containerd: download containerd from upstream instead of using distro…

… specific packages split runc download to separate role pin container_manager=containerd for molecule test
kubernetes-sigs · Sep 17, 2021 · bf970a4 · bf970a4
1 parent 09af3ab
commit bf970a4
Show file tree

Hide file tree

Showing 27 changed files with 215 additions and 295 deletions.
diff --git a/roles/container-engine/containerd-common/defaults/main.yml b/roles/container-engine/containerd-common/defaults/main.yml
@@ -1,17 +1,3 @@
 ---
 containerd_package: 'containerd.io'
-
-# Fedora docker-ce repo
-docker_fedora_repo_base_url: 'https://download.docker.com/linux/fedora/{{ ansible_distribution_major_version }}/$basearch/stable'
-docker_fedora_repo_gpgkey: 'https://download.docker.com/linux/fedora/gpg'
-# CentOS/RedHat docker-ce repo
-docker_rh_repo_base_url: 'https://download.docker.com/linux/centos/{{ ansible_distribution_major_version }}/$basearch/stable'
-docker_rh_repo_gpgkey: 'https://download.docker.com/linux/centos/gpg'
-# Ubuntu docker-ce repo
-docker_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu"
-docker_ubuntu_repo_gpgkey: 'https://download.docker.com/linux/ubuntu/gpg'
-docker_ubuntu_repo_repokey: '9DC858229FC7DD38854AE2D88D81803C0EBFCD88'
-# Debian docker-ce repo
-docker_debian_repo_base_url: "https://download.docker.com/linux/debian"
-docker_debian_repo_gpgkey: 'https://download.docker.com/linux/debian/gpg'
-docker_debian_repo_repokey: '9DC858229FC7DD38854AE2D88D81803C0EBFCD88'
+seccomp_package: 'libseccomp'
diff --git a/roles/container-engine/containerd-common/tasks/main.yml b/roles/container-engine/containerd-common/tasks/main.yml
@@ -1,5 +1,17 @@
 ---
-- name: gather os specific variables
+- name: containerd-common | check if fedora coreos
+  stat:
+    path: /run/ostree-booted
+    get_attributes: no
+    get_checksum: no
+    get_mime: no
+  register: ostree
+
+- name: containerd-common | set is_ostree
+  set_fact:
+    is_ostree: "{{ ostree.stat.exists }}"
+
+- name: containerd-common | gather os specific variables
   include_vars: "{{ item }}"
   with_first_found:
     - files:
@@ -17,3 +29,23 @@
       skip: true
   tags:
     - facts
+
+- name: containerd-common | remove any distribution specific containerd package
+  package:
+    name: "{{ containerd_package }}"
+    state: absent
+  when:
+    - not is_ostree
+
+- name: containerd-common | install container-selinux
+  package:
+    name: container-selinux
+    state: latest
+  when:
+    - preinstall_selinux_state != 'disabled'
+    - ansible_os_family in ['RedHat']
+
+- name: containerd-common | install libseccomp
+  package:
+    name: "{{ seccomp_package }}"
+    state: present
diff --git a/roles/container-engine/containerd-common/vars/amazon.yml b/roles/container-engine/containerd-common/vars/amazon.yml
@@ -1,10 +1,2 @@
 ---
 containerd_package: containerd
-containerd_versioned_pkg:
-  'latest': "{{ containerd_package }}"
-  '1.3.2': "{{ containerd_package }}-1.3.2-1.amzn{{ ansible_distribution_major_version }}"
-  '1.4.1': "{{ containerd_package }}-1.4.1-2.amzn{{ ansible_distribution_major_version }}"
-  '1.4.4': "{{ containerd_package }}-1.4.4-1.amzn{{ ansible_distribution_major_version }}"
-  '1.4.6': "{{ containerd_package }}-1.4.6-1.amzn{{ ansible_distribution_major_version }}"
-  'stable': "{{ containerd_package }}-1.4.6-1.amzn{{ ansible_distribution_major_version }}"
-  'edge': "{{ containerd_package }}-1.4.6-1.amzn{{ ansible_distribution_major_version }}"
diff --git a/roles/container-engine/containerd-common/vars/debian-stretch.yml b/roles/container-engine/containerd-common/vars/debian-stretch.yml
diff --git a/roles/container-engine/containerd-common/vars/debian.yml b/roles/container-engine/containerd-common/vars/debian.yml
@@ -1,11 +1,2 @@
 ---
-containerd_versioned_pkg:
-  'latest': "{{ containerd_package }}"
-  '1.3.7': "{{ containerd_package }}=1.3.7-1"
-  '1.3.9': "{{ containerd_package }}=1.3.9-1"
-  '1.4.3': "{{ containerd_package }}=1.4.3-2"
-  '1.4.4': "{{ containerd_package }}=1.4.4-1"
-  '1.4.6': "{{ containerd_package }}=1.4.6-1"
-  '1.4.9': "{{ containerd_package }}=1.4.9-1"
-  'stable': "{{ containerd_package }}=1.4.9-1"
-  'edge': "{{ containerd_package }}=1.4.9-1"
+seccomp_package: 'libseccomp2'
diff --git a/roles/container-engine/containerd-common/vars/fedora.yml b/roles/container-engine/containerd-common/vars/fedora.yml
diff --git a/roles/container-engine/containerd-common/vars/redhat.yml b/roles/container-engine/containerd-common/vars/redhat.yml
diff --git a/roles/container-engine/containerd-common/vars/suse.yml b/roles/container-engine/containerd-common/vars/suse.yml
@@ -0,0 +1,2 @@
+---
+containerd_package: containerd
diff --git a/roles/container-engine/containerd-common/vars/ubuntu.yml b/roles/container-engine/containerd-common/vars/ubuntu.yml
diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
@@ -35,39 +35,6 @@ containerd_max_container_log_line_size: -1
 
