Enable containerd to deploy vanilla containerd package (#4951)

* Enable containerd to deploy vanilla containerd package Fixes kubeadm references to CRI socket for containerd Fixes download role cache feature to work with containerd Change-Id: I2ab8f0031107e2f0d1a85c39b4beb66f08509a01 * use containerd for flannel-addons job Change-Id: Ied375c7d65e64a625ffbd995ff16f2374067dee6 * add containerd vars Change-Id: Ib9a8a04e501c481a86235413cbec63f3672baf91 * fixup vars Change-Id: Ibea64e4b18405a578b52a13da100384582aa24c2 * more fixes * fix rh repo Change-Id: I00575a77cfb7b81d6095db5d918a52023c8f13ba * Adjust helm host install for containerd
2026-03-18 17:37:32 -02:30 · 2019-07-11 09:46:54 +03:00
parent a038d62644
commit 29307740dd
24 changed files with 408 additions and 68 deletions
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -10,3 +10,35 @@ containerd_config:
  registries:
    "docker.io": "https://registry-1.docker.io"
  max_container_log_line_size: -1
+
+containerd_version: '1.2.6'
+containerd_package: 'containerd.io'
+
+containerd_cfg_dir: /etc/containerd
+
+# Path to runc binray
+runc_binary: /usr/sbin/runc
+
+
+yum_repo_dir: /etc/yum.repos.d
+yum_conf: /etc/yum.conf
+containerd_yum_conf: /etc/yum_containerd.conf
+
+# Optional values for containerd apt repo
+containerd_package_info:
+  pkgs:
+
+containerd_repo_key_info:
+  repo_keys:
+
+containerd_repo_info:
+  repos:
+
+extras_rh_repo_base_url: "http://mirror.centos.org/centos/$releasever/extras/$basearch/"
+extras_rh_repo_gpgkey: "http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-7"
+
+# Ubuntu docker-ce repo
+containerd_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu"
+containerd_ubuntu_repo_gpgkey: 'https://download.docker.com/linux/ubuntu/gpg'
+containerd_ubuntu_repo_repokey: '9DC858229FC7DD38854AE2D88D81803C0EBFCD88'
+containerd_ubuntu_repo_component: 'stable'
--- a/roles/container-engine/containerd/handlers/main.yml
+++ b/roles/container-engine/containerd/handlers/main.yml
@@ -2,23 +2,19 @@
 - name: restart containerd
  command: /bin/true
  notify:
-    - Containerd | reload containerd
-    - Containerd | pause while containerd restarts
+    - Containerd | restart containerd
    - Containerd | wait for containerd

- name: Containerd | reload containerd
-  service:
+- name: Containerd | restart containerd
+  systemd:
    name: containerd
    state: restarted
-
- name: Containerd | pause while containerd restarts
-  pause:
-    seconds: 5
-    prompt: "Waiting for containerd restart"
+    enabled: yes
+    daemon-reload: yes

