openstack/ansible-collection-kolla
Code Issues Proposed changes

baremetal: refactor docker deployment into a separate role

Browse Source 
The multitude of set_fact tasks have been replaced with task variables.

The deprecated docker_custom_option variable has been removed.

Change-Id: If3468ab06a64b5998314da1de2644cef3999ece6
This commit is contained in:
Mark Goddard 2021-11-17 15:30:47 +00:00 committed by Radosław Piliszek
parent 22a16e7ff7
commit 5471da12b1
18 changed files with 306 additions and 343 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
releasenotes/notes/drop-docker-custom-option-6c8251c750473558.yaml Normal file
View File

@ -0,0 +1,4 @@
---
upgrade:
- |
Removes the deprecated ``docker_custom_option`` variable.

41
roles/baremetal/defaults/main.yml
View File

@ -1,21 +1,4 @@
---
# Whether to enable a package repository for Docker.
enable_docker_repo: "{% if ansible_facts.distribution == 'openEuler' %}false{% else %}true{% endif %}"
# Docker APT repository configuration.
docker_apt_url: "https://download.docker.com/linux/{{ ansible_facts.distribution | lower }}"
docker_apt_repo: "deb {{ docker_apt_url }} {{ ansible_facts.distribution_release }} stable"
docker_apt_key_file: "gpg"
docker_apt_key_id: "0EBFCD88"
docker_apt_package: "docker-ce"
# Docker Yum repository configuration.
docker_yum_url: "https://download.docker.com/linux/centos"
docker_yum_baseurl: "{{ docker_yum_url }}/$releasever/$basearch/stable"
docker_yum_gpgkey: "{{ docker_yum_url }}/gpg"
docker_yum_gpgcheck: true
docker_yum_package: "docker-ce"
ceph_version: "pacific"
epel_version: "8"
ceph_url: "https://download.ceph.com"
@ -49,32 +32,19 @@ selinux_state: "permissive"
# If true, the host firewall service (firewalld or ufw) will be disabled.
disable_firewall: True
docker_storage_driver: ""
docker_custom_option: ""
docker_custom_config: "{% if ansible_facts.distribution == 'openEuler' %}{\"exec-opts\": [\"native.umask=normal\"]}{% else %}{}{% endif %}"
docker_http_proxy: ""
docker_https_proxy: ""
docker_no_proxy: ""
git_http_proxy: ""
git_https_proxy: ""
debian_pkg_install:
- "{{ docker_apt_package }}"
- git
- "{% if enable_multipathd|bool %}sg3-utils-udev{% endif %}"
- "{% if not docker_disable_default_iptables_rules | bool %}iptables{% endif %}"
openeuler_pkg_install:
- docker
- python3-docker
redhat_pkg_install:
- "{{ docker_yum_package }}"
- git
- sudo
- "{% if not docker_disable_default_iptables_rules | bool %}iptables{% endif %}"
ubuntu_pkg_removals:
- lxd
@ -87,17 +57,6 @@ redhat_pkg_removals:
- "{% if enable_nova_libvirt_container | bool %}libvirt-daemon{% endif %}"
- "{% if enable_nova_libvirt_container | bool %}iscsi-initiator-utils{% endif %}"
# From group_vars/all.yml:
docker_log_max_file: "5"
docker_log_max_size: "50m"
# Docker networking options
docker_disable_default_iptables_rules: "yes"
docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"
docker_disable_ip_forward: "{{ docker_disable_default_iptables_rules }}"
docker_runtime_directory: ""
node_config_directory: "/etc/kolla"
# Whether the nova_libvirt container is enabled.

