Implement container runtime role

Author: michaelgugino

playbooks/common/openshift-cluster/upgrades/docker/tasks/restart.yml

@@ -6,10 +6,6 @@
   retries: 3
   delay: 30
 
-- name: Update docker facts
-  openshift_facts:
-    role: docker
-
 - name: Restart containerized services
   service: name={{ item }} state=started
   with_items:

playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml

@@ -6,7 +6,7 @@
 
 - name: Update oreg_auth docker login credentials if necessary
   include_role:
-    name: docker
+    name: container_runtime
     tasks_from: registry_auth.yml
   when: oreg_auth_user is defined
 

playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml

@@ -143,10 +143,6 @@
   roles:
   - { role: openshift_cli }
   vars:
-    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
-    # Another spot where we assume docker is running and do not want to accidentally trigger an unsafe
-    # restart.
-    skip_docker_role: True
     __master_shared_resource_viewer_file: "shared_resource_viewer_role.yaml"
   tasks:
   - name: Reconcile Cluster Roles

playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml

@@ -73,12 +73,6 @@
     openshift_release: "{{ openshift_upgrade_target }}"
     openshift_protect_installed_version: False
 
-    # We skip the docker role at this point in upgrade to prevent
-    # unintended package, container, or config upgrades which trigger
-    # docker restarts. At this early stage of upgrade we can assume
-    # docker is configured and running.
-    skip_docker_role: True
-
 - include: ../../../../openshift-master/private/validate_restart.yml
   tags:
   - pre_upgrade

playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml

@@ -77,12 +77,6 @@
     openshift_release: "{{ openshift_upgrade_target }}"
     openshift_protect_installed_version: False
 
-    # We skip the docker role at this point in upgrade to prevent
-    # unintended package, container, or config upgrades which trigger
-    # docker restarts. At this early stage of upgrade we can assume
-    # docker is configured and running.
-    skip_docker_role: True
-
 - include: ../../../../openshift-master/private/validate_restart.yml
   tags:
   - pre_upgrade

playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml

@@ -66,12 +66,6 @@
     openshift_release: "{{ openshift_upgrade_target }}"
     openshift_protect_installed_version: False
 
-    # We skip the docker role at this point in upgrade to prevent
-    # unintended package, container, or config upgrades which trigger
-    # docker restarts. At this early stage of upgrade we can assume
-    # docker is configured and running.
-    skip_docker_role: True
-
 - name: Verify masters are already upgraded
   hosts: oo_masters_to_config
   tags:

playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml

@@ -77,12 +77,6 @@
     openshift_release: "{{ openshift_upgrade_target }}"
     openshift_protect_installed_version: False
 
-    # We skip the docker role at this point in upgrade to prevent
-    # unintended package, container, or config upgrades which trigger
-    # docker restarts. At this early stage of upgrade we can assume
-    # docker is configured and running.
-    skip_docker_role: True
-
 - include: ../../../../openshift-master/private/validate_restart.yml
   tags:
   - pre_upgrade

playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml

@@ -81,12 +81,6 @@
     openshift_release: "{{ openshift_upgrade_target }}"
     openshift_protect_installed_version: False
 
-    # We skip the docker role at this point in upgrade to prevent
-    # unintended package, container, or config upgrades which trigger
-    # docker restarts. At this early stage of upgrade we can assume
-    # docker is configured and running.
-    skip_docker_role: True
-
 - include: ../../../../openshift-master/private/validate_restart.yml
   tags:
   - pre_upgrade

playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml

@@ -66,12 +66,6 @@
     openshift_release: "{{ openshift_upgrade_target }}"
     openshift_protect_installed_version: False
 
-    # We skip the docker role at this point in upgrade to prevent
-    # unintended package, container, or config upgrades which trigger
-    # docker restarts. At this early stage of upgrade we can assume
-    # docker is configured and running.
-    skip_docker_role: True
-
 - name: Verify masters are already upgraded
   hosts: oo_masters_to_config
   tags:

playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml

@@ -77,12 +77,6 @@
     openshift_release: "{{ openshift_upgrade_target }}"
     openshift_protect_installed_version: False
 
-    # We skip the docker role at this point in upgrade to prevent
-    # unintended package, container, or config upgrades which trigger
-    # docker restarts. At this early stage of upgrade we can assume
-    # docker is configured and running.
-    skip_docker_role: True
-
 - include: ../../../../openshift-master/private/validate_restart.yml
   tags:
   - pre_upgrade

playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml

@@ -81,12 +81,6 @@
     openshift_release: "{{ openshift_upgrade_target }}"
     openshift_protect_installed_version: False
 
-    # We skip the docker role at this point in upgrade to prevent
-    # unintended package, container, or config upgrades which trigger
-    # docker restarts. At this early stage of upgrade we can assume
-    # docker is configured and running.
-    skip_docker_role: True
-
 - include: ../../../../openshift-master/private/validate_restart.yml
   tags:
   - pre_upgrade

playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml

@@ -66,12 +66,6 @@
     openshift_release: "{{ openshift_upgrade_target }}"
     openshift_protect_installed_version: False
 
