[docker] add support for cri-dockerd as a replacement for dockershim (#8623)
pull/8629/head
Cristian Calin
2 years ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
23 changed files with 417 additions and 4 deletions
-
1.gitignore
-
1docs/_sidebar.md
-
105docs/docker.md
-
3inventory/sample/group_vars/all/docker.yml
-
21roles/container-engine/cri-dockerd/handlers/main.yml
-
4roles/container-engine/cri-dockerd/meta/main.yml
-
10roles/container-engine/cri-dockerd/molecule/default/converge.yml
-
17roles/container-engine/cri-dockerd/molecule/default/files/10-mynet.conf
-
10roles/container-engine/cri-dockerd/molecule/default/files/container.json
-
10roles/container-engine/cri-dockerd/molecule/default/files/sandbox.json
-
45roles/container-engine/cri-dockerd/molecule/default/molecule.yml
-
47roles/container-engine/cri-dockerd/molecule/default/prepare.yml
-
19roles/container-engine/cri-dockerd/molecule/default/tests/test_default.py
-
25roles/container-engine/cri-dockerd/tasks/main.yml
-
39roles/container-engine/cri-dockerd/templates/cri-dockerd.service.j2
-
12roles/container-engine/cri-dockerd/templates/cri-dockerd.socket.j2
-
8roles/container-engine/meta/main.yml
-
28roles/download/defaults/main.yml
-
2roles/kubernetes/node/templates/kubelet.env.v1beta1.j2
-
5roles/kubespray-defaults/defaults/main.yaml
-
7roles/reset/tasks/main.yml
-
1tests/files/packet_almalinux8-docker.yml
-
1tests/files/packet_ubuntu20-aio-docker.yml
@ -0,0 +1,105 @@ |
|||
# Docker support |
|||
|
|||
The docker runtime is supported by kubespray and while the `dockershim` is deprecated to be removed in kubernetes 1.24+ there are alternative ways to use docker such as through the [cri-dockerd](https://github.com/Mirantis/cri-dockerd) project supported by Mirantis. |
|||
|
|||
Using the docker container manager: |
|||
|
|||
```yaml |
|||
container_manager: docker |
|||
``` |
|||
|
|||
Using `cri-dockerd` instead of `dockershim`: |
|||
|
|||
```yaml |
|||
cri_dockerd_enabled: false |
|||
``` |
|||
|
|||
*Note:* The `cri_dockerd_enabled: true` setting will become the default in a future kubespray release once kubespray 1.24+ is supported and `dockershim` is removed. At that point, changing this option will be deprecated and silently ignored. |
|||
|
|||
Enabling the `overlay2` graph driver: |
|||
|
|||
```yaml |
|||
docker_storage_options: -s overlay2 |
|||
``` |
|||
|
|||
Enabling `docker_container_storage_setup`, it will configure devicemapper driver on Centos7 or RedHat7. |
|||
Deployers must be define a disk path for `docker_container_storage_setup_devs`, otherwise docker-storage-setup will be executed incorrectly. |
|||
|
|||
```yaml |
|||
docker_container_storage_setup: true |
|||
docker_container_storage_setup_devs: /dev/vdb |
|||
``` |
|||
|
|||
Changing the Docker cgroup driver (native.cgroupdriver); valid options are `systemd` or `cgroupfs`, default is `systemd`: |
|||
|
|||
```yaml |
|||
docker_cgroup_driver: systemd |
|||
``` |
|||
|
|||
If you have more than 3 nameservers kubespray will only use the first 3 else it will fail. Set the `docker_dns_servers_strict` to `false` to prevent deployment failure. |
|||
|
|||
```yaml |
|||
docker_dns_servers_strict: false |
|||
``` |
|||
|
|||
Set the path used to store Docker data: |
|||
|
|||
```yaml |
|||
docker_daemon_graph: "/var/lib/docker" |
|||
``` |
|||
|
|||
Changing the docker daemon iptables support: |
|||
|
|||
```yaml |
|||
docker_iptables_enabled: "false" |
|||
``` |
|||
|
|||
Docker log options: |
|||
|
|||
```yaml |
|||
# Rotate container stderr/stdout logs at 50m and keep last 5 |
|||
docker_log_opts: "--log-opt max-size=50m --log-opt max-file=5" |
|||
``` |
|||
|
|||
Changre the docker `bin_dir`, this should not be changed unless you use a custom docker package: |
|||
|
|||
```yaml |
|||
docker_bin_dir: "/usr/bin" |
|||
``` |
|||
|
|||
To keep docker packages after installation; speeds up repeated ansible provisioning runs when '1'. |
|||
kubespray deletes the docker package on each run, so caching the package makes sense: |
|||
|
|||
```yaml |
|||
docker_rpm_keepcache: 1 |
|||
``` |
|||
|
|||
Allowing insecure-registry access to self hosted registries. Can be ipaddress and domain_name. |
|||
|
|||
```yaml |
|||
## example define 172.19.16.11 or mirror.registry.io |
|||
docker_insecure_registries: |
|||
- mirror.registry.io |
|||
- 172.19.16.11 |
|||
``` |
|||
|
|||
Adding other registry, i.e. China registry mirror: |
|||
|
|||
```yaml |
|||
docker_registry_mirrors: |
|||
- https://registry.docker-cn.com |
|||
- https://mirror.aliyuncs.com |
|||
``` |
|||
|
|||
Overriding default system MountFlags value. This option takes a mount propagation flag: `shared`, `slave` or `private`, which control whether mounts in the file system namespace set up for docker will receive or propagate mounts and unmounts. Leave empty for system default: |
|||
|
|||
```yaml |
|||
docker_mount_flags: |
|||
``` |
|||
|
|||
Adding extra options to pass to the docker daemon: |
|||
|
|||
```yaml |
|||
## This string should be exactly as you wish it to appear. |
|||
docker_options: "" |
|||
``` |
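Review bot: The example under "Using `cri-dockerd` instead of `dockershim`" sets `cri_dockerd_enabled: false`, which is the value that keeps dockershim; the snippet should show `cri_dockerd_enabled: true`, with the current default stated in the note that follows it. That note says "once kubespray 1.24+ is supported", which presumably should read kubernetes 1.24+ as in the opening paragraph. The `docker_insecure_registries` section should say that the listed registries are contacted without verified TLS, so the list stays limited to registries on trusted networks. Typos to fix while here: "Changre", "must be define".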
@ -0,0 +1,21 @@ |
|||
--- |
|||
- name: restart cri-dockerd |
|||
command: /bin/true |
|||
notify: |
|||
- cri-dockerd | reload systemd |
|||
- cri-dockerd | reload cri-dockerd.socket |
|||
- cri-dockerd | reload cri-dockerd.service |
|||
|
|||
- name: cri-dockerd | reload systemd |
|||
systemd: |
|||
daemon_reload: true |
|||
|
|||
- name: cri-dockerd | reload cri-dockerd.socket |
|||
service: |
|||
name: cri-dockerd.socket |
|||
state: restarted |
|||
|
|||
- name: cri-dockerd | reload cri-dockerd.service |
|||
service: |
|||
name: cri-dockerd.service |
|||
state: restarted |
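Review bot: The last two handlers are named "reload cri-dockerd.socket" and "reload cri-dockerd.service" but both run `state: restarted`; rename them to "restart ..." so the log shows what actually happens to a runtime the kubelet depends on. Neither handler sets `enabled: true`, and handlers only fire when a task reports a change, so unless another task enables and starts the units they will not come up after a reboot or on an unchanged run. An explicit task with `enabled: true` and `state: started` would close that gap.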
@ -0,0 +1,4 @@ |
|||
--- |
|||
dependencies: |
|||
- role: container-engine/docker |
|||
- role: container-engine/crictl |
@ -0,0 +1,10 @@ |
|||
--- |
|||
- name: Converge |
|||
hosts: all |
|||
become: true |
|||
vars: |
|||
container_manager: docker |
|||
cri_dockerd_enabled: true |
|||
roles: |
|||
- role: kubespray-defaults |
|||
- role: container-engine/cri-dockerd |
@ -0,0 +1,17 @@ |
|||
{ |
|||
"cniVersion": "0.2.0", |
|||
"name": "mynet", |
|||
"type": "bridge", |
|||
"bridge": "cni0", |
|||
"isGateway": true, |
|||
"ipMasq": true, |
|||
"ipam": { |
|||
"type": "host-local", |
|||
"subnet": "172.19.0.0/24", |
|||
"routes": [ |
|||
{ |
|||
"dst": "0.0.0.0/0" |
|||
} |
|||
] |
|||
} |
|||
} |
@ -0,0 +1,10 @@ |
|||
{ |
|||
"metadata": { |
|||
"name": "cri-dockerd1" |
|||
}, |
|||
"image": { |
|||
"image": "quay.io/kubespray/hello-world:latest" |
|||
}, |
|||
"log_path": "cri-dockerd1.0.log", |
|||
"linux": {} |
|||
} |
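Review bot: `"image": "quay.io/kubespray/hello-world:latest"` uses a mutable tag, and the molecule test asserts on this image's output, so a re-pushed tag changes what the test pulls and runs. Pin the image to a fixed tag or a digest so the run is reproducible and uses known content.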
@ -0,0 +1,10 @@ |
|||
{ |
|||
"metadata": { |
|||
"name": "cri-dockerd1", |
|||
"namespace": "default", |
|||
"attempt": 1, |
|||
"uid": "hdishd83djaidwnduwk28bcsb" |
|||
}, |
|||
"linux": {}, |
|||
"log_directory": "/tmp" |
|||
} |
@ -0,0 +1,45 @@ |
|||
--- |
|||
driver: |
|||
name: vagrant |
|||
provider: |
|||
name: libvirt |
|||
options: |
|||
driver: kvm |
|||
lint: | |
|||
set -e |
|||
yamllint -c ../../../.yamllint . |
|||
platforms: |
|||
- name: almalinux8 |
|||
box: almalinux/8 |
|||
cpus: 1 |
|||
memory: 1024 |
|||
nested: true |
|||
groups: |
|||
- kube_control_plane |
|||
- name: ubuntu20 |
|||
box: generic/ubuntu2004 |
|||
cpus: 1 |
|||
memory: 1024 |
|||
nested: true |
|||
groups: |
|||
- kube_control_plane |
|||
provisioner: |
|||
name: ansible |
|||
env: |
|||
ANSIBLE_ROLES_PATH: ../../../../ |
|||
config_options: |
|||
defaults: |
|||
callback_whitelist: profile_tasks |
|||
timeout: 120 |
|||
lint: |
|||
name: ansible-lint |
|||
options: |
|||
c: ../../../.ansible-lint |
|||
inventory: |
|||
group_vars: |
|||
all: |
|||
become: true |
|||
verifier: |
|||
name: testinfra |
|||
lint: |
|||
name: flake8 |
@ -0,0 +1,47 @@ |
|||
--- |
|||
- name: Prepare |
|||
hosts: all |
|||
become: true |
|||
roles: |
|||
- role: kubespray-defaults |
|||
- role: bootstrap-os |
|||
- role: adduser |
|||
user: "{{ addusers.kube }}" |
|||
tasks: |
|||
- include_tasks: "../../../../download/tasks/download_file.yml" |
|||
vars: |
|||
download: "{{ download_defaults | combine(downloads.cni) }}" |
|||
|
|||
- name: Prepare container runtime |
|||
hosts: all |
|||
become: true |
|||
vars: |
|||
container_manager: containerd |
|||
kube_network_plugin: cni |
|||
roles: |
|||
- role: kubespray-defaults |
|||
- role: network_plugin/cni |
|||
tasks: |
|||
- name: Copy test container files |
|||
copy: |
|||
src: "{{ item }}" |
|||
dest: "/tmp/{{ item }}" |
|||
owner: root |
|||
mode: 0644 |
|||
with_items: |
|||
- container.json |
|||
- sandbox.json |
|||
- name: Create /etc/cni/net.d directory |
|||
file: |
|||
path: /etc/cni/net.d |
|||
state: directory |
|||
owner: kube |
|||
mode: 0755 |
|||
- name: Setup CNI |
|||
copy: |
|||
src: "{{ item }}" |
|||
dest: "/etc/cni/net.d/{{ item }}" |
|||
owner: root |
|||
mode: 0644 |
|||
with_items: |
|||
- 10-mynet.conf |
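Review bot: The "Prepare container runtime" play sets `container_manager: containerd`, while converge.yml for the same scenario sets `container_manager: docker`; this looks copied from another scenario and should be `docker` so the CNI role is prepared under the settings the role is tested with. In the same play `/etc/cni/net.d` is created with `owner: kube` although the files copied into it are `owner: root`; the runtime loads its network configuration from that directory, so root ownership is the safer choice. The `mode: 0644` and `mode: 0755` values are better written as quoted strings.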
@ -0,0 +1,19 @@ |
|||
import os |
|||
|
|||
import testinfra.utils.ansible_runner |
|||
|
|||
testinfra_hosts = testinfra.utils.ansible_runner.AnsibleRunner( |
|||
os.environ['MOLECULE_INVENTORY_FILE']).get_hosts('all') |
|||
|
|||
|
|||
def test_run_pod(host): |
|||
run_command = "/usr/local/bin/crictl run --with-pull /tmp/container.json /tmp/sandbox.json" |
|||
with host.sudo(): |
|||
cmd = host.command(run_command) |
|||
assert cmd.rc == 0 |
|||
|
|||
with host.sudo(): |
|||
log_f = host.file("/tmp/cri-dockerd1.0.log") |
|||
|
|||
assert log_f.exists |
|||
assert b"Hello from Docker" in log_f.content |
@ -0,0 +1,25 @@ |
|||
--- |
|||
- name: runc | Download cri-dockerd binary |
|||
include_tasks: "../../../download/tasks/download_file.yml" |
|||
vars: |
|||
download: "{{ download_defaults | combine(downloads.cri_dockerd) }}" |
|||
|
|||
- name: Copy cri-dockerd binary from download dir |
|||
copy: |
|||
src: "{{ local_release_dir }}/cri-dockerd" |
|||
dest: "{{ bin_dir }}/cri-dockerd" |
|||
mode: 0755 |
|||
remote_src: true |
|||
notify: |
|||
- restart cri-dockerd |
|||
|
|||
- name: Generate cri-dockerd systemd unit files |
|||
template: |
|||
src: "{{ item }}.j2" |
|||
dest: "/etc/systemd/system/{{ item }}" |
|||
mode: 0644 |
|||
with_items: |
|||
- cri-dockerd.service |
|||
- cri-dockerd.socket |
|||
notify: |
|||
- restart cri-dockerd |
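Review bot: The first task is named "runc | Download cri-dockerd binary"; the `runc |` prefix does not belong to this role and should be `cri-dockerd |`, and the other two tasks carry no prefix at all, which is inconsistent with the `cri-dockerd | ...` handler names. The copy task sets `mode: 0755` without `owner` or `group`; adding `owner: root` and `group: root` makes the intended ownership of a binary started by systemd explicit instead of inherited.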
@ -0,0 +1,39 @@ |
|||
[Unit] |
|||
Description=CRI Interface for Docker Application Container Engine |
|||
Documentation=https://docs.mirantis.com |
|||
After=network-online.target firewalld.service docker.service |
|||
Wants=network-online.target docker.service |
|||
Requires=cri-dockerd.socket |
|||
|
|||
[Service] |
|||
Type=notify |
|||
ExecStart={{ bin_dir }}/cri-dockerd --container-runtime-endpoint fd:// --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --network-plugin=cni --pod-cidr={{ kube_pods_subnet }} |
|||
ExecReload=/bin/kill -s HUP $MAINPID |
|||
TimeoutSec=0 |
|||
RestartSec=2 |
|||
Restart=always |
|||
|
|||
# Note that StartLimit* options were moved from "Service" to "Unit" in systemd 229. |
|||
# Both the old, and new location are accepted by systemd 229 and up, so using the old location |
|||
# to make them work for either version of systemd. |
|||
StartLimitBurst=3 |
|||
|
|||
# Note that StartLimitInterval was renamed to StartLimitIntervalSec in systemd 230. |
|||
# Both the old, and new name are accepted by systemd 230 and up, so using the old name to make |
|||
# this option work for either version of systemd. |
|||
StartLimitInterval=60s |
|||
|
|||
# Having non-zero Limit*s causes performance problems due to accounting overhead |
|||
# in the kernel. We recommend using cgroups to do container-local accounting. |
|||
LimitNOFILE=infinity |
|||
LimitNPROC=infinity |
|||
LimitCORE=infinity |
|||
|
|||
# Comment TasksMax if your systemd version does not support it. |
|||
# Only systemd 226 and above support this option. |
|||
TasksMax=infinity |
|||
Delegate=yes |
|||
KillMode=process |
|||
|
|||
[Install] |
|||
WantedBy=multi-user.target |
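Review bot: In `ExecStart`, `--cni-conf-dir=/etc/cni/net.d` and `--cni-bin-dir=/opt/cni/bin` are hard-coded while `{{ bin_dir }}` and `{{ kube_pods_subnet }}` on the same line are templated; if the CNI locations are configurable elsewhere in the inventory, use the same variables here so the shim and the network plugin cannot disagree. `Wants=docker.service` is only a weak dependency, so cri-dockerd keeps running when docker is stopped; consider `Requires=` or `BindsTo=` if the shim is not meant to outlive the daemon.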
@ -0,0 +1,12 @@ |
|||
[Unit] |
|||
Description=CRI Docker Socket for the API |
|||
PartOf=cri-dockerd.service |
|||
|
|||
[Socket] |
|||
ListenStream=%t/cri-dockerd.sock |
|||
SocketMode=0660 |
|||
SocketUser=root |
|||
SocketGroup=docker |
|||
|
|||
[Install] |
|||
WantedBy=sockets.target |
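Review bot: `SocketGroup=docker` with `SocketMode=0660` lets every member of the `docker` group talk to the CRI API on `%t/cri-dockerd.sock`; if the kubelet and crictl are the only clients and both run as root, `SocketGroup=root` or `SocketMode=0600` is the least-privilege setting. The unit also depends on the `docker` group existing before the socket is started, so confirm the docker role creates it on every supported distribution.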