Move to Ansible 3.4.0 (#7672)

* Ansible: move to Ansible 3.4.0 which uses ansible-base 2.10.10

* Docs: add a note about ansible upgrade post 2.9.x

* CI: ensure ansible is removed before ansible 3.x is installed to avoid pip failures

* Ansible: use newer ansible-lint

* Fix ansible-lint 5.0.11 found issues

* syntax issues
* risky-file-permissions
* var-naming
* role-name
* molecule tests

* Mitogen: use 0.3.0rc1 which adds support for ansible 2.10+

* Pin ansible-base to 2.10.11 to get package fix on RHEL8

roles/container-engine/containerd/molecule/default/converge.yml

@@ -4,4 +4,4 @@
   become: true
   roles:
     - role: kubespray-defaults
-    - role: containerd
+    - role: container-engine/containerd

roles/container-engine/containerd/tasks/containerd_repo.yml

@@ -23,12 +23,14 @@
   template:
     src: "fedora_containerd.repo.j2"
     dest: "{{ yum_repo_dir }}/containerd.repo"
+    mode: 0644
   when: ansible_distribution == "Fedora"
 
 - name: Configure containerd repository on RedHat/OracleLinux/CentOS/AlmaLinux
   template:
     src: "rh_containerd.repo.j2"
     dest: "{{ yum_repo_dir }}/containerd.repo"
+    mode: 0644
   when:
     - ansible_os_family == "RedHat"
     - ansible_distribution not in ["Fedora", "Amazon"]

roles/container-engine/containerd/tasks/main.yml

@@ -58,11 +58,13 @@
   file:
     path: /etc/systemd/system/containerd.service.d
     state: directory
+    mode: 0755
 
 - name: Write containerd proxy drop-in
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/containerd.service.d/http-proxy.conf
+    mode: 0644
   notify: restart containerd
   when: http_proxy is defined or https_proxy is defined
 
@@ -116,7 +118,7 @@
     - not is_ostree
     - containerd_package_info.pkgs|length > 0
 
-- include_role:
+- include_role:  # noqa unnamed-task
     name: container-engine/crictl
 
 # you can sometimes end up in a state where everything is installed

roles/container-engine/cri-o/molecule/default/converge.yml

@@ -4,4 +4,4 @@
   become: true
   roles:
     - role: kubespray-defaults
-    - role: cri-o
+    - role: container-engine/cri-o

roles/container-engine/cri-o/tasks/crio_repo.yml

@@ -53,6 +53,7 @@
     option: enabled
     value: "0"
     backup: yes
+    mode: 0644
   when:
     - ansible_distribution in ["Amazon"]
     - amzn2_extras_file_stat.stat.exists
@@ -119,6 +120,7 @@
     section: "{{ item.section }}"
     option: enabled
     value: 1
+    mode: 0644
   become: true
   when: is_ostree
   loop:

roles/container-engine/cri-o/tasks/main.yaml

@@ -46,7 +46,7 @@
   import_tasks: "crio_repo.yml"
   when: crio_add_repos
 
-- include_role:
+- include_role:  # noqa unnamed-task
     name: container-engine/crictl
 
 - name: Build a list of crio runtimes with Katacontainers runtimes
@@ -69,11 +69,13 @@
   file:
     path: "{{ item }}"
     state: directory
+    mode: 0755
 
 - name: Install cri-o config
   template:
     src: crio.conf.j2
     dest: /etc/crio/crio.conf
+    mode: 0644
   register: config_install
 
 - name: Add skopeo pkg to install
@@ -129,6 +131,7 @@
   copy:
     src: mounts.conf
     dest: /etc/containers/mounts.conf
+    mode: 0644
   when:
     - ansible_os_family == 'RedHat'
   notify: restart crio
@@ -147,6 +150,7 @@
     section: storage.options.overlay
     option: mountopt
     value: '{{ ''"nodev"'' if ansible_kernel is version_compare(("4.18" if ansible_os_family == "RedHat" else "4.19"), "<") else ''"nodev,metacopy=on"'' }}'
+    mode: 0644
 
 - name: Create directory registries configs
   file:
@@ -159,6 +163,7 @@
   template:
     src: registry-mirror.conf.j2
     dest: "/etc/containers/registries.conf.d/{{ item.prefix }}.conf"
+    mode: 0644
   loop: "{{ crio_registries_mirrors }}"
   notify: restart crio
 
