From b88adec6c15157c2894ccfe2ac855e67fb48ca33 Mon Sep 17 00:00:00 2001
From: Steve Milner <smilner@redhat.com>
Date: Thu, 2 Nov 2017 16:41:47 -0400
Subject: openshift_hosted: Add docker-gc

Two new inventory variables have been created:

- openshift_crio_enable_docker_gc: Enable docker_gc daemon set
- openshift_crio_docker_gc_node_selector: Optional dictionary to use node
selector

When openshift_crio_enable_docker_gc and openshift_use_crio are both true,
the dockergc DaemonSet is created along with a dockergc service account
(the DaemonSet runs as that service account).

Signed-off-by: Steve Milner <smilner@redhat.com>
---
 roles/openshift_docker_gc/defaults/main.yml        |  3 ++
 roles/openshift_docker_gc/meta/main.yml            | 13 +++++
 roles/openshift_docker_gc/tasks/main.yaml          | 27 ++++++++++
 .../templates/dockergc-ds.yaml.j2                  | 58 ++++++++++++++++++++++
 4 files changed, 101 insertions(+)
 create mode 100644 roles/openshift_docker_gc/defaults/main.yml
 create mode 100644 roles/openshift_docker_gc/meta/main.yml
 create mode 100644 roles/openshift_docker_gc/tasks/main.yaml
 create mode 100644 roles/openshift_docker_gc/templates/dockergc-ds.yaml.j2


diff --git a/roles/openshift_docker_gc/defaults/main.yml b/roles/openshift_docker_gc/defaults/main.yml
new file mode 100644
index 000000000..9d79de8a1
--- /dev/null
+++ b/roles/openshift_docker_gc/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+r_enable_docker_gc: "{{ openshift_crio_enable_docker_gc | default(False) }}"
+r_docker_gc_node_selectors: "{{ openshift_crio_docker_gc_node_selector | default({}) }}"
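Review bot: `r_enable_docker_gc` is defined here but nothing in this role's own tasks reads it — the tasks file grants the SCC and creates the DaemonSet unconditionally — so the `openshift_crio_enable_docker_gc` gate described in the commit message must live in whatever playbook includes the role; presumably that is intended, but the role should either apply the gate itself (`when: r_enable_docker_gc | bool` on its tasks) or state in a comment that callers are responsible for it. Inventory values frequently arrive as the strings `"true"`/`"false"`, and a `when:` on a non-empty string is always truthy, so coerce the value here: `r_enable_docker_gc: "{{ openshift_crio_enable_docker_gc | default(false) | bool }}"`. The `{}` default for the node selector is fine, since the template tests it for emptiness before emitting `nodeSelector`.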
diff --git a/roles/openshift_docker_gc/meta/main.yml b/roles/openshift_docker_gc/meta/main.yml
new file mode 100644
index 000000000..f88a7c533
--- /dev/null
+++ b/roles/openshift_docker_gc/meta/main.yml
@@ -0,0 +1,13 @@
+---
+galaxy_info:
+  author: OpenShift
+  description: docker garbage collection
+  company: Red Hat, Inc
+  license: ASL 2.0
+  min_ansible_version: 2.2
+  platforms:
+  - name: EL
+    versions:
+    - 7
+dependencies:
+- role: lib_openshift
diff --git a/roles/openshift_docker_gc/tasks/main.yaml b/roles/openshift_docker_gc/tasks/main.yaml
new file mode 100644
index 000000000..9ba551479
--- /dev/null
+++ b/roles/openshift_docker_gc/tasks/main.yaml
@@ -0,0 +1,27 @@
+---
+- name: Create docker-gc tempdir
+  command: mktemp -d
+  register: templates_tmpdir
+
+# NOTE: oc_adm_policy_user does not support -z (yet)
+- name: Add dockergc as priviledged
+  shell: oc adm policy add-scc-to-user -z dockergc privileged
+#  oc_adm_policy_user:
+#    user: dockergc
+#    resource_kind: scc
+#    resource_name: privileged
+#    state: present
+
+- name: Create dockergc DaemonSet
+  become: yes
+  template:
+    src: dockergc-ds.yaml.j2
+    dest: "{{ templates_tmpdir.stdout }}/dockergc-ds.yaml"
+
+- name: Apply dockergc DaemonSet
+  oc_obj:
+    state: present
+    kind: DaemonSet
+    name: "dockergc"
+    files:
+    - "{{ templates_tmpdir.stdout }}/dockergc-ds.yaml"
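Review bot: The `Add dockergc as priviledged` task grants the cluster's most permissive SCC through a raw `shell` call with no namespace and no `changed_when`, so it reports changed on every run, and `-z dockergc` is resolved against the kubeconfig's current project, while the `oc_obj` task that creates the `dockergc` ServiceAccount passes no `namespace:` either; if the two resolve differently, the SCC is granted to a different `system:serviceaccount:<ns>:dockergc` than the one the DaemonSet runs as. Use `command:` (no shell features are used), give both tasks the same explicit namespace, e.g. `command: oc adm policy add-scc-to-user privileged -z dockergc -n <ns>` plus `namespace: <ns>` on the `oc_obj` task, and register the command's output to derive `changed_when` instead of leaving it unconditional. The `mktemp -d` directory is never removed, so every run leaves a rendered manifest on the host; add a final `file: { path: "{{ templates_tmpdir.stdout }}", state: absent }` task. Also fix the typo "priviledged" in the task name and write `become: true` rather than `yes`.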
diff --git a/roles/openshift_docker_gc/templates/dockergc-ds.yaml.j2 b/roles/openshift_docker_gc/templates/dockergc-ds.yaml.j2
new file mode 100644
index 000000000..53e8b448b
--- /dev/null
+++ b/roles/openshift_docker_gc/templates/dockergc-ds.yaml.j2
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: List
+items:
+- apiVersion: v1
+  kind: ServiceAccount
+  metadata:
+    name: dockergc
+  # You must grant privileged via: oadm policy add-scc-to-user -z dockergc privileged
+  # in order for the dockergc to access the docker socket and root directory
+- apiVersion: extensions/v1beta1
+  kind: DaemonSet
+  metadata:
+    name: dockergc
+    labels:
+      app: dockergc
+  spec:
+    template:
+      metadata:
+        labels:
+          app: dockergc
+        name: dockergc
+      spec:
+{# Only set nodeSelector if the dict is not empty #}
+{% if r_docker_gc_node_selectors %}
+        nodeSelector:
+{% for k,v in r_docker_gc_node_selectors.items() %}
+          {{ k }}: {{ v }}{% endfor %}{% endif %}
+
+        serviceAccountName: dockergc
+        containers:
+        - image: openshift/origin:latest
+          args:
+          - "ex"
+          - "dockergc"
+          - "--image-gc-low-threshold=60"
+          - "--image-gc-high-threshold=80"
+          - "--minimum-ttl-duration=1h0m0s"
+          securityContext:
+            privileged: true
+          name: dockergc
+          resources:
+            requests:
+              memory: 30Mi
+              cpu: 50m
+          volumeMounts:
+          - name: docker-root
+            readOnly:  true
+            mountPath: /var/lib/docker
+          - name: docker-socket
+            readOnly:  false
+            mountPath: /var/run/docker.sock
+        volumes:
+        - name: docker-root
+          hostPath:
+            path: /var/lib/docker
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
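Review bot: `image: openshift/origin:latest` runs with `privileged: true` on every node and the Docker socket mounted read-write, so whatever `latest` resolves to at pull time gets root-equivalent access to each host; pin the image to the tag the installer already uses for the rest of the cluster (or a digest) so a registry-side tag move cannot change what runs as privileged. The nodeSelector loop is also fragile: with the template module's default `trim_blocks: yes`, the newline after `{% for %}` is dropped and `{% endfor %}` sits on the same line as `{{ v }}`, so a selector with two or more keys renders them onto one line and the resulting YAML is invalid; `nodeSelector: {{ r_docker_gc_node_selectors | to_json }}` inside the `{% if %}` replaces the loop and additionally quotes values such as `true` that the plain `{{ v }}` would let YAML retype. The ServiceAccount comment asserts that the privileged SCC is needed "to access the docker socket and root directory", but the patch gives no evidence that `privileged: true` is required once the socket is mounted — worth confirming against `oc ex dockergc` and dropping it if the hostPath mounts alone suffice.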