From cf1566e8ed4c04fd82a848bdf5fe3545fe719443 Mon Sep 17 00:00:00 2001
From: spaced <spaced.wombat@gmail.com>
Date: Fri, 24 Apr 2020 10:18:07 +0200
Subject: [PATCH] Centos, debian and fedora CRI-O repo (#6008)

* replace removed repo with kubic repository for centos 7

* add crio configuration for centos8

* add crio configurations for debian

* use correct crio version for fedora

* simplify calculation of required crio version
- gives possibility to overwrite

* change default path for runc

* change default for seccomp path

* change default for conmon
---
 .../container-engine/cri-o/defaults/main.yml  | 16 ++++--
 .../cri-o/molecule/default/molecule.yml       | 26 +++++++++-
 .../molecule/default/tests/test_default.py    |  3 +-
 roles/container-engine/cri-o/tasks/crictl.yml |  2 -
 .../cri-o/tasks/crio_repo.yml                 | 50 ++++++++++++++-----
 roles/container-engine/cri-o/tasks/main.yaml  | 28 ++++++++++-
 .../container-engine/cri-o/vars/centos-7.yml  |  5 ++
 .../container-engine/cri-o/vars/centos-8.yml  |  4 ++
 .../cri-o/vars/clearlinux.yml                 |  1 -
 roles/container-engine/cri-o/vars/debian.yml  |  7 +++
 roles/container-engine/cri-o/vars/fedora.yml  |  2 -
 roles/container-engine/cri-o/vars/redhat.yml  |  1 -
 roles/container-engine/cri-o/vars/ubuntu.yml  |  8 +--
 13 files changed, 121 insertions(+), 32 deletions(-)
 create mode 100644 roles/container-engine/cri-o/vars/centos-7.yml
 create mode 100644 roles/container-engine/cri-o/vars/centos-8.yml
 create mode 100644 roles/container-engine/cri-o/vars/debian.yml

diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
index dd75ec4fe..54d10aa6f 100644
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@@ -1,8 +1,16 @@
 ---
-crio_rhel_repo_base_url: 'https://cbs.centos.org/repos/paas7-crio-114-candidate/x86_64/os/'
-
-crio_seccomp_profile: "/etc/crio/seccomp.json"
 
 crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('cgroupfs') }}"
 
-crio_runc_path: "/usr/sbin/runc"
+crio_seccomp_profile: ""
+crio_runc_path: "/usr/bin/runc"
+crio_conmon: "/usr/bin/conmon"
+
+crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"
+
+crio_kubernetes_version_matrix:
+  "1.18": "1.17"
+  "1.17": "1.17"
+  "1.16": "1.16"
+
+crio_version: "{{ crio_kubernetes_version_matrix[crio_required_version] | default('1.17') }}"
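Review bot: The new role-wide default `crio_seccomp_profile: ""` replaces `/etc/crio/seccomp.json`, so distributions whose vars files do not set the variable (redhat.yml and the new centos-7.yml / centos-8.yml in this patch) no longer point CRI-O at an explicit profile file. Upstream CRI-O describes an empty `seccomp_profile` as falling back to its built-in default profile, but the template that consumes this variable is not part of the patch, so the rendered crio.conf should be checked to confirm filtering stays on. A comment above the line would record the intent, e.g. `# empty: CRI-O falls back to its built-in default seccomp profile`.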
diff --git a/roles/container-engine/cri-o/molecule/default/molecule.yml b/roles/container-engine/cri-o/molecule/default/molecule.yml
index d544f57fb..c4a1af9c8 100644
--- a/roles/container-engine/cri-o/molecule/default/molecule.yml
+++ b/roles/container-engine/cri-o/molecule/default/molecule.yml
@@ -8,12 +8,36 @@ lint:
   options:
     config-file: ../../../.yamllint
 platforms:
-  - name: kubespray-crio
+  - name: kubespray-crio-ubuntu
     box: generic/ubuntu1804
     cpus: 2
     memory: 1024
     groups:
       - kube-master
+  - name: kubespray-crio-centos7
+    box: centos/7
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
+  - name: kubespray-crio-centos8
+    box: centos/8
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
+  - name: kubespray-crio-debian
+    box: generic/debian10
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
+  - name: kubespray-crio-fedora
+    box: fedora/31-cloud-base
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
 provisioner:
   name: ansible
   env:
diff --git a/roles/container-engine/cri-o/molecule/default/tests/test_default.py b/roles/container-engine/cri-o/molecule/default/tests/test_default.py
index 1f01b5ab5..b7f3bd6db 100644
--- a/roles/container-engine/cri-o/molecule/default/tests/test_default.py
+++ b/roles/container-engine/cri-o/molecule/default/tests/test_default.py
@@ -13,8 +13,9 @@ def test_service(host):
 
 
 def test_run(host):
+    crictl = "/usr/local/bin/crictl"
     path = "unix:///var/run/crio/crio.sock"
     with host.sudo():
-        cmd = host.command("crictl --runtime-endpoint " + path + " version")
+        cmd = host.command(crictl + " --runtime-endpoint " + path + " version")
     assert cmd.rc == 0
     assert "RuntimeName:  cri-o" in cmd.stdout
diff --git a/roles/container-engine/cri-o/tasks/crictl.yml b/roles/container-engine/cri-o/tasks/crictl.yml
index fd6a4c348..e96980533 100644
--- a/roles/container-engine/cri-o/tasks/crictl.yml
+++ b/roles/container-engine/cri-o/tasks/crictl.yml
@@ -23,7 +23,6 @@
 
 - name: Get crictl completion
   shell: "{{ bin_dir }}/crictl completion"
-  when: ansible_distribution in ["CentOS","RedHat", "Ubuntu", "Debian"]
   changed_when: False
   register: cri_completion
 
@@ -32,4 +31,3 @@
     dest: /etc/bash_completion.d/crictl
     content: "{{ cri_completion.stdout }}"
   become: True
-  when: cri_completion is defined
\ No newline at end of file
diff --git a/roles/container-engine/cri-o/tasks/crio_repo.yml b/roles/container-engine/cri-o/tasks/crio_repo.yml
index 9518e00ec..d3f700dae 100644
--- a/roles/container-engine/cri-o/tasks/crio_repo.yml
+++ b/roles/container-engine/cri-o/tasks/crio_repo.yml
@@ -1,34 +1,60 @@
 ---
 
+- name: CRI-O kubic repo name for debian os family
+  set_fact:
+    crio_kubic_debian_repo_name: "{{ ((ansible_distribution == 'Ubuntu') | ternary('x','')) ~ ansible_distribution ~ '_' ~ ansible_distribution_version }}"
+  when: ansible_os_family == "Debian"
+
 - name: Add CRI-O kubic repo key
   apt_key:
-    url: "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/x{{ ansible_distribution }}_{{ ansible_distribution_version }}/Release.key"
+    url: "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/{{ crio_kubic_debian_repo_name }}/Release.key"
     state: present
-  when: ansible_distribution in ["Ubuntu"]
+  when: crio_kubic_debian_repo_name is defined
 
 - name: Add CRI-O kubic repo
   apt_repository:
-    repo: "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/x{{ ansible_distribution }}_{{ ansible_distribution_version }}/ /"
+    repo: "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ crio_kubic_debian_repo_name }}/ /"
     state: present
     filename: devel:kubic:libcontainers:stable
-  when: ansible_distribution in ["Ubuntu"]
+  when: crio_kubic_debian_repo_name is defined
 
-- name: Add CRI-O OpenShift Origin repository
+- name: Add CRI-O kubic repo
   yum_repository:
-    name: origin
-    description: OpenShift Origin Repo
-    baseurl: "{{ crio_rhel_repo_base_url }}"
-    gpgcheck: no
-  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_ostree
+    name: devel_kubic_libcontainers_stable
+    description: Stable Releases of Upstream github.com/containers packages (CentOS_$releasever)
+    baseurl: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/
+    gpgcheck: yes
+    gpgkey: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/repodata/repomd.xml.key
+  when: ansible_distribution in ["CentOS"]
 
-- name: Enable modular repos for crio
+- name: Add CRI-O kubic repo
+  yum_repository:
+    name: "devel_kubic_libcontainers_stable_cri-o_{{ crio_version }}"
+    description: 1.17 (CentOS_$releasever)
+    baseurl: "http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/CentOS_$releasever/"
+    gpgcheck: yes
+    gpgkey: "http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/CentOS_$releasever/repodata/repomd.xml.key"
+  when: ansible_distribution in ["CentOS"]
+
+- name: Enable modular repos for CRI-O
   ini_file:
     path: "/etc/yum.repos.d/{{ item }}.repo"
     section: "{{ item }}"
     option: enabled
     value: 1
   become: true
-  when: ansible_distribution in ["Fedora"]
+  when: is_ostree
   loop:
     - "fedora-updates-modular"
     - "fedora-modular"
+
+- name: Enable CRI-O module
+  command: "dnf -y module enable cri-o:{{ crio_version }}"
+  args:
+    warn: False
+  register: crio_dnf_result
+  changed_when: "'Enabling' in crio_dnf_result.stdout"
+  become: true
+  when:
+    - ansible_distribution in ["Fedora"]
+    - not is_ostree
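Review bot: Both new CentOS `yum_repository` tasks fetch `gpgkey` and `baseurl` over plain `http://`, so the key that `gpgcheck: yes` relies on can be swapped in transit together with the packages it is meant to authenticate. The `apt_key` task in the same hunk already uses `https://download.opensuse.org/...`; the `gpgkey:` and `baseurl:` values, and the apt `repo:` line, should use the same scheme. Separately, the second repo's `description: 1.17 (CentOS_$releasever)` is hard-coded while its name and URL follow `crio_version`, and three tasks now share the name "Add CRI-O kubic repo", which makes run output ambiguous. The "Enable modular repos for CRI-O" condition also changed from Fedora-only to `is_ostree` alone, so it may now run on non-Fedora ostree hosts where the `fedora-*.repo` files do not exist.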
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index 6ffc259e4..095206270 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -48,6 +48,21 @@
   with_items: "{{ crio_packages }}"
   notify: restart crio
 
+- name: Gather the rpm package facts
+  package_facts:
+    manager: auto
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "8"
+
+- name: Ensure latest version of libseccom installed
+  command: "yum update -y libseccomp"
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "8"
+    - ansible_facts.packages['libseccomp'] | map(attribute='version') | map('regex_replace','^(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') | list | first == '2.3'
+  notify: restart crio
+
 - name: Check if already installed
   stat:
     path: "/bin/crio"
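Review bot: The libseccomp update shells out with `command: "yum update -y libseccomp"` and is gated on a hand-parsed version string, where the package module would be idempotent on its own: `package: name=libseccomp state=latest` under the same two CentOS 8 conditions removes the need for `package_facts` and the regex. If the version gate is kept, the last condition indexes `ansible_facts.packages['libseccomp']` without checking that the key exists, and the `.` separators in the pattern are unescaped, so they match any character. The task name also reads "libseccom". The hunk ends inside the following "Check if already installed" task.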
@@ -96,9 +111,20 @@
     owner: root
     mode: 0755
 
+- name: Remove metacopy mount options for older kernels
+  ini_file:
+    dest: /etc/containers/storage.conf
+    section: storage.options.overlay
+    option: mountopt
+    value: "\"nodev\""
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "7"
+
+
 - name: Write cri-o proxy drop-in
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/crio.service.d/http-proxy.conf
   notify: restart crio
-  when: http_proxy is defined or https_proxy is defined
\ No newline at end of file
+  when: http_proxy is defined or https_proxy is defined
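Review bot: The new "Remove metacopy mount options for older kernels" task edits `/etc/containers/storage.conf` but, unlike the package and proxy tasks around it, has no `notify: restart crio`. On a CentOS 7 host where crio is already running, the changed `mountopt` presumably does not take effect until something else restarts the service; adding `notify: restart crio` after the `when:` list would apply it in the same run. The value `"\"nodev\""` also replaces the whole option instead of removing only the metacopy entry, which deserves a one-line comment such as `# overwrite mountopt: metacopy is not supported by the CentOS 7 kernel`.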
diff --git a/roles/container-engine/cri-o/vars/centos-7.yml b/roles/container-engine/cri-o/vars/centos-7.yml
new file mode 100644
index 000000000..740adbc6b
--- /dev/null
+++ b/roles/container-engine/cri-o/vars/centos-7.yml
@@ -0,0 +1,5 @@
+---
+
+crio_packages:
+  - cri-o
+  - oci-systemd-hook
diff --git a/roles/container-engine/cri-o/vars/centos-8.yml b/roles/container-engine/cri-o/vars/centos-8.yml
new file mode 100644
index 000000000..121180879
--- /dev/null
+++ b/roles/container-engine/cri-o/vars/centos-8.yml
@@ -0,0 +1,4 @@
+---
+
+crio_packages:
+  - cri-o
diff --git a/roles/container-engine/cri-o/vars/clearlinux.yml b/roles/container-engine/cri-o/vars/clearlinux.yml
index c2060224e..e150b84a6 100644
--- a/roles/container-engine/cri-o/vars/clearlinux.yml
+++ b/roles/container-engine/cri-o/vars/clearlinux.yml
@@ -4,4 +4,3 @@ crio_packages:
 
 crio_conmon: /usr/libexec/crio/conmon
 crio_seccomp_profile: /usr/share/defaults/crio/seccomp.json
-crio_runc_path: /usr/bin/runc
diff --git a/roles/container-engine/cri-o/vars/debian.yml b/roles/container-engine/cri-o/vars/debian.yml
new file mode 100644
index 000000000..62c966a11
--- /dev/null
+++ b/roles/container-engine/cri-o/vars/debian.yml
@@ -0,0 +1,7 @@
+---
+
+crio_packages:
+  - "cri-o-{{ crio_version }}"
+  - runc
+
+crio_runc_path: /usr/sbin/runc
diff --git a/roles/container-engine/cri-o/vars/fedora.yml b/roles/container-engine/cri-o/vars/fedora.yml
index a2a6ad286..e8efe8ac8 100644
--- a/roles/container-engine/cri-o/vars/fedora.yml
+++ b/roles/container-engine/cri-o/vars/fedora.yml
@@ -4,5 +4,3 @@ crio_packages:
   - cri-tools
 
 crio_conmon: /usr/libexec/crio/conmon
-crio_runc_path: "/usr/bin/runc"
-crio_seccomp_profile: ""
\ No newline at end of file
diff --git a/roles/container-engine/cri-o/vars/redhat.yml b/roles/container-engine/cri-o/vars/redhat.yml
index 8f617c318..c78f6a1d7 100644
--- a/roles/container-engine/cri-o/vars/redhat.yml
+++ b/roles/container-engine/cri-o/vars/redhat.yml
@@ -4,4 +4,3 @@ crio_packages:
   - oci-systemd-hook
 
 crio_conmon: /usr/libexec/crio/conmon
-crio_runc_path: /usr/bin/runc
diff --git a/roles/container-engine/cri-o/vars/ubuntu.yml b/roles/container-engine/cri-o/vars/ubuntu.yml
index 3bccbe3ef..ee162aed4 100644
--- a/roles/container-engine/cri-o/vars/ubuntu.yml
+++ b/roles/container-engine/cri-o/vars/ubuntu.yml
@@ -1,12 +1,6 @@
 ---
-crio_kubic_versions:
-  "1.18": "1.17"
-  "1.17": "1.17"
-  "1.16": "1.16"
 
 crio_packages:
-  - "cri-o-{{ crio_kubic_versions[ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') ] | default('1.17') }}"
+  - "cri-o-{{ crio_version }}"
 
-crio_conmon: /usr/bin/conmon
-crio_seccomp_profile: ""
 crio_runc_path: /usr/lib/cri-o-runc/sbin/runc
-- 
GitLab