ClusterAPI.imageBuilder/ansible/windows/roles/runtimes/tasks/containerd.yml

# Copyright 2020 The Kubernetes Authors.

# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at

# http://www.apache.org/licenses/LICENSE-2.0

# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
---
- name: Download containerd
  win_get_url:
    url: '{{ containerd_url }}'
    dest: '{{ tempdir.stdout | trim }}\containerd.tar.gz'
    checksum: '{{ containerd_sha256 }}'
    checksum_algorithm: "sha256"
    url_timeout: 300
  register: containerd
  retries: 5
  delay: 3
  until: containerd is not failed

- name: Create containerd directory structure
  win_file:
    path:  "{{ item }}"
    state: directory
  loop: 
    - '{{ programfiles.stdout | trim }}\containerd'
    - '{{ alluserprofile.stdout | trim }}\containerd\state'
    - '{{ alluserprofile.stdout | trim }}\containerd\root'
    - '{{ systemdrive.stdout | trim }}/opt/cni/bin'
    - '{{ systemdrive.stdout | trim }}/etc/cni/net.d'

- name: Check if containerd exists
  win_stat:
    path: '{{ programfiles.stdout | trim }}\containerd\containerd.exe'
  register: containerd_file

- name: Unpack containerd binaries
  win_command: cmd /c tar -zxvf {{ containerd.dest }} -C "{{ programfiles.stdout | trim }}\containerd" --strip-components 1
  when: not containerd_file.stat.exists

- name: Add containerd to path
  win_path:
    elements:
    - '{{ programfiles.stdout | trim }}\containerd'
    scope: machine

- name: Copy containerd config file {{ containerd_config_file }}
  win_template:
    dest: '{{ programfiles.stdout | trim }}\containerd\config.toml'
    src: "{{ containerd_config_file }}"
  vars:
    allusersprofile: "{{ alluserprofile.stdout | trim }}"
    plugin_bin_dir: "{{ systemdrive.stdout | trim }}/opt/cni/bin"
    plugin_conf_dir: "{{ systemdrive.stdout | trim }}/etc/cni/net.d"
    # programfiles is C:\Program Files, but should be C:\\Program Files
    # otherwise task Register Containerd fails with "invalid escape sequence: \P"
    containerd_conf_dir: '{{ programfiles.stdout | trim | regex_replace("\\", "\\\\") }}\\\\containerd'

- name: Check if a Containerd service is installed
  win_service:
    name: containerd
  register: containerd_service

- name: Register Containerd
  win_shell: |
    #refresh the path to ensure ansible sees update
    $env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
    containerd.exe --register-service
  when: containerd_service.exists == false

# Enables DNS resolution of SMB shares
# https://github.com/kubernetes-sigs/windows-gmsa/issues/30#issuecomment-802240945
- name: Apply SMB Resolution Fix for containerd
  win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Services\hns\State
    state: present
    name: EnableCompartmentNamespace
    data: 1
    type: dword

- name: Create Windows Defender Exclusions
  win_shell: |
    Add-MpPreference -ExclusionProcess "{{ programfiles.stdout | trim }}\containerd\containerd.exe"
    Add-MpPreference -ExclusionProcess "{{ programfiles.stdout | trim }}\containerd\ctr.exe"

- name: Ensure Containerd Service is running
  win_service:
    name: containerd
    start_mode: auto
    state: started

- name: Pre-pull containerd images
  win_shell: |
    #refresh the path to ensure ansible sees update
    $env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine")
    ctr.exe -n k8s.io images pull {{ item }}
  loop: "{{ images }}"
  async: 1800
  poll: 60
  retries: 5
  register: pull
  until: pull is not failed
  when: (prepull | bool)
  vars:
    images: "{{ prepull_images[distribution_version] | default([]) }}"