Release 2.15 (#35)
* Only use stat get_checksum: yes when needed (kubernetes-sigs#7270)

By default the Ansible stat module computes the checksum, lists extended attributes and finds the mime type
To find all stat invocations that really use one of those:
git grep -F stat. | grep -vE 'stat.(islnk|exists|lnk_source|writeable)'

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit de1d9df)

Conflicts:
	roles/etcd/tasks/check_certs.yml

* Add kube-ipvs0/nodelocaldns to NetworkManager unmanaged-devices (kubernetes-sigs#7315)

On CentOS 8 they seem to be ignored by default, but better be extra safe
This also makes it easy to exclude other network plugin interfaces

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit e442b1d)

* Stop using kubeadm to update server in kubeconfigs (kubernetes-sigs#7338)

Using `kubeadm init phase kubeconfig all` breaks kubelet client certificate rotation
as we are missing `kubeadm init phase kubelet-finalize all` to point to `kubelet-client-current.pem`

kubeconfig format is stable so let's just use lineinfile,
this will avoid other future breakage

This reverts to the logic before 6fe2248

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit c9c0c01)

* kubeadm-config.v1beta2.yaml.j2: etcd log level arg (kubernetes-sigs#7339)

According to [etcd's docs](https://etcd.io/docs/v3.4.0/op-guide/configuration/#--log-package-levels), argument 'log-package-levels' should not contain underscores.

(cherry picked from commit b7c2265)

* Remove pre kubeadm cert migration tasks

apiserver.pem is not used since ddffdb6

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit fedd671)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-cleanup-old-certs.yml
	roles/kubernetes/master/tasks/kubeadm-migrate-certs.yml

* Remove useless call to 'kubeadm version'

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit a6e1f5e)

* Remove admin.conf removal

kubeadm has been the default for a long time now,
and admin.conf is created by it, so let kubeadm handle it

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 280036f)

* Remove rotate_tokens logic

kubeadm never rotates sa.key/sa.pub, so there is no need to delete tokens/restart pods

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 8800b5c)

* Always backup both certs and kubeconfig

There are no reasons not to backup during upgrade

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 53e5ef6)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-backup.yml
	roles/kubernetes/master/tasks/kubeadm-certificate.yml

* Delete misnamed kubeadm-version.yml

The important action in kubeadm-version.yml is the templating of the configuration,
not finding / setting the version

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit a9c97e5)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-version.yml

* Add privileged_without_host_devices support (kubernetes-sigs#7343)

When privileged is enabled for a container, all the `/dev/*` block
devices from the host are mounted into the guest. The
`privileged_without_host_devices` flag prevents host devices from
being passed to privileged containers.

More information:
* containerd/cri#1225
* cri-o/cri-o@1d0f681

(cherry picked from commit dc5df57)

* ansible and jinja2 updates (kubernetes-sigs#7357)

* Update ansible to v2.9.18

Signed-off-by: Maciej Wereski <[email protected]>

* Update jinja2 to v2.11.3

Signed-off-by: Maciej Wereski <[email protected]>
(cherry picked from commit b07c596)

* Fixup kubelet.conf to point to kubelet-client-current.pem (kubernetes-sigs#7347)

c9c0c01 only fixes the problem for new clusters

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 14b63ed)

Conflicts:
	roles/kubernetes/master/tasks/kubelet-fix-client-cert-rotation.yml

* Check for dummy kernel module (kubernetes-sigs#7348)

The dummy module is needed for nodelocaldns.

(cherry picked from commit 5a54db2)

* Fixup one more missing kubespray-defaults (kubernetes-sigs#7375)

"The error was: 'proxy_disable_env' is undefined\n\nThe error appears to
be in '<censored>scale.yml': line 72, column 7"

Fixes 067db68

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 057e8b4)

* Upgrade openSUSE Leap to 15.2 (kubernetes-sigs#7331)

15.1 has reached EOL on 2021-02-02.

Signed-off-by: Maciej Wereski <[email protected]>
(cherry picked from commit 69d11da)

* Update kube-ovn to 1.6.0 (kubernetes-sigs#7240)

(cherry picked from commit edc4bb4)

* Minor update to cilium and calico

(cherry picked from commit de46f86)

* Update nodelocaldns to 1.17.1

(cherry picked from commit 5f2c8ac)

* Download Calico KDD CRDs (kubernetes-sigs#7372)

* Download Calico KDD CRDs

* Replace kustomize with lineinfile and use ansible assemble module

* Replace find+lineinfile by sed in shell module to avoid nested loop

* add condition on sed

* use block for kdd tasks + remove supernumerary kdd manifest apply in start "Start Calico resources"

(cherry picked from commit 1c62af0)

Conflicts:
        roles/network_plugin/calico/tasks/install.yml

* Update CNI (calico, kubeovn, multus) and Helm

(cherry picked from commit 05f132c)

* Fix calico crds missing 3.16.9 (kubernetes-sigs#7386)

(cherry picked from commit ead8a4e)

* Update hashes for 1.20.5/1.19.9/1.18.17

(cherry picked from commit 6d3dbb4)

* Set K8S default to v1.19.9

Signed-off-by: Etienne Champetier <[email protected]>

* Auto renew control plane certificates (kubernetes-sigs#7358)

While at it remove force_certificate_regeneration
This boolean only forced the renewal of the apiserver certs
Either manually use k8s-certs-renew.sh or set auto_renew_certificates

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit efa1803)

Conflicts:
	roles/kubernetes/master/templates/k8s-certs-renew.service.j2
	roles/kubernetes/master/templates/k8s-certs-renew.sh.j2
	roles/kubernetes/master/templates/k8s-certs-renew.timer.j2

* Add cryptography installation (kubernetes-sigs#7404)

To avoid ModuleNotFoundError due to no module named 'setuptools_rust',
this adds cryptography installation to requirements.txt.

Created by jfc-evs originally as kubernetes-sigs#7264

(cherry picked from commit 49abf60)

* Allow connecting to bastion via non-standard SSH port (kubernetes-sigs#7396)

* Allow connecting to bastion via non-standard port

* Fix bastion connection when ansible_port is not provided

(cherry picked from commit 6fa3565)

* Correct Jinja Syntax for etcd-unsupported-arch (kubernetes-sigs#6919)

`-%` causes `etcd-unsupported-arch: arm64` to print on COL 1 instead of
COL 6.

Signed-off-by: anthr76 <[email protected]>
(cherry picked from commit edfa3e9)

* Fix k8s-certs-renew for k8s < 1.20 (kubernetes-sigs#7410)

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 2d1597b)

* Remove ignore_errors from drain tasks and enable retries (kubernetes-sigs#7151)

* Remove ignore_errors from drain tasks and enable retries

* Fix lint error by checking if stdout length is not 0, ie string is not empty.

(cherry picked from commit ccd3aee)

* Fix remove-node by removing jq usage (kubernetes-sigs#7405)

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 36a3a78)

* Remove left over nodes_to_drain

Signed-off-by: Etienne Champetier <[email protected]>

* remove local lb privileged (kubernetes-sigs#7437) (kubernetes-sigs#7454)

Co-authored-by: Samuel Liu <[email protected]>

* Add new kubernetes hashes (1.19.10, 1.20.6)

* Default to latest kubernetes patch version (1.19.10)

* Update k8s-certs-renew.sh.j2 (kubernetes-sigs#7422)

fix undefinedElse

(cherry picked from commit cce9d31)

* reset roles need flush iptables:raw (kubernetes-sigs#7426)

(cherry picked from commit 7f52c1d)

* Remove calico-rr from local inventory hosts file (kubernetes-sigs#7439)

(cherry picked from commit 596d028)

Conflicts:
	inventory/local/hosts.ini

* Replace deprecated 'with_dict' with 'loop' (kubernetes-sigs#7442)

(cherry picked from commit 6479e26)

* local provisioner 'useNodeNameOnly' option can be configured (kubernetes-sigs#7421)

(cherry picked from commit 7e75d48)

* fix scale (kubernetes-sigs#7449)

(cherry picked from commit 7340a16)

* remove-node roles: fix kubectl absolute path (kubernetes-sigs#7469)

* kubelet absolute path

* kubelet absolute path

(cherry picked from commit e2a7f3e)

* add CI test for auto_renew_certificates (kubernetes-sigs#7472)

* add CI test for auto_renew_certificates

* change timer value

fix typo error in rotate cert script

(cherry picked from commit cce0940)

Conflicts:
	roles/kubernetes/master/templates/k8s-certs-renew.timer.j2

* Remove dead code from kubeadm-etcd (kubernetes-sigs#7470)

(cherry picked from commit aa086e5)

* format ansible output (kubernetes-sigs#7482)

(cherry picked from commit 90c643f)

* Regenerate apiserver.crt on all control-plane nodes (kubernetes-sigs#7463)

We were regenerating only the cert of the first node
While at it speed up the check step

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit e444b3c)

Conflicts:
	roles/kubernetes/master/tasks/kubeadm-setup.yml

* Add auto_renew_certificates_systemd_calendar (kubernetes-sigs#7490)

This allows configuring when K8S certificate renewal runs

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit bf6a39e)

Conflicts:
        inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
        roles/kubernetes/master/defaults/main/main.yml
        roles/kubernetes/master/templates/k8s-certs-renew.timer.j2

* Check if python netaddr and recent enough jinja are installed (kubernetes-sigs#7486)

CentOS 7 provides up to date Ansible with really old jinja version

Signed-off-by: Etienne Champetier <[email protected]>
(cherry picked from commit 332cc1c)

* Add missing proxy environment in crio_repo.yml (kubernetes-sigs#7492)

(cherry picked from commit 2a2fb68)

Co-authored-by: Etienne Champetier <[email protected]>
Co-authored-by: Du9L.com <[email protected]>
Co-authored-by: Victor Morales <[email protected]>
Co-authored-by: Maciej <[email protected]>
Co-authored-by: Lennart Jern <[email protected]>
Co-authored-by: Florian Ruynat <[email protected]>
Co-authored-by: Erwan Miran <[email protected]>
Co-authored-by: Kenichi Omichi <[email protected]>
Co-authored-by: Kaleb Elwert <[email protected]>
Co-authored-by: Anthony Rabbito <[email protected]>
Co-authored-by: David Louks <[email protected]>
Co-authored-by: bleech1 <[email protected]>
Co-authored-by: Samuel Liu <[email protected]>
Co-authored-by: Fredrik Liv <[email protected]>
Co-authored-by: Helmut Januschka <[email protected]>
Co-authored-by: Maxime Lavandier <[email protected]>
Co-authored-by: orange-llajeanne <[email protected]>
Co-authored-by: Sergey <[email protected]>
Co-authored-by: Krystian Młynek <[email protected]>
20 people authored May 3, 2021
1 parent 1fc74c8 commit 2559809
Showing 101 changed files with 697 additions and 3,427 deletions.
2 changes: 1 addition & 1 deletion Dockerfile
@@ -1,7 +1,7 @@
# Use imutable image tags rather than mutable tags (like ubuntu:18.04)
FROM ubuntu:bionic-20200807

ENV KUBE_VERSION=v1.19.8
ENV KUBE_VERSION=v1.19.10

RUN mkdir /kubespray
WORKDIR /kubespray
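
Review bot: the comment on the first line of this hunk asks for an immutable image reference, but `FROM ubuntu:bionic-20200807` is still a tag, and a registry can repoint a tag. Pinning by digest (`FROM ubuntu:bionic-20200807@sha256:<digest>`) would make the comment true, and the `imutable` typo can be fixed in the same pass. The `KUBE_VERSION` bump to v1.19.10 should stay in step with `kube_version` in inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml, which this commit also moves to v1.19.10.
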
12 changes: 6 additions & 6 deletions README.md
Expand Up @@ -108,28 +108,28 @@ vagrant up
- **CentOS/RHEL** 7, 8 (experimental: see [centos 8 notes](docs/centos8.md))
- **Fedora** 32, 33
- **Fedora CoreOS** (experimental: see [fcos Note](docs/fcos.md))
- **openSUSE** Leap 42.3/Tumbleweed
- **openSUSE** Leap 15.x/Tumbleweed
- **Oracle Linux** 7, 8 (experimental: [centos 8 notes](docs/centos8.md) apply)

Note: Upstart/SysV init based OS types are not supported.

## Supported Components

- Core
- [kubernetes](https://github.com/kubernetes/kubernetes) v1.19.8
- [kubernetes](https://github.com/kubernetes/kubernetes) v1.19.10
- [etcd](https://github.com/coreos/etcd) v3.4.13
- [docker](https://www.docker.com/) v19.03 (see note)
- [containerd](https://containerd.io/) v1.3.9
- [cri-o](http://cri-o.io/) v1.19 (experimental: see [CRI-O Note](docs/cri-o.md). Only on fedora, ubuntu and centos based OS)
- Network Plugin
- [cni-plugins](https://github.com/containernetworking/plugins) v0.9.0
- [calico](https://github.com/projectcalico/calico) v3.16.6
- [calico](https://github.com/projectcalico/calico) v3.16.9
- [canal](https://github.com/projectcalico/canal) (given calico/flannel versions)
- [cilium](https://github.com/cilium/cilium) v1.8.6
- [cilium](https://github.com/cilium/cilium) v1.8.8
- [flanneld](https://github.com/coreos/flannel) v0.13.0
- [kube-ovn](https://github.com/alauda/kube-ovn) v1.5.2
- [kube-ovn](https://github.com/alauda/kube-ovn) v1.6.1
- [kube-router](https://github.com/cloudnativelabs/kube-router) v1.1.1
- [multus](https://github.com/intel/multus-cni) v3.6.0
- [multus](https://github.com/intel/multus-cni) v3.7.0
- [ovn4nfv](https://github.com/opnfv/ovn4nfv-k8s-plugin) v1.1.0
- [weave](https://github.com/weaveworks/weave) v2.7.0
- Application
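
Review bot: `Leap 15.x` in the supported-distribution list is broader than what this commit covers. The Vagrantfile box and docs/opensuse.md both move to 15.2, and the commit message states that 15.1 has reached EOL, so the README now advertises an end-of-life release as supported. Suggest `Leap 15.2/Tumbleweed` here.
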
2 changes: 1 addition & 1 deletion Vagrantfile
Expand Up @@ -28,7 +28,7 @@ SUPPORTED_OS = {
"centos8-bento" => {box: "bento/centos-8", user: "vagrant"},
"fedora32" => {box: "fedora/32-cloud-base", user: "vagrant"},
"fedora33" => {box: "fedora/33-cloud-base", user: "vagrant"},
"opensuse" => {box: "bento/opensuse-leap-15.1", user: "vagrant"},
"opensuse" => {box: "bento/opensuse-leap-15.2", user: "vagrant"},
"opensuse-tumbleweed" => {box: "opensuse/Tumbleweed.x86_64", user: "vagrant"},
"oraclelinux" => {box: "generic/oracle7", user: "vagrant"},
"oraclelinux8" => {box: "generic/oracle8", user: "vagrant"},
15 changes: 15 additions & 0 deletions ansible_version.yml
Expand Up @@ -15,3 +15,18 @@
- ansible_version.string is version(maximal_ansible_version, "<")
tags:
- check

- name: "Check that python netaddr is installed"
assert:
msg: "Python netaddr is not present"
that: "'127.0.0.1' | ipaddr"
tags:
- check

# CentOS 7 provides too old jinja version
- name: "Check that jinja is not too old (install via pip)"
assert:
msg: "Your Jinja version is too old, install via pip"
that: "{% set test %}It works{% endset %}{{ test == 'It works' }}"
tags:
- check
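
Review bot: the failure message of the Jinja check ("Your Jinja version is too old, install via pip") does not say which version is required, so a user on CentOS 7 has nothing to compare the installed package against. State the minimum version that the block `{% set %}` test stands for and point to requirements.txt, which this commit pins to jinja2==2.11.3. The same applies to the netaddr message: naming the pip package and requirements.txt makes the fix obvious from the error alone.
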
1 change: 0 additions & 1 deletion cluster.yml
Expand Up @@ -100,7 +100,6 @@
environment: "{{ proxy_disable_env }}"
roles:
- { role: kubespray-defaults }
- { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
- { role: win_nodes/kubernetes_patch, tags: ["master", "win_nodes"] }

- hosts: kube-master
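
Review bot: removing the `kubernetes-apps/rotate_tokens` role line also removes the only visible consumer of `secret_changed` and of the `rotate_tokens` tag. Please confirm no remaining task still sets or reads `secret_changed`, and mention in the release notes that `--tags rotate_tokens` no longer selects anything, so operators who scripted that tag after certificate changes are not left assuming tokens were rotated.
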
2 changes: 2 additions & 0 deletions docs/offline-environment.md
Expand Up @@ -28,6 +28,8 @@ cni_download_url: "{{ files_repo }}/kubernetes/cni/cni-plugins-linux-{{ image_ar
crictl_download_url: "{{ files_repo }}/kubernetes/cri-tools/crictl-{{ crictl_version }}-{{ ansible_system | lower }}-{{ image_arch }}.tar.gz"
# If using Calico
calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
# If using Calico with kdd
calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_version }}.tar.gz"

# CentOS/Redhat
## Docker / Containerd
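
Review bot: the new `calico_crds_download_url` entry gives the mirror path but not which upstream file belongs there. `{{ calico_version }}.tar.gz` reads like a release archive rather than a CRD bundle, so add a sentence naming the upstream artifact to mirror, and say whether its checksum is verified after download so that operators of offline mirrors know what they are expected to host.
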
2 changes: 1 addition & 1 deletion docs/opensuse.md
@@ -1,4 +1,4 @@
# openSUSE Leap 15.0 and Tumbleweed
# openSUSE Leap 15.2 and Tumbleweed

openSUSE Leap installation Notes:

14 changes: 0 additions & 14 deletions docs/upgrades.md
Expand Up @@ -284,20 +284,6 @@ follows:
* kube-apiserver, kube-scheduler, and kube-controller-manager
* Add-ons (such as KubeDNS)

## Upgrade considerations

Kubespray supports rotating certificates used for etcd and Kubernetes
components, but some manual steps may be required. If you have a pod that
requires use of a service token and is deployed in a namespace other than
`kube-system`, you will need to manually delete the affected pods after
rotating certificates. This is because all service account tokens are dependent
on the apiserver token that is used to generate them. When the certificate
rotates, all service account tokens must be rotated as well. During the
kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and
recreated. All other invalidated service account tokens are cleaned up
automatically, but other pods are not deleted out of an abundance of caution
for impact to user deployed pods.

### Component-based upgrades

A deployer may want to upgrade specific components in order to minimize risk
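
Review bot: with the `## Upgrade considerations` heading removed, `### Component-based upgrades` becomes a subsection of whatever level-2 section precedes it; promote it to `##` or move it under a fitting parent. The deleted paragraph was also the only text in this hunk that told operators what happens to certificates and service account tokens during an upgrade. A short replacement pointing to `auto_renew_certificates` and `k8s-certs-renew.sh`, both named in the commit message, would keep the upgrade guide from going silent on certificate handling.
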
1 change: 0 additions & 1 deletion inventory/local/hosts.ini
Expand Up @@ -12,4 +12,3 @@ node1
[k8s-cluster:children]
kube-node
kube-master
calico-rr
9 changes: 6 additions & 3 deletions inventory/sample/group_vars/k8s-cluster/k8s-cluster.yml
Expand Up @@ -17,7 +17,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
kube_api_anonymous_auth: true

## Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.19.8
kube_version: v1.19.10

# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
Expand Down Expand Up @@ -310,5 +310,8 @@ persistent_volumes_enabled: false

## Amount of time to retain events. (default 1h0m0s)
event_ttl_duration: "1h0m0s"
## Force regeneration of kubernetes control plane certificates without the need of bumping the cluster version
force_certificate_regeneration: false

## Automatically renew K8S control plane certificates on first Monday of each month
auto_renew_certificates: false
# First Monday of each month
# auto_renew_certificates_systemd_calendar: "Mon *-*-1,2,3,4,5,6,7 03:{{ groups['kube-master'].index(inventory_hostname) }}0:00"
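
Review bot: the commented default for `auto_renew_certificates_systemd_calendar` builds the minute field as `{{ groups['kube-master'].index(inventory_hostname) }}0`, so the seventh control-plane node (index 6) gets `03:60:00`, which is not a valid time. Wrap the index (for example modulo 6) or stagger on another field. Two smaller points: "first Monday of each month" is stated on two consecutive comment lines and is only true for the default calendar, and `force_certificate_regeneration` is removed without any check, so inventories that still set it are ignored silently; an assert in the pre-flight checks would surface that.
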
2 changes: 2 additions & 0 deletions inventory/sample/group_vars/k8s-cluster/offline.yml
Expand Up @@ -32,6 +32,8 @@

# [Optional] Calico: If using Calico network plugin
# calicoctl_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_ctl_version }}/calicoctl-linux-{{ image_arch }}"
# [Optional] Calico with kdd: If using Calico network plugin with kdd datastore
# calico_crds_download_url: "{{ files_repo }}/kubernetes/calico/{{ calico_version }}.tar.gz"

## CentOS/Redhat
### For EL7, base and extras repo must be available, for EL8, baseos and appstream
5 changes: 3 additions & 2 deletions requirements.txt
@@ -1,5 +1,6 @@
ansible==2.9.17
jinja2==2.11.1
ansible==2.9.18
cryptography==2.8
jinja2==2.11.3
netaddr==0.7.19
pbr==5.4.4
jmespath==0.9.5
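
Review bot: `cryptography==2.8` pins a security-sensitive library to one exact release with no explanation in the file. The commit message gives the reason (avoiding the `setuptools_rust` build dependency); put that in a comment next to the pin, and consider a bounded range instead of `==` so that later releases that still build without Rust, and the fixes they carry, are not excluded.
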
3 changes: 2 additions & 1 deletion roles/bastion-ssh-config/tasks/main.yml
@@ -1,7 +1,8 @@
---
- name: set bastion host IP
- name: set bastion host IP and port
set_fact:
bastion_ip: "{{ hostvars[groups['bastion'][0]]['ansible_host'] | d(hostvars[groups['bastion'][0]]['ansible_ssh_host']) }}"
bastion_port: "{{ hostvars[groups['bastion'][0]]['ansible_port'] | d(hostvars[groups['bastion'][0]]['ansible_ssh_port']) | d(22) }}"
delegate_to: localhost
connection: local

2 changes: 1 addition & 1 deletion roles/bastion-ssh-config/templates/ssh-bastion.conf
Expand Up @@ -15,4 +15,4 @@ Host {{ bastion_ip }}
ControlPersist 5m

Host {{ vars['hosts'] }}
ProxyCommand ssh -F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %}
ProxyCommand ssh -F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p -p {{ bastion_port }} {{ real_user }}@{{ bastion_ip }} {% if ansible_ssh_private_key_file is defined %}-i {{ ansible_ssh_private_key_file }}{% endif %}
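
Review bot: the ProxyCommand line being edited keeps `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null`, so the bastion's host key is never verified and every connection through it trusts whatever answers on `{{ bastion_ip }}`, now on a configurable port. Since the line is touched anyway, make these two options overridable, or default to a managed known_hosts file, so deployments that can pin the bastion key do so. The `-p {{ bastion_port }}` addition is consistent with tasks/main.yml, where `bastion_port` falls back to 22.
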
3 changes: 3 additions & 0 deletions roles/bootstrap-os/tasks/bootstrap-centos.yml
Expand Up @@ -69,6 +69,9 @@
- name: Check presence of fastestmirror.conf
stat:
path: /etc/yum/pluginconf.d/fastestmirror.conf
get_attributes: no
get_checksum: no
get_mime: no
register: fastestmirror

# the fastestmirror plugin can actually slow down Ansible deployments
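
Review bot: the same three lines (`get_attributes: no`, `get_checksum: no`, `get_mime: no`) are added here and to every other existence-only `stat` call in this commit, which is easy to forget on the next new task. Consider setting them once through `module_defaults` for `stat` and enabling `get_checksum` only on the tasks that read the checksum; the `git grep` from the commit message could then become a CI check for the exceptions.
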
3 changes: 3 additions & 0 deletions roles/bootstrap-os/tasks/bootstrap-opensuse.yml
Expand Up @@ -4,6 +4,9 @@
- name: Check that /etc/sysconfig/proxy file exists
stat:
path: /etc/sysconfig/proxy
get_attributes: no
get_checksum: no
get_mime: no
register: stat_result

- name: Create the /etc/sysconfig/proxy empty file
3 changes: 3 additions & 0 deletions roles/bootstrap-os/tasks/bootstrap-redhat.yml
Expand Up @@ -85,6 +85,9 @@
- name: Check presence of fastestmirror.conf
stat:
path: /etc/yum/pluginconf.d/fastestmirror.conf
get_attributes: no
get_checksum: no
get_mime: no
register: fastestmirror

# the fastestmirror plugin can actually slow down Ansible deployments
1 change: 1 addition & 0 deletions roles/container-engine/containerd/defaults/main.yml
Expand Up @@ -65,6 +65,7 @@ containerd_default_runtime:
# type: io.containerd.kata.v2
# engine: ""
# root: ""
# privileged_without_host_devices: true
containerd_runtimes: []

containerd_untrusted_runtime_type: ''
3 changes: 3 additions & 0 deletions roles/container-engine/containerd/tasks/main.yml
Expand Up @@ -2,6 +2,9 @@
- name: check if fedora coreos
stat:
path: /run/ostree-booted
get_attributes: no
get_checksum: no
get_mime: no
register: ostree

- name: set is_ostree
2 changes: 2 additions & 0 deletions roles/container-engine/containerd/templates/config.toml.j2
Expand Up @@ -42,6 +42,7 @@ disabled_plugins = ["restart"]
runtime_type = "{{ containerd_default_runtime.type }}"
runtime_engine = "{{ containerd_default_runtime.engine }}"
runtime_root = "{{ containerd_default_runtime.root }}"
privileged_without_host_devices = {{ containerd_default_runtime.privileged_without_host_devices|default(false)|lower }}

{% if kata_containers_enabled %}
[plugins.cri.containerd.runtimes.kata-qemu]
Expand All @@ -55,6 +56,7 @@ disabled_plugins = ["restart"]
runtime_type = "{{ runtime.type }}"
runtime_engine = "{{ runtime.engine }}"
runtime_root = "{{ runtime.root }}"
privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
{% endfor %}

[plugins.cri.containerd.untrusted_workload_runtime]
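
Review bot: `default(false)|lower` on the `privileged_without_host_devices` line, here and on the default-runtime line in the hunk above, only yields valid TOML when the variable is a real boolean; a string value such as "yes" is written out as `yes`. Use `| default(false) | bool | lower` so any truthy spelling renders as `true` or `false`. Because the default of false leaves host devices passed through to privileged containers, as the commit message describes, it is also worth stating that next to the commented `privileged_without_host_devices: true` example in defaults/main.yml.
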
1 change: 1 addition & 0 deletions roles/container-engine/cri-o/tasks/crio_repo.yml
Expand Up @@ -14,6 +14,7 @@
until: apt_key_download is succeeded
retries: 4
delay: "{{ retry_stagger | d(3) }}"
environment: "{{ proxy_env }}"

- name: Add CRI-O kubic apt repo
apt_repository:
6 changes: 6 additions & 0 deletions roles/container-engine/cri-o/tasks/main.yaml
Expand Up @@ -2,6 +2,9 @@
- name: check if fedora coreos
stat:
path: /run/ostree-booted
get_attributes: no
get_checksum: no
get_mime: no
register: ostree

- name: set is_ostree
Expand Down Expand Up @@ -94,6 +97,9 @@
- name: Check if already installed
stat:
path: "/bin/crio"
get_attributes: no
get_checksum: no
get_mime: no
register: need_bootstrap_crio
when: is_ostree

1 change: 1 addition & 0 deletions roles/container-engine/cri-o/templates/crio.conf.j2
Expand Up @@ -293,6 +293,7 @@ pinns_path = ""
runtime_path = "{{ runtime.path }}"
runtime_type = "{{ runtime.type }}"
runtime_root = "{{ runtime.root }}"
privileged_without_host_devices = {{ runtime.privileged_without_host_devices|default(false)|lower }}
{% endfor %}

# Kata Containers with the Firecracker VMM
3 changes: 3 additions & 0 deletions roles/container-engine/crun/tasks/main.yml
Expand Up @@ -9,6 +9,9 @@
- name: Check if binary exists
stat:
path: "{{ crun_bin_dir }}/crun"
get_attributes: no
get_checksum: no
get_mime: no
register: crun_stat

# TODO: use download_file.yml
3 changes: 3 additions & 0 deletions roles/container-engine/docker/tasks/main.yml
Expand Up @@ -2,6 +2,9 @@
- name: check if fedora coreos
stat:
path: /run/ostree-booted
get_attributes: no
get_checksum: no
get_mime: no
register: ostree

- name: set is_ostree