Commit Graph

417 Commits (master)

Author SHA1 Message Date
Victor Morales e88aa7c96b
Add youki runtime support (#8411) 2022-01-21 14:01:07 -08:00
Kenichi Omichi 73c889eb10
Fix failures of ansible-lint (#8401)
This fixes the following types of failures:
- empty-string-compare
- literal-compare
- risky-file-permissions
- risky-shell-pipe
- var-spacing

In addition, this changes .gitlab-ci/lint.yml to block the same issue
by using the same method at Kubespray CI.
2022-01-11 00:45:16 -08:00
Kenichi Omichi f80fd24a55
Fix risky-file-permissions (#8370)
When running ansible-lint directly, we can see a lot of warning
message like

  risky-file-permissions File permissions unset or incorrect

This fixes the warning messages.
2022-01-09 01:51:12 -08:00
Bart Sloeserwij 59f62473c9
Update configuration of registries in cri-o (#7852)
* Update configuration of registries in cri-o

* Update docs to match new registry configuration
2022-01-05 07:36:40 -08:00
Choi Yongbeom dda557ed23
Update config.toml.j2 (#8340)
* Update config.toml.j2

i think this commit code is not completed works

exam registry address : a.com:5000

insecure registry must be http://a.com:5000

but this code add insecure a.com:5000 (without http://)

If there is no http, containerd accesses with https even if insecure_skip_verify = true

solution is code edit

* Update config.toml.j2

* Update containerd.yml

* Update containerd.yml

* Update containerd.yml

* Update config.toml.j2
2022-01-05 02:56:33 -08:00
Cristian Calin 3eab1129b9
CI: Replace CentOS 8 with AlmaLinux 8 before CentOS 8 EOL end of 2021 (#8297) 2022-01-05 02:20:33 -08:00
Florian Ruynat 8d2b4ed4a9 Move min k8s version to 1.21 2022-01-04 10:25:00 -08:00
jbpratt e88a27790c
fix spelling error (#8342) 2022-01-02 23:55:00 -08:00
Cristian Calin c1954ff918
Support deploying kubernetes 1.23 (#8323)
* Ensure entries for 1.23 are added for supported_versions vars

* cri-o: add support for kubernetes 1.23 but still use cri-o 1.22

* kubescheduler-config: diferentiate config versions based on kube_version
2021-12-21 01:38:46 -08:00
Nicolas MASSE f01f7c54aa
Add support for CRI-O user namespaces (#8268)
* add support for cri-o user namespaces

* comply with yamllint rules
2021-12-20 06:37:25 -08:00
Marat Talipov 4f27c763af
containerd insecure registry support (#8298) 2021-12-13 00:41:58 -08:00
Cristian Calin 682c8a59c2
containerd: change default resolvconf_mode to host_resolvconf (#8247)
* containerd: change default resolvconf_mode to host_resolvconf

* Wait for kube-apiserver to come back after pod refresh

* Handle resolv.conf gracefully

* Retain currently configured DNS entries to ensure we don't break the resolvers

* Suse uses wickedd for network management so no dhcp hooks

* Molecule: increase ansible timeout

* CI: Increase ansible timeout to 120s for Packet jobs
2021-12-09 14:09:06 -08:00
Cristian Calin c98a07825b
Use cgroupsv2 where available (fedora) (#8237)
* Containerd: use cgroupsv2 where available (fedora)

* Docker: use cgroupsv2 where available (fedora)

* cri-o: use cgroupsv2 where available (fedora)
2021-12-06 11:19:33 -08:00
Cristian Calin 9d8a83314b
containerd: add hashes for 1.5.8 and 1.4.12 and make 1.5.8 the new default (#8239)
* containerd: add hashes for 1.5.8 and 1.4.12 and make 1.5.8 the new default

* containerd: make nerdctl mandatory for container_manager = containerd

* nerdctl: bump to version 0.14.0

* containerd: use nerdctl for image manipulation

* OpenSuSE: install basic nerdctl dependencies
2021-12-03 12:20:35 -08:00
Cristian Calin 9f052702e5
containerd: add support for suse distributions (#8261) 2021-12-02 07:51:33 -08:00
Florian Ruynat b38382a68f
Move cri-o default package to 1.22 (#8258) 2021-12-02 06:21:34 -08:00
Florian Ruynat 30ec03259d
Remove fedora33 - eol (#8246) 2021-11-30 15:53:17 -08:00
Florian Ruynat 0e22a90579
Update docker to 20.10.11 with containerd 1.4.12 (#8255) 2021-11-30 11:49:01 -08:00
zhengtianbao a6fcf2e066
Enable experimental modules when rpm-ostree version >= 2021.9 (#8202)
* Enable experimental modules when rpm-ostree version >= 2021.9

* cleanup code
2021-11-22 02:29:09 -08:00
Cristian Calin c74e1c9db3
CI: use images from quay.io to prevent being throttled by docker hub (#8209)
* CI: use netchecker images from quay to prevent throttling

* Molecule: use hello-world image from quay.io
2021-11-19 13:23:40 -08:00
Pasquale Toscano fe8c843cc8
Fix typo in Containerd configuration (#8206) 2021-11-19 08:40:53 -08:00
Cristian Calin b7ae4a2cfd
Kata-Containers: Fix kata-containers runtime (#8068)
* Kata-containes: Fix for ubuntu and centos sometimes kata containers fail to start because of access errors to /dev/vhost-vsock and /dev/vhost-net

* Kata-containers: use similar testing strategy as gvisor

* Kata-Containers: adjust values for 2.2.0 defaults

Make CI tests actually pass

* Kata-Containers: bump to 2.2.2 to fix sandbox_cgroup_only issue
2021-11-09 10:01:48 -08:00
Cristian Calin 4a8757161e
Docker: replace the use of containerd_version with docker_containerd_version to avoid causing conflicts when bumping containerd_version (#8130) 2021-11-08 15:56:49 -08:00
Pasquale Toscano 6e5b9e0ebf
Fix Kubelet and Containerd when using cgroupfs as cgroup driver (#8123) 2021-11-05 07:59:54 -07:00
Marcus Fenner c94291558d
Fix containerd install for fcos (#8107)
* Fix containerd install for fcos

