Split deploy steps in separate playbooks: part1 (#3451)

* Fix bootstrap_os/ubuntu idempotency

* Update bastion role

* move container_engine in sub-roles

* requires ansible 2.5

* ubuntu18 as first CI job

roles/container-engine/cri-o/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+crio_rhel_repo_base_url: 'https://cbs.centos.org/repos/paas7-openshift-origin311-candidate/x86_64/os/'

roles/container-engine/cri-o/files/mounts.conf

@@ -0,0 +1 @@
+/usr/share/rhel/secrets:/run/secrets

roles/container-engine/cri-o/tasks/main.yaml

@@ -0,0 +1,56 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files:
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}.yml"
+        - "{{ ansible_os_family|lower }}-{{ ansible_architecture }}.yml"
+        - "{{ ansible_os_family|lower }}.yml"
+        - defaults.yml
+      paths:
+        - ../vars
+      skip: true
+  tags:
+    - facts
+
+- name: Add OpenShift Origin repository
+  yum_repository:
+    name: origin
+    description: OpenShift Origin Repo
+    baseurl: "{{ crio_rhel_repo_base_url }}"
+    gpgcheck: no
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+
+- name: Install cri-o packages
+  package:
+    name: "{{ item }}"
+    state: present
+  with_items: "{{ crio_packages }}"
+
+- name: Install cri-o config
+  template:
+    src: crio.conf.j2
+    dest: /etc/crio/crio.conf
+
+- name: Copy mounts.conf
+  copy:
+    src: mounts.conf
+    dest: /etc/containers/mounts.conf
+  when:
+    - ansible_os_family == 'RedHat'
+
+- name: Create directory for oci hooks
+  file:
+    path: /etc/containers/oci/hooks.d
+    state: directory
+    owner: root
+    mode: 0755
+
+- name: Install cri-o service
+  service:
+    name: "{{ crio_service }}"
+    enabled: yes
+    state: restarted

roles/container-engine/cri-o/templates/crio.conf.j2

@@ -0,0 +1,234 @@
+
+# The "crio" table contains all of the server options.
+[crio]
+
+# CRI-O reads its storage defaults from the containers/storage configuration
+# file, /etc/containers/storage.conf. Modify storage.conf if you want to
+# change default storage for all tools that use containers/storage.  If you
+# want to modify just crio, you can change the storage configuration in this
+# file.
+
+# root is a path to the "root directory". CRIO stores all of its data,
+# including container images, in this directory.
+#root = "/var/lib/containers/storage"
+
+# run is a path to the "run directory". CRIO stores all of its state
+# in this directory.
+#runroot = "/var/run/containers/storage"
+
+# storage_driver select which storage driver is used to manage storage
+# of images and containers.
+storage_driver = "overlay2"
+
+# storage_option is used to pass an option to the storage driver.
+#storage_option = [
+#]
+
+# The "crio.api" table contains settings for the kubelet/gRPC interface.
+[crio.api]
+
+# listen is the path to the AF_LOCAL socket on which crio will listen.
+listen = "/var/run/crio/crio.sock"
+
+# stream_address is the IP address on which the stream server will listen
+stream_address = ""
+
+# stream_port is the port on which the stream server will listen
+stream_port = "10010"
+
+# stream_enable_tls enables encrypted tls transport of the stream server
+stream_enable_tls = false
+
+# stream_tls_cert is the x509 certificate file path used to serve the encrypted stream.
+# This file can change, and CRIO will automatically pick up the changes within 5 minutes.
+stream_tls_cert = ""
+
+# stream_tls_key is the key file path used to serve the encrypted stream.
+# This file can change, and CRIO will automatically pick up the changes within 5 minutes.
+stream_tls_key = ""
+
+# stream_tls_ca is the x509 CA(s) file used to verify and authenticate client
+# communication with the tls encrypted stream.
+# This file can change, and CRIO will automatically pick up the changes within 5 minutes.
+stream_tls_ca = ""
+
+# file_locking is whether file-based locking will be used instead of
+# in-memory locking
+file_locking = true
+
+# The "crio.runtime" table contains settings pertaining to the OCI
+# runtime used and options for how to set up and manage the OCI runtime.
+[crio.runtime]
+
+# runtime is the OCI compatible runtime used for trusted container workloads.
+# This is a mandatory setting as this runtime will be the default one
+# and will also be used for untrusted container workloads if
+# runtime_untrusted_workload is not set.
+runtime = "/usr/bin/runc"
+
+# runtime_untrusted_workload is the OCI compatible runtime used for untrusted
+# container workloads. This is an optional setting, except if
+# default_container_trust is set to "untrusted".
+runtime_untrusted_workload = ""
+
+# default_workload_trust is the default level of trust crio puts in container
+# workloads. It can either be "trusted" or "untrusted", and the default
+# is "trusted".
+# Containers can be run through different container runtimes, depending on
+# the trust hints we receive from kubelet:
+# - If kubelet tags a container workload as untrusted, crio will try first to
+# run it through the untrusted container workload runtime. If it is not set,
+# crio will use the trusted runtime.
+# - If kubelet does not provide any information about the container workload trust
+# level, the selected runtime will depend on the default_container_trust setting.
+# If it is set to "untrusted", then all containers except for the host privileged
+# ones, will be run by the runtime_untrusted_workload runtime. Host privileged
+# containers are by definition trusted and will always use the trusted container
+# runtime. If default_container_trust is set to "trusted", crio will use the trusted
+# container runtime for all containers.
+default_workload_trust = "trusted"
+
+# no_pivot instructs the runtime to not use pivot_root, but instead use MS_MOVE
+no_pivot = false
+
+# conmon is the path to conmon binary, used for managing the runtime.
+conmon = "/usr/libexec/crio/conmon"
+
+# conmon_env is the environment variable list for conmon process,
+# used for passing necessary environment variable to conmon or runtime.
+conmon_env = [
+	"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
+]
+
+# selinux indicates whether or not SELinux will be used for pod
+# separation on the host. If you enable this flag, SELinux must be running
+# on the host.
+selinux = {{ (preinstall_selinux_state == 'enforcing')|lower }}
+
+# seccomp_profile is the seccomp json profile path which is used as the
+# default for the runtime.
+seccomp_profile = "/etc/crio/seccomp.json"
+
+# apparmor_profile is the apparmor profile name which is used as the
+# default for the runtime.
+apparmor_profile = "crio-default"
+
+# cgroup_manager is the cgroup management implementation to be used
+# for the runtime.
+cgroup_manager = "cgroupfs"
+
+# default_capabilities is the list of capabilities to add and can be modified here.
+# If capabilities below is commented out, the default list of capabilities defined in the
+# spec will be added.
+# If capabilities is empty below, only the capabilities defined in the container json
+# file by the user/kube will be added.
+default_capabilities = [
+	"CHOWN", 
+	"DAC_OVERRIDE", 
+	"FSETID", 
+	"FOWNER", 
+	"NET_RAW", 
+	"SETGID", 
+	"SETUID", 
+	"SETPCAP", 
+	"NET_BIND_SERVICE", 
+	"SYS_CHROOT", 
+	"KILL", 
+]
+
+# hooks_dir_path is the oci hooks directory for automatically executed hooks
+hooks_dir_path = "/usr/share/containers/oci/hooks.d"
+
+# default_mounts is the mounts list to be mounted for the container when created
+# deprecated, will be taken out in future versions, add default mounts to either
+# /usr/share/containers/mounts.conf or /etc/containers/mounts.conf
+default_mounts = [
+]
+
+# CRI-O reads its default mounts from the following two files:
+# 1) /etc/containers/mounts.conf - this is the override file, where users can
+# either add in their own default mounts, or override the default mounts shipped
+# with the package.
+# 2) /usr/share/containers/mounts.conf - this is the default file read for mounts.
+# If you want CRI-O to read from a different, specific mounts file, you can change
+# the default_mounts_file path right below. Note, if this is done, CRI-O will only add
+# mounts it finds in this file.
+
+# default_mounts_file is the file path holding the default mounts to be mounted for the
+# container when created.
+# default_mounts_file = ""
+
+# pids_limit is the number of processes allowed in a container
+pids_limit = 1024
+
+# log_size_max is the max limit for the container log size in bytes.
+# Negative values indicate that no limit is imposed.
+log_size_max = -1
+
+# read-only indicates whether all containers will run in read-only mode
+read_only = false
+
+# The "crio.image" table contains settings pertaining to the
+# management of OCI images.
+
+# uid_mappings specifies the UID mappings to have in the user namespace.
+# A range is specified in the form containerUID:HostUID:Size.  Multiple
+# ranges are separed by comma.
+uid_mappings = ""
+
+# gid_mappings specifies the GID mappings to have in the user namespace.
+# A range is specified in the form containerGID:HostGID:Size.  Multiple
+# ranges are separed by comma.
+gid_mappings = ""
+
+[crio.image]
+
+# default_transport is the prefix we try prepending to an image name if the
+# image name as we receive it can't be parsed as a valid source reference
+default_transport = "docker://"
+
+# pause_image is the image which we use to instantiate infra containers.
+pause_image = "docker://k8s.gcr.io/pause:3.1"
+
+# pause_command is the command to run in a pause_image to have a container just
+# sit there.  If the image contains the necessary information, this value need
+# not be specified.
+pause_command = "/pause"
+
+# signature_policy is the name of the file which decides what sort of policy we
+# use when deciding whether or not to trust an image that we've pulled.
+# Outside of testing situations, it is strongly advised that this be left
+# unspecified so that the default system-wide policy will be used.
+signature_policy = ""
+
+# image_volumes controls how image volumes are handled.
+# The valid values are mkdir and ignore.
+image_volumes = "mkdir"
+
+# CRI-O reads its configured registries defaults from the containers/image configuration
+# file, /etc/containers/registries.conf. Modify registries.conf if you want to
+# change default registries for all tools that use containers/image.  If you
+# want to modify just crio, you can change the registies configuration in this
+# file.
+
+# insecure_registries is used to skip TLS verification when pulling images.
+insecure_registries = [
+  "{{ kube_service_addresses }}"
+]
+
+# registries is used to specify a comma separated list of registries to be used
+# when pulling an unqualified image (e.g. fedora:rawhide).
+registries = [
+  "docker.io"
+]
+
+# The "crio.network" table contains settings pertaining to the
+# management of CNI plugins.
+[crio.network]
+
+# network_dir is where CNI network configuration
+# files are stored.
+network_dir = "/etc/cni/net.d/"
+
+# plugin_dir is where CNI plugin binaries are stored.
+plugin_dir = "/opt/cni/bin/"