 - name: Containerd | wait for containerd
  command: "{{ containerd_bin_dir }}/ctr images ls -q"
  register: containerd_ready
-  retries: 10
-  delay: 5
+  retries: 8
+  delay: 4
  until: containerd_ready.rc == 0
--- a/roles/container-engine/containerd/tasks/containerd_repo.yml
+++ b/roles/container-engine/containerd/tasks/containerd_repo.yml
@@ -0,0 +1,106 @@
+---
+- name: ensure containerd repository public key is installed
+  action: "{{ containerd_repo_key_info.pkg_key }}"
+  args:
+    id: "{{ item }}"
+    url: "{{ containerd_repo_key_info.url }}"
+    state: present
+  register: keyserver_task_result
+  until: keyserver_task_result is succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
+  with_items: "{{ containerd_repo_key_info.repo_keys }}"
+  when:
+    - ansible_os_family in ['Ubuntu', 'Debian']
+    - not is_atomic
+
+- name: ensure containerd repository is enabled
+  action: "{{ containerd_repo_info.pkg_repo }}"
+  args:
+    repo: "{{ item }}"
+    state: present
+  with_items: "{{ containerd_repo_info.repos }}"
+  when:
+    - ansible_os_family in ['Ubuntu', 'Debian']
+    - not is_atomic
+    - containerd_repo_info.repos|length > 0
+
+# This is required to ensure any apt upgrade will not break kubernetes
+- name: Set containerd pin priority to apt_preferences on Debian family
+  template:
+    src: "apt_preferences.d/debian_containerd.j2"
+    dest: "/etc/apt/preferences.d/containerd"
+    owner: "root"
+    mode: 0644
+  when:
+    - ansible_os_family in ['Ubuntu', 'Debian']
+    - not is_atomic
+
+- name: ensure containerd repository public key is installed
+  action: "{{ containerd_repo_key_info.pkg_key }}"
+  args:
+    id: "{{ item }}"
+    url: "{{ containerd_repo_key_info.url }}"
+    state: present
+  register: keyserver_task_result
+  until: keyserver_task_result is succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
+  with_items: "{{ containerd_repo_key_info.repo_keys }}"
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic)
+
+- name: ensure containerd repository is enabled
+  action: "{{ containerd_repo_info.pkg_repo }}"
+  args:
+    repo: "{{ item }}"
+    state: present
+  with_items: "{{ containerd_repo_info.repos }}"
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (containerd_repo_info.repos|length > 0)
+
+- name: Configure containerd repository on Fedora
+  template:
+    src: "fedora_containerd.repo.j2"
+    dest: "{{ yum_repo_dir }}/containerd.repo"
+  when: ansible_distribution == "Fedora" and not is_atomic
+
+- name: Configure containerd repository on RedHat/CentOS
+  template:
+    src: "rh_containerd.repo.j2"
+    dest: "{{ yum_repo_dir }}/containerd.repo"
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+
+- name: check if container-selinux is available
+  yum:
+    list: "container-selinux"
+  register: yum_result
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+
+- name: Configure extras repository on RedHat/CentOS if container-selinux is not available in current repos
+  yum_repository:
+    name: extras
+    description: "CentOS-7 - Extras"
+    state: present
+    baseurl: "{{ extras_rh_repo_base_url }}"
+    file: "extras"
+    gpgcheck: yes
+    gpgkey: "{{ extras_rh_repo_gpgkey }}"
+    keepcache: "{{ containerd_rpm_keepcache | default('1') }}"
+    proxy: " {{ http_proxy | default('_none_') }}"
+  when:
+    - ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+    - yum_result.results | length == 0
+
+- name: Copy yum.conf for editing
+  copy:
+    src: "{{ yum_conf }}"
+    dest: "{{ containerd_yum_conf }}"
+    remote_src: yes
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+
+- name: Edit copy of yum.conf to set obsoletes=0
+  lineinfile:
+    path: "{{ containerd_yum_conf }}"
+    state: present
+    regexp: '^obsoletes='
+    line: 'obsoletes=0'
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
--- a/roles/container-engine/containerd/tasks/crictl.yml
+++ b/roles/container-engine/containerd/tasks/crictl.yml
@@ -1,6 +1,6 @@
 ---
 - name: crictl | Download crictl
-  include_tasks: "roles/download/tasks/download_file.yml"
+  include_tasks: "../../../download/tasks/download_file.yml"
  vars:
    download: "{{ download_defaults | combine(downloads.crictl) }}"

--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -5,27 +5,119 @@
  when:
    - not ansible_distribution in ["CentOS","RedHat", "Ubuntu", "Debian"]

- name: Install Docker
-  include_role:
-    name: container-engine/docker
+- name: gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files:
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}-{{ host_architecture }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ host_architecture }}.yml"
+        - "{{ ansible_distribution|lower }}.yml"
+        - "{{ ansible_os_family|lower }}-{{ host_architecture }}.yml"
+        - "{{ ansible_os_family|lower }}.yml"
+        - defaults.yml
+      paths:
+        - ../vars
+      skip: true
+  tags:
+    - facts

- name: Install config.toml
+- include_tasks: containerd_repo.yml
+
+- name: ensure containerd config directory
+  file:
+    dest: "{{ containerd_cfg_dir }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: Copy containerd config file
  template:
    src: config.toml.j2
-    dest: /etc/containerd/config.toml
-    owner: bin
+    dest: "{{ containerd_cfg_dir }}/config.toml"
+    owner: "root"
    mode: 0644
+  notify: restart containerd