-    # We skip the docker role at this point in upgrade to prevent
-    # unintended package, container, or config upgrades which trigger
-    # docker restarts. At this early stage of upgrade we can assume
-    # docker is configured and running.
-    skip_docker_role: True
-
 - name: Verify masters are already upgraded
   hosts: oo_masters_to_config
   tags:

playbooks/init/facts.yml

@@ -135,11 +135,13 @@
     - openshift_http_proxy is defined or openshift_https_proxy is defined
     - openshift_generate_no_proxy_hosts | default(True) | bool
 
+  - name: Initialize openshift.node.sdn_mtu
+    openshift_facts:
+      role: node
+      local_facts:
+        sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}"
+
   - name: initialize_facts set_fact repoquery command
     set_fact:
       repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}"
       repoquery_installed: "{{ 'dnf repoquery --latest-limit 1 -d 0 --disableexcludes=all --installed' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins --installed' }}"
-
-  - name: initialize_facts set_fact on openshift_docker_hosted_registry_network
-    set_fact:
-      openshift_docker_hosted_registry_network: "{{ '' if 'oo_first_master' not in groups else hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"

playbooks/init/main.yml

@@ -24,6 +24,7 @@
 - import_playbook: repos.yml
 
 - import_playbook: version.yml
+  when: not (skip_verison | default(False))
 
 - name: Initialization Checkpoint End
   hosts: all

playbooks/openshift-hosted/private/cockpit-ui.yml

@@ -5,4 +5,4 @@
   - role: cockpit-ui
     when:
     - openshift_hosted_manage_registry | default(true) | bool
-    - not openshift.docker.hosted_registry_insecure | default(false) | bool
+    - not (openshift_docker_hosted_registry_insecure | default(false)) | bool

playbooks/openshift-loadbalancer/private/config.yml

@@ -11,14 +11,12 @@
           status: "In Progress"
           start: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}"
 
-- name: Configure firewall and docker for load balancers
+- name: Configure firewall load balancers
   hosts: oo_lb_to_config:!oo_masters_to_config:!oo_nodes_to_config
   vars:
     openshift_image_tag: "{{ hostvars[groups.oo_first_master.0].openshift_image_tag }}"
   roles:
   - role: os_firewall
-  - role: openshift_docker
-    when: openshift.common.is_containerized | default(False) | bool and not skip_docker_role | default(False) | bool
 
 - name: Configure load balancers
   hosts: oo_lb_to_config

playbooks/openshift-node/private/configure_nodes.yml

@@ -4,7 +4,6 @@
   vars:
     openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
     openshift_node_first_master_ip: "{{ hostvars[groups.oo_first_master.0].openshift.common.ip }}"
-    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
     openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']
                                                     | union(groups['oo_masters_to_config'])
                                                     | union(groups['oo_etcd_to_config'] | default([])))

playbooks/openshift-node/private/containerized_nodes.yml

@@ -5,7 +5,6 @@
   vars:
     openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}"
     openshift_node_first_master_ip: "{{ hostvars[groups.oo_first_master.0].openshift.common.ip }}"
-    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
     openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config']
                                                     | union(groups['oo_masters_to_config'])
                                                     | union(groups['oo_etcd_to_config'] | default([])))

playbooks/openshift-node/private/restart.yml

@@ -16,10 +16,6 @@
     retries: 3
     delay: 30
 
-  - name: Update docker facts
-    openshift_facts:
-      role: docker
-
   - name: Restart containerized services
     service:
       name: "{{ item }}"

playbooks/prerequisites.yml

@@ -1,7 +1,12 @@
 ---
-- name: Place holder for prerequisites
-  hosts: localhost
-  gather_facts: false
+- include: init/main.yml
+  vars:
+    skip_verison: True
+
+- hosts: "{{ l_containerized_host_groups }}"
+  vars:
+    l_chg_temp: "{{ openshift_containerized_host_groups | default([]) }}"
+    l_containerized_host_groups: "{{ (['oo_nodes_to_config'] | union(l_chg_temp)) | join(':') }}"
   tasks:
-  - name: Debug placeholder
-    debug: msg="Prerequisites ran."
+    - include_role:
+        name: container_runtime

playbooks/roles

@@ -0,0 +1 @@
+../roles

roles/calico/handlers/main.yml

@@ -3,10 +3,10 @@
   become: yes
   systemd: name=calico state=restarted
 
-- name: restart docker
+- name: restart container runtime
   become: yes
   systemd:
-    name: "{{ openshift.docker.service_name }}"
+    name: "{{ openshift_docker_service_name }}"
     state: restarted
   register: l_docker_restart_docker_in_calico_result
   until: not l_docker_restart_docker_in_calico_result | failed

roles/calico/templates/calico.service.j2

@@ -1,7 +1,7 @@
 [Unit]
 Description=calico
-After={{ openshift.docker.service_name }}.service
-Requires={{ openshift.docker.service_name }}.service
+After={{ openshift_docker_service_name }}.service
+Requires={{ openshift_docker_service_name }}.service
 
 [Service]
 Restart=always

roles/docker/README.md roles/container_runtime/README.md

@@ -10,27 +10,23 @@ Requirements
 
 Ansible 2.2
 
-Role Variables
+Mandator Role Variables
 --------------
 
-docker_conf_dir: location of the Docker configuration directory
-docker_systemd_dir location of the systemd directory for Docker
-docker_udev_workaround: raises udevd timeout to 5 minutes (https://bugzilla.redhat.com/show_bug.cgi?id=1272446)
-udevw_udevd_dir: location of systemd config for systemd-udevd.service
+
 
 Dependencies
 ------------
 
-Depends on the os_firewall role.
+Depends on openshift_facts having already been run.
 