roles/container-engine/cri-o/vars/fedora.yml

@@ -0,0 +1,5 @@
+---
+crio_packages:
+  - cri-o
+
+crio_service: cri-o

roles/container-engine/cri-o/vars/redhat.yml

@@ -0,0 +1,7 @@
+---
+crio_packages:
+  - cri-o
+  - cri-tools
+  - oci-systemd-hook
+
+crio_service: crio

roles/container-engine/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+## DNS
+dns_domain: cluster.local
+dns_servers: []
+upstream_dns_servers: []
+searchdomains: []

roles/container-engine/docker/defaults/main.yml

@@ -0,0 +1,46 @@
+---
+docker_version: '18.06'
+docker_selinux_version: '17.03'
+
+docker_package_info:
+  pkgs:
+
+docker_repo_key_info:
+  repo_keys:
+
+docker_repo_info:
+  repos:
+
+dockerproject_repo_key_info:
+  repo_keys:
+
+dockerproject_repo_info:
+  repos:
+
+docker_dns_servers_strict: true
+
+docker_container_storage_setup: false
+
+# Used to override obsoletes=0
+yum_conf: /etc/yum.conf
+yum_repo_dir: /etc/yum.repos.d
+docker_yum_conf: /etc/yum_docker.conf
+
+# Fedora docker-ce repo
+docker_fedora_repo_base_url: 'https://download.docker.com/linux/fedora/$releasever/$basearch/stable'
+docker_fedora_repo_gpgkey: 'https://download.docker.com/linux/fedora/gpg'
+# CentOS/RedHat docker-ce repo
+docker_rh_repo_base_url: 'https://download.docker.com/linux/centos/7/$basearch/stable'
+docker_rh_repo_gpgkey: 'https://download.docker.com/linux/centos/gpg'
+# Ubuntu docker-ce repo
+docker_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu"
+docker_ubuntu_repo_gpgkey: 'https://download.docker.com/linux/ubuntu/gpg'
+# Debian docker-ce repo
+docker_debian_repo_base_url: "https://download.docker.com/linux/debian"
+docker_debian_repo_gpgkey: 'https://download.docker.com/linux/debian/gpg'
+# dockerproject repo
+dockerproject_rh_repo_base_url: 'https://yum.dockerproject.org/repo/main/centos/7'
+dockerproject_rh_repo_gpgkey: 'https://yum.dockerproject.org/gpg'
+dockerproject_apt_repo_base_url: 'https://apt.dockerproject.org/repo'
+dockerproject_apt_repo_gpgkey: 'https://apt.dockerproject.org/gpg'
+docker_bin_dir: "/usr/bin"

