From c2cf0d994588036c24b4e505011993ac7b4e59d5 Mon Sep 17 00:00:00 2001
From: spaced <spaced.wombat@gmail.com>
Date: Thu, 15 Jul 2021 09:00:48 +0200
Subject: [PATCH] add containerd on fedora CoreOS (#7794)

* set selinux type t_etc if selinux state is enforcing

* workaround with update repo is no longer needed
remove comments about failing playbook

* grubby is not available in distros using ostree

* remove docker support because it was removed in fcos
update install script example with live rootfs

* do not call grubby on ostree based distro

* update docs enabling containerd on fedora coreos
---
 README.md                                     |  2 +-
 docs/coreos.md                                | 14 -------
 docs/fcos.md                                  | 37 ++++---------------
 .../tasks/bootstrap-fedora-coreos.yml         | 18 +--------
 .../containerd/tasks/main.yml                 |  2 +
 roles/container-engine/cri-o/tasks/main.yaml  |  2 +
 6 files changed, 14 insertions(+), 61 deletions(-)
 delete mode 100644 docs/coreos.md

diff --git a/README.md b/README.md
index 204c24801..31382fbdc 100644
--- a/README.md
+++ b/README.md
@@ -119,7 +119,7 @@ vagrant up
 - **Ubuntu** 16.04, 18.04, 20.04
 - **CentOS/RHEL** 7, [8](docs/centos8.md)
 - **Fedora** 33, 34
-- **Fedora CoreOS** (experimental: see [fcos Note](docs/fcos.md))
+- **Fedora CoreOS** (see [fcos Note](docs/fcos.md))
 - **openSUSE** Leap 15.x/Tumbleweed
 - **Oracle Linux** 7, [8](docs/centos8.md)
 - **Alma Linux** [8](docs/centos8.md)
diff --git a/docs/coreos.md b/docs/coreos.md
deleted file mode 100644
index a30c9dd66..000000000
--- a/docs/coreos.md
+++ /dev/null
@@ -1,14 +0,0 @@
-CoreOS bootstrap
-===============
-
-Example with Ansible:
-
-Before running the cluster playbook you must satisfy the following requirements:
-
-General CoreOS Pre-Installation Notes:
-
-- Ensure that the bin_dir is set to `/opt/bin`
-- ansible_python_interpreter should be `/opt/bin/python`. This will be laid down by the bootstrap task.
-- The default resolvconf_mode setting of `docker_dns` **does not** work for CoreOS. This is because we do not edit the systemd service file for docker on CoreOS nodes. Instead, just use the `host_resolvconf` mode. It should work out of the box.
-
-Then you can proceed to [cluster deployment](#run-deployment)
diff --git a/docs/fcos.md b/docs/fcos.md
index 0682879cc..c91d8b1d4 100644
--- a/docs/fcos.md
+++ b/docs/fcos.md
@@ -1,6 +1,6 @@
 # Fedora CoreOS
 
-Tested with stable version 31.20200223.3.0.
+Tested with stable version 34.20210611.3.0
 
 Because package installation with `rpm-ostree` requires a reboot, playbook may fail while bootstrap.
 Restart playbook again.
@@ -9,33 +9,9 @@ Restart playbook again.
 
 Tested with
 
-- docker
+- containerd
 - crio
 
-### docker
-
-OS base packages contains docker.
-
-### cri-o
-
-To use `cri-o` disable docker service with ignition:
-
-```yaml
-#workaround, see https://github.com/coreos/fedora-coreos-tracker/issues/229
-systemd:
-  units:
-    - name: docker.service
-      enabled: false
-      contents: |
-        [Unit]
-        Description=disable docker
-
-        [Service]
-
-        [Install]
-        WantedBy=multi-user.target
-```
-
 ## Network
 
 ### calico
@@ -79,11 +55,14 @@ Prepare ignition and serve via http (a.e. python -m http.server )
 ### create guest
 
 ```shell script
-fcos_version=31.20200223.3.0
+machine_name=myfcos1
+ignition_url=http://mywebserver/fcos.ign
+
+fcos_version=34.20210611.3.0
 kernel=https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/${fcos_version}/x86_64/fedora-coreos-${fcos_version}-live-kernel-x86_64
 initrd=https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/${fcos_version}/x86_64/fedora-coreos-${fcos_version}-live-initramfs.x86_64.img
-ignition_url=http://mywebserver/fcos.ign
-kernel_args="ip=dhcp rd.neednet=1 console=tty0 coreos.liveiso=/ console=ttyS0 coreos.inst.install_dev=/dev/sda coreos.inst.stream=stable coreos.inst.ignition_url=${ignition_url}"
+rootfs=https://builds.coreos.fedoraproject.org/prod/streams/stable/builds/${fcos_version}/x86_64/fedora-coreos-${fcos_version}-live-rootfs.x86_64.img
+kernel_args="console=ttyS0 coreos.live.rootfs_url=${rootfs} coreos.inst.install_dev=/dev/sda coreos.inst.stream=stable coreos.inst.ignition_url=${ignition_url}"
 sudo virt-install --name ${machine_name} --ram 4048 --graphics=none --vcpus 2 --disk size=20 \
                 --network bridge=virbr0 \
                 --install kernel=${kernel},initrd=${initrd},kernel_args_overwrite=yes,kernel_args="${kernel_args}"
diff --git a/roles/bootstrap-os/tasks/bootstrap-fedora-coreos.yml b/roles/bootstrap-os/tasks/bootstrap-fedora-coreos.yml
index 1a222f664..d3fd1c942 100644
--- a/roles/bootstrap-os/tasks/bootstrap-fedora-coreos.yml
+++ b/roles/bootstrap-os/tasks/bootstrap-fedora-coreos.yml
@@ -19,28 +19,12 @@
   become: true
   when: need_bootstrap.rc != 0
 
-  # Because the package "python3-libselinux" has a dependency on libselinux,
-  # which is a base package in Fedora CoreOS and cannot be upgraded.
-  # Temporary disabling update repo allows to install python3-libselinux
-  # see https://github.com/coreos/fedora-coreos-tracker/issues/592
-- name: Temporary disable fedora updates repo because of base packages conflicts
-  raw: "sed -i 's|^enabled=1|enabled=0|g' /etc/yum.repos.d/fedora-updates.repo"
-  become: true
-  when: need_bootstrap.rc != 0
-
 - name: Install required packages on fedora coreos
   raw: "export http_proxy={{ http_proxy | default('') }};rpm-ostree install --allow-inactive {{ fedora_coreos_packages|join(' ') }}"
   become: true
   when: need_bootstrap.rc != 0
 
-  # see https://github.com/coreos/fedora-coreos-tracker/issues/592
-- name: Enable fedora updates repo
-  raw: "sed -i 's|^enabled=0|enabled=1|g' /etc/yum.repos.d/fedora-updates.repo"
-  become: true
-  when: need_bootstrap.rc != 0
-
-  # playbook fails because connection lost
-- name: Reboot immediately for updated ostree, please run playbook again if failed first time.
+- name: Reboot immediately for updated ostree
   raw: "nohup bash -c 'sleep 5s && shutdown -r now'"
   become: true
   ignore_errors: true  # noqa ignore-errors
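Review bot: The renamed reboot task at L157 still detaches `shutdown -r now` via `nohup` and keeps `ignore_errors: true`, so now that the "run playbook again if failed first time" hint is gone, a reboot that never happens or a connection that never comes back is masked unless a `wait_for_connection` follows it; the task continues past the end of the hunk, so that step may already exist — if it does not, add a task with `wait_for_connection:` and `delay: 10` under the same `when: need_bootstrap.rc != 0` so the play only proceeds on a node that actually came back. Separately, the unchanged `raw:` line at L145 interpolates `http_proxy` into a shell command unquoted; `export http_proxy={{ http_proxy | default('') | quote }}` keeps a value containing spaces or shell metacharacters from breaking or altering the command. The enclosing task at the top of the hunk (L132) starts above it.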
diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml
index e4ba9983b..504be3aec 100644
--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -43,6 +43,7 @@
     - ansible_distribution == "Fedora"
     - (ansible_distribution_major_version | int) >= 31
     - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
+    - not is_ostree
 
 - name: reboot in Fedora 31+
   reboot:
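Review bot: Adding `- not is_ostree` at L169 skips the `systemd.unified_cgroup_hierarchy=0` kernel-argument change on ostree hosts instead of replacing it, so a Fedora CoreOS node that satisfies the other three conditions stays on the unified (cgroup v2) hierarchy; whether the rest of the role handles that (for example a systemd cgroup driver in the generated containerd config) is not visible here and should be confirmed, and if the cgroup v1 switch is still wanted on ostree, `rpm-ostree kargs --append=systemd.unified_cgroup_hierarchy=0` followed by the existing reboot task is the equivalent. The same four-condition `when` list is now duplicated at L169, L177, L189 and L197; factoring it into a single boolean variable (e.g. `fedora_cgroup_v1_switch_needed`, as a constructed name) in a shared vars file would keep the two tasks in each file, and the two files, from drifting. The task whose condition L169 extends starts above the hunk, and the reboot task at L171 continues below it.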
@@ -50,6 +51,7 @@
     - ansible_distribution == "Fedora"
     - (ansible_distribution_major_version | int) >= 31
     - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
+    - not is_ostree
 
 - include_tasks: containerd_repo.yml
   when: not is_ostree
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index 3fda1aeb4..cde3552f9 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -34,6 +34,7 @@
     - ansible_distribution == "Fedora"
     - (ansible_distribution_major_version | int) >= 31
     - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
+    - not is_ostree
 
 - name: reboot in Fedora 31+
   reboot:
@@ -41,6 +42,7 @@
     - ansible_distribution == "Fedora"
     - (ansible_distribution_major_version | int) >= 31
     - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
+    - not is_ostree
 
 - name: import crio repo
   import_tasks: "crio_repo.yml"
-- 
GitLab