From bf970a4feadec0012c8b6a5578924a3fcd827520 Mon Sep 17 00:00:00 2001 
From: Calin Cristian Andrei Date: Tue, 14 Sep 2021 12:34:15 -0400 Subject: [PATCH] containerd: download containerd from upstream instead of using distro specific packages split runc download to separate role pin container_manager=containerd for molecule test --- .../containerd-common/defaults/main.yml | 16 +-- .../containerd-common/tasks/main.yml | 34 +++++- .../containerd-common/vars/amazon.yml | 8 -- .../containerd-common/vars/debian-stretch.yml | 10 -- .../containerd-common/vars/debian.yml | 11 +- .../containerd-common/vars/fedora.yml | 11 -- .../containerd-common/vars/redhat.yml | 11 -- .../containerd-common/vars/suse.yml | 2 + .../containerd-common/vars/ubuntu.yml | 11 -- .../containerd/defaults/main.yml | 33 ------ .../container-engine/containerd/meta/main.yml | 2 + .../containerd/molecule/default/converge.yml | 2 + .../containerd/tasks/containerd_repo.yml | 36 ------ .../containerd/tasks/main.yml | 105 +++++------------- .../templates/containerd.service.j2 | 40 +++++++ .../templates/fedora_containerd.repo.j2 | 7 -- .../templates/rh_containerd.repo.j2 | 10 -- .../containerd/vars/amazon.yml | 5 - .../containerd/vars/debian.yml | 16 --- .../containerd/vars/fedora.yml | 5 - .../containerd/vars/redhat.yml | 5 - .../container-engine/containerd/vars/suse.yml | 7 -- .../containerd/vars/ubuntu.yml | 16 --- roles/container-engine/runc/defaults/main.yml | 3 + roles/container-engine/runc/tasks/main.yml | 12 ++ roles/download/defaults/main.yml | 50 +++++++++ roles/reset/tasks/main.yml | 42 +++++++ 27 files changed, 215 insertions(+), 295 deletions(-) delete mode 100644 roles/container-engine/containerd-common/vars/debian-stretch.yml delete mode 100644 roles/container-engine/containerd-common/vars/fedora.yml delete mode 100644 roles/container-engine/containerd-common/vars/redhat.yml create mode 100644 roles/container-engine/containerd-common/vars/suse.yml delete mode 100644 roles/container-engine/containerd-common/vars/ubuntu.yml delete mode 100644 
roles/container-engine/containerd/tasks/containerd_repo.yml create mode 100644 roles/container-engine/containerd/templates/containerd.service.j2 delete mode 100644 roles/container-engine/containerd/templates/fedora_containerd.repo.j2 delete mode 100644 roles/container-engine/containerd/templates/rh_containerd.repo.j2 delete mode 100644 roles/container-engine/containerd/vars/amazon.yml delete mode 100644 roles/container-engine/containerd/vars/debian.yml delete mode 100644 roles/container-engine/containerd/vars/fedora.yml delete mode 100644 roles/container-engine/containerd/vars/redhat.yml delete mode 100644 roles/container-engine/containerd/vars/suse.yml delete mode 100644 roles/container-engine/containerd/vars/ubuntu.yml create mode 100644 roles/container-engine/runc/defaults/main.yml create mode 100644 roles/container-engine/runc/tasks/main.yml diff --git a/roles/container-engine/containerd-common/defaults/main.yml b/roles/container-engine/containerd-common/defaults/main.yml index e1555e986d3..f6716f70224 100644 --- a/roles/container-engine/containerd-common/defaults/main.yml +++ b/roles/container-engine/containerd-common/defaults/main.yml 
@@ -1,17 +1,3 @@ --- containerd_package: 'containerd.io' - -# Fedora docker-ce repo -docker_fedora_repo_base_url: 'https://download.docker.com/linux/fedora/{{ ansible_distribution_major_version }}/$basearch/stable' -docker_fedora_repo_gpgkey: 'https://download.docker.com/linux/fedora/gpg' -# CentOS/RedHat docker-ce repo -docker_rh_repo_base_url: 'https://download.docker.com/linux/centos/{{ ansible_distribution_major_version }}/$basearch/stable' -docker_rh_repo_gpgkey: 'https://download.docker.com/linux/centos/gpg' -# Ubuntu docker-ce repo -docker_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu" -docker_ubuntu_repo_gpgkey: 'https://download.docker.com/linux/ubuntu/gpg' -docker_ubuntu_repo_repokey: '9DC858229FC7DD38854AE2D88D81803C0EBFCD88' -# Debian docker-ce repo -docker_debian_repo_base_url: "https://download.docker.com/linux/debian" -docker_debian_repo_gpgkey: 'https://download.docker.com/linux/debian/gpg' -docker_debian_repo_repokey: '9DC858229FC7DD38854AE2D88D81803C0EBFCD88' +seccomp_package: 'libseccomp' diff --git a/roles/container-engine/containerd-common/tasks/main.yml b/roles/container-engine/containerd-common/tasks/main.yml index 59eee3270f2..3084a02e736 100644 --- a/roles/container-engine/containerd-common/tasks/main.yml +++ b/roles/container-engine/containerd-common/tasks/main.yml @@ -1,5 +1,17 @@ --- -- name: gather os specific variables +- name: containerd-common | check if fedora coreos + stat: + path: /run/ostree-booted + get_attributes: no + get_checksum: no + get_mime: no + register: ostree + +- name: containerd-common | set is_ostree + set_fact: + is_ostree: "{{ ostree.stat.exists }}" + +- name: containerd-common | gather os specific variables include_vars: "{{ item }}" with_first_found: - files: 
@@ -17,3 +29,23 @@ skip: true tags: - facts + +- name: containerd-common | remove any distribution specific containerd package + package: + name: "{{ containerd_package }}" + state: absent + when: + - not is_ostree + +- name: containerd-common | install container-selinux + package: + name: container-selinux + state: latest + when: + - preinstall_selinux_state != 'disabled' + - ansible_os_family in ['RedHat'] + +- name: containerd-common | install libseccomp + package: + name: "{{ seccomp_package }}" + state: present diff --git a/roles/container-engine/containerd-common/vars/amazon.yml b/roles/container-engine/containerd-common/vars/amazon.yml index 3ad56d4d4f4..05681693606 100644 --- a/roles/container-engine/containerd-common/vars/amazon.yml +++ b/roles/container-engine/containerd-common/vars/amazon.yml @@ -1,10 +1,2 @@ --- containerd_package: containerd -containerd_versioned_pkg: - 'latest': "{{ containerd_package }}" - '1.3.2': "{{ containerd_package }}-1.3.2-1.amzn{{ ansible_distribution_major_version }}" - '1.4.1': "{{ containerd_package }}-1.4.1-2.amzn{{ ansible_distribution_major_version }}" - '1.4.4': "{{ containerd_package }}-1.4.4-1.amzn{{ ansible_distribution_major_version }}" - '1.4.6': "{{ containerd_package }}-1.4.6-1.amzn{{ ansible_distribution_major_version }}" - 'stable': "{{ containerd_package }}-1.4.6-1.amzn{{ ansible_distribution_major_version }}" - 'edge': "{{ containerd_package }}-1.4.6-1.amzn{{ ansible_distribution_major_version }}" diff --git a/roles/container-engine/containerd-common/vars/debian-stretch.yml b/roles/container-engine/containerd-common/vars/debian-stretch.yml deleted file mode 100644 index b0a2584c798..00000000000 --- a/roles/container-engine/containerd-common/vars/debian-stretch.yml +++ /dev/null 
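Review bot: `state: latest` on the `containerd-common | install container-selinux` task turns every play run into a possible upgrade of the SELinux policy package, so nodes converged on different days can end up with different policy versions; `state: present` keeps the run reproducible. The `remove any distribution specific containerd package` task is guarded only by `not is_ostree`, so it runs for every role that depends on containerd-common. If any role other than containerd pulls this one in (not visible in this diff), add `- container_manager == 'containerd'` to its `when` list so the package is not removed from hosts that still need it. `preinstall_selinux_state` is not set anywhere in this role, so a comment naming the role that defines it would help anyone running containerd-common on its own.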
@@ -1,10 +0,0 @@
----
-containerd_version: 1.4.3
-
-containerd_versioned_pkg:
- 'latest': "{{ containerd_package }}"
- '1.3.7': "{{ containerd_package }}=1.3.7-1"
- '1.3.9': "{{ containerd_package }}=1.3.9-1"
- '1.4.3': "{{ containerd_package }}=1.4.3-1"
- 'stable': "{{ containerd_package }}=1.4.3-1"
- 'edge': "{{ containerd_package }}=1.4.3-1"
diff --git a/roles/container-engine/containerd-common/vars/debian.yml b/roles/container-engine/containerd-common/vars/debian.yml
index 184eb8f10ed..6fca6986e68 100644
--- a/roles/container-engine/containerd-common/vars/debian.yml
+++ b/roles/container-engine/containerd-common/vars/debian.yml
@@ -1,11 +1,2 @@
 ---
-containerd_versioned_pkg:
- 'latest': "{{ containerd_package }}"
- '1.3.7': "{{ containerd_package }}=1.3.7-1"
- '1.3.9': "{{ containerd_package }}=1.3.9-1"
- '1.4.3': "{{ containerd_package }}=1.4.3-2"
- '1.4.4': "{{ containerd_package }}=1.4.4-1"
- '1.4.6': "{{ containerd_package }}=1.4.6-1"
- '1.4.9': "{{ containerd_package }}=1.4.9-1"
- 'stable': "{{ containerd_package }}=1.4.9-1"
- 'edge': "{{ containerd_package }}=1.4.9-1"
+seccomp_package: 'libseccomp2'
diff --git a/roles/container-engine/containerd-common/vars/fedora.yml b/roles/container-engine/containerd-common/vars/fedora.yml
deleted file mode 100644
index 011910adc8f..00000000000
--- a/roles/container-engine/containerd-common/vars/fedora.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-containerd_versioned_pkg:
- 'latest': "{{ containerd_package }}"
- '1.3.7': "{{ containerd_package }}-1.3.7-3.1.fc{{ ansible_distribution_major_version }}"
- '1.3.9': "{{ containerd_package }}-1.3.9-3.1.fc{{ ansible_distribution_major_version }}"
- '1.4.3': "{{ containerd_package }}-1.4.3-3.2.fc{{ ansible_distribution_major_version }}"
- '1.4.4': "{{ containerd_package }}-1.4.4-3.1.fc{{ ansible_distribution_major_version }}"
- '1.4.6': "{{ containerd_package }}-1.4.6-3.1.fc{{ ansible_distribution_major_version }}"
- '1.4.9': "{{ containerd_package }}-1.4.9-3.1.fc{{ ansible_distribution_major_version }}"
- 'stable': "{{ containerd_package }}-1.4.9-3.1.fc{{ ansible_distribution_major_version }}"
- 'edge': "{{ containerd_package }}-1.4.9-3.1.fc{{ ansible_distribution_major_version }}"
diff --git a/roles/container-engine/containerd-common/vars/redhat.yml b/roles/container-engine/containerd-common/vars/redhat.yml
deleted file mode 100644
index 58edb8ba341..00000000000
--- a/roles/container-engine/containerd-common/vars/redhat.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-containerd_versioned_pkg:
- 'latest': "{{ containerd_package }}"
- '1.3.7': "{{ containerd_package }}-1.3.7-3.1.el{{ ansible_distribution_major_version }}"
- '1.3.9': "{{ containerd_package }}-1.3.9-3.1.el{{ ansible_distribution_major_version }}"
- '1.4.3': "{{ containerd_package }}-1.4.3-3.2.el{{ ansible_distribution_major_version }}"
- '1.4.4': "{{ containerd_package }}-1.4.4-3.1.el{{ ansible_distribution_major_version }}"
- '1.4.6': "{{ containerd_package }}-1.4.6-3.1.el{{ ansible_distribution_major_version }}"
- '1.4.9': "{{ containerd_package }}-1.4.9-3.1.el{{ ansible_distribution_major_version }}"
- 'stable': "{{ containerd_package }}-1.4.9-3.1.el{{ ansible_distribution_major_version }}"
- 'edge': "{{ containerd_package }}-1.4.9-3.1.el{{ ansible_distribution_major_version }}"
diff --git a/roles/container-engine/containerd-common/vars/suse.yml b/roles/container-engine/containerd-common/vars/suse.yml
new file mode 100644
index 00000000000..05681693606
--- /dev/null
+++ b/roles/container-engine/containerd-common/vars/suse.yml
@@ -0,0 +1,2 @@
+---
+containerd_package: containerd
diff --git a/roles/container-engine/containerd-common/vars/ubuntu.yml b/roles/container-engine/containerd-common/vars/ubuntu.yml
deleted file mode 100644
index 184eb8f10ed..00000000000
--- a/roles/container-engine/containerd-common/vars/ubuntu.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-containerd_versioned_pkg:
- 'latest': "{{ containerd_package }}"
- '1.3.7': "{{ containerd_package }}=1.3.7-1"
- '1.3.9': "{{ containerd_package }}=1.3.9-1"
- '1.4.3': "{{ containerd_package }}=1.4.3-2"
- '1.4.4': "{{ containerd_package }}=1.4.4-1"
- '1.4.6': "{{ containerd_package }}=1.4.6-1"
- '1.4.9': "{{ containerd_package }}=1.4.9-1"
- 'stable': "{{ containerd_package }}=1.4.9-1"
- 'edge': "{{ containerd_package }}=1.4.9-1"
diff --git a/roles/container-engine/containerd/defaults/main.yml b/roles/container-engine/containerd/defaults/main.yml
index 0e0bb0d5078..fc1e3ff5532 100644
--- a/roles/container-engine/containerd/defaults/main.yml
+++ b/roles/container-engine/containerd/defaults/main.yml
@@ -35,39 +35,6 @@ containerd_max_container_log_line_size: -1 containerd_cfg_dir: /etc/containerd -# Path to runc binary -runc_binary: /usr/bin/runc - -yum_repo_dir: /etc/yum.repos.d - -# Optional values for containerd apt repo -containerd_package_info: - pkgs: - -containerd_repo_key_info: - repo_keys: - -containerd_repo_info: - repos: - -# Ubuntu docker-ce repo -containerd_ubuntu_repo_base_url: "https://download.docker.com/linux/ubuntu" -containerd_ubuntu_repo_gpgkey: "https://download.docker.com/linux/ubuntu/gpg" -containerd_ubuntu_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88" -containerd_ubuntu_repo_component: "stable" - -# Debian docker-ce repo -containerd_debian_repo_base_url: "https://download.docker.com/linux/debian" -containerd_debian_repo_gpgkey: "https://download.docker.com/linux/debian/gpg" -containerd_debian_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88" -containerd_debian_repo_component: "stable" - -# Fedora docker-ce repo -containerd_fedora_repo_base_url: "https://download.docker.com/linux/fedora/{{ ansible_distribution_major_version }}/$basearch/stable" -containerd_fedora_repo_gpgkey: "https://download.docker.com/linux/fedora/gpg" -containerd_fedora_repo_repokey: "9DC858229FC7DD38854AE2D88D81803C0EBFCD88" -containerd_fedora_repo_component: "stable" - # Extra config to be put in {{ containerd_cfg_dir }}/config.toml literally containerd_extra_args: '' diff --git a/roles/container-engine/containerd/meta/main.yml b/roles/container-engine/containerd/meta/main.yml index 1a53ba7d6ec..5629567722a 100644 --- a/roles/container-engine/containerd/meta/main.yml +++ b/roles/container-engine/containerd/meta/main.yml @@ -1,3 +1,5 @@ --- dependencies: - role: container-engine/containerd-common + - role: container-engine/runc + - role: container-engine/crictl diff --git a/roles/container-engine/containerd/molecule/default/converge.yml b/roles/container-engine/containerd/molecule/default/converge.yml index 26ff82a9ebb..7847871e28b 100644 
--- a/roles/container-engine/containerd/molecule/default/converge.yml +++ b/roles/container-engine/containerd/molecule/default/converge.yml @@ -2,6 +2,8 @@ - name: Converge hosts: all become: true + vars: + container_manager: containerd roles: - role: kubespray-defaults - role: container-engine/containerd diff --git a/roles/container-engine/containerd/tasks/containerd_repo.yml b/roles/container-engine/containerd/tasks/containerd_repo.yml deleted file mode 100644 index b26bc84c75a..00000000000 --- a/roles/container-engine/containerd/tasks/containerd_repo.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -- name: ensure containerd repository public key is installed - apt_key: - id: "{{ item }}" - url: "{{ containerd_repo_key_info.url }}" - state: present - register: keyserver_task_result - until: keyserver_task_result is succeeded - retries: 4 - delay: "{{ retry_stagger | d(3) }}" - with_items: "{{ containerd_repo_key_info.repo_keys }}" - environment: "{{ proxy_env }}" - when: ansible_pkg_mgr == 'apt' - -- name: ensure containerd repository is enabled - apt_repository: - repo: "{{ item }}" - state: present - with_items: "{{ containerd_repo_info.repos }}" - when: ansible_pkg_mgr == 'apt' - -- name: Configure containerd repository on Fedora - template: - src: "fedora_containerd.repo.j2" - dest: "{{ yum_repo_dir }}/containerd.repo" - mode: 0644 - when: ansible_distribution == "Fedora" - -- name: Configure containerd repository on RedHat/OracleLinux/CentOS/AlmaLinux - template: - src: "rh_containerd.repo.j2" - dest: "{{ yum_repo_dir }}/containerd.repo" - mode: 0644 - when: - - ansible_os_family == "RedHat" - - ansible_distribution not in ["Fedora", "Amazon"] diff --git a/roles/container-engine/containerd/tasks/main.yml b/roles/container-engine/containerd/tasks/main.yml index 8378b4f4e8a..f502dffb9d2 100644 --- a/roles/container-engine/containerd/tasks/main.yml +++ b/roles/container-engine/containerd/tasks/main.yml 
@@ -1,41 +1,10 @@ --- -- name: check if fedora coreos - stat: - path: /run/ostree-booted - get_attributes: no - get_checksum: no - get_mime: no - register: ostree - -- name: set is_ostree - set_fact: - is_ostree: "{{ ostree.stat.exists }}" - - name: Fail containerd setup if distribution is not supported fail: msg: "{{ ansible_distribution }} is not supported by containerd." when: - not ansible_distribution in ["CentOS", "OracleLinux", "RedHat", "Ubuntu", "Debian", "Fedora", "AlmaLinux", "Amazon", "Flatcar Container Linux by Kinvolk"] -- name: gather os specific variables - include_vars: "{{ item }}" - with_first_found: - - files: - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}-{{ host_architecture }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_release|lower }}.yml" - - "{{ ansible_distribution|lower }}-{{ ansible_distribution_major_version|lower|replace('/', '_') }}.yml" - - "{{ ansible_distribution|lower }}-{{ host_architecture }}.yml" - - "{{ ansible_distribution|lower }}.yml" - - "{{ ansible_os_family|lower }}-{{ host_architecture }}.yml" - - "{{ ansible_os_family|lower }}.yml" - - defaults.yml - paths: - - ../vars - skip: true - tags: - - facts - - name: disable unified_cgroup_hierarchy in Fedora 31+ command: grubby --update-kernel=ALL --args="systemd.unified_cgroup_hierarchy=0" when: 
@@ -52,16 +21,29 @@ - ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] is not defined or ansible_proc_cmdline['systemd.unified_cgroup_hierarchy'] != '0' - not is_ostree -- include_tasks: containerd_repo.yml - when: not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk")) +- name: containerd | Download containerd + include_tasks: "../../../download/tasks/download_file.yml" + vars: + download: "{{ download_defaults | combine(downloads.containerd) }}" -- name: Create containerd service systemd directory if it doesn't exist - file: - path: /etc/systemd/system/containerd.service.d - state: directory +- name: containerd | Unpack containerd archive + unarchive: + src: "{{ downloads.containerd.dest }}" + dest: "{{ containerd_bin_dir }}" mode: 0755 + remote_src: yes + extra_opts: + - --strip-components=1 + notify: restart containerd -- name: Write containerd proxy drop-in +- name: containerd | generate systemd service for containerd + template: + src: containerd.service.j2 + dest: /etc/systemd/system/containerd.service + mode: 0644 + notify: restart containerd + +- name: containerd | Write containerd proxy drop-in template: src: http-proxy.conf.j2 dest: /etc/systemd/system/containerd.service.d/http-proxy.conf @@ -69,15 +51,19 @@ notify: restart containerd when: http_proxy is defined or https_proxy is defined -- name: ensure containerd config directory +- name: containerd | Ensure containerd directories exist file: - dest: "{{ containerd_cfg_dir }}" + dest: "{{ item }}" state: directory mode: 0755 owner: root group: root + with_items: + - "{{ containerd_cfg_dir }}" + - "{{ containerd_storage_dir }}" + - "{{ containerd_state_dir }}" -- name: Copy containerd config file +- name: containerd | Copy containerd config file template: src: config.toml.j2 dest: "{{ containerd_cfg_dir }}/config.toml" 
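Review bot: The task that created `/etc/systemd/system/containerd.service.d` is removed in this hunk, but the `containerd | Write containerd proxy drop-in` task kept below it still templates `http-proxy.conf` into that directory. Nothing else on the page creates it: the later `Ensure containerd directories exist` task covers only the config, storage and state directories and runs afterwards. On a fresh host with `http_proxy` or `https_proxy` defined, the template task is therefore likely to fail on the missing destination directory. Keep a directory task ahead of the drop-in, as in the excerpt below; the tasks file continues outside the hunk.

```yaml
# … unchanged: containerd | generate systemd service for containerd …

- name: containerd | Create systemd drop-in directory for containerd
  file:
    path: /etc/systemd/system/containerd.service.d
    state: directory
    mode: "0755"
  when: http_proxy is defined or https_proxy is defined

# … unchanged: containerd | Write containerd proxy drop-in …
```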
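Review bot: The `containerd | Ensure containerd directories exist` task now applies `mode: 0755` to `containerd_storage_dir` and `containerd_state_dir` as well as the config directory, and because `file` enforces the mode on every run it will also loosen directories that containerd created itself. Assuming those two variables are containerd's root and state paths (their values are not in this diff), upstream containerd creates them with 0711, so 0755 makes their top level listable by any local user. Consider splitting the loop so the storage and state entries get `mode: "0711"`, and confirm the value against the containerd release being pinned.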
@@ -85,43 +71,6 @@ mode: 0640 notify: restart containerd -# This is required to ensure any apt upgrade will not break kubernetes -- name: Set containerd pin priority to apt_preferences on Debian family - copy: - content: | - Package: {{ containerd_package }} - Pin: version {{ containerd_version }}* - Pin-Priority: 1001 - dest: "/etc/apt/preferences.d/containerd" - owner: "root" - mode: 0644 - when: ansible_pkg_mgr == 'apt' - -- name: ensure containerd packages are installed - package: - name: "{{ containerd_package_info.pkgs }}" - state: present - module_defaults: - apt: - update_cache: true - dnf: - enablerepo: "{{ containerd_package_info.enablerepo | default(omit) }}" - yum: - enablerepo: "{{ containerd_package_info.enablerepo | default(omit) }}" - zypper: - update_cache: true - register: containerd_task_result - until: containerd_task_result is succeeded - retries: 4 - delay: "{{ retry_stagger | d(3) }}" - notify: restart containerd - when: - - not (is_ostree or (ansible_distribution == "Flatcar Container Linux by Kinvolk")) - - containerd_package_info.pkgs|length > 0 - -- include_role: # noqa unnamed-task - name: container-engine/crictl - # you can sometimes end up in a state where everything is installed # but containerd was not started / enabled - name: flush handlers diff --git a/roles/container-engine/containerd/templates/containerd.service.j2 b/roles/container-engine/containerd/templates/containerd.service.j2 new file mode 100644 index 00000000000..09f9a3b2a32 --- /dev/null +++ b/roles/container-engine/containerd/templates/containerd.service.j2 
@@ -0,0 +1,40 @@
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target
+
+[Service]
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart={{ containerd_bin_dir }}/containerd
+
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC=infinity
+LimitCORE=infinity
+LimitNOFILE=infinity
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/container-engine/containerd/templates/fedora_containerd.repo.j2 b/roles/container-engine/containerd/templates/fedora_containerd.repo.j2
deleted file mode 100644
index 8422664a6d8..00000000000
--- a/roles/container-engine/containerd/templates/fedora_containerd.repo.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-[docker-ce]
-name=Docker-CE Repository
-baseurl={{ containerd_fedora_repo_base_url }}
-enabled=0
-gpgcheck={{ '1' if containerd_fedora_repo_gpgkey else '0' }}
-gpgkey={{ containerd_fedora_repo_gpgkey }}
-{% if http_proxy is defined %}proxy={{ http_proxy }}{% endif %}
diff --git a/roles/container-engine/containerd/templates/rh_containerd.repo.j2 b/roles/container-engine/containerd/templates/rh_containerd.repo.j2
deleted file mode 100644
index 178bbc2cd7f..00000000000
--- a/roles/container-engine/containerd/templates/rh_containerd.repo.j2
+++ /dev/null
@@ -1,10 +0,0 @@
-[docker-ce]
-name=Docker-CE Repository
-baseurl={{ docker_rh_repo_base_url }}
-enabled=0
-gpgcheck={{ '1' if docker_rh_repo_gpgkey else '0' }}
-keepcache={{ docker_rpm_keepcache | default('1') }}
-gpgkey={{ docker_rh_repo_gpgkey }}
-{% if http_proxy is defined %}
-proxy={{ http_proxy }}
-{% endif %}
diff --git a/roles/container-engine/containerd/vars/amazon.yml b/roles/container-engine/containerd/vars/amazon.yml
deleted file mode 100644
index 28235ec73fd..00000000000
--- a/roles/container-engine/containerd/vars/amazon.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-containerd_package_info:
- enablerepo: "amzn2extra-docker"
- pkgs:
- - "{{ containerd_versioned_pkg[containerd_version | string] }}"
diff --git a/roles/container-engine/containerd/vars/debian.yml b/roles/container-engine/containerd/vars/debian.yml
deleted file mode 100644
index 7b73083dacc..00000000000
--- a/roles/container-engine/containerd/vars/debian.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-containerd_package_info:
- pkgs:
- - "{{ containerd_versioned_pkg[containerd_version | string] }}"
-
-containerd_repo_key_info:
- url: '{{ containerd_debian_repo_gpgkey }}'
- repo_keys:
- - '{{ containerd_debian_repo_repokey }}'
-
-containerd_repo_info:
- repos:
- - >
- deb {{ containerd_debian_repo_base_url }}
- {{ ansible_distribution_release|lower }}
- {{ containerd_debian_repo_component }}
diff --git a/roles/container-engine/containerd/vars/fedora.yml b/roles/container-engine/containerd/vars/fedora.yml
deleted file mode 100644
index e51f2c89c31..00000000000
--- a/roles/container-engine/containerd/vars/fedora.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-containerd_package_info:
- enablerepo: "docker-ce"
- pkgs:
- - "{{ containerd_versioned_pkg[containerd_version | string] }}"
diff --git a/roles/container-engine/containerd/vars/redhat.yml b/roles/container-engine/containerd/vars/redhat.yml
deleted file mode 100644
index e51f2c89c31..00000000000
--- a/roles/container-engine/containerd/vars/redhat.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-containerd_package_info:
- enablerepo: "docker-ce"
- pkgs:
- - "{{ containerd_versioned_pkg[containerd_version | string] }}"
diff --git a/roles/container-engine/containerd/vars/suse.yml b/roles/container-engine/containerd/vars/suse.yml
deleted file mode 100644
index fb45f9ca8f1..00000000000
--- a/roles/container-engine/containerd/vars/suse.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-# docker-ce containerd.io does not contain daemon
-containerd_package: containerd
-
-containerd_package_info:
- pkgs:
- - "{{ containerd_package }}"
diff --git a/roles/container-engine/containerd/vars/ubuntu.yml b/roles/container-engine/containerd/vars/ubuntu.yml
deleted file mode 100644
index a43797e6521..00000000000
--- a/roles/container-engine/containerd/vars/ubuntu.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-containerd_package_info:
- pkgs:
- - "{{ containerd_versioned_pkg[containerd_version | string] }}"
-
-containerd_repo_key_info:
- url: '{{ containerd_ubuntu_repo_gpgkey }}'
- repo_keys:
- - '{{ containerd_ubuntu_repo_repokey }}'
-
-containerd_repo_info:
- repos:
- - >
- deb {{ containerd_ubuntu_repo_base_url }}
- {{ ansible_distribution_release|lower }}
- {{ containerd_ubuntu_repo_component }}
diff --git a/roles/container-engine/runc/defaults/main.yml b/roles/container-engine/runc/defaults/main.yml
new file mode 100644
index 00000000000..6b9dd019dcc
--- /dev/null
+++ b/roles/container-engine/runc/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+runc_bin_dir: /usr/bin/
diff --git a/roles/container-engine/runc/tasks/main.yml b/roles/container-engine/runc/tasks/main.yml new file mode 100644 index 00000000000..bdb34044a83 --- /dev/null +++ b/roles/container-engine/runc/tasks/main.yml @@ -0,0 +1,12 @@ +--- +- name: runc | Download runc binary + include_tasks: "../../../download/tasks/download_file.yml" + vars: + download: "{{ download_defaults | combine(downloads.runc) }}" + +- name: Copy runc binary from download dir + copy: + src: "{{ local_release_dir }}/runc" + dest: "{{ runc_bin_dir }}/runc" + mode: 0755 + remote_src: true diff --git a/roles/download/defaults/main.yml b/roles/download/defaults/main.yml index b585cab0e9d..014c35c1821 100644 --- a/roles/download/defaults/main.yml +++ b/roles/download/defaults/main.yml @@ -51,6 +51,7 @@ image_arch: "{{host_architecture | default('amd64')}}" # Versions kubeadm_version: "{{ kube_version }}" etcd_version: v3.4.13 +runc_version: v1.0.2 crun_version: 0.21 kata_containers_version: 2.1.0 gvisor_version: 20210518.0 
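Review bot: The `Copy runc binary from download dir` task rebuilds its source path as `{{ local_release_dir }}/runc` instead of reusing the download entry, so the two drift apart if that entry's `dest` ever changes; `src: "{{ downloads.runc.dest }}"` matches how the containerd role refers to its archive. The task also sets no `owner` or `group`, so ownership of a binary that runs as root for every container is left to whatever the download step produced; adding `owner: root` and `group: root` makes it explicit. The task name is missing the `runc |` prefix used by the task above it.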
@@ -111,6 +112,7 @@ calicoctl_download_url: "https://github.com/projectcalico/calicoctl/releases/dow calico_crds_download_url: "https://github.com/projectcalico/calico/archive/{{ calico_version }}.tar.gz" crictl_download_url: "https://github.com/kubernetes-sigs/cri-tools/releases/download/{{ crictl_version }}/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz" helm_download_url: "https://get.helm.sh/helm-{{ helm_version }}-linux-{{ image_arch }}.tar.gz" +runc_download_url: "https://github.com/opencontainers/runc/releases/download/{{ runc_version }}/runc.{{ image_arch }}" crun_download_url: "https://github.com/containers/crun/releases/download/{{ crun_version }}/crun-{{ crun_version }}-linux-{{ image_arch }}" kata_containers_download_url: "https://github.com/kata-containers/kata-containers/releases/download/{{ kata_containers_version }}/kata-static-{{ kata_containers_version }}-{{ ansible_architecture }}.tar.xz" # gVisor only supports amd64 and uses x86_64 to in the download link @@ -118,6 +120,7 @@ gvisor_runsc_download_url: "https://storage.googleapis.com/gvisor/releases/relea gvisor_containerd_shim_runsc_download_url: "https://storage.googleapis.com/gvisor/releases/release/{{ gvisor_version }}/{{ ansible_architecture }}/containerd-shim-runsc-v1" nerdctl_download_url: "https://github.com/containerd/nerdctl/releases/download/v{{ nerdctl_version }}/nerdctl-{{ nerdctl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz" krew_download_url: "https://github.com/kubernetes-sigs/krew/releases/download/{{ krew_version }}/krew.tar.gz" +containerd_download_url: "https://github.com/containerd/containerd/releases/download/v{{ containerd_version }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz" crictl_checksums: arm: 
@@ -527,6 +530,14 @@ helm_archive_checksums: arm64: v3.6.3: 6fe647628bc27e7ae77d015da4d5e1c63024f673062ac7bc11453ccc55657713 +runc_checksums: + arm: + v1.0.2: 0 + arm64: + v1.0.2: 0 + amd64: + v1.0.2: 44d1ba01a286aaf0b31b4be9c6abc20deab0653d44ecb0d93b4d0d20eac3e0b6 + crun_checksums: arm: 0 amd64: @@ -583,6 +594,17 @@ nerdctl_archive_checksums: amd64: 0.8.1: 7c3573db282749079e06f4c592b4585d53628d13fd762746b30389f854d79a47 +containerd_archive_checksums: + arm: + 1.4.9: 0 + 1.5.5: 0 + arm64: + 1.4.9: 0 + 1.5.5: 0 + amd64: + 1.4.9: 346f88ad5b973960ff81b5539d4177af5941ec2e4703b479ca9a6081ff1d023b + 1.5.5: 8efc527ffb772a82021800f0151374a3113ed2439922497ff08f2596a70f10f1 + etcd_binary_checksum: "{{ etcd_binary_checksums[image_arch] }}" cni_binary_checksum: "{{ cni_binary_checksums[image_arch] }}" kubelet_binary_checksum: "{{ kubelet_checksums[image_arch][kube_version] }}" 
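Review bot: The `arm` and `arm64` entries of `runc_checksums` are `0`, and the same placeholder fills every `arm`/`arm64` entry of `containerd_archive_checksums` in the next hunk, so on those architectures there is no pinned digest for binaries this commit now fetches from GitHub releases and installs as root. With the distro repositories and their GPG keys removed, the sha256 pin is the only integrity check this change leaves in place; how download_file.yml treats a `0` value is not visible here, but it can only skip verification or fail. Fill in the digests from the upstream release for each architecture that is meant to be supported, and fail early with a clear message for the others rather than relying on the placeholder. YAML also reads a bare `0` as an integer while the real entries are strings, so quote it if it stays.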
@@ -592,12 +614,14 @@ calicoctl_binary_checksum: "{{ calicoctl_binary_checksums[image_arch][calico_ctl calico_crds_archive_checksum: "{{ calico_crds_archive_checksums[calico_version] }}" crictl_binary_checksum: "{{ crictl_checksums[image_arch][crictl_version] }}" helm_archive_checksum: "{{ helm_archive_checksums[image_arch][helm_version] }}" +runc_binary_checksum: "{{ runc_checksums[image_arch][runc_version] }}" crun_binary_checksum: "{{ crun_checksums[image_arch][crun_version] }}" kata_containers_binary_checksum: "{{ kata_containers_binary_checksums[image_arch][kata_containers_version] }}" gvisor_runsc_binary_checksum: "{{ gvisor_runsc_binary_checksums[image_arch][gvisor_version] }}" gvisor_containerd_shim_binary_checksum: "{{ gvisor_containerd_shim_binary_checksums[image_arch][gvisor_version] }}" nerdctl_archive_checksum: "{{ nerdctl_archive_checksums[image_arch][nerdctl_version] }}" krew_archive_checksum: "{{ krew_archive_checksums[krew_version] }}" +containerd_archive_checksum: "{{ containerd_archive_checksums[image_arch][containerd_version] }}" # Containers # In some cases, we need a way to set --registry-mirror or --insecure-registry for docker, @@ -884,6 +908,19 @@ downloads: groups: - k8s_cluster + runc: + file: true + enabled: "{{ container_manager in ['containerd'] }}" + version: "{{ runc_version }}" + dest: "{{ local_release_dir }}/runc" + sha256: "{{ runc_binary_checksum }}" + url: "{{ runc_download_url }}" + unarchive: false + owner: "root" + mode: "0755" + groups: + - k8s_cluster + kata_containers: enabled: "{{ kata_containers_enabled }}" file: true 
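Review bot: The runc entry's `dest` is `{{ local_release_dir }}/runc`, with neither version nor architecture in the file name, unlike the containerd entry added in the following hunk, whose `dest` carries both. A file left in the download cache by an earlier run then cannot be told apart by name from the newly pinned release. Whether it gets replaced depends on the checksum comparison in the download task (not visible here), which has no real digest to compare on `arm`/`arm64`. Consider `dest: "{{ local_release_dir }}/runc-{{ runc_version }}.{{ image_arch }}"` and have the runc role copy from `downloads.runc.dest`. `enabled` also uses `container_manager in ['containerd']` where the containerd entry uses `== 'containerd'`; pick one form.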
@@ -897,6 +934,19 @@ downloads: groups: - k8s_cluster + containerd: + enabled: "{{ container_manager == 'containerd' }}" + file: true + version: "{{ containerd_version }}" + dest: "{{ local_release_dir }}/containerd-{{ containerd_version }}-linux-{{ image_arch }}.tar.gz" + sha256: "{{ containerd_archive_checksum }}" + url: "{{ containerd_download_url }}" + unarchive: false + owner: "root" + mode: "0644" + groups: + - k8s_cluster + gvisor_runsc: enabled: "{{ gvisor_enabled }}" file: true diff --git a/roles/reset/tasks/main.yml b/roles/reset/tasks/main.yml index 00029b09b7b..2244ee75503 100644 --- a/roles/reset/tasks/main.yml +++ b/roles/reset/tasks/main.yml @@ -169,6 +169,25 @@ tags: - services +- name: reset | remove containerd + when: container_manager == 'containerd' + block: + - name: reset | stop containerd service + service: + name: containerd + state: stopped + failed_when: false + tags: + - services + + - name: reset | remove containerd service + file: + path: /etc/systemd/system/containerd.service + state: absent + register: services_removed + tags: + - services + - name: reset | gather mounted kubelet dirs # noqa 301 shell: set -o pipefail && mount | grep /var/lib/kubelet/ | awk '{print $3}' | tac args: @@ -279,6 +298,7 @@ - "{{ bin_dir }}/etcd" - "{{ bin_dir }}/etcd-events" - "{{ bin_dir }}/etcdctl" + - "{{ bin_dir }}/etcdctl.sh" - "{{ bin_dir }}/kubernetes-scripts" - "{{ bin_dir }}/kubectl" - "{{ bin_dir }}/kubeadm" 
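Review bot: `register: services_removed` on the `reset | remove containerd service` task reuses a name that reads as if it belongs to the generic service-removal task above this hunk. If so (that task is outside the hunk), a skipped or unchanged containerd task overwrites the earlier result, and any later `services_removed.changed` check no longer reflects it. Register under a separate name such as `containerd_service_removed` and include it in whatever condition triggers the systemd reload. The block also leaves `/etc/systemd/system/containerd.service.d`, where the containerd role writes its proxy drop-in, in place, and it stops the unit without disabling it.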
@@ -310,6 +330,28 @@ tags: - files +- name: reset | remove containerd + when: container_manager == 'containerd' + block: + - name: reset | remove containerd binary files + file: + path: "{{ containerd_bin_dir }}/{{ item }}" + state: absent + with_items: + - containerd + - containerd-shim + - containerd-shim-runc-v1 + - containerd-shim-runc-v2 + - containerd-stress + - crictl + - critest + - ctd-decoder + - ctr + - runc + ignore_errors: true # noqa ignore-errors + tags: + - files + - name: reset | remove dns settings from dhclient.conf blockinfile: path: "{{ item }}"
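Review bot: The removal list deletes `runc` and `crictl` from `containerd_bin_dir`, but the runc role added in this commit installs to `runc_bin_dir`, so when the two directories differ the runc binary survives a reset. Use `{{ runc_bin_dir }}/runc` for that entry and check where the crictl role installs `crictl` (not visible here). `ignore_errors: true` is not needed for the missing-file case, since `file` with `state: absent` already succeeds when the path does not exist, and it hides real failures such as a read-only filesystem. This block and the one added earlier in the same file are both named `reset | remove containerd`; distinct names make the run log unambiguous.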