* rm orphaned runc and containerd binaries
2021-11-05 07:53:53 -07:00
Cristian Calin ea8e2fc651
containerd: download containerd from upstream instead of using distro specific packages (#7970)
* Containerd: download containerd from upstream instead of using distro specific packages

split runc download to separate role
make bootstrap-os role deploy container-selinux and seccomp libraries
clean up package manager provided containerd
move variables to docker role that are no longer common with containerd

* Containerd: make molecule testing more relevant

* replace ubuntu18 with ubuntu20
* add centos8 and debian11 to molecule tests
* run kubernetes/preinstall role to ensure relevancy
  of test including dependency packages

* CI: adjust test scenarios for downloaded containerd
2021-10-20 08:47:58 -07:00
Kenichi Omichi 19d07a4f2e
Fix ownership related to Calico (#8072)
kube-bench scan outputs warning related to Calico like:

* text: "Ensure that the Container Network Interface file
  permissions are set to 644 or more restrictive (Manual)"
* text: "Ensure that the Container Network Interface file
  ownership is set to root:root (Manual)"

This fixes these warnings.
2021-10-19 17:35:57 -07:00
Omar Aloraini 6aac59394e
Rocky Linux support (#8095)
* Add Rocky as a known OS

* Make sure Rocky includes bootstrap-centos.yml

* Update docs with Rocky Linux

* Rocky Linux wireguard and EPEL

* Rocky Linux in the list of supported distributions
2021-10-19 08:29:04 -07:00
Florian Ruynat 285983a555
Update docker version to 20.10.9 - CVE fixes (#8060) 2021-10-08 08:56:58 -07:00
Iago Santos 43958614e3
Fix kubespray flatcar ansible_os_family and ansible_distribution (#8029)
Closes https://github.com/kubernetes-sigs/kubespray/issues/8028

Signed-off-by: Iago Santos <iago.santos.pardo@adfinis.com>
2021-10-01 09:11:23 -07:00
Peter Pan f5885d05ea
In CentOS 8.x Docker install Step: remove podman when existing (#8016) 2021-09-29 06:32:48 -07:00
Victor Morales 9416c9aa86
Enable stable and edge Docker CLI versions (#8019) 2021-09-27 10:44:19 -07:00
Cristian Calin 3a6230af6b
Kata-Containers: update versions 2.2.0 (default) and 2.1.1 (#8017)
* Kata-Containers: add 2.2.0 hashes and make default

* Kata-Containers: replace 2.1.0 with bugfix version 2.1.1

* Kata-Containers: move to q35 a more modern VM architecture as 'pc' is removed in 2.2.0
2021-09-27 08:07:35 -07:00
Florian Ruynat 5d1b34bdcd Move min k8s version to 1.20 2021-09-22 09:50:01 -07:00
Florian Ruynat 8efde799e1 Update kubernetes version to 1.22.2 2021-09-22 09:50:01 -07:00
Florian Ruynat 30a7dfa4f8
Fix ubuntu16/centos8 CI jobs (#7972) 2021-09-16 23:39:01 -07:00
Bryan Hundven 35c928798d
Fix missing file mode (risky-file-permissions) (#7959)
* Fix missing file mode (risky-file-permissions)

Found this using ansible-lint.

Signed-off-by: Bryan Hundven <bryanhundven@gmail.com>

* Fix another missing file mode (risky-file-permissions)

This one fixes `/etc/crio/config.json`

Signed-off-by: Bryan Hundven <bryanhundven@gmail.com>
2021-09-09 23:35:59 -07:00
Cristian Calin d355b43dce
ContainerD: bump containerd version to 1.4.9 (#7940) 2021-09-06 04:50:29 -07:00
kranthi guttikonda 81bf4f9304
cri-o registry auth support (#7837)
* cri-o registry auth support

* yaml lint for comments

* crio_registry_auth from registry_auth

* crio_registry_auth as defaults
2021-09-01 10:20:59 -07:00
Florian Ruynat 1ccf32e08f
Update docker to 20.10.8 (#7918) 2021-08-30 08:25:06 -07:00
Samuel a040e521b4
feat(containerd): auth support (#7868)
* feat(containerd): auth support

* fix(registry-auth): rename variable
2021-08-23 06:40:00 -07:00
AnatomicJC 627a06e30d
CRI-O: Install libseccomp2 from backports on Debian 10 (#7816)
* CRI-O: Install libseccomp2 from backports on Debian 10

libseccomp2 is a required dependency of cri-o-runc package

The one provided in Debian 10 repositories is outdated

* 7816: Remove useless when condition

As this condition is handled by block
2021-07-23 07:07:16 -07:00
cola-zero f21a707e99
Add containerd on Flatcar Container Linux (#7681) 2021-07-21 06:28:07 -07:00
spaced c2cf0d9945
add containerd on fedora CoreOS (#7794)
* set selinux type t_etc if selinux state is enforcing

* workaround with update repo is no longer needed
remove comments about failing playbook

* grubby is not available in distros using ostree

* remove docker support because removed in fcos
update install script example with live rootfs

* do not call grubby on ostree based distro

* update docs enabling containerd on fedora coreos
2021-07-15 00:00:48 -07:00
jayonlau e61a9077f4
Clean up extra spaces about configuration-qemu.toml.j2 (#7795)
Clean up extra spaces, although these errors are not important, they affect the code specification.
2021-07-13 06:38:34 -07:00
Cristian Calin 7516fe142f
Move to Ansible 3.4.0 (#7672)
* Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10

