Centos, debian and fedora CRI-O repo (#6008)

* replace removed repo with kubic repository for centos 7 * add crio configuration for centos8 * add crio configurations for debian * use correct crio version for fedora * simplify calulation of required crio version - gives possibility to overwrite * change default path for runc * change default for seccomp path * change default for conmon
2020-04-24 10:18:07 +02:00 · 2020-04-24 10:18:07 +02:00 · cf1566e8ed
commit cf1566e8ed
parent c6d91b89d7
13 changed files with 121 additions and 32 deletions
--- a/roles/container-engine/cri-o/defaults/main.yml
+++ b/roles/container-engine/cri-o/defaults/main.yml
@ -1,8 +1,16 @@
 ---
-crio_rhel_repo_base_url: 'https://cbs.centos.org/repos/paas7-crio-114-candidate/x86_64/os/'
-
-crio_seccomp_profile: "/etc/crio/seccomp.json"

 crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('cgroupfs') }}"

-crio_runc_path: "/usr/sbin/runc"
+crio_seccomp_profile: ""
+crio_runc_path: "/usr/bin/runc"
+crio_conmon: "/usr/bin/conmon"
+
+crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"
+
+crio_kubernetes_version_matrix:
+  "1.18": "1.17"
+  "1.17": "1.17"
+  "1.16": "1.16"
+
+crio_version: "{{ crio_kubernetes_version_matrix[crio_required_version] | default('1.17') }}"
--- a/roles/container-engine/cri-o/molecule/default/molecule.yml
+++ b/roles/container-engine/cri-o/molecule/default/molecule.yml
@ -8,12 +8,36 @@ lint:
  options:
    config-file: ../../../.yamllint
 platforms:
-  - name: kubespray-crio
+  - name: kubespray-crio-ubuntu
    box: generic/ubuntu1804
    cpus: 2
    memory: 1024
    groups:
      - kube-master
+  - name: kubespray-crio-centos7
+    box: centos/7
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
+  - name: kubespray-crio-centos8
+    box: centos/8
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
+  - name: kubespray-crio-debian
+    box: generic/debian10
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
+  - name: kubespray-crio-fedora
+    box: fedora/31-cloud-base
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
 provisioner:
  name: ansible
  env:
--- a/roles/container-engine/cri-o/molecule/default/tests/test_default.py
+++ b/roles/container-engine/cri-o/molecule/default/tests/test_default.py
@ -13,8 +13,9 @@ def test_service(host):


 def test_run(host):
+    crictl = "/usr/local/bin/crictl"
    path = "unix:///var/run/crio/crio.sock"
    with host.sudo():
-        cmd = host.command("crictl --runtime-endpoint " + path + " version")
+        cmd = host.command(crictl + " --runtime-endpoint " + path + " version")
    assert cmd.rc == 0
    assert "RuntimeName:  cri-o" in cmd.stdout
--- a/roles/container-engine/cri-o/tasks/crictl.yml
+++ b/roles/container-engine/cri-o/tasks/crictl.yml
@ -23,7 +23,6 @@

 - name: Get crictl completion
  shell: "{{ bin_dir }}/crictl completion"
-  when: ansible_distribution in ["CentOS","RedHat", "Ubuntu", "Debian"]
  changed_when: False
  register: cri_completion

@ -32,4 +31,3 @@
    dest: /etc/bash_completion.d/crictl
    content: "{{ cri_completion.stdout }}"
  become: True
-  when: cri_completion is defined
--- a/roles/container-engine/cri-o/tasks/crio_repo.yml
+++ b/roles/container-engine/cri-o/tasks/crio_repo.yml
@ -1,34 +1,60 @@
 ---

+- name: CRI-O kubic repo name for debian os family
+  set_fact:
+    crio_kubic_debian_repo_name: "{{ ((ansible_distribution == 'Ubuntu') | ternary('x','')) ~ ansible_distribution ~ '_' ~ ansible_distribution_version }}"
+  when: ansible_os_family == "Debian"
+
 - name: Add CRI-O kubic repo key
  apt_key:
-    url: "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/x{{ ansible_distribution }}_{{ ansible_distribution_version }}/Release.key"
+    url: "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/{{ crio_kubic_debian_repo_name }}/Release.key"
    state: present
-  when: ansible_distribution in ["Ubuntu"]
+  when: crio_kubic_debian_repo_name is defined

 - name: Add CRI-O kubic repo
  apt_repository:
-    repo: "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/x{{ ansible_distribution }}_{{ ansible_distribution_version }}/ /"
+    repo: "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ crio_kubic_debian_repo_name }}/ /"
    state: present
    filename: devel:kubic:libcontainers:stable
-  when: ansible_distribution in ["Ubuntu"]
+  when: crio_kubic_debian_repo_name is defined

- name: Add CRI-O OpenShift Origin repository
+- name: Add CRI-O kubic repo
  yum_repository:
-    name: origin
-    description: OpenShift Origin Repo
-    baseurl: "{{ crio_rhel_repo_base_url }}"
-    gpgcheck: no
-  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_ostree
+    name: devel_kubic_libcontainers_stable
+    description: Stable Releases of Upstream github.com/containers packages (CentOS_$releasever)
+    baseurl: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/
+    gpgcheck: yes
+    gpgkey: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/repodata/repomd.xml.key
+  when: ansible_distribution in ["CentOS"]

