Fedora CoreOS support (#5657)

* fedora coreos support
- bootstrap and new fact for

* fedora coreos support
- fix bootstrap condition

* fedora coreos support
- allow customize packages for fedora coreos bootstrap

* fedora coreos support
- prevent install ptyhon3 and epel via dnf for fedora coreos

* fedora coreos support
- handle all ostree like os in same way

* fedora coreos support
- handle all ostree like os in same way for crio

* fedora coreos support
- add fcos documentations

roles/container-engine/cri-o/tasks/main.yaml

@@ -1,4 +1,15 @@
 ---
+
+- name: check if atomic host or fedora coreos
+  stat:
+    path: /run/ostree-booted
+  register: ostree
+
+- name: set is_ostree
+  set_fact:
+    is_ostree: "{{ ostree.stat.exists }}"
+
+
 - name: gather os specific variables
   include_vars: "{{ item }}"
   with_first_found:
@@ -22,7 +33,7 @@
     description: OpenShift Origin Repo
     baseurl: "{{ crio_rhel_repo_base_url }}"
     gpgcheck: no
-  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_atomic
+  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_ostree
 
 - name: Add CRI-O PPA
   apt_repository:
@@ -51,8 +62,25 @@
   package:
     name: "{{ item }}"
     state: present
+  when: not is_ostree
   with_items: "{{ crio_packages }}"
 
+- name: Check if already installed
+  stat:
+    path: "/bin/crio"
+  register: need_bootstrap_crio
+  when: is_ostree
+
+- name: Install cri-o packages with osttree
+  raw: "export http_proxy={{ http_proxy | default('') }} && rpm-ostree install {{ crio_packages|join(' ') }}"
+  when: is_ostree and not need_bootstrap_crio.stat.exists
+  become: true
+
+- name: Reboot immediately for updated ostree
+  reboot:
+  become: true
+  when: is_ostree and not need_bootstrap_crio.stat.exists
+
 - name: Install cri-o config
   template:
     src: crio.conf.j2

roles/container-engine/cri-o/templates/crio.conf.j2

@@ -104,7 +104,7 @@ selinux = {{ (preinstall_selinux_state == 'enforcing')|lower }}
 # for the runtime.
 {% if ansible_os_family == "ClearLinux" %}
 seccomp_profile = "/usr/share/defaults/crio/seccomp.json"
-{% elif ansible_distribution == "Ubuntu" %}
+{% elif ansible_distribution == "Ubuntu" or is_fedora_coreos %}
 seccomp_profile = ""
 {% else %}
 seccomp_profile = "/etc/crio/seccomp.json"
@@ -121,17 +121,17 @@ cgroup_manager = "cgroupfs"
 # only the capabilities defined in the containers json file by the user/kube
 # will be added.
 default_capabilities = [
-	"CHOWN", 
-	"DAC_OVERRIDE", 
-	"FSETID", 
-	"FOWNER", 
-	"NET_RAW", 
-	"SETGID", 
-	"SETUID", 
-	"SETPCAP", 
-	"NET_BIND_SERVICE", 
-	"SYS_CHROOT", 
-	"KILL", 
+	"CHOWN",
+	"DAC_OVERRIDE",
+	"FSETID",
+	"FOWNER",
+	"NET_RAW",
+	"SETGID",
+	"SETUID",
+	"SETPCAP",
+	"NET_BIND_SERVICE",
+	"SYS_CHROOT",
+	"KILL",
 ]
 
 # List of default sysctls. If it is empty or commented out, only the sysctls
@@ -154,7 +154,7 @@ hooks_dir = [
 # be removed in future versions in favor of default_mounts_file.
 default_mounts = [
 {% if ansible_os_family == "RedHat" %}
-	"/usr/share/rhel/secrets:/run/secrets", 
+	"/usr/share/rhel/secrets:/run/secrets",
 {% endif %}
 ]
 