* Docs: add a note about ansible upgrade post 2.9.x

* CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures

* Ansible: use newer ansible-lint

* Fix ansible-lint 5.0.11 found issues

* syntax issues
* risky-file-permissions
* var-naming
* role-name
* molecule tests

* Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+

* Pin ansible-base to 2.10.11 to get package fix on RHEL8
2021-07-12 00:00:47 -07:00
Sébastien Huss b0e4c375a7
Allow cri-o offline install (#7777) 2021-07-09 20:52:45 -07:00
Cristian Calin 282a27a07c
gVisor: initial support for gVisor container runtime (#7661)
* Docker/Containerd: move downloads urls to containerd-common

* gVisor: initial support for gVisor container runtime
2021-06-21 05:18:51 -07:00
Cristian Calin 1928dafc7e
Revert to conmon location override for Redhat and Fedora (#7701) 2021-06-16 09:07:59 -07:00
Marko Kohtala 85fe716d46
Drop "Server" from crio repo URL (#7698) (#7699)
$releasever can be 7Server, but there is no such CentOS path on
download.opensuse.org.

Use ansible_distribution_major_version instead of $releasever.
2021-06-11 05:10:59 -07:00
Florian Ruynat e55c359cf9
Updage docker packages to 20.10.7 (#7685) 2021-06-11 04:32:59 -07:00
jiriproX 1739b27231
Replace yum module with package module (#7621) 2021-06-05 04:16:39 -07:00
Sergey d9d29af87f
update containerd to version 1.4.6 (#7674) 2021-06-03 10:55:38 -07:00
Florian Ruynat 54cda80018
Fix debian docker available version (#7668) 2021-06-01 20:58:39 -07:00
Florian Ruynat 7896bc7831
Add Fedora 33 image and CI, remove Fedora 31 (EOL) + update docker packages (#7657)
* Update docker package to 20.10.6

* Add Fedora 33 image and CI, remove Fedora 31 (EOL)
2021-05-28 08:04:25 -07:00
Florian Ruynat fd8ae54fa7 Docker default version is now 20.10 2021-05-27 11:18:24 -07:00
Florian Ruynat 79fdee3979 Bump crio to default 1.21 2021-05-27 11:18:24 -07:00
Fatih Sarhan 59fc17f4e3
Override the default value of containerd's root, state, and oom_score (#7622)
* Override the default value of containerd's root, state, and oom_score configurations

* Add tests data for containerd_storage_dir, containerd_state_dir and containerd_oom_score variables
2021-05-19 08:24:53 -07:00
Cristian Calin d90baa8601
add containerd support for Amazon Linux 2 (#7595) 2021-05-10 19:25:36 -07:00
Cristian Calin 4c06aa98b5
crio: add supported versions 1.20 and 1.21 and align default with k8s version (#7562)
* crio: add supported versions 1.20 and 1.21 and align default with k8s version

* cri-o: drop versions 1.17 and 1.18 from version matrix

* update note on cri-o version alignment
2021-04-28 11:30:51 -07:00
Florian Ruynat 7c86734d2e
Add cri-o 1.20/1.21 (#7544) 2021-04-26 09:21:16 -07:00
Cristian Calin 8665e1de87
Fix cri-o support for Oracle and AlmaLinux (#7541) 2021-04-26 09:11:02 -07:00
muzi502 69806e0a46
Add nerdctl cli tool for containerd user (#7500)
* Add nerdctl cli tool for containerd user

* Add nerdctl enable option

* Add nerdctl enable option and update nerdctl version to 0.8.0
2021-04-25 23:47:01 -07:00
Cristian Calin 73db44b00c
Initial AlmaLinux support (#7538)
* AlmaLinux: ansible>2.9.19 is needed to know about AlmaLinux

* AlmaLinux: identify as a centos derrivative

* AlmaLinux: add AlmaLinux to checks for CentOS

* Use ansible_os_family to compare family and not distribution
2021-04-22 23:50:03 -07:00
Cristian Calin 384d30b675
add support for configuring cri-o pids_limit (#7525) 2021-04-21 10:55:51 -07:00
Xachman a7493e26e1
add enablerepo: amzn2extra-docker for docker install on aws 2 (#7507) 2021-04-21 07:24:10 -07:00
Kenichi Omichi ae3a1d7c01
Fix keepcache values of yum_repository (#7506)
As the official document[1], the parameter keepcache should be
'0' or '1' as string. To avoid the following warning message,
this fixes the parameter value:

  [WARNING]: The value False (type bool) in a string field was
  converted to u'False' (type string). If this does not look
  like what you expect, quote the entire value to ensure it
  does not change.

https://docs.ansible.com/ansible/latest/collections/ansible/builtin/yum_repository_module.html
2021-04-21 07:20:11 -07:00
Florian Ruynat cd9a03f86c
Update some docker defaults (#7499) 2021-04-14 15:13:07 -07:00
Krystian Młynek 2a2fb68b2f
Add missing proxy environment in crio_repo.yml (#7492) 2021-04-13 01:20:51 -07:00
Zhong Jianxin 420a412234
Add containerd_extra_args (#7461)
* Add containerd_extra_args

This is useful for custom containerd config, e.g. auth

Signed-off-by: Zhong Jianxin <azuwis@gmail.com>

* Make containerd config.toml mode 0640

It may contain sensitive information like password

Signed-off-by: Zhong Jianxin <azuwis@gmail.com>
2021-04-12 01:02:00 -07:00
Daniil Muidinov 2257181ca8
Set containerd version to 1.4.4 (#7398)
* Set containerd version to 1.4.3

* Set containerd version to 1.4.4

Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
2021-04-01 23:20:11 -07:00
Kenichi Omichi 486b223e01
Replace kube-master with kube_control_plane (#7256)
This replaces kube-master with kube_control_plane because of [1]:

  The Kubernetes project is moving away from wording that is
  considered offensive. A new working group WG Naming was created
  to track this work, and the word "master" was declared as offensive.
  A proposal was formalized for replacing the word "master" with
  "control plane". This means it should be removed from source code,
  documentation, and user-facing configuration from Kubernetes and
  its sub-projects.