68
roles/baremetal/tasks/install.yml
View File

@ -37,44 +37,12 @@
- firewalld_check.rc == 0
when: disable_firewall | bool
# Upgrading docker engine may cause containers to stop. Take a snapshot of the
# running containers prior to a potential upgrade of Docker.
- name: Check which containers are running
command: docker ps -f 'status=running' -q
become: true
# If Docker is not installed this command may exit non-zero.
failed_when: false
changed_when: false
register: running_containers
# APT starts Docker engine right after installation, which creates
# iptables rules before we disable iptables in Docker config
- name: Check if docker systemd unit exists
stat:
path: /etc/systemd/system/docker.service
register: docker_unit_file
- name: Mask the docker systemd unit on Debian/Ubuntu
file:
src: /dev/null
dest: /etc/systemd/system/docker.service
owner: root
group: root
state: link
become: true
when:
- ansible_facts.os_family == 'Debian'
- not docker_unit_file.stat.exists
- name: Install apt packages
package:
name: "{{ (debian_pkg_install | join(' ')).split() }}"
state: present
become: True
when: ansible_facts.os_family == 'Debian'
register: apt_install_result
- name: Install deltarpm packages
package:
@ -93,7 +61,6 @@
when:
- ansible_facts.os_family == 'RedHat'
- ansible_facts.distribution != 'openEuler'
register: rpm_install_result
- name: Install RPM packages for openEuler
package:
@ -102,40 +69,9 @@
update_cache: yes
become: True
when: ansible_facts.distribution == 'openEuler'
register: rpm_install_result
# If any packages were updated, and any containers were running, wait for the
# daemon to come up and start all previously running containers.
- block:
# At some point (at least on CentOS 7) Docker CE stopped starting
# automatically after an upgrade from legacy docker . Start it manually.
- name: Start docker
systemd:
name: docker
state: started
enabled: yes
masked: no
become: True
- name: Wait for Docker to start
command: docker info
become: true
changed_when: false
register: result
until: result is success
retries: 6
delay: 10
- name: Ensure containers are running after Docker upgrade
command: "docker start {{ running_containers.stdout }}"
become: true
when:
- install_result is changed
- running_containers.rc == 0
- running_containers.stdout != ''
vars:
install_result: "{{ rpm_install_result if ansible_facts.os_family == 'RedHat' else apt_install_result }}"
- import_role:
name: openstack.kolla.docker
- name: Remove packages
package:

5
roles/baremetal/tasks/main.yml
View File

@ -5,11 +5,6 @@
- import_tasks: post-install.yml
- include_tasks: configure-containerd-for-zun.yml
when:
- containerd_configure_for_zun|bool
- "'zun-cni-daemon' in group_names"
- include_tasks: configure-ceph-for-zun.yml
when:
- zun_configure_for_cinder_ceph | bool