roles/container-engine/docker/docker-storage/defaults/main.yml

@@ -0,0 +1,18 @@
+---
+docker_container_storage_setup_version: v0.6.0
+docker_container_storage_setup_profile_name: kubespray
+docker_container_storage_setup_storage_driver: devicemapper
+docker_container_storage_setup_container_thinpool: docker-pool
+# It must be define a disk path for docker_container_storage_setup_devs.
+# Otherwise docker-storage-setup will be executed incorrectly.
+# docker_container_storage_setup_devs: /dev/vdb
+docker_container_storage_setup_data_size: 40%FREE
+docker_container_storage_setup_min_data_size: 2G
+docker_container_storage_setup_chunk_size: 512K
+docker_container_storage_setup_growpart: "false"
+docker_container_storage_setup_auto_extend_pool: "yes"
+docker_container_storage_setup_pool_autoextend_threshold: 60
+docker_container_storage_setup_pool_autoextend_percent: 20
+docker_container_storage_setup_device_wait_timeout: 60
+docker_container_storage_setup_wipe_signatures: "false"
+docker_container_storage_setup_container_root_lv_size: 40%FREE

roles/container-engine/docker/docker-storage/files/install_container_storage_setup.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+
+set -e
+
+version=${1:-master}
+profile_name=${2:-kubespray}
+dir=`mktemp -d`
+export GIT_DIR=$dir/.git
+export GIT_WORK_TREE=$dir
+
+git init
+git fetch --depth 1 https://github.com/projectatomic/container-storage-setup.git $version
+git merge FETCH_HEAD
+make -C $dir install
+rm -rf /var/lib/container-storage-setup/$profile_name $dir
+
+set +e
+
+/usr/bin/container-storage-setup create $profile_name /etc/sysconfig/docker-storage-setup && /usr/bin/container-storage-setup activate $profile_name
+# FIXME: exit status can be 1 for both fatal and non fatal errors in current release, 
+# could be improved by matching error strings 
+exit 0

roles/container-engine/docker/docker-storage/tasks/main.yml

@@ -0,0 +1,43 @@
+---
+
+- name: docker-storage-setup | install git and make
+  with_items: [git, make]
+  package:
+    pkg: "{{ item }}"
+    state: present
+
+- name: docker-storage-setup | docker-storage-setup sysconfig template
+  template:
+    src: docker-storage-setup.j2
+    dest: /etc/sysconfig/docker-storage-setup
+
+- name: docker-storage-override-directory | docker service storage-setup override dir
+  file:
+    dest: /etc/systemd/system/docker.service.d
+    mode: 0755
+    owner: root
+    group: root
+    state: directory
+
+- name: docker-storage-override | docker service storage-setup override file
+  copy:
+    dest: /etc/systemd/system/docker.service.d/override.conf
+    content: |-
+      ### This file is managed by Ansible
+      [Service]
+      EnvironmentFile=-/etc/sysconfig/docker-storage
+
+    owner: root
+    group: root
+    mode: 0644
+
+# https://docs.docker.com/engine/installation/linux/docker-ce/centos/#install-using-the-repository
+- name: docker-storage-setup | install lvm2
+  yum:
+    name: lvm2
+    state: present
+
+- name: docker-storage-setup | install and run container-storage-setup
+  become: yes
+  script: install_container_storage_setup.sh {{ docker_container_storage_setup_version }} {{ docker_container_storage_setup_profile_name }}
+  notify: Docker | reload systemd

roles/container-engine/docker/docker-storage/templates/docker-storage-setup.j2

@@ -0,0 +1,35 @@
+{%if docker_container_storage_setup_storage_driver is defined%}STORAGE_DRIVER={{docker_container_storage_setup_storage_driver}}{%endif%}
+
+{%if docker_container_storage_setup_extra_storage_options is defined%}EXTRA_STORAGE_OPTIONS={{docker_container_storage_setup_extra_storage_options}}{%endif%}
+
+{%if docker_container_storage_setup_devs is defined%}DEVS={{docker_container_storage_setup_devs}}{%endif%}
+
+{%if docker_container_storage_setup_container_thinpool is defined%}CONTAINER_THINPOOL={{docker_container_storage_setup_container_thinpool}}{%endif%}
+
+{%if docker_container_storage_setup_vg is defined%}VG={{docker_container_storage_setup_vg}}{%endif%}
+
+{%if docker_container_storage_setup_root_size is defined%}ROOT_SIZE={{docker_container_storage_setup_root_size}}{%endif%}
+
+{%if docker_container_storage_setup_data_size is defined%}DATA_SIZE={{docker_container_storage_setup_data_size}}{%endif%}
+
+{%if docker_container_storage_setup_min_data_size is defined%}MIN_DATA_SIZE={{docker_container_storage_setup_min_data_size}}{%endif%}
+
+{%if docker_container_storage_setup_chunk_size is defined%}CHUNK_SIZE={{docker_container_storage_setup_chunk_size}}{%endif%}
+
+{%if docker_container_storage_setup_growpart is defined%}GROWPART={{docker_container_storage_setup_growpart}}{%endif%}
+
+{%if docker_container_storage_setup_auto_extend_pool is defined%}AUTO_EXTEND_POOL={{docker_container_storage_setup_auto_extend_pool}}{%endif%}
+
+{%if docker_container_storage_setup_pool_autoextend_threshold is defined%}POOL_AUTOEXTEND_THRESHOLD={{docker_container_storage_setup_pool_autoextend_threshold}}{%endif%}
+
+{%if docker_container_storage_setup_pool_autoextend_percent is defined%}POOL_AUTOEXTEND_PERCENT={{docker_container_storage_setup_pool_autoextend_percent}}{%endif%}
+
+{%if docker_container_storage_setup_device_wait_timeout is defined%}DEVICE_WAIT_TIMEOUT={{docker_container_storage_setup_device_wait_timeout}}{%endif%}
+
+{%if docker_container_storage_setup_wipe_signatures is defined%}WIPE_SIGNATURES={{docker_container_storage_setup_wipe_signatures}}{%endif%}
+
+{%if docker_container_storage_setup_container_root_lv_name is defined%}CONTAINER_ROOT_LV_NAME={{docker_container_storage_setup_container_root_lv_name}}{%endif%}
+
+{%if docker_container_storage_setup_container_root_lv_size is defined%}CONTAINER_ROOT_LV_SIZE={{docker_container_storage_setup_container_root_lv_size}}{%endif%}
+
+{%if docker_container_storage_setup_container_root_lv_mount_path is defined%}CONTAINER_ROOT_LV_MOUNT_PATH={{docker_container_storage_setup_container_root_lv_mount_path}}{%endif%}

