From 73aee004acfa404ce1cf110ef2a672d6dfebf6ff Mon Sep 17 00:00:00 2001
From: Ganesh Maharaj Mahalingam <ganeshmaharaj@users.noreply.github.com>
Date: Tue, 18 Dec 2018 01:39:25 -0800
Subject: [PATCH] Enable ClearLinux as a distro in kubespray (#3855)

Signed-off-by: Ganesh Maharaj Mahalingam <ganesh.mahalingam@intel.com>
---
 .../tasks/bootstrap-clearlinux.yml            | 14 ++++++++++
 roles/bootstrap-os/tasks/main.yml             |  9 ++++--
 roles/container-engine/cri-o/tasks/main.yaml  |  8 ++++++
 .../cri-o/templates/crio.conf.j2              |  8 ++++++
 .../cri-o/vars/clearlinux.yml                 |  5 ++++
 roles/container-engine/docker/tasks/main.yml  | 28 ++++++++++++++-----
 .../docker/vars/clearlinux.yml                |  5 ++++
 roles/etcd/meta/main.yml                      |  2 +-
 roles/etcd/tasks/upd_ca_trust.yml             |  6 ++++
 roles/kubernetes/node/tasks/main.yml          |  5 ++++
 .../preinstall/tasks/0020-verify-settings.yml |  2 +-
 .../preinstall/tasks/0070-system-packages.yml | 10 ++++++-
 .../tasks/0080-system-configurations.yml      |  5 ++++
 13 files changed, 95 insertions(+), 12 deletions(-)
 create mode 100644 roles/bootstrap-os/tasks/bootstrap-clearlinux.yml
 create mode 100644 roles/container-engine/cri-o/vars/clearlinux.yml
 create mode 100644 roles/container-engine/docker/vars/clearlinux.yml

diff --git a/roles/bootstrap-os/tasks/bootstrap-clearlinux.yml b/roles/bootstrap-os/tasks/bootstrap-clearlinux.yml
new file mode 100644
index 000000000..89859978d
--- /dev/null
+++ b/roles/bootstrap-os/tasks/bootstrap-clearlinux.yml
@@ -0,0 +1,14 @@
+---
+- name: Install basic packages to run containers
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items:
+    - containers-basic
+
+- name: Make sure docker service is enabled
+  systemd:
+    name: docker
+    enabled: yes
+    daemon_reload: yes
+    state: started
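Review bot: The second task enables and starts the Docker daemon on every Clear Linux host during bootstrap, with no condition on the chosen container engine. This same commit adds cri-o support for Clear Linux, so a cri-o deployment would still end up with a running, root-privileged Docker daemon it does not need. Gate the task, e.g. `when: container_manager == 'docker'` (confirm the variable is resolvable at bootstrap time), or leave service management to the container-engine role. Minor style points: prefer `enabled: true` / `daemon_reload: true` over `yes`, and pass the single bundle directly as `name: containers-basic` instead of looping.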
diff --git a/roles/bootstrap-os/tasks/main.yml b/roles/bootstrap-os/tasks/main.yml
index eb29be41a..5fbc4490d 100644
--- a/roles/bootstrap-os/tasks/main.yml
+++ b/roles/bootstrap-os/tasks/main.yml
@@ -20,6 +20,8 @@
       centos
       {%- elif 'OpenSUSE' in os_release.stdout -%}
       opensuse
+      {%- elif 'Clear Linux OS' in os_release.stdout -%}
+      clearlinux
       {%- endif -%}
 
 - include_tasks: bootstrap-ubuntu.yml
@@ -40,6 +42,9 @@
 - include_tasks: bootstrap-opensuse.yml
   when: os_family == "opensuse"
 
+- include_tasks: bootstrap-clearlinux.yml
+  when: os_family == "clearlinux"
+
 - import_tasks: setup-pipelining.yml
 
 - name: Create remote_tmp for it is used by another module
@@ -58,14 +63,14 @@
     name: "{{inventory_hostname}}"
   when:
     - override_system_hostname
-    - ansible_os_family not in ['Suse', 'CoreOS', 'Container Linux by CoreOS']
+    - ansible_os_family not in ['Suse', 'CoreOS', 'Container Linux by CoreOS', 'ClearLinux']
 
 - name: Assign inventory name to unconfigured hostnames (CoreOS and Tumbleweed only)
   command: "hostnamectl set-hostname  {{inventory_hostname}}"
   register: hostname_changed
   when:
     - override_system_hostname
-    - ansible_os_family in ['Suse', 'CoreOS', 'Container Linux by CoreOS']
+    - ansible_os_family in ['Suse', 'CoreOS', 'Container Linux by CoreOS', 'ClearLinux']
 
 - name: Update hostname fact (CoreOS and Tumbleweed only)
   setup:
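Review bot: The task names in this hunk still say "(CoreOS and Tumbleweed only)", although the changed `when:` lists now route ClearLinux through the `hostnamectl` path as well. Rename them, e.g. `Assign inventory name to unconfigured hostnames (CoreOS, Tumbleweed and ClearLinux only)`, so a skipped or failed task in the play output is attributed correctly. The "Update hostname fact" task continues past the end of the hunk, so whether its condition was updated to match is not visible here.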
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index 3d9e67c86..a85392993 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -24,6 +24,14 @@
     gpgcheck: no
   when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
 
+- name: Make sure needed folders exist in the system
+  with_items:
+    - /etc/crio
+    - /etc/containers
+  file:
+    path: "{{ item }}"
+    state: directory
+
 - name: Install cri-o packages
   package:
     name: "{{ item }}"
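Review bot: The new "Make sure needed folders exist" task creates `/etc/crio` and `/etc/containers` without `owner`, `group` or `mode`, so the permissions of newly created directories depend on the remote umask. These directories hold the runtime's seccomp profile and image signature policy, so pin them explicitly with `owner: root`, `group: root` and `mode: "0755"`. The same applies to the `/etc/modules-load.d` task added in roles/kubernetes/node/tasks/main.yml and to the sysctl directory task in 0080-system-configurations.yml. That last task also uses the `name:` alias where the other two use `path:`. The node task is named "Verify ... exists" but actually creates the directory, so "Ensure" would describe it better.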
diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2
index ff716f85f..b7de5e66d 100644
--- a/roles/container-engine/cri-o/templates/crio.conf.j2
+++ b/roles/container-engine/cri-o/templates/crio.conf.j2
@@ -107,7 +107,11 @@ selinux = {{ (preinstall_selinux_state == 'enforcing')|lower }}
 
 # seccomp_profile is the seccomp json profile path which is used as the
 # default for the runtime.
+{% if ansible_os_family == "ClearLinux" %}
+seccomp_profile = "/usr/share/defaults/crio/seccomp.json"
+{% else %}
 seccomp_profile = "/etc/crio/seccomp.json"
+{% endif %}
 
 # apparmor_profile is the apparmor profile name which is used as the
 # default for the runtime.
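Review bot: The ClearLinux branch hard-codes `/usr/share/defaults/crio/seccomp.json` in the template, and nothing visible in this commit checks that the file exists once `containers-basic` is installed. This path selects the default syscall filter for every container cri-o starts, so a `stat` plus `assert` on it before the service is started would turn a changed bundle layout into a clear failure rather than a runtime surprise. It would also read better as a per-distro variable with `/etc/crio/seccomp.json` as the default, set in the new `vars/clearlinux.yml`, which keeps OS conditionals out of the template.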
@@ -199,7 +203,11 @@ pause_command = "/pause"
 # use when deciding whether or not to trust an image that we've pulled.
 # Outside of testing situations, it is strongly advised that this be left
 # unspecified so that the default system-wide policy will be used.
+{% if ansible_os_family == "ClearLinux" %}
+signature_policy = "/usr/share/defaults/crio/policy.json"
+{% else %}
 signature_policy = ""
+{% endif %}
 
 # image_volumes controls how image volumes are handled.
 # The valid values are mkdir and ignore.
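Review bot: The ClearLinux branch sets `signature_policy` to a file, while the comment directly above says it should be left unspecified outside of testing so that the system-wide policy applies; the template does not record why Clear Linux is an exception. Add a template comment stating the reason, presumably that the distribution ships its defaults under `/usr/share/defaults` rather than `/etc/containers` (inferred, please confirm). The contents of that `policy.json` are not visible in this commit, so it is worth confirming that the image trust policy it defines is the one intended for cluster nodes.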
diff --git a/roles/container-engine/cri-o/vars/clearlinux.yml b/roles/container-engine/cri-o/vars/clearlinux.yml
new file mode 100644
index 000000000..4afc55079
--- /dev/null
+++ b/roles/container-engine/cri-o/vars/clearlinux.yml
@@ -0,0 +1,5 @@
+---
+crio_packages:
+  - containers-basic
+
+crio_service: crio
diff --git a/roles/container-engine/docker/tasks/main.yml b/roles/container-engine/docker/tasks/main.yml
index 1b3c629bd..c1f501838 100644
--- a/roles/container-engine/docker/tasks/main.yml
+++ b/roles/container-engine/docker/tasks/main.yml
@@ -45,7 +45,7 @@
           docker requires a minimum kernel version of
           {{ docker_kernel_min_version }} on
           {{ ansible_distribution }}-{{ ansible_distribution_version }}
-  when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (ansible_kernel is version(docker_kernel_min_version, "<"))
+  when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "ClearLinux"]) and (ansible_kernel is version(docker_kernel_min_version, "<"))
   tags:
     - facts
 
@@ -62,7 +62,7 @@
   retries: 4
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ docker_repo_key_info.repo_keys }}"
-  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic)
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic)
 
 - name: ensure docker-ce repository is enabled
   action: "{{ docker_repo_info.pkg_repo }}"
@@ -70,7 +70,7 @@
     repo: "{{item}}"
     state: present
   with_items: "{{ docker_repo_info.repos }}"
-  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) and (docker_repo_info.repos|length > 0)
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (docker_repo_info.repos|length > 0)
 
 - name: ensure docker-engine repository public key is installed
   action: "{{ dockerproject_repo_key_info.pkg_key }}"
@@ -84,7 +84,7 @@
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ dockerproject_repo_key_info.repo_keys }}"
   when:
-    - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic)
+    - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic)
     - use_docker_engine is defined and use_docker_engine
 
 - name: ensure docker-engine repository is enabled
@@ -95,7 +95,7 @@
   with_items: "{{ dockerproject_repo_info.repos }}"
   when:
     - use_docker_engine is defined and use_docker_engine
-    - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) and (dockerproject_repo_info.repos|length > 0)
+    - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (dockerproject_repo_info.repos|length > 0)
 
 - name: Configure docker repository on Fedora
   template:
@@ -138,9 +138,23 @@
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ docker_package_info.pkgs }}"
   notify: restart docker
-  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0)
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "ClearLinux"] or is_atomic) and (docker_package_info.pkgs|length > 0)
   ignore_errors: true
 
+- name: Ensure docker packages are installed
+  action: "{{ docker_package_info.pkg_mgr }}"
+  args:
+    name: "{{ item.name }}"
+    state: present
+  with_items: "{{ docker_package_info.pkgs }}"
+  register: docker_task_result
+  until: docker_task_result is succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
+  notify: restart docker
+  ignore_errors: true
+  when: ansible_os_family in ["ClearLinux"]
+
 - name: get available packages on Ubuntu
   command: apt-cache policy docker-ce
   when:
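Review bot: The new ClearLinux install task carries `ignore_errors: true`, so if `swupd` still fails after the four retries the play continues on a node with no container runtime, and the failure only surfaces later in an unrelated task. Drop `ignore_errors: true` from this task, or follow it with an explicit check that the docker binary or service exists. The task also reuses the name "Ensure docker packages are installed" from the task above it (as far as the context shows), which makes the two indistinguishable in play output; a `(ClearLinux)` suffix would help. The next task, "get available packages on Ubuntu", runs past the end of the hunk.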
@@ -162,7 +176,7 @@
     dest: "/etc/apt/preferences.d/docker"
     owner: "root"
     mode: 0644
-  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic)
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "ClearLinux", "RedHat", "Suse"] or is_atomic)
 
 - name: ensure service is started if docker packages are already present
   service:
diff --git a/roles/container-engine/docker/vars/clearlinux.yml b/roles/container-engine/docker/vars/clearlinux.yml
new file mode 100644
index 000000000..c0306f1ed
--- /dev/null
+++ b/roles/container-engine/docker/vars/clearlinux.yml
@@ -0,0 +1,5 @@
+---
+docker_package_info:
+  pkg_mgr: swupd
+  pkgs:
+    - name: "containers-basic"
diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml
index 62ece6e99..813ee39dd 100644
--- a/roles/etcd/meta/main.yml
+++ b/roles/etcd/meta/main.yml
@@ -2,4 +2,4 @@
 dependencies:
   - role: adduser
     user: "{{ addusers.etcd }}"
-    when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic)
+    when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS', "ClearLinux"] or is_atomic)
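Review bot: Adding ClearLinux to this exclusion skips the `adduser` dependency, and nothing in the commit states which account etcd and its files then use on Clear Linux. If the role is skipped because its user-creation arguments do not work on that distribution, say so in a comment above the `when:` and confirm that etcd does not end up running with more privilege than on the other distributions. The new entry is also double-quoted inside an otherwise single-quoted list; use `'ClearLinux'` for consistency.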
diff --git a/roles/etcd/tasks/upd_ca_trust.yml b/roles/etcd/tasks/upd_ca_trust.yml
index 0ff363860..bd32cbe1a 100644
--- a/roles/etcd/tasks/upd_ca_trust.yml
+++ b/roles/etcd/tasks/upd_ca_trust.yml
@@ -10,6 +10,8 @@
       /etc/ssl/certs/etcd-ca.pem
       {%- elif ansible_os_family == "Suse" -%}
       /etc/pki/trust/anchors/etcd-ca.pem
+      {%- elif ansible_os_family == "ClearLinux" -%}
+      /usr/share/ca-certs/etcd-ca.pem
       {%- endif %}
   tags:
     - facts
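Review bot: The ClearLinux branch stages the etcd CA at `/usr/share/ca-certs/etcd-ca.pem`, which is inside the OS-provided tree. On Clear Linux, `/usr` is normally owned by the update tooling (my understanding, please confirm), so a locally written file there may be removed or flagged by a later OS verify or repair. The second hunk then runs `clrtrust add` on that path, which should register the certificate in the local trust store by itself. Staging the file somewhere under `/etc` would therefore avoid writing to the vendor area. The `clrtrust add` command task also has no `changed_when`, matching the existing RedHat task, so it always reports changed when it runs.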
@@ -28,3 +30,7 @@
 - name: Gen_certs | update ca-certificates (RedHat)
   command: update-ca-trust extract
   when: etcd_ca_cert.changed and ansible_os_family == "RedHat"
+
+- name: Gen_certs | update ca-certificates (ClearLinux)
+  command: clrtrust add "{{ ca_cert_path }}"
+  when: etcd_ca_cert.changed and ansible_os_family == "ClearLinux"
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml
index 41410cf70..edf0b29e1 100644
--- a/roles/kubernetes/node/tasks/main.yml
+++ b/roles/kubernetes/node/tasks/main.yml
@@ -59,6 +59,11 @@
   failed_when: modinfo_br_netfilter.rc not in [0, 1]
   changed_when: false
 
+- name: Verify br_netfilter module path exists
+  file:
+    path: /etc/modules-load.d
+    state: directory
+
 - name: Enable br_netfilter module
   modprobe:
     name: br_netfilter
diff --git a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
index 0369c094f..ff8d6ffc8 100644
--- a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
@@ -21,7 +21,7 @@
 
 - name: Stop if unknown OS
   assert:
-    that: ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Container Linux by CoreOS', 'openSUSE Leap', 'openSUSE Tumbleweed']
+    that: ansible_os_family in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Container Linux by CoreOS', 'openSUSE Leap', 'openSUSE Tumbleweed', 'ClearLinux']
   ignore_errors: "{{ ignore_assert_errors }}"
 
 - name: Stop if unknown network plugin
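Review bot: Switching the assert from `ansible_distribution` to `ansible_os_family` while keeping the list of distribution names changes the result for existing platforms. Other tasks in this same commit compare `ansible_os_family` against `"Suse"`, which is not in the list, so openSUSE hosts would now fail "Stop if unknown OS". Entries such as `'CentOS'`, `'Ubuntu'` and `'openSUSE Leap'` can no longer match at all. Keep the original check and extend it instead, e.g. `that: ansible_distribution in [...existing list...] or ansible_os_family == 'ClearLinux'`.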
diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml
index e24aebadb..62e963613 100644
--- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml
+++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml
@@ -95,6 +95,14 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}"
-  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "ClearLinux"] or is_atomic)
   tags:
     - bootstrap-os
+
+- name: Install ipvsadm for ClearLinux
+  swupd:
+    name: ipvsadm
+    state: present
+  when:
+    - ansible_os_family in ["ClearLinux"]
+    - kube_proxy_mode == 'ipvs'
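Review bot: The new `swupd` task for `ipvsadm` has no `register`/`until`/`retries`, unlike the package task directly above it, so a transient download failure aborts the play on Clear Linux only. It also lacks the `bootstrap-os` tag the preceding task carries, so a run limited to that tag installs the common packages but skips this one. Mirror the preceding task's retry settings and add `tags: [bootstrap-os]`.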
diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
index cc74e624a..b355b6d30 100644
--- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
+++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml
@@ -45,6 +45,11 @@
   tags:
     - bootstrap-os
 
+- name: Make sure sysctl file path folder exists
+  file:
+    name: "{{ sysctl_file_path | dirname }}"
+    state: directory
+
 - name: Enable ip forwarding
   sysctl:
     sysctl_file: "{{sysctl_file_path}}"
-- 
GitLab