chore: add current provisioning state before migration

taskservs/kubernetes/default/_cri/crio/crictl.yaml

@@ -0,0 +1,3 @@
+runtime-endpoint: "unix:///var/run/crio/crio.sock"
+timeout: 0
+debug: false

taskservs/kubernetes/default/_cri/crio/install.sh

@@ -0,0 +1,137 @@
+#!/bin/bash
+# Info: Script to install/create/delete/update crio from file settings 
+# Author: JesusPerezLorenzo  
+# Release: 1.0 
+# Date: 12-11-2024
+
+USAGE="install.sh install | update | remvoe"
+[ "$1" == "-h"  ] && echo "$USAGE"  && exit 1
+
+OS=$(uname | tr '[:upper:]' '[:lower:]')
+ARCH="$(uname -m | sed -e 's/x86_64/amd64/' -e 's/\(arm\)\(64\)\?.*/\1\2/' -e 's/aarch64$/arm64/')"
+
+CRIO_VERSION="${CRIO_VERSION:-1.29.1}"
+#CRIO_URL=https://raw.githubusercontent.com/cri-o/cri-o/master/scripts/get
+CRIO_URL=https://storage.googleapis.com/cri-o/artifacts/cri-o.$ARCH.v$CRIO_VERSION.tar.gz
+
+CRICTL_VERSION="${CRICTL_VERSION:-1.29.0}"
+CRICTL_URL="https://github.com/kubernetes-sigs/cri-tools/releases/download"
+
+CRIO_SYSTEMCTL_MODE=enabled
+
+CMD_TSKSRVC=${1:-install}
+
+export LC_CTYPE=C.UTF-8 
+export LANG=C.UTF-8
+
+ORG=$(pwd)
+
+PKG_ORG=${PKG_ORG:-.}
+
+_clean_others() {
+  [ -d "/etc/cni" ] && sudo rm -r /etc/cni
+  [ -d "/var/lib/containers" ] && sudo rm -r /var/lib/containers
+  sudo rm -f /etc/systemd/system/podman* 2>/dev/null
+}
+_init() {
+  [ -z "$CRIO_VERSION" ] || [ -z "$ARCH" ] || [ -z "$CRIO_URL" ] && exit 1
+  local curr_vers
+  local has_crio
+  has_crio=$(type crio 2>/dev/null)
+  if [ -n "$has_crio" ]  ; then 
+    curr_vers=$(crio --version | grep "^Version" | awk '{print $2}')
+  else
+    _clean_others
+  fi
+  if [ "$curr_vers" != "$CRIO_VERSION" ] ; then
+    if ! curl -fsSL "$CRIO_URL" -o /tmp/crio.tar.gz ; then
+      echo "error downloading crio r"
+      return 1 
+    fi
+    tar xzf /tmp/crio.tar.gz 
+    if [ -r "cri-o/install" ] ; then
+      cd cri-o || exit 1
+      [ -n "$has_crio" ] && sudo timeout -k 10 20 systemctl stop crio 
+      sudo bash ./install &>/dev/null
+      cd "$ORG" || exit 1
+    else  
+      echo "error installing crio"
+      ret=1
+    fi
+    rm -fr cri-o
+    rm -f /tmp/crio_installer.sh
+    [ "$ret" == 1 ] && return 1 
+  fi
+  curr_vers=$(crictl --version | awk '{print $3}' | sed 's/v//g')
+  if [ "$curr_vers" != "$CRICTL_VERSION" ] ; then
+    if ! curl -fsSL "${CRICTL_URL}/v${CRICTL_VERSION}/crictl-v${CRICTL_VERSION}-${OS}-${ARCH}.tar.gz" -o /tmp/crictl.tar.gz ; then
+      echo "error downloading crictl installer"
+      return 1 
+    fi
+    tar xzf /tmp/crictl.tar.gz 
+    if [ -r "crictl" ] ; then
+      chmod +x crictl 
+      sudo mv crictl /usr/local/bin
+    fi
+    rm -f /tmp/crictl.tar.gz 
+  fi
+  return 0 
+}
+
+_config_crio() {
+  [ ! -d "/etc/crio" ] && mkdir -p /etc/crio 
+  if [ -r "$PKG_ORG/crio_config.toml" ] && [ ! -r "/etc/crio/config.toml" ] ; then
+    sudo cp "$PKG_ORG"/crio_config.toml /etc/crio/config.toml
+  fi
+  if [ -r "$PKG_ORG/crictl.yaml" ] && [ ! -r "/etc/crictl.yaml" ] ; then
+    sudo cp "$PKG_ORG"/crictl.yaml /etc/crictl.yaml
+  fi
+
+  if [ -r "$PKG_ORG/crio.service" ] && [ ! -r "/lib/systemd/crio.service" ] ; then
+    sudo cp "$PKG_ORG"/crio.service  /lib/systemd/system
+    [ ! -L "/etc/systemd/system/crio.service" ] && sudo ln -s /lib/systemd/system/crio.service /etc/systemd/system
+    sudo timeout -k 10 20 systemctl daemon-reload
+  fi
+  TARGET=/etc/modules-load.d/crio.conf
+  ITEMS="overlay br_netfilter"
+  for it in $ITEMS
+  do 
+    has_item=$(sudo grep ^"$it" $TARGET 2>/dev/null)
+    [ -z "$has_item" ] && echo "$it" | sudo tee -a /etc/modules-load.d/crio.conf
+  done
+  [ ! -d "/etc/containers" ] && sudo mkdir /etc/containers
+  [ -r "$PKG_ORG/registries.conf" ] && sudo cp "$PKG_ORG"/registries.conf  /etc/containers
+  _start_crio
+}
+
+_remove_crio() {
+  sudo timeout -k 10 20 systemctl stop crio 
+  sudo timeout -k 10 20 systemctl disable crio 
+}
+
+_start_crio() {
+  if [ "$CRIO_SYSTEMCTL_MODE" == "enabled" ] ; then 
+    sudo timeout -k 10 20 systemctl enable crio 
+  else 
+    sudo timeout -k 10 20 systemctl disable crio 
+  fi
+  sudo timeout -k 10 20 systemctl start crio
+}
+
+_restart_crio() {
+  sudo timeout -k 10 20 systemctl restart crio
+}
+[ "$CMD_TSKSRVC" == "remove" ] && _remove_crio && exit 0
+if ! _init ; then
+  echo "error crio install"
+  exit 1
+fi
+[ "$CMD_TSKSRVC"  == "update" ] &&  _restart_crio && exit 0
+if ! _config_crio ; then 
+  echo "error crio config"
+  exit 1
+fi
+if ! _start_crio ; then 
+  echo "error crio start"
+  exit 1
+fi

