Install apparmor tools also for Ubuntu Focal.

k8s gate is still on focal, so patch which unblock the apparmor for
jammy does not affect it. Here is the fix for focal as well.

Change-Id: I2a9bc69a59e7d6d21d61e79115d5a3c726c73ab0
(cherry picked from commit bdc0b49ce3)

.gitreview

@@ -2,4 +2,4 @@
 host=review.opendev.org
 port=29418
 project=openstack/devstack-plugin-container.git
-defaultbranch=unmaintained/victoria
+defaultbranch=stable/wallaby

.zuul.yaml

@@ -7,6 +7,7 @@
     timeout: 4200
     required-projects:
       - openstack/devstack
+      - openstack/devstack-gate
       - openstack/devstack-plugin-container
     vars:
       devstack_localrc:
@@ -24,6 +25,7 @@
     timeout: 7200
     required-projects:
       - openstack/devstack
+      - openstack/devstack-gate
       - openstack/devstack-plugin-container
     vars:
       devstack_services:

devstack/lib/crio

@@ -40,14 +40,22 @@ function install_crio {
 
     local lsb_dist=${os_VENDOR,,}
     local dist_version=${os_CODENAME}
-    local arch
-    arch=$(dpkg --print-architecture)
+    local kubic_obs_project_key="2472d6d0d2f66af87aba8da34d64390375060aa4"
+    local os="x${os_VENDOR}_${os_RELEASE}"
     if is_ubuntu; then
-        apt_get install apt-transport-https ca-certificates software-properties-common
-        sudo add-apt-repository -y ppa:projectatomic/ppa
+        apt_get install apt-transport-https ca-certificates \
+            software-properties-common
+        sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 \
+            --recv ${kubic_obs_project_key}
+        sudo apt-add-repository "deb https://download.opensuse.org/"`
+            `"repositories/devel:/kubic:/libcontainers:/stable/${os}/ /"
+        sudo apt-add-repository "deb http://download.opensuse.org/"`
+            `"repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/"`
+            `"${CRIO_VERSION}/${os}/ /"
+
         # Installing podman and containerd will get us compatible versions of
         # cri-o and runc. And we need podman to manage container images anyway.
-        apt_get install podman buildah
+        apt_get install podman buildah cri-o-runc cri-o
     elif is_fedora; then
         if [[ "$lsb_dist" = "centos" ]]; then
             sudo yum-config-manager \
@@ -75,16 +83,6 @@ function configure_crio {
         iniset -sudo ${crio_conf} crio.runtime log_level \"info\"
     fi
     if is_ubuntu; then
-        # In Ubuntu's a special vendored version of runc is installed with
-        # cri-o. This means that it'll not work with the system's version of
-        # runc. Moreover vendored runc is not placed into /usr/bin, where
-        # crio.conf states that it will be. We fix that by linking the vendored
-        # binary to /usr/bin.
-        if [[ ! -e /usr/bin/runc ]]; then
-            sudo ln -s /usr/lib/cri-o-runc/sbin/runc /usr/bin/runc
-            sudo chmod +x /usr/bin/runc
-        fi
-
         # At least for 18.04 we need to set up /etc/containers/registries.conf
         # with some initial content. That's another bug with that PPA.
         local registries_conf

devstack/lib/docker

@@ -59,6 +59,7 @@ function install_docker {
     local arch
     arch=$(dpkg --print-architecture)
     if is_ubuntu; then
+        apt_get install apparmor
         if [[ ${dist_version} == 'trusty' ]]; then
             if uname -r | grep -q -- '-generic' && dpkg -l 'linux-image-*-generic' | grep -qE '^ii|^hi' 2>/dev/null; then
                 apt_get install linux-image-extra-$(uname -r) linux-image-extra-virtual

devstack/lib/k8s

@@ -63,6 +63,7 @@ function kubeadm_init {
     cat <<EOF | tee $kubeadm_config_file >/dev/null
 apiVersion: kubeadm.k8s.io/v1beta1
 kind: ClusterConfiguration
+imageRepository: "${KUBEADMIN_IMAGE_REPOSITORY}"
 etcd:
   external:
     endpoints:
@@ -84,6 +85,7 @@ apiVersion: kubelet.config.k8s.io/v1beta1
 kind: KubeletConfiguration
 failSwapOn: false
 EOF
+    sudo kubeadm config images pull --image-repository=${KUBEADMIN_IMAGE_REPOSITORY}
     sudo kubeadm init --config $kubeadm_config_file --ignore-preflight-errors Swap
 
     local kube_config_file=$HOME/.kube/config

devstack/settings

@@ -9,6 +9,7 @@ ENABLE_LIVE_RESTORE=${ENABLE_LIVE_RESTORE:-false}
 ENABLE_IPV6=${ENABLE_IPV6:-false}
 K8S_NETWORK_ADDON=${K8S_NETWORK_ADDON:-flannel}
 ENABLE_CONTAINERD_CRI=${ENABLE_CONTAINERD_CRI:-false}
+CRIO_VERSION=${CRIO_VERSION:-"1.18:/1.18.0"}
 
 # Enable container services
 enable_service container
@@ -20,3 +21,6 @@ if [[ ,${ENABLED_SERVICES} =~ ,"k8s-master" ]]; then
     enable_service kube-scheduler
     enable_service kube-proxy
 fi
+
+# Customize kubeadm container images repository
+KUBEADMIN_IMAGE_REPOSITORY=${KUBEADMIN_IMAGE_REPOSITORY:-"k8s.gcr.io"}