Commit graph

232 commits

Author SHA1 Message Date
Florian Ruynat
ba731ed145
Update docker packages to 19.03.15 and 20.10.3 (#7243) 2021-02-04 13:20:53 -08:00
Etienne Champetier
8f2b0772f9
containerd,docker: stop installing extras repo on CentOS/RHEL (#7203)
This was introduced in 143e2272ff
Extra repo is enabled by default in CentOS, and is not the right repo for EL8
Instead of adding a CentOS repo to RHEL, enable the needed RHEL repos with rhsm_repository

For RHEL 7, we need the "extras" repo for container-selinux
For RHEL 8, we need the "appstream" repo for container-selinux, ipvsadm and socat

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-25 03:12:54 -08:00
Etienne Champetier
a5d2137ed9 containerd: ensure containerd is really started and enabled
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier
a8e51e686e containerd,docker: use apt_repository instead of action
yum_repository expect really different params, so nothing to factor here
Ubuntu is not an ansible_os_family, the OS family for Ubuntu is Debian
Check for ansible_pkg_mgr == apt

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier
a2429ef64d containerd,docker: use apt_key instead of action
we don't need rpm_key, so nothing to factor here
Ubuntu is not an ansible_os_family, the OS family for Ubuntu is Debian
Check for ansible_pkg_mgr == apt

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier
1b88678cf3 containerd: use package instead of action
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier
0e96852159 docker: use package instead of action, cleanup
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier
19a61d838f containerd: use copy to set apt pin
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier
f3885aa589 docker: stop using apt force
Here the desciption from Ansible docs
Corresponds to the --force-yes to apt-get and implies allow_unauthenticated: yes
This option will disable checking both the packages' signatures and the certificates of the web servers they are downloaded from.
This option *is not* the equivalent of passing the -f flag to apt-get on the command line
**This is a destructive operation with the potential to destroy your system, and it should almost never be used.** Please also see man apt-get for more information.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier
82af8e455e docker: remove old versions
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
1baee488ab containerd: remove duplicate package pining task
Leave it with the install instead of the repo config

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
7433b70d95 docker: remove kernel check
Only CentOS 7 uses Linux 3.10, all other OSs have more recent kernels

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
de6c71a426 docker: remove dockerproject repo reference
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
16a34548ea docker: remove checks for docker 1.12
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
b2f3ab77cd docker: remove some old debug code
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
b2f6ed7dee docker: remove obsoletes=0 in yum.conf
This was introduced in ef7f5edbb3
obsoletes=0 is not present in the official repo config
https://download.docker.com/linux/centos/docker-ce.repo
so it might not be needed for some time

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
09e34d29cd containerd: remove docker_yum_conf / yum_conf
leftover from 1945499e2f

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
55b03a41b2 containerd-common,containerd,docker: remove ubuntu arch specific vars
By removing ancient version we don't need arch specific vars

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier
a790935d02
Only setup *_PROXY env variables where needed (#7095)
no_proxy is a pain to get right, and having proxy variables present causes issues
(k8s components get proxy configuration after upgrade, see #7100)

It's better to only configure what require proxy:
- the runtime (containerd/docker/crio)
- the package manager + apt_key
- the download tasks

Tested with the following clusters
- 4 CentOS 8 nodes
- 1 Ubuntu 20.04 node

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-11 07:21:08 -08:00
Florian Ruynat
837fca1368
Add docker 20.10 to available packages (#7106) 2021-01-06 09:23:51 -08:00
Florian Ruynat
e0195da80d
Allow containerd root and state path to be configured (#7098) 2021-01-05 07:13:58 -08:00
Etienne Champetier
c0fe32c4ec
Add repo name for Fedora (#7093)
This fixes 1945499e2f

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-04 10:39:57 -08:00
Etienne Champetier
e9f93a1de9
Remove libseccomp install tasks (#7074)
All packages have proper dependencies in latest versions

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-04 09:17:57 -08:00
Etienne Champetier
1945499e2f
Disable docker-ce yum repo by default / cleanups (#7080)
Upgrading docker / containerd without adapting the configuration might break the node,
so disable docker-ce repo by default.
We are already using dpkg hold for Debian.