NOTE: The reason why this changes it to kube_control_plane not
      kube-control-plane is for valid group names on ansible.

[1]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-cluster-lifecycle/kubeadm/2067-rename-master-label-taint/README.md#motivation
2021-03-23 17:26:05 -07:00
Samuel Liu 12873f916b
download_file for kata (#7393) 2021-03-23 01:39:36 -07:00
Necatican Yıldırım 811f546ea6
Download crun using download_file.yml (#7370)
* Add crun download_url and checksum

* Change versioning format to crun native versioning

* Download crun using download_file.yml

* Get crun version from download defaults

* Delegate crun binary copy task to crun role
2021-03-19 08:40:33 -07:00
Florian Ruynat 14511053aa Update docker to 20.10.5 2021-03-18 17:20:36 -07:00
LuciferInLove 8353532a09
Added experimental cri-o support for Amazon Linux 2 (#7353)
* Added experimental cri-o support for Amazon Linux 2

* Fixed dependencies order
2021-03-18 17:16:37 -07:00
Victor Morales 2bcd9eb9e9
Bump crun to 0.18 version (#7364) 2021-03-11 00:00:24 -08:00
Victor Morales dc5df57c26
Add privileged_without_host_devices support (#7343)
When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.

More information:
* https://github.com/containerd/cri/pull/1225
* 1d0f68156b
2021-03-08 00:17:44 -08:00
Florian Ruynat e045a45e48 Update docker & docker-cli to 20.10.4 2021-03-02 08:33:19 -08:00
Etienne Champetier 5c04bdd52b
Fixup cri-o metacopy mount options (#7287)
Ubuntu 18.04 crio package ships with 'mountopt = "nodev,metacopy=on"'
even if GA kernel is 4.15 (HWE Kernel can be more recent)

Fedora package ships without metacopy=on

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
2021-02-15 20:51:07 -08:00
Etienne Champetier de1d9df787
Only use stat get_checksum: yes when needed (#7270)
By default Ansible stat module compute checksum, list extended attributes and find mime type
To find all stat invocations that really use one of those:
git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)'

Signed-off-by: Etienne Champetier <e.champetier@ateme.com>
2021-02-10 05:36:59 -08:00
Cristian Calin 6450207713
add containerd.io to dpkg_selection (#7273)
`containerd.io` is the companion package of `docker-ce` and is the
proper package name. This is needed to avoid apt upgrade/dist-upgrade
from breaking kubernetes.
2021-02-10 04:48:59 -08:00
Geonju Kim 1a91792e7c
Change the owner of `/etc/crictl.yaml` to `root` (#7254) 2021-02-05 09:28:53 -08:00
Arian van Putten 040dacd5cd
roles/docker: Make repokey fingerprint overrideable (#7247)
This makes the docker role work the same as the containerd role.
Being able to override this is needed when you have your own debian
repository. E.g. when performing an airgapped installation
2021-02-05 07:44:52 -08:00
petruha fc8551bcba
Run containerd related tasks on OracleLinux. (#7250) 2021-02-05 00:46:52 -08:00
Florian Ruynat ba731ed145
Update docker packages to 19.03.15 and 20.10.3 (#7243) 2021-02-04 13:20:53 -08:00
Etienne Champetier 8f2b0772f9
containerd,docker: stop installing extras repo on CentOS/RHEL (#7203)
This was introduced in 143e2272ff
Extra repo is enabled by default in CentOS, and is not the right repo for EL8
Instead of adding a CentOS repo to RHEL, enable the needed RHEL repos with rhsm_repository

For RHEL 7, we need the "extras" repo for container-selinux
For RHEL 8, we need the "appstream" repo for container-selinux, ipvsadm and socat

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-25 03:12:54 -08:00
Etienne Champetier a5d2137ed9 containerd: ensure containerd is really started and enabled
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier a8e51e686e containerd,docker: use apt_repository instead of action
yum_repository expect really different params, so nothing to factor here
Ubuntu is not an ansible_os_family, the OS family for Ubuntu is Debian
Check for ansible_pkg_mgr == apt

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier a2429ef64d containerd,docker: use apt_key instead of action
we don't need rpm_key, so nothing to factor here
Ubuntu is not an ansible_os_family, the OS family for Ubuntu is Debian
Check for ansible_pkg_mgr == apt

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier 1b88678cf3 containerd: use package instead of action
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier 0e96852159 docker: use package instead of action, cleanup
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier 19a61d838f containerd: use copy to set apt pin
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier f3885aa589 docker: stop using apt force
Here the desciption from Ansible docs
Corresponds to the --force-yes to apt-get and implies allow_unauthenticated: yes
This option will disable checking both the packages' signatures and the certificates of the web servers they are downloaded from.
This option *is not* the equivalent of passing the -f flag to apt-get on the command line
**This is a destructive operation with the potential to destroy your system, and it should almost never be used.** Please also see man apt-get for more information.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-19 05:55:45 -08:00
Etienne Champetier 82af8e455e docker: remove old versions
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier 1baee488ab containerd: remove duplicate package pining task
Leave it with the install instead of the repo config

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier 7433b70d95 docker: remove kernel check
Only CentOS 7 uses Linux 3.10, all other OSs have more recent kernels

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier de6c71a426 docker: remove dockerproject repo reference
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier 16a34548ea docker: remove checks for docker 1.12
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier b2f3ab77cd docker: remove some old debug code
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier b2f6ed7dee docker: remove obsoletes=0 in yum.conf
This was introduced in ef7f5edbb3
obsoletes=0 is not present in the official repo config
https://download.docker.com/linux/centos/docker-ce.repo
so it might not be needed for some time

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier 09e34d29cd containerd: remove docker_yum_conf / yum_conf
leftover from 1945499e2f

