update

2023-05-30 14:44:26 +09:00
parent 9a3174deef
commit 4c32a7239d
2598 changed files with 164595 additions and 487 deletions
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/handlers/main.yml
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/handlers/main.yml
@@ -0,0 +1,35 @@
+---
+- name: restart and enable cri-dockerd
+  command: /bin/true
+  notify:
+    - cri-dockerd | reload systemd
+    - cri-dockerd | restart docker.service
+    - cri-dockerd | reload cri-dockerd.socket
+    - cri-dockerd | reload cri-dockerd.service
+    - cri-dockerd | enable cri-dockerd service
+
+- name: cri-dockerd | reload systemd
+  systemd:
+    name: cri-dockerd
+    daemon_reload: true
+    masked: no
+
+- name: cri-dockerd | restart docker.service
+  service:
+    name: docker.service
+    state: restarted
+
+- name: cri-dockerd | reload cri-dockerd.socket
+  service:
+    name: cri-dockerd.socket
+    state: restarted
+
+- name: cri-dockerd | reload cri-dockerd.service
+  service:
+    name: cri-dockerd.service
+    state: restarted
+
+- name: cri-dockerd | enable cri-dockerd service
+  service:
+    name: cri-dockerd.service
+    enabled: yes
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/meta/main.yml
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+  - role: container-engine/docker
+  - role: container-engine/crictl
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/converge.yml
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/converge.yml
@@ -0,0 +1,9 @@
+---
+- name: Converge
+  hosts: all
+  become: true
+  vars:
+    container_manager: docker
+  roles:
+    - role: kubespray-defaults
+    - role: container-engine/cri-dockerd
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/files/10-mynet.conf
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/files/10-mynet.conf
@@ -0,0 +1,17 @@
+{
+  "cniVersion": "0.2.0",
+  "name": "mynet",
+  "type": "bridge",
+  "bridge": "cni0",
+  "isGateway": true,
+  "ipMasq": true,
+  "ipam": {
+    "type": "host-local",
+    "subnet": "172.19.0.0/24",
+    "routes": [
+      {
+        "dst": "0.0.0.0/0"
+      }
+    ]
+  }
+}
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/files/container.json
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/files/container.json
@@ -0,0 +1,10 @@
+{
+  "metadata": {
+    "name": "cri-dockerd1"
+  },
+  "image": {
+    "image": "quay.io/kubespray/hello-world:latest"
+  },
+  "log_path": "cri-dockerd1.0.log",
+  "linux": {}
+}
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/files/sandbox.json
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/files/sandbox.json
@@ -0,0 +1,10 @@
+{
+  "metadata": {
+    "name": "cri-dockerd1",
+    "namespace": "default",
+    "attempt": 1,
+    "uid": "hdishd83djaidwnduwk28bcsb"
+  },
+  "linux": {},
+  "log_directory": "/tmp"
+}
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/molecule.yml
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/molecule.yml
@@ -0,0 +1,45 @@
+---
+driver:
+  name: vagrant
+  provider:
+    name: libvirt
+    options:
+      driver: kvm
+lint: |
+  set -e
+  yamllint -c ../../../.yamllint .
