diff options
author | Jason DeTiberus <jdetiber@redhat.com> | 2015-08-25 14:40:08 -0400 |
---|---|---|
committer | Andrew Butcher <abutcher@redhat.com> | 2015-11-04 19:57:22 -0500 |
commit | ac0f4cb56e1469e9033e3a218265bc70f774624d (patch) | |
tree | ef752e894c17dfae7f3bd1b1cf87e2209925b4ca | |
parent | 18c877db73dcb63b1402322fe8352505006e4985 (diff) | |
download | openshift-ac0f4cb56e1469e9033e3a218265bc70f774624d.tar.gz openshift-ac0f4cb56e1469e9033e3a218265bc70f774624d.tar.bz2 openshift-ac0f4cb56e1469e9033e3a218265bc70f774624d.tar.xz openshift-ac0f4cb56e1469e9033e3a218265bc70f774624d.zip |
more tweaks
-rw-r--r-- | filter_plugins/oo_filters.py | 2 | ||||
-rw-r--r-- | playbooks/common/openshift-master/config.yml | 44 | ||||
-rw-r--r-- | roles/haproxy/defaults/main.yml | 7 | ||||
-rw-r--r-- | roles/haproxy/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/haproxy/templates/haproxy.cfg.j2 | 9 | ||||
-rw-r--r-- | roles/openshift_master/files/atomic-openshift-master-api | 9 | ||||
-rw-r--r-- | roles/openshift_master/files/atomic-openshift-master-api.service | 21 | ||||
-rw-r--r-- | roles/openshift_master/files/atomic-openshift-master-controllers | 9 | ||||
-rw-r--r-- | roles/openshift_master/files/atomic-openshift-master-controllers.service | 22 | ||||
-rw-r--r-- | roles/openshift_master/tasks/main.yml | 21 | ||||
-rw-r--r-- | roles/openshift_master_ca/tasks/main.yml | 2 |
11 files changed, 94 insertions, 56 deletions
diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index 80bce80f0..4e4f7507c 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -253,7 +253,7 @@ class FilterModule(object): server_ip = host_info['openshift']['common']['ip'] server_port = host_info['openshift']['master']['api_port'] server['address'] = "%s:%s" % (server_ip, server_port) - server['opts'] = 'check ssl verify none' + server['opts'] = 'check' servers.append(server) return servers diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index e223e3d57..67068e001 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -170,6 +170,10 @@ masters_needing_certs: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config'] | difference(groups['oo_first_master'])) | oo_filter_list(filter_attr='master_certs_missing') }}" + master_hostnames: "{{ hostvars + | oo_select_keys(groups['oo_masters_to_config']) + | oo_collect('openshift.common.all_hostnames') + | oo_flatten | unique }}" sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" roles: - openshift_master_certificates @@ -209,24 +213,7 @@ parsed_named_certificates: "{{ openshift_master_named_certificates | oo_parse_certificate_names(master_cert_config_dir, openshift.common.internal_hostnames) }}" when: openshift_master_named_certificates is defined -- name: Fetch master server certificate for load balancer - hosts: oo_first_master - vars: - sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" - tasks: - - file: - path: "{{ sync_tmpdir }}/haproxy_cert" - state: directory - - fetch: - src: /etc/origin/master/master.server.crt - dest: "{{ sync_tmpdir }}/haproxy_cert/server.crt" - flat: yes - - fetch: - src: /etc/origin/master/master.server.key - dest: "{{ sync_tmpdir }}/haproxy_cert/server.key" - flat: yes - -- name: Compute haproxy_backend_servers and combine certificate +- name: Compute haproxy_backend_servers hosts: localhost connection: local sudo: false @@ -234,11 +221,6 @@ tasks: - set_fact: haproxy_backend_servers: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config']) | oo_haproxy_backend_masters }}" - - shell: cat server.crt server.key > server.pem - args: - chdir: "{{ g_master_mktemp.stdout }}/haproxy_cert" - creates: "{{ g_master_mktemp.stdout }}/haproxy_cert/server.pem" - - name: Configure load balancers hosts: oo_lb_to_config @@ -246,32 +228,24 @@ sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" haproxy_frontends: - name: atomic-openshift-api + mode: tcp options: - tcplog binds: - - "*:{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }} ssl crt /etc/haproxy/server.pem" + - "*:{{ hostvars[groups.oo_first_master.0].openshift.master.api_port }}" default_backend: atomic-openshift-api haproxy_backends: - name: atomic-openshift-api + mode: tcp + option: tcplog balance: roundrobin servers: "{{ hostvars.localhost.haproxy_backend_servers }}" - pre_tasks: - - file: - path: /etc/haproxy - state: directory - - copy: - src: "{{ sync_tmpdir }}/haproxy_cert/server.pem" - dest: /etc/haproxy/server.pem - mode: 0600 - owner: root - group: root roles: - role: haproxy when: groups.oo_masters_to_config | length > 1 - name: Configure master instances hosts: oo_masters_to_config - serial: 1 vars: named_certificates: "{{ hostvars[groups['oo_first_master'][0]]['parsed_named_certificates'] | default([])}}" sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml index 16e9af4d1..7ba5bd485 100644 --- a/roles/haproxy/defaults/main.yml +++ b/roles/haproxy/defaults/main.yml @@ -12,3 +12,10 @@ haproxy_backends: - name: web01 address: 127.0.0.1:9000 opts: check + +os_firewall_use_firewalld: False +os_firewall_allow: +- service: haproxy stats + port: "9000/tcp" +- service: haproxy balance + port: "8443/tcp" diff --git a/roles/haproxy/meta/main.yml b/roles/haproxy/meta/main.yml index e02d8f53c..0fad106a9 100644 --- a/roles/haproxy/meta/main.yml +++ b/roles/haproxy/meta/main.yml @@ -9,4 +9,6 @@ galaxy_info: - name: EL versions: - 7 -dependencies: [] +dependencies: +- { role: os_firewall } +- { role: openshift_repos } diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2 index fddf0ede1..c932af72f 100644 --- a/roles/haproxy/templates/haproxy.cfg.j2 +++ b/roles/haproxy/templates/haproxy.cfg.j2 @@ -27,12 +27,17 @@ defaults timeout http-request 10s timeout queue 1m timeout connect 10s - timeout client 1m - timeout server 1m + timeout client 300s + timeout server 300s timeout http-keep-alive 10s timeout check 10s maxconn 3000 +listen stats :9000 + mode http + stats enable + stats uri / + {% for frontend in haproxy_frontends %} frontend {{ frontend.name }} {% for bind in frontend.binds %} diff --git a/roles/openshift_master/files/atomic-openshift-master-api b/roles/openshift_master/files/atomic-openshift-master-api new file mode 100644 index 000000000..ea82468a0 --- /dev/null +++ b/roles/openshift_master/files/atomic-openshift-master-api @@ -0,0 +1,9 @@ +OPTIONS= +CONFIG_FILE=/etc/origin/master/master-config.yaml + +# Proxy configuration +# Origin uses standard HTTP_PROXY environment variables. Be sure to set +# NO_PROXY for your master +#NO_PROXY=master.example.com +#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT +#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT diff --git a/roles/openshift_master/files/atomic-openshift-master-api.service b/roles/openshift_master/files/atomic-openshift-master-api.service new file mode 100644 index 000000000..b24b9809e --- /dev/null +++ b/roles/openshift_master/files/atomic-openshift-master-api.service @@ -0,0 +1,21 @@ +[Unit] +Description=Atomic OpenShift Master API +Documentation=https://github.com/openshift/origin +After=network.target +After=etcd.service +Before=atomic-openshift-node.service +Requires=network.target + +[Service] +Type=notify +EnvironmentFile=/etc/sysconfig/atomic-openshift-master-api +Environment=GOTRACEBACK=crash +ExecStart=/usr/bin/atomic-enterprise start master api --config=${CONFIG_FILE} $OPTIONS +LimitNOFILE=131072 +LimitCORE=infinity +WorkingDirectory=/var/lib/origin/ +SyslogIdentifier=atomic-openshift-master-api + +[Install] +WantedBy=multi-user.target +WantedBy=atomic-openshift-node.service diff --git a/roles/openshift_master/files/atomic-openshift-master-controllers b/roles/openshift_master/files/atomic-openshift-master-controllers new file mode 100644 index 000000000..ea82468a0 --- /dev/null +++ b/roles/openshift_master/files/atomic-openshift-master-controllers @@ -0,0 +1,9 @@ +OPTIONS= +CONFIG_FILE=/etc/origin/master/master-config.yaml + +# Proxy configuration +# Origin uses standard HTTP_PROXY environment variables. Be sure to set +# NO_PROXY for your master +#NO_PROXY=master.example.com +#HTTP_PROXY=http://USER:PASSWORD@IPADDR:PORT +#HTTPS_PROXY=https://USER:PASSWORD@IPADDR:PORT diff --git a/roles/openshift_master/files/atomic-openshift-master-controllers.service b/roles/openshift_master/files/atomic-openshift-master-controllers.service new file mode 100644 index 000000000..e84160e5a --- /dev/null +++ b/roles/openshift_master/files/atomic-openshift-master-controllers.service @@ -0,0 +1,22 @@ +[Unit] +Description=Atomic OpenShift Master Controllers +Documentation=https://github.com/openshift/origin +After=network.target +After=atomic-openshift-master-api.service +Before=atomic-openshift-node.service +Requires=network.target + +[Service] +Type=notify +EnvironmentFile=/etc/sysconfig/atomic-openshift-master-controllers +Environment=GOTRACEBACK=crash +ExecStart=/usr/bin/atomic-enterprise start master controllers --config=${CONFIG_FILE} $OPTIONS +LimitNOFILE=131072 +LimitCORE=infinity +WorkingDirectory=/var/lib/origin/ +SyslogIdentifier=atomic-openshift-master-controllers +Restart=on-failure + +[Install] +WantedBy=multi-user.target +WantedBy=atomic-openshift-node.service diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index b23c19d37..00aaa2e57 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -204,27 +204,16 @@ when: not openshift_master_ha | bool register: start_result -# workaround for start bug when configuring ha -- name: Start master for ha workaround - service: name={{ openshift.common.service_type }}-master state=started - when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master - -- name: pause for 30 seconds to let master finish starting up for ha workaround - pause: seconds=30 - when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master - -- name: Stop master for ha workaround - service: name={{ openshift.common.service_type }}-master state=stopped - when: openshift_master_ha | bool and inventory_hostname in groups.oo_first_master -# end workaround for start bug when configuring ha - -- fail: - - name: Start and enable master api service: name={{ openshift.common.service_type }}-master-api enabled=yes state=started when: openshift_master_ha | bool register: start_result +# TODO: work to eliminate this workaround +- name: pause a random interval to avoid startup errors for controller + pause: seconds={{ 60 | random(step=5) }} + when: openshift_master_ha | bool + - name: Start and enable master controller service: name={{ openshift.common.service_type }}-master-controllers enabled=yes state=started when: openshift_master_ha | bool diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml index abb0f8252..0738048d3 100644 --- a/roles/openshift_master_ca/tasks/main.yml +++ b/roles/openshift_master_ca/tasks/main.yml @@ -14,7 +14,7 @@ - name: Create the master certificates if they do not already exist command: > {{ openshift.common.admin_binary }} create-master-certs - --hostnames={{ openshift.common.all_hostnames | join(',') }} + --hostnames={{ master_hostnames | join(',') }} --master={{ openshift.master.api_url }} --public-master={{ openshift.master.public_api_url }} --cert-dir={{ openshift_master_config_dir }} --overwrite=false |