feat: switch to binary runc and containerd install (#333)
* feat: switch to binary runc and containerd install
* fix: always download directly to dst node
* feat: add crictl role
* ci: add tests for binary downloads
* ci: rename scenario and add matrix
* ci: move to using prepare
* ci: stop using anchors
* chore: refactor to download_artifact
* chore: add jammy to containerd+runc
* chore: bump ansible-lint
* chore: add more platforms for cri
* fix: ensure tar command exists
* chore: drop amznlinux2
---------
Co-authored-by: Mohammed Naser <mnaser@vexxhost.com>
diff --git a/roles/containerd/defaults/main.yml b/roles/containerd/defaults/main.yml
index 60d4249..1b3525f 100644
--- a/roles/containerd/defaults/main.yml
+++ b/roles/containerd/defaults/main.yml
@@ -1,21 +1,56 @@
----
-# .. vim: foldmarker=[[[,]]]:foldmethod=marker
-
-# .. Copyright (C) 2022 VEXXHOST, Inc.
-# .. SPDX-License-Identifier: Apache-2.0
-
-# Default variables
-# =================
-
-# .. contents:: Sections
-# :local:
-
-
-# .. envvar:: containerd_pause_image [[[
+# Copyright (c) 2023 VEXXHOST, Inc.
#
-# Image to use for ``containerd`` pause container
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+containerd_bin_dir: /usr/bin
+
+containerd_version: 1.6.15
+containerd_archive_checksums:
+ arm64:
+ 1.6.15: d63e4d27c51e33cd10f8b5621c559f09ece8a65fec66d80551b36cac9e61a07d
+ amd64:
+ 1.6.15: 191bb4f6e4afc237efc5c85b5866b6fdfed731bde12cceaa6017a9c7f8aeda02
+
+containerd_download_url: "https://github.com/containerd/containerd/releases/download/v{{ containerd_version }}/containerd-{{ containerd_version }}-{{ ansible_system | lower }}-{{ download_artifact_goarch }}.tar.gz" # noqa: yaml[line-length]
+containerd_download_dest: "{{ containerd_download_unarchive_dest }}.tar.gz"
+containerd_download_unarchive_dest: "{{ download_artifact_work_directory }}/containerd-{{ containerd_version }}-{{ ansible_system | lower }}-{{ download_artifact_goarch }}" # noqa: yaml[line-length]
+containerd_archive_checksum: "{{ containerd_archive_checksums[download_artifact_goarch][containerd_version] }}"
+
containerd_pause_image: k8s.gcr.io/pause:3.5
-
- # ]]]
-
containerd_insecure_registries: []
+
+# NOTE(mnaser): This is to accomodate for the uninstallation of the old packages
+# that shipped with the operating system
+containerd_package_name:
+ - containerd
+ - containerd.io
+
+containerd_binaries:
+ - containerd
+ - containerd-shim
+ - containerd-shim-runc-v1
+ - containerd-shim-runc-v2
+ - containerd-stress
+ - ctr
+
+containerd_cfg_dir: /etc/containerd
+containerd_storage_dir: /var/lib/containerd
+containerd_state_dir: /run/containerd
+
+containerd_debug_level: "info"
+containerd_max_container_log_line_size: -1
+
+containerd_limit_proc_num: "infinity"
+containerd_limit_core: "infinity"
+containerd_limit_open_file_num: "infinity"
+containerd_limit_mem_lock: "infinity"
diff --git a/roles/containerd/meta/main.yml b/roles/containerd/meta/main.yml
index a9d5c50..87b064b 100644
--- a/roles/containerd/meta/main.yml
+++ b/roles/containerd/meta/main.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 VEXXHOST, Inc.
+# Copyright (c) 2023 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
@@ -19,9 +19,33 @@
min_ansible_version: 5.5.0
standalone: false
platforms:
+ - name: Debian
+ versions:
+ - buster
+ - bullseye
+ - name: Fedora
+ versions:
+ - "36"
+ - "37"
+ - name: EL
+ versions:
+ - "8"
+ - "9"
- name: Ubuntu
versions:
- focal
+ - jammy
dependencies:
- role: defaults
+ - role: runc
+ - role: download_artifact
+ download_artifact_url: "{{ containerd_download_url }}"
+ download_artifact_dest: "{{ containerd_download_dest }}"
+ download_artifact_checksum: "sha256:{{ containerd_archive_checksum }}"
+ download_artifact_owner: root
+ download_artifact_mode: "0755"
+ download_artifact_unarchive: true
+ download_artifact_unarchive_dest: "{{ containerd_download_unarchive_dest }}"
+ download_artifact_unarchive_extra_opts:
+ - --strip-components=1
diff --git a/roles/containerd/tasks/main.yml b/roles/containerd/tasks/main.yml
index 95b38e6..3040bd7 100644
--- a/roles/containerd/tasks/main.yml
+++ b/roles/containerd/tasks/main.yml
@@ -1,4 +1,4 @@
-# Copyright (c) 2022 VEXXHOST, Inc.
