containerd: download containerd from upstream instead of using distro specific packages (#7970)

* Containerd: download containerd from upstream instead of using distro specific packages split runc download to separate role make bootstrap-os role deploy container-selinux and seccomp libraries clean up package manager provided containerd move variables to docker role that are no longer common with containerd * Containerd: make molecule testing more relevant * replace ubuntu18 with ubuntu20 * add centos8 and debian11 to molecule tests * run kubernetes/preinstall role to ensure relevancy of test including dependency packages * CI: adjust test scenarios for downloaded containerd
2026-01-31 17:19:17 -03:30 · 2021-10-20 18:47:58 +03:00
parent 10c30ea5b1
commit ea8e2fc651
55 changed files with 397 additions and 312 deletions
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 containerd_storage_dir: "/var/lib/containerd"
 containerd_state_dir: "/run/containerd"
+containerd_systemd_dir: "/etc/systemd/system/containerd.service.d"
 containerd_oom_score: 0

 containerd_default_runtime: "runc"
@@ -35,39 +36,6 @@ containerd_max_container_log_line_size: -1

 containerd_cfg_dir: /etc/containerd

-# Path to runc binary
-runc_binary: /usr/bin/runc
-
-yum_repo_dir: /etc/yum.repos.d
-
-# Optional values for containerd apt repo
-containerd_package_info:
-  pkgs:
-
-containerd_repo_key_info:
-  repo_keys:
-
-containerd_repo_info:
-  repos:
-
-# Ubuntu docker-ce repo
-containerd_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu"
-containerd_ubuntu_repo_gpgkey: "https://download.docker.com/linux/ubuntu/gpg"
-containerd_ubuntu_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
-containerd_ubuntu_repo_component: "stable"
-
-# Debian docker-ce repo
-containerd_debian_repo_base_url: "https://download.docker.com/linux/debian"
-containerd_debian_repo_gpgkey: "https://download.docker.com/linux/debian/gpg"
-containerd_debian_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
-containerd_debian_repo_component: "stable"
-
-# Fedora docker-ce repo
-containerd_fedora_repo_base_url: "https://download.docker.com/linux/fedora/{{ ansible_distribution_major_version }}/$basearch/stable"
-containerd_fedora_repo_gpgkey: "https://download.docker.com/linux/fedora/gpg"
-containerd_fedora_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
-containerd_fedora_repo_component: "stable"
-
 # Extra config to be put in {{ containerd_cfg_dir }}/config.toml literally
 containerd_extra_args: ''