- name: Enable modular repos for crio
+- name: Add CRI-O kubic repo
+  yum_repository:
+    name: "devel_kubic_libcontainers_stable_cri-o_{{ crio_version }}"
+    description: 1.17 (CentOS_$releasever)
+    baseurl: "http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/CentOS_$releasever/"
+    gpgcheck: yes
+    gpgkey: "http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/CentOS_$releasever/repodata/repomd.xml.key"
+  when: ansible_distribution in ["CentOS"]
+
+- name: Enable modular repos for CRI-O
  ini_file:
    path: "/etc/yum.repos.d/{{ item }}.repo"
    section: "{{ item }}"
    option: enabled
    value: 1
  become: true
-  when: ansible_distribution in ["Fedora"]
+  when: is_ostree
  loop:
    - "fedora-updates-modular"
    - "fedora-modular"
+
+- name: Enable CRI-O module
+  command: "dnf -y module enable cri-o:{{ crio_version }}"
+  args:
+    warn: False
+  register: crio_dnf_result
+  changed_when: "'Enabling' in crio_dnf_result.stdout"
+  become: true
+  when:
+    - ansible_distribution in ["Fedora"]
+    - not is_ostree
--- a/roles/container-engine/cri-o/tasks/main.yaml
+++ b/roles/container-engine/cri-o/tasks/main.yaml
@ -48,6 +48,21 @@
  with_items: "{{ crio_packages }}"
  notify: restart crio

+- name: Gather the rpm package facts
+  package_facts:
+    manager: auto
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "8"
+
+- name: Ensure latest version of libseccom installed
+  command: "yum update -y libseccomp"
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "8"
+    - ansible_facts.packages['libseccomp'] | map(attribute='version') | map('regex_replace','^(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') | list | first == '2.3'
+  notify: restart crio
+
 - name: Check if already installed
  stat:
    path: "/bin/crio"
@ -96,6 +111,17 @@
    owner: root
    mode: 0755

+- name: Remove metacopy mount options for older kernels
+  ini_file:
+    dest: /etc/containers/storage.conf
+    section: storage.options.overlay
+    option: mountopt
+    value: "\"nodev\""
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "7"
+
+
 - name: Write cri-o proxy drop-in
  template:
    src: http-proxy.conf.j2
--- a/roles/container-engine/cri-o/vars/centos-7.yml
+++ b/roles/container-engine/cri-o/vars/centos-7.yml
@ -0,0 +1,5 @@
+---
+
+crio_packages:
+  - cri-o
+  - oci-systemd-hook
--- a/roles/container-engine/cri-o/vars/centos-8.yml
+++ b/roles/container-engine/cri-o/vars/centos-8.yml
@ -0,0 +1,4 @@
+---
+
+crio_packages:
+  - cri-o
--- a/roles/container-engine/cri-o/vars/clearlinux.yml
+++ b/roles/container-engine/cri-o/vars/clearlinux.yml
@ -4,4 +4,3 @@ crio_packages:

 crio_conmon: /usr/libexec/crio/conmon
 crio_seccomp_profile: /usr/share/defaults/crio/seccomp.json
-crio_runc_path: /usr/bin/runc
--- a/roles/container-engine/cri-o/vars/debian.yml
+++ b/roles/container-engine/cri-o/vars/debian.yml
@ -0,0 +1,7 @@
+---
+
+crio_packages:
+  - "cri-o-{{ crio_version }}"
+  - runc
+
+crio_runc_path: /usr/sbin/runc
--- a/roles/container-engine/cri-o/vars/fedora.yml
+++ b/roles/container-engine/cri-o/vars/fedora.yml
@ -4,5 +4,3 @@ crio_packages:
  - cri-tools

 crio_conmon: /usr/libexec/crio/conmon
-crio_runc_path: "/usr/bin/runc"
-crio_seccomp_profile: ""
--- a/roles/container-engine/cri-o/vars/redhat.yml
+++ b/roles/container-engine/cri-o/vars/redhat.yml
@ -4,4 +4,3 @@ crio_packages:
  - oci-systemd-hook

 crio_conmon: /usr/libexec/crio/conmon
-crio_runc_path: /usr/bin/runc
--- a/roles/container-engine/cri-o/vars/ubuntu.yml
+++ b/roles/container-engine/cri-o/vars/ubuntu.yml
@ -1,12 +1,6 @@
 ---
-crio_kubic_versions:
-  "1.18": "1.17"
-  "1.17": "1.17"
-  "1.16": "1.16"

 crio_packages:
-  - "cri-o-{{ crio_kubic_versions[ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') ] | default('1.17') }}"
+  - "cri-o-{{ crio_version }}"

-crio_conmon: /usr/bin/conmon
-crio_seccomp_profile: ""
 crio_runc_path: /usr/lib/cri-o-runc/sbin/runc