155
roles/baremetal/tasks/post-install.yml
View File

@ -15,139 +15,6 @@
mode: 0755
become: True
- name: Ensure docker config directory exists
file:
path: /etc/docker
state: directory
become: True
- name: Merge Zun docker config
set_fact:
docker_config: "{{ docker_config | combine(docker_zun_config) }}"
when:
- docker_configure_for_zun | bool
- "'zun-compute' in group_names"
- name: Warn about deprecations
debug:
msg: >
docker_custom_option is deprecated in favor of docker_custom_config
when: docker_custom_option | length > 0
- name: Setup docker insecure registries
vars:
registries: ["{{ docker_registry }}"]
set_fact:
docker_config: "{{ docker_config | combine({'insecure-registries': registries}) }}"
when: docker_registry_insecure | bool
- name: Setup docker storage driver
set_fact:
docker_config: "{{ docker_config | combine({'storage-driver': docker_storage_driver}) }}"
when: docker_storage_driver | length > 0
- name: Setup docker runtime directory
set_fact:
docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
when: docker_runtime_directory | length > 0
- name: Warn about docker default iptables
debug:
msg: >-
Docker default iptables rules will be disabled by default from the Wallaby 12.0.0
release. If you have any non-Kolla containers that need this functionality, you should
plan a migration for this change, or set docker_disable_default_iptables_rules to false.
when: not docker_disable_default_iptables_rules | bool
- name: Disable docker default iptables rules
set_fact:
docker_config: "{{ docker_config | combine({'iptables': false}) }}"
when: docker_disable_default_iptables_rules | bool
- name: Warn about docker default networking
debug:
msg: >-
Docker default network on docker0 will be disabled by default from the
Wallaby 12.0.0 release. If you have any non-Kolla containers that need
this functionality, you should plan a migration for this change, or set
docker_disable_default_network to false.
when: not docker_disable_default_network | bool
- name: Disable docker default network on docker0
set_fact:
docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
when: docker_disable_default_network | bool
- name: Warn about docker ip_forward
debug:
msg: >-
Docker ip_forward will be disabled by default from the
Wallaby 12.0.0 release. If you have any non-Kolla containers that need
this functionality, you should plan a migration for this change, or set
docker_disable_ip_forward to false.
when: not docker_disable_ip_forward | bool
- name: Disable docker ip_forward
set_fact:
docker_config: "{{ docker_config | combine({'ip-forward': false}) }}"
when: docker_disable_ip_forward | bool
- name: Merge custom docker config
set_fact:
docker_config: "{{ docker_config | combine(docker_custom_config) }}"
- name: Write docker config
become: True
copy:
content: "{{ docker_config | to_nice_json }}"
dest: /etc/docker/daemon.json
mode: 0644
register: docker_configured
- name: Remove old docker options file
become: True
file:
path: /etc/systemd/system/docker.service.d/kolla.conf
state: absent
when:
- not docker_custom_option
- not docker_configure_for_zun | bool or 'zun-compute' not in group_names
- not docker_http_proxy
- not docker_https_proxy
- not docker_no_proxy
- name: Ensure docker service directory exists
become: True
file:
path: /etc/systemd/system/docker.service.d
state: directory
recurse: yes
when: >
docker_custom_option | length > 0 or
(docker_configure_for_zun | bool and 'zun-compute' in group_names) or
docker_http_proxy | length > 0 or
docker_https_proxy | length > 0 or
docker_no_proxy | length > 0
- name: Configure docker service
become: True
template:
src: docker_systemd_service.j2
dest: /etc/systemd/system/docker.service.d/kolla.conf
when: >
docker_custom_option | length > 0 or
(docker_configure_for_zun | bool and 'zun-compute' in group_names) or
docker_http_proxy | length > 0 or
docker_https_proxy | length > 0 or
docker_no_proxy | length > 0
- name: Reload docker service file
become: True
systemd:
name: docker
daemon_reload: yes
register: docker_reloaded
- block:
- name: Get stat of libvirtd apparmor profile
stat:
@ -173,28 +40,6 @@
- ansible_facts.distribution == "Ubuntu"
- apparmor_remove_libvirt_profile | bool
- name: Start docker
systemd:
name: docker
state: started
masked: no
become: True
- name: Restart docker
systemd:
name: docker
state: restarted
masked: no
become: True
when: docker_configured.changed or docker_reloaded.changed
- name: Enable docker
systemd:
name: docker
enabled: yes
masked: no
become: True
- name: Change state of selinux
selinux:
policy: targeted