--- a/roles/container-engine/containerd/meta/main.yml
+++ b/roles/container-engine/containerd/meta/main.yml
@@ -1,3 +1,5 @@
 ---
 dependencies:
  - role: container-engine/containerd-common
+  - role: container-engine/runc
+  - role: container-engine/crictl
--- a/roles/container-engine/containerd/molecule/default/converge.yml
+++ b/roles/container-engine/containerd/molecule/default/converge.yml
@@ -2,6 +2,8 @@
 - name: Converge
  hosts: all
  become: true
+  vars:
+    container_manager: containerd
  roles:
    - role: kubespray-defaults
    - role: container-engine/containerd
--- a/roles/container-engine/containerd/molecule/default/molecule.yml
+++ b/roles/container-engine/containerd/molecule/default/molecule.yml
@@ -7,12 +7,30 @@ lint: |
  set -e
  yamllint -c ../../../.yamllint .
 platforms:
-  - name: ubuntu18
-    box: generic/ubuntu1804
-    cpus: 2
+  - name: ubuntu20
+    box: generic/ubuntu2004
+    cpus: 1
    memory: 1024
    groups:
      - kube_control_plane
+      - kube_node
+      - k8s_cluster
+  - name: debian11
+    box: generic/debian11
+    cpus: 1
+    memory: 1024
+    groups:
+      - kube_control_plane
+      - kube_node
+      - k8s_cluster
+  - name: centos8
+    box: generic/centos8
+    cpus: 1
+    memory: 1024
+    groups:
+      - kube_control_plane
+      - kube_node
+      - k8s_cluster
 provisioner:
  name: ansible
  env:
--- a/roles/container-engine/containerd/molecule/default/prepare.yml
+++ b/roles/container-engine/containerd/molecule/default/prepare.yml
@@ -2,5 +2,10 @@
 - name: Prepare
  hosts: all
  gather_facts: False
+  become: true
+  vars:
+    ignore_assert_errors: true
  roles:
+    - role: kubespray-defaults
    - role: bootstrap-os
+    - { role: kubernetes/preinstall, tags: ["bootstrap-os"] }
--- a/roles/container-engine/containerd/tasks/containerd_repo.yml
+++ b/roles/container-engine/containerd/tasks/containerd_repo.yml
@@ -1,36 +0,0 @@
---
- name: ensure containerd repository public key is installed
-  apt_key:
-    id: "{{ item }}"
-    url: "{{ containerd_repo_key_info.url }}"
-    state: present
-  register: keyserver_task_result
-  until: keyserver_task_result is succeeded
-  retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
-  with_items: "{{ containerd_repo_key_info.repo_keys }}"
-  environment: "{{ proxy_env }}"
-  when: ansible_pkg_mgr == 'apt'
-
- name: ensure containerd repository is enabled
-  apt_repository:
-    repo: "{{ item }}"
-    state: present
-  with_items: "{{ containerd_repo_info.repos }}"
-  when: ansible_pkg_mgr == 'apt'
-
- name: Configure containerd repository on Fedora
-  template:
-    src: "fedora_containerd.repo.j2"
-    dest: "{{ yum_repo_dir }}/containerd.repo"
-    mode: 0644
-  when: ansible_distribution == "Fedora"
-
- name: Configure containerd repository on RedHat/OracleLinux/CentOS/AlmaLinux
-  template:
-    src: "rh_containerd.repo.j2"
-    dest: "{{ yum_repo_dir }}/containerd.repo"
-    mode: 0644
-  when:
-    - ansible_os_family == "RedHat"
-    - ansible_distribution not in ["Fedora", "Amazon"]
--- a/roles/container-engine/containerd/tasks/main.yml
+++ b/roles/container-engine/containerd/tasks/main.yml
@@ -1,41 +1,10 @@
 ---
- name: check if fedora coreos
-  stat:
-    path: /run/ostree-booted
-    get_attributes: no
-    get_checksum: no
-    get_mime: no
-  register: ostree
-
- name: set is_ostree
-  set_fact:
-    is_ostree: "{{ ostree.stat.exists }}"
-
 - name: Fail containerd setup if distribution is not supported
  fail:
    msg: "{{ ansible_distribution }} is not supported by containerd."
  when:
    - not ansible_distribution in ["CentOS", "OracleLinux", "RedHat", "Ubuntu", "Debian", "Fedora", "AlmaLinux", "Rocky", "Amazon", "Flatcar", "Flatcar Container Linux by Kinvolk"]

- name: gather os specific variables
-  include_vars: "{{ item }}"
-  with_first_found:
-    - files:
-        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
-        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}-{{ host_architecture }}.yml"
-        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}.yml"
-        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
-        - "{{ ansible_distribution|lower }}-{{ host_architecture }}.yml"
-        - "{{ ansible_distribution|lower }}.yml"
-        - "{{ ansible_os_family|lower }}-{{ host_architecture }}.yml"
-        - "{{ ansible_os_family|lower }}.yml"
-        - defaults.yml
-      paths:
-        - ../vars
-      skip: true
-  tags:
-    - facts
-
 - name: disable unified_cgroup_hierarchy in Fedora 31+
  command: grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
  when:
@@ -52,32 +21,71 @@
    - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
    - not is_ostree

- include_tasks: containerd_repo.yml
-  when: not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk") or (ansible_distribution == "Flatcar"))
+- name: containerd | Remove any package manager controlled containerd package
+  package:
+    name: "{{ containerd_package }}"
+    state: absent
+  when:
+    - not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk") or (ansible_distribution == "Flatcar"))

