From 6d619505065b7131c8999d79c8a125e144ee6bc5 Mon Sep 17 00:00:00 2001 From: Mark Goddard Date: Thu, 25 Nov 2021 14:07:29 +0000 Subject: [PATCH] Import baremetal role from kolla-ansible Role imported from kolla-ansible@646868ebf4a94583d2bc6e6441551885479a6dd9 Fixes an 'issue' found by Ansible sanity checks in the zun-cni.j2 template, replacing the shebang #!/bin/bash with #!/usr/bin/env bash. Change-Id: I0f7670e7cb418e335c6db8474c199b35e816cc16 --- roles/baremetal/defaults/main.yml | 80 ++++++ roles/baremetal/tasks/bootstrap-servers.yml | 11 + roles/baremetal/tasks/check.yml | 1 + .../tasks/configure-containerd-for-zun.yml | 50 ++++ roles/baremetal/tasks/install.yml | 162 +++++++++++ roles/baremetal/tasks/main.yml | 2 + roles/baremetal/tasks/post-install.yml | 253 ++++++++++++++++++ roles/baremetal/tasks/pre-install.yml | 159 +++++++++++ roles/baremetal/templates/10-zun-cni.conf.j2 | 5 + .../templates/containerd_config.toml.j2 | 2 + .../templates/docker_systemd_service.j2 | 13 + roles/baremetal/templates/zun-cni.j2 | 12 + roles/baremetal/vars/main.yml | 8 + 13 files changed, 758 insertions(+) create mode 100644 roles/baremetal/defaults/main.yml create mode 100644 roles/baremetal/tasks/bootstrap-servers.yml create mode 100644 roles/baremetal/tasks/check.yml create mode 100644 roles/baremetal/tasks/configure-containerd-for-zun.yml create mode 100644 roles/baremetal/tasks/install.yml create mode 100644 roles/baremetal/tasks/main.yml create mode 100644 roles/baremetal/tasks/post-install.yml create mode 100644 roles/baremetal/tasks/pre-install.yml create mode 100644 roles/baremetal/templates/10-zun-cni.conf.j2 create mode 100644 roles/baremetal/templates/containerd_config.toml.j2 create mode 100644 roles/baremetal/templates/docker_systemd_service.j2 create mode 100644 roles/baremetal/templates/zun-cni.j2 create mode 100644 roles/baremetal/vars/main.yml 
diff --git a/roles/baremetal/defaults/main.yml b/roles/baremetal/defaults/main.yml
new file mode 100644
index 0000000..bb19f40
--- /dev/null
+++ b/roles/baremetal/defaults/main.yml
@@ -0,0 +1,80 @@
+---
+# Whether to enable a package repository for Docker.
+enable_docker_repo: true
+
+# Docker APT repository configuration.
+docker_apt_url: "https://download.docker.com/linux/{{ ansible_facts.distribution | lower }}"
+docker_apt_repo: "deb {{ docker_apt_url }} {{ ansible_facts.distribution_release }} stable"
+docker_apt_key_file: "gpg"
+docker_apt_key_id: "0EBFCD88"
+docker_apt_package: "docker-ce"
+
+# Docker Yum repository configuration.
+docker_yum_url: "https://download.docker.com/linux/{{ ansible_facts.distribution | lower }}"
+docker_yum_baseurl: "{{ docker_yum_url }}/$releasever/$basearch/stable"
+docker_yum_gpgkey: "{{ docker_yum_url }}/gpg"
+docker_yum_gpgcheck: true
+docker_yum_package: "docker-ce"
+
+customize_etc_hosts: True
+
+create_kolla_user: True
+create_kolla_user_sudoers: "{{ create_kolla_user }}"
+
+kolla_user: "kolla"
+kolla_group: "kolla"
+
+change_selinux: True
+
+selinux_state: "permissive"
+
+# If true, the host firewall service (firewalld or ufw) will be disabled.
+disable_firewall: True
+
+docker_storage_driver: ""
+docker_custom_option: ""
+docker_custom_config: {}
+
+docker_http_proxy: ""
+docker_https_proxy: ""
+docker_no_proxy: ""
+
+# Version of python used to execute Ansible modules.
+host_python_version: "{{ ansible_facts.python.version.major }}.{{ ansible_facts.python.version.minor }}"
+
+debian_pkg_install:
+ - "{{ docker_apt_package }}"
+ - git
+ - "python3-setuptools"
+ - "python3-pip"
+ - "{% if virtualenv is not none %}python3-virtualenv{% endif %}"
+ - "{% if enable_multipathd|bool %}sg3-utils-udev{% endif %}"
+ - "{% if not docker_disable_default_iptables_rules | bool %}iptables{% endif %}"
+
+redhat_pkg_install:
+ - "{{ docker_yum_package }}"
+ - git
+ - "python3-pip"
+ - "{% if virtualenv is not none %}python3-virtualenv{% endif %}"
+ - sudo
+ - "{% if not docker_disable_default_iptables_rules | bool %}iptables{% endif %}"
+
+ubuntu_pkg_removals:
+ - lxd
+ - lxc
+ - libvirt-bin
+ - open-iscsi
+
+redhat_pkg_removals:
+ - libvirt
+ - libvirt-daemon
+ - iscsi-initiator-utils
+
+# Path to a virtualenv in which to install python packages. If None, a
+# virtualenv will not be used.
+virtualenv:
+
+# Whether the virtualenv will inherit packages from the global site-packages
+# directory. This is typically required for modules such as yum and apt which
+# are not available on PyPI.
+virtualenv_site_packages: True
diff --git a/roles/baremetal/tasks/bootstrap-servers.yml b/roles/baremetal/tasks/bootstrap-servers.yml
new file mode 100644
index 0000000..46f2ae1
--- /dev/null
+++ b/roles/baremetal/tasks/bootstrap-servers.yml
@@ -0,0 +1,11 @@
+---
+- import_tasks: pre-install.yml
+
+- import_tasks: install.yml
+
+- import_tasks: post-install.yml
+
+- include_tasks: configure-containerd-for-zun.yml
+ when:
+ - containerd_configure_for_zun|bool
+ - "'zun-cni-daemon' in group_names"
diff --git a/roles/baremetal/tasks/check.yml b/roles/baremetal/tasks/check.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/roles/baremetal/tasks/check.yml
@@ -0,0 +1 @@
+---
diff --git a/roles/baremetal/tasks/configure-containerd-for-zun.yml b/roles/baremetal/tasks/configure-containerd-for-zun.yml
new file mode 100644
index 0000000..b8a29d6
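Review bot: `docker_apt_key_id: "0EBFCD88"` in roles/baremetal/defaults/main.yml identifies the Docker APT signing key by its 8-hex-digit short ID, and 32-bit key IDs can be collided, so the `id:` check on the `apt_key` task in roles/baremetal/tasks/pre-install.yml does not firmly bind the downloaded key to Docker's. Use the full fingerprint published by Docker instead, i.e. `docker_apt_key_id: "<full 40-hex-digit fingerprint>"`. Separately, `disable_firewall: True` and `selinux_state: "permissive"` mean the role relaxes host controls unless the operator overrides them; a comment above each default saying so would help, for example `# NOTE: security-relevant default; set to false to leave the host firewall enabled.`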
--- /dev/null
+++ b/roles/baremetal/tasks/configure-containerd-for-zun.yml
@@ -0,0 +1,50 @@
+---
+- name: Ensuring CNI config directory exist
+ file:
+ path: "{{ cni_config_dir }}"
+ state: "directory"
+ mode: "0770"
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ become: True
+
+- name: Copying CNI config file
+ template:
+ src: "10-zun-cni.conf.j2"
+ dest: "{{ cni_config_dir }}/10-zun-cni.conf"
+ mode: "0660"
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ become: True
+ register: cni_configured
+
+- name: Ensuring CNI bin directory exist
+ file:
+ path: "{{ cni_bin_dir }}"
+ state: "directory"
+ mode: "0770"
+ owner: "{{ config_owner_user }}"
+ group: "{{ config_owner_group }}"
+ become: True
+
+- name: Copy zun-cni script
+ template:
+ src: "zun-cni.j2"
+ dest: "{{ cni_bin_dir }}/zun-cni"
+ mode: "0775"
+ become: True
+
+- name: Copying over containerd config
+ template:
+ src: "containerd_config.toml.j2"
+ dest: "/etc/containerd/config.toml"
+ mode: "0660"
+ become: true
+ register: containerd_configured
+
+- name: Restart containerd
+ service:
+ name: containerd
+ state: restarted
+ become: True
+ when: cni_configured.changed or containerd_configured.changed
diff --git a/roles/baremetal/tasks/install.yml b/roles/baremetal/tasks/install.yml
new file mode 100644
index 0000000..adb9043
--- /dev/null
+++ b/roles/baremetal/tasks/install.yml
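Review bot: In roles/baremetal/tasks/configure-containerd-for-zun.yml the "Ensuring CNI bin directory exist" task hands `{{ cni_bin_dir }}` (set to /opt/cni/bin in vars/main.yml) to `config_owner_user`/`config_owner_group` with mode `"0770"`, and "Copy zun-cni script" installs the plugin group-writable (`"0775"`) with no explicit owner. Plugins in that directory are executed by the container runtime, presumably as root, so any account able to write there can replace what gets run; `config_owner_user` is defined outside this patch, so confirm it is root or equally trusted. I would set `owner: root`, `group: root`, `mode: "0755"` on both the directory and the script. Also worth a comment: "Copying over containerd config" replaces /etc/containerd/config.toml wholesale with the two-line template, so any existing containerd settings on the host are dropped.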
@@ -0,0 +1,162 @@
+---
+- name: Update apt cache
+ apt:
+ update_cache: yes
+ become: True
+ when: ansible_facts.os_family == 'Debian'
+
+# TODO(inc0): Gates don't seem to have ufw executable, check for it instead of ignore errors
+- block:
+ - name: Set firewall default policy
+ become: True
+ ufw:
+ state: disabled
+ policy: allow
+ when: ansible_facts.os_family == 'Debian'
+ ignore_errors: yes
+
+ - name: Check if firewalld is installed
+ command: rpm -q firewalld
+ register: firewalld_check
+ changed_when: false
+ failed_when: firewalld_check.rc > 1
+ args:
+ warn: false
+ when: ansible_facts.os_family == 'RedHat'
+
+ - name: Disable firewalld
+ become: True
+ service:
+ name: "{{ item }}"
+ enabled: false
+ state: stopped
+ with_items:
+ - firewalld
+ when:
+ - ansible_facts.os_family == 'RedHat'
+ - firewalld_check.rc == 0
+ when: disable_firewall | bool
+
+# Upgrading docker engine may cause containers to stop. Take a snapshot of the
+# running containers prior to a potential upgrade of Docker.
+
+- name: Check which containers are running
+ command: docker ps -f 'status=running' -q
+ become: true
+ # If Docker is not installed this command may exit non-zero.
+ failed_when: false
+ changed_when: false
+ register: running_containers
+
+# APT starts Docker engine right after installation, which creates
+# iptables rules before we disable iptables in Docker config
+
+- name: Check if docker systemd unit exists
+ stat:
+ path: /etc/systemd/system/docker.service
+ register: docker_unit_file
+
+- name: Mask the docker systemd unit on Debian/Ubuntu
+ file:
+ src: /dev/null
+ dest: /etc/systemd/system/docker.service
+ owner: root
+ group: root
+ state: link
+ become: true
+ when:
+ - ansible_facts.os_family == 'Debian'
+ - not docker_unit_file.stat.exists
+
+- name: Install apt packages
+ package:
+ name: "{{ (debian_pkg_install | join(' ')).split() }}"
+ state: present
+ become: True
+ when: ansible_facts.os_family == 'Debian'
+ register: apt_install_result
+
+- name: Install deltarpm packages
+ package:
+ name: drpm
+ state: present
+ update_cache: yes
+ become: True
+ when: ansible_facts.os_family == 'RedHat'
+
+- name: Install RPM packages
+ package:
+ name: "{{ (redhat_pkg_install | join(' ')).split() }}"
+ state: present
+ update_cache: yes
+ become: True
+ when: ansible_facts.os_family == 'RedHat'
+ register: rpm_install_result
+
+# If any packages were updated, and any containers were running, wait for the
+# daemon to come up and start all previously running containers.
+
+- block:
+ # At some point (at least on CentOS 7) Docker CE stopped starting
+ # automatically after an upgrade from legacy docker . Start it manually.
+ - name: Start docker
+ systemd:
+ name: docker
+ state: started
+ enabled: yes
+ masked: no
+ become: True
+
+ - name: Wait for Docker to start
+ command: docker info
+ become: true
+ changed_when: false
+ register: result
+ until: result is success
+ retries: 6
+ delay: 10
+
+ - name: Ensure containers are running after Docker upgrade
+ command: "docker start {{ running_containers.stdout }}"
+ become: true
+ when:
+ - install_result is changed
+ - running_containers.rc == 0
+ - running_containers.stdout != ''
+ vars:
+ install_result: "{{ rpm_install_result if ansible_facts.os_family == 'RedHat' else apt_install_result }}"
+
+- name: Install latest pip in the virtualenv
+ pip:
+ # NOTE(hrw) pip 19.3 is first version complaining about being run with Python 2
+ name: pip>19.3
+ virtualenv: "{{ virtualenv }}"
+ virtualenv_site_packages: "{{ virtualenv_site_packages }}"
+ virtualenv_python: "python{{ host_python_version }}"
+ become: True
+ when: virtualenv is not none
+
+- name: Install docker SDK for python
+ pip:
+ # NOTE(hrw) docker 2.4.2 is in kolla-ansible requirements
+ # NOTE(mnasiadka): docker 5.0.0 lacks six in deps but requires it
+ name: docker>=2.4.2,<5.0.0
+ executable: "{{ virtualenv is none | ternary('pip3', omit) }}"
+ virtualenv: "{{ virtualenv is none | ternary(omit, virtualenv) }}"
+ virtualenv_site_packages: "{{ virtualenv is none | ternary(omit, virtualenv_site_packages) }}"
+ virtualenv_python: "{{ virtualenv is none | ternary(omit, 'python' ~ host_python_version) }}"
+ become: True
+
+- name: Remove packages
+ package:
+ name: "{{ (ubuntu_pkg_removals | join(' ')).split() }}"
+ state: absent
+ become: True
+ when: ansible_facts.os_family == 'Debian'
+
+- name: Remove packages
+ package:
+ name: "{{ (redhat_pkg_removals | join(' ')).split() }}"
+ state: absent
+ become: True
+ when: ansible_facts.os_family == 'RedHat'
diff --git a/roles/baremetal/tasks/main.yml b/roles/baremetal/tasks/main.yml
new file mode 100644
index 0000000..bc5d1e6
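Review bot: In roles/baremetal/tasks/install.yml, `ignore_errors: yes` on "Set firewall default policy" hides every failure of the `ufw` task, not only a missing executable, so the play reports success whether or not the firewall state actually changed. The TODO above the block already asks for an existence check: register a lookup such as `command -v ufw` with `failed_when: false` and `changed_when: false`, then gate the `ufw` task on its return code with `when:` so that real errors surface. A comment on the block should also say that it turns the host firewall off and leaves the default policy at `allow`, since `disable_firewall` defaults to `True` in defaults/main.yml. The `args: warn: false` on the `rpm -q firewalld` task relies on a `command` parameter that later ansible-core releases deprecated; check it against the Ansible versions this repository supports.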
--- /dev/null
+++ b/roles/baremetal/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- include_tasks: "{{ kolla_action }}.yml"
diff --git a/roles/baremetal/tasks/post-install.yml b/roles/baremetal/tasks/post-install.yml
new file mode 100644
index 0000000..55d31d8
--- /dev/null
+++ b/roles/baremetal/tasks/post-install.yml
@@ -0,0 +1,253 @@
+---
+- name: Create kolla user
+ user:
+ name: "{{ kolla_user }}"
+ state: present
+ group: "{{ kolla_group }}"
+ groups: "sudo"
+ append: true
+ become: True
+ when: create_kolla_user | bool
+
+- name: Add public key to kolla user authorized keys
+ authorized_key:
+ user: "{{ kolla_user }}"
+ key: "{{ kolla_ssh_key.public_key }}"
+ become: True
+ when: create_kolla_user | bool
+
+- name: Grant kolla user passwordless sudo
+ lineinfile:
+ dest: /etc/sudoers.d/kolla-ansible-users
+ state: present
+ create: yes
+ mode: '0640'
+ regexp: '^{{ kolla_user }}'
+ line: '{{ kolla_user }} ALL=(ALL) NOPASSWD: ALL'
+ become: True
+ when: create_kolla_user_sudoers | bool
+
+- name: Ensure virtualenv has correct ownership
+ file:
+ path: "{{ virtualenv }}"
+ recurse: True
+ state: directory
+ owner: "{{ kolla_user }}"
+ group: "{{ kolla_group }}"
+ become: True
+ when: virtualenv is not none
+
+- name: Ensure node_config_directory directory exists for user kolla
+ file:
+ path: "{{ node_config_directory }}"
+ state: directory
+ owner: "{{ kolla_user }}"
+ group: "{{ kolla_group }}"
+ mode: 0755
+ become: True
+ when: create_kolla_user | bool
+
+- name: Ensure node_config_directory directory exists
+ file:
+ path: "{{ node_config_directory }}"
+ state: directory
+ mode: 0755
+ become: True
+ when: not create_kolla_user | bool
+
+- name: Ensure docker config directory exists
+ file:
+ path: /etc/docker
+ state: directory
+ become: True
+
+- name: Merge Zun docker config
+ set_fact:
+ docker_config: "{{ docker_config | combine(docker_zun_config) }}"
+ when:
+ - docker_configure_for_zun | bool
+ - "'zun-compute' in group_names"
+
+- name: Warn about deprecations
+ debug:
+ msg: >
+ docker_custom_option is deprecated in favor of docker_custom_config
+ when: docker_custom_option | length > 0
+
+- name: Setup docker insecure registries
+ vars:
+ registries: ["{{ docker_registry }}"]
+ set_fact:
+ docker_config: "{{ docker_config | combine({'insecure-registries':
registries}) }}"
+ when: docker_registry_insecure | bool
+
+- name: Setup docker storage driver
+ set_fact:
+ docker_config: "{{ docker_config | combine({'storage-driver': docker_storage_driver}) }}"
+ when: docker_storage_driver | length > 0
+
+- name: Setup docker runtime directory
+ set_fact:
+ docker_config: "{{ docker_config | combine({'data-root': docker_runtime_directory}) }}"
+ when: docker_runtime_directory | length > 0
+
+- name: Warn about docker default iptables
+ debug:
+ msg: >-
+ Docker default iptables rules will be disabled by default from the Wallaby 12.0.0
+ release. If you have any non-Kolla containers that need this functionality, you should
+ plan a migration for this change, or set docker_disable_default_iptables_rules to false.
+ when: not docker_disable_default_iptables_rules | bool
+
+- name: Disable docker default iptables rules
+ set_fact:
+ docker_config: "{{ docker_config | combine({'iptables': false}) }}"
+ when: docker_disable_default_iptables_rules | bool
+
+- name: Warn about docker default networking
+ debug:
+ msg: >-
+ Docker default network on docker0 will be disabled by default from the
+ Wallaby 12.0.0 release. If you have any non-Kolla containers that need
+ this functionality, you should plan a migration for this change, or set
+ docker_disable_default_network to false.
+ when: not docker_disable_default_network | bool
+
+- name: Disable docker default network on docker0
+ set_fact:
+ docker_config: "{{ docker_config | combine({'bridge': 'none'}) }}"
+ when: docker_disable_default_network | bool
+
+- name: Warn about docker ip_forward
+ debug:
+ msg: >-
+ Docker ip_forward will be disabled by default from the
+ Wallaby 12.0.0 release. If you have any non-Kolla containers that need
+ this functionality, you should plan a migration for this change, or set
+ docker_disable_ip_forward to false.
+ when: not docker_disable_ip_forward | bool
+
+- name: Disable docker ip_forward
+ set_fact:
+ docker_config: "{{ docker_config | combine({'ip-forward': false}) }}"
+ when: docker_disable_ip_forward | bool
+
+- name: Merge custom docker config
+ set_fact:
+ docker_config: "{{ docker_config | combine(docker_custom_config) }}"
+
+- name: Write docker config
+ become: True
+ copy:
+ content: "{{ docker_config | to_nice_json }}"
+ dest: /etc/docker/daemon.json
+ mode: 0644
+ register: docker_configured
+
+- name: Remove old docker options file
+ become: True
+ file:
+ path: /etc/systemd/system/docker.service.d/kolla.conf
+ state: absent
+ when:
+ - not docker_custom_option
+ - not docker_configure_for_zun | bool or 'zun-compute' not in group_names
+ - not docker_http_proxy
+ - not docker_https_proxy
+ - not docker_no_proxy
+
+- name: Ensure docker service directory exists
+ become: True
+ file:
+ path: /etc/systemd/system/docker.service.d
+ state: directory
+ recurse: yes
+ when: >
+ docker_custom_option | length > 0 or
+ (docker_configure_for_zun | bool and 'zun-compute' in group_names) or
+ docker_http_proxy | length > 0 or
+ docker_https_proxy | length > 0 or
+ docker_no_proxy | length > 0
+
+- name: Configure docker service
+ become: True
+ template:
+ src: docker_systemd_service.j2
+ dest: /etc/systemd/system/docker.service.d/kolla.conf
+ when: >
+ docker_custom_option | length > 0 or
+ (docker_configure_for_zun | bool and 'zun-compute' in group_names) or
+ docker_http_proxy | length > 0 or
+ docker_https_proxy | length > 0 or
+ docker_no_proxy | length > 0
+
+- name: Reload docker service file
+ become: True
+ systemd:
+ name: docker
+ daemon_reload: yes
+ register: docker_reloaded
+
+- name: Get stat of libvirtd apparmor profile
+ stat:
+ path: /etc/apparmor.d/usr.sbin.libvirtd
+ register: apparmor_libvirtd_profile
+ when: ansible_facts.distribution == "Ubuntu"
+
+- name: Get stat of libvirtd apparmor disable profile
+ stat:
+ path:
/etc/apparmor.d/disable/usr.sbin.libvirtd
+ register: apparmor_libvirtd_disable_profile
+ when: ansible_facts.distribution == "Ubuntu"
+
+- name: Remove apparmor profile for libvirt
+ command: apparmor_parser -R /etc/apparmor.d/usr.sbin.libvirtd
+ become: True
+ when:
+ - ansible_facts.distribution == "Ubuntu"
+ - apparmor_libvirtd_profile.stat.exists
+ - not apparmor_libvirtd_disable_profile.stat.exists
+
+- name: Create docker group
+ group:
+ name: docker
+ become: True
+
+- name: Add kolla user to docker group
+ user:
+ name: "{{ kolla_user }}"
+ append: yes
+ groups: docker
+ become: True
+ when: create_kolla_user | bool
+
+- name: Start docker
+ systemd:
+ name: docker
+ state: started
+ masked: no
+ become: True
+
+- name: Restart docker
+ systemd:
+ name: docker
+ state: restarted
+ masked: no
+ become: True
+ when: docker_configured.changed or docker_reloaded.changed
+
+- name: Enable docker
+ systemd:
+ name: docker
+ enabled: yes
+ masked: no
+ become: True
+
+- name: Change state of selinux
+ selinux:
+ policy: targeted
+ state: "{{ selinux_state }}"
+ become: true
+ when:
+ - change_selinux | bool
+ - ansible_facts.os_family == "RedHat"
diff --git a/roles/baremetal/tasks/pre-install.yml b/roles/baremetal/tasks/pre-install.yml
new file mode 100644
index 0000000..97308cf
--- /dev/null
+++ b/roles/baremetal/tasks/pre-install.yml
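Review bot: In roles/baremetal/tasks/post-install.yml, "Grant kolla user passwordless sudo" edits /etc/sudoers.d/kolla-ansible-users with `lineinfile` but no `validate`, so an unexpected `kolla_user` value can leave a fragment that sudo refuses to parse; add `validate: 'visudo -cf %s'`. The `regexp: '^{{ kolla_user }}'` is an unescaped prefix match and would also rewrite the entry of any user whose name merely starts with the same string; `regexp: '^{{ kolla_user | regex_escape }}\s'` is tighter, and `mode: '0440'` matches the usual sudoers permissions. Combined with `groups: "sudo"` on "Create kolla user" and the later "Add kolla user to docker group" task, the key in `kolla_ssh_key.public_key` becomes a root-equivalent credential on every host, which deserves a comment at the top of the file. The file modes written as `mode: 0755` and `mode: 0644` would be safer quoted, as the other task files in this patch do.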
@@ -0,0 +1,159 @@
+---
+- name: Ensure localhost in /etc/hosts
+ lineinfile:
+ dest: /etc/hosts
+ regexp: "^127.0.0.1.*"
+ line: "127.0.0.1 localhost"
+ state: present
+ become: True
+ when: customize_etc_hosts | bool
+
+# NOTE(mgoddard): Ubuntu may include a line in /etc/hosts that makes the local
+# hostname and fqdn point to 127.0.1.1. This can break
+# RabbitMQ, which expects the hostname to resolve to the API network address.
+# Remove the troublesome entry.
+# see https://bugs.launchpad.net/kolla-ansible/+bug/1837699
+# and https://bugs.launchpad.net/kolla-ansible/+bug/1862739
+- name: Ensure hostname does not point to 127.0.1.1 in /etc/hosts
+ lineinfile:
+ dest: /etc/hosts
+ regexp: "^127.0.1.1\\b.*\\s{{ ansible_facts.hostname }}\\b"
+ state: absent
+ become: True
+ when: customize_etc_hosts | bool
+
+- name: Generate /etc/hosts for all of the nodes
+ blockinfile:
+ dest: /etc/hosts
+ marker: "# {mark} ANSIBLE GENERATED HOSTS"
+ block: |
+ {% for host in groups['baremetal'] %}
+ {% set api_interface = hostvars[host]['api_interface'] %}
+ {% if host not in groups['bifrost'] or api_interface in hostvars[host].ansible_facts %}
+ {% set hostnames = [hostvars[host].ansible_facts.nodename, hostvars[host].ansible_facts.hostname] %}
+ {{ 'api' | kolla_address(host) }} {{ hostnames | unique | join(' ') }}
+ {% endif %}
+ {% endfor %}
+ become: True
+ when:
+ - customize_etc_hosts | bool
+ # Skip hosts in the bifrost group that do not have a valid api_interface.
+ - inventory_hostname not in groups['bifrost'] or
+ hostvars[inventory_hostname]['api_interface'] | replace('-', '_') in hostvars[inventory_hostname].ansible_facts
+
+- name: Ensure unprivileged users can use ping
+ become: true
+ sysctl:
+ name: net.ipv4.ping_group_range
+ value: '0 2147483647'
+ state: present
+ sysctl_file: "{{ kolla_sysctl_conf_path }}"
+ when: ansible_facts.os_family == 'RedHat'
+
+# NOTE(osmanlicilegi): The distribution might come with cloud-init installed, and manage_etc_hosts
+# configuration enabled. If so, it will override the file /etc/hosts from cloud-init templates at
+# every boot, which will break RabbitMQ. To prevent this happens, first we check whether cloud-init
+# has been installed, and then set manage_etc_hosts to false.
+- name: Check whether cloud-init has been installed, and ensure manage_etc_hosts is disabled
+ block:
+ - name: Ensure /etc/cloud/cloud.cfg exists
+ stat:
+ path: /etc/cloud/cloud.cfg
+ register: cloud_init
+
+ - name: Disable cloud-init manage_etc_hosts
+ copy:
+ content: "manage_etc_hosts: false"
+ dest: /etc/cloud/cloud.cfg.d/99-kolla.cfg
+ mode: "0660"
+ when: cloud_init.stat.exists
+ become: True
+ when: customize_etc_hosts | bool
+
+- name: Ensure sudo group is present
+ group:
+ name: sudo
+ state: present
+ become: True
+
+- name: Ensure kolla group is present
+ group:
+ name: "{{ kolla_group }}"
+ state: present
+ become: True
+ when: create_kolla_user | bool
+
+- block:
+ - block:
+ - name: Install apt packages
+ apt:
+ update_cache: yes
+ become: True
+
+ - name: Install CA certificates and gnupg packages
+ package:
+ name: "{{ item }}"
+ state: latest
+ become: True
+ with_items:
+ - ca-certificates
+ - gnupg
+
+ - name: Ensure apt sources list directory exists
+ file:
+ path: /etc/apt/sources.list.d
+ state: directory
+ recurse: yes
+ become: True
+
+ - name: Install docker apt gpg key
+ apt_key:
+ url: "{{ docker_apt_url }}/{{ docker_apt_key_file }}"
+ id: "{{ docker_apt_key_id }}"
+ state:
present
+ become: True
+
+ - name: Enable docker apt repository
+ apt_repository:
+ repo: "{{ docker_apt_repo }}"
+ filename: docker
+ become: True
+ when: ansible_facts.os_family == 'Debian'
+
+ - block:
+ - name: Ensure yum repos directory exists
+ file:
+ path: /etc/yum.repos.d/
+ state: directory
+ recurse: yes
+ become: True
+
+ - name: Enable docker yum repository
+ yum_repository:
+ name: docker
+ description: Docker main Repository
+ baseurl: "{{ docker_yum_baseurl }}"
+ gpgcheck: "{{ docker_yum_gpgcheck | bool }}"
+ gpgkey: "{{ docker_yum_gpgkey }}"
+ become: True
+
+ # NOTE(yoctozepto): above cannot set this but we require it
+ # to install containerd.io due to runc being a modular package
+ # in CentOS 8
+ # see: https://bugzilla.redhat.com/show_bug.cgi?id=1734081
+ - name: Ensure module_hotfixes enabled for docker
+ lineinfile:
+ dest: /etc/yum.repos.d/docker.repo
+ regexp: "^module_hotfixes"
+ line: "module_hotfixes = True"
+ state: present
+ become: True
+
+ - name: Install docker rpm gpg key
+ rpm_key:
+ state: present
+ key: "{{ docker_yum_gpgkey }}"
+ become: True
+ when: docker_yum_gpgcheck | bool
+ when: ansible_facts.os_family == 'RedHat'
+ when: enable_docker_repo | bool
diff --git a/roles/baremetal/templates/10-zun-cni.conf.j2 b/roles/baremetal/templates/10-zun-cni.conf.j2
new file mode 100644
index 0000000..99a8398
--- /dev/null
+++ b/roles/baremetal/templates/10-zun-cni.conf.j2
@@ -0,0 +1,5 @@
+{
+ "cniVersion": "0.3.1",
+ "name": "zun",
+ "type": "zun-cni"
+}
diff --git a/roles/baremetal/templates/containerd_config.toml.j2 b/roles/baremetal/templates/containerd_config.toml.j2
new file mode 100644
index 0000000..1fa5dd8
--- /dev/null
+++ b/roles/baremetal/templates/containerd_config.toml.j2
@@ -0,0 +1,2 @@
+[grpc]
+ gid = {{ containerd_grpc_gid }}
diff --git a/roles/baremetal/templates/docker_systemd_service.j2 b/roles/baremetal/templates/docker_systemd_service.j2
new file mode 100644
index 0000000..f10beaf
--- /dev/null
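Review bot: In roles/baremetal/tasks/pre-install.yml, "Install docker apt gpg key" uses `apt_key`, which adds the key to APT's global trusted keyring, so the Docker key is then accepted for packages from every configured repository rather than only download.docker.com. Storing the key in its own file and naming it with `signed-by=` in the repository line limits that trust to the Docker repository; this also changes `docker_apt_repo` in defaults/main.yml, as sketched below. An ASCII-armoured key file in `signed-by` needs a reasonably recent apt, so check this against the distributions the role supports. On the RedHat side, `gpgcheck` follows `docker_yum_gpgcheck`, and a comment there should say that setting it to false installs Docker packages without signature verification. The enclosing `block` starts earlier in the file and is not repeated in the excerpt.

```yaml
    - name: Ensure apt keyrings directory exists
      file:
        path: /etc/apt/keyrings
        state: directory
        mode: "0755"
      become: True

    - name: Install docker apt gpg key
      get_url:
        url: "{{ docker_apt_url }}/{{ docker_apt_key_file }}"
        dest: /etc/apt/keyrings/docker.asc
        mode: "0644"
        # Optionally pin the key file: checksum: "sha256:<digest of the published key>"
      become: True

    # ... unchanged: "Enable docker apt repository" task ...

# roles/baremetal/defaults/main.yml
docker_apt_repo: "deb [signed-by=/etc/apt/keyrings/docker.asc] {{ docker_apt_url }} {{ ansible_facts.distribution_release }} stable"
```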
+++ b/roles/baremetal/templates/docker_systemd_service.j2
@@ -0,0 +1,13 @@
+[Service]
+{% if docker_http_proxy | length > 0 %}
+Environment="HTTP_PROXY={{ docker_http_proxy }}"
+{% endif %}
+{% if docker_https_proxy | length > 0 %}
+Environment="HTTPS_PROXY={{ docker_https_proxy }}"
+{% endif %}
+{% if docker_no_proxy | length > 0 %}
+Environment="NO_PROXY={{ docker_no_proxy }}"
+{% endif %}
+ExecStart=
+# ExecStart commandline copied from 'docker-ce' package. Same on CentOS/Debian/Ubuntu systems.
+ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock{% if docker_custom_option %} {{ docker_custom_option }}{% endif %}{% if docker_configure_for_zun|bool and 'zun-compute' in group_names %} {{ docker_zun_options }}{% endif %}
diff --git a/roles/baremetal/templates/zun-cni.j2 b/roles/baremetal/templates/zun-cni.j2
new file mode 100644
index 0000000..4e734bb
--- /dev/null
+++ b/roles/baremetal/templates/zun-cni.j2
@@ -0,0 +1,12 @@
+#!/usr/bin/env bash
+
+env_list=""
+for line in $(env | grep "CNI_")
+do
+ key=$(echo "$line" | cut -d "=" -f 1)
+ value=$(echo "$line" | cut -d "=" -f 2-)
+ env_list="$env_list --env ${key}=\"${value}\""
+done
+
+cmd="docker exec -i $env_list zun_cni_daemon zun-cni <&0"
+eval "$cmd"
diff --git a/roles/baremetal/vars/main.yml b/roles/baremetal/vars/main.yml
new file mode 100644
index 0000000..cafc448
--- /dev/null
+++ b/roles/baremetal/vars/main.yml
@@ -0,0 +1,8 @@
+---
+docker_config:
+ log-opts:
+ max-file: "{{ docker_log_max_file }}"
+ max-size: "{{ docker_log_max_size }}"
+
+cni_config_dir: /etc/cni/net.d
+cni_bin_dir: /opt/cni/bin
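Review bot: In roles/baremetal/templates/zun-cni.j2, `eval "$cmd"` re-parses every CNI_ value as shell source, so a value containing quotes, `$` or backticks changes the command that is executed. The script is invoked by the container runtime, so this is a command-injection risk wherever a CNI_ variable carries externally influenced data (CNI_ARGS may; confirm against how Zun populates it). The `for line in $(env | grep "CNI_")` loop also splits on whitespace and matches `CNI_` anywhere in a line, so values with spaces are mangled and unrelated variables can be forwarded. Passing the variables as an argument array and calling docker directly removes both problems without `eval`. The file is rendered by Jinja, so any rewrite must avoid the `{#`, `{{` and `{%` sequences.

```shell
#!/usr/bin/env bash

env_args=()
# NUL-delimited so values containing spaces or newlines stay intact.
while IFS= read -r -d '' entry; do
    if [[ $entry == CNI_* ]]; then
        env_args+=(--env "$entry")
    fi
done < <(env -0)

# stdin is inherited, so the CNI config on stdin still reaches zun-cni.
exec docker exec -i "${env_args[@]}" zun_cni_daemon zun-cni
```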