taskservs/kubernetes/default/_cri/crio/registries.conf

@@ -0,0 +1,77 @@
+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure.  If it is necessary to use one
+# of these registries, it should be added at the end of the list.
+#
+# # An array of host[:port] registries to try when pulling an unqualified image, in order.
+unqualified-search-registries = ["docker.io", "quay.io"]
+#
+# [[registry]]
+# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
+# # (only) the TOML table with the longest match for the input image name
+# # (taking into account namespace/repo/tag/digest separators) is used.
+# # 
+# # The prefix can also be of the form: *.example.com for wildcard subdomain
+# # matching.
+# #
+# # If the prefix field is missing, it defaults to be the same as the "location" field.
+# prefix = "example.com/foo"
+#
+# # If true, unencrypted HTTP as well as TLS connections with untrusted
+# # certificates are allowed.
+# insecure = false
+#
+# # If true, pulling images with matching names is forbidden.
+# blocked = false
+#
+# # The physical location of the "prefix"-rooted namespace.
+# #
+# # By default, this is equal to "prefix" (in which case "prefix" can be omitted
+# # and the [[registry]] TOML table can only specify "location").
+# #
+# # Example: Given
+# #   prefix = "example.com/foo"
+# #   location = "internal-registry-for-example.net/bar"
+# # requests for the image example.com/foo/myimage:latest will actually work with the
+# # internal-registry-for-example.net/bar/myimage:latest image.
+#
+# # The location can be empty iff prefix is in a
+# # wildcarded format: "*.example.com". In this case, the input reference will
+# # be used as-is without any rewrite.
+# location = internal-registry-for-example.com/bar"
+#
+# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
+# #
+# # The mirrors are attempted in the specified order; the first one that can be
+# # contacted and contains the image will be used (and if none of the mirrors contains the image,
+# # the primary location specified by the "registry.location" field, or using the unmodified
+# # user-specified reference, is tried last).
+# #
+# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
+# # as if specified in the [[registry]] TOML table directly:
+# # - location
+# # - insecure
+# [[registry.mirror]]
+# location = "example-mirror-0.local/mirror-for-foo"
+# [[registry.mirror]]
+# location = "example-mirror-1.local/mirrors/foo"
+# insecure = true
+# # Given the above, a pull of example.com/foo/image:latest will try:
+# # 1. example-mirror-0.local/mirror-for-foo/image:latest
+# # 2. example-mirror-1.local/mirrors/foo/image:latest
+# # 3. internal-registry-for-example.net/bar/image:latest
+# # in order, and use the first one that exists.

