Commit graph

188 commits

Author SHA1 Message Date
Victor Morales
01e527abf1 Add privileged_without_host_devices support (#7343)
When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.

More information:
* https://github.com/containerd/cri/pull/1225
* 1d0f68156b

(cherry picked from commit dc5df57c26)
2021-03-15 07:07:05 -07:00
Etienne Champetier
f26cc9f75b Only use stat get_checksum: yes when needed (#7270)
By default Ansible stat module compute checksum, list extended attributes and find mime type
To find all stat invocations that really use one of those:
git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)'

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit de1d9df787)

Conflicts:
	roles/etcd/tasks/check_certs.yml
2021-03-15 07:07:05 -07:00
Etienne Champetier
176df83e02 Fixup cri-o metacopy mount options (#7287)
Ubuntu 18.04 crio package ships with 'mountopt = "nodev,metacopy=on"'
even if GA kernel is 4.15 (HWE Kernel can be more recent)

Fedora package ships without metacopy=on

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
(cherry picked from commit 5c04bdd52b)
2021-02-22 06:01:43 -08:00
Cristian Calin
d48a4bbc85 add containerd.io to dpkg_selection (#7273)
`containerd.io` is the companion package of `docker-ce` and is the
proper package name. This is needed to avoid apt upgrade/dist-upgrade
from breaking kubernetes.

(cherry picked from commit 6450207713)
2021-02-22 06:01:43 -08:00
Geonju Kim
5f06864582 Change the owner of /etc/crictl.yaml to root (#7254)
(cherry picked from commit 1a91792e7c)
2021-02-22 06:01:43 -08:00
petruha
754a54adfc Run containerd related tasks on OracleLinux. (#7250)
(cherry picked from commit fc8551bcba)
2021-02-22 06:01:43 -08:00
Arian van Putten
f8b15a714c
roles/docker: Make repokey fingerprint overrideable (#7263)
This makes the docker role work the same as the containerd role.
Being able to override this is needed when you have your own debian
repository. E.g. when performing an airgapped installation
2021-02-15 20:47:05 -08:00
Etienne Champetier
1727b3501f containerd,docker: stop installing extras repo on CentOS/RHEL
This was introduced in 143e2272ff
Extra repo is enabled by default in CentOS, and is not the right repo for EL8
Instead of adding a CentOS repo to RHEL, enable the needed RHEL repos with rhsm_repository

For RHEL 7, we need the "extras" repo for container-selinux
For RHEL 8, we need the "appstream" repo for container-selinux, ipvsadm and socat

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 8f2b0772f9)
2021-01-25 23:48:34 -08:00
Etienne Champetier
cf84a6bd3b containerd: ensure containerd is really started and enabled
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit a5d2137ed9)
2021-01-25 23:48:34 -08:00
Etienne Champetier
b80f612d29 containerd,docker: use apt_repository instead of action
yum_repository expect really different params, so nothing to factor here
Ubuntu is not an ansible_os_family, the OS family for Ubuntu is Debian
Check for ansible_pkg_mgr == apt

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit a8e51e686e)
2021-01-25 23:48:34 -08:00
Etienne Champetier
5e06ee6ea6 containerd,docker: use apt_key instead of action
we don't need rpm_key, so nothing to factor here
Ubuntu is not an ansible_os_family, the OS family for Ubuntu is Debian
Check for ansible_pkg_mgr == apt

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit a2429ef64d)
2021-01-25 23:48:34 -08:00
Etienne Champetier
4de5a070e1 containerd: use package instead of action
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 1b88678cf3)
2021-01-25 23:48:34 -08:00
Etienne Champetier
b198cd23d0 docker: use package instead of action, cleanup
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 0e96852159)
2021-01-25 23:48:34 -08:00
Etienne Champetier
74e8f58c57 containerd: use copy to set apt pin
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 19a61d838f)
2021-01-25 23:48:34 -08:00
Etienne Champetier
a652a3b3b5 docker: stop using apt force
Here the desciption from Ansible docs
Corresponds to the --force-yes to apt-get and implies allow_unauthenticated: yes
This option will disable checking both the packages' signatures and the certificates of the web servers they are downloaded from.
This option *is not* the equivalent of passing the -f flag to apt-get on the command line
**This is a destructive operation with the potential to destroy your system, and it should almost never be used.** Please also see man apt-get for more information.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit f3885aa589)
2021-01-25 23:48:34 -08:00
Etienne Champetier
82af8e455e docker: remove old versions
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
1baee488ab containerd: remove duplicate package pining task
Leave it with the install instead of the repo config

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
7433b70d95 docker: remove kernel check
Only CentOS 7 uses Linux 3.10, all other OSs have more recent kernels

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
de6c71a426 docker: remove dockerproject repo reference
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
16a34548ea docker: remove checks for docker 1.12
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
b2f3ab77cd docker: remove some old debug code
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
b2f6ed7dee docker: remove obsoletes=0 in yum.conf
This was introduced in ef7f5edbb3
obsoletes=0 is not present in the official repo config
https://download.docker.com/linux/centos/docker-ce.repo
so it might not be needed for some time

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
09e34d29cd containerd: remove docker_yum_conf / yum_conf
leftover from 1945499e2f

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
55b03a41b2 containerd-common,containerd,docker: remove ubuntu arch specific vars
By removing ancient version we don't need arch specific vars

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
a790935d02
Only setup *_PROXY env variables where needed (#7095)
no_proxy is a pain to get right, and having proxy variables present causes issues
(k8s components get proxy configuration after upgrade, see #7100)

It's better to only configure what require proxy:
- the runtime (containerd/docker/crio)
- the package manager + apt_key
- the download tasks