All containerd.io packages provide /usr/bin/runc, so no need to check

yum_conf was never used for containerd

module_hotfixes should not be needed with the EL8 repo

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2020-12-23 13:12:26 -08:00
Sergey
096bcdd078
Download once for crio (#6998)
* download run once feature for CRI-O

* fix typo

* fix test
2020-12-21 01:54:25 -08:00
bac-w
87eea16d7b
Fix config containerd template (#7051) 2020-12-17 07:13:09 -08:00
Sergey
85982dc8e9
add support crio version for varios k8s vers (#7003)
* add support crio version for various k8s vers

* regexp in pkg versions
2020-12-09 01:22:50 -08:00
Hans Feldt
878fe80ca3
add and use common crictl role (#6978) 2020-12-05 09:43:25 -08:00
Sander Klein
8331c1f858
Hold the docker-ce-cli (#6995)
This will make sure an upgrade doesn't upgrade the docker cli.
2020-12-04 18:21:25 -08:00
Florian Ruynat
f4a69d2827
Update docker to 19.03.14 and containerd to 1.3.9 (#6980) 2020-12-03 16:33:25 -08:00
Sergey
ed6cef85d8
add crio registry mirror support (#6977)
* add crio registry mirror support

* mdlint fix
2020-12-03 13:57:25 -08:00
OwenTuz
d315f73080
Ensure libseccomp is installed before starting containerd on CentOS 8 (#6922)
* Ensure libseccomp is installed before starting containerd on CentOS 8

* Simplify libseccomp install on CentOS 8

- Uses `package` module
- Replaces complex version check with 'state: latest'. The version must
  be > 2.3 when using with cri-o.
- Removes unnecessary `not is_ostree` condition as CentOS 8 does not use
  ostree
2020-12-03 13:43:26 -08:00
Sergey
06ec5393d7
up vagrant box to fedora/33-cloud-base in cri-o molecule tests (#6992) 2020-12-03 11:25:26 -08:00
Pasquale Toscano
488db81e36
Add pasqualet to approvers (#6976) 2020-12-03 00:58:59 -08:00
Victor Morales
4f7a760a94
Add crun support (#6864)
Signed-off-by: Victor Morales <v.morales@samsung.com>
2020-12-01 11:00:50 -08:00
Pasquale Toscano
f1231bb97d
Add molecule for Kata Containers with Containerd (#6905) 2020-11-30 23:34:49 -08:00
Hans Feldt
80eb1ad936
fix ansible password authentication (#6907)
* copying ssh key no longer required, works with password auth
* use copy module instead of synchronize (which requires sshpass)
* less tasks and always changed tasks
2020-11-30 15:12:50 -08:00
Danilo Riecken P. de Morais
cc5303e1c8
Add test for Fedora CoreOS before creating Docker service file (#6940) 2020-11-30 09:20:49 -08:00
Sergey
4a8a52bad9
containerd docker hub registry mirror support (#6962)
* containerd docker hub registry mirror support

* add docs

* fix typo

* fix yamllint

* fix indent in sample
and ansible-playbook param in testcases_run

* fix md

* mv common vars to tests/common/_docker_hub_registry_mirror.yml

* checkout vars to upgrade tests
2020-11-30 00:22:49 -08:00
Bas van den Brink
17fb1ceed8
Allow airgapped CRI-O installation (#6927) 2020-11-28 08:38:47 -08:00
Barry Melbourne
eb16986f32
Add RHEL support subscription registration (#6572) 2020-11-24 08:33:00 -08:00
Hans Feldt
ee23b947aa
fix flake8 errors in Kubespray CI - tox-inventory-builder (#6910)
* fix flake8 errors in Kubespray CI - tox-inventory-builder

* Invalidate CRI-O kubic repo's cache

Signed-off-by: Victor Morales <v.morales@samsung.com>

* add support to configure pkg install retries

and use in CI job tf-ovh_ubuntu18-calico (due to it failing often)

* Switch Calico, Cilium and MetalLB image repos to Quay.io

Co-authored-by: Victor Morales <v.morales@samsung.com>
Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
2020-11-22 23:47:35 -08:00
Hans Feldt
fc22453618
crio: avoid extra restart after install and upgrade (#6882)
Package upgrade restarts crio. By creating/updating config first,
an extra restart can be avoided.
2020-11-03 08:54:03 -08:00
Victor Morales
9cf5dd0291
Use cgroup v1 in Fedora +31 (#6862)
Fedora 31 uses Cgroups v2 by default. This change by passes the kernel
parameter systemd.unified_cgroup_hierarchy=0.

