diff --git a/ansible/playbooks/roles/containerd/defaults/main.yml b/ansible/playbooks/roles/containerd/defaults/main.yml
new file mode 100644
index 0000000000..f2fc92a8b4
--- /dev/null
+++ b/ansible/playbooks/roles/containerd/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+containerd_version: "1.4.12"
diff --git a/ansible/playbooks/roles/containerd/handlers/main.yml b/ansible/playbooks/roles/containerd/handlers/main.yml
index 1c18e8ef6c..49f7022e0e 100644
--- a/ansible/playbooks/roles/containerd/handlers/main.yml
+++ b/ansible/playbooks/roles/containerd/handlers/main.yml
@@ -1,4 +1,4 @@
-- name: Restart Containerd
+- name: Restart containerd
 systemd:
 name: containerd
 state: restarted
diff --git a/ansible/playbooks/roles/containerd/tasks/configure-containerd.yml b/ansible/playbooks/roles/containerd/tasks/configure-containerd.yml
index a4e032fe67..5d1ada26c7 100644
--- a/ansible/playbooks/roles/containerd/tasks/configure-containerd.yml
+++ b/ansible/playbooks/roles/containerd/tasks/configure-containerd.yml
@@ -1,5 +1,5 @@
 ---
-- name: Create Containerd dir
+- name: Create containerd dir
 file:
 path: /etc/containerd
 state: directory
@@ -7,7 +7,7 @@
 group: root
 mode: u=rw,go=r
-- name: Provide Containerd config
+- name: Provide containerd config
 template:
 src: config.toml.j2
 dest: /etc/containerd/config.toml
@@ -15,4 +15,4 @@
 owner: root
 group: root
 notify:
- - Restart Containerd
+ - Restart containerd
diff --git a/ansible/playbooks/roles/containerd/tasks/configure-prerequisites.yml b/ansible/playbooks/roles/containerd/tasks/configure-prerequisites.yml
index ba418e1b32..c65330cede 100644
--- a/ansible/playbooks/roles/containerd/tasks/configure-prerequisites.yml
+++ b/ansible/playbooks/roles/containerd/tasks/configure-prerequisites.yml
@@ -8,7 +8,9 @@
 mode: u=rw,go=
 - name: Load modules
- command: modprobe {{ item }}
+ modprobe:
+ name: "{{ item }}"
+ state: present
 loop:
 - overlay
 - br_netfilter
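Review bot: The new `containerd_version: "1.4.12"` default carries no comment tying it to the documented component version, while the same value is maintained by hand in the containerd row of docs/home/COMPONENTS.md (changed later in this diff), so the two can silently drift. I would add `# Keep in sync with the containerd row in docs/home/COMPONENTS.md` above the key. The quoted form is right: a version like `1.10` left unquoted would be read as a float and the apt/yum pins built from it in tasks/main.yml would break.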
diff --git a/ansible/playbooks/roles/containerd/tasks/main.yml b/ansible/playbooks/roles/containerd/tasks/main.yml
index bf35fe08e3..3d1e8a15b4 100644
--- a/ansible/playbooks/roles/containerd/tasks/main.yml
+++ b/ansible/playbooks/roles/containerd/tasks/main.yml
@@ -1,4 +1,8 @@
 ---
+- name: Get information on installed packages
+ package_facts:
+ when: ansible_facts.packages is undefined
+
 - name: Remove Docker
 block:
 - name: Stop Kubelet before Docker removal
@@ -15,20 +19,28 @@
 when:
 - is_upgrade_run
 - inventory_hostname not in groups.image_registry
+ - ansible_facts.packages['docker-ce'] is defined
-- name: Install Containerd package
+- name: Install containerd package
 package:
- name: containerd.io
+ name: "{{ _packages[ansible_os_family] }}"
 state: present
+ vars:
+ _packages:
+ Debian:
+ - containerd.io={{ containerd_version }}-*
+ RedHat:
+ - containerd.io-{{ containerd_version }}
 module_defaults:
 yum: { lock_timeout: "{{ yum_lock_timeout }}" }
 - name: Configure prerequisites
 include_tasks: configure-prerequisites.yml
-- name: Configure Containerd
+- name: Configure containerd
 include_tasks: configure-containerd.yml
+# To be replaced by filter plugin (https://github.com/epiphany-platform/epiphany/issues/2943)
 - name: Reconfigure kubelet args
 when: is_upgrade_run
 block:
diff --git a/ansible/playbooks/roles/containerd/templates/config.toml.j2 b/ansible/playbooks/roles/containerd/templates/config.toml.j2
index 1434ec685d..25160cb4f3 100644
--- a/ansible/playbooks/roles/containerd/templates/config.toml.j2
+++ b/ansible/playbooks/roles/containerd/templates/config.toml.j2
@@ -55,7 +55,7 @@ oom_score = 0
 stream_idle_timeout = "4h0m0s"
 enable_selinux = false
 selinux_category_range = 1024
- sandbox_image = "k8s.gcr.io/pause:3.2"
+ sandbox_image = "{{ image_registry_address }}/k8s.gcr.io/pause:3.5"
 stats_collect_period = 10
 systemd_cgroup = false
 enable_tls_streaming = false
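Review bot: In the `Install containerd package` task the new `_packages` mapping pins the version with two different syntaxes, `containerd.io={{ containerd_version }}-*` for Debian and `containerd.io-{{ containerd_version }}` for RedHat, and nothing says why, so the next editor is likely to "normalise" one of them and break the pin; I would put `# apt pins as name=version-*, yum as name-version` above `_packages:`. The task also keeps `module_defaults` for `yum` only, so if `package` resolves to `dnf` on any RedHat-family target the `lock_timeout` default is not applied there — worth confirming against the supported OS list. The `Remove Docker` block whose `when:` gains the `docker-ce` guard starts in the previous hunk, outside this one.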
diff --git a/ansible/playbooks/roles/filebeat/tasks/configure-filebeat.yml b/ansible/playbooks/roles/filebeat/tasks/configure-filebeat.yml
index 2be8f37ee8..cb7e2a723e 100644
--- a/ansible/playbooks/roles/filebeat/tasks/configure-filebeat.yml
+++ b/ansible/playbooks/roles/filebeat/tasks/configure-filebeat.yml
@@ -26,12 +26,13 @@
 register: modify_filebeat_yml
 - name: Append new field definition
+ when: k8s_as_cloud_service is not defined
 blockinfile:
 path: /etc/filebeat/fields.yml
 backup: true
 block: |2
 - key: containerd
- title: "Containerd"
+ title: "containerd"
 description: >
 Reading data from containerd log filepath.
 short_config: true
@@ -41,13 +42,13 @@
 description: >
 Contains extra fields for containerd logs.
 fields:
- - name: container.pod.name
+ - name: kubernetes.pod.name
 type: text
 format: string
- - name: container.uuid
+ - name: kubernetes.namespace
 type: text
 format: string
- - name: container.namespace
+ - name: container.id
 type: text
 format: string
diff --git a/ansible/playbooks/roles/filebeat/tasks/main.yml b/ansible/playbooks/roles/filebeat/tasks/main.yml
index 73124a9a21..4cdfe32550 100644
--- a/ansible/playbooks/roles/filebeat/tasks/main.yml
+++ b/ansible/playbooks/roles/filebeat/tasks/main.yml
@@ -8,19 +8,13 @@
 name: opendistro_for_logging_vars
 when: groups.logging is defined
-- name: Filebeat as DaemonSet
+- name: Include installation tasks for Filebeat as DaemonSet for "k8s as cloud service"
+ include_tasks: install-filebeat-as-daemonset.yml
 when:
 - k8s_as_cloud_service is defined
 - k8s_as_cloud_service
 - groups.logging is defined
 - groups.logging | length > 0
- block:
- - name: Include installation tasks for Filebeat as DaemonSet for "k8s as cloud service"
- include_tasks: install-filebeat-as-daemonset.yml
-
- - name: Set fact filebeat_as_daemonset
- set_fact:
- filebeat_as_daemonset: true
 - name: Include auditd configuration tasks
 include_tasks: configure-auditd.yml
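Review bot: The new guard `when: k8s_as_cloud_service is not defined` on `Append new field definition` tests only whether the variable exists, whereas the DaemonSet path in filebeat/tasks/main.yml (later in this diff) is taken only when `k8s_as_cloud_service is defined` and truthy; a host with `k8s_as_cloud_service: false` therefore gets the system-service Filebeat but skips the fields.yml update. If that value can legitimately be false, the condition should mirror the other side: `when: not (k8s_as_cloud_service | default(false))`. Whether false is ever set I cannot tell from the hunk; the task list continues outside it.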
diff --git a/ansible/playbooks/roles/filebeat/templates/custom-chart-values.yml.j2 b/ansible/playbooks/roles/filebeat/templates/custom-chart-values.yml.j2
index 52b3f2c8e3..831897a347 100644
--- a/ansible/playbooks/roles/filebeat/templates/custom-chart-values.yml.j2
+++ b/ansible/playbooks/roles/filebeat/templates/custom-chart-values.yml.j2
@@ -64,12 +64,10 @@ filebeatConfig:
 processors:
 - add_kubernetes_metadata:
- in_cluster: {{ 'true' if filebeat_as_daemonset is defined else 'false' }}
- - dissect:
- tokenizer: "/var/log/containers/%{container.pod.name}_%{container.namespace}_%{container.uuid}.log"
- field: "log.file.path"
- target_prefix: ""
- overwrite_keys: true
+ in_cluster: true
+ matchers:
+ - logs_path:
+ logs_path: "/var/log/containers/"
 {% endif %}
 {# -------------------------- Filebeat modules -------------------------- #}
diff --git a/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2 b/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2
index 4b2586d5b2..a6715edf20 100644
--- a/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2
+++ b/ansible/playbooks/roles/filebeat/templates/filebeat.yml.j2
@@ -123,10 +123,8 @@ filebeat.inputs:
 {% endif %}
 processors:
- - add_kubernetes_metadata:
- in_cluster: {{ 'true' if filebeat_as_daemonset is defined else 'false' }}
 - dissect:
- tokenizer: "/var/log/containers/%{container.pod.name}_%{container.namespace}_%{container.uuid}.log"
+ tokenizer: "/var/log/containers/%{kubernetes.pod.name}_%{kubernetes.namespace}_%{container.id}.log"
 field: "log.file.path"
 target_prefix: ""
 overwrite_keys: true
diff --git a/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml b/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
index 9e01e11d8a..53837e80b9 100644
--- a/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
+++ b/ansible/playbooks/roles/kubernetes_master/tasks/generate-certificates.yml
@@ -212,7 +212,7 @@
 - name: Restart systemd services
 when:
 - services_to_restart is defined
- - services_to_restart | difference(['docker', 'kubelet']) | length == 0
+ - services_to_restart | difference(['containerd', 'kubelet']) | length == 0
 block:
 - name: Restart services
 systemd:
diff --git a/ansible/playbooks/roles/kubernetes_master/tasks/main.yml b/ansible/playbooks/roles/kubernetes_master/tasks/main.yml
index e3a32f6d37..e74c1285f6 100644
--- a/ansible/playbooks/roles/kubernetes_master/tasks/main.yml
+++ b/ansible/playbooks/roles/kubernetes_master/tasks/main.yml
@@ -86,10 +86,8 @@
 - name: Restart apiserver
 shell: |-
 set -o pipefail && \
- docker ps \
- --filter 'name=kube-apiserver_kube-apiserver' \
- --format '{{ "{{.ID}}" }}' \
- | xargs --no-run-if-empty docker kill
+ crictl ps --name='kube-apiserver' -q \
+ | xargs --no-run-if-empty crictl stop --timeout=0
 args:
 executable: /bin/bash
@@ -109,7 +107,7 @@
 vars:
 valid_days: "{{ specification.advanced.certificates.expiration_days }}"
 services_to_restart:
- - docker
+ - containerd
 include_tasks: generate-certificates.yml
 # kubeadm-config.yml can appear not only on 'automation_designated_master' in 2 cases:
diff --git a/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml b/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml
index 91177d484a..eaad9e045a 100644
--- a/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml
+++ b/ansible/playbooks/roles/kubernetes_promote/handlers/main.yml
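Review bot: In the `Restart apiserver` task, `crictl ps --name='kube-apiserver' -q` uses crictl's `--name` filter, which is documented as a regular-expression match and as written is unanchored, so any container whose name merely contains `kube-apiserver` would be stopped as well; the old docker filter matched the full `kube-apiserver_kube-apiserver` container/pod name. Anchoring the pattern, `crictl ps --name='^kube-apiserver$' -q \`, keeps the previous precision. The `shell: |-` literal block with `set -o pipefail && \` is the right form for this pipeline; the task continues outside the hunk.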
@@ -1,16 +1,16 @@
 ---
 - name: Restart controller-manager
- shell: |
- crictl ps \
- --name='kube-controller-manager' -q \
+ shell: >-
+ set -o pipefail &&
+ crictl ps --name='kube-controller-manager' -q \
 | xargs --no-run-if-empty crictl stop --timeout=0
 args:
 executable: /bin/bash
 - name: Restart scheduler
- shell: |
- crictl ps \
- --name='kube-scheduler' -q \
+ shell: >-
+ set -o pipefail &&
+ crictl ps --name='kube-scheduler' -q \
 | xargs --no-run-if-empty crictl stop --timeout=0
 args:
 executable: /bin/bash
@@ -21,10 +21,10 @@
 state: restarted
 - name: Restart kube-proxy
- shell: |
- crictl ps \
- --name='kube-proxy' -q \
- | xargs --no-run-if-empty crictl stop --timeout=0
+ shell: >-
+ set -o pipefail &&
+ crictl ps --name='kube-proxy' -q \
+ | xargs --no-run-if-empty crictl stop --timeout=0
 args:
 executable: /bin/bash
diff --git a/docs/changelogs/CHANGELOG-2.0.md b/docs/changelogs/CHANGELOG-2.0.md
index 00a5e2eb65..48d4018351 100644
--- a/docs/changelogs/CHANGELOG-2.0.md
+++ b/docs/changelogs/CHANGELOG-2.0.md
@@ -49,5 +49,7 @@
 ### Breaking changes
 - Upgrade of Terraform components in issue [#2825](https://github.com/epiphany-platform/epiphany/issues/2825) and [#2853](https://github.com/epiphany-platform/epiphany/issues/2853) will make running re-apply with infrastructure break on existing 1.x clusters. The advice is to deploy a new cluster and migrate data. If needed a manual upgrade path is described [here.](../home/howto/UPGRADE.md#terraform-upgrade-from-epiphany-1.x-to-2.x)
+- Kubernetes container runtime changed. Dockershim and Docker are no longer on Kubernetes hosts.
+- Filebeat docker input replaced by container input. New field provided for Filebeat as system service installation: container.id. Field kubernetes.container.name is no longer valid.
 ### Known issues
diff --git a/docs/home/COMPONENTS.md b/docs/home/COMPONENTS.md
index 5e77ef75f2..7328ff5628 100644
--- a/docs/home/COMPONENTS.md
+++ b/docs/home/COMPONENTS.md
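Review bot: The switch to a folded scalar (`shell: >-`) in `Restart controller-manager` keeps a trailing `\` on the `crictl ps ... -q \` line, but folding joins the lines with a space, so bash receives `-q \ | xargs ...` where `\ ` is an escaped space, i.e. an extra one-space positional argument to `crictl ps` that is either rejected or silently ignored depending on the crictl build. The same pattern is in `Restart scheduler` and `Restart kube-proxy` in the second hunk. The literal form already used for the apiserver in kubernetes_master/tasks/main.yml is the safe one: `shell: |-`, then `set -o pipefail && \`, then `crictl ps --name='kube-controller-manager' -q \` with the pipe on the next line; alternatively keep `>-` and drop the trailing `\`. The `--name` filter is also an unanchored regex here, as noted for the apiserver task.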
@@ -9,7 +9,7 @@ Note that versions are default versions and can be changed in certain cases thro
 | Kubernetes | 1.22.4 | https://github.com/kubernetes/kubernetes | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |
 | Kubernetes Dashboard | 2.3.1 | https://github.com/kubernetes/dashboard | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |
 | Kubernetes metrics-scraper | 1.0.7 | https://github.com/kubernetes-sigs/dashboard-metrics-scraper | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |
-| Containerd | 1.4.12 | https://github.com/containerd/containerd | [Apache License 2.0](https://github.com/containerd/containerd/blob/main/LICENSE) |
+| containerd | 1.4.12 | https://github.com/containerd/containerd | [Apache License 2.0](https://github.com/containerd/containerd/blob/main/LICENSE) |
 | Calico | 3.20.3 | https://github.com/projectcalico/calico | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |
 | Flannel | 0.14.0 | https://github.com/coreos/flannel/ | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |
 | Canal | 3.20.3 | https://github.com/projectcalico/calico | [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0) |