Tested with the following clusters
- 4 CentOS 8 nodes
- 1 Ubuntu 20.04 node

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-11 07:21:08 -08:00
Florian Ruynat
837fca1368
Add docker 20.10 to available packages (#7106) 2021-01-06 09:23:51 -08:00
Florian Ruynat
e0195da80d
Allow containerd root and state path to be configured (#7098) 2021-01-05 07:13:58 -08:00
Etienne Champetier
c0fe32c4ec
Add repo name for Fedora (#7093)
This fixes 1945499e2f

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-04 10:39:57 -08:00
Etienne Champetier
e9f93a1de9
Remove libseccomp install tasks (#7074)
All packages have proper dependencies in latest versions

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-04 09:17:57 -08:00
Etienne Champetier
1945499e2f
Disable docker-ce yum repo by default / cleanups (#7080)
Upgrading docker / containerd without adapting the configuration might break the node,
so disable docker-ce repo by default.
We are already using dpkg hold for Debian.

All containerd.io packages provide /usr/bin/runc, so no need to check

yum_conf was never used for containerd

module_hotfixes should not be needed with the EL8 repo

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2020-12-23 13:12:26 -08:00
Sergey
096bcdd078
Download once for crio (#6998)
* download run once feature for CRI-O

* fix typo

* fix test
2020-12-21 01:54:25 -08:00
bac-w
87eea16d7b
Fix config containerd template (#7051) 2020-12-17 07:13:09 -08:00
Sergey
85982dc8e9
add support crio version for varios k8s vers (#7003)
* add support crio version for various k8s vers

* regexp in pkg versions
2020-12-09 01:22:50 -08:00
Hans Feldt
878fe80ca3
add and use common crictl role (#6978) 2020-12-05 09:43:25 -08:00
Sander Klein
8331c1f858
Hold the docker-ce-cli (#6995)
This will make sure an upgrade doesn't upgrade the docker cli.
2020-12-04 18:21:25 -08:00
Florian Ruynat
f4a69d2827
Update docker to 19.03.14 and containerd to 1.3.9 (#6980) 2020-12-03 16:33:25 -08:00
Sergey
ed6cef85d8
add crio registry mirror support (#6977)
* add crio registry mirror support

* mdlint fix
2020-12-03 13:57:25 -08:00
OwenTuz
d315f73080
Ensure libseccomp is installed before starting containerd on CentOS 8 (#6922)
* Ensure libseccomp is installed before starting containerd on CentOS 8

* Simplify libseccomp install on CentOS 8

- Uses `package` module
- Replaces complex version check with 'state: latest'. The version must
  be > 2.3 when using with cri-o.
- Removes unnecessary `not is_ostree` condition as CentOS 8 does not use
  ostree
2020-12-03 13:43:26 -08:00
Sergey
06ec5393d7
up vagrant box to fedora/33-cloud-base in cri-o molecule tests (#6992) 2020-12-03 11:25:26 -08:00
Pasquale Toscano
488db81e36
Add pasqualet to approvers (#6976) 2020-12-03 00:58:59 -08:00
Victor Morales
4f7a760a94
Add crun support (#6864)
Signed-off-by: Victor Morales <v.morales@samsung.com>
2020-12-01 11:00:50 -08:00
Pasquale Toscano
f1231bb97d
Add molecule for Kata Containers with Containerd (#6905) 2020-11-30 23:34:49 -08:00
Hans Feldt
80eb1ad936
fix ansible password authentication (#6907)
* copying ssh key no longer required, works with password auth
* use copy module instead of synchronize (which requires sshpass)
* less tasks and always changed tasks
2020-11-30 15:12:50 -08:00
Danilo Riecken P. de Morais
cc5303e1c8
Add test for Fedora CoreOS before creating Docker service file (#6940) 2020-11-30 09:20:49 -08:00
Sergey
4a8a52bad9
containerd docker hub registry mirror support (#6962)
* containerd docker hub registry mirror support

* add docs

* fix typo

* fix yamllint

* fix indent in sample
and ansible-playbook param in testcases_run

* fix md

* mv common vars to tests/common/_docker_hub_registry_mirror.yml

* checkout vars to upgrade tests
2020-11-30 00:22:49 -08:00
Bas van den Brink
17fb1ceed8
Allow airgapped CRI-O installation (#6927) 2020-11-28 08:38:47 -08:00
Barry Melbourne
eb16986f32
Add RHEL support subscription registration (#6572) 2020-11-24 08:33:00 -08:00
Hans Feldt
ee23b947aa
fix flake8 errors in Kubespray CI - tox-inventory-builder (#6910)
* fix flake8 errors in Kubespray CI - tox-inventory-builder

* Invalidate CRI-O kubic repo's cache

Signed-off-by: Victor Morales <v.morales@samsung.com>

* add support to configure pkg install retries

and use in CI job tf-ovh_ubuntu18-calico (due to it failing often)

* Switch Calico, Cilium and MetalLB image repos to Quay.io

Co-authored-by: Victor Morales <v.morales@samsung.com>
Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
2020-11-22 23:47:35 -08:00
Hans Feldt
fc22453618
crio: avoid extra restart after install and upgrade (#6882)
Package upgrade restarts crio. By creating/updating config first,
an extra restart can be avoided.
2020-11-03 08:54:03 -08:00
Victor Morales
9cf5dd0291
Use cgroup v1 in Fedora +31 (#6862)
Fedora 31 uses Cgroups v2 by default. This change by passes the kernel
parameter systemd.unified_cgroup_hierarchy=0.

Signed-off-by: Victor Morales <v.morales@samsung.com>
2020-11-02 06:32:53 -08:00