 containerd_cfg_dir: /etc/containerd
 
-# Path to runc binary
-runc_binary: /usr/bin/runc
-
-yum_repo_dir: /etc/yum.repos.d
-
-# Optional values for containerd apt repo
-containerd_package_info:
-  pkgs:
-
-containerd_repo_key_info:
-  repo_keys:
-
-containerd_repo_info:
-  repos:
-
-# Ubuntu docker-ce repo
-containerd_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu"
-containerd_ubuntu_repo_gpgkey: "https://download.docker.com/linux/ubuntu/gpg"
-containerd_ubuntu_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
-containerd_ubuntu_repo_component: "stable"
-
-# Debian docker-ce repo
-containerd_debian_repo_base_url: "https://download.docker.com/linux/debian"
-containerd_debian_repo_gpgkey: "https://download.docker.com/linux/debian/gpg"
-containerd_debian_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
-containerd_debian_repo_component: "stable"
-
-# Fedora docker-ce repo
-containerd_fedora_repo_base_url: "https://download.docker.com/linux/fedora/{{ ansible_distribution_major_version }}/$basearch/stable"
-containerd_fedora_repo_gpgkey: "https://download.docker.com/linux/fedora/gpg"
-containerd_fedora_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88"
-containerd_fedora_repo_component: "stable"
-
 # Extra config to be put in {{ containerd_cfg_dir }}/config.toml literally
 containerd_extra_args: ''
 

diff --git a/roles/container-engine/containerd/meta/main.yml b/roles/container-engine/containerd/meta/main.yml
@@ -1,3 +1,5 @@
 ---
 dependencies:
   - role: container-engine/containerd-common
+  - role: container-engine/runc
+  - role: container-engine/crictl
diff --git a/roles/container-engine/containerd/molecule/default/converge.yml b/roles/container-engine/containerd/molecule/default/converge.yml
@@ -2,6 +2,8 @@
 - name: Converge
   hosts: all
   become: true
+  vars:
+    container_manager: containerd
   roles:
     - role: kubespray-defaults
     - role: container-engine/containerd
diff --git a/roles/container-engine/containerd/tasks/containerd_repo.yml b/roles/container-engine/containerd/tasks/containerd_repo.yml
diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml
@@ -1,41 +1,10 @@
 ---
-- name: check if fedora coreos
-  stat:
-    path: /run/ostree-booted
-    get_attributes: no
-    get_checksum: no
-    get_mime: no
-  register: ostree
-
-- name: set is_ostree
-  set_fact:
-    is_ostree: "{{ ostree.stat.exists }}"
-
 - name: Fail containerd setup if distribution is not supported
   fail:
     msg: "{{ ansible_distribution }} is not supported by containerd."
   when:
     - not ansible_distribution in ["CentOS", "OracleLinux", "RedHat", "Ubuntu", "Debian", "Fedora", "AlmaLinux", "Amazon", "Flatcar Container Linux by Kinvolk"]
 