@@ -216,7 +216,7 @@ ctr_stop_timeout = 0
   # The runtime to use is picked based on the runtime_handler provided by the CRI.
   # If no runtime_handler is provided, the runtime will be picked based on the level
   # of trust of the workload.
-  
+
   [crio.runtime.runtimes.runc]
 {% if ansible_os_family == "ClearLinux" or ansible_os_family == "RedHat" %}
   runtime_path = "/usr/bin/runc"
@@ -226,7 +226,7 @@ ctr_stop_timeout = 0
   runtime_path = "/usr/sbin/runc"
 {% endif %}
   runtime_type = "oci"
-  
+
 
 
 # The crio.image table contains settings pertaining to the management of OCI images.
@@ -242,7 +242,7 @@ ctr_stop_timeout = 0
 default_transport = "docker://"
 
 # The image used to instantiate infra containers.
-pause_image = "docker://k8s.gcr.io/pause:3.1"
+pause_image = "docker://{{kube_image_repo}}/pause:3.1"
 
 # If not empty, the path to a docker/config.json-like file containing credentials
 # necessary for pulling the image specified by pause_image above.

roles/container-engine/docker/handlers/main.yml

@@ -15,7 +15,7 @@
   service:
     name: docker.socket
     state: restarted
-  when: ansible_os_family in ['Coreos', 'CoreOS', 'Container Linux by CoreOS', 'Flatcar', 'Flatcar Container Linux by Kinvolk']
+  when: ansible_os_family in ['Coreos', 'CoreOS', 'Container Linux by CoreOS', 'Flatcar', 'Flatcar Container Linux by Kinvolk'] or is_fedora_coreos
 
 - name: Docker | reload docker
   service:

roles/container-engine/docker/tasks/main.yml

@@ -1,12 +1,12 @@
 ---
-- name: check if atomic host
+- name: check if atomic host or fedora coreos
   stat:
     path: /run/ostree-booted
   register: ostree
 
-- name: set is_atomic
+- name: set is_ostree
   set_fact:
-    is_atomic: "{{ ostree.stat.exists }}"
+    is_ostree: "{{ ostree.stat.exists }}"
 
 - name: gather os specific variables
   include_vars: "{{ item }}"
@@ -60,7 +60,7 @@
   retries: 4
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ docker_repo_key_info.repo_keys }}"
-  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_atomic)
+  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_ostree)
 
 - name: ensure docker-ce repository is enabled
   action: "{{ docker_repo_info.pkg_repo }}"
@@ -68,7 +68,7 @@
     repo: "{{ item }}"
     state: present
   with_items: "{{ docker_repo_info.repos }}"
-  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (docker_repo_info.repos|length > 0)
+  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_ostree) and (docker_repo_info.repos|length > 0)
 
 - name: ensure docker-engine repository public key is installed
   action: "{{ dockerproject_repo_key_info.pkg_key }}"
@@ -82,7 +82,7 @@
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ dockerproject_repo_key_info.repo_keys }}"
   when:
-    - not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_atomic)
+    - not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_ostree)
     - use_docker_engine is defined and use_docker_engine
 
 - name: ensure docker-engine repository is enabled
@@ -93,13 +93,13 @@
   with_items: "{{ dockerproject_repo_info.repos }}"
   when:
     - use_docker_engine is defined and use_docker_engine
-    - not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_atomic) and (dockerproject_repo_info.repos|length > 0)
+    - not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "RedHat", "Suse", "ClearLinux"] or is_ostree) and (dockerproject_repo_info.repos|length > 0)
 
 - name: Configure docker repository on Fedora
   template:
     src: "fedora_docker.repo.j2"
     dest: "{{ yum_repo_dir }}/docker.repo"
-  when: ansible_distribution == "Fedora" and not is_atomic
+  when: ansible_distribution == "Fedora" and not is_ostree
 
