Centos, debian and fedora CRI-O repo (kubernetes-sigs#6008)

* replace removed repo with kubic repository for centos 7 * add crio configuration for centos8 * add crio configurations for debian * use correct crio version for fedora * simplify calulation of required crio version - gives possibility to overwrite * change default path for runc * change default for seccomp path * change default for conmon
southbridgeio · Apr 24, 2020 · 4d75005 · 4d75005
1 parent 37b5eea
commit 4d75005
Show file tree

Hide file tree

Showing 13 changed files with 121 additions and 32 deletions.
diff --git a/roles/container-engine/cri-o/defaults/main.yml b/roles/container-engine/cri-o/defaults/main.yml
@@ -1,8 +1,16 @@
 ---
-crio_rhel_repo_base_url: 'https://cbs.centos.org/repos/paas7-crio-114-candidate/x86_64/os/'
-
-crio_seccomp_profile: "/etc/crio/seccomp.json"
 
 crio_cgroup_manager: "{{ kubelet_cgroup_driver | default('cgroupfs') }}"
 
-crio_runc_path: "/usr/sbin/runc"
+crio_seccomp_profile: ""
+crio_runc_path: "/usr/bin/runc"
+crio_conmon: "/usr/bin/conmon"
+
+crio_required_version: "{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"
+
+crio_kubernetes_version_matrix:
+  "1.18": "1.17"
+  "1.17": "1.17"
+  "1.16": "1.16"
+
+crio_version: "{{ crio_kubernetes_version_matrix[crio_required_version] | default('1.17') }}"
diff --git a/roles/container-engine/cri-o/molecule/default/molecule.yml b/roles/container-engine/cri-o/molecule/default/molecule.yml
@@ -8,12 +8,36 @@ lint:
   options:
     config-file: ../../../.yamllint
 platforms:
-  - name: kubespray-crio
+  - name: kubespray-crio-ubuntu
     box: generic/ubuntu1804
     cpus: 2
     memory: 1024
     groups:
       - kube-master
+  - name: kubespray-crio-centos7
+    box: centos/7
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
+  - name: kubespray-crio-centos8
+    box: centos/8
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
+  - name: kubespray-crio-debian
+    box: generic/debian10
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
+  - name: kubespray-crio-fedora
+    box: fedora/31-cloud-base
+    cpus: 2
+    memory: 1024
+    groups:
+      - kube-master
 provisioner:
   name: ansible
   env:

diff --git a/roles/container-engine/cri-o/molecule/default/tests/test_default.py b/roles/container-engine/cri-o/molecule/default/tests/test_default.py
@@ -13,8 +13,9 @@ def test_service(host):
 
 
 def test_run(host):
+    crictl = "/usr/local/bin/crictl"
     path = "unix:///var/run/crio/crio.sock"
     with host.sudo():
-        cmd = host.command("crictl --runtime-endpoint " + path + " version")
+        cmd = host.command(crictl + " --runtime-endpoint " + path + " version")
     assert cmd.rc == 0
     assert "RuntimeName:  cri-o" in cmd.stdout
diff --git a/roles/container-engine/cri-o/tasks/crictl.yml b/roles/container-engine/cri-o/tasks/crictl.yml
@@ -23,7 +23,6 @@
 
 - name: Get crictl completion
   shell: "{{ bin_dir }}/crictl completion"
-  when: ansible_distribution in ["CentOS","RedHat", "Ubuntu", "Debian"]
   changed_when: False
   register: cri_completion
 
@@ -32,4 +31,3 @@
     dest: /etc/bash_completion.d/crictl
     content: "{{ cri_completion.stdout }}"
   become: True
-  when: cri_completion is defined
diff --git a/roles/container-engine/cri-o/tasks/crio_repo.yml b/roles/container-engine/cri-o/tasks/crio_repo.yml
@@ -1,34 +1,60 @@
 ---
 
+- name: CRI-O kubic repo name for debian os family
+  set_fact:
+    crio_kubic_debian_repo_name: "{{ ((ansible_distribution == 'Ubuntu') | ternary('x','')) ~ ansible_distribution ~ '_' ~ ansible_distribution_version }}"
+  when: ansible_os_family == "Debian"
+
 - name: Add CRI-O kubic repo key
   apt_key:
-    url: "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/x{{ ansible_distribution }}_{{ ansible_distribution_version }}/Release.key"
+    url: "https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable/{{ crio_kubic_debian_repo_name }}/Release.key"
     state: present
-  when: ansible_distribution in ["Ubuntu"]
+  when: crio_kubic_debian_repo_name is defined
 
 - name: Add CRI-O kubic repo
   apt_repository:
-    repo: "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/x{{ ansible_distribution }}_{{ ansible_distribution_version }}/ /"
+    repo: "deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ crio_kubic_debian_repo_name }}/ /"
     state: present
     filename: devel:kubic:libcontainers:stable
-  when: ansible_distribution in ["Ubuntu"]
+  when: crio_kubic_debian_repo_name is defined
 
-- name: Add CRI-O OpenShift Origin repository
+- name: Add CRI-O kubic repo
   yum_repository:
-    name: origin
-    description: OpenShift Origin Repo
-    baseurl: "{{ crio_rhel_repo_base_url }}"
-    gpgcheck: no
-  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_ostree
+    name: devel_kubic_libcontainers_stable
+    description: Stable Releases of Upstream github.com/containers packages (CentOS_$releasever)
+    baseurl: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/
+    gpgcheck: yes
+    gpgkey: http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/CentOS_$releasever/repodata/repomd.xml.key
+  when: ansible_distribution in ["CentOS"]
 