roles/container-engine/docker/handlers/main.yml

@@ -0,0 +1,35 @@
+---
+- name: restart docker
+  command: /bin/true
+  notify:
+    - Docker | reload systemd
+    - Docker | reload docker.socket
+    - Docker | reload docker
+    - Docker | pause while Docker restarts
+    - Docker | wait for docker
+
+- name: Docker | reload systemd
+  shell: systemctl daemon-reload
+
+- name: Docker | reload docker.socket
+  service:
+    name: docker.socket
+    state: restarted
+  when: ansible_os_family in ['CoreOS', 'Container Linux by CoreOS']
+
+- name: Docker | reload docker
+  service:
+    name: docker
+    state: restarted
+
+- name: Docker | pause while Docker restarts
+  pause:
+    seconds: 10
+    prompt: "Waiting for docker restart"
+
+- name: Docker | wait for docker
+  command: "{{ docker_bin_dir }}/docker images"
+  register: docker_ready
+  retries: 10
+  delay: 5
+  until: docker_ready.rc == 0

roles/container-engine/docker/meta/main.yml

@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: container-engine/docker/docker-storage
+    when: docker_container_storage_setup and ansible_os_family == "RedHat"

roles/container-engine/docker/tasks/main.yml

@@ -0,0 +1,199 @@
+---
+- name: check if atomic host
+  stat:
+    path: /run/ostree-booted
+  register: ostree
+
+- set_fact:
+    is_atomic: "{{ ostree.stat.exists }}"
+
+- name: gather os specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files:
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}-{{ host_architecture }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ host_architecture }}.yml"
+        - "{{ ansible_distribution|lower }}.yml"
+        - "{{ ansible_os_family|lower }}-{{ host_architecture }}.yml"
+        - "{{ ansible_os_family|lower }}.yml"
+        - defaults.yml
+      paths:
+        - ../vars
+      skip: true
+  tags:
+    - facts
+
+# https://yum.dockerproject.org/repo/main/opensuse/ contains packages for an EOL
+# openSUSE version so we can't use it. The only alternative is to use the docker
+# packages from the distribution repositories.
+- name: Warn about Docker version on SUSE
+  debug:
+    msg: "SUSE distributions always install Docker from the distro repos"
+  when: ansible_pkg_mgr == 'zypper'
+
+- include_tasks: set_facts_dns.yml
+  when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
+  tags:
+    - facts
+
+- name: check for minimum kernel version
+  fail:
+    msg: >
+          docker requires a minimum kernel version of
+          {{ docker_kernel_min_version }} on
+          {{ ansible_distribution }}-{{ ansible_distribution_version }}
+  when: (not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]) and (ansible_kernel|version_compare(docker_kernel_min_version, "<"))
+  tags:
+    - facts
+
+- import_tasks: pre-upgrade.yml
+
+- name: ensure docker-ce repository public key is installed
+  action: "{{ docker_repo_key_info.pkg_key }}"
+  args:
+    id: "{{item}}"
+    url: "{{docker_repo_key_info.url}}"
+    state: present
+  register: keyserver_task_result
+  until: keyserver_task_result|succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
+  with_items: "{{ docker_repo_key_info.repo_keys }}"
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic)
+
+- name: ensure docker-ce repository is enabled
+  action: "{{ docker_repo_info.pkg_repo }}"
+  args:
+    repo: "{{item}}"
+    state: present
+  with_items: "{{ docker_repo_info.repos }}"
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) and (docker_repo_info.repos|length > 0)
+
+- name: ensure docker-engine repository public key is installed
+  action: "{{ dockerproject_repo_key_info.pkg_key }}"
+  args:
+    id: "{{item}}"
+    url: "{{dockerproject_repo_key_info.url}}"
+    state: present
+  register: keyserver_task_result
+  until: keyserver_task_result|succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
+  with_items: "{{ dockerproject_repo_key_info.repo_keys }}"
+  when:
+    - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic)
+    - use_docker_engine is defined and use_docker_engine
+
+- name: ensure docker-engine repository is enabled
+  action: "{{ dockerproject_repo_info.pkg_repo }}"
+  args:
+    repo: "{{item}}"
+    state: present
+  with_items: "{{ dockerproject_repo_info.repos }}"
+  when:
+    - use_docker_engine is defined and use_docker_engine
+    - not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) and (dockerproject_repo_info.repos|length > 0)
+
+- name: Configure docker repository on Fedora
+  template:
+    src: "fedora_docker.repo.j2"
+    dest: "{{ yum_repo_dir }}/docker.repo"
+  when: ansible_distribution == "Fedora" and not is_atomic
+
+- name: Configure docker repository on RedHat/CentOS
+  template:
+    src: "rh_docker.repo.j2"
+    dest: "{{ yum_repo_dir }}/docker.repo"
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+
+- name: Copy yum.conf for editing
+  copy:
+    src: "{{ yum_conf }}"
+    dest: "{{ docker_yum_conf }}"
+    remote_src: yes
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+
+- name: Edit copy of yum.conf to set obsoletes=0
+  lineinfile:
+    path: "{{ docker_yum_conf }}"
+    state: present
+    regexp: '^obsoletes='
+    line: 'obsoletes=0'
+  when: ansible_distribution in ["CentOS","RedHat"] and not is_atomic
+
+
+- name: ensure docker packages are installed
+  action: "{{ docker_package_info.pkg_mgr }}"
+  args:
+    pkg: "{{item.name}}"
+    force: "{{item.force|default(omit)}}"
+    conf_file: "{{item.yum_conf|default(omit)}}"
+    state: present
+    update_cache: "{{ omit if ansible_distribution == 'Fedora' else True }}"
+  register: docker_task_result
+  until: docker_task_result|succeeded
+  retries: 4
+  delay: "{{ retry_stagger | d(3) }}"
+  with_items: "{{ docker_package_info.pkgs }}"
+  notify: restart docker
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0)
+  ignore_errors: true
+
+- name: get available packages on Ubuntu
+  command: apt-cache policy docker-ce
+  when:
+    - docker_task_result|failed
+    - ansible_distribution == 'Ubuntu'
+  register: available_packages
+
+- name: show available packages on ubuntu
+  fail:
+    msg: "{{available_packages}}"
+  when:
+    - docker_task_result|failed
+    - ansible_distribution == 'Ubuntu'
+
+# This is required to ensure any apt upgrade will not break kubernetes
+- name: Set docker pin priority to apt_preferences on Debian family
+  template:
+    src: "apt_preferences.d/debian_docker.j2"
+    dest: "/etc/apt/preferences.d/docker"
+    owner: "root"
+    mode: 0644
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic)
+
+- name: ensure service is started if docker packages are already present
+  service:
+    name: docker
+    state: started
+  when: docker_task_result is not changed
+
+- name: flush handlers so we can wait for docker to come up
+  meta: flush_handlers
+
+- name: set fact for docker_version
+  command: "docker version -f '{{ '{{' }}.Client.Version{{ '}}' }}'"
+  register: installed_docker_version
+  changed_when: false
+
+- name: check minimum docker version for docker_dns mode. You need at least docker version >= 1.12 for resolvconf_mode=docker_dns
+  fail:
+    msg: "You need at least docker version >= 1.12 for resolvconf_mode=docker_dns"
+  when: >
+        dns_mode != 'none' and
+        resolvconf_mode == 'docker_dns' and
+        installed_docker_version.stdout|version_compare('1.12', '<')
+
+- name: Set docker systemd config
+  import_tasks: systemd.yml
+
+- name: ensure docker service is started and enabled
+  service:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
+  with_items:
+    - docker