- name: Stop and disabled Docker
-  systemd:
-    name: docker
-    state: stopped
-    enabled: no

- name: Restart containerd
-  systemd:
-    name: containerd
-    state: restarted
+- name: ensure containerd repository public key is installed
+  action: "{{ containerd_repo_key_info.pkg_key }}"
+  args:
+    id: "{{ item }}"
+    url: "{{ containerd_repo_key_info.url }}"
+    state: present
+  register: keyserver_task_result
+  until: keyserver_task_result is succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
+  with_items: "{{ containerd_repo_key_info.repo_keys }}"
+  when:
+    - ansible_os_family in ['Ubuntu', 'Debian']
+    - not is_atomic
+
+- name: ensure containerd repository is enabled
+  action: "{{ containerd_repo_info.pkg_repo }}"
+  args:
+    repo: "{{ item }}"
+    state: present
+  with_items: "{{ containerd_repo_info.repos }}"
+  when:
+    - ansible_os_family in ['Ubuntu', 'Debian']
+    - not is_atomic
+    - containerd_repo_info.repos|length > 0
+
+# This is required to ensure any apt upgrade will not break kubernetes
+- name: Set containerd pin priority to apt_preferences on Debian family
+  template:
+    src: "apt_preferences.d/debian_containerd.j2"
+    dest: "/etc/apt/preferences.d/containerd"
+    owner: "root"
+    mode: 0644
+  when:
+    - ansible_os_family in ['Ubuntu', 'Debian']
+    - not is_atomic
+
+- name: ensure containerd packages are installed
+  action: "{{ containerd_package_info.pkg_mgr }}"
+  args:
+    pkg: "{{ item.name }}"
+    force: "{{ item.force | default(omit) }}"
+    conf_file: "{{ item.yum_conf | default(omit) }}"
+    state: present
+    update_cache: "{{ omit if ansible_distribution == 'Fedora' else True }}"
+  register: containerd_task_result
+  until: containerd_task_result is succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
+  with_items: "{{ containerd_package_info.pkgs }}"
+  notify: restart containerd
+  when:
+    - not is_atomic
+    - containerd_package_info.pkgs|length > 0
+  ignore_errors: true
+
+- name: Check if runc is installed
+  stat:
+    path: /usr/sbin/runc
+  register: runc_stat
+
+- name: Install runc package if necessary
+  action: "{{ containerd_package_info.pkg_mgr }}"
+  args:
+    pkg: runc
+    state: present
+    update_cache: "{{ omit if ansible_distribution == 'Fedora' else True }}"
+  register: runc_task_result
+  until: runc_task_result is succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
+  notify: restart containerd
+  when:
+    - not is_atomic
+    - not runc_stat.stat.exists

 - name: Install crictl config
  template:
@@ -35,16 +127,6 @@
    mode: 0644

 - name: Install crictl completion
-  shell: /usr/local/bin/crictl completion >/etc/bash_completion.d/crictl
+  shell: "{{ bin_dir }}/crictl completion >/etc/bash_completion.d/crictl"
  ignore_errors: True
  when: ansible_distribution in ["CentOS","RedHat", "Ubuntu", "Debian"]
-
- name: Enable containerd
-  systemd:
-    name: containerd.service
-    state: started
-    enabled: yes
-    daemon-reload: yes
-
- name: flush handlers so we can wait for containerd to come up
-  meta: flush_handlers
--- a/roles/container-engine/containerd/templates/apt_preferences.d/debian_containerd.j2
+++ b/roles/container-engine/containerd/templates/apt_preferences.d/debian_containerd.j2
@@ -0,0 +1,3 @@
+Package: {{ containerd_package }}
+Pin: version {{ containerd_version }}.*
+Pin-Priority: 1001
--- a/roles/container-engine/containerd/templates/config.toml.j2
+++ b/roles/container-engine/containerd/templates/config.toml.j2
@@ -13,7 +13,7 @@ disabled_plugins = ["restart"]

 [plugins.linux]
  shim = "/usr/bin/containerd-shim"
-  runtime = "/usr/sbin/runc"
+  runtime = "{{ runc_binary }}"