+platforms:
+  - name: almalinux8
+    box: almalinux/8
+    cpus: 1
+    memory: 1024
+    nested: true
+    groups:
+      - kube_control_plane
+  - name: ubuntu20
+    box: generic/ubuntu2004
+    cpus: 1
+    memory: 1024
+    nested: true
+    groups:
+      - kube_control_plane
+provisioner:
+  name: ansible
+  env:
+    ANSIBLE_ROLES_PATH: ../../../../
+  config_options:
+    defaults:
+      callbacks_enabled: profile_tasks
+      timeout: 120
+  lint:
+    name: ansible-lint
+    options:
+      c: ../../../.ansible-lint
+  inventory:
+    group_vars:
+      all:
+        become: true
+verifier:
+  name: testinfra
+  lint:
+    name: flake8
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/prepare.yml
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/prepare.yml
@@ -0,0 +1,47 @@
+---
+- name: Prepare
+  hosts: all
+  become: true
+  roles:
+    - role: kubespray-defaults
+    - role: bootstrap-os
+    - role: adduser
+      user: "{{ addusers.kube }}"
+  tasks:
+    - include_tasks: "../../../../download/tasks/download_file.yml"
+      vars:
+        download: "{{ download_defaults | combine(downloads.cni) }}"
+
+- name: Prepare container runtime
+  hosts: all
+  become: true
+  vars:
+    container_manager: containerd
+    kube_network_plugin: cni
+  roles:
+    - role: kubespray-defaults
+    - role: network_plugin/cni
+  tasks:
+    - name: Copy test container files
+      copy:
+        src: "{{ item }}"
+        dest: "/tmp/{{ item }}"
+        owner: root
+        mode: 0644
+      with_items:
+        - container.json
+        - sandbox.json
+    - name: Create /etc/cni/net.d directory
+      file:
+        path: /etc/cni/net.d
+        state: directory
+        owner: "{{ kube_owner }}"
+        mode: 0755
+    - name: Setup CNI
+      copy:
+        src: "{{ item }}"
+        dest: "/etc/cni/net.d/{{ item }}"
+        owner: root
+        mode: 0644
+      with_items:
+        - 10-mynet.conf
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/tests/test_default.py
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/molecule/default/tests/test_default.py
@@ -0,0 +1,19 @@
+import os
+
+import testinfra.utils.ansible_runner
+
+testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner(
+    os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all')
+
+
+def test_run_pod(host):
+    run_command = "/usr/local/bin/crictl run --with-pull /tmp/container.json /tmp/sandbox.json"
+    with host.sudo():
+        cmd = host.command(run_command)
+    assert cmd.rc == 0
+
+    with host.sudo():
+      log_f = host.file("/tmp/cri-dockerd1.0.log")
+
+      assert log_f.exists
+      assert b"Hello from Docker" in log_f.content
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/tasks/main.yml
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/tasks/main.yml
@@ -0,0 +1,28 @@
+---
+- name: runc | Download cri-dockerd binary
+  include_tasks: "../../../download/tasks/download_file.yml"
+  vars:
+    download: "{{ download_defaults | combine(downloads.cri_dockerd) }}"
+
+- name: Copy cri-dockerd binary from download dir
+  copy:
+    src: "{{ local_release_dir }}/cri-dockerd"
+    dest: "{{ bin_dir }}/cri-dockerd"
+    mode: 0755
+    remote_src: true
+  notify:
+    - restart and enable cri-dockerd
+
+- name: Generate cri-dockerd systemd unit files
+  template:
+    src: "{{ item }}.j2"
+    dest: "/etc/systemd/system/{{ item }}"
+    mode: 0644
+  with_items:
+    - cri-dockerd.service
+    - cri-dockerd.socket
+  notify:
+    - restart and enable cri-dockerd
+
+- name: Flush handlers
+  meta: flush_handlers
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/templates/cri-dockerd.service.j2
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/templates/cri-dockerd.service.j2
@@ -0,0 +1,40 @@
+[Unit]
+Description=CRI Interface for Docker Application Container Engine
+Documentation=https://docs.mirantis.com
+After=network-online.target firewalld.service docker.service
+Wants=network-online.target docker.service
+Requires=cri-dockerd.socket
+
+[Service]
+Type=notify
+ExecStart={{ bin_dir }}/cri-dockerd --container-runtime-endpoint {{ cri_socket }} --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --network-plugin=cni --pod-cidr={{ kube_pods_subnet }} --pod-infra-container-image={{ pod_infra_image_repo }}:{{ pod_infra_version }} {% if enable_dual_stack_networks %}--ipv6-dual-stack=True{% endif %}
+
+ExecReload=/bin/kill -s HUP $MAINPID
+TimeoutSec=0
+RestartSec=2
+Restart=always
+
+# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229.
+# Both the old, and new location are accepted by systemd 229 and up, so using the old location
+# to make them work for either version of systemd.
+StartLimitBurst=3
+
+# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230.
+# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make
+# this option work for either version of systemd.
+StartLimitInterval=60s
+
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=infinity
+LimitNPROC=infinity
+LimitCORE=infinity
+
+# Comment TasksMax if your systemd version does not support it.
+# Only systemd 226 and above support this option.
+TasksMax=infinity
+Delegate=yes
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
--- a/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/templates/cri-dockerd.socket.j2
+++ b/kubespray/extra_playbooks/roles/container-engine/cri-dockerd/templates/cri-dockerd.socket.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=CRI Docker Socket for the API
+PartOf=cri-dockerd.service
+
+[Socket]
+ListenStream=%t/cri-dockerd.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target