-- name: Enable modular repos for crio
+- name: Add CRI-O kubic repo
+  yum_repository:
+    name: "devel_kubic_libcontainers_stable_cri-o_{{ crio_version }}"
+    description: 1.17 (CentOS_$releasever)
+    baseurl: "http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/CentOS_$releasever/"
+    gpgcheck: yes
+    gpgkey: "http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/CentOS_$releasever/repodata/repomd.xml.key"
+  when: ansible_distribution in ["CentOS"]
+
+- name: Enable modular repos for CRI-O
   ini_file:
     path: "/etc/yum.repos.d/{{ item }}.repo"
     section: "{{ item }}"
     option: enabled
     value: 1
   become: true
-  when: ansible_distribution in ["Fedora"]
+  when: is_ostree
   loop:
     - "fedora-updates-modular"
     - "fedora-modular"
+
+- name: Enable CRI-O module
+  command: "dnf -y module enable cri-o:{{ crio_version }}"
+  args:
+    warn: False
+  register: crio_dnf_result
+  changed_when: "'Enabling' in crio_dnf_result.stdout"
+  become: true
+  when:
+    - ansible_distribution in ["Fedora"]
+    - not is_ostree
diff --git a/roles/container-engine/cri-o/tasks/main.yaml b/roles/container-engine/cri-o/tasks/main.yaml
@@ -48,6 +48,21 @@
   with_items: "{{ crio_packages }}"
   notify: restart crio
 
+- name: Gather the rpm package facts
+  package_facts:
+    manager: auto
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "8"
+
+- name: Ensure latest version of libseccom installed
+  command: "yum update -y libseccomp"
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "8"
+    - ansible_facts.packages['libseccomp'] | map(attribute='version') | map('regex_replace','^(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') | list | first == '2.3'
+  notify: restart crio
+
 - name: Check if already installed
   stat:
     path: "/bin/crio"
@@ -96,9 +111,20 @@
     owner: root
     mode: 0755
 
+- name: Remove metacopy mount options for older kernels
+  ini_file:
+    dest: /etc/containers/storage.conf
+    section: storage.options.overlay
+    option: mountopt
+    value: "\"nodev\""
+  when:
+    - ansible_distribution == "CentOS"
+    - ansible_distribution_major_version == "7"
+
+
 - name: Write cri-o proxy drop-in
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/crio.service.d/http-proxy.conf
   notify: restart crio
-  when: http_proxy is defined or https_proxy is defined
+  when: http_proxy is defined or https_proxy is defined
diff --git a/roles/container-engine/cri-o/vars/centos-7.yml b/roles/container-engine/cri-o/vars/centos-7.yml
@@ -0,0 +1,5 @@
+---
+
+crio_packages:
+  - cri-o
+  - oci-systemd-hook
diff --git a/roles/container-engine/cri-o/vars/centos-8.yml b/roles/container-engine/cri-o/vars/centos-8.yml
@@ -0,0 +1,4 @@
+---
+
+crio_packages:
+  - cri-o
diff --git a/roles/container-engine/cri-o/vars/clearlinux.yml b/roles/container-engine/cri-o/vars/clearlinux.yml
@@ -4,4 +4,3 @@ crio_packages:
 
 crio_conmon: /usr/libexec/crio/conmon
 crio_seccomp_profile: /usr/share/defaults/crio/seccomp.json
-crio_runc_path: /usr/bin/runc
diff --git a/roles/container-engine/cri-o/vars/debian.yml b/roles/container-engine/cri-o/vars/debian.yml
@@ -0,0 +1,7 @@
+---
+
+crio_packages:
+  - "cri-o-{{ crio_version }}"
+  - runc
+
+crio_runc_path: /usr/sbin/runc
diff --git a/roles/container-engine/cri-o/vars/fedora.yml b/roles/container-engine/cri-o/vars/fedora.yml
@@ -4,5 +4,3 @@ crio_packages:
   - cri-tools
 
 crio_conmon: /usr/libexec/crio/conmon
-crio_runc_path: "/usr/bin/runc"
-crio_seccomp_profile: ""
diff --git a/roles/container-engine/cri-o/vars/redhat.yml b/roles/container-engine/cri-o/vars/redhat.yml
@@ -4,4 +4,3 @@ crio_packages:
   - oci-systemd-hook
 
 crio_conmon: /usr/libexec/crio/conmon
-crio_runc_path: /usr/bin/runc
diff --git a/roles/container-engine/cri-o/vars/ubuntu.yml b/roles/container-engine/cri-o/vars/ubuntu.yml
@@ -1,12 +1,6 @@
 ---
-crio_kubic_versions:
-  "1.18": "1.17"
-  "1.17": "1.17"
-  "1.16": "1.16"
 
 crio_packages:
-  - "cri-o-{{ crio_kubic_versions[ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') ] | default('1.17') }}"
+  - "cri-o-{{ crio_version }}"
 
-crio_conmon: /usr/bin/conmon
-crio_seccomp_profile: ""
 crio_runc_path: /usr/lib/cri-o-runc/sbin/runc