Signed-off-by: Victor Morales <v.morales@samsung.com>
2020-11-02 06:32:53 -08:00
Hans Feldt
d36b5d7d55
Install cri-o with package version (#6853)
and thereby support upgrade from e.g. 1.18.x to 1.19.y

Included OSes:
- Centos7/8
- Ubuntu18/20

New variables for overriding by default installed packages:
- centos_crio_packages
- ubuntu_crio_packages
2020-10-26 08:35:02 -07:00
Victor Morales
e03e3c4582
Add Kata Containers support to CRI-O runtime (#6830)
* Enable Kata Containers for CRI-O runtime

Kata Containers is an OCI runtime where containers are run inside
lightweight VMs. This runtime has been enabled for containerd runtime
thru the kata_containers_enabled variable. This change enables Kata
Containers to CRI-O container runtime.

Signed-off-by: Victor Morales <v.morales@samsung.com>

* Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs'

* Set manage_ns_lifecycle=true when KataContainers is enabed

* Add preinstall check for katacontainers

Signed-off-by: Victor Morales <v.morales@samsung.com>

Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
2020-10-23 03:07:46 -07:00
Etienne Champetier
03f316e7a2
Fix proxy and module_hotfixes (#6837)
This fixes the Containerd + EL8 case that was missed in 7d1ab3374e

On CentOS 8 with proxy ansible render inline `proxy` and `module_hotfixes` options.

For example:
```
proxy=http://127.0.0.1:3128module_hotfixes=True
```

But expected result:
```
proxy=http://127.0.0.1:3128
module_hotfixes=True
```

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2020-10-19 23:06:07 -07:00
Hans Feldt
4781df587c
bump crio version to 1.19 (#6758)
* bump crio version to 1.19

* crio package name has changed for debian/ubuntu
* crio upgrade does not work, see #6757

* update crio info in docs
2020-10-13 02:08:26 -07:00
Hans Feldt
99b8f0902e
crio: ensure service is started and enabled (#6753) 2020-10-07 00:10:42 -07:00
Florian Ruynat
c2ac3b51c1
Update containerd to 1.3.7 - add fedora32/centos8 containerd packages (#6749) 2020-09-25 08:15:11 -07:00
Florian Ruynat
55d8ed093a
Add centos8 docker repo (#6747) 2020-09-25 06:11:11 -07:00
Florian Ruynat
2eae207435
Update docker packages to 19.03.13 + add docker f32 (#6712) 2020-09-23 08:32:19 -07:00
Pasquale Toscano
04932f496f
Updated KataContainers version to 1.11.3 (#6694) 2020-09-17 02:32:45 -07:00
Florian Ruynat
dffbd58671
Move from widehat.opensuse to download.opensuse for crio centos (#6682) 2020-09-15 06:28:07 -07:00
Hans Feldt
a2d4dbeee4
crio: use system default for storage driver by default (#6637)
After host reboot kubelet and crio goes into a loop and no container is started.

storage_driver in crio.conf overrides system defaults in etc/containers/storage.conf

/etc/containers/storage.conf is installed by package containers-common dependency
installed from cri-o (centos7) and contains "overlay".

Hosts already configured with overlay2 should be reconfigured and the
/var/lib/containers content removed.
2020-09-10 05:29:45 -07:00
Barry Melbourne
03c9c091f2
Docker: Set Cgroup driver by default to systemd (#6563)
* Set Docker Cgroup driver to systemd

* Add docker_cgroup_driver in Docker defaults
2020-08-31 04:56:20 -07:00
Barry Melbourne
058438a25d
Remove support for CoreOS Container Linux (#6576) 2020-08-28 02:28:53 -07:00
Maxime Guyot
6e938a3106
Fix E306 in other roles (#6517) 2020-08-28 01:20:53 -07:00
Hans Feldt
9e2d282709
cri-o: add variable to configure unsecure pull (#6568)
By default do not allow "unqualified" (without a registry) images
because it is considered unsecure and subject to mitm attacks.