roles/container-engine/docker/tasks/pre-upgrade.yml

@@ -0,0 +1,32 @@
+---
+- name: Ensure old versions of Docker are not installed. | Debian
+  package:
+    name: '{{ item }}'
+    state: absent
+  with_items:
+    - docker
+    - docker-engine
+    - docker.io
+  when:
+    - ansible_os_family == 'Debian'
+    - (docker_versioned_pkg[docker_version | string] | search('docker-ce'))
+
+- name: Ensure old versions of Docker are not installed. | RedHat
+  package:
+    name: '{{ item }}'
+    state: absent
+  with_items:
+    - docker
+    - docker-common
+    - docker-engine
+    - docker-selinux
+    - docker-client
+    - docker-client-latest
+    - docker-latest
+    - docker-latest-logrotate
+    - docker-logrotate
+    - docker-engine-selinux
+  when:
+    - ansible_os_family == 'RedHat'
+    - (docker_versioned_pkg[docker_version | string] | search('docker-ce'))
+    - not is_atomic

roles/container-engine/docker/tasks/set_facts_dns.yml

@@ -0,0 +1,71 @@
+---
+
+- name: set dns server for docker
+  set_fact:
+    docker_dns_servers: "{{dns_servers}}"
+
+- name: show docker_dns_servers
+  debug:
+    msg: "{{docker_dns_servers}}"
+
+- name: set base docker dns facts
+  set_fact:
+    docker_dns_search_domains:
+      - 'default.svc.{{ dns_domain }}'
+      - 'svc.{{ dns_domain }}'
+    docker_dns_options:
+      - ndots:{{ ndots }}
+      - timeout:2
+      - attempts:2
+
+
+- name: add upstream dns servers (only when dnsmasq is not used)
+  set_fact:
+    docker_dns_servers: "{{ docker_dns_servers + upstream_dns_servers|default([]) }}"
+  when: dns_mode in ['kubedns', 'coredns', 'coredns_dual']
+
+- name: add global searchdomains
+  set_fact:
+    docker_dns_search_domains: "{{ docker_dns_search_domains + searchdomains|default([]) }}"
+
+- name: check system nameservers
+  shell: grep "^nameserver" /etc/resolv.conf | sed 's/^nameserver\s*//'
+  changed_when: False
+  register: system_nameservers
+  check_mode: no
+
+- name: check system search domains
+  shell: grep "^search" /etc/resolv.conf | sed 's/^search\s*//'
+  changed_when: False
+  register: system_search_domains
+  check_mode: no
+
+- name: add system nameservers to docker options
+  set_fact:
+    docker_dns_servers: "{{ docker_dns_servers | union(system_nameservers.stdout_lines) | unique }}"
+  when: system_nameservers.stdout != ""
+
+- name: add system search domains to docker options
+  set_fact:
+    docker_dns_search_domains: "{{ docker_dns_search_domains | union(system_search_domains.stdout.split()|default([])) | unique }}"
+  when: system_search_domains.stdout != ""
+
+- name: check number of nameservers
+  fail:
+    msg: "Too many nameservers. You can relax this check by set docker_dns_servers_strict=false in all.yml and we will only use the first 3."
+  when: docker_dns_servers|length > 3 and docker_dns_servers_strict|bool
+
+- name: rtrim number of nameservers to 3
+  set_fact:
+    docker_dns_servers: "{{ docker_dns_servers[0:3] }}"
+  when: docker_dns_servers|length > 3 and not docker_dns_servers_strict|bool
+
+- name: check number of search domains
+  fail:
+    msg: "Too many search domains"
+  when: docker_dns_search_domains|length > 6
+
+- name: check length of search domains
+  fail:
+    msg: "Search domains exceeded limit of 256 characters"
+  when: docker_dns_search_domains|join(' ')|length > 256

roles/container-engine/docker/tasks/systemd.yml

@@ -0,0 +1,41 @@
+---
+- name: Create docker service systemd directory if it doesn't exist
+  file:
+    path: /etc/systemd/system/docker.service.d
+    state: directory
+
+- name: Write docker proxy drop-in
+  template:
+    src: http-proxy.conf.j2
+    dest: /etc/systemd/system/docker.service.d/http-proxy.conf
+  notify: restart docker
+  when: http_proxy is defined or https_proxy is defined
+
+- name: get systemd version
+  shell: systemctl --version | head -n 1 | cut -d " " -f 2
+  register: systemd_version
+  when: not is_atomic
+  changed_when: false
+
+- name: Write docker.service systemd file
+  template:
+    src: docker.service.j2
+    dest: /etc/systemd/system/docker.service
+  register: docker_service_file
+  notify: restart docker
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic)
+
+- name: Write docker options systemd drop-in
+  template:
+    src: docker-options.conf.j2
+    dest: "/etc/systemd/system/docker.service.d/docker-options.conf"
+  notify: restart docker
+
+- name: Write docker dns systemd drop-in
+  template:
+    src: docker-dns.conf.j2
+    dest: "/etc/systemd/system/docker.service.d/docker-dns.conf"
+  notify: restart docker
+  when: dns_mode != 'none' and resolvconf_mode == 'docker_dns'
+
+- meta: flush_handlers