 [plugins.cri]
  stream_server_address = "127.0.0.1"
--- a/roles/container-engine/containerd/templates/rh_containerd.repo.j2
+++ b/roles/container-engine/containerd/templates/rh_containerd.repo.j2
@@ -0,0 +1,17 @@
+[docker-ce]
+name=Docker-CE Repository
+baseurl={{ docker_rh_repo_base_url }}
+enabled=1
+gpgcheck=1
+keepcache={{ docker_rpm_keepcache | default('1') }}
+gpgkey={{ docker_rh_repo_gpgkey }}
+{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
+
+[docker-engine]
+name=Docker-Engine Repository
+baseurl={{ dockerproject_rh_repo_base_url }}
+enabled=1
+gpgcheck=1
+keepcache={{ docker_rpm_keepcache | default('1') }}
+gpgkey={{ dockerproject_rh_repo_gpgkey }}
+{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
--- a/roles/container-engine/containerd/vars/redhat.yml
+++ b/roles/container-engine/containerd/vars/redhat.yml
@@ -0,0 +1,28 @@
+---
+
+containerd_versioned_pkg:
+  'latest': "{{ containerd_package }}"
+  '1.2.4': "{{ containerd_package }}-1.2.4-3.1.el7"
+  '1.2.5': "{{ containerd_package }}-1.2.5-3.1.el7"
+  '1.2.6': "{{ containerd_package }}-1.2.6-3.3.el7"
+  'stable': "{{ containerd_package }}-1.2.6-3.3.el7"
+  'edge': "{{ containerd_package }}-1.2.6-3.3.el7"
+
+containerd_package_info:
+  pkg_mgr: yum
+  pkgs:
+    - name: "{{ containerd_versioned_pkg[containerd_version | string] }}"
+
+containerd_pkgs:
+  - name: "{{ containerd_versioned_pkg[containerd_version | string] }}"
+    yum_conf: "{{ containerd_yum_conf }}"
+
+containerd_repo_key_info:
+  pkg_key: ''
+  repo_keys: []
+
+containerd_repo_info:
+  pkg_repo: ''
+  repos: []
+
+runc_binary: /bin/runc
--- a/roles/container-engine/containerd/vars/suse.yml
+++ b/roles/container-engine/containerd/vars/suse.yml
@@ -0,0 +1,17 @@
+---
+# docker-ce containerd.io does not contain daemon
+containerd_package: containerd
+
+containerd_package_info:
+  pkg_mgr: zypper
+  pkgs:
+    - name: "{{ containerd_package }}"
+      state: latest
+
+containerd_repo_key_info:
+  pkg_key: ''
+  repo_keys: []
+
+containerd_repo_info:
+  pkg_repo: ''
+  repos: []
--- a/roles/container-engine/containerd/vars/ubuntu-amd64.yml
+++ b/roles/container-engine/containerd/vars/ubuntu-amd64.yml
@@ -0,0 +1,27 @@
+---
+
+containerd_versioned_pkg:
+  'latest': "{{ containerd_package }}"
+  '1.2.4': "{{ containerd_package }}=1.2.4-1"
+  'stable': "{{ containerd_package }}=1.2.4-1"
+  'edge': "{{ containerd_package }}=1.2.4-1"
+
+containerd_package_info:
+  pkg_mgr: apt
+  pkgs:
+    - name: "{{ containerd_versioned_pkg[containerd_version | string] }}"
+      force: true
+
+containerd_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ containerd_ubuntu_repo_gpgkey }}'
+  repo_keys:
+    - '{{ containerd_ubuntu_repo_repokey }}'
+
+containerd_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb {{ containerd_ubuntu_repo_base_url }}
+       {{ ansible_distribution_release|lower }}
+       {{ containerd_ubuntu_repo_component }}
--- a/roles/container-engine/meta/main.yml
+++ b/roles/container-engine/meta/main.yml
@@ -20,10 +20,3 @@ dependencies:
    tags:
      - container-engine
      - docker
-
-  - role: container-engine/containerd
-    when:
-      - container_manager == 'containerd'
-    tags:
-      - container-engine
-      - containerd