75
roles/baremetal/tasks/pre-install.yml
View File

@ -69,78 +69,3 @@
when: cloud_init.stat.exists
become: True
when: customize_etc_hosts | bool
- block:
- block:
- name: Install apt packages
apt:
update_cache: yes
become: True
- name: Install CA certificates and gnupg packages
package:
name: "{{ item }}"
state: latest
become: True
with_items:
- ca-certificates
- gnupg
- name: Ensure apt sources list directory exists
file:
path: /etc/apt/sources.list.d
state: directory
recurse: yes
become: True
- name: Install docker apt gpg key
apt_key:
url: "{{ docker_apt_url }}/{{ docker_apt_key_file }}"
id: "{{ docker_apt_key_id }}"
state: present
become: True
- name: Enable docker apt repository
apt_repository:
repo: "{{ docker_apt_repo }}"
filename: docker
become: True
when: ansible_facts.os_family == 'Debian'
- block:
- name: Ensure yum repos directory exists
file:
path: /etc/yum.repos.d/
state: directory
recurse: yes
become: True
- name: Enable docker yum repository
yum_repository:
name: docker
description: Docker main Repository
baseurl: "{{ docker_yum_baseurl }}"
gpgcheck: "{{ docker_yum_gpgcheck | bool }}"
gpgkey: "{{ docker_yum_gpgkey }}"
become: True
# NOTE(yoctozepto): above cannot set this but we require it
# to install containerd.io due to runc being a modular package
# in CentOS 8
# see: https://bugzilla.redhat.com/show_bug.cgi?id=1734081
- name: Ensure module_hotfixes enabled for docker
lineinfile:
dest: /etc/yum.repos.d/docker.repo
regexp: "^module_hotfixes"
line: "module_hotfixes = True"
state: present
become: True
- name: Install docker rpm gpg key
rpm_key:
state: present
key: "{{ docker_yum_gpgkey }}"
become: True
when: docker_yum_gpgcheck | bool
when: ansible_facts.os_family == 'RedHat'
when: enable_docker_repo | bool

50
roles/docker/defaults/main.yml Normal file
View File

@ -0,0 +1,50 @@
---
# APT cache TTL in seconds.
apt_cache_valid_time: 3600
# Whether to enable a package repository for Docker.
enable_docker_repo: "{% if ansible_facts.distribution == 'openEuler' %}false{% else %}true{% endif %}"
# Docker APT repository configuration.
docker_apt_url: "https://download.docker.com/linux/{{ ansible_facts.distribution | lower }}"
docker_apt_repo: "deb {{ docker_apt_url }} {{ ansible_facts.distribution_release }} stable"
docker_apt_key_file: "gpg"
docker_apt_key_id: "0EBFCD88"
docker_apt_package: "docker-ce"
# Docker Yum repository configuration.
docker_yum_url: "https://download.docker.com/linux/centos"
docker_yum_baseurl: "{{ docker_yum_url }}/$releasever/$basearch/stable"
docker_yum_gpgkey: "{{ docker_yum_url }}/gpg"
docker_yum_gpgcheck: true
docker_yum_package: "{% if ansible_facts.distribution == 'openEuler' %}docker{% else %}docker-ce{% endif %}"
# List of packages to install.
docker_packages:
- "{{ docker_apt_package if ansible_facts.os_family == 'Debian' else docker_yum_package }}"
- "{% if not docker_disable_default_iptables_rules | bool %}iptables{% endif %}"
docker_storage_driver: ""
docker_custom_config: "{% if ansible_facts.distribution == 'openEuler' %}{\"exec-opts\": [\"native.umask=normal\"]}{% else %}{}{% endif %}"
docker_http_proxy: ""
docker_https_proxy: ""
docker_no_proxy: ""
docker_log_max_file: "5"
docker_log_max_size: "50m"
# Docker networking options
docker_disable_default_iptables_rules: "yes"
docker_disable_default_network: "{{ docker_disable_default_iptables_rules }}"
docker_disable_ip_forward: "{{ docker_disable_default_iptables_rules }}"
docker_runtime_directory: ""
# URL of docker registry
docker_registry:
docker_registry_insecure: false
# Whether to configure Docker and containerd for Zun.
docker_configure_for_zun: false
containerd_configure_for_zun: "{{ docker_configure_for_zun | bool }}"