roles/container-engine/docker/templates/apt_preferences.d/debian_docker.j2

@@ -0,0 +1,3 @@
+Package: docker-ce
+Pin: version {{ docker_version }}.*
+Pin-Priority: 1001

roles/container-engine/docker/templates/docker-dns.conf.j2

@@ -0,0 +1,6 @@
+[Service]
+Environment="DOCKER_DNS_OPTIONS=\
+    {% for d in docker_dns_servers %}--dns {{ d }} {% endfor %} \
+    {% for d in docker_dns_search_domains %}--dns-search {{ d }} {% endfor %} \
+    {% for o in docker_dns_options %}--dns-opt {{ o }} {% endfor %} \
+"

roles/container-engine/docker/templates/docker-options.conf.j2

@@ -0,0 +1,5 @@
+[Service]
+Environment="DOCKER_OPTS={{ docker_options|default('') }} --iptables={{ docker_iptables_enabled | default('false') }}"
+{% if docker_mount_flags is defined and docker_mount_flags != "" %}
+MountFlags={{ docker_mount_flags }}
+{% endif %}

roles/container-engine/docker/templates/docker.service.j2

@@ -0,0 +1,46 @@
+[Unit]
+Description=Docker Application Container Engine
+Documentation=http://docs.docker.com
+{% if ansible_os_family == "RedHat" %}
+After=network.target docker-storage-setup.service
+Wants=docker-storage-setup.service
+{% elif ansible_os_family == "Debian" %}
+After=network.target docker.socket
+Wants=docker.socket
+{% elif ansible_os_family == "Suse" %}
+After=network.target containerd.socket containerd.service
+Requires=containerd.socket containerd.service
+{% endif %}
+
+[Service]
+Type=notify
+{% if docker_storage_options is defined %}
+Environment="DOCKER_STORAGE_OPTIONS={{ docker_storage_options }}"
+{% endif %}
+Environment=GOTRACEBACK=crash
+ExecReload=/bin/kill -s HUP $MAINPID
+Delegate=yes
+KillMode=process
+ExecStart={{ docker_bin_dir }}/docker{% if installed_docker_version.stdout|version_compare('17.03', '<') %} daemon{% else %}d{% endif %} \
+{% if ansible_os_family == "Suse" %}
+          --containerd /run/containerd/containerd.sock --add-runtime oci=/usr/bin/docker-runc \
+{% endif %}
+          $DOCKER_OPTS \
+          $DOCKER_STORAGE_OPTIONS \
+          $DOCKER_NETWORK_OPTIONS \
+          $DOCKER_DNS_OPTIONS \
+          $INSECURE_REGISTRY
+{% if not is_atomic and systemd_version.stdout|int >= 226 %}
+TasksMax=infinity
+{% endif %}
+LimitNOFILE=1048576
+LimitNPROC=1048576
+LimitCORE=infinity
+TimeoutStartSec=1min
+# restart the docker process if it exits prematurely
+Restart=on-failure
+StartLimitBurst=3
+StartLimitInterval=60s
+
+[Install]
+WantedBy=multi-user.target

roles/container-engine/docker/templates/fedora_docker.repo.j2

@@ -0,0 +1,7 @@
+[docker-ce]
+name=Docker-CE Repository
+baseurl={{ docker_fedora_repo_base_url }}
+enabled=1
+gpgcheck=1
+gpgkey={{ docker_fedora_repo_gpgkey }}
+{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}

roles/container-engine/docker/templates/http-proxy.conf.j2

@@ -0,0 +1,2 @@
+[Service]
+Environment={% if http_proxy is defined %}"HTTP_PROXY={{ http_proxy }}"{% endif %} {% if https_proxy is defined %}"HTTPS_PROXY={{ https_proxy }}"{% endif %} {% if no_proxy is defined %}"NO_PROXY={{ no_proxy }}"{% endif %}

roles/container-engine/docker/templates/rh_docker.repo.j2

@@ -0,0 +1,15 @@
+[docker-ce]
+name=Docker-CE Repository
+baseurl={{ docker_rh_repo_base_url }}
+enabled=1
+gpgcheck=1
+gpgkey={{ docker_rh_repo_gpgkey }}
+{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
+
+[docker-engine]
+name=Docker-Engine Repository
+baseurl={{ dockerproject_rh_repo_base_url }}
+enabled=1
+gpgcheck=1
+gpgkey={{ dockerproject_rh_repo_gpgkey }}
+{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}

roles/container-engine/docker/vars/debian.yml

@@ -0,0 +1,52 @@
+---
+docker_kernel_min_version: '3.10'
+
+# https://download.docker.com/linux/debian/
+# https://apt.dockerproject.org/repo/dists/debian-wheezy/main/filelist
+docker_versioned_pkg:
+  'latest': docker-ce
+  '1.11': docker-engine=1.11.2-0~{{ ansible_distribution_release|lower }}
+  '1.12': docker-engine=1.12.6-0~debian-{{ ansible_distribution_release|lower }}
+  '1.13': docker-engine=1.13.1-0~debian-{{ ansible_distribution_release|lower }}
+  '17.03': docker-ce=17.03.2~ce-0~debian-{{ ansible_distribution_release|lower }}
+  '17.06': docker-ce=17.06.2~ce-0~debian
+  '17.09': docker-ce=17.09.0~ce-0~debian
+  '17.12': docker-ce=17.12.1~ce-0~debian
+  '18.03': docker-ce=18.03.1~ce-0~debian
+  '18.06': docker-ce=18.06.1~ce~3-0~debian
+  'stable': docker-ce=18.06.1~ce~3-0~debian
+  'edge': docker-ce=17.12.1~ce-0~debian
+
+docker_package_info:
+  pkg_mgr: apt
+  pkgs:
+    - name: "{{ docker_versioned_pkg[docker_version | string] }}"
+      force: yes
+
+docker_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ docker_debian_repo_gpgkey }}'
+  repo_keys:
+    - 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
+docker_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb {{ docker_debian_repo_base_url }}
+       {{ ansible_distribution_release|lower }}
+       stable
+
+dockerproject_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ dockerproject_apt_repo_gpgkey }}'
+  repo_keys:
+    - 58118E89F3A912897C070ADBF76221572C52609D
+
+dockerproject_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb {{ dockerproject_apt_repo_base_url }}
+       {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
+       main

