authorChristian Pointner <equinox@spreadspace.org>2022-01-12 00:09:02 +0100
committerChristian Pointner <equinox@spreadspace.org>2022-01-12 00:09:02 +0100
commit52b6673b7af6c6018c9aa093692979a7a3597fd9 (patch)
tree3a3489f7d4bedd4f4a0753b91533a45b009ece97 /roles/kubernetes
parentMerge branch 'topic/no-more-kubic' (diff)
kubernetes/base: use cri-dockerd when docker runtime is configured
Diffstat (limited to 'roles/kubernetes')
-rw-r--r--roles/kubernetes/base/tasks/cri_docker.yml27
-rw-r--r--roles/kubernetes/base/templates/cri-dockerd.service.j227
-rw-r--r--roles/kubernetes/base/templates/cri-dockerd.socket.j212
-rw-r--r--roles/kubernetes/standalone/base/templates/kubelet.service.override.j25
4 files changed, 64 insertions, 7 deletions
diff --git a/roles/kubernetes/base/tasks/cri_docker.yml b/roles/kubernetes/base/tasks/cri_docker.yml
index a9b5dec1..91de6836 100644
--- a/roles/kubernetes/base/tasks/cri_docker.yml
+++ b/roles/kubernetes/base/tasks/cri_docker.yml
@@ -3,7 +3,7 @@
assert:
msg: "The variable kubernetes_cri_socket is not configured correctly. You might need to move your host to the group kubernetes-cluster or standalone-kubelet!"
that:
- - kubernetes_cri_socket == "unix:///var/run/dockershim.sock"
+ - kubernetes_cri_socket == "unix:///var/run/cri-dockerd.sock"
- name: create systemd snippet directory
file:
@@ -14,7 +14,7 @@
copy:
content: |
[Unit]
- After=docker.service
+ After=cri-dockerd.service
dest: /etc/systemd/system/kubelet.service.d/after-docker.conf
- name: disable bridge and iptables in docker daemon config and switch to systemd cgroup driver
@@ -32,3 +32,26 @@
- name: install docker
include_role:
name: docker/engine
+
+- name: install cri-dockerd
+ apt:
+ name: cri-dockerd
+ state: present
+
+- name: install systemd units for cri-docker
+ loop:
+ - socket
+ - service
+ template:
+ src: "cri-dockerd.{{ item }}.j2"
+ dest: "/etc/systemd/system/cri-dockerd.{{ item }}"
+
+- name: make sure cri-docker is started and enabled
+ loop:
+ - socket
+ - service
+ systemd:
+ daemon_reload: yes
+ name: "cri-dockerd.{{ item }}"
+ enabled: yes
+ state: started
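Review bot: The `template` task that writes `/etc/systemd/system/cri-dockerd.{{ item }}` sets no `owner`, `group` or `mode`, so the unit files inherit whatever the connection user and umask produce. Since systemd runs these units as root, I would pin them with `owner: root`, `group: root` and `mode: "0644"`. The task also has no `notify`, and the next task only asks for `state: started`, so as far as this hunk shows a later template change triggers a daemon reload but never restarts the running cri-dockerd. The `apt` task installs `cri-dockerd` from whichever repository the host already has configured; the origin of that package is not visible here and deserves a comment such as `# cri-dockerd comes from <repository placeholder>`. As a style point, `daemon_reload: yes` and `enabled: yes` read better as `true`.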
diff --git a/roles/kubernetes/base/templates/cri-dockerd.service.j2 b/roles/kubernetes/base/templates/cri-dockerd.service.j2
new file mode 100644
index 00000000..a83a18f0
--- /dev/null
+++ b/roles/kubernetes/base/templates/cri-dockerd.service.j2
@@ -0,0 +1,27 @@
+[Unit]
+Description=CRI Interface for Docker Application Container Engine
+Documentation=https://docs.mirantis.com
+After=network-online.target firewalld.service docker.service
+Wants=network-online.target
+Requires=cri-dockerd.socket
+StartLimitBurst=3
+StartLimitIntervalSec=60s
+
+[Service]
+Type=notify
+ExecStart=/usr/bin/cri-dockerd --container-runtime-endpoint fd:// --network-plugin=cni --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d
+ExecReload=/bin/kill -s HUP $MAINPID
+TimeoutSec=0
+RestartSec=2
+Restart=always
+# Having non-zero Limit*s causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+LimitNOFILE=infinity
+LimitNPROC=infinity
+LimitCORE=infinity
+TasksMax=infinity
+Delegate=yes
+KillMode=process
+
+[Install]
+WantedBy=multi-user.target
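Review bot: `LimitCORE=infinity` lets this root daemon write core dumps of unlimited size, and the comment above it only justifies lifting the file and process limits for accounting overhead, not the core size. A core from the CRI shim can plausibly contain whatever passed through it, for example image pull credentials, so unless dumps are wanted for debugging I would set `LimitCORE=0`. Separately, `TimeoutSec=0` together with `Type=notify` means a start that never signals readiness is never timed out, which would also keep the `state: started` task in cri_docker.yml waiting. A one-line comment stating where this unit was copied from would help when comparing it against upstream later.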
diff --git a/roles/kubernetes/base/templates/cri-dockerd.socket.j2 b/roles/kubernetes/base/templates/cri-dockerd.socket.j2
new file mode 100644
index 00000000..8dfa27d4
--- /dev/null
+++ b/roles/kubernetes/base/templates/cri-dockerd.socket.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description=CRI Docker Socket for the API
+PartOf=cri-dockerd.service
+
+[Socket]
+ListenStream=%t/cri-dockerd.sock
+SocketMode=0660
+SocketUser=root
+SocketGroup=docker
+
+[Install]
+WantedBy=sockets.target
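Review bot: `SocketGroup=docker` with `SocketMode=0660` gives every member of the `docker` group read/write access to the CRI endpoint, although the only client visible in this commit is the kubelet, which presumably runs as root. Restricting the socket to root with `SocketMode=0600` (or `SocketGroup=root`) keeps the CRI API off the path of non-root accounts and costs nothing if no other client needs it. Also note that `ListenStream=%t/cri-dockerd.sock` resolves under `/run`, while the assert in cri_docker.yml expects the literal `unix:///var/run/cri-dockerd.sock`. That matches only where `/var/run` is a symlink to `/run`, so a comment linking the two values would help keep them in sync.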
diff --git a/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2 b/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2
index 00f2c360..d4637c72 100644
--- a/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2
+++ b/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2
@@ -1,11 +1,6 @@
[Service]
ExecStart=
ExecStart=/usr/bin/kubelet \
-{% if kubernetes_container_runtime != 'docker' %}
--container-runtime=remote \
--container-runtime-endpoint={{ kubernetes_cri_socket }} \
-{% else %}
- --container-runtime=docker \
- --network-plugin=cni \
-{% endif %}
--config=/etc/kubernetes/kubelet.yml