taskservs/kubernetes/default/_cri/crio/storage.conf

@@ -0,0 +1,195 @@
+# This file is is the configuration file for all tools
+# that use the containers/storage library.
+# See man 5 containers-storage.conf for more information
+# The "container storage" table contains all of the server options.
+[storage]
+
+# Default Storage Driver, Must be set for proper operation.
+driver = "overlay"
+
+# Temporary storage location
+runroot = "/run/containers/storage"
+
+# Primary Read/Write location of container storage
+graphroot = "/var/lib/containers/storage"
+
+# Storage path for rootless users
+#
+# rootless_storage_path = "$HOME/.local/share/containers/storage"
+
+[storage.options]
+# Storage options to be passed to underlying storage drivers
+
+# AdditionalImageStores is used to pass paths to additional Read/Only image stores
+# Must be comma separated list.
+additionalimagestores = [
+]
+
+# Remap-UIDs/GIDs is the mapping from UIDs/GIDs as they should appear inside of
+# a container, to the UIDs/GIDs as they should appear outside of the container,
+# and the length of the range of UIDs/GIDs.  Additional mapped sets can be
+# listed and will be heeded by libraries, but there are limits to the number of
+# mappings which the kernel will allow when you later attempt to run a
+# container.
+#
+# remap-uids = 0:1668442479:65536
+# remap-gids = 0:1668442479:65536
+
+# Remap-User/Group is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid or /etc/subgid file.  Mappings are set up starting
+# with an in-container ID of 0 and then a host-level ID taken from the lowest
+# range that matches the specified name, and using the length of that range.
+# Additional ranges are then assigned, using the ranges which specify the
+# lowest host-level IDs first, to the lowest not-yet-mapped in-container ID,
+# until all of the entries have been used for maps.
+#
+# remap-user = "containers"
+# remap-group = "containers"
+
+# Root-auto-userns-user is a user name which can be used to look up one or more UID/GID
+# ranges in the /etc/subuid and /etc/subgid file.  These ranges will be partitioned
+# to containers configured to create automatically a user namespace.  Containers
+# configured to automatically create a user namespace can still overlap with containers
+# having an explicit mapping set.
+# This setting is ignored when running as rootless.
+# root-auto-userns-user = "storage"
+#
+# Auto-userns-min-size is the minimum size for a user namespace created automatically.
+# auto-userns-min-size=1024
+#
+# Auto-userns-max-size is the minimum size for a user namespace created automatically.
+# auto-userns-max-size=65536
+
+[storage.options.overlay]
+# ignore_chown_errors can be set to allow a non privileged user running with
+# a single UID within a user namespace to run containers. The user can pull
+# and use any image even those with multiple uids.  Note multiple UIDs will be
+# squashed down to the default uid in the container.  These images will have no
+# separation between the users in the container. Only supported for the overlay
+# and vfs drivers.
+#ignore_chown_errors = "false"
+
+# Inodes is used to set a maximum inodes of the container image.
+# inodes = ""
+
+# Path to an helper program to use for mounting the file system instead of mounting it
+# directly.
+#mount_program = "/usr/bin/fuse-overlayfs"
+
+# mountopt specifies comma separated list of extra mount options
+mountopt = "nodev,metacopy=on"
+
+# Set to skip a PRIVATE bind mount on the storage home directory.
+# skip_mount_home = "false"
+
+# Size is used to set a maximum size of the container image.
+# size = ""
+
+# ForceMask specifies the permissions mask that is used for new files and
+# directories.
+#
+# The values "shared" and "private" are accepted.
+# Octal permission masks are also accepted.
+#
+#  "": No value specified.
+#     All files/directories, get set with the permissions identified within the
+#     image.
+#  "private": it is equivalent to 0700.
+#     All files/directories get set with 0700 permissions.  The owner has rwx