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier 55b03a41b2 containerd-common,containerd,docker: remove ubuntu arch specific vars
By removing ancient version we don't need arch specific vars

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-14 09:39:05 -08:00
Etienne Champetier a790935d02
Only setup *_PROXY env variables where needed (#7095)
no_proxy is a pain to get right, and having proxy variables present causes issues
(k8s components get proxy configuration after upgrade, see #7100)

It's better to only configure what require proxy:
- the runtime (containerd/docker/crio)
- the package manager + apt_key
- the download tasks

Tested with the following clusters
- 4 CentOS 8 nodes
- 1 Ubuntu 20.04 node

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-11 07:21:08 -08:00
Florian Ruynat 837fca1368
Add docker 20.10 to available packages (#7106) 2021-01-06 09:23:51 -08:00
Florian Ruynat e0195da80d
Allow containerd root and state path to be configured (#7098) 2021-01-05 07:13:58 -08:00
Etienne Champetier c0fe32c4ec
Add repo name for Fedora (#7093)
This fixes 1945499e2f

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-04 10:39:57 -08:00
Etienne Champetier e9f93a1de9
Remove libseccomp install tasks (#7074)
All packages have proper dependencies in latest versions

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2021-01-04 09:17:57 -08:00
Etienne Champetier 1945499e2f
Disable docker-ce yum repo by default / cleanups (#7080)
Upgrading docker / containerd without adapting the configuration might break the node,
so disable docker-ce repo by default.
We are already using dpkg hold for Debian.

All containerd.io packages provide /usr/bin/runc, so no need to check

yum_conf was never used for containerd

module_hotfixes should not be needed with the EL8 repo

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2020-12-23 13:12:26 -08:00
Sergey 096bcdd078
Download once for crio (#6998)
* download run once feature for CRI-O

* fix typo

* fix test
2020-12-21 01:54:25 -08:00
bac-w 87eea16d7b
Fix config containerd template (#7051) 2020-12-17 07:13:09 -08:00
Sergey 85982dc8e9
add support crio version for varios k8s vers (#7003)
* add support crio version for various k8s vers

* regexp in pkg versions
2020-12-09 01:22:50 -08:00
Hans Feldt 878fe80ca3
add and use common crictl role (#6978) 2020-12-05 09:43:25 -08:00
Sander Klein 8331c1f858
Hold the docker-ce-cli (#6995)
This will make sure an upgrade doesn't upgrade the docker cli.
2020-12-04 18:21:25 -08:00
Florian Ruynat f4a69d2827
Update docker to 19.03.14 and containerd to 1.3.9 (#6980) 2020-12-03 16:33:25 -08:00
Sergey ed6cef85d8
add crio registry mirror support (#6977)
* add crio registry mirror support

* mdlint fix
2020-12-03 13:57:25 -08:00
OwenTuz d315f73080
Ensure libseccomp is installed before starting containerd on CentOS 8 (#6922)
* Ensure libseccomp is installed before starting containerd on CentOS 8

* Simplify libseccomp install on CentOS 8

- Uses `package` module
- Replaces complex version check with 'state: latest'. The version must
  be > 2.3 when using with cri-o.
- Removes unnecessary `not is_ostree` condition as CentOS 8 does not use
  ostree
2020-12-03 13:43:26 -08:00
Sergey 06ec5393d7
up vagrant box to fedora/33-cloud-base in cri-o molecule tests (#6992) 2020-12-03 11:25:26 -08:00
Pasquale Toscano 488db81e36
Add pasqualet to approvers (#6976) 2020-12-03 00:58:59 -08:00
Victor Morales 4f7a760a94
Add crun support (#6864)
Signed-off-by: Victor Morales <v.morales@samsung.com>
2020-12-01 11:00:50 -08:00
Pasquale Toscano f1231bb97d
Add molecule for Kata Containers with Containerd (#6905) 2020-11-30 23:34:49 -08:00
Hans Feldt 80eb1ad936
fix ansible password authentication (#6907)
* copying ssh key no longer required, works with password auth
* use copy module instead of synchronize (which requires sshpass)
* less tasks and always changed tasks
2020-11-30 15:12:50 -08:00
Danilo Riecken P. de Morais cc5303e1c8
Add test for Fedora CoreOS before creating Docker service file (#6940) 2020-11-30 09:20:49 -08:00
Sergey 4a8a52bad9
containerd docker hub registry mirror support (#6962)
* containerd docker hub registry mirror support

* add docs

* fix typo

* fix yamllint

* fix indent in sample
and ansible-playbook param in testcases_run

* fix md

* mv common vars to tests/common/_docker_hub_registry_mirror.yml

* checkout vars to upgrade tests
2020-11-30 00:22:49 -08:00
Bas van den Brink 17fb1ceed8
Allow airgapped CRI-O installation (#6927) 2020-11-28 08:38:47 -08:00
Barry Melbourne eb16986f32
Add RHEL support subscription registration (#6572) 2020-11-24 08:33:00 -08:00
Hans Feldt ee23b947aa
fix flake8 errors in Kubespray CI - tox-inventory-builder (#6910)
* fix flake8 errors in Kubespray CI - tox-inventory-builder

* Invalidate CRI-O kubic repo's cache

Signed-off-by: Victor Morales <v.morales@samsung.com>

* add support to configure pkg install retries

and use in CI job tf-ovh_ubuntu18-calico (due to it failing often)

* Switch Calico, Cilium and MetalLB image repos to Quay.io

Co-authored-by: Victor Morales <v.morales@samsung.com>
Co-authored-by: Barry Melbourne <9964974+bmelbourne@users.noreply.github.com>
2020-11-22 23:47:35 -08:00
Hans Feldt fc22453618
crio: avoid extra restart after install and upgrade (#6882)
Package upgrade restarts crio. By creating/updating config first,
an extra restart can be avoided.
2020-11-03 08:54:03 -08:00
Victor Morales 9cf5dd0291
Use cgroup v1 in Fedora +31 (#6862)
Fedora 31 uses Cgroups v2 by default. This change by passes the kernel
parameter systemd.unified_cgroup_hierarchy=0.

