containerd support (#4664)

* Add limited containerd support

Containerd support for Ubuntu + Calico

* Added CRI-O support for ubuntu

* containerd support.

* Reset  containerd support.

* fix lint.

* implemented feedback

* Change task name cri xx instead of cri-o in reset task and timeout condition.

* set crictl to fixed version

* Use docker-ce's container.io package for containerd.

* Add check containerd is installable or not.

* Avoid stop docker when use containerd and optimize retry for reset.

* Add config.toml.

* Fixed containerd for kubelet.env.

* Merge PR #4629

* Remove unused ubuntu variable for containerd

* Polish code for containerd and cri-o

* Refactoring cri socket configuration.

* Configurable conmon.

* Remove unused crictl/runc download

* Now crictl and runc is downloaded by common crictl.yml.

* fixed yamllint error

* Fixed brokenfiles by conflict.

* Remove commented line in config.toml

* Remove readded v1.12.x version

* Fixed broken set_docker_image_facts

* Fix yamllint errors.

* Remove unused apt source

* Fix crictl could not be installed

* Add containerd config from skolekonov's PR #4601

roles/container-engine/containerd/defaults/main.yml

@@ -0,0 +1,12 @@
+---
+kubelet_cgroup_driver: systemd
+
+containerd_config:
+  grpc:
+    max_recv_message_size: 16777216
+    max_send_message_size: 16777216
+  debug:
+    level: ""
+  registries:
+    "docker.io": "https://registry-1.docker.io"
+  max_container_log_line_size: -1

roles/container-engine/containerd/handlers/main.yml

@@ -0,0 +1,24 @@
+---
+- name: restart containerd
+  command: /bin/true
+  notify:
+    - Containerd | reload containerd
+    - Containerd | pause while containerd restarts
+    - Containerd | wait for containerd
+
+- name: Containerd | reload containerd
+  service:
+    name: containerd
+    state: restarted
+
+- name: Containerd | pause while containerd restarts
+  pause:
+    seconds: 5
+    prompt: "Waiting for containerd restart"
+
+- name: Containerd | wait for containerd
+  command: "{{ containerd_bin_dir }}/ctr images ls -q"
+  register: containerd_ready
+  retries: 10
+  delay: 5
+  until: containerd_ready.rc == 0

roles/container-engine/containerd/tasks/crictl.yml

@@ -0,0 +1,26 @@
+---
+- name: crictl | Download crictl
+  include_tasks: "roles/download/tasks/download_file.yml"
+  vars:
+    download: "{{ download_defaults | combine(downloads.crictl) }}"
+
+- name: Install crictl config
+  template:
+    src: ../templates/crictl.yaml.j2
+    dest: /etc/crictl.yaml
+    owner: bin
+    mode: 0644
+
+- name: Copy crictl binary from download dir
+  synchronize:
+    src: "{{ local_release_dir }}/crictl"
+    dest: "{{ bin_dir }}/crictl"
+    compress: no
+    perms: yes
+    owner: no
+    group: no
+  delegate_to: "{{ inventory_hostname }}"
+
+- name: Install crictl completion
+  shell: /usr/local/bin/crictl completion >/etc/bash_completion.d/crictl
+  ignore_errors: True

roles/container-engine/containerd/tasks/main.yml

@@ -0,0 +1,50 @@
+---
+- name: Fail containerd setup if distribution is not supported
+  fail:
+    msg: "{{ ansible_distribution }} is not supported by containerd."
+  when:
+    - not ansible_distribution in ["CentOS","RedHat", "Ubuntu", "Debian"]
+
+- name: Install Docker
+  include_role:
+    name: container-engine/docker
+
+- name: Install config.toml
+  template:
+    src: config.toml.j2
+    dest: /etc/containerd/config.toml
+    owner: bin
+    mode: 0644
+
+- name: Stop and disabled Docker
+  systemd:
+    name: docker
+    state: stopped
+    enabled: no
+
+- name: Restart containerd
+  systemd:
+    name: containerd
+    state: restarted
+
+- name: Install crictl config
+  template:
+    src: crictl.yaml.j2
+    dest: /etc/crictl.yaml
+    owner: bin
+    mode: 0644
+
+- name: Install crictl completion
+  shell: /usr/local/bin/crictl completion >/etc/bash_completion.d/crictl
+  ignore_errors: True
+  when: ansible_distribution in ["CentOS","RedHat", "Ubuntu", "Debian"]
+
+- name: Enable containerd
+  systemd:
+    name: containerd.service
+    state: started
+    enabled: yes
+    daemon-reload: yes
+
+- name: flush handlers so we can wait for containerd to come up
+  meta: flush_handlers