 - name: Configure docker repository on RedHat/CentOS/Oracle Linux
   yum_repository:
@@ -110,13 +110,13 @@
     gpgkey: "{{ docker_rh_repo_gpgkey }}"
     keepcache: "{{ docker_rpm_keepcache | default('1') }}"
     proxy: " {{ http_proxy | default('_none_') }}"
-  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_atomic
+  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_ostree
 
 - name: check if container-selinux is available
   yum:
     list: "container-selinux"
   register: yum_result
-  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_ostree
 
 - name: Configure extras repository on RedHat/CentOS if container-selinux is not available in current repos
   yum_repository:
@@ -130,7 +130,7 @@
     keepcache: "{{ docker_rpm_keepcache | default('1') }}"
     proxy: " {{ http_proxy | default('_none_') }}"
   when:
-    - ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+    - ansible_distribution in ["CentOS","RedHat"] and not is_ostree
     - yum_result.results | length == 0
 
 - name: Copy yum.conf for editing
@@ -138,7 +138,7 @@
     src: "{{ yum_conf }}"
     dest: "{{ docker_yum_conf }}"
     remote_src: yes
-  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_atomic
+  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_ostree
 
 - name: Edit copy of yum.conf to set obsoletes=0
   lineinfile:
@@ -146,7 +146,7 @@
     state: present
     regexp: '^obsoletes='
     line: 'obsoletes=0'
-  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_atomic
+  when: ansible_distribution in ["CentOS","RedHat","OracleLinux"] and not is_ostree
 
 - name: ensure docker packages are installed
   action: "{{ docker_package_info.pkg_mgr }}"
@@ -162,7 +162,7 @@
   delay: "{{ retry_stagger | d(3) }}"
   with_items: "{{ docker_package_info.pkgs }}"
   notify: restart docker
-  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "ClearLinux"] or is_atomic) and (docker_package_info.pkgs|length > 0)
+  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk", "ClearLinux"] or is_ostree) and (docker_package_info.pkgs|length > 0)
   ignore_errors: true
 
 - name: Ensure docker packages are installed

roles/container-engine/docker/tasks/pre-upgrade.yml

@@ -5,7 +5,7 @@
     state: absent
   when:
     - ansible_distribution in ["CentOS","RedHat","OracleLinux"]
-    - not is_atomic
+    - not is_ostree
 
 - name: Ensure old versions of Docker are not installed. | Debian
   apt:
@@ -22,4 +22,4 @@
   when:
     - ansible_os_family == 'RedHat'
     - (docker_versioned_pkg[docker_version | string] is search('docker-ce'))
-    - not is_atomic
+    - not is_ostree

roles/container-engine/docker/tasks/systemd.yml

@@ -15,7 +15,7 @@
   # noqa 303 - systemctl is called intentionally here
   shell: systemctl --version | head -n 1 | cut -d " " -f 2
   register: systemd_version
-  when: not is_atomic
+  when: not is_ostree
   changed_when: false
 
 - name: Write docker.service systemd file
@@ -24,7 +24,7 @@
     dest: /etc/systemd/system/docker.service
   register: docker_service_file
   notify: restart docker
-  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] or is_atomic)
+  when: not (ansible_os_family in ["CoreOS", "Coreos", "Container Linux by CoreOS", "Flatcar", "Flatcar Container Linux by Kinvolk"] or is_ostree)
 
 - name: Write docker options systemd drop-in
   template:

roles/container-engine/docker/templates/docker.service.j2

@@ -32,7 +32,7 @@ ExecStart={{ docker_bin_dir }}/docker{% if installed_docker_version.stdout is ve
           $DOCKER_NETWORK_OPTIONS \
           $DOCKER_DNS_OPTIONS \
           $INSECURE_REGISTRY
-{% if not is_atomic and systemd_version.stdout|int >= 226 %}
+{% if not is_ostree and systemd_version.stdout|int >= 226 %}
 TasksMax=infinity
 {% endif %}
 LimitNOFILE=1048576