Signed-off-by: Victor Morales <v.morales@samsung.com>
2020-11-02 06:32:53 -08:00
Hans Feldt d36b5d7d55
Install cri-o with package version (#6853)
and thereby support upgrade from e.g. 1.18.x to 1.19.y

Included OSes:
- Centos7/8
- Ubuntu18/20

New variables for overriding by default installed packages:
- centos_crio_packages
- ubuntu_crio_packages
2020-10-26 08:35:02 -07:00
Victor Morales e03e3c4582
Add Kata Containers support to CRI-O runtime (#6830)
* Enable Kata Containers for CRI-O runtime

Kata Containers is an OCI runtime where containers are run inside
lightweight VMs. This runtime has been enabled for containerd runtime
thru the kata_containers_enabled variable. This change enables Kata
Containers to CRI-O container runtime.

Signed-off-by: Victor Morales <v.morales@samsung.com>

* Set appropiate conmon_cgroup when crio_cgroup_manager is 'cgroupfs'

* Set manage_ns_lifecycle=true when KataContainers is enabed

* Add preinstall check for katacontainers

Signed-off-by: Victor Morales <v.morales@samsung.com>

Co-authored-by: Pasquale Toscano <pasqualetoscano90@gmail.com>
2020-10-23 03:07:46 -07:00
Etienne Champetier 03f316e7a2
Fix proxy and module_hotfixes (#6837)
This fixes the Containerd + EL8 case that was missed in 7d1ab3374e

On CentOS 8 with proxy ansible render inline `proxy` and `module_hotfixes` options.

For example:
```
proxy=http://127.0.0.1:3128module_hotfixes=True
```

But expected result:
```
proxy=http://127.0.0.1:3128
module_hotfixes=True
```

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2020-10-19 23:06:07 -07:00
Hans Feldt 4781df587c
bump crio version to 1.19 (#6758)
* bump crio version to 1.19

* crio package name has changed for debian/ubuntu
* crio upgrade does not work, see #6757

* update crio info in docs
2020-10-13 02:08:26 -07:00
Hans Feldt 99b8f0902e
crio: ensure service is started and enabled (#6753) 2020-10-07 00:10:42 -07:00
Florian Ruynat c2ac3b51c1
Update containerd to 1.3.7 - add fedora32/centos8 containerd packages (#6749) 2020-09-25 08:15:11 -07:00
Florian Ruynat 55d8ed093a
Add centos8 docker repo (#6747) 2020-09-25 06:11:11 -07:00
Florian Ruynat 2eae207435
Update docker packages to 19.03.13 + add docker f32 (#6712) 2020-09-23 08:32:19 -07:00
Pasquale Toscano 04932f496f
Updated KataContainers version to 1.11.3 (#6694) 2020-09-17 02:32:45 -07:00
Florian Ruynat dffbd58671
Move from widehat.opensuse to download.opensuse for crio centos (#6682) 2020-09-15 06:28:07 -07:00
Hans Feldt a2d4dbeee4
crio: use system default for storage driver by default (#6637)
After host reboot kubelet and crio goes into a loop and no container is started.

storage_driver in crio.conf overrides system defaults in etc/containers/storage.conf

/etc/containers/storage.conf is installed by package containers-common dependency
installed from cri-o (centos7) and contains "overlay".

Hosts already configured with overlay2 should be reconfigured and the
/var/lib/containers content removed.
2020-09-10 05:29:45 -07:00
Barry Melbourne 03c9c091f2
Docker: Set Cgroup driver by default to systemd (#6563)
* Set Docker Cgroup driver to systemd

* Add docker_cgroup_driver in Docker defaults
2020-08-31 04:56:20 -07:00
Barry Melbourne 058438a25d
Remove support for CoreOS Container Linux (#6576) 2020-08-28 02:28:53 -07:00
Maxime Guyot 6e938a3106
Fix E306 in other roles (#6517) 2020-08-28 01:20:53 -07:00
Hans Feldt 9e2d282709
cri-o: add variable to configure unsecure pull (#6568)
By default do not allow "unqualified" (without a registry) images
because it is considered unsecure and subject to mitm attacks.

To enable insecure pull configure for example:

crio_registries:
  - "docker.io"
  - "quay.io"
2020-08-27 09:09:53 -07:00
*=0=1=4=* a8e2110b2d
#6552 Update extras_rh_repo_base_url (#6556) 2020-08-21 00:09:55 -07:00
Bernard Landon b0210567aa
Fixed Kubespray container-engine/docker role to populate docker.service (#6518) 2020-08-18 00:39:30 -07:00
Victor Morales bdf0238328
Upgrade molecule to v3 (#6468)
Signed-off-by: Victor Morales <v.morales@samsung.com>
2020-08-04 05:24:19 -07:00
Hans Feldt c6e5be91e9
crio: align template crio.conf with upstream (#6432)
* log level by default increased to 'info'
* cgroup manager by default set to 'systemd'
* stream port (used by kubelet) bound to 127.0.0.1 for security reasons
* metrics can be enabled and port specified
2020-08-01 00:33:48 -07:00
Cristian Chiru 94df580674
Moved docker_dns_options to defaults so it can be overridden (#6394)
* Moved docker_dns_options to defaults so it can be overridden