101
roles/docker/tasks/config.yml Normal file
View File

@ -0,0 +1,101 @@
---
- name: Ensure docker config directory exists
file:
path: /etc/docker
state: directory
become: True
- name: Write docker config
become: True
vars:
docker_config_insecure_registries:
insecure-registries:
- "{{ docker_registry }}"
docker_config_storage_driver:
storage-driver: "{{ docker_storage_driver }}"
docker_config_runtime_directory:
data-root: "{{ docker_runtime_directory }}"
docker_config_iptables:
iptables: false
docker_config_bridge:
bridge: "none"
docker_config_ip_forward:
ip-forward: false
docker_config: >-
{{ {}
| combine(docker_zun_config if docker_configure_for_zun | bool and 'zun-compute' in group_names else {})
| combine(docker_config_insecure_registries if docker_registry_insecure | bool else {})
| combine(docker_config_storage_driver if docker_storage_driver | length > 0 else {})
| combine(docker_config_runtime_directory if docker_runtime_directory | length > 0 else {})
| combine(docker_config_iptables if docker_disable_default_iptables_rules | bool else {})
| combine(docker_config_bridge if docker_disable_default_network | bool else {})
| combine(docker_config_ip_forward if docker_disable_ip_forward | bool else {})
| combine(docker_custom_config) }}
copy:
content: "{{ docker_config | to_nice_json }}"
dest: /etc/docker/daemon.json
mode: 0644
register: docker_configured
- name: Remove old docker options file
become: True
file:
path: /etc/systemd/system/docker.service.d/kolla.conf
state: absent
when:
- not docker_configure_for_zun | bool or 'zun-compute' not in group_names
- not docker_http_proxy
- not docker_https_proxy
- not docker_no_proxy
- name: Ensure docker service directory exists
become: True
file:
path: /etc/systemd/system/docker.service.d
state: directory
recurse: yes
when: >
(docker_configure_for_zun | bool and 'zun-compute' in group_names) or
docker_http_proxy | length > 0 or
docker_https_proxy | length > 0 or
docker_no_proxy | length > 0
- name: Configure docker service
become: True
template:
src: docker_systemd_service.j2
dest: /etc/systemd/system/docker.service.d/kolla.conf
when: >
(docker_configure_for_zun | bool and 'zun-compute' in group_names) or
docker_http_proxy | length > 0 or
docker_https_proxy | length > 0 or
docker_no_proxy | length > 0
- name: Reload docker service file
become: True
systemd:
name: docker
daemon_reload: yes
register: docker_reloaded
- name: Start docker
systemd:
name: docker
state: started
masked: no
become: True
- name: Restart docker
systemd:
name: docker
state: restarted
masked: no
become: True
when: docker_configured.changed or docker_reloaded.changed
- name: Enable docker
systemd:
name: docker
enabled: yes
masked: no
become: True

0
roles/baremetal/tasks/configure-containerd-for-zun.yml → roles/docker/tasks/configure-containerd-for-zun.yml
View File

71
roles/docker/tasks/install.yml Normal file
View File

@ -0,0 +1,71 @@
---
# Upgrading docker engine may cause containers to stop. Take a snapshot of the
# running containers prior to a potential upgrade of Docker.
- name: Check which containers are running
command: docker ps -f 'status=running' -q
become: true
# If Docker is not installed this command may exit non-zero.
failed_when: false
changed_when: false
register: running_containers
# APT starts Docker engine right after installation, which creates
# iptables rules before we disable iptables in Docker config
- name: Check if docker systemd unit exists
stat:
path: /etc/systemd/system/docker.service
register: docker_unit_file
- name: Mask the docker systemd unit on Debian/Ubuntu
file:
src: /dev/null
dest: /etc/systemd/system/docker.service
owner: root
group: root
state: link
become: true
when:
- ansible_facts.os_family == 'Debian'
- not docker_unit_file.stat.exists
- name: Install packages
package:
name: "{{ docker_packages | select | list }}"
cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
update_cache: true
state: present
become: True
register: docker_install_result
# If any packages were updated, and any containers were running, wait for the
# daemon to come up and start all previously running containers.
- block:
# At some point (at least on CentOS 7) Docker CE stopped starting
# automatically after an upgrade from legacy docker . Start it manually.
- name: Start docker
systemd:
name: docker
state: started
enabled: yes
masked: no
become: True
- name: Wait for Docker to start
command: docker info
become: true
changed_when: false
register: result
until: result is success
retries: 6
delay: 10
- name: Ensure containers are running after Docker upgrade
command: "docker start {{ running_containers.stdout }}"
become: true
when:
- docker_install_result is changed
- running_containers.rc == 0
- running_containers.stdout != ''