- name: Create containerd service systemd directory if it doesn't exist
+- name: containerd | Remove containerd repository
  file:
-    path: /etc/systemd/system/containerd.service.d
-    state: directory
-    mode: 0755
+    path: "{{ yum_repo_dir }}/containerd.repo"
+    state: absent
+  when:
+    - ansible_os_family in ['RedHat']

- name: Write containerd proxy drop-in
+- name: containerd | Remove containerd repository
+  apt_repository:
+    repo: "{{ item }}"
+    state: absent
+  with_items: "{{ containerd_repo_info.repos }}"
+  when: ansible_pkg_mgr == 'apt'
+
+- name: containerd | Download containerd
+  include_tasks: "../../../download/tasks/download_file.yml"
+  vars:
+    download: "{{ download_defaults | combine(downloads.containerd) }}"
+
+- name: containerd | Unpack containerd archive
+  unarchive:
+    src: "{{ downloads.containerd.dest }}"
+    dest: "{{ containerd_bin_dir }}"
+    mode: 0755
+    remote_src: yes
+    extra_opts:
+      - --strip-components=1
+  notify: restart containerd
+
+- name: containerd | Generate systemd service for containerd
  template:
-    src: http-proxy.conf.j2
-    dest: /etc/systemd/system/containerd.service.d/http-proxy.conf
+    src: containerd.service.j2
+    dest: /etc/systemd/system/containerd.service
    mode: 0644
  notify: restart containerd
-  when: http_proxy is defined or https_proxy is defined

- name: ensure containerd config directory
+- name: containerd | Ensure containerd directories exist
  file:
-    dest: "{{ containerd_cfg_dir }}"
+    dest: "{{ item }}"
    state: directory
    mode: 0755
    owner: root
    group: root
+  with_items:
+    - "{{ containerd_systemd_dir }}"
+    - "{{ containerd_cfg_dir }}"
+    - "{{ containerd_storage_dir }}"
+    - "{{ containerd_state_dir }}"

- name: Copy containerd config file
+- name: containerd | Write containerd proxy drop-in
+  template:
+    src: http-proxy.conf.j2
+    dest: "{{ containerd_systemd_dir }}/http-proxy.conf"
+    mode: 0644
+  notify: restart containerd
+  when: http_proxy is defined or https_proxy is defined
+
+- name: containerd | Copy containerd config file
  template:
    src: config.toml.j2
    dest: "{{ containerd_cfg_dir }}/config.toml"
@@ -85,49 +93,12 @@
    mode: 0640
  notify: restart containerd

-# This is required to ensure any apt upgrade will not break kubernetes
- name: Set containerd pin priority to apt_preferences on Debian family
-  copy:
-    content: |
-      Package: {{ containerd_package }}
-      Pin: version {{ containerd_version }}*
-      Pin-Priority: 1001
-    dest: "/etc/apt/preferences.d/containerd"
-    owner: "root"
-    mode: 0644
-  when: ansible_pkg_mgr == 'apt'
-
- name: ensure containerd packages are installed
-  package:
-    name: "{{ containerd_package_info.pkgs }}"
-    state: present
-  module_defaults:
-    apt:
-      update_cache: true
-    dnf:
-      enablerepo: "{{ containerd_package_info.enablerepo | default(omit) }}"
-    yum:
-      enablerepo: "{{ containerd_package_info.enablerepo | default(omit) }}"
-    zypper:
-      update_cache: true
-  register: containerd_task_result
-  until: containerd_task_result is succeeded
-  retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
-  notify: restart containerd
-  when:
-    - not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk") or (ansible_distribution == "Flatcar"))
-    - containerd_package_info.pkgs|length > 0
-
- include_role:  # noqa unnamed-task
-    name: container-engine/crictl
-
 # you can sometimes end up in a state where everything is installed
 # but containerd was not started / enabled
- name: flush handlers
+- name: containerd | Flush handlers
  meta: flush_handlers

