insecure_registries is used to skip TLS verification when pulling images. insecure_registries = [ -{{ l_insecure_crio_registries }} +{{ l_insecure_crio_registries|default("") }} ] # The "crio.network" table contains settings pertaining to the -- cgit v1.2.3 From 941b8905feb30f2537360b002ae4b9a457b0f3e2 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Wed, 19 Jul 2017 10:22:40 -0400 Subject: cri-o: Ensure overlay is available Some distro releases may not have overlay loaded into the kernel. This change looks for overlay via lsmod and, if it isn't already there, uses modprobe to load it in and then drops a load config into /etc/modules-load.d/overlay.conf. --- roles/docker/tasks/systemcontainer_crio.yml | 20 ++++++++++++++++++++ roles/docker/templates/overlay.conf.j2 | 2 ++ 2 files changed, 22 insertions(+) create mode 100644 roles/docker/templates/overlay.conf.j2 diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 651a20ea2..68f9d9649 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml 
@@ -25,6 +25,26 @@ state: present when: not openshift.common.is_atomic | bool + +- name: Check that overlay is in the kernel + shell: lsmod | grep overlay + register: l_has_overlay_in_kernel + ignore_errors: yes + + +- when: l_has_overlay_in_kernel.rc != 0 + block: + + - name: Add overlay to modprobe.d + template: + dest: /etc/modules-load.d/overlay.conf + src: overlay.conf.j2 + backup: yes + + - name: Manually modprobe overlay into the kernel + command: modprobe overlay + + - block: - name: Add http_proxy to /etc/atomic.conf diff --git a/roles/docker/templates/overlay.conf.j2 b/roles/docker/templates/overlay.conf.j2 new file mode 100644 index 000000000..782f46c2e --- /dev/null +++ b/roles/docker/templates/overlay.conf.j2 @@ -0,0 +1,2 @@ +### {{ ansible_managed }} +overlay -- cgit v1.2.3 From 4588260e27e0e139690d0219f6e57b125dce116a Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Wed, 19 Jul 2017 10:36:24 -0400 Subject: cri-o: Fix node template to use full variable --- roles/openshift_node/templates/node.yaml.v1.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index a400dd8d9..2a664790f 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -16,7 +16,7 @@ imageConfig: latest: false kind: NodeConfig kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yaml(level=1) }} -{% if use_crio | default(False) %} +{% if openshift.docker.use_crio | default(False) %} container-runtime: - remote container-runtime-endpoint: -- cgit v1.2.3 From a4be4c390a5eca18ef2cec8af57c24dfc162e6d2 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Wed, 19 Jul 2017 16:40:04 -0400 Subject: openshift_node: fix typo for experimental-cri --- roles/openshift_node/templates/node.yaml.v1.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
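Review bot: In the `@@ -25,6 +25,26 @@` hunk, "Check that overlay is in the kernel" runs `lsmod | grep overlay` with `ignore_errors: yes`: the grep matches any lsmod line containing that substring, any other failure of the shell task is ignored as well, and the task reports changed on every run. `shell: lsmod | grep -q '^overlay '` with `failed_when: false` and `changed_when: false` keeps the probe precise and quiet; alternatively the `modprobe` module (`modprobe: name=overlay state=present`) is idempotent and removes the need for the probe. The task named "Add overlay to modprobe.d" actually writes /etc/modules-load.d/overlay.conf, so its name should say modules-load.d.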
diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index 2a664790f..93f8658b4 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -21,7 +21,7 @@ kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yam - remote container-runtime-endpoint: - /var/run/crio.sock - enable-cri: + experimental-cri: - 'true' image-service-endpoint: - /var/run/crio.sock -- cgit v1.2.3 From 5e218e1a1df44897b46f5467e14c97d0155bae97 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Thu, 20 Jul 2017 12:38:56 -0400 Subject: cri-o: Enable systemd-modules-load if required If we had to drop the overlay file in /etc/modules-load.d/ then enable the systemd-modules-load service and make sure it runs. --- roles/docker/tasks/systemcontainer_crio.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 68f9d9649..21fc703fe 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -44,6 +44,12 @@ - name: Manually modprobe overlay into the kernel command: modprobe overlay + - name: Enable and start systemd-modules-load + service: + name: systemd-modules-load + enabled: yes + state: restarted + - block: -- cgit v1.2.3 From 72eaf22e58299e6584b026afb609266835177175 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Thu, 27 Jul 2017 09:20:10 +0200 Subject: cri-o: use only images from Docker Hub For the time being it won't be added to the Red Hat registry, so use only what is available on Docker Hub. Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/systemcontainer_crio.yml | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index 21fc703fe..cfc9157cc 100644 
--- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -85,17 +85,13 @@ - name: Set to default prepend set_fact: - l_crio_image_prepend: "gscrivano" + l_crio_image_prepend: "docker.io/gscrivano" + l_crio_image_name: "crio-o-fedora" - - name: Use Red Hat Registry for image when distribution is Red Hat + - name: Use Centos based image when distribution is Red Hat or CentOS set_fact: - l_crio_image_prepend: "registry.access.redhat.com/openshift3" - when: ansible_distribution == 'RedHat' - - - name: Use Fedora Registry for image when distribution is Fedora - set_fact: - l_crio_image_prepend: "registry.fedoraproject.org/f25" - when: ansible_distribution == 'Fedora' + l_crio_image_name: "cri-o-centos" + when: ansible_distribution in ['RedHat', 'CentOS'] # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 - name: Use a testing registry if requested @@ -107,7 +103,7 @@ - name: Set the full image name set_fact: - l_crio_image: "{{ l_crio_image_prepend }}/cri-o:latest" + l_crio_image: "{{ l_crio_image_prepend }}/{{ l_crio_image_name }}:latest" # NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released - name: Pre-pull CRI-O System Container image -- cgit v1.2.3 From 8926c30ecb60a95eb5a9611810657d100a4a6b18 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Thu, 27 Jul 2017 10:56:07 +0200 Subject: cri-o: skip Docker version test Signed-off-by: Giuseppe Scrivano --- roles/openshift_facts/tasks/main.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index 451386bf1..4af02ab96 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml 
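Review bot: The default `l_crio_image_name: "crio-o-fedora"` looks like a typo next to `"cri-o-centos"` in the following task; if the published image is named `cri-o-fedora`, hosts that are neither RedHat nor CentOS will fail at the pre-pull step. The hunk also makes `docker.io/gscrivano`, a personal Docker Hub namespace, the only default source for the container runtime image, still with the `:latest` tag in "Set the full image name". I would change the line to `l_crio_image_name: "cri-o-fedora"` after checking the registry, and add a comment that `openshift_docker_systemcontainer_image_registry_override` is how to point the role at a mirrored, pinned copy.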
@@ -7,6 +7,7 @@ # Locally setup containerized facts for now - set_fact: l_is_atomic: "{{ ostree_booted.stat.exists }}" + l_use_crio: "{{ openshift_docker_use_crio | default(false) }}" - set_fact: l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}" l_is_openvswitch_system_container: "{{ (openshift_use_openvswitch_system_container | default(openshift_use_system_containers) | bool) }}" @@ -55,6 +56,7 @@ - l_atomic_docker_version.stdout | replace('"', '') | version_compare('1.12','>=') when: + - not l_use_crio - l_is_atomic | bool - r_openshift_facts_ran is not defined -- cgit v1.2.3 From 398d5963d57a2022f18c4ded2b85619accb34b1e Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Thu, 27 Jul 2017 10:57:46 +0200 Subject: cri-o: skip Set precise containerized version check Signed-off-by: Giuseppe Scrivano --- roles/openshift_version/tasks/set_version_containerized.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml index 0ec4c49d6..4d9f72f01 100644 --- a/roles/openshift_version/tasks/set_version_containerized.yml +++ b/roles/openshift_version/tasks/set_version_containerized.yml @@ -1,4 +1,7 @@ --- +- set_fact: + l_use_crio: "{{ openshift_docker_use_crio | default(false) }}" + - name: Set containerized version to configure if openshift_image_tag specified set_fact: # Expects a leading "v" in inventory, strip it off here unless 
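Review bot: In roles/openshift_facts/tasks/main.yml the new condition `- not l_use_crio` is not passed through `| bool`, unlike `l_is_atomic | bool` on the next line. If `openshift_docker_use_crio` arrives as a string (for example from `-e openshift_docker_use_crio=false`), the non-empty string may be treated as truthy and the Docker version check would then be skipped on a host that does not use CRI-O. I would write `- not l_use_crio | bool` here and in the two `when:` lists changed in roles/openshift_version/tasks/set_version_containerized.yml. The task this `when:` belongs to starts outside the hunk.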
@@ -42,12 +45,18 @@ when: - openshift_version is defined - openshift_version.split('.') | length == 2 + - not l_use_crio - set_fact: openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2][1:] | join('-') if openshift.common.deployment_type == 'origin' else cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}" when: - openshift_version is defined - openshift_version.split('.') | length == 2 + - not l_use_crio + +# TODO: figure out a way to check for the openshift_version when using CRI-O. +# We should do that using the images in the ostree storage so we don't have +# to pull them again. # We finally have the specific version. Now we clean up any strange # dangly +c0mm1t-offset tags in the version. See also, -- cgit v1.2.3 From 2ea7c0d02d7bc10b3bb6313b13c3bbf37ca4a67c Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 26 Jul 2017 17:59:44 +0200 Subject: cli_image: do not require Docker when using CRI-O Use atomic to copy the CLI binaries to the host. Signed-off-by: Giuseppe Scrivano --- .../library/openshift_container_binary_sync.py | 64 +++++++++++++++++----- roles/openshift_cli/tasks/main.yml | 44 +++++++++++---- 2 files changed, 83 insertions(+), 25 deletions(-) diff --git a/roles/openshift_cli/library/openshift_container_binary_sync.py b/roles/openshift_cli/library/openshift_container_binary_sync.py index 57ac16602..c47203211 100644 --- a/roles/openshift_cli/library/openshift_container_binary_sync.py +++ b/roles/openshift_cli/library/openshift_container_binary_sync.py 
@@ -24,23 +24,51 @@ class BinarySyncError(Exception): self.msg = msg -# pylint: disable=too-few-public-methods +# pylint: disable=too-few-public-methods,too-many-instance-attributes class BinarySyncer(object): """ Syncs the openshift, oc, oadm, and kubectl binaries/symlinks out of a container onto the host system. """ - def __init__(self, module, image, tag): + def __init__(self, module, image, tag, backend): self.module = module self.changed = False self.output = [] self.bin_dir = '/usr/local/bin' self.image = image self.tag = tag + self.backend = backend self.temp_dir = None # TBD def sync(self): + if self.backend == 'atomic': + return self._sync_atomic() + + return self._sync_docker() + + def _sync_atomic(self): + self.temp_dir = tempfile.mkdtemp() + temp_dir_mount = tempfile.mkdtemp() + try: + image_spec = '%s:%s' % (self.image, self.tag) + rc, stdout, stderr = self.module.run_command(['atomic', 'mount', + '--storage', "ostree", + image_spec, temp_dir_mount]) + if rc: + raise BinarySyncError("Error mounting image. stdout=%s, stderr=%s" % + (stdout, stderr)) + for i in ["openshift", "oc"]: + src_file = os.path.join(temp_dir_mount, "usr/bin", i) + shutil.copy(src_file, self.temp_dir) + + self._sync_binaries() + finally: + self.module.run_command(['atomic', 'umount', temp_dir_mount]) + shutil.rmtree(temp_dir_mount) + shutil.rmtree(self.temp_dir) + + def _sync_docker(self): container_name = "openshift-cli-%s" % random.randint(1, 100000) rc, stdout, stderr = self.module.run_command(['docker', 'create', '--name', container_name, '%s:%s' % (self.image, self.tag)]) 
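Review bot: In `_sync_atomic` the `finally` block ignores the result of `atomic umount` and then calls `shutil.rmtree(temp_dir_mount)`, so if the unmount fails the recursive delete walks into the still-mounted image tree. I would check the return code and remove the mount point with `os.rmdir`, which refuses a non-empty or busy directory. The current order also runs `umount` when the mount itself failed, and an exception from `rmtree` on the mount point skips the cleanup of `self.temp_dir`. How `self.output` is reported to the caller is outside this hunk.

```python
        temp_dir_mount = tempfile.mkdtemp()
        mounted = False
        try:
            # … unchanged: atomic mount call and rc check …
            mounted = True
            # … unchanged: copy of openshift/oc, self._sync_binaries() …
        finally:
            shutil.rmtree(self.temp_dir, ignore_errors=True)
            if mounted:
                rc, stdout, stderr = self.module.run_command(['atomic', 'umount', temp_dir_mount])
                if rc:
                    self.output.append("Error unmounting image. stdout=%s, stderr=%s" %
                                       (stdout, stderr))
            try:
                # rmdir only removes an empty directory, so a failed unmount
                # cannot turn cleanup into a recursive delete of image content.
                os.rmdir(temp_dir_mount)
            except OSError:
                self.output.append("Leaving %s in place: not empty or still mounted" % temp_dir_mount)
```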
@@ -64,21 +92,24 @@ class BinarySyncer(object): raise BinarySyncError("Error copying file from docker container: stdout=%s, stderr=%s" % (stdout, stderr)) - self._sync_binary('openshift') - - # In older versions, oc was a symlink to openshift: - if os.path.islink(os.path.join(self.temp_dir, 'oc')): - self._sync_symlink('oc', 'openshift') - else: - self._sync_binary('oc') - - # Ensure correct symlinks created: - self._sync_symlink('kubectl', 'openshift') - self._sync_symlink('oadm', 'openshift') + self._sync_binaries() finally: shutil.rmtree(self.temp_dir) self.module.run_command(['docker', 'rm', container_name]) + def _sync_binaries(self): + self._sync_binary('openshift') + + # In older versions, oc was a symlink to openshift: + if os.path.islink(os.path.join(self.temp_dir, 'oc')): + self._sync_symlink('oc', 'openshift') + else: + self._sync_binary('oc') + + # Ensure correct symlinks created: + self._sync_symlink('kubectl', 'openshift') + self._sync_symlink('oadm', 'openshift') + def _sync_symlink(self, binary_name, link_to): """ Ensure the given binary name exists and links to the expected binary. """ @@ -112,14 +143,19 @@ def main(): argument_spec=dict( image=dict(required=True), tag=dict(required=True), + backend=dict(required=True), ), supports_check_mode=True ) image = module.params['image'] tag = module.params['tag'] + backend = module.params['backend'] + + if backend not in ["docker", "atomic"]: + module.fail_json(msg="unknown backend") - binary_syncer = BinarySyncer(module, image, tag) + binary_syncer = BinarySyncer(module, image, tag, backend) try: binary_syncer.sync() diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml index 07a00189c..c716a0860 100644 --- a/roles/openshift_cli/tasks/main.yml +++ b/roles/openshift_cli/tasks/main.yml 
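Review bot: The `os.path.islink(os.path.join(self.temp_dir, 'oc'))` branch in the new `_sync_binaries` is only reachable on the Docker path, because `_sync_atomic` (previous hunk) fills `self.temp_dir` with `shutil.copy`, which follows symlinks and writes a regular file. On the atomic path this also means a symlinked `usr/bin/oc` or `usr/bin/openshift` inside the mounted image is resolved on the host at copy time, so an absolute link target would be read from the host filesystem rather than from the image. I would give `_sync_binaries` a docstring stating that it expects `self.temp_dir` to hold `openshift` and `oc` with symlinks preserved, and have `_sync_atomic` test `os.path.islink(src_file)` before copying instead of taking the image layout on trust.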
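Review bot: The accepted values for `backend` are enforced by a hand-written `if backend not in ["docker", "atomic"]` after parsing in `main()`, although `AnsibleModule` can validate them in the argument spec. I would declare `backend=dict(required=True, choices=['docker', 'atomic']),` and drop the manual check, which also lists the accepted values in the module's error instead of the bare "unknown backend". `main()` starts and ends outside this hunk.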
@@ -1,20 +1,42 @@ --- +- set_fact: + l_use_crio: "{{ openshift_docker_use_crio | default(false) }}" + - name: Install clients package: name={{ openshift.common.service_type }}-clients state=present when: not openshift.common.is_containerized | bool -- name: Pull CLI Image - command: > - docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }} - register: pull_result - changed_when: "'Downloaded newer image' in pull_result.stdout" - when: openshift.common.is_containerized | bool +- block: + - name: Pull CLI Image + command: > + docker pull {{ openshift.common.cli_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Downloaded newer image' in pull_result.stdout" + + - name: Copy client binaries/symlinks out of CLI image for use on the host + openshift_container_binary_sync: + image: "{{ openshift.common.cli_image }}" + tag: "{{ openshift_image_tag }}" + backend: "docker" + when: + - openshift.common.is_containerized | bool + - not l_use_crio + +- block: + - name: Pull CLI Image + command: > + atomic pull --storage ostree {{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Pulling layer' in pull_result.stdout" -- name: Copy client binaries/symlinks out of CLI image for use on the host - openshift_container_binary_sync: - image: "{{ openshift.common.cli_image }}" - tag: "{{ openshift_image_tag }}" - when: openshift.common.is_containerized | bool + - name: Copy client binaries/symlinks out of CLI image for use on the host + openshift_container_binary_sync: + image: "{{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}" + tag: "{{ openshift_image_tag }}" + backend: "atomic" + when: + - openshift.common.is_containerized | bool + - l_use_crio - name: Reload facts to pick up installed OpenShift version openshift_facts: -- cgit v1.2.3 From 0a020bae8b93a53271c940714c8701d5e63db5f0 Mon Sep 17 00:00:00 2001 
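Review bot: The two new blocks give their tasks identical names (`Pull CLI Image`, `Copy client binaries/symlinks out of CLI image for use on the host`), so the play output does not show which backend ran and which was skipped. I would name the backend in each, for example `- name: Pull CLI Image (atomic)`. The atomic image reference `{{ openshift.common.system_images_registry }}/{{ openshift.common.cli_image }}` is also spelled out twice in that block; setting it once with `set_fact` keeps the pulled image and the image handed to `openshift_container_binary_sync` from drifting apart.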
From: Giuseppe Scrivano Date: Fri, 28 Jul 2017 11:24:12 +0200 Subject: openvswitch: system container depends on the cri-o service Signed-off-by: Giuseppe Scrivano --- roles/openshift_node/tasks/openvswitch_system_container.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml index c8d653880..3254b35d6 100644 --- a/roles/openshift_node/tasks/openvswitch_system_container.yml +++ b/roles/openshift_node/tasks/openvswitch_system_container.yml @@ -1,4 +1,15 @@ --- +- set_fact: + l_use_crio: "{{ openshift_docker_use_crio | default(false) }}" + +- set_fact: + l_service_name: "cri-o" + when: l_use_crio + +- set_fact: + l_service_name: "{{ openshift.docker.service_name }}" + when: not l_use_crio + - name: Pre-pull OpenVSwitch system container image command: > atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }} @@ -11,4 +22,4 @@ image: "{{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}" state: latest values: - - "DOCKER_SERVICE={{ openshift.docker.service_name }}.service" + - "DOCKER_SERVICE={{ l_service_name }}" -- cgit v1.2.3 From 0898ff62d1b17c5102d394bf5fbf7ca54b266b75 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 28 Jul 2017 12:10:18 +0200 Subject: docker: skip Docker setup when using CRI-O Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/main.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 5f9e4cf8a..aecb289d5 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml 
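Review bot: The `@@ -11,4 +22,4 @@` hunk changes the value from `{{ openshift.docker.service_name }}.service` to `{{ l_service_name }}`, which drops the `.service` suffix for Docker hosts as well as for CRI-O. If the system container uses `DOCKER_SERVICE` as a systemd unit name (not visible here), existing Docker deployments now receive the bare service name instead of the full unit name. I would keep the suffix, `- "DOCKER_SERVICE={{ l_service_name }}.service"`, or add a comment next to the `set_fact` tasks stating that the consumer accepts a name without it.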
@@ -11,7 +11,9 @@ - name: Use Package Docker if Requested include: package_docker.yml - when: not l_use_system_container + when: + - not l_use_system_container + - not l_use_crio - name: Use System Container Docker if Requested include: systemcontainer_docker.yml -- cgit v1.2.3 From f0a0e8466a917f0bf40c8b7f3076a1e8a2c8ed68 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Fri, 28 Jul 2017 18:37:58 +0200 Subject: docker: introduce use_crio_only Introduce a new variable that disable the installation of Docker. For the time being we will still need Docker for building images, so by default leave it installed. Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index aecb289d5..1f9ac5059 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -8,18 +8,19 @@ - set_fact: l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" l_use_crio: "{{ openshift.docker.use_crio | default(False) }}" + l_use_crio_only: "{{ openshift.docker.use_crio_only | default(False) }}" - name: Use Package Docker if Requested include: package_docker.yml when: - not l_use_system_container - - not l_use_crio + - not l_use_crio_only - name: Use System Container Docker if Requested include: systemcontainer_docker.yml when: - l_use_system_container - - not l_use_crio + - not l_use_crio_only - name: Add CRI-O usage Requested include: systemcontainer_crio.yml -- cgit v1.2.3 From 59c9668c314518762cceb5845998bc9466fa5722 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 31 Jul 2017 08:29:40 +0200 Subject: cri-o: allow to override CRI-O image indipendently from Docker Signed-off-by: Giuseppe Scrivano --- inventory/byo/hosts.origin.example | 1 + inventory/byo/hosts.ose.example | 1 + roles/docker/tasks/systemcontainer_crio.yml | 6 +++--- 3 files changed, 5 insertions(+), 3 deletions(-) 
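Review bot: In the `@@ -8,18 +8,19 @@` hunk both Docker includes are gated on `not l_use_crio_only` alone, so an inventory that sets `use_crio_only` without `use_crio` skips Docker and, assuming the CRI-O include is still conditioned on `l_use_crio` (its `when` is outside the hunk), installs no container runtime at all. I would add a `fail` task after the `set_fact` with `when: l_use_crio_only | bool and not l_use_crio | bool` and a message saying that `use_crio_only` requires `use_crio`. A one-line comment above `l_use_crio_only` stating that it only removes Docker and does not enable CRI-O would make the dependency explicit.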
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index c9f79d964..9237427b5 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -116,6 +116,7 @@ openshift_release=v3.6 # will be built off of the deployment type and ansible_distribution. Only # use this option if you are sure you know what you are doing! #openshift_docker_systemcontainer_image_registry_override="registry.example.com" +#openshift_crio_systemcontainer_image_registry_override="registry.example.com" # Items added, as is, to end of /etc/sysconfig/docker OPTIONS # Default value: "--log-driver=journald" #openshift_docker_options="-l warn --ipv6=false" diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index a4a9cca81..9c710bb0a 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -116,6 +116,7 @@ openshift_release=v3.6 # will be built off of the deployment type and ansible_distribution. Only # use this option if you are sure you know what you are doing! #openshift_docker_systemcontainer_image_registry_override="registry.example.com" +#openshift_crio_systemcontainer_image_registry_override="registry.example.com" # Items added, as is, to end of /etc/sysconfig/docker OPTIONS # Default value: "--log-driver=journald" #openshift_docker_options="-l warn --ipv6=false" diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index cfc9157cc..f18a5b117 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml 
@@ -96,10 +96,10 @@ # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 - name: Use a testing registry if requested set_fact: - l_crio_image_prepend: "{{ openshift_docker_systemcontainer_image_registry_override }}" + l_crio_image_prepend: "{{ openshift_crio_systemcontainer_image_registry_override }}" when: - - openshift_docker_systemcontainer_image_registry_override is defined - - openshift_docker_systemcontainer_image_registry_override != "" + - openshift_crio_systemcontainer_image_registry_override is defined + - openshift_crio_systemcontainer_image_registry_override != "" - name: Set the full image name set_fact: -- cgit v1.2.3 From 6245045546024ea1dbd4635ab4d1d58783c3aa34 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 31 Jul 2017 08:31:00 +0200 Subject: examples: use the correct variable name Signed-off-by: Giuseppe Scrivano --- inventory/byo/hosts.origin.example | 2 +- inventory/byo/hosts.ose.example | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index 9237427b5..239727c6e 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -111,7 +111,7 @@ openshift_release=v3.6 # Instead of using docker, replacec it with cri-o # NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override # just as container-engine does. -#use_crio=False +#openshift_docker_use_crio=False # Force the registry to use for the docker/crio system container. By default the registry # will be built off of the deployment type and ansible_distribution. Only # use this option if you are sure you know what you are doing! diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 9c710bb0a..837c54f27 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example 
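Review bot: After the rename in the `@@ -96,10 +96,10 @@` hunk the task reads only `openshift_crio_systemcontainer_image_registry_override`, so an inventory that already sets `openshift_docker_systemcontainer_image_registry_override` silently stops redirecting the CRI-O image and falls back to whatever registry was selected earlier in the file. The NOTE lines in `hosts.origin.example` and `hosts.ose.example` (context of the following hunks) still tell operators that CRI-O uses the docker override and should be corrected with this change. If the old variable is meant to keep working, the value could fall back with `{{ openshift_crio_systemcontainer_image_registry_override | default(openshift_docker_systemcontainer_image_registry_override) }}`, with the `when` conditions adjusted to match.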
@@ -111,7 +111,7 @@ openshift_release=v3.6 # Install and run cri-o along side docker # NOTE: This uses openshift_docker_systemcontainer_image_registry_override as it's override # just as container-engine does. -#use_crio=False +#openshift_docker_use_crio=False # Force the registry to use for the container-engine/crio system container. By default the registry # will be built off of the deployment type and ansible_distribution. Only # use this option if you are sure you know what you are doing! -- cgit v1.2.3 From 302171a630655f943f581634a7b8283160feb564 Mon Sep 17 00:00:00 2001 From: Steve Milner Date: Tue, 1 Aug 2017 12:15:04 -0400 Subject: cri-o: Continue node without SELinux check cri-o currently requires SELinux to be off. This change disables the SELinux check in the openshift_node role when cri-o is in use. --- roles/openshift_node/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 87b1f6537..6c3d10134 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -2,9 +2,9 @@ # TODO: allow for overriding default ports where possible - fail: msg: "SELinux is disabled, This deployment type requires that SELinux is enabled." - when: > - (not ansible_selinux or ansible_selinux.status != 'enabled') and - deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] + when: + - (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] + - not openshift_docker_use_crio | default(false) # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory - name: Check for swap usage -- cgit v1.2.3 From 39cf5084f18e2e0adca46b925660a6f2c38d227c Mon Sep 17 00:00:00 2001 
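Review bot: The added `- not openshift_docker_use_crio | default(false)` in the `@@ -2,9 +2,9 @@` hunk switches the SELinux requirement off without leaving any trace in the play output, so an enterprise deployment with SELinux disabled passes this gate silently whenever CRI-O is selected. I would state the reason above the task, `# cri-o currently requires SELinux to be off; drop this exception once it runs with SELinux enabled`, so the exception is revisited rather than kept indefinitely. A `debug` task under the same CRI-O condition that reports the skipped check would make the weaker host configuration visible to whoever reads the run log.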
From: Steve Milner Date: Tue, 1 Aug 2017 12:16:11 -0400 Subject: cri-o: Restart cri-o after openshift sdn installation --- roles/openshift_node/tasks/main.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 6c3d10134..ca4fef360 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -66,6 +66,13 @@ - openshift.common.use_openshift_sdn | default(true) | bool - not openshift.common.is_containerized | bool +- name: Restart cri-o + systemd: + name: cri-o + enabled: yes + state: restarted + when: openshift_docker_use_crio | default(false) + - name: Install conntrack-tools package package: name: "conntrack-tools" -- cgit v1.2.3 From 31e708a5d440a6ad13f81c4b94ad26e0b2d9587a Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Wed, 2 Aug 2017 18:44:08 +0200 Subject: cri-o: configure the CNI network Signed-off-by: Giuseppe Scrivano --- roles/docker/tasks/systemcontainer_crio.yml | 10 ++++++++++ roles/docker/templates/80-openshift-sdn.conf.j2 | 5 +++++ 2 files changed, 15 insertions(+) create mode 100644 roles/docker/templates/80-openshift-sdn.conf.j2 diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/docker/tasks/systemcontainer_crio.yml index f18a5b117..787f51f94 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/docker/tasks/systemcontainer_crio.yml @@ -125,6 +125,16 @@ src: crio.conf.j2 backup: yes +- name: Ensure CNI configuration directory exists + file: + path: /etc/cni/net.d/ + state: directory + +- name: Configure the CNI network + template: + dest: /etc/cni/net.d/openshift-sdn.conf + src: 80-openshift-sdn.conf.j2 + - name: Start the CRI-O service systemd: name: "cri-o" diff --git a/roles/docker/templates/80-openshift-sdn.conf.j2 b/roles/docker/templates/80-openshift-sdn.conf.j2 new file mode 100644 index 000000000..a693aea5f --- /dev/null +++ b/roles/docker/templates/80-openshift-sdn.conf.j2 
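Review bot: The new `Restart cri-o` task in the `@@ -66,6 +66,13 @@` hunk is not tied to the SDN install above it and uses `state: restarted`, so every run of the role with the variable set restarts the runtime on the node whether or not anything changed. I would move it to a handler notified by the SDN install task (that task starts outside the hunk), so the restart happens only after an actual change. `enabled: yes` is better written `enabled: true`.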
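Review bot: Neither the `/etc/cni/net.d/` directory task nor the template task in the `@@ -125,6 +125,16 @@` hunk sets ownership or mode, so the permissions of the file that tells CRI-O which network plugin to run depend on the umask of the run. I would add `owner: root`, `group: root` and `mode: "0644"` to the template task, and `mode: "0755"` with the same owner on the directory. The template is also installed as `openshift-sdn.conf` while its source is `80-openshift-sdn.conf.j2`; if the numeric prefix is meant to order it among other CNI configuration files, the destination should keep it.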
@@ -0,0 +1,5 @@ +{ + "cniVersion": "0.1.0", + "name": "openshift-sdn", + "type": "openshift-sdn" +} -- cgit v1.2.3