-- name: gather os specific variables
-  include_vars: "{{ item }}"
-  with_first_found:
-    - files:
-        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml"
-        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}-{{ host_architecture }}.yml"
-        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}.yml"
-        - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml"
-        - "{{ ansible_distribution|lower }}-{{ host_architecture }}.yml"
-        - "{{ ansible_distribution|lower }}.yml"
-        - "{{ ansible_os_family|lower }}-{{ host_architecture }}.yml"
-        - "{{ ansible_os_family|lower }}.yml"
-        - defaults.yml
-      paths:
-        - ../vars
-      skip: true
-  tags:
-    - facts
-
 - name: disable unified_cgroup_hierarchy in Fedora 31+
   command: grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0"
   when:
@@ -52,76 +21,56 @@
     - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0'
     - not is_ostree
 
-- include_tasks: containerd_repo.yml
-  when: not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk"))
+- name: containerd | Download containerd
+  include_tasks: "../../../download/tasks/download_file.yml"
+  vars:
+    download: "{{ download_defaults | combine(downloads.containerd) }}"
 
-- name: Create containerd service systemd directory if it doesn't exist
-  file:
-    path: /etc/systemd/system/containerd.service.d
-    state: directory
+- name: containerd | Unpack containerd archive
+  unarchive:
+    src: "{{ downloads.containerd.dest }}"
+    dest: "{{ containerd_bin_dir }}"
     mode: 0755
+    remote_src: yes
+    extra_opts:
+      - --strip-components=1
+  notify: restart containerd
 
-- name: Write containerd proxy drop-in
+- name: containerd | generate systemd service for containerd
+  template:
+    src: containerd.service.j2
+    dest: /etc/systemd/system/containerd.service
+    mode: 0644
+  notify: restart containerd
+
+- name: containerd | Write containerd proxy drop-in
   template:
     src: http-proxy.conf.j2
     dest: /etc/systemd/system/containerd.service.d/http-proxy.conf
     mode: 0644
   notify: restart containerd
   when: http_proxy is defined or https_proxy is defined
 
-- name: ensure containerd config directory
+- name: containerd | Ensure containerd directories exist
   file:
-    dest: "{{ containerd_cfg_dir }}"
+    dest: "{{ item }}"
     state: directory
     mode: 0755
     owner: root
     group: root
+  with_items:
+    - "{{ containerd_cfg_dir }}"
+    - "{{ containerd_storage_dir }}"
+    - "{{ containerd_state_dir }}"
 
-- name: Copy containerd config file
+- name: containerd | Copy containerd config file
   template:
     src: config.toml.j2
     dest: "{{ containerd_cfg_dir }}/config.toml"
     owner: "root"
     mode: 0640
   notify: restart containerd
 
-# This is required to ensure any apt upgrade will not break kubernetes
-- name: Set containerd pin priority to apt_preferences on Debian family
-  copy:
-    content: |
-      Package: {{ containerd_package }}
-      Pin: version {{ containerd_version }}*
-      Pin-Priority: 1001
-    dest: "/etc/apt/preferences.d/containerd"
-    owner: "root"
-    mode: 0644
-  when: ansible_pkg_mgr == 'apt'
-
-- name: ensure containerd packages are installed
-  package:
-    name: "{{ containerd_package_info.pkgs }}"
-    state: present
-  module_defaults:
-    apt:
-      update_cache: true
-    dnf:
-      enablerepo: "{{ containerd_package_info.enablerepo | default(omit) }}"
-    yum:
-      enablerepo: "{{ containerd_package_info.enablerepo | default(omit) }}"
-    zypper:
-      update_cache: true
-  register: containerd_task_result
-  until: containerd_task_result is succeeded
-  retries: 4
-  delay: "{{ retry_stagger | d(3) }}"
-  notify: restart containerd
-  when:
-    - not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk"))
-    - containerd_package_info.pkgs|length > 0
-
-- include_role:  # noqa unnamed-task
-    name: container-engine/crictl
-
 # you can sometimes end up in a state where everything is installed
 # but containerd was not started / enabled
 - name: flush handlers