From 90f8c3607cee375c40f906132a4184119c6a3cd3 Mon Sep 17 00:00:00 2001
From: caoyingjunz
Date: Tue, 16 May 2023 19:30:40 +0800
Subject: [PATCH 1/3] Enable SystemdCgroup by default for containerd
---
 .../roles/baremetal/templates/config.toml.j2 | 267 +++++++++++++++---
 1 file changed, 220 insertions(+), 47 deletions(-)
diff --git a/ansible/roles/baremetal/templates/config.toml.j2 b/ansible/roles/baremetal/templates/config.toml.j2
index de20ed91..aa5d7658 100644
--- a/ansible/roles/baremetal/templates/config.toml.j2
+++ b/ansible/roles/baremetal/templates/config.toml.j2
@@ -1,77 +1,250 @@
+disabled_plugins = []
+imports = []
+oom_score = 0
+plugin_dir = ""
+required_plugins = []
 root = "/var/lib/containerd"
 state = "/run/containerd"
-oom_score = 0
+temp = ""
+version = 2
+
+[cgroup]
+ path = ""
+
+[debug]
+ address = ""
+ format = ""
+ gid = 0
+ level = ""
+ uid = 0
 [grpc]
 address = "/run/containerd/containerd.sock"
- uid = 0
 gid = 0
 max_recv_message_size = 16777216
 max_send_message_size = 16777216
-
-[debug]
- address = ""
+ tcp_address = ""
+ tcp_tls_ca = ""
+ tcp_tls_cert = ""
+ tcp_tls_key = ""
 uid = 0
- gid = 0
- level = ""
 [metrics]
 address = ""
 grpc_histogram = false
-[cgroup]
- path = ""
-
 [plugins]
- [plugins.cgroups]
- no_prometheus = false
- [plugins.cri]
- stream_server_address = "127.0.0.1"
- stream_server_port = "0"
+
+ [plugins."io.containerd.gc.v1.scheduler"]
+ deletion_threshold = 0
+ mutation_threshold = 100
+ pause_threshold = 0.02
+ schedule_delay = "0s"
+ startup_delay = "100ms"
+
+ [plugins."io.containerd.grpc.v1.cri"]
+ device_ownership_from_security_context = false
+ disable_apparmor = false
+ disable_cgroup = false
+ disable_hugetlb_controller = true
+ disable_proc_mount = false
+ disable_tcp_service = true
 enable_selinux = false
+ enable_tls_streaming = false
+ enable_unprivileged_icmp = false
+ enable_unprivileged_ports = false
+ ignore_image_defined_volumes = false
+ max_concurrent_downloads = 3
+ max_container_log_line_size = 16384
+ netns_mounts_under_state_dir = false
+ restrict_oom_score_adj = false
 sandbox_image = "{{ sandbox_image }}"
+ selinux_category_range = 1024
 stats_collect_period = 10
+ stream_idle_timeout = "4h0m0s"
+ stream_server_address = "127.0.0.1"
+ stream_server_port = "0"
 systemd_cgroup = false
- enable_tls_streaming = false
- max_container_log_line_size = 16384
- disable_proc_mount = false
- [plugins.cri.containerd]
- snapshotter = "overlayfs"
+ tolerate_missing_hugetlb_controller = true
+ unset_seccomp_profile = ""
+
+ [plugins."io.containerd.grpc.v1.cri".cni]
+ bin_dir = "/opt/cni/bin"
+ conf_dir = "/etc/cni/net.d"
+ conf_template = ""
+ ip_pref = ""
+ max_conf_num = 1
+
+ [plugins."io.containerd.grpc.v1.cri".containerd]
+ default_runtime_name = "runc"
+ disable_snapshot_annotations = true
+ discard_unpacked_layers = false
+ ignore_rdt_not_enabled_errors = false
 no_pivot = false
- [plugins.cri.containerd.default_runtime]
- runtime_type = "io.containerd.runtime.v1.linux"
+ snapshotter = "overlayfs"
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime]
+ base_runtime_spec = ""
+ cni_conf_dir = ""
+ cni_max_conf_num = 0
+ container_annotations = []
+ pod_annotations = []
+ privileged_without_host_devices = false
 runtime_engine = ""
+ runtime_path = ""
 runtime_root = ""
- [plugins.cri.containerd.untrusted_workload_runtime]
 runtime_type = ""
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.default_runtime.options]
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
+ base_runtime_spec = ""
+ cni_conf_dir = ""
+ cni_max_conf_num = 0
+ container_annotations = []
+ pod_annotations = []
+ privileged_without_host_devices = false
+ runtime_engine = ""
+ runtime_path = ""
+ runtime_root = ""
+ runtime_type = "io.containerd.runc.v2"
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
+ BinaryName = ""
+ CriuImagePath = ""
+ CriuPath = ""
+ CriuWorkPath = ""
+ IoGid = 0
+ IoUid = 0
+ NoNewKeyring = false
+ NoPivotRoot = false
+ Root = ""
+ ShimCgroup = ""
+ SystemdCgroup = true
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime]
+ base_runtime_spec = ""
+ cni_conf_dir = ""
+ cni_max_conf_num = 0
+ container_annotations = []
+ pod_annotations = []
+ privileged_without_host_devices = false
 runtime_engine = ""
+ runtime_path = ""
 runtime_root = ""
- [plugins.cri.cni]
- bin_dir = "/opt/cni/bin"
- conf_dir = "/etc/cni/net.d"
- conf_template = ""
- [plugins.cri.registry]
- [plugins.cri.registry.mirrors]
- [plugins.cri.registry.mirrors."docker.io"]
- endpoint = ["https://registry-1.docker.io"]
- [plugins.cri.x509_key_pair_streaming]
+ runtime_type = ""
+
+ [plugins."io.containerd.grpc.v1.cri".containerd.untrusted_workload_runtime.options]
+
+ [plugins."io.containerd.grpc.v1.cri".image_decryption]
+ key_model = "node"
+
+ [plugins."io.containerd.grpc.v1.cri".registry]
+ config_path = ""
+
+ [plugins."io.containerd.grpc.v1.cri".registry.auths]
+
+ [plugins."io.containerd.grpc.v1.cri".registry.configs]
+
+ [plugins."io.containerd.grpc.v1.cri".registry.headers]
+
+ [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
+
+ [plugins."io.containerd.grpc.v1.cri".x509_key_pair_streaming]
 tls_cert_file = ""
 tls_key_file = ""
- [plugins.diff-service]
- default = ["walking"]
- [plugins.linux]
- shim = "containerd-shim"
+
+ [plugins."io.containerd.internal.v1.opt"]
+ path = "/opt/containerd"
+
+ [plugins."io.containerd.internal.v1.restart"]
+ interval = "10s"
+
+ [plugins."io.containerd.internal.v1.tracing"]
+ sampling_ratio = 1.0
+ service_name = "containerd"
+
+ [plugins."io.containerd.metadata.v1.bolt"]
+ content_sharing_policy = "shared"
+
+ [plugins."io.containerd.monitor.v1.cgroups"]
+ no_prometheus = false
+
+ [plugins."io.containerd.runtime.v1.linux"]
+ no_shim = false
 runtime = "runc"
 runtime_root = ""
- no_shim = false
+ shim = "containerd-shim"
 shim_debug = false
- [plugins.opt]
- path = "/opt/containerd"
- [plugins.restart]
- interval = "10s"
- [plugins.scheduler]
- pause_threshold = 0.02
- deletion_threshold = 0
- mutation_threshold = 100
- schedule_delay = "0s"
- startup_delay = "100ms"
+
+ [plugins."io.containerd.runtime.v2.task"]
+ platforms = ["linux/amd64"]
+ sched_core = false
+
+ [plugins."io.containerd.service.v1.diff-service"]
+ default = ["walking"]
+
+ [plugins."io.containerd.service.v1.tasks-service"]
+ rdt_config_file = ""
+
+ [plugins."io.containerd.snapshotter.v1.aufs"]
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.btrfs"]
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.devmapper"]
+ async_remove = false
+ base_image_size = ""
+ discard_blocks = false
+ fs_options = ""
+ fs_type = ""
+ pool_name = ""
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.native"]
+ root_path = ""
+
+ [plugins."io.containerd.snapshotter.v1.overlayfs"]
+ root_path = ""
+ upperdir_label = false
+
+ [plugins."io.containerd.snapshotter.v1.zfs"]
+ root_path = ""
+
+ [plugins."io.containerd.tracing.processor.v1.otlp"]
+ endpoint = ""
+ insecure = false
+ protocol = ""
+
+[proxy_plugins]
+
+[stream_processors]
+
+ [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
+ accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
+ args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+ env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
+ path = "ctd-decoder"
+ returns = "application/vnd.oci.image.layer.v1.tar"
+
+ [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
+ accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
+ args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+ env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
+ path = "ctd-decoder"
+ returns = "application/vnd.oci.image.layer.v1.tar+gzip"
+
+[timeouts]
+ "io.containerd.timeout.bolt.open" = "0s"
+ "io.containerd.timeout.shim.cleanup" = "5s"
+ "io.containerd.timeout.shim.load" = "5s"
+ "io.containerd.timeout.shim.shutdown" = "3s"
+ "io.containerd.timeout.task.state" = "2s"
+
+[ttrpc]
+ address = ""
+ gid = 0
+ uid = 0
From 35dca09f6f67870a058c88ca9ade523ebdd10a6b Mon Sep 17 00:00:00 2001
From: caoyingjunz
Date: Wed, 17 May 2023 08:17:24 +0800
Subject: [PATCH 2/3] Bump default version to 3.0
---
 README.md | 2 +-
 tools/setup_env.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 124cac5d..d0dc0d4c 100644
--- a/README.md
+++ b/README.md
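Review bot: `platforms = ["linux/amd64"]` under `[plugins."io.containerd.runtime.v2.task"]` bakes the architecture of whatever machine produced this default dump into a template that is rendered for every baremetal host, so a non-amd64 node would get a task plugin restricted to amd64; dropping that line lets containerd fall back to the host platform, or it can be rendered from the target's `ansible_architecture` fact. `SystemdCgroup = true` in the runc options is likewise a literal with no Jinja override while `sandbox_image` is templated, and kubelet's cgroup driver has to agree with it, so an inventory still on cgroupfs cannot opt out; a variable with a default, e.g. `SystemdCgroup = {{ systemd_cgroup | default(true) | lower }}` (variable name is a suggestion), keeps the new default while leaving the choice to the inventory. The old `[plugins.cri.registry.mirrors."docker.io"]` endpoint is removed and the new `registry.mirrors` table and `config_path` are both empty, which the commit message does not mention; since the dropped endpoint was the upstream default this is harmless today, but it removes the only hook operators had for pointing pulls at a mirror.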
@@ -6,7 +6,7 @@ To provide quick deployment tools for kubernetes cluster and cloud native applic
 [![Release][release-image]][release-url] [![License][license-image]][license-url]
-This session has been tested on CentOS 7, Debian 10 and Ubuntu 18.04 which supported by python2.7 for now.
+This session has been tested on Rocky 8.5+, Debian 11 and Ubuntu 20.04+ which supported by python3.
 ## Getting Started
 Learn about Kubez Ansible by reading the documentation online [kubez-ansible](https://www.bilibili.com/video/BV1L84y1h7LE/).
diff --git a/tools/setup_env.sh b/tools/setup_env.sh
index 8fdcd2d7..04c880f6 100755
--- a/tools/setup_env.sh
+++ b/tools/setup_env.sh
@@ -5,7 +5,7 @@
 # This script is intended to be used for install kubernetes env.
 REPO=gopixiu-io
-# 选择需要安装的分支,默认 stable/tiger 分支
+# 选择需要安装的分支,默认 master 分支
 BRANCH=master
 TARGET=kubez-ansible-${BRANCH//\//-}
From 27b9b06ce20932efdc383998f825eb295fae93cc Mon Sep 17 00:00:00 2001
From: caoyingjunz
Date: Wed, 17 May 2023 08:19:39 +0800
Subject: [PATCH 3/3] add
---
 docs/install/prerequisites.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docs/install/prerequisites.md b/docs/install/prerequisites.md
index ffbf8c67..ccf0aba5 100644
--- a/docs/install/prerequisites.md
+++ b/docs/install/prerequisites.md
@@ -8,12 +8,12 @@
 #### 直接安装
 ```shell
 # 当有网络的时候建议直接安装(因为简单又方便)
- curl https://raw.githubusercontent.com/gopixiu-io/kubez-ansible/stable/tiger/tools/setup_env.sh | bash
+ curl https://raw.githubusercontent.com/gopixiu-io/kubez-ansible/master/tools/setup_env.sh | bash
 ```
 #### 脚本安装
 ```text
 # 自动获取,网络通时,通过 curl 命令直接获取脚本到本地
- curl https://raw.githubusercontent.com/gopixiu-io/kubez-ansible/stable/tiger/tools/setup_env.sh -o setup_env.sh
+ curl https://raw.githubusercontent.com/gopixiu-io/kubez-ansible/master/tools/setup_env.sh -o setup_env.sh
 # 手动获取,自动获取失败时使用,一般因为网络不通或者未安装 curl 命令
 # 拷贝项目的 tools/setup_env.sh, 并保存到 setup_env.sh