* Fixed yaml indentation and markdown

* Moved docker_dns_search_domains to defaults
2020-08-01 00:29:41 -07:00
Florian Ruynat bf6168fca8
Move fedora30 jobs to fedora32 (#6426) 2020-07-30 23:31:07 -07:00
Maxime Guyot 214e08f8c9
Fix ansible-lint E305 (#6459) 2020-07-28 01:39:08 -07:00
Maxime Guyot 8bd3b50e31
Fix ansible-lint E404 (#6417) 2020-07-28 01:21:08 -07:00
Maxime Guyot e70f27dd79
Add noqa and disable .ansible-lint global exclusions (#6410) 2020-07-27 06:24:17 -07:00
Florian Ruynat aa21edeb53
Update docker package to 19.03.12 (#6439) 2020-07-22 09:26:06 -07:00
Daniel Schade b347aefd61
Fixed fedora modular repos activation for fcos (#6300)
* Enable fedora modular repos for fcos #6299

* Fixed fedora modular repos activation for fcos #6300
2020-07-13 07:18:32 -07:00
Hans Feldt 75ad868cbd
crio: harden downloads with retry (#6374)
CI job 624031102 failed with:

fatal: [ubuntu1804]: FAILED! => {"changed": false, "msg": "Failed to download key at https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/xUbuntu_18.04/Release.key: Request failed: <urlopen error [Errno -3] Temporary failure in name resolution>"}

Assuming its a temporary problem it should get more robust with a
couple of retries like in other roles.

Co-authored-by: Hans Feldt <hafe@users.noreply.github.com>
2020-07-07 12:32:01 -07:00
Joel Seguillon 4c1e0b188d
Add .editorconfig file (#6307) 2020-06-29 12:39:59 -07:00
Pasquale Toscano 8f5c4dcd2e
Add support for Kata Containers (#6256)
* Install Kata Containers as additional container runtime

* Create RuntimeClasses for Kata Containers

* Updated Vagrant to optionally run without Docker as container manager

* Updated Vagrant to optionally use Libvirt nested virtualization

* Add Kata Containers documentation

* Fix lint errors

* Add kata_containers_enabled to kubespray-defaults

* Fixed typo error

* Fixed typo error
2020-06-22 00:28:39 -07:00
Florian Ruynat 953bc8dee2
Update docker & docker-cli to 19.03.11 (#6225) 2020-06-07 23:55:46 -07:00
Lovro Seder 5dd85197af
Manage containerd.io package with docker CRI. (#6218)
* Manage containerd.io package with docker CRI.

* Refactor common containerd stuff to separate role

* Fix check mode and unnecessary shell.
2020-06-05 05:55:44 -07:00
spaced 750db9139a
fix CRI-O repos for centos distributions (#6224)
* fix CRI-O repos for centos distributions

* fix CRI-O repos for centos distributions
- revert workarounds

* fix CRI-O repos for centos distributions
- use https for centos repos

* avoid 302 redirects for centos repos
2020-06-04 01:08:44 -07:00
petruha 54816f1217
Update containerd package to 1.2.13-3.2.el7 (#6162)
* Update containerd package to 1.2.13-3.2.el7

* Update Fedora containerd package versions.

* Update Redhat containerd stable and edge packages.
2020-05-29 05:11:16 -07:00
Florian Ruynat 6179405e84
Update docker default to 19.03 - cleanup docker docs & refs (#6153) 2020-05-28 00:52:02 -07:00
spaced 1be15a0864
Enable crio 1.18 (#6197) 2020-05-28 00:42:15 -07:00
Florian Ruynat e9ce7243b8
Match docker-cli version with docker-engine version (when available) (#6163) 2020-05-25 05:37:11 -07:00
Maxime Guyot 35ad57674e
Update containerd to 1.2.13-2 (#6156) 2020-05-18 07:57:36 -07:00
jeanfabrice 3997aa9a0f
Use OS packaging default value for apparmor_profile in crio.conf (#6125) 2020-05-14 21:47:00 -07:00
tasekida 81292f9cf3
Fix apt update don't access Docker’s official repository for Ubuntu (#6106) 2020-05-13 07:06:26 -07:00
Hector S a3131e271a
Removed env vars DOCKER_NETWORK_OPTIONS and INSECURE_REGISTRY from docker.service.j2 (#6126) 2020-05-12 13:46:21 -07:00
Florian Ruynat 0bd23f720d
Fix docker fedora packages (#6097) 2020-05-08 15:39:51 -07:00
Florian Ruynat c44f13114f
Allow containerd runtime with fedora os (30/31) - add CI test (#6094) 2020-05-08 07:55:43 -07:00
Florent Monbillard 218b2a5992
Workaround about inconsistent CRI-O YUM repo path on Kubic repos (#6101) 2020-05-07 12:59:42 -07:00
Maxime Guyot 641a2a8bb4
Skip molecule tests for Ubuntu 18.04 (#6077) 2020-05-05 07:17:09 -07:00
Maxime Guyot e4c820c35e
Add molecule tests to containerd role (#6037) 2020-04-29 09:08:25 -07:00
Maxime Guyot 28333d4513
Fix crio runc path on Ubuntu (#6035) 2020-04-28 05:28:06 -07:00
spaced cf1566e8ed
Centos, debian and fedora CRI-O repo (#6008)
* replace removed repo with kubic repository for centos 7

* add crio configuration for centos8

* add crio configurations for debian

* use correct crio version for fedora

* simplify calulation of required crio version
- gives possibility to overwrite

* change default path for runc

* change default for seccomp path

* change default for conmon
2020-04-24 01:18:07 -07:00
spaced b0484fe3e5
Ubuntu crio repo (#5994)
* declare kubic repo for ubuntu

* do not install crictl twice

* move fedora repo modular tasks to crio_repo file

* move centos repo tasks to crio_repo

* declare crio version matrix for ubuntu

* update documentation crio support for ubuntu
2020-04-22 13:29:45 -07:00
Maxime Guyot 09bccc97ba
Add CRI-O CI (#5460) 2020-04-22 06:09:52 -07:00
Victor Morales 2bec26dba5
Add proxy support to CRI-O service (#4607)
* Add proxy support to CRI-O service

The crio.service requires proxy environment variables when it's
deployed behind a corporated network. This change creates a systemd
configuration file when the proxy variables are defined.