roles/container-engine/docker/vars/fedora.yml

@@ -0,0 +1,20 @@
+---
+docker_kernel_min_version: '0'
+
+# https://docs.docker.com/install/linux/docker-ce/fedora/
+
+docker_versioned_pkg:
+  'latest': docker-ce
+  '18.03': docker-ce-18.03.1.ce-3.fc28
+  '18.06': docker-ce-18.06.1.ce-3.fc28
+
+#
+# This is due to the fact that the docker
+# packages available on Fedora are too recent
+#
+docker_version: "latest"
+
+docker_package_info:
+  pkg_mgr: dnf
+  pkgs:
+    - name: "{{ docker_versioned_pkg[docker_version | string] }}"

roles/container-engine/docker/vars/redhat-aarch64.yml

@@ -0,0 +1,28 @@
+---
+docker_kernel_min_version: '0'
+
+# overide defaults, missing 17.03 for aarch64
+docker_version: '1.13'
+
+# http://mirror.centos.org/altarch/7/extras/aarch64/Packages/
+# or do 'yum --showduplicates list docker'
+docker_versioned_pkg:
+  'latest': docker
+  '1.12': docker-1.12.6-48.git0fdc778.el7
+  '1.13': docker-1.13.1-63.git94f4240.el7
+
+# https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
+# http://mirror.centos.org/altarch/7/extras/aarch64/Packages/
+
+docker_package_info:
+  pkg_mgr: yum
+  pkgs:
+    - name: "{{ docker_versioned_pkg[docker_version | string] }}"
+
+docker_repo_key_info:
+  pkg_key: ''
+  repo_keys: []
+
+docker_repo_info:
+  pkg_repo: ''
+  repos: []

roles/container-engine/docker/vars/redhat.yml

@@ -0,0 +1,56 @@
+---
+docker_kernel_min_version: '0'
+
+# https://docs.docker.com/engine/installation/linux/centos/#install-from-a-package
+# https://download.docker.com/linux/centos/7/x86_64/stable/Packages/
+# https://yum.dockerproject.org/repo/main/centos/7
+# or do 'yum --showduplicates list docker-engine'
+docker_versioned_pkg:
+  'latest': docker-ce
+  '1.11': docker-engine-1.11.2-1.el7.centos
+  '1.12': docker-engine-1.12.6-1.el7.centos
+  '1.13': docker-engine-1.13.1-1.el7.centos
+  '17.03': docker-ce-17.03.2.ce-1.el7.centos
+  '17.09': docker-ce-17.09.0.ce-1.el7.centos
+  '17.12': docker-ce-17.12.1.ce-1.el7.centos
+  '18.03': docker-ce-18.03.1.ce-1.el7.centos
+  '18.06': docker-ce-18.06.1.ce-3.el7
+  'stable': docker-ce-18.06.1.ce-3.el7
+  'edge': docker-ce-17.12.1.ce-1.el7.centos
+
+docker_selinux_versioned_pkg:
+  'latest': docker-ce-selinux
+  '1.11': docker-engine-selinux-1.11.2-1.el7.centos
+  '1.12': docker-engine-selinux-1.12.6-1.el7.centos
+  '1.13': docker-engine-selinux-1.13.1-1.el7.centos
+  '17.03': docker-ce-selinux-17.03.2.ce-1.el7.centos
+  'stable': docker-ce-selinux-17.03.2.ce-1.el7.centos
+  'edge': docker-ce-selinux-17.03.2.ce-1.el7.centos
+
+
+docker_pkgs_use_docker_ce:
+  - name: "{{ docker_selinux_versioned_pkg[docker_selinux_version | string] }}"
+    yum_conf: "{{ docker_yum_conf }}"
+  - name: "{{ docker_versioned_pkg[docker_version | string] }}"
+    yum_conf: "{{ docker_yum_conf }}"
+
+docker_pkgs:
+  - name: "{{ docker_versioned_pkg[docker_version | string] }}"
+    yum_conf: "{{ docker_yum_conf }}"
+
+docker_package_info:
+  pkg_mgr: yum
+  pkgs: |-
+    {%- if docker_version | version_compare('17.04', '<') -%}
+    {{ docker_pkgs_use_docker_ce }}
+    {%- else -%}
+    {{ docker_pkgs }}
+    {%- endif %}
+
+docker_repo_key_info:
+  pkg_key: ''
+  repo_keys: []
+
+docker_repo_info:
+  pkg_repo: ''
+  repos: []

roles/container-engine/docker/vars/suse.yml

@@ -0,0 +1,15 @@
+---
+docker_kernel_min_version: '0'
+
+docker_package_info:
+  pkg_mgr: zypper
+  pkgs:
+    - name: docker
+
+docker_repo_key_info:
+  pkg_key: ''
+  repo_keys: []
+
+docker_repo_info:
+  pkg_repo: ''
+  repos: []

roles/container-engine/docker/vars/ubuntu-amd64.yml

@@ -0,0 +1,49 @@
+---
+docker_kernel_min_version: '3.10'
+
+# https://download.docker.com/linux/ubuntu/
+docker_versioned_pkg:
+  'latest': docker-ce
+  '1.11': docker-engine=1.11.2-0~{{ ansible_distribution_release|lower }}
+  '1.12': docker-engine=1.12.6-0~ubuntu-{{ ansible_distribution_release|lower }}
+  '1.13': docker-engine=1.13.1-0~ubuntu-{{ ansible_distribution_release|lower }}
+  '17.03': docker-ce=17.03.2~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
+  '17.09': docker-ce=17.09.0~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
+  '17.12': docker-ce=17.12.1~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
+  '18.06': docker-ce=18.06.1~ce~3-0~ubuntu
+  'stable': docker-ce=18.06.1~ce~3-0~ubuntu
+  'edge': docker-ce=18.06.1~ce~3-0~ubuntu
+
+docker_package_info:
+  pkg_mgr: apt
+  pkgs:
+    - name: "{{ docker_versioned_pkg[docker_version | string] }}"
+      force: yes
+
+docker_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ docker_ubuntu_repo_gpgkey }}'
+  repo_keys:
+    - 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
+docker_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb {{ docker_ubuntu_repo_base_url }}
+       {{ ansible_distribution_release|lower }}
+       stable
+
+dockerproject_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ dockerproject_apt_repo_gpgkey }}'
+  repo_keys:
+    - 58118E89F3A912897C070ADBF76221572C52609D
+
+dockerproject_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb {{ dockerproject_apt_repo_base_url }}
+       {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
+       main