- name: ensure containerd is started and enabled
+- name: containerd | Ensure containerd is started and enabled
  service:
    name: containerd
    enabled: yes
--- a/roles/container-engine/containerd/templates/containerd.service.j2
+++ b/roles/container-engine/containerd/templates/containerd.service.j2
@@ -0,0 +1,40 @@
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target
+
+[Service]
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart={{ containerd_bin_dir }}/containerd
+
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/container-engine/containerd/templates/fedora_containerd.repo.j2
+++ b/roles/container-engine/containerd/templates/fedora_containerd.repo.j2
@@ -1,7 +0,0 @@
-[docker-ce]
-name=Docker-CE Repository
-baseurl={{ containerd_fedora_repo_base_url }}
-enabled=0
-gpgcheck={{ '1' if containerd_fedora_repo_gpgkey else '0' }}
-gpgkey={{ containerd_fedora_repo_gpgkey }}
-{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
--- a/roles/container-engine/containerd/templates/rh_containerd.repo.j2
+++ b/roles/container-engine/containerd/templates/rh_containerd.repo.j2
@@ -1,10 +0,0 @@
-[docker-ce]
-name=Docker-CE Repository
-baseurl={{ docker_rh_repo_base_url }}
-enabled=0
-gpgcheck={{ '1' if docker_rh_repo_gpgkey else '0' }}
-keepcache={{ docker_rpm_keepcache | default('1') }}
-gpgkey={{ docker_rh_repo_gpgkey }}
-{% if http_proxy is defined %}
-proxy={{ http_proxy }}
-{% endif %}
--- a/roles/container-engine/containerd/vars/amazon.yml
+++ b/roles/container-engine/containerd/vars/amazon.yml
@@ -1,5 +0,0 @@
---
-containerd_package_info:
-  enablerepo: "amzn2extra-docker"
-  pkgs:
-    - "{{ containerd_versioned_pkg[containerd_version | string] }}"
--- a/roles/container-engine/containerd/vars/debian.yml
+++ b/roles/container-engine/containerd/vars/debian.yml
@@ -1,13 +1,4 @@
 ---
-containerd_package_info:
-  pkgs:
-    - "{{ containerd_versioned_pkg[containerd_version | string] }}"
-
-containerd_repo_key_info:
-  url: '{{ containerd_debian_repo_gpgkey }}'
-  repo_keys:
-    - '{{ containerd_debian_repo_repokey }}'
-
 containerd_repo_info:
  repos:
    - >
--- a/roles/container-engine/containerd/vars/fedora.yml
+++ b/roles/container-engine/containerd/vars/fedora.yml
@@ -1,5 +0,0 @@
---
-containerd_package_info:
-  enablerepo: "docker-ce"
-  pkgs:
-    - "{{ containerd_versioned_pkg[containerd_version | string] }}"
--- a/roles/container-engine/containerd/vars/redhat.yml
+++ b/roles/container-engine/containerd/vars/redhat.yml
@@ -1,5 +0,0 @@
---
-containerd_package_info:
-  enablerepo: "docker-ce"
-  pkgs:
-    - "{{ containerd_versioned_pkg[containerd_version | string] }}"
--- a/roles/container-engine/containerd/vars/suse.yml
+++ b/roles/container-engine/containerd/vars/suse.yml
@@ -1,7 +0,0 @@
---
-# docker-ce containerd.io does not contain daemon
-containerd_package: containerd
-
-containerd_package_info:
-  pkgs:
-    - "{{ containerd_package }}"
--- a/roles/container-engine/containerd/vars/ubuntu.yml
+++ b/roles/container-engine/containerd/vars/ubuntu.yml
@@ -1,13 +1,4 @@
 ---
-containerd_package_info:
-  pkgs:
-    - "{{ containerd_versioned_pkg[containerd_version | string] }}"
-
-containerd_repo_key_info:
-  url: '{{ containerd_ubuntu_repo_gpgkey }}'
-  repo_keys:
-    - '{{ containerd_ubuntu_repo_repokey }}'
-
 containerd_repo_info:
  repos:
    - >