+#     access to the files. No other users on the system can access the files.
+#     This setting could be used with networked based homedirs.
+#  "shared": it is equivalent to 0755.
+#     The owner has rwx access to the files and everyone else can read, access
+#     and execute them. This setting is useful for sharing containers storage
+#     with other users.  For instance have a storage owned by root but shared
+#     to rootless users as an additional store.
+#     NOTE:  All files within the image are made readable and executable by any
+#     user on the system. Even /etc/shadow within your image is now readable by
+#     any user.
+#
+#   OCTAL: Users can experiment with other OCTAL Permissions.
+#
+#  Note: The force_mask Flag is an experimental feature, it could change in the
+#  future.  When "force_mask" is set the original permission mask is stored in
+#  the "user.containers.override_stat" xattr and the "mount_program" option must
+#  be specified. Mount programs like "/usr/bin/fuse-overlayfs" present the
+#  extended attribute permissions to processes within containers rather then the
+#  "force_mask"  permissions.
+#
+# force_mask = ""
+
+[storage.options.thinpool]
+# Storage Options for thinpool
+
+# autoextend_percent determines the amount by which pool needs to be
+# grown. This is specified in terms of % of pool size. So a value of 20 means
+# that when threshold is hit, pool will be grown by 20% of existing
+# pool size.
+# autoextend_percent = "20"
+
+# autoextend_threshold determines the pool extension threshold in terms
+# of percentage of pool size. For example, if threshold is 60, that means when
+# pool is 60% full, threshold has been hit.
+# autoextend_threshold = "80"
+
+# basesize specifies the size to use when creating the base device, which
+# limits the size of images and containers.
+# basesize = "10G"
+
+# blocksize specifies a custom blocksize to use for the thin pool.
+# blocksize="64k"
+
+# directlvm_device specifies a custom block storage device to use for the
+# thin pool. Required if you setup devicemapper.
+# directlvm_device = ""
+
+# directlvm_device_force wipes device even if device already has a filesystem.
+# directlvm_device_force = "True"
+
+# fs specifies the filesystem type to use for the base device.
+# fs="xfs"
+
+# log_level sets the log level of devicemapper.
+# 0: LogLevelSuppress 0 (Default)
+# 2: LogLevelFatal
+# 3: LogLevelErr
+# 4: LogLevelWarn
+# 5: LogLevelNotice
+# 6: LogLevelInfo
+# 7: LogLevelDebug
+# log_level = "7"
+
+# min_free_space specifies the min free space percent in a thin pool require for
+# new device creation to succeed. Valid values are from 0% - 99%.
+# Value 0% disables
+# min_free_space = "10%"
+
+# mkfsarg specifies extra mkfs arguments to be used when creating the base
+# device.
+# mkfsarg = ""
+
+# metadata_size is used to set the `pvcreate --metadatasize` options when
+# creating thin devices. Default is 128k
+# metadata_size = ""
+
+# Size is used to set a maximum size of the container image.
+# size = ""
+
+# use_deferred_removal marks devicemapper block device for deferred removal.
+# If the thinpool is in use when the driver attempts to remove it, the driver
+# tells the kernel to remove it as soon as possible. Note this does not free
+# up the disk space, use deferred deletion to fully remove the thinpool.
+# use_deferred_removal = "True"
+
+# use_deferred_deletion marks thinpool device for deferred deletion.
+# If the device is busy when the driver attempts to delete it, the driver
+# will attempt to delete device every 30 seconds until successful.
+# If the program using the driver exits, the driver will continue attempting
+# to cleanup the next time the driver is used. Deferred deletion permanently
+# deletes the device and all data stored in device will be lost.
+# use_deferred_deletion = "True"
+
+# xfs_nospace_max_retries specifies the maximum number of retries XFS should
+# attempt to complete IO when ENOSPC (no space) error is returned by
+# underlying storage device.
+# xfs_nospace_max_retries = "0"