diff --git a/roles/bootstrap-os/tasks/bootstrap-clearlinux.yml b/roles/bootstrap-os/tasks/bootstrap-clearlinux.yml new file mode 100644 index 000000000..89859978d --- /dev/null +++ b/roles/bootstrap-os/tasks/bootstrap-clearlinux.yml @@ -0,0 +1,14 @@ +--- +- name: Install basic packages to run containers + package: + name: "{{ item }}" + state: present + with_items: + - containers-basic + +- name: Make sure docker service is enabled + systemd: + name: docker + enabled: yes + daemon_reload: yes + state: started diff --git a/roles/bootstrap-os/tasks/main.yml b/roles/bootstrap-os/tasks/main.yml index eb29be41a..5fbc4490d 100644 --- a/roles/bootstrap-os/tasks/main.yml +++ b/roles/bootstrap-os/tasks/main.yml @@ -20,6 +20,8 @@ centos {%- elif 'OpenSUSE' in os_release.stdout -%} opensuse + {%- elif 'Clear Linux OS' in os_release.stdout -%} + clearlinux {%- endif -%} - include_tasks: bootstrap-ubuntu.yml @@ -40,6 +42,9 @@ - include_tasks: bootstrap-opensuse.yml when: os_family == "opensuse" +- include_tasks: bootstrap-clearlinux.yml + when: os_family == "clearlinux" + - import_tasks: setup-pipelining.yml - name: Create remote_tmp for it is used by another module @@ -58,14 +63,14 @@ name: "{{inventory_hostname}}" when: - override_system_hostname - - ansible_os_family not in ['Suse', 'CoreOS', 'Container Linux by CoreOS'] + - ansible_os_family not in ['Suse', 'CoreOS', 'Container Linux by CoreOS', 'ClearLinux'] - name: Assign inventory name to unconfigured hostnames (CoreOS and Tumbleweed only) command: "hostnamectl set-hostname {{inventory_hostname}}" register: hostname_changed when: - override_system_hostname - - ansible_os_family in ['Suse', 'CoreOS', 'Container Linux by CoreOS'] + - ansible_os_family in ['Suse', 'CoreOS', 'Container Linux by CoreOS', 'ClearLinux'] - name: Update hostname fact (CoreOS and Tumbleweed only) setup: diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml index 3d9e67c86..a85392993 100644 
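Review bot: The new `Make sure docker service is enabled` task in bootstrap-clearlinux.yml starts and enables dockerd on every Clear Linux host, with no condition on which container engine the cluster is configured to use. The cri-o vars file added in this same commit installs the same `containers-basic` bundle, so a host intended for CRI-O would probably still end up with a running Docker daemon and its root-equivalent socket. Consider a `when:` on whichever variable selects the container engine, or leave starting the service to the docker role. `enabled: yes` and `daemon_reload: yes` would also read better as `true`.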
--- a/roles/container-engine/cri-o/tasks/main.yaml +++ b/roles/container-engine/cri-o/tasks/main.yaml @@ -24,6 +24,14 @@ gpgcheck: no when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic +- name: Make sure needed folders exist in the system + with_items: + - /etc/crio + - /etc/containers + file: + path: "{{ item }}" + state: directory + - name: Install cri-o packages package: name: "{{ item }}" diff --git a/roles/container-engine/cri-o/templates/crio.conf.j2 b/roles/container-engine/cri-o/templates/crio.conf.j2 index ff716f85f..b7de5e66d 100644 --- a/roles/container-engine/cri-o/templates/crio.conf.j2 +++ b/roles/container-engine/cri-o/templates/crio.conf.j2 @@ -107,7 +107,11 @@ selinux = {{ (preinstall_selinux_state == 'enforcing')|lower }} # seccomp_profile is the seccomp json profile path which is used as the # default for the runtime. +{% if ansible_os_family == "ClearLinux" %} +seccomp_profile = "/usr/share/defaults/crio/seccomp.json" +{% else %} seccomp_profile = "/etc/crio/seccomp.json" +{% endif %} # apparmor_profile is the apparmor profile name which is used as the # default for the runtime. @@ -199,7 +203,11 @@ pause_command = "/pause" # use when deciding whether or not to trust an image that we've pulled. # Outside of testing situations, it is strongly advised that this be left # unspecified so that the default system-wide policy will be used. +{% if ansible_os_family == "ClearLinux" %} +signature_policy = "/usr/share/defaults/crio/policy.json" +{% else %} signature_policy = "" +{% endif %} # image_volumes controls how image volumes are handled. # The valid values are mkdir and ignore. diff --git a/roles/container-engine/cri-o/vars/clearlinux.yml b/roles/container-engine/cri-o/vars/clearlinux.yml new file mode 100644 index 000000000..4afc55079 --- /dev/null +++ b/roles/container-engine/cri-o/vars/clearlinux.yml @@ -0,0 +1,5 @@ +--- +crio_packages: + - containers-basic + +crio_service: crio 
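Review bot: The `file` task that creates `/etc/crio` and `/etc/containers` sets no owner or mode, so a newly created directory gets whatever the connection user's umask yields. These directories hold runtime and image-policy configuration, so pin the result with `owner: root`, `group: root` and `mode: "0755"`. The same applies to the `/etc/modules-load.d` task added in roles/kubernetes/node/tasks/main.yml and the `sysctl_file_path | dirname` task in 0080-system-configurations.yml. The latter also uses the `name:` alias where the other two use `path:`, and the node task is named "Verify … exists" although it creates the directory.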
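Review bot: Setting `signature_policy = "/usr/share/defaults/crio/policy.json"` on Clear Linux contradicts the comment directly above it, which advises leaving the value unspecified outside of testing so that the system-wide policy is used. With this branch, image trust on those hosts is decided by a distribution default file. A policy that an operator places under `/etc/containers` (which the tasks file in this commit now creates) would presumably be ignored. Either add a template comment inside the `{% if %}` stating why Clear Linux needs the exception, or render a managed policy file and point at that. The `seccomp_profile` branch in the earlier hunk has the same shape, and as far as these hunks show neither path is checked for existence before crio is started.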
diff --git a/roles/container-engine/docker/tasks/main.yml b/roles/container-engine/docker/tasks/main.yml index 1b3c629bd..c1f501838 100644 --- a/roles/container-engine/docker/tasks/main.yml +++ b/roles/container-engine/docker/tasks/main.yml @@ -45,7 +45,7 @@ docker requires a minimum kernel version of {{ docker_kernel_min_version }} on {{ ansible_distribution }}-{{ ansible_distribution_version }} - when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (ansible_kernel is version(docker_kernel_min_version, "<")) + when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "ClearLinux"]) and (ansible_kernel is version(docker_kernel_min_version, "<")) tags: - facts @@ -62,7 +62,7 @@ retries: 4 delay: "{{ retry_stagger | d(3) }}" with_items: "{{ docker_repo_key_info.repo_keys }}" - when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic) - name: ensure docker-ce repository is enabled action: "{{ docker_repo_info.pkg_repo }}" @@ -70,7 +70,7 @@ repo: "{{item}}" state: present with_items: "{{ docker_repo_info.repos }}" - when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) and (docker_repo_info.repos|length > 0) + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (docker_repo_info.repos|length > 0) - name: ensure docker-engine repository public key is installed action: "{{ dockerproject_repo_key_info.pkg_key }}" 
@@ -84,7 +84,7 @@ delay: "{{ retry_stagger | d(3) }}" with_items: "{{ dockerproject_repo_key_info.repo_keys }}" when: - - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) + - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic) - use_docker_engine is defined and use_docker_engine - name: ensure docker-engine repository is enabled @@ -95,7 +95,7 @@ with_items: "{{ dockerproject_repo_info.repos }}" when: - use_docker_engine is defined and use_docker_engine - - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) and (dockerproject_repo_info.repos|length > 0) + - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (dockerproject_repo_info.repos|length > 0) - name: Configure docker repository on Fedora template: @@ -138,9 +138,23 @@ delay: "{{ retry_stagger | d(3) }}" with_items: "{{ docker_package_info.pkgs }}" notify: restart docker - when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0) + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "ClearLinux"] or is_atomic) and (docker_package_info.pkgs|length > 0) ignore_errors: true +- name: Ensure docker packages are installed + action: "{{ docker_package_info.pkg_mgr }}" + args: + name: "{{ item.name }}" + state: present + with_items: "{{ docker_package_info.pkgs }}" + register: docker_task_result + until: docker_task_result is succeeded + retries: 4 + delay: "{{ retry_stagger | d(3) }}" + notify: restart docker + ignore_errors: true + when: ansible_os_family in ["ClearLinux"] + - name: get available packages on Ubuntu command: apt-cache policy docker-ce when: 
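Review bot: The added Clear Linux copy of `Ensure docker packages are installed` carries `ignore_errors: true`, so once the four retries are exhausted the play continues on a host where the `containers-basic` bundle may not be installed. Later tasks then run against whatever container runtime happens to be present, or none. Drop `ignore_errors: true` from the new task, or follow it with an explicit check that fails the host. The task also reuses the name and most of the body of the task above it (presumably because the swupd module needs different arguments), so the two will drift apart; a distinct name such as `Ensure docker packages are installed (ClearLinux)` would at least make the logs unambiguous. The original task starts outside this hunk.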
@@ -162,7 +176,7 @@ dest: "/etc/apt/preferences.d/docker" owner: "root" mode: 0644 - when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "ClearLinux", "RedHat", "Suse"] or is_atomic) - name: ensure service is started if docker packages are already present service: diff --git a/roles/container-engine/docker/vars/clearlinux.yml b/roles/container-engine/docker/vars/clearlinux.yml new file mode 100644 index 000000000..c0306f1ed --- /dev/null +++ b/roles/container-engine/docker/vars/clearlinux.yml @@ -0,0 +1,5 @@ +--- +docker_package_info: + pkg_mgr: swupd + pkgs: + - name: "containers-basic" diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml index 62ece6e99..813ee39dd 100644 --- a/roles/etcd/meta/main.yml +++ b/roles/etcd/meta/main.yml @@ -2,4 +2,4 @@ dependencies: - role: adduser user: "{{ addusers.etcd }}" - when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] or is_atomic) + when: not (ansible_os_family in ['CoreOS', 'Container Linux by CoreOS', "ClearLinux"] or is_atomic) diff --git a/roles/etcd/tasks/upd_ca_trust.yml b/roles/etcd/tasks/upd_ca_trust.yml index 0ff363860..bd32cbe1a 100644 --- a/roles/etcd/tasks/upd_ca_trust.yml +++ b/roles/etcd/tasks/upd_ca_trust.yml @@ -10,6 +10,8 @@ /etc/ssl/certs/etcd-ca.pem {%- elif ansible_os_family == "Suse" -%} /etc/pki/trust/anchors/etcd-ca.pem + {%- elif ansible_os_family == "ClearLinux" -%} + /usr/share/ca-certs/etcd-ca.pem {%- endif %} tags: - facts @@ -28,3 +30,7 @@ - name: Gen_certs | update ca-certificates (RedHat) command: update-ca-trust extract when: etcd_ca_cert.changed and ansible_os_family == "RedHat" + +- name: Gen_certs | update ca-certificates (ClearLinux) + command: clrtrust add "{{ ca_cert_path }}" + when: etcd_ca_cert.changed and ansible_os_family == "ClearLinux" 
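Review bot: In upd_ca_trust.yml the Clear Linux branch writes the etcd CA to `/usr/share/ca-certs/etcd-ca.pem`, which sits in the OS-owned `/usr` tree rather than in admin-managed state. As I understand the distribution's layout, an OS update or repair could flag or remove the file there, so check whether the source certificate can live under `/etc` and still be passed to `clrtrust add`. Separately, the new `clrtrust add` task in the second hunk is gated on `etcd_ca_cert.changed`. If it fails once, a rerun sees the file unchanged and never adds the CA to the trust store, so a handler or an idempotent check of the trust store would be more robust. The task that registers `etcd_ca_cert` is outside these hunks.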
diff --git a/roles/kubernetes/node/tasks/main.yml b/roles/kubernetes/node/tasks/main.yml index 41410cf70..edf0b29e1 100644 --- a/roles/kubernetes/node/tasks/main.yml +++ b/roles/kubernetes/node/tasks/main.yml @@ -59,6 +59,11 @@ failed_when: modinfo_br_netfilter.rc not in [0, 1] changed_when: false +- name: Verify br_netfilter module path exists + file: + path: /etc/modules-load.d + state: directory + - name: Enable br_netfilter module modprobe: name: br_netfilter diff --git a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml index 0369c094f..ff8d6ffc8 100644 --- a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml @@ -21,7 +21,7 @@ - name: Stop if unknown OS assert: - that: ansible_distribution in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Container Linux by CoreOS', 'openSUSE Leap', 'openSUSE Tumbleweed'] + that: ansible_os_family in ['RedHat', 'CentOS', 'Fedora', 'Ubuntu', 'Debian', 'CoreOS', 'Container Linux by CoreOS', 'openSUSE Leap', 'openSUSE Tumbleweed', 'ClearLinux'] ignore_errors: "{{ ignore_assert_errors }}" - name: Stop if unknown network plugin diff --git a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml index e24aebadb..62e963613 100644 --- a/roles/kubernetes/preinstall/tasks/0070-system-packages.yml +++ b/roles/kubernetes/preinstall/tasks/0070-system-packages.yml 
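Review bot: The `Stop if unknown OS` assertion in 0020-verify-settings.yml now tests `ansible_os_family` against a list that still holds distribution names. The other files in this commit compare `ansible_os_family` with family values such as `RedHat` and `Suse`, so entries like `'openSUSE Leap'`, `'Ubuntu'` and `'CentOS'` no longer match anything. openSUSE hosts would fail the check, while any Debian- or RedHat-family derivative would now pass it, which weakens the gate. Keep the distribution test and add the family test only for the new OS: `that: ansible_distribution in [...] or ansible_os_family == 'ClearLinux'`, with the original list unchanged.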
@@ -95,6 +95,14 @@ retries: 4 delay: "{{ retry_stagger | random + 3 }}" with_items: "{{required_pkgs | default([]) | union(common_required_pkgs|default([]))}}" - when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "ClearLinux"] or is_atomic) tags: - bootstrap-os + +- name: Install ipvsadm for ClearLinux + swupd: + name: ipvsadm + state: present + when: + - ansible_os_family in ["ClearLinux"] + - kube_proxy_mode == 'ipvs' diff --git a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml index cc74e624a..b355b6d30 100644 --- a/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml +++ b/roles/kubernetes/preinstall/tasks/0080-system-configurations.yml @@ -45,6 +45,11 @@ tags: - bootstrap-os +- name: Make sure sysctl file path folder exists + file: + name: "{{ sysctl_file_path | dirname }}" + state: directory + - name: Enable ip forwarding sysctl: sysctl_file: "{{sysctl_file_path}}"