 Example Playbook
 ----------------
 
     - hosts: servers
       roles:
-      - role: docker
+      - role: container_runtime
         docker_udev_workaround: "true"
-        docker_use_system_container: False
 
 License
 -------

roles/docker/defaults/main.yml roles/container_runtime/defaults/main.yml

@@ -2,25 +2,42 @@
 docker_cli_auth_config_path: '/root/.docker'
 openshift_docker_signature_verification: False
 
+repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}"
+
 openshift_docker_alternative_creds: False
 
 # oreg_url is defined by user input.
 oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}"
 oreg_auth_credentials_replace: False
 
+openshift_docker_use_system_container: False
+openshift_docker_disable_push_dockerhub: False  # bool
+openshift_docker_selinux_enabled: True
+openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}"
+
+openshift_docker_hosted_registry_insecure: False  # bool
+
+openshift_docker_hosted_registry_network_default: "{{ openshift_portal_net | default(False) }}"
+openshift_docker_hosted_registry_network: "{{ openshift_docker_hosted_registry_network_default }}"
+
 openshift_docker_additional_registries: []
 openshift_docker_blocked_registries: []
 openshift_docker_insecure_registries: []
 
 openshift_docker_ent_reg: 'registry.access.redhat.com'
 
+openshift_docker_options: False  # str
+openshift_docker_log_driver: False  # str
+openshift_docker_log_options: []
+
 # The l2_docker_* variables convert csv strings to lists, if
 # necessary.  These variables should be used in place of their respective
 # openshift_docker_* counterparts to ensure the properly formatted lists are
 # utilized.
 l2_docker_additional_registries: "{% if openshift_docker_additional_registries is string %}{% if openshift_docker_additional_registries == '' %}[]{% elif ',' in openshift_docker_additional_registries %}{{ openshift_docker_additional_registries.split(',') | list }}{% else %}{{ [ openshift_docker_additional_registries ] }}{% endif %}{% else %}{{ openshift_docker_additional_registries }}{% endif %}"
 l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}"
 l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}"
+l2_docker_log_options: "{% if openshift_docker_log_options is string %}{% if ',' in openshift_docker_log_options %}{{ openshift_docker_log_options.split(',') | list }}{% else %}{{ [ openshift_docker_log_options ] }}{% endif %}{% else %}{{ openshift_docker_log_options }}{% endif %}"
 
 openshift_docker_use_etc_containers: False
 containers_registries_conf_path: /etc/containers/registries.conf
@@ -38,3 +55,26 @@ openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['o
 
 docker_alt_storage_path: /var/lib/containers/docker
 docker_default_storage_path: /var/lib/docker
+
+# Set local versions of facts that must be in json format for container-daemon.json
+# NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson
+l_docker_log_options: "{{ l2_docker_log_options | to_json }}"
+l_docker_additional_registries: "{{ l2_docker_additional_registries | to_json }}"
+l_docker_blocked_registries: "{{ l2_docker_blocked_registries | to_json }}"
+l_docker_insecure_registries: "{{ l2_docker_insecure_registries | to_json }}"
+l_docker_selinux_enabled: "{{ openshift_docker_selinux_enabled | to_json }}"
+
+docker_http_proxy: "{{ openshift_http_proxy | default('') }}"
+docker_https_proxy: "{{ openshift.common.https_proxy | default('') }}"
+docker_no_proxy: "{{ openshift.common.no_proxy | default('') }}"
+
+openshift_use_crio: False
+openshift_use_crio_only: False
+
+
+l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}"
+l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}"
+l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}"
+
+l_openshift_image_tag_default: "{{ openshift_release }}"
+l_openshift_image_tag: "{{ openshift_image_tag | default(l_openshift_image_tag_default) | string}}"

roles/docker/handlers/main.yml roles/container_runtime/handlers/main.yml

@@ -1,8 +1,8 @@
 ---
 
-- name: restart docker
+- name: restart container runtime
   systemd:
-    name: "{{ openshift.docker.service_name }}"
+    name: "{{ openshift_docker_service_name }}"
     state: restarted
     daemon_reload: yes
   register: r_docker_restart_docker_result

roles/docker/meta/main.yml roles/container_runtime/meta/main.yml

@@ -1,7 +1,7 @@
 ---
 galaxy_info:
   author: OpenShift
-  description: docker package install
+  description: container runtime install and configure
   company: Red Hat, Inc
   license: ASL 2.0
   min_ansible_version: 2.2