From d315f73080377064216f766a91aac81610eb9b09 Mon Sep 17 00:00:00 2001
From: OwenTuz <owentuz@gmail.com>
Date: Thu, 3 Dec 2020 21:43:26 +0000
Subject: [PATCH] Ensure libseccomp is installed before starting containerd on
 CentOS 8 (#6922)

* Ensure libseccomp is installed before starting containerd on CentOS 8

* Simplify libseccomp install on CentOS 8

- Uses `package` module
- Replaces the complex version check with 'state: latest'. The version must
  be > 2.3 when used with cri-o.
- Removes unnecessary `not is_ostree` condition as CentOS 8 does not use
  ostree
---
 roles/container-engine/containerd/tasks/main.yml |  9 +++++++++
 roles/container-engine/cri-o/tasks/main.yaml     | 14 ++++----------
 roles/container-engine/docker/tasks/main.yml     |  9 +++++++++
 3 files changed, 22 insertions(+), 10 deletions(-)

diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml
index 41b8df674..c2369daad 100644
--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -129,4 +129,13 @@
     - not is_ostree
     - not runc_stat.stat.exists
 
+- name: Ensure latest version of libseccomp installed  # noqa 403
+  package:
+    name: libseccomp
+    state: latest
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "8"
+  notify: restart containerd
+
 - include_tasks: crictl.yml
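Review bot: `state: latest` together with `# noqa 403` makes this task upgrade libseccomp to whatever the enabled repositories serve at run time, and nothing next to the suppression says why; the same task is added in the cri-o and docker hunks below. Two nodes provisioned on different days can therefore end up with different builds of a library the container runtime depends on, with no pinned version to audit against. The commit subject only asks that libseccomp be installed before containerd starts, so if presence is all containerd needs, `state: present` would do and the suppression could be dropped. If a minimum version is required, record it above the task, for example `# 'latest' is deliberate: CentOS 8 may ship libseccomp 2.3; minimum needed is <MIN_VERSION> (lint rule 403 suppressed)`.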
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
index 2707a3432..92ef26ad6 100644
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@@ -83,19 +83,13 @@
   retries: 4
   delay: "{{ retry_stagger | d(3) }}"
 
-- name: Gather the rpm package facts
-  package_facts:
-    manager: auto
-  when:
-    - ansible_distribution == "CentOS"
-    - ansible_distribution_major_version == "8"
-
-- name: Ensure latest version of libseccom installed  # noqa 303
-  command: "yum update -y libseccomp"
+- name: Ensure latest version of libseccomp installed  # noqa 403
+  package:
+    name: libseccomp
+    state: latest
   when:
     - ansible_distribution == "CentOS"
     - ansible_distribution_major_version == "8"
-    - ansible_facts.packages['libseccomp'] | map(attribute='version') | map('regex_replace','^(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') | list | first == '2.3'
   notify: restart crio
 
 - name: Check if already installed
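Review bot: Nothing after the rewritten task confirms that the installed libseccomp actually ends up newer than 2.3, which the commit message states is required for cri-o. If the enabled repositories carry only a 2.3.x build, `state: latest` reports success and the play continues with a library that is too old. A verification step after the install would turn that into an explicit failure. The sketch below reads "> 2.3" as 2.4 or newer, which matches the removed major.minor comparison; it deliberately brings back `package_facts`, but only as a check after the install rather than as a gate on the update.

```yaml
# … unchanged: "Ensure latest version of libseccomp installed" task …

- name: Gather package facts to verify libseccomp version
  package_facts:
    manager: auto
  when:
    - ansible_distribution == "CentOS"
    - ansible_distribution_major_version == "8"

- name: Fail early if libseccomp is still too old for cri-o
  assert:
    that:
      - ansible_facts.packages['libseccomp'][0].version is version('2.4', '>=')
    msg: "libseccomp must be newer than 2.3 for cri-o on CentOS 8"
  when:
    - ansible_distribution == "CentOS"
    - ansible_distribution_major_version == "8"
```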
diff --git a/roles/container-engine/docker/tasks/main.yml b/roles/container-engine/docker/tasks/main.yml
index d6bc6f555..67a22b42d 100644
--- a/roles/container-engine/docker/tasks/main.yml
+++ b/roles/container-engine/docker/tasks/main.yml
@@ -211,6 +211,15 @@
     selection: hold
   when: ansible_os_family in ["Debian"]
 
+- name: Ensure latest version of libseccomp installed  # noqa 403
+  package:
+    name: libseccomp
+    state: latest
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "8"
+  notify: restart docker
+
 - name: ensure docker started, remove our config if docker start failed and try again
   block:
     - name: ensure service is started if docker packages are already present
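Review bot: `notify: restart docker` on this task fires whenever the repository offers a newer libseccomp, so a routine re-run on a node that already hosts containers can restart the daemon; the containerd and cri-o hunks notify their own restart handlers in the same way. The handlers are not visible in this patch, so their effect on running workloads should be confirmed. At minimum, document it above the task: `# a libseccomp upgrade notifies 'restart docker'; expect a daemon restart on re-runs`. This is also the third verbatim copy of the task, and keeping it in one shared task file included by the three roles would stop the copies drifting apart. The `block:` that follows continues past the end of the hunk.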
-- 
GitLab