+# Copyright (c) 2023 VEXXHOST, Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
@@ -12,48 +12,60 @@
# License for the specific language governing permissions and limitations
# under the License.
-- name: Add repository
- ansible.builtin.apt_repository:
- repo: "deb {{ containerd_repository_url }} {{ ansible_distribution_release }} main"
- state: present
- when:
- - containerd_repository_url is defined
+- name: Remove containerd package
+ ansible.builtin.package:
+ name: "{{ containerd_package_name }}"
+ state: absent
-- name: Install packages
- ansible.builtin.apt:
- name: containerd
- state: present
+- name: Install containerd binaries
+ ansible.builtin.copy:
+ src: "{{ containerd_download_unarchive_dest }}/{{ item }}"
+ dest: "{{ containerd_bin_dir }}/{{ item }}"
+ mode: "0755"
+ remote_src: true
+ loop: "{{ containerd_binaries }}"
+ notify: Restart containerd
-- name: Create folder for configuration
+- name: Remove containerd orphaned binaries
ansible.builtin.file:
- path: /etc/containerd
+ path: "/usr/bin/{{ item }}"
+ state: absent
+ loop: "{{ containerd_binaries }}"
+ when: containerd_bin_dir != "/usr/bin"
+
+- name: Create systemd service file for containerd
+ ansible.builtin.template:
+ src: containerd.service.j2
+ dest: /etc/systemd/system/containerd.service
+ mode: "0644"
+ notify:
+ - Reload systemd
+ - Restart containerd
+
+- name: Create folders for configuration
+ ansible.builtin.file:
+ dest: "{{ item }}"
state: directory
+ mode: "0755"
owner: root
group: root
- mode: 0755
+ with_items:
+ - "{{ containerd_cfg_dir }}"
+ - "{{ containerd_storage_dir }}"
+ - "{{ containerd_state_dir }}"
notify:
- Restart containerd
-- name: Update pause image in configuration
+- name: Create containerd config file
ansible.builtin.template:
src: config.toml.j2
dest: /etc/containerd/config.toml
owner: root
group: root
- mode: 0644
+ mode: "0644"
notify:
- Restart containerd
-- name: Bump DefaultLimitMEMLOCK for system
- ansible.builtin.lineinfile:
- path: /etc/systemd/system.conf
- regexp: '^DefaultLimitMEMLOCK='
- line: 'DefaultLimitMEMLOCK=infinity'
- state: present
- notify:
- - Reload systemd
- - Restart containerd
-
- name: Force any restarts if necessary
ansible.builtin.meta: flush_handlers
diff --git a/roles/containerd/templates/config.toml.j2 b/roles/containerd/templates/config.toml.j2
index 16c0ae1..55b6b41 100644
--- a/roles/containerd/templates/config.toml.j2
+++ b/roles/containerd/templates/config.toml.j2
@@ -1,8 +1,12 @@
version = 2
+[debug]
+ level = "{{ containerd_debug_level | default('info') }}"
+
[plugins]
[plugins."io.containerd.grpc.v1.cri"]
sandbox_image = "{{ containerd_pause_image }}"
+ max_container_log_line_size = {{ containerd_max_container_log_line_size }}
[plugins."io.containerd.grpc.v1.cri".registry]
[plugins."io.containerd.grpc.v1.cri".registry.mirrors]
{% for registry in containerd_insecure_registries %}
diff --git a/roles/containerd/templates/containerd.service.j2 b/roles/containerd/templates/containerd.service.j2
new file mode 100644
index 0000000..adebcf2
--- /dev/null
+++ b/roles/containerd/templates/containerd.service.j2
@@ -0,0 +1,41 @@
+# Copyright The containerd Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+[Unit]
+Description=containerd container runtime
+Documentation=https://containerd.io
+After=network.target local-fs.target
+
+[Service]
+ExecStartPre=-/sbin/modprobe overlay
+ExecStart={{ containerd_bin_dir }}/containerd
+
+Type=notify
+Delegate=yes
+KillMode=process
+Restart=always
+RestartSec=5
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNPROC={{ containerd_limit_proc_num }}
+LimitCORE={{ containerd_limit_core }}
+LimitNOFILE={{ containerd_limit_open_file_num }}
+LimitMEMLOCK={{ containerd_limit_mem_lock }}
+# Comment TasksMax if your systemd version does not supports it.
+# Only systemd 226 and above support this version.
+TasksMax=infinity
+OOMScoreAdjust=-999
+
+[Install]
+WantedBy=multi-user.target