From 1945499e2f3c2b8f9e555405eac7896fd24d7e07 Mon Sep 17 00:00:00 2001
From: Etienne Champetier <champetier.etienne@gmail.com>
Date: Wed, 23 Dec 2020 16:12:26 -0500
Subject: [PATCH] Disable docker-ce yum repo by default / cleanups (#7080)

Upgrading docker / containerd without adapting the configuration might break the node,
so disable docker-ce repo by default.
We are already using dpkg hold for Debian.

All containerd.io packages provide /usr/bin/runc, so no need to check

yum_conf was never used for containerd

module_hotfixes should not be needed with the EL8 repo

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
---
 .../containerd/defaults/main.yml              |  2 +-
 .../containerd/tasks/containerd_repo.yml      | 15 -------------
 .../containerd/tasks/main.yml                 | 22 +------------------
 .../templates/fedora_containerd.repo.j2       |  2 +-
 .../templates/rh_containerd.repo.j2           |  5 +----
 .../containerd/vars/debian.yml                |  2 --
 .../containerd/vars/fedora.yml                |  2 --
 .../containerd/vars/redhat.yml                |  7 +-----
 .../containerd/vars/ubuntu-amd64.yml          |  2 --
 roles/container-engine/docker/tasks/main.yml  |  1 +
 .../docker/templates/rh_docker.repo.j2        |  5 +----
 roles/container-engine/docker/vars/redhat.yml |  5 +++++
 12 files changed, 12 insertions(+), 58 deletions(-)

diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
index bac182fc0..871994337 100644
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -14,7 +14,7 @@ containerd_config:
 containerd_cfg_dir: /etc/containerd
 
 # Path to runc binary
-runc_binary: /usr/sbin/runc
+runc_binary: /usr/bin/runc
 
 
 yum_repo_dir: /etc/yum.repos.d
diff --git a/roles/container-engine/containerd/tasks/containerd_repo.yml b/roles/container-engine/containerd/tasks/containerd_repo.yml
index 5614b06d7..d4aa2167e 100644
--- a/roles/container-engine/containerd/tasks/containerd_repo.yml
+++ b/roles/container-engine/containerd/tasks/containerd_repo.yml
@@ -65,18 +65,3 @@
   when:
     - ansible_distribution in ["CentOS","RedHat"]
     - yum_result.results | length == 0
-
-- name: Copy yum.conf for editing
-  copy:
-    src: "{{ yum_conf }}"
-    dest: "{{ containerd_yum_conf }}"
-    remote_src: yes
-  when: ansible_distribution in ["CentOS","RedHat"]
-
-- name: Edit copy of yum.conf to set obsoletes=0
-  lineinfile:
-    path: "{{ containerd_yum_conf }}"
-    state: present
-    regexp: '^obsoletes='
-    line: 'obsoletes=0'
-  when: ansible_distribution in ["CentOS","RedHat"]
diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml
index 9524e1097..82e7f7664 100644
--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -95,9 +95,9 @@
   args:
     pkg: "{{ item.name }}"
     force: "{{ item.force | default(omit) }}"
-    conf_file: "{{ item.yum_conf | default(omit) }}"
     state: present
     update_cache: "{{ omit if ansible_distribution == 'Fedora' else True }}"
+    enablerepo: "{{ item.repo | default(omit) }}"
   register: containerd_task_result
   until: containerd_task_result is succeeded
   retries: 4
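Review bot: `enablerepo` is only understood by the yum and dnf modules, and this task appears to select its module dynamically (the task header is outside the hunk), so on apt hosts it works only as long as no Debian/Ubuntu package item ever defines `repo`. A comment above the new line would record that constraint, for example `# yum/dnf only: apt-based vars must leave item.repo undefined`. The same applies to the `enablerepo` line added in roles/container-engine/docker/tasks/main.yml.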
@@ -109,26 +109,6 @@
     - containerd_package_info.pkgs|length > 0
   ignore_errors: true
 
-- name: Check if runc is installed
-  stat:
-    path: "{{ runc_binary }}"
-  register: runc_stat
-
-- name: Install runc package if necessary
-  action: "{{ containerd_package_info.pkg_mgr }}"
-  args:
-    pkg: runc
-    state: present
-    update_cache: "{{ omit if ansible_distribution == 'Fedora' else True }}"
-  register: runc_task_result
-  until: runc_task_result is succeeded
-  retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
-  notify: restart containerd
-  when:
-    - not is_ostree
-    - not runc_stat.stat.exists
-
 - name: Ensure latest version of libseccomp installed  # noqa 403
   package:
     name: libseccomp
diff --git a/roles/container-engine/containerd/templates/fedora_containerd.repo.j2 b/roles/container-engine/containerd/templates/fedora_containerd.repo.j2
index a76b469a1..8422664a6 100644
--- a/roles/container-engine/containerd/templates/fedora_containerd.repo.j2
+++ b/roles/container-engine/containerd/templates/fedora_containerd.repo.j2
@@ -1,7 +1,7 @@
 [docker-ce]
 name=Docker-CE Repository
 baseurl={{ containerd_fedora_repo_base_url }}
-enabled=1
+enabled=0
 gpgcheck={{ '1' if containerd_fedora_repo_gpgkey else '0' }}
 gpgkey={{ containerd_fedora_repo_gpgkey }}
 {% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
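Review bot: With `enabled=0` here, nothing visible in this patch turns the repo back on for Fedora. The `pkgs` entry in containerd/vars/fedora.yml carries only `name`, so `enablerepo: "{{ item.repo | default(omit) }}"` in tasks/main.yml is omitted and dnf would not consider docker-ce packages. Unless the repo is enabled somewhere outside this diff, the containerd install on Fedora would either fail or resolve to a package from another repository. Adding `repo: "docker-ce"` to the Fedora `pkgs` item, as containerd/vars/redhat.yml now does, would close the gap.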
diff --git a/roles/container-engine/containerd/templates/rh_containerd.repo.j2 b/roles/container-engine/containerd/templates/rh_containerd.repo.j2
index a8a04f60f..178bbc2cd 100644
--- a/roles/container-engine/containerd/templates/rh_containerd.repo.j2
+++ b/roles/container-engine/containerd/templates/rh_containerd.repo.j2
@@ -1,13 +1,10 @@
 [docker-ce]
 name=Docker-CE Repository
 baseurl={{ docker_rh_repo_base_url }}
-enabled=1
+enabled=0
 gpgcheck={{ '1' if docker_rh_repo_gpgkey else '0' }}
 keepcache={{ docker_rpm_keepcache | default('1') }}
 gpgkey={{ docker_rh_repo_gpgkey }}
 {% if http_proxy is defined %}
 proxy={{ http_proxy }}
 {% endif %}
-{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}
-module_hotfixes=True
-{% endif %}
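Review bot: The `gpgcheck` context line below `enabled=0` still renders `0` whenever `docker_rh_repo_gpgkey` is empty, so packages pulled through the new `enablerepo: docker-ce` path would install without signature verification in that configuration. That behaviour pre-dates this commit, but the repo is now the explicit source for containerd and docker packages, so it is worth tightening here. Consider rendering `gpgcheck=1` unconditionally; if unsigned internal mirrors must stay supported, use an explicit opt-out variable rather than relying on an empty key. The same line appears in rh_docker.repo.j2 and, with `containerd_fedora_repo_gpgkey`, in fedora_containerd.repo.j2.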
diff --git a/roles/container-engine/containerd/vars/debian.yml b/roles/container-engine/containerd/vars/debian.yml
index 108625d32..a1a9adab4 100644
--- a/roles/container-engine/containerd/vars/debian.yml
+++ b/roles/container-engine/containerd/vars/debian.yml
@@ -18,5 +18,3 @@ containerd_repo_info:
       deb {{ containerd_debian_repo_base_url }}
       {{ ansible_distribution_release|lower }}
       {{ containerd_debian_repo_component }}
-
-runc_binary: /usr/bin/runc
diff --git a/roles/container-engine/containerd/vars/fedora.yml b/roles/container-engine/containerd/vars/fedora.yml
index dbbbee722..4f7703f50 100644
--- a/roles/container-engine/containerd/vars/fedora.yml
+++ b/roles/container-engine/containerd/vars/fedora.yml
@@ -3,5 +3,3 @@ containerd_package_info:
   pkg_mgr: dnf
   pkgs:
     - name: "{{ containerd_versioned_pkg[containerd_version | string] }}"
-
-runc_binary: /usr/bin/runc
diff --git a/roles/container-engine/containerd/vars/redhat.yml b/roles/container-engine/containerd/vars/redhat.yml
index d375d1493..c2cc3c267 100644
--- a/roles/container-engine/containerd/vars/redhat.yml
+++ b/roles/container-engine/containerd/vars/redhat.yml
@@ -3,10 +3,7 @@ containerd_package_info:
   pkg_mgr: yum
   pkgs:
     - name: "{{ containerd_versioned_pkg[containerd_version | string] }}"
-
-containerd_pkgs:
-  - name: "{{ containerd_versioned_pkg[containerd_version | string] }}"
-    yum_conf: "{{ containerd_yum_conf }}"
+      repo: "docker-ce"
 
 containerd_repo_key_info:
   pkg_key: ''
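Review bot: The new `repo: "docker-ce"` value has to match the `[docker-ce]` section id rendered by rh_containerd.repo.j2, but nothing ties the two together. A renamed section would only surface as an unknown-repository error at install time. A short comment next to the key, such as `# must match the section id in rh_containerd.repo.j2`, would document the coupling. The five `repo: "docker-ce"` entries added in roles/container-engine/docker/vars/redhat.yml depend on rh_docker.repo.j2 in the same way.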
@@ -15,5 +12,3 @@ containerd_repo_key_info:
 containerd_repo_info:
   pkg_repo: ''
   repos: []
-
-runc_binary: /bin/runc
diff --git a/roles/container-engine/containerd/vars/ubuntu-amd64.yml b/roles/container-engine/containerd/vars/ubuntu-amd64.yml
index 013df1537..0d247f841 100644
--- a/roles/container-engine/containerd/vars/ubuntu-amd64.yml
+++ b/roles/container-engine/containerd/vars/ubuntu-amd64.yml
@@ -18,5 +18,3 @@ containerd_repo_info:
       deb {{ containerd_ubuntu_repo_base_url }}
       {{ ansible_distribution_release|lower }}
       {{ containerd_ubuntu_repo_component }}
-
-runc_binary: /usr/bin/runc
diff --git a/roles/container-engine/docker/tasks/main.yml b/roles/container-engine/docker/tasks/main.yml
index 94d314f32..bfdc2ebe6 100644
--- a/roles/container-engine/docker/tasks/main.yml
+++ b/roles/container-engine/docker/tasks/main.yml
@@ -166,6 +166,7 @@
     conf_file: "{{ item.yum_conf|default(omit) }}"
     state: "{{ item.state | default('present') }}"
     update_cache: "{{ omit if ansible_distribution == 'Fedora' else True }}"
+    enablerepo: "{{ item.repo | default(omit) }}"
   register: docker_task_result
   until: docker_task_result is succeeded
   retries: 4
diff --git a/roles/container-engine/docker/templates/rh_docker.repo.j2 b/roles/container-engine/docker/templates/rh_docker.repo.j2
index a8a04f60f..178bbc2cd 100644
--- a/roles/container-engine/docker/templates/rh_docker.repo.j2
+++ b/roles/container-engine/docker/templates/rh_docker.repo.j2
@@ -1,13 +1,10 @@
 [docker-ce]
 name=Docker-CE Repository
 baseurl={{ docker_rh_repo_base_url }}
-enabled=1
+enabled=0
 gpgcheck={{ '1' if docker_rh_repo_gpgkey else '0' }}
 keepcache={{ docker_rpm_keepcache | default('1') }}
 gpgkey={{ docker_rh_repo_gpgkey }}
 {% if http_proxy is defined %}
 proxy={{ http_proxy }}
 {% endif %}
-{% if ansible_os_family == "RedHat" and ansible_distribution_major_version|int == 8 %}
-module_hotfixes=True
-{% endif %}
diff --git a/roles/container-engine/docker/vars/redhat.yml b/roles/container-engine/docker/vars/redhat.yml
index fb12b67ac..f9e2fe606 100644
--- a/roles/container-engine/docker/vars/redhat.yml
+++ b/roles/container-engine/docker/vars/redhat.yml
@@ -30,16 +30,21 @@ docker_selinux_versioned_pkg:
 docker_pkgs_use_docker_ce:
   - name: "{{ docker_selinux_versioned_pkg[docker_selinux_version | string] }}"
     yum_conf: "{{ docker_yum_conf }}"
+    repo: "docker-ce"
   - name: "{{ docker_versioned_pkg[docker_version | string] }}"
     yum_conf: "{{ docker_yum_conf }}"
+    repo: "docker-ce"
 
 docker_pkgs:
   - name: "{{ containerd_versioned_pkg[containerd_version | string] }}"
     yum_conf: "{{ docker_yum_conf }}"
+    repo: "docker-ce"
   - name: "{{ docker_cli_versioned_pkg[docker_cli_version | string] }}"
     yum_conf: "{{ docker_yum_conf }}"
+    repo: "docker-ce"
   - name: "{{ docker_versioned_pkg[docker_version | string] }}"
     yum_conf: "{{ docker_yum_conf }}"
+    repo: "docker-ce"
 
 docker_package_info:
   pkg_mgr: yum
-- 
GitLab