To enable insecure pull configure for example:

crio_registries:
  - "docker.io"
  - "quay.io"
2020-08-27 09:09:53 -07:00
*=0=1=4=*
a8e2110b2d
#6552 Update extras_rh_repo_base_url (#6556) 2020-08-21 00:09:55 -07:00
Bernard Landon
b0210567aa
Fixed Kubespray container-engine/docker role to populate docker.service (#6518) 2020-08-18 00:39:30 -07:00
Victor Morales
bdf0238328
Upgrade molecule to v3 (#6468)
Signed-off-by: Victor Morales <v.morales@samsung.com>
2020-08-04 05:24:19 -07:00
Hans Feldt
c6e5be91e9
crio: align template crio.conf with upstream (#6432)
* log level by default increased to 'info'
* cgroup manager by default set to 'systemd'
* stream port (used by kubelet) bound to 127.0.0.1 for security reasons
* metrics can be enabled and port specified
2020-08-01 00:33:48 -07:00
Cristian Chiru
94df580674
Moved docker_dns_options to defaults so it can be overridden (#6394)
* Moved docker_dns_options to defaults so it can be overridden

* Fixed yaml indentation and markdown

* Moved docker_dns_search_domains to defaults
2020-08-01 00:29:41 -07:00
Florian Ruynat
bf6168fca8
Move fedora30 jobs to fedora32 (#6426) 2020-07-30 23:31:07 -07:00
Maxime Guyot
214e08f8c9
Fix ansible-lint E305 (#6459) 2020-07-28 01:39:08 -07:00
Maxime Guyot
8bd3b50e31
Fix ansible-lint E404 (#6417) 2020-07-28 01:21:08 -07:00
Maxime Guyot
e70f27dd79
Add noqa and disable .ansible-lint global exclusions (#6410) 2020-07-27 06:24:17 -07:00
Florian Ruynat
aa21edeb53
Update docker package to 19.03.12 (#6439) 2020-07-22 09:26:06 -07:00
Daniel Schade
b347aefd61
Fixed fedora modular repos activation for fcos (#6300)
* Enable fedora modular repos for fcos #6299

* Fixed fedora modular repos activation for fcos #6300
2020-07-13 07:18:32 -07:00
Hans Feldt
75ad868cbd
crio: harden downloads with retry (#6374)
CI job 624031102 failed with:

fatal: [ubuntu1804]: FAILED! => {"changed": false, "msg": "Failed to download key at https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_18.04/Release.key: Request failed: <urlopen error [Errno -3] Temporary failure in name resolution>"}

Assuming its a temporary problem it should get more robust with a
couple of retries like in other roles.

Co-authored-by: Hans Feldt <hafe@users.noreply.github.com>
2020-07-07 12:32:01 -07:00
Joel Seguillon
4c1e0b188d
Add .editorconfig file (#6307) 2020-06-29 12:39:59 -07:00
Pasquale Toscano
8f5c4dcd2e
Add support for Kata Containers (#6256)
* Install Kata Containers as additional container runtime

* Create RuntimeClasses for Kata Containers

* Updated Vagrant to optionally run without Docker as container manager

* Updated Vagrant to optionally use Libvirt nested virtualization

* Add Kata Containers documentation

* Fix lint errors

* Add kata_containers_enabled to kubespray-defaults

* Fixed typo error

* Fixed typo error
2020-06-22 00:28:39 -07:00
Florian Ruynat
953bc8dee2
Update docker & docker-cli to 19.03.11 (#6225) 2020-06-07 23:55:46 -07:00
Lovro Seder
5dd85197af
Manage containerd.io package with docker CRI. (#6218)
* Manage containerd.io package with docker CRI.

* Refactor common containerd stuff to separate role

* Fix check mode and unnecessary shell.
2020-06-05 05:55:44 -07:00
spaced
750db9139a
fix CRI-O repos for centos distributions (#6224)
* fix CRI-O repos for centos distributions

* fix CRI-O repos for centos distributions
- revert workarounds

* fix CRI-O repos for centos distributions
- use https for centos repos

* avoid 302 redirects for centos repos
2020-06-04 01:08:44 -07:00
petruha
54816f1217
Update containerd package to 1.2.13-3.2.el7 (#6162)
* Update containerd package to 1.2.13-3.2.el7

* Update Fedora containerd package versions.