* Remove unnecesary crio's tasks
2020-04-21 04:12:55 -07:00
Maxime Guyot 3134dd4c0d
Drop support for Fedora 28 and add Fedora 30 and 31 (#5969) 2020-04-18 06:35:36 -07:00
aharrisson b6341287bb
Add Molecule to Docker role (#5129)
* Add Molecule for container-engine/docker

* Add bootstrap-os to Molecule prepare stage
2020-04-15 23:28:45 -07:00
Christopher Randles d316b02d28
else condition required otherwise AnsibleUndefinedVariable is triggered (#5722) 2020-04-14 07:06:12 -07:00
spaced 9c3b573f8e
Cleanup fedora coreos with crio container (#5887)
* fix upgrade of crio on fcos
- update documents

* install conntrack required by kube-proxy
- like commit 48c41bcbe7

* enable fedora modular repo for crio

* allow to override crio configuration
- set cgroup manager same to kubelet_cgroup_driver if defined
- path of seccomp_profile depends on distribution

* allow to override crio configuration
- fix path for ubuntu

* allow to override crio configuration
- fix cni path for fcos
2020-04-10 23:51:47 -07:00
Denis Kadyshev 7d1ab3374e
Proxy fixes (#5869)
* Fix proxy and module_hotfixes

On CentOS 8 with proxy ansible render inline `proxy` and `module_hotfixes` options.

For example:

`proxy=http://127.0.0.1:3128module_hotfixes=True`

But expected result:

```
proxy=http://127.0.0.1:3128
module_hotfixes=True
```

* Use ini_file module for work with ini files

* Prevent duplicates proxy= option in /etc/yum.conf

Module `lineinfile` is weak, use most powerful module `ini_file` and add or remove `proxy=` when `http_proxy` is defined or not.
2020-04-09 01:25:44 -07:00
Alexander Kross c33a049292
Update docker RHEL/CentOS versions to the latest patch versions available. (#5872) 2020-04-08 10:09:45 -07:00
Maxime Guyot 7eaa7c957a
Fix conntrack for opensuse and docker support (#5880) 2020-04-08 07:37:44 -07:00
matjazp bce3f282f1
fix systemd cgroup driver for containerd (#5220) 2020-04-01 00:43:26 -07:00
Christopher Randles d439564a7e
disable gpgcheck if gpgkey is empty (#5621)
Signed-off-by: Chris Randles <randles.chris@gmail.com>
2020-03-30 01:13:53 -07:00
Etienne Champetier 47849b8ff7
docker: Fix docker install on CentOS/RHEL 8 (#5820)
we can't set module_hotfixes=True using yum_repository ansible module
Fixes 38688a4486
(keep docker-ce.repo name)

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2020-03-25 01:03:03 -07:00
Pierre Gaxatte f90926389a
Fix wrong Docker ubuntu repo URL (#5815) 2020-03-24 04:36:46 -07:00
spaced 8ce5a9dd19
remove atomic support because reached end of live (#5783) 2020-03-17 14:31:27 -07:00
spaced 876d4de6be
Fedora CoreOS support (#5657)
* fedora coreos support
- bootstrap and new fact for

* fedora coreos support
- fix bootstrap condition

* fedora coreos support
- allow customize packages for fedora coreos bootstrap

* fedora coreos support
- prevent install ptyhon3 and epel via dnf for fedora coreos

* fedora coreos support
- handle all ostree like os in same way

* fedora coreos support
- handle all ostree like os in same way for crio

* fedora coreos support
- add fcos documentations
2020-03-17 03:12:21 -07:00
Pasquale Toscano 4b5299bb7a
Add variables to configure Containerd default runtime, untrusted runt… (#5497)
* Add variables to configure Containerd default runtime, untrusted runtime and additional runtimes

* Add containerd settings to sample inventory

* Empty commit
2020-03-16 03:48:36 -07:00
Xiaodu 980a4fa401
Add docker-ce 19.03 packages for Debian & Ubuntu (#5729)
* Add docker-ce 19.03 packages for Debian & Ubuntu

K8s has updated the recommended Docker version to 19.03. More
specifically it should be 19.03.4, but since we used 18.06.7 instead of
.2, I'm assuming the latest patch version should be used here as well.

* Add docker 19.03 for redhat
2020-03-14 06:24:35 -07:00
Danilo Riecken P. de Morais dc00b96f47
Add missing Coreos OS family string (#5759) 2020-03-13 04:24:39 -07:00
Etienne Champetier e2ec7c76a4
containerd: bump to 1.2.13 (#5727)
https://github.com/containerd/containerd/releases/tag/v1.2.11
CVE-2019-16884 / CVE-2019-17596

https://github.com/containerd/containerd/releases/tag/v1.2.12
CVE-2019-19921 / CVE-2019-16884 / CVE-2019-11253

https://github.com/containerd/containerd/releases/tag/v1.2.13

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
2020-03-11 05:39:36 -07:00
Kubernetes Prow Robot be12164290
Add option and defaults to configure metrics exporting in containerd (#5466)
* Add metrics exporting in containerd config

* Add containerd.yml with containerd configuration example to the sample group_vars
2020-03-04 14:46:38 -08:00
Victor Morales 82efd95901
Remove dockerproject_.+_repo_.+ variables (#5662)
This 38688a4486 change replaces the
value for dockerproject_.+_repo_.+ docker variables but their new
value was previously defined in other variables. This change removes
the dockerproject_.+_repo_.+ docker variables in favor of the older
ones.
2020-02-22 13:28:47 -08:00
Sylvain Chateau 0ca7aa126b
added "Flatcar", "Flatcar Container Linux by Kinvolk" for all coreOS role (#5607) 2020-02-18 00:15:29 -08:00
Manuel Cintron b51b52ac0e
Fixing and issue where if the pids in the orphan list no longer exist then all systemd child processes would be killed. (#5636) 2020-02-17 09:33:29 -08:00