roles/container-engine/containerd/templates/config.toml.j2

@@ -0,0 +1,40 @@
+# Kubernetes doesn't use containerd restart manager.
+disabled_plugins = ["restart"]
+
+[debug]
+  level = "{{ containerd_config.debug.level | default("") }}"
+
+{% if 'grpc' in containerd_config %}
+[grpc]
+{% for param, value in containerd_config.grpc.items() %}
+  {{ param }} = {{ value }}
+{% endfor %}
+{% endif %}
+
+[plugins.linux]
+  shim = "/usr/bin/containerd-shim"
+  runtime = "/usr/sbin/runc"
+
+[plugins.cri]
+  stream_server_address = "127.0.0.1"
+  max_container_log_line_size = {{ containerd_config.max_container_log_line_size }}
+  sandbox_image = "{{ pod_infra_image_repo }}:{{ pod_infra_image_tag }}"
+
+[plugins.cri.cni]
+  bin_dir = "/opt/cni/bin"
+  conf_dir = "/etc/cni/net.d"
+  conf_template = ""
+
+[plugins.cri.containerd.untrusted_workload_runtime]
+  runtime_type = ""
+  runtime_engine = ""
+  runtime_root = ""
+
+{% if 'registries' in containerd_config %}
+[plugins.cri.registry]
+[plugins.cri.registry.mirrors]
+{% for registry, addr in containerd_config.registries.items() %}
+[plugins.cri.registry.mirrors."{{ registry }}"]
+  endpoint = ["{{ addr }}"]
+{% endfor %}
+{% endif %}

roles/container-engine/containerd/templates/crictl.yaml.j2

@@ -0,0 +1,4 @@
+runtime-endpoint: unix://{{ cri_socket }}
+image-endpoint: unix://{{ cri_socket }}
+timeout: 30
+debug: false

roles/container-engine/cri-o/tasks/main.yaml

@@ -24,6 +24,12 @@
     gpgcheck: no
   when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
 
+- name: Add CRI-O PPA
+  apt_repository:
+    repo: ppa:projectatomic/ppa
+    state: present
+  when: ansible_distribution in ["Ubuntu"]
+
 - name: Make sure needed folders exist in the system
   with_items:
     - /etc/crio

roles/container-engine/cri-o/templates/crio.conf.j2

@@ -64,7 +64,7 @@ file_locking = true
 # This is a mandatory setting as this runtime will be the default one
 # and will also be used for untrusted container workloads if
 # runtime_untrusted_workload is not set.
-{% if ansible_os_family == "ClearLinux" or ansible_os_family == "RedHat" %}
+{% if ansible_os_family == "ClearLinux" or ansible_os_family == "RedHat" or ansible_distribution == "Ubuntu" %}
 runtime = "/usr/bin/runc"
 {% else %}
 runtime = "/usr/sbin/runc"
@@ -96,7 +96,7 @@ default_workload_trust = "trusted"
 no_pivot = false
 
 # conmon is the path to conmon binary, used for managing the runtime.
-conmon = "/usr/libexec/crio/conmon"
+conmon = "{{ crio_conmon }}"
 
 # conmon_env is the environment variable list for conmon process,
 # used for passing necessary environment variable to conmon or runtime.

roles/container-engine/cri-o/vars/clearlinux.yml

@@ -3,3 +3,4 @@ crio_packages:
   - containers-basic
 
 crio_service: crio
+crio_conmon: /usr/libexec/crio/conmon

roles/container-engine/cri-o/vars/fedora.yml

@@ -4,3 +4,4 @@ crio_packages:
   - cri-tools
 
 crio_service: cri-o
+crio_conmon: /usr/libexec/crio/conmon

roles/container-engine/cri-o/vars/redhat.yml

@@ -4,4 +4,5 @@ crio_packages:
   - cri-tools
   - oci-systemd-hook
 
-crio_service: crio
+crio_service: crio
+crio_conmon: /usr/libexec/crio/conmon

roles/container-engine/cri-o/vars/ubuntu.yml

@@ -0,0 +1,6 @@
+---
+crio_packages:
+  - "cri-o-{{ kube_version | regex_replace('^v(?P<major>\\d+).(?P<minor>\\d+).(?P<patch>\\d+)$', '\\g<major>.\\g<minor>') }}"
+
+crio_service: crio
+crio_conmon: /usr/lib/crio/bin/conmon

roles/container-engine/meta/main.yml

@@ -7,9 +7,23 @@ dependencies:
       - container-engine
       - crio
 
+  - role: container-engine/containerd
+    when:
+      - container_manager == 'containerd'
+    tags:
+      - container-engine
+      - containerd
+
   - role: container-engine/docker
     when:
       - container_manager == 'docker'
     tags:
       - container-engine
       - docker
+
+  - role: container-engine/containerd
+    when:
+      - container_manager == 'containerd'
+    tags:
+      - container-engine
+      - containerd