* Update Redhat containerd stable and edge packages.
2020-05-29 05:11:16 -07:00
Florian Ruynat
6179405e84
Update docker default to 19.03 - cleanup docker docs & refs (#6153) 2020-05-28 00:52:02 -07:00
spaced
1be15a0864
Enable crio 1.18 (#6197) 2020-05-28 00:42:15 -07:00
Florian Ruynat
e9ce7243b8
Match docker-cli version with docker-engine version (when available) (#6163) 2020-05-25 05:37:11 -07:00
Maxime Guyot
35ad57674e
Update containerd to 1.2.13-2 (#6156) 2020-05-18 07:57:36 -07:00
jeanfabrice
3997aa9a0f
Use OS packaging default value for apparmor_profile in crio.conf (#6125) 2020-05-14 21:47:00 -07:00
tasekida
81292f9cf3
Fix apt update don't access Docker’s official repository for Ubuntu (#6106) 2020-05-13 07:06:26 -07:00
Hector S
a3131e271a
Removed env vars DOCKER_NETWORK_OPTIONS and INSECURE_REGISTRY from docker.service.j2 (#6126) 2020-05-12 13:46:21 -07:00
Florian Ruynat
0bd23f720d
Fix docker fedora packages (#6097) 2020-05-08 15:39:51 -07:00
Florian Ruynat
c44f13114f
Allow containerd runtime with fedora os (30/31) - add CI test (#6094) 2020-05-08 07:55:43 -07:00
Florent Monbillard
218b2a5992
Workaround about inconsistent CRI-O YUM repo path on Kubic repos (#6101) 2020-05-07 12:59:42 -07:00
Maxime Guyot
641a2a8bb4
Skip molecule tests for Ubuntu 18.04 (#6077) 2020-05-05 07:17:09 -07:00
Maxime Guyot
e4c820c35e
Add molecule tests to containerd role (#6037) 2020-04-29 09:08:25 -07:00
Maxime Guyot
28333d4513
Fix crio runc path on Ubuntu (#6035) 2020-04-28 05:28:06 -07:00
spaced
cf1566e8ed
Centos, debian and fedora CRI-O repo (#6008)
* replace removed repo with kubic repository for centos 7

* add crio configuration for centos8

* add crio configurations for debian

* use correct crio version for fedora

* simplify calulation of required crio version
- gives possibility to overwrite

* change default path for runc

* change default for seccomp path

* change default for conmon
2020-04-24 01:18:07 -07:00
spaced
b0484fe3e5
Ubuntu crio repo (#5994)
* declare kubic repo for ubuntu

* do not install crictl twice

* move fedora repo modular tasks to crio_repo file

* move centos repo tasks to crio_repo

* declare crio version matrix for ubuntu

* update documentation crio support for ubuntu
2020-04-22 13:29:45 -07:00
Maxime Guyot
09bccc97ba
Add CRI-O CI (#5460) 2020-04-22 06:09:52 -07:00
Victor Morales
2bec26dba5
Add proxy support to CRI-O service (#4607)
* Add proxy support to CRI-O service

The crio.service requires proxy environment variables when it's
deployed behind a corporated network. This change creates a systemd
configuration file when the proxy variables are defined.

* Remove unnecesary crio's tasks
2020-04-21 04:12:55 -07:00
Maxime Guyot
3134dd4c0d
Drop support for Fedora 28 and add Fedora 30 and 31 (#5969) 2020-04-18 06:35:36 -07:00
aharrisson
b6341287bb
Add Molecule to Docker role (#5129)
* Add Molecule for container-engine/docker

* Add bootstrap-os to Molecule prepare stage
2020-04-15 23:28:45 -07:00
Christopher Randles
d316b02d28
else condition required otherwise AnsibleUndefinedVariable is triggered (#5722) 2020-04-14 07:06:12 -07:00
spaced
9c3b573f8e
Cleanup fedora coreos with crio container (#5887)
* fix upgrade of crio on fcos
- update documents

* install conntrack required by kube-proxy
- like commit 48c41bcbe7

* enable fedora modular repo for crio

* allow to override crio configuration
- set cgroup manager same to kubelet_cgroup_driver if defined
- path of seccomp_profile depends on distribution

* allow to override crio configuration
- fix path for ubuntu

* allow to override crio configuration
- fix cni path for fcos
2020-04-10 23:51:47 -07:00
Denis Kadyshev
7d1ab3374e
Proxy fixes (#5869)
* Fix proxy and module_hotfixes

On CentOS 8 with proxy ansible render inline `proxy` and `module_hotfixes` options.

For example:

`proxy=http://127.0.0.1:3128module_hotfixes=True`

But expected result:

```
proxy=http://127.0.0.1:3128
module_hotfixes=True
```

* Use ini_file module for work with ini files

* Prevent duplicates proxy= option in /etc/yum.conf

Module `lineinfile` is weak, use most powerful module `ini_file` and add or remove `proxy=` when `http_proxy` is defined or not.
2020-04-09 01:25:44 -07:00
Alexander Kross
c33a049292
Update docker RHEL/CentOS versions to the latest patch versions available. (#5872) 2020-04-08 10:09:45 -07:00