20
roles/docker/tasks/main.yml Normal file
View File

@ -0,0 +1,20 @@
---
# TODO(mgoddard): Remove this task in the A release.
- name: Fail if docker_custom_option is defined
fail:
msg: >-
The 'docker_custom_option' variable has been removed. Please use
'docker_custom_config' instead.
when: docker_custom_option is defined
- include_tasks: "repo-{{ ansible_facts.os_family }}.yml"
when: enable_docker_repo | bool
- import_tasks: install.yml
- import_tasks: config.yml
- include_tasks: configure-containerd-for-zun.yml
when:
- containerd_configure_for_zun|bool
- "'zun-cni-daemon' in group_names"

30
roles/docker/tasks/repo-Debian.yml Normal file
View File

@ -0,0 +1,30 @@
---
- name: Install CA certificates and gnupg packages
package:
name:
- ca-certificates
- gnupg
cache_valid_time: "{{ apt_cache_valid_time if ansible_facts.os_family == 'Debian' else omit }}"
update_cache: "{{ True if ansible_facts.os_family == 'Debian' else omit }}"
state: present
become: True
- name: Ensure apt sources list directory exists
file:
path: /etc/apt/sources.list.d
state: directory
recurse: yes
become: True
- name: Install docker apt gpg key
apt_key:
url: "{{ docker_apt_url }}/{{ docker_apt_key_file }}"
id: "{{ docker_apt_key_id }}"
state: present
become: True
- name: Enable docker apt repository
apt_repository:
repo: "{{ docker_apt_repo }}"
filename: docker
become: True

27
roles/docker/tasks/repo-RedHat.yml Normal file
View File

@ -0,0 +1,27 @@
---
- name: Ensure yum repos directory exists
file:
path: /etc/yum.repos.d/
state: directory
recurse: yes
become: True
- name: Enable docker yum repository
yum_repository:
name: docker
description: Docker main Repository
baseurl: "{{ docker_yum_baseurl }}"
gpgcheck: "{{ docker_yum_gpgcheck | bool }}"
gpgkey: "{{ docker_yum_gpgkey }}"
# NOTE(yoctozepto): required to install containerd.io due to runc being a
# modular package in CentOS 8 see:
# https://bugzilla.redhat.com/show_bug.cgi?id=1734081
module_hotfixes: true
become: True
- name: Install docker rpm gpg key
rpm_key:
state: present
key: "{{ docker_yum_gpgkey }}"
become: True
when: docker_yum_gpgcheck | bool

0
roles/baremetal/templates/10-zun-cni.conf.j2 → roles/docker/templates/10-zun-cni.conf.j2
View File

0
roles/baremetal/templates/containerd_config.toml.j2 → roles/docker/templates/containerd_config.toml.j2
View File

2
roles/baremetal/templates/docker_systemd_service.j2 → roles/docker/templates/docker_systemd_service.j2
View File

@ -10,4 +10,4 @@ Environment="NO_PROXY={{ docker_no_proxy }}"
{% endif %}
ExecStart=
# ExecStart commandline copied from 'docker-ce' package. Same on CentOS/Debian/Ubuntu systems.
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock{% if docker_custom_option %} {{ docker_custom_option }}{% endif %}{% if docker_configure_for_zun|bool and 'zun-compute' in group_names %} {{ docker_zun_options }}{% endif %}
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock{% if docker_configure_for_zun|bool and 'zun-compute' in group_names %} {{ docker_zun_options }}{% endif %}

0
roles/baremetal/templates/zun-cni.j2 → roles/docker/templates/zun-cni.j2
View File

0
roles/baremetal/vars/main.yml → roles/docker/vars/main.yml
View File