roles/container-engine/docker/vars/ubuntu-arm64.yml

@@ -0,0 +1,45 @@
+---
+docker_kernel_min_version: '3.10'
+docker_version: 18.06
+# https://download.docker.com/linux/ubuntu/
+docker_versioned_pkg:
+  'latest': docker-ce
+  '17.09': docker-ce=17.09.1~ce-0~ubuntu
+  '17.12': docker-ce=17.12.1~ce-0~ubuntu-{{ ansible_distribution_release|lower }}
+  '18.06': docker-ce=18.06.1~ce~3-0~ubuntu
+  'stable': docker-ce=18.06.1~ce~3-0~ubuntu
+  'edge': docker-ce=18.06.1~ce~3-0~ubuntu
+
+docker_package_info:
+  pkg_mgr: apt
+  pkgs:
+    - name: "{{ docker_versioned_pkg[docker_version | string] }}"
+      force: yes
+
+docker_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ docker_ubuntu_repo_gpgkey }}'
+  repo_keys:
+    - 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
+docker_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb {{ docker_ubuntu_repo_base_url }}
+       {{ ansible_distribution_release|lower }}
+       stable
+
+dockerproject_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ dockerproject_apt_repo_gpgkey }}'
+  repo_keys:
+    - 58118E89F3A912897C070ADBF76221572C52609D
+
+dockerproject_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb {{ dockerproject_apt_repo_base_url }}
+       {{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}
+       main

roles/container-engine/docker/vars/ubuntu-bionic.yml

@@ -0,0 +1,31 @@
+---
+docker_kernel_min_version: '3.10'
+
+use_docker_engine: false
+
+docker_versioned_pkg:
+  'latest': docker-ce
+  '18.03': docker-ce=18.03.1~ce-3-0~ubuntu
+  '18.06': docker-ce=18.06.1~ce~3-0~ubuntu
+  'stable': docker-ce=18.06.1~ce~3-0~ubuntu
+  'edge': docker-ce=18.06.1~ce~3-0~ubuntu
+
+docker_package_info:
+  pkg_mgr: apt
+  pkgs:
+    - name: "{{ docker_versioned_pkg[docker_version | string] }}"
+      force: yes
+
+docker_repo_key_info:
+  pkg_key: apt_key
+  url: '{{ docker_ubuntu_repo_gpgkey }}'
+  repo_keys:
+    - 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
+docker_repo_info:
+  pkg_repo: apt_repository
+  repos:
+    - >
+       deb [arch=amd64] {{ docker_ubuntu_repo_base_url }}
+       bionic
+       stable

roles/container-engine/meta/main.yml

@@ -0,0 +1,23 @@
+---
+dependencies:
+  - role: container-engine/cri-o
+    when:
+      - container_manager == 'crio'
+    tags:
+      - container-engine
+      - crio
+
+  - role: container-engine/rkt
+    when:
+      - container_manager == 'rkt'
+    tags:
+      - container-engine
+      - rkt
+
+  - role: container-engine/docker
+    when:
+      - container_manager == 'docker' or container_manager == "rkt"
+    tags:
+      - container-engine
+      - docker
+      - rkt

roles/container-engine/rkt/defaults/main.yml

@@ -0,0 +1,6 @@
+---
+
+rkt_version: 1.21.0
+rkt_pkg_version: "{{ rkt_version }}-1"
+rkt_download_src: https://github.com/coreos/rkt
+rkt_download_url: "{{ rkt_download_src }}/releases/download/v{{ rkt_version }}"

roles/container-engine/rkt/files/rkt-gc.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+rkt gc

roles/container-engine/rkt/tasks/install.yml

@@ -0,0 +1,54 @@
+---
+- name: gather os specific variables for rkt
+  include_vars: "{{ item }}"
+  with_first_found:
+    - files:
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release }}.yml"
+        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
+        - "{{ ansible_distribution|lower }}.yml"
+        - "{{ ansible_os_family|lower }}.yml"
+        - defaults.yml
+      paths:
+        - ../vars
+      skip: true
+  tags:
+    - facts
+
+- name: install rkt pkg on ubuntu
+  apt:
+    deb: "{{ rkt_download_url }}/{{ rkt_pkg_name }}"
+    state: present
+  register: rkt_task_result
+  until: rkt_task_result|succeeded
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  when: ansible_os_family == "Debian"
+
+- name: install rkt pkg on fedora
+  dnf:
+    name: rkt
+    state: present
+  when: ansible_distribution == "Fedora"
+
+- name: install rkt pkg on centos
+  yum:
+    pkg: "{{ rkt_download_url }}/{{ rkt_pkg_name }}"
+    state: present
+  register: rkt_task_result
+  until: rkt_task_result|succeeded
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  when:
+    - ansible_os_family == "RedHat"
+    - ansible_distribution != "Fedora"
+
+- name: install rkt pkg on openSUSE
+  zypper:
+    name: "{{ rkt_download_url }}/{{ rkt_pkg_name }}"
+    state: present
+  register: rkt_task_result
+  until: rkt_task_result|succeeded
+  retries: 4
+  delay: "{{ retry_stagger | random + 3 }}"
+  when: ansible_os_family == "Suse"

roles/container-engine/rkt/tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- name: Install rkt
+  import_tasks: install.yml
+  when: not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]
+
+- name: Set up cron job to do garbage cleanup
+  copy:
+    src: rkt-gc.sh
+    dest: /etc/cron.hourly/rkt-gc.sh
+    owner: root
+    group: root
+    mode: 0750
+  when: not ansible_os_family in ["CoreOS", "Container Linux by CoreOS"]

roles/container-engine/rkt/vars/debian.yml

@@ -0,0 +1,2 @@
+---
+rkt_pkg_name: "rkt_{{ rkt_pkg_version }}_amd64.deb"

roles/container-engine/rkt/vars/fedora.yml

@@ -0,0 +1,2 @@
+---
+rkt_pkg_name: "rkt-{{ rkt_pkg_version }}.x86_64.rpm"

roles/container-engine/rkt/vars/redhat.yml

@@ -0,0 +1,2 @@
+---
+rkt_pkg_name: "rkt-{{ rkt_pkg_version }}.x86_64.rpm"

roles/container-engine/rkt/vars/suse.yml

@@ -0,0 +1,2 @@
+---
+rkt_pkg_name: "rkt-{{ rkt_pkg_version }}.x86_64.rpm"