@@ -166,6 +171,7 @@
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/crio.service.d/http-proxy.conf
+    mode: 0644
   notify: restart crio
   when: http_proxy is defined or https_proxy is defined
 

roles/container-engine/docker/molecule/default/converge.yml

@@ -4,4 +4,4 @@
   become: true
   roles:
     - role: kubespray-defaults
-    - role: docker
+    - role: container-engine/docker

roles/container-engine/docker/tasks/main.yml

@@ -80,12 +80,14 @@
   template:
     src: "fedora_docker.repo.j2"
     dest: "{{ yum_repo_dir }}/docker.repo"
+    mode: 0644
   when: ansible_distribution == "Fedora" and not is_ostree
 
 - name: Configure docker repository on RedHat/CentOS/Oracle/AlmaLinux Linux
   template:
     src: "rh_docker.repo.j2"
     dest: "{{ yum_repo_dir }}/docker-ce.repo"
+    mode: 0644
   when:
     - ansible_os_family == "RedHat"
     - ansible_distribution != "Fedora"
@@ -145,7 +147,7 @@
         state: started
       when: docker_task_result is not changed
   rescue:
-    - debug:
+    - debug:  # noqa unnamed-task
         msg: "Docker start failed. Try to remove our config"
     - name: remove kubespray generated config
       file:

roles/container-engine/docker/tasks/systemd.yml

@@ -3,11 +3,13 @@
   file:
     path: /etc/systemd/system/docker.service.d
     state: directory
+    mode: 0755
 
 - name: Write docker proxy drop-in
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/docker.service.d/http-proxy.conf
+    mode: 0644
   notify: restart docker
   when: http_proxy is defined or https_proxy is defined
 
@@ -25,6 +27,7 @@
   template:
     src: docker.service.j2
     dest: /etc/systemd/system/docker.service
+    mode: 0644
   register: docker_service_file
   notify: restart docker
   when:
@@ -35,12 +38,14 @@
   template:
     src: docker-options.conf.j2
     dest: "/etc/systemd/system/docker.service.d/docker-options.conf"
+    mode: 0644
   notify: restart docker
 
 - name: Write docker dns systemd drop-in
   template:
     src: docker-dns.conf.j2
     dest: "/etc/systemd/system/docker.service.d/docker-dns.conf"
+    mode: 0644
   notify: restart docker
   when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
 
@@ -55,7 +60,9 @@
   template:
     src: docker-orphan-cleanup.conf.j2
     dest: "/etc/systemd/system/docker.service.d/docker-orphan-cleanup.conf"
+    mode: 0644
   notify: restart docker
   when: docker_orphan_clean_up | bool
 
-- meta: flush_handlers
+- name: Flush handlers
+  meta: flush_handlers

roles/container-engine/gvisor/molecule/default/converge.yml

@@ -7,5 +7,5 @@
     container_manager: containerd
   roles:
     - role: kubespray-defaults
-    - role: containerd
-    - role: gvisor
+    - role: container-engine/containerd
+    - role: container-engine/gvisor

roles/container-engine/gvisor/molecule/default/prepare.yml

@@ -5,7 +5,7 @@
   roles:
     - role: kubespray-defaults
     - role: bootstrap-os
-    - role: ../adduser
+    - role: adduser
       user: "{{ addusers.kube }}"
   tasks:
     - include_tasks: "../../../../download/tasks/download_file.yml"
@@ -20,8 +20,8 @@
     kube_network_plugin: cni
   roles:
     - role: kubespray-defaults
-    - role: ../network_plugin/cni
-    - role: crictl
+    - role: network_plugin/cni
+    - role: container-engine/crictl
   tasks:
     - name: Copy test container files
       copy:

roles/container-engine/kata-containers/molecule/default/converge.yml

@@ -6,5 +6,5 @@
     kata_containers_enabled: true
   roles:
     - role: kubespray-defaults
-    - role: containerd
-    - role: kata-containers
+    - role: container-engine/containerd
+    - role: container-engine/kata-containers

roles/container-engine/kata-containers/tasks/main.yml

@@ -15,11 +15,13 @@
   file:
     path: "{{ kata_containers_config_dir }}"
     state: directory
+    mode: 0755
 
 - name: kata-containers | Set configuration
   template:
     src: "{{ item }}.j2"
     dest: "{{ kata_containers_config_dir }}/{{ item }}"
+    mode: 0644
   with_items:
     - configuration-qemu.toml
 

roles/container-engine/meta/main.yml

@@ -1,3 +1,4 @@
+# noqa role-name - this is a meta role that doesn't need a name
 ---
 dependencies:
   - role: container-engine/kata-containers