authorJason DeTiberus <jdetiber@redhat.com>2015-08-25 14:40:08 -0400
committerAndrew Butcher <abutcher@redhat.com>2015-11-04 19:57:22 -0500
commitac0f4cb56e1469e9033e3a218265bc70f774624d (patch)
treeef752e894c17dfae7f3bd1b1cf87e2209925b4ca
parent18c877db73dcb63b1402322fe8352505006e4985 (diff)
more tweaks
-rw-r--r--filter_plugins/oo_filters.py2
-rw-r--r--playbooks/common/openshift-master/config.yml44
-rw-r--r--roles/haproxy/defaults/main.yml7
-rw-r--r--roles/haproxy/meta/main.yml4
-rw-r--r--roles/haproxy/templates/haproxy.cfg.j29
-rw-r--r--roles/openshift_master/files/atomic-openshift-master-api9
-rw-r--r--roles/openshift_master/files/atomic-openshift-master-api.service21
-rw-r--r--roles/openshift_master/files/atomic-openshift-master-controllers9
-rw-r--r--roles/openshift_master/files/atomic-openshift-master-controllers.service22
-rw-r--r--roles/openshift_master/tasks/main.yml21
-rw-r--r--roles/openshift_master_ca/tasks/main.yml2
11 files changed, 94 insertions, 56 deletions
diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py
index 80bce80f0..4e4f7507c 100644
--- a/filter_plugins/oo_filters.py
+++ b/filter_plugins/oo_filters.py
@@ -253,7 +253,7 @@ class FilterModule(object):
server_ip = host_info['openshift']['common']['ip']
server_port = host_info['openshift']['master']['api_port']
server['address'] = "%s:%s" % (server_ip, server_port)
- server['opts'] = 'check ssl verify none'
+ server['opts'] = 'check'
servers.append(server)
return servers
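Review bot: With the backend switched to tcp mode, the bare `check` written into `server['opts']` is only a TCP connect probe, so a master whose API process accepts connections but is not yet serving TLS/HTTP stays in rotation. Dropping `ssl verify none` from the runtime path is an improvement, but the health check itself can keep a TLS-level probe, e.g. `server['opts'] = 'check check-ssl verify none'` (haproxy 1.5+), optionally paired with `option httpchk GET /healthz` in the template; whether the installed haproxy supports `check-ssl` is not visible here, so please confirm. The enclosing function starts and ends outside the hunk.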
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index e223e3d57..67068e001 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -170,6 +170,10 @@
masters_needing_certs: "{{ hostvars
| oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master']))
| oo_filter_list(filter_attr='master_certs_missing') }}"
+ master_hostnames: "{{ hostvars
+ | oo_select_keys(groups['oo_masters_to_config'])
+ | oo_collect('openshift.common.all_hostnames')
+ | oo_flatten | unique }}"
sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
roles:
- openshift_master_certificates
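Review bot: `master_hostnames` is built only from the masters' `openshift.common.all_hostnames`, so with the load balancer now passing TLS through to the masters (see the tcp-mode frontend later in this file) the name clients use to reach the balancer is covered only if every master's `all_hostnames` already includes it; that is not visible here, so please confirm or add the balancer's hostname to this list. A short comment on the var would help the next reader: `# hostnames of every master, so each master cert is valid for any master behind the LB`. The play these vars belong to starts before the hunk.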
@@ -209,24 +213,7 @@
parsed_named_certificates: "{{ openshift_master_named_certificates | oo_parse_certificate_names(master_cert_config_dir, openshift.common.internal_hostnames) }}"
when: openshift_master_named_certificates is defined
-- name: Fetch master server certificate for load balancer
- hosts: oo_first_master
- vars:
- sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
- tasks:
- - file:
- path: "{{ sync_tmpdir }}/haproxy_cert"
- state: directory
- - fetch:
- src: /etc/origin/master/master.server.crt
- dest: "{{ sync_tmpdir }}/haproxy_cert/server.crt"
- flat: yes
- - fetch:
- src: /etc/origin/master/master.server.key
- dest: "{{ sync_tmpdir }}/haproxy_cert/server.key"
- flat: yes
-
-- name: Compute haproxy_backend_servers and combine certificate
+- name: Compute haproxy_backend_servers
hosts: localhost
connection: local
sudo: false
@@ -234,11 +221,6 @@
tasks:
- set_fact:
haproxy_backend_servers: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_haproxy_backend_masters }}"
- - shell: cat server.crt server.key > server.pem
- args:
- chdir: "{{ g_master_mktemp.stdout }}/haproxy_cert"
- creates: "{{ g_master_mktemp.stdout }}/haproxy_cert/server.pem"
-
- name: Configure load balancers
hosts: oo_lb_to_config
@@ -246,32 +228,24 @@
sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
haproxy_frontends:
- name: atomic-openshift-api
+ mode: tcp
options:
- tcplog
binds:
- - "*:{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }} ssl crt /etc/haproxy/server.pem"
+ - "*:{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }}"
default_backend: atomic-openshift-api
haproxy_backends:
- name: atomic-openshift-api
+ mode: tcp
+ option: tcplog
balance: roundrobin
servers: "{{ hostvars.localhost.haproxy_backend_servers }}"
- pre_tasks:
- - file:
- path: /etc/haproxy
- state: directory
- - copy:
- src: "{{ sync_tmpdir }}/haproxy_cert/server.pem"
- dest: /etc/haproxy/server.pem
- mode: 0600
- owner: root
- group: root
roles:
- role: haproxy
when: groups.oo_masters_to_config | length > 1
- name: Configure master instances
hosts: oo_masters_to_config
- serial: 1
vars:
named_certificates: "{{ hostvars[groups['oo_first_master'][0]]['parsed_named_certificates'] | default([])}}"
sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}"
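Review bot: The new backend entry uses a singular `option: tcplog` key while the frontend above it uses an `options:` list; unless the haproxy template reads `backend.option` (not visible here), this key is silently dropped and the backend gets no tcplog. I would align it with the frontend form: `options:` followed by `- tcplog`. `sync_tmpdir` in this play's vars is now unused since the certificate copy pre_task was removed, and dropping `serial: 1` from the master play means all masters are configured concurrently — presumably deliberate given the random pause added in the master role, but worth a one-line comment at the play; the `Configure master instances` play continues past the hunk.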
diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
index 16e9af4d1..7ba5bd485 100644
--- a/roles/haproxy/defaults/main.yml
+++ b/roles/haproxy/defaults/main.yml
@@ -12,3 +12,10 @@ haproxy_backends:
- name: web01
address: 127.0.0.1:9000
opts: check
+
+os_firewall_use_firewalld: False
+os_firewall_allow:
+- service: haproxy stats
+ port: "9000/tcp"
+- service: haproxy balance
+ port: "8443/tcp"
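Review bot: `8443/tcp` in `os_firewall_allow` is hard-coded while the frontend bind in the playbook uses `openshift.master.api_port`, so a cluster with a non-default API port ends up with a firewall rule that does not match the listener. Deriving it keeps the two in sync, e.g. `port: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }}/tcp"`, or a role variable the playbook sets. Opening `9000/tcp` for the stats page exposes the backend list and health state of the masters to anyone on the network, and the stats listener added in the template has no `stats auth`; I would drop this rule and keep stats on loopback, or require auth before opening it. Also `os_firewall_use_firewalld: False` is better written as `false` in YAML.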
diff --git a/roles/haproxy/meta/main.yml b/roles/haproxy/meta/main.yml
index e02d8f53c..0fad106a9 100644
--- a/roles/haproxy/meta/main.yml
+++ b/roles/haproxy/meta/main.yml
@@ -9,4 +9,6 @@ galaxy_info:
- name: EL
versions:
- 7
-dependencies: []
+dependencies:
+- { role: os_firewall }
+- { role: openshift_repos }
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index fddf0ede1..c932af72f 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -27,12 +27,17 @@ defaults
timeout http-request 10s
timeout queue 1m
timeout connect 10s
- timeout client 1m
- timeout server 1m
+ timeout client 300s
+ timeout server 300s
timeout http-keep-alive 10s
timeout check 10s
maxconn 3000
+listen stats :9000
+ mode http
+ stats enable
+ stats uri /
+
{% for frontend in haproxy_frontends %}
frontend {{ frontend.name }}
{% for bind in frontend.binds %}
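Review bot: `listen stats :9000` binds on every interface and enables the stats page with no `stats auth` or ACL, so anyone who can reach port 9000 can read the backend topology and health of the masters. Bind it to loopback, `listen stats 127.0.0.1:9000`, or add `stats auth` with credentials sourced from a role variable rather than hard-coded in the template. Raising `timeout client`/`timeout server` to 300s is reasonable for long-lived API watch connections, but a comment saying so would stop the next reader from "tightening" it: `# long client/server timeouts: API watch connections are long-lived`.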
diff --git a/roles/openshift_master/files/atomic-openshift-master-api b/roles/openshift_master/files/atomic-openshift-master-api
new file mode 100644
index 000000000..ea82468a0
--- /dev/null
+++ b/roles/openshift_master/files/atomic-openshift-master-api
@@ -0,0 +1,9 @@
+OPTIONS=
+CONFIG_FILE=/etc/origin/master/master-config.yaml
+
+# Proxy configuration
+# Origin uses standard HTTP_PROXY environment variables. Be sure to set
+# NO_PROXY for your master
+#NO_PROXY=master.example.com
+#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
+#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT
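Review bot: The `NO_PROXY` comment says only "your master", but this file is now installed on every master of an HA cluster, so a proxy configured here must also exclude the other masters, the etcd hosts and the load balancer name or intra-cluster traffic is sent through the proxy; I would spell that out: `# NO_PROXY must cover this master, the other masters, etcd and the load balancer`. Any `HTTP_PROXY=http://USER:PASSWORD@...` value is a plaintext credential in /etc/sysconfig; the task that installs this file is not in the hunk, so please confirm it sets a restrictive mode (0600) when credentials are present. The controllers sysconfig file below is the same blob (ea82468a0); one source file copied to both names would avoid drift.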
diff --git a/roles/openshift_master/files/atomic-openshift-master-api.service b/roles/openshift_master/files/atomic-openshift-master-api.service
new file mode 100644
index 000000000..b24b9809e
--- /dev/null
+++ b/roles/openshift_master/files/atomic-openshift-master-api.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Atomic OpenShift Master API
+Documentation=https://github.com/openshift/origin
+After=network.target
+After=etcd.service
+Before=atomic-openshift-node.service
+Requires=network.target
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/sysconfig/atomic-openshift-master-api
+Environment=GOTRACEBACK=crash
+ExecStart=/usr/bin/atomic-enterprise start master api --config=${CONFIG_FILE} $OPTIONS
+LimitNOFILE=131072
+LimitCORE=infinity
+WorkingDirectory=/var/lib/origin/
+SyslogIdentifier=atomic-openshift-master-api
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=atomic-openshift-node.service
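Review bot: The API unit has no `Restart=` while the controllers unit added in the same commit sets `Restart=on-failure`, so an API process that aborts (the unit sets `GOTRACEBACK=crash`, which turns an unhandled panic into a crash) stays down until someone restarts it; add `Restart=on-failure` for consistency. `LimitCORE=infinity` combined with `GOTRACEBACK=crash` means such a crash writes a full core dump, and that image contains the master's serving/CA private keys and bearer tokens from memory, so the core destination and its permissions need to be controlled, or `LimitCORE` dropped on production hosts; record the trade-off on the line: `# LimitCORE=infinity: core dumps contain key material, restrict the core_pattern location`. `After=etcd.service` without a `Wants=` is ordering only, which is fine if etcd may be remote.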
diff --git a/roles/openshift_master/files/atomic-openshift-master-controllers b/roles/openshift_master/files/atomic-openshift-master-controllers
new file mode 100644
index 000000000..ea82468a0
--- /dev/null
+++ b/roles/openshift_master/files/atomic-openshift-master-controllers
@@ -0,0 +1,9 @@
+OPTIONS=
+CONFIG_FILE=/etc/origin/master/master-config.yaml
+
+# Proxy configuration
+# Origin uses standard HTTP_PROXY environment variables. Be sure to set
+# NO_PROXY for your master
+#NO_PROXY=master.example.com
+#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT
+#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT
diff --git a/roles/openshift_master/files/atomic-openshift-master-controllers.service b/roles/openshift_master/files/atomic-openshift-master-controllers.service
new file mode 100644
index 000000000..e84160e5a
--- /dev/null
+++ b/roles/openshift_master/files/atomic-openshift-master-controllers.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Atomic OpenShift Master Controllers
+Documentation=https://github.com/openshift/origin
+After=network.target
+After=atomic-openshift-master-api.service
+Before=atomic-openshift-node.service
+Requires=network.target
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/sysconfig/atomic-openshift-master-controllers
+Environment=GOTRACEBACK=crash
+ExecStart=/usr/bin/atomic-enterprise start master controllers --config=${CONFIG_FILE} $OPTIONS
+LimitNOFILE=131072
+LimitCORE=infinity
+WorkingDirectory=/var/lib/origin/
+SyslogIdentifier=atomic-openshift-master-controllers
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+WantedBy=atomic-openshift-node.service
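Review bot: `After=atomic-openshift-master-api.service` is ordering only; without `Wants=atomic-openshift-master-api.service` the controllers can start on a host where the API unit was never activated, and the random pause added in the role tasks suggests startup already depends on the API being up. Adding `Wants=` (not `Requires=`, so an API restart does not take the controllers down) makes that dependency explicit. `Restart=on-failure` is good, but with `RestartSec` left at its default a persistent failure restarts every 100ms; `RestartSec=5s` is worth considering if that matches the intended behaviour.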
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index b23c19d37..00aaa2e57 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -204,27 +204,16 @@
when: not openshift_master_ha | bool
register: start_result
-# workaround for start bug when configuring ha
-- name: Start master for ha workaround
- service: name={{ openshift.common.service_type }}-master state=started
- when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master
-
-- name: pause for 30 seconds to let master finish starting up for ha workaround
- pause: seconds=30
- when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master
-
-- name: Stop master for ha workaround
- service: name={{ openshift.common.service_type }}-master state=stopped
- when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master
-# end workaround for start bug when configuring ha
-
-- fail:
-
- name: Start and enable master api
service: name={{ openshift.common.service_type }}-master-api enabled=yes state=started
when: openshift_master_ha | bool
register: start_result
+# TODO: work to eliminate this workaround
+- name: pause a random interval to avoid startup errors for controller
+ pause: seconds={{ 60 | random(step=5) }}
+ when: openshift_master_ha | bool
+
- name: Start and enable master controller
service: name={{ openshift.common.service_type }}-master-controllers enabled=yes state=started
when: openshift_master_ha | bool
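Review bot: The `pause: seconds={{ 60 | random(step=5) }}` inserted before starting the controllers is a timing guess: it adds up to a minute per master and still starts the controllers even when the API never came up, so the startup error it works around can recur under load. A readiness wait on the API port the role already knows is deterministic and fails loudly, e.g. `wait_for: host=127.0.0.1 port={{ openshift.master.api_port }} delay=1 timeout=120`, kept under the same `when: openshift_master_ha | bool`; if the underlying issue is controller-side rather than API readiness, say so in the TODO comment so nobody "fixes" it into a wait. The task list continues past the hunk.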
diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml
index abb0f8252..0738048d3 100644
--- a/roles/openshift_master_ca/tasks/main.yml
+++ b/roles/openshift_master_ca/tasks/main.yml
@@ -14,7 +14,7 @@
- name: Create the master certificates if they do not already exist
command: >
{{ openshift.common.admin_binary }} create-master-certs
- --hostnames={{ openshift.common.all_hostnames | join(',') }}
+ --hostnames={{ master_hostnames | join(',') }}
--master={{ openshift.master.api_url }}
--public-master={{ openshift.master.public_api_url }}
--cert-dir={{ openshift_master_config_dir }} --overwrite=false
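Review bot: `master_hostnames` is a play-level var set in playbooks/common/openshift-master/config.yml, so this role now fails at template time when invoked from any playbook that does not define it, whereas `openshift.common.all_hostnames` was a host fact. A fallback preserves the old behaviour for other callers: `--hostnames={{ master_hostnames | default(openshift.common.all_hostnames) | join(',') }}`. A comment above the task should say the list deliberately spans all masters so each cert is valid for any master reached through the load balancer, and note that with `--overwrite=false` an already-installed master keeps its existing cert and will not pick up the expanded hostname list until it is regenerated.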