summaryrefslogtreecommitdiffstats
path: root/roles/contiv
diff options
context:
space:
mode:
authorScott Dodson <sdodson@redhat.com>2017-03-01 22:17:22 -0500
committerGitHub <noreply@github.com>2017-03-01 22:17:22 -0500
commit2d52f7c89baae452f3012102ac0f22a071f8f4ce (patch)
treefeb36c4dd6e8a04fa14a24d88d36b6dacc0fa213 /roles/contiv
parent4a3e61e035e42a260e0bf59d1e0c891dc004d50d (diff)
parent58818a6af147e457d56a1faf77b02d37bb538826 (diff)
downloadopenshift-2d52f7c89baae452f3012102ac0f22a071f8f4ce.tar.gz
openshift-2d52f7c89baae452f3012102ac0f22a071f8f4ce.tar.bz2
openshift-2d52f7c89baae452f3012102ac0f22a071f8f4ce.tar.xz
openshift-2d52f7c89baae452f3012102ac0f22a071f8f4ce.zip
Merge pull request #3393 from srampal/contiv
Pull request for Contiv Ansible code integration into Openshift Ansible
Diffstat (limited to 'roles/contiv')
-rw-r--r--roles/contiv/README.md39
-rw-r--r--roles/contiv/contiv-openshift-vlan-network.pngbin0 -> 42664 bytes
-rw-r--r--roles/contiv/defaults/main.yml91
-rw-r--r--roles/contiv/files/contiv_cni.conf5
-rw-r--r--roles/contiv/files/loopbackbin0 -> 3909976 bytes
-rw-r--r--roles/contiv/handlers/main.yml18
-rw-r--r--roles/contiv/meta/main.yml28
-rw-r--r--roles/contiv/tasks/aci.yml32
-rw-r--r--roles/contiv/tasks/default_network.yml15
-rw-r--r--roles/contiv/tasks/download_bins.yml27
-rw-r--r--roles/contiv/tasks/main.yml14
-rw-r--r--roles/contiv/tasks/netmaster.yml65
-rw-r--r--roles/contiv/tasks/netmaster_firewalld.yml16
-rw-r--r--roles/contiv/tasks/netmaster_iptables.yml21
-rw-r--r--roles/contiv/tasks/netplugin.yml121
-rw-r--r--roles/contiv/tasks/netplugin_firewalld.yml34
-rw-r--r--roles/contiv/tasks/netplugin_iptables.yml29
-rw-r--r--roles/contiv/tasks/ovs.yml28
-rw-r--r--roles/contiv/tasks/packageManagerInstall.yml12
-rw-r--r--roles/contiv/tasks/pkgMgrInstallers/centos-install.yml33
-rw-r--r--roles/contiv/templates/aci-gw.service10
-rw-r--r--roles/contiv/templates/aci_gw.j235
-rw-r--r--roles/contiv/templates/contiv.cfg.j26
-rw-r--r--roles/contiv/templates/netmaster.env.j22
-rw-r--r--roles/contiv/templates/netmaster.service8
-rw-r--r--roles/contiv/templates/netplugin.j29
-rw-r--r--roles/contiv/templates/netplugin.service8
27 files changed, 706 insertions, 0 deletions
diff --git a/roles/contiv/README.md b/roles/contiv/README.md
new file mode 100644
index 000000000..fa36039d9
--- /dev/null
+++ b/roles/contiv/README.md
@@ -0,0 +1,39 @@
+## Contiv
+
+Install Contiv components (netmaster, netplugin, contiv_etcd) on Master and Minion nodes
+
+## Requirements
+
+* Ansible 2.2
+* Centos/ RHEL
+
+## Current Contiv restrictions when used with Openshift
+
+* Openshift Origin only
+* VLAN encap mode only (default for Openshift Ansible)
+* Bare metal deployments only
+* Requires additional network configuration on the external physical routers (ref. Openshift docs Contiv section)
+
+## Key Ansible inventory configuration parameters
+
+* ``openshift_use_contiv=True``
+* ``openshift_use_openshift_sdn=False``
+* ``os_sdn_network_plugin_name='cni'``
+* ``netmaster_interface=eth0``
+* ``netplugin_interface=eth1``
+* ref. Openshift docs Contiv section for more details
+
+## Example bare metal deployment of Openshift + Contiv
+
+* Example bare metal deployment
+
+![Screenshot](roles/contiv/contiv-openshift-vlan-network.png)
+
+* contiv241 is a Master + minion node
+* contiv242 and contiv243 are minion nodes
+* VLANs 1001, 1002 used for contiv container networks
+* VLAN 10 used for cluster-internal host network
+* VLANs added to isolated VRF on external physical switch
+* Static routes added on external switch as shown to allow routing between host and container networks
+* External switch also used for public internet access
+
diff --git a/roles/contiv/contiv-openshift-vlan-network.png b/roles/contiv/contiv-openshift-vlan-network.png
new file mode 100644
index 000000000..2462fa337
--- /dev/null
+++ b/roles/contiv/contiv-openshift-vlan-network.png
Binary files differ
diff --git a/roles/contiv/defaults/main.yml b/roles/contiv/defaults/main.yml
new file mode 100644
index 000000000..c2b72339c
--- /dev/null
+++ b/roles/contiv/defaults/main.yml
@@ -0,0 +1,91 @@
+---
+# The version of Contiv binaries to use
+contiv_version: 1.0.0-beta.3-02-21-2017.20-52-42.UTC
+
+contiv_default_subnet: "20.1.1.1/24"
+contiv_default_gw: "20.1.1.254"
+# TCP port that Netmaster listens for network connections
+netmaster_port: 9999
+
+# TCP port that Netplugin listens for network connections
+netplugin_port: 6640
+contiv_rpc_port1: 9001
+contiv_rpc_port2: 9002
+contiv_rpc_port3: 9003
+
+# Interface used by Netplugin for inter-host traffic when encap_mode is vlan.
+# The interface must support 802.1Q trunking.
+netplugin_interface: "eno16780032"
+
+# IP address of the interface used for control communication within the cluster
+# It needs to be reachable from all nodes in the cluster.
+netplugin_ctrl_ip: "{{ hostvars[inventory_hostname]['ansible_' + netplugin_interface].ipv4.address }}"
+
+# IP used to terminate vxlan tunnels
+netplugin_vtep_ip: "{{ hostvars[inventory_hostname]['ansible_' + netplugin_interface].ipv4.address }}"
+
+# Interface used to bind Netmaster service
+netmaster_interface: "{{ netplugin_interface }}"
+
+# Path to the contiv binaries
+bin_dir: /usr/bin
+
+# Path to the contivk8s cni binary
+cni_bin_dir: /opt/cni/bin
+
+# Contiv config directory
+contiv_config_dir: /opt/contiv/config
+
+# Directory to store downloaded Contiv releases
+contiv_releases_directory: /opt/contiv
+contiv_current_release_directory: "{{ contiv_releases_directory }}/{{ contiv_version }}"
+
+#The default url to download the Contiv tar's from
+contiv_download_url_base: "https://github.com/contiv/netplugin/releases/download"
+contiv_download_url: "{{ contiv_download_url_base }}/{{ contiv_version }}/netplugin-{{ contiv_version }}.tar.bz2"
+
+# This is where kubelet looks for plugin files
+kube_plugin_dir: /usr/libexec/kubernetes/kubelet-plugins/net/exec
+
+# Specifies routed mode vs bridged mode for networking (bridge | routing)
+# if you are using an external router for all routing, you should select bridge here
+netplugin_fwd_mode: bridge
+
+# Contiv fabric mode aci|default
+contiv_fabric_mode: default
+
+# Encapsulation type vlan|vxlan to use for instantiating container networks
+contiv_encap_mode: vlan
+
+# Backend used by Netplugin for instantiating container networks
+netplugin_driver: ovs
+
+# Create a default Contiv network for use by pods
+contiv_default_network: true
+
+# VLAN/ VXLAN tag value to be used for the default network
+contiv_default_network_tag: 1
+
+#SRFIXME (use the openshift variables)
+https_proxy: ""
+http_proxy: ""
+no_proxy: ""
+
+# The following are aci specific parameters when contiv_fabric_mode: aci is set.
+# Otherwise, you can ignore these.
+apic_url: ""
+apic_username: ""
+apic_password: ""
+apic_leaf_nodes: ""
+apic_phys_dom: ""
+apic_contracts_unrestricted_mode: no
+apic_epg_bridge_domain: not_specified
+is_atomic: False
+kube_cert_dir: "/data/src/github.com/openshift/origin/openshift.local.config/master"
+master_name: "{{ groups['masters'][0] }}"
+contiv_etcd_port: 22379
+etcd_url: "{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:{{ contiv_etcd_port }}"
+kube_ca_cert: "{{ kube_cert_dir }}/ca.crt"
+kube_key: "{{ kube_cert_dir }}/admin.key"
+kube_cert: "{{ kube_cert_dir }}/admin.crt"
+kube_master_api_port: 8443
diff --git a/roles/contiv/files/contiv_cni.conf b/roles/contiv/files/contiv_cni.conf
new file mode 100644
index 000000000..441dffd41
--- /dev/null
+++ b/roles/contiv/files/contiv_cni.conf
@@ -0,0 +1,5 @@
+{
+ "cniVersion": "0.1.0",
+ "name": "contiv-net",
+ "type": "contivk8s"
+}
diff --git a/roles/contiv/files/loopback b/roles/contiv/files/loopback
new file mode 100644
index 000000000..f02b0b1fb
--- /dev/null
+++ b/roles/contiv/files/loopback
Binary files differ
diff --git a/roles/contiv/handlers/main.yml b/roles/contiv/handlers/main.yml
new file mode 100644
index 000000000..0fbe73036
--- /dev/null
+++ b/roles/contiv/handlers/main.yml
@@ -0,0 +1,18 @@
+---
+- name: reload systemd
+ command: systemctl --system daemon-reload
+
+- name: restart netmaster
+ service:
+ name: netmaster
+ state: restarted
+ when: netmaster_started.changed == false
+
+- name: restart netplugin
+ service:
+ name: netplugin
+ state: restarted
+ when: netplugin_started.changed == false
+
+- name: Save iptables rules
+ command: service iptables save
diff --git a/roles/contiv/meta/main.yml b/roles/contiv/meta/main.yml
new file mode 100644
index 000000000..3223afb6e
--- /dev/null
+++ b/roles/contiv/meta/main.yml
@@ -0,0 +1,28 @@
+---
+galaxy_info:
+ author: Cisco
+ description:
+ company: Cisco
+ license:
+ min_ansible_version: 2.2
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+ - system
+dependencies:
+- role: contiv_facts
+- role: etcd
+ etcd_service: contiv-etcd
+ etcd_is_thirdparty: True
+ etcd_peer_port: 22380
+ etcd_client_port: 22379
+ etcd_conf_dir: /etc/contiv-etcd/
+ etcd_data_dir: /var/lib/contiv-etcd/
+ etcd_ca_host: "{{ inventory_hostname }}"
+ etcd_cert_config_dir: /etc/contiv-etcd/
+ etcd_url_scheme: http
+ etcd_peer_url_scheme: http
+ when: contiv_role == "netmaster"
diff --git a/roles/contiv/tasks/aci.yml b/roles/contiv/tasks/aci.yml
new file mode 100644
index 000000000..30d2eb339
--- /dev/null
+++ b/roles/contiv/tasks/aci.yml
@@ -0,0 +1,32 @@
+---
+- name: ACI | Check aci-gw container image
+ command: "docker inspect contiv/aci-gw"
+ register: docker_aci_inspect_result
+ ignore_errors: yes
+
+- name: ACI | Pull aci-gw container
+ command: "docker pull contiv/aci-gw"
+ when: "'No such image' in docker_aci_inspect_result.stderr"
+
+- name: ACI | Copy shell script used by aci-gw service
+ template:
+ src: aci_gw.j2
+ dest: "{{ bin_dir }}/aci_gw.sh"
+ mode: u=rwx,g=rx,o=rx
+
+- name: ACI | Copy systemd units for aci-gw
+ template:
+ src: aci-gw.service
+ dest: /etc/systemd/system/aci-gw.service
+ notify: reload systemd
+
+- name: ACI | Enable aci-gw service
+ service:
+ name: aci-gw
+ enabled: yes
+
+- name: ACI | Start aci-gw service
+ service:
+ name: aci-gw
+ state: started
+ register: aci-gw_started
diff --git a/roles/contiv/tasks/default_network.yml b/roles/contiv/tasks/default_network.yml
new file mode 100644
index 000000000..9cf98bb80
--- /dev/null
+++ b/roles/contiv/tasks/default_network.yml
@@ -0,0 +1,15 @@
+---
+- name: Contiv | Wait for netmaster
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" tenant ls'
+ register: tenant_result
+ until: tenant_result.stdout.find("default") != -1
+ retries: 9
+ delay: 10
+
+- name: Contiv | Check if default-net exists
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net ls'
+ register: net_result
+
+- name: Contiv | Create default-net
+ command: 'netctl --netmaster "http://{{ inventory_hostname }}:{{ netmaster_port }}" net create --subnet={{ contiv_default_subnet }} -e {{ contiv_encap_mode }} -p {{ contiv_default_network_tag }} --gateway={{ contiv_default_gw }} default-net'
+ when: net_result.stdout.find("default-net") == -1
diff --git a/roles/contiv/tasks/download_bins.yml b/roles/contiv/tasks/download_bins.yml
new file mode 100644
index 000000000..28ed50fae
--- /dev/null
+++ b/roles/contiv/tasks/download_bins.yml
@@ -0,0 +1,27 @@
+---
+- name: Download Bins | Create directory for current Contiv release
+ file:
+ path: "{{ contiv_current_release_directory }}"
+ state: directory
+
+- name: Install bzip2
+ yum:
+ name: bzip2
+ state: installed
+
+- name: Download Bins | Download Contiv tar file
+ get_url:
+ url: "{{ contiv_download_url }}"
+ dest: "{{ contiv_current_release_directory }}"
+ mode: 0755
+ validate_certs: False
+ environment:
+ http_proxy: "{{ http_proxy|default('') }}"
+ https_proxy: "{{ https_proxy|default('') }}"
+ no_proxy: "{{ no_proxy|default('') }}"
+
+- name: Download Bins | Extract Contiv tar file
+ unarchive:
+ src: "{{ contiv_current_release_directory }}/netplugin-{{ contiv_version }}.tar.bz2"
+ dest: "{{ contiv_current_release_directory }}"
+ copy: no
diff --git a/roles/contiv/tasks/main.yml b/roles/contiv/tasks/main.yml
new file mode 100644
index 000000000..40a0f9e61
--- /dev/null
+++ b/roles/contiv/tasks/main.yml
@@ -0,0 +1,14 @@
+---
+- name: Ensure bin_dir exists
+ file:
+ path: "{{ bin_dir }}"
+ recurse: yes
+ state: directory
+
+- include: download_bins.yml
+
+- include: netmaster.yml
+ when: contiv_role == "netmaster"
+
+- include: netplugin.yml
+ when: contiv_role == "netplugin"
diff --git a/roles/contiv/tasks/netmaster.yml b/roles/contiv/tasks/netmaster.yml
new file mode 100644
index 000000000..5057767b8
--- /dev/null
+++ b/roles/contiv/tasks/netmaster.yml
@@ -0,0 +1,65 @@
+---
+- include: netmaster_firewalld.yml
+ when: has_firewalld
+
+- include: netmaster_iptables.yml
+ when: not has_firewalld and has_iptables
+
+- name: Netmaster | Check is /etc/hosts file exists
+ stat:
+ path: /etc/hosts
+ register: hosts
+
+- name: Netmaster | Create hosts file if it is not present
+ file:
+ path: /etc/hosts
+ state: touch
+ when: not hosts.stat.exists
+
+- name: Netmaster | Build hosts file
+ lineinfile:
+ dest: /etc/hosts
+ regexp: .*netmaster$
+ line: "{{ hostvars[item]['ansible_' + netmaster_interface].ipv4.address }} netmaster"
+ state: present
+ when: hostvars[item]['ansible_' + netmaster_interface].ipv4.address is defined
+ with_items: groups['masters']
+
+- name: Netmaster | Create netmaster symlinks
+ file:
+ src: "{{ contiv_current_release_directory }}/{{ item }}"
+ dest: "{{ bin_dir }}/{{ item }}"
+ state: link
+ with_items:
+ - netmaster
+ - netctl
+
+- name: Netmaster | Copy environment file for netmaster
+ template:
+ src: netmaster.env.j2
+ dest: /etc/default/netmaster
+ mode: 0644
+ notify: restart netmaster
+
+- name: Netmaster | Copy systemd units for netmaster
+ template:
+ src: netmaster.service
+ dest: /etc/systemd/system/netmaster.service
+ notify: reload systemd
+
+- name: Netmaster | Enable Netmaster
+ service:
+ name: netmaster
+ enabled: yes
+
+- name: Netmaster | Start Netmaster
+ service:
+ name: netmaster
+ state: started
+ register: netmaster_started
+
+- include: aci.yml
+ when: contiv_fabric_mode == "aci"
+
+- include: default_network.yml
+ when: contiv_default_network == true
diff --git a/roles/contiv/tasks/netmaster_firewalld.yml b/roles/contiv/tasks/netmaster_firewalld.yml
new file mode 100644
index 000000000..2975351ac
--- /dev/null
+++ b/roles/contiv/tasks/netmaster_firewalld.yml
@@ -0,0 +1,16 @@
+---
+- name: Netmaster Firewalld | Open Netmaster port
+ firewalld:
+ port: "{{ netmaster_port }}/tcp"
+ permanent: false
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+
+- name: Netmaster Firewalld | Save Netmaster port
+ firewalld:
+ port: "{{ netmaster_port }}/tcp"
+ permanent: true
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
diff --git a/roles/contiv/tasks/netmaster_iptables.yml b/roles/contiv/tasks/netmaster_iptables.yml
new file mode 100644
index 000000000..2d0fb95ae
--- /dev/null
+++ b/roles/contiv/tasks/netmaster_iptables.yml
@@ -0,0 +1,21 @@
+---
+- name: Netmaster IPtables | Get iptables rules
+ command: iptables -L --wait
+ register: iptablesrules
+ always_run: yes
+
+- name: Netmaster IPtables | Enable iptables at boot
+ service:
+ name: iptables
+ enabled: yes
+ state: started
+
+- name: Netmaster IPtables | Open Netmaster with iptables
+ command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv"
+ with_items:
+ - "{{ netmaster_port }}"
+ - "{{ contiv_rpc_port1 }}"
+ - "{{ contiv_rpc_port2 }}"
+ - "{{ contiv_rpc_port3 }}"
+ when: iptablesrules.stdout.find("contiv") == -1
+ notify: Save iptables rules
diff --git a/roles/contiv/tasks/netplugin.yml b/roles/contiv/tasks/netplugin.yml
new file mode 100644
index 000000000..ec6c72fe9
--- /dev/null
+++ b/roles/contiv/tasks/netplugin.yml
@@ -0,0 +1,121 @@
+---
+- include: netplugin_firewalld.yml
+ when: has_firewalld
+
+- include: netplugin_iptables.yml
+ when: has_iptables
+
+- name: Netplugin | Ensure localhost entry correct in /etc/hosts
+ lineinfile:
+ dest: /etc/hosts
+ regexp: '^127\.0\.0\.1.*'
+ line: '127.0.0.1 localhost {{ ansible_hostname }}'
+ state: present
+
+- name: Netplugin | Remove incorrect localhost entry in /etc/hosts
+ lineinfile:
+ dest: /etc/hosts
+ regexp: '^::1. localhost '
+ line: '::1 '
+ state: absent
+
+- include: ovs.yml
+ when: netplugin_driver == "ovs"
+
+- name: Netplugin | Create Netplugin bin symlink
+ file:
+ src: "{{ contiv_current_release_directory }}/netplugin"
+ dest: "{{ bin_dir }}/netplugin"
+ state: link
+
+
+- name: Netplugin | Ensure cni_bin_dir exists
+ file:
+ path: "{{ cni_bin_dir }}"
+ recurse: yes
+ state: directory
+
+- name: Netplugin | Create CNI bin symlink
+ file:
+ src: "{{ contiv_current_release_directory }}/contivk8s"
+ dest: "{{ cni_bin_dir }}/contivk8s"
+ state: link
+
+- name: Netplugin | Copy CNI loopback bin
+ copy:
+ src: loopback
+ dest: "{{ cni_bin_dir }}/loopback"
+ mode: 0755
+
+- name: Netplugin | Ensure kube_plugin_dir and cni/net.d directories exist
+ file:
+ path: "{{ item }}"
+ recurse: yes
+ state: directory
+ with_items:
+ - "{{ kube_plugin_dir }}"
+ - "/etc/cni/net.d"
+
+- name: Netplugin | Ensure contiv_config_dir exists
+ file:
+ path: "{{ contiv_config_dir }}"
+ recurse: yes
+ state: directory
+
+- name: Netplugin | Copy contiv_cni.conf file
+ copy:
+ src: contiv_cni.conf
+ dest: "{{ item }}"
+ with_items:
+ - "{{ kube_plugin_dir }}/contiv_cni.conf"
+ - "/etc/cni/net.d"
+# notify: restart kubelet
+
+- name: Netplugin | Setup contiv.json config for the cni plugin
+ template:
+ src: contiv.cfg.j2
+ dest: "{{ contiv_config_dir }}/contiv.json"
+ notify: restart netplugin
+
+- name: Netplugin | Copy environment file for netplugin
+ template:
+ src: netplugin.j2
+ dest: /etc/default/netplugin
+ mode: 0644
+ notify: restart netplugin
+
+- name: Docker | Make sure proxy setting exists
+ lineinfile:
+ dest: /etc/sysconfig/docker-network
+ regexp: '^https_proxy.*'
+ line: 'https_proxy={{ https_proxy }}'
+ state: present
+ register: docker_updated
+
+- name: Netplugin | Copy systemd unit for netplugin
+ template:
+ src: netplugin.service
+ dest: /etc/systemd/system/netplugin.service
+ notify: reload systemd
+
+- name: systemd reload
+ command: systemctl daemon-reload
+ when: docker_updated|changed
+
+- name: Docker | Restart docker
+ service:
+ name: docker
+ state: restarted
+ when: docker_updated|changed
+
+- name: Netplugin | Enable Netplugin
+ service:
+ name: netplugin
+ enabled: yes
+
+- name: Netplugin | Start Netplugin
+ service:
+ name: netplugin
+ state: started
+ register: netplugin_started
+# notify: restart kubelet
diff --git a/roles/contiv/tasks/netplugin_firewalld.yml b/roles/contiv/tasks/netplugin_firewalld.yml
new file mode 100644
index 000000000..3aeffae56
--- /dev/null
+++ b/roles/contiv/tasks/netplugin_firewalld.yml
@@ -0,0 +1,34 @@
+---
+- name: Netplugin Firewalld | Open Netplugin port
+ firewalld:
+ port: "{{ netplugin_port }}/tcp"
+ permanent: false
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+
+- name: Netplugin Firewalld | Save Netplugin port
+ firewalld:
+ port: "{{ netplugin_port }}/tcp"
+ permanent: true
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+
+- name: Netplugin Firewalld | Open vxlan port
+ firewalld:
+ port: "8472/udp"
+ permanent: false
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+ when: contiv_encap_mode == "vxlan"
+
+- name: Netplugin Firewalld | Save firewalld vxlan port for flanneld
+ firewalld:
+ port: "8472/udp"
+ permanent: true
+ state: enabled
+ # in case this is also a node where firewalld turned off
+ ignore_errors: yes
+ when: contiv_encap_mode == "vxlan"
diff --git a/roles/contiv/tasks/netplugin_iptables.yml b/roles/contiv/tasks/netplugin_iptables.yml
new file mode 100644
index 000000000..8c348ac67
--- /dev/null
+++ b/roles/contiv/tasks/netplugin_iptables.yml
@@ -0,0 +1,29 @@
+---
+- name: Netplugin IPtables | Get iptables rules
+ command: iptables -L --wait
+ register: iptablesrules
+ always_run: yes
+
+- name: Netplugin IPtables | Enable iptables at boot
+ service:
+ name: iptables
+ enabled: yes
+ state: started
+
+- name: Netplugin IPtables | Open Netmaster with iptables
+ command: /sbin/iptables -I INPUT 1 -p tcp --dport {{ item }} -j ACCEPT -m comment --comment "contiv"
+ with_items:
+ - "{{ netmaster_port }}"
+ - "{{ contiv_rpc_port1 }}"
+ - "{{ contiv_rpc_port2 }}"
+ - "{{ contiv_rpc_port3 }}"
+ - "{{ contiv_etcd_port }}"
+ - "{{ kube_master_api_port }}"
+ when: iptablesrules.stdout.find("contiv") == -1
+ notify: Save iptables rules
+
+- name: Netplugin IPtables | Open vxlan port with iptables
+ command: /sbin/iptables -I INPUT 1 -p udp --dport 8472 -j ACCEPT -m comment --comment "vxlan"
+
+- name: Netplugin IPtables | Open vxlan port with iptables
+ command: /sbin/iptables -I INPUT 1 -p udp --dport 4789 -j ACCEPT -m comment --comment "vxlan"
diff --git a/roles/contiv/tasks/ovs.yml b/roles/contiv/tasks/ovs.yml
new file mode 100644
index 000000000..0c1b994c7
--- /dev/null
+++ b/roles/contiv/tasks/ovs.yml
@@ -0,0 +1,28 @@
+---
+- include: packageManagerInstall.yml
+ when: source_type == "packageManager"
+ tags:
+ - binary-update
+
+- name: OVS | Configure selinux for ovs
+ command: "semanage permissive -a openvswitch_t"
+
+- name: OVS | Enable ovs
+ service:
+ name: openvswitch
+ enabled: yes
+
+- name: OVS | Start ovs
+ service:
+ name: openvswitch
+ state: started
+ register: ovs_started
+
+- name: OVS | Configure ovs
+ command: "ovs-vsctl set-manager {{ item }}"
+ with_items:
+ - "tcp:127.0.0.1:6640"
+ - "ptcp:6640"
+
+- name: OVS | Configure ovsdb-server
+ command: "ovs-appctl -t ovsdb-server ovsdb-server/add-remote ptcp:6640"
diff --git a/roles/contiv/tasks/packageManagerInstall.yml b/roles/contiv/tasks/packageManagerInstall.yml
new file mode 100644
index 000000000..2eff1b85f
--- /dev/null
+++ b/roles/contiv/tasks/packageManagerInstall.yml
@@ -0,0 +1,12 @@
+---
+- name: Package Manager | Init the did_install fact
+ set_fact:
+ did_install: false
+
+- include: pkgMgrInstallers/centos-install.yml
+ when: ansible_distribution == "CentOS" and not is_atomic
+
+- name: Package Manager | Set fact saying we did CentOS package install
+ set_fact:
+ did_install: true
+ when: ansible_distribution == "CentOS"
diff --git a/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml b/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml
new file mode 100644
index 000000000..51c3d35ac
--- /dev/null
+++ b/roles/contiv/tasks/pkgMgrInstallers/centos-install.yml
@@ -0,0 +1,33 @@
+---
+- name: PkgMgr CentOS | Install net-tools pkg for route
+ yum:
+ pkg=net-tools
+ state=latest
+
+- name: PkgMgr CentOS | Get openstack kilo rpm
+ get_url:
+ url: https://repos.fedorapeople.org/repos/openstack/openstack-kilo/rdo-release-kilo-2.noarch.rpm
+ dest: /tmp/rdo-release-kilo-2.noarch.rpm
+ validate_certs: False
+ environment:
+ http_proxy: "{{ http_proxy|default('') }}"
+ https_proxy: "{{ https_proxy|default('') }}"
+ no_proxy: "{{ no_proxy|default('') }}"
+ tags:
+ - ovs_install
+
+- name: PkgMgr CentOS | Install openstack kilo rpm
+ yum: name=/tmp/rdo-release-kilo-2.noarch.rpm state=present
+ tags:
+ - ovs_install
+
+- name: PkgMgr CentOS | Install ovs
+ yum:
+ pkg=openvswitch
+ state=latest
+ environment:
+ http_proxy: "{{ http_proxy|default('') }}"
+ https_proxy: "{{ https_proxy|default('') }}"
+ no_proxy: "{{ no_proxy|default('') }}"
+ tags:
+ - ovs_install
diff --git a/roles/contiv/templates/aci-gw.service b/roles/contiv/templates/aci-gw.service
new file mode 100644
index 000000000..8e4b66fbe
--- /dev/null
+++ b/roles/contiv/templates/aci-gw.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=Contiv ACI gw
+After=auditd.service systemd-user-sessions.service time-sync.target docker.service
+
+[Service]
+ExecStart={{ bin_dir }}/aci_gw.sh start
+ExecStop={{ bin_dir }}/aci_gw.sh stop
+KillMode=control-group
+Restart=on-failure
+RestartSec=10
diff --git a/roles/contiv/templates/aci_gw.j2 b/roles/contiv/templates/aci_gw.j2
new file mode 100644
index 000000000..ab4ad46a6
--- /dev/null
+++ b/roles/contiv/templates/aci_gw.j2
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+usage="$0 start"
+if [ $# -ne 1 ]; then
+ echo USAGE: $usage
+ exit 1
+fi
+
+case $1 in
+start)
+ set -e
+
+ docker run --net=host \
+ -e "APIC_URL={{ apic_url }}" \
+ -e "APIC_USERNAME={{ apic_username }}" \
+ -e "APIC_PASSWORD={{ apic_password }}" \
+ -e "APIC_LEAF_NODE={{ apic_leaf_nodes }}" \
+ -e "APIC_PHYS_DOMAIN={{ apic_phys_dom }}" \
+ -e "APIC_EPG_BRIDGE_DOMAIN={{ apic_epg_bridge_domain }}" \
+ -e "APIC_CONTRACTS_UNRESTRICTED_MODE={{ apic_contracts_unrestricted_mode }}" \
+ --name=contiv-aci-gw \
+ contiv/aci-gw
+ ;;
+
+stop)
+ # don't stop on error
+ docker stop contiv-aci-gw
+ docker rm contiv-aci-gw
+ ;;
+
+*)
+ echo USAGE: $usage
+ exit 1
+ ;;
+esac
diff --git a/roles/contiv/templates/contiv.cfg.j2 b/roles/contiv/templates/contiv.cfg.j2
new file mode 100644
index 000000000..2c9a666a9
--- /dev/null
+++ b/roles/contiv/templates/contiv.cfg.j2
@@ -0,0 +1,6 @@
+{
+ "K8S_API_SERVER": "https://{{ hostvars[groups['masters'][0]]['ansible_' + netmaster_interface].ipv4.address }}:{{ kube_master_api_port }}",
+ "K8S_CA": "{{ openshift.common.config_base }}/node/ca.crt",
+ "K8S_KEY": "{{ openshift.common.config_base }}/node/system:node:{{ openshift.common.hostname }}.key",
+ "K8S_CERT": "{{ openshift.common.config_base }}/node/system:node:{{ openshift.common.hostname }}.crt"
+}
diff --git a/roles/contiv/templates/netmaster.env.j2 b/roles/contiv/templates/netmaster.env.j2
new file mode 100644
index 000000000..5b5c84a2e
--- /dev/null
+++ b/roles/contiv/templates/netmaster.env.j2
@@ -0,0 +1,2 @@
+NETMASTER_ARGS='--cluster-store etcd://{{ etcd_url }} --cluster-mode=kubernetes'
+
diff --git a/roles/contiv/templates/netmaster.service b/roles/contiv/templates/netmaster.service
new file mode 100644
index 000000000..21c0380be
--- /dev/null
+++ b/roles/contiv/templates/netmaster.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Netmaster
+After=auditd.service systemd-user-sessions.service contiv-etcd.service
+
+[Service]
+EnvironmentFile=/etc/default/netmaster
+ExecStart={{ bin_dir }}/netmaster $NETMASTER_ARGS
+KillMode=control-group
diff --git a/roles/contiv/templates/netplugin.j2 b/roles/contiv/templates/netplugin.j2
new file mode 100644
index 000000000..f3d26c037
--- /dev/null
+++ b/roles/contiv/templates/netplugin.j2
@@ -0,0 +1,9 @@
+{% if contiv_encap_mode == "vlan" %}
+NETPLUGIN_ARGS='-vlan-if {{ netplugin_interface }} -ctrl-ip {{ netplugin_ctrl_ip }} -plugin-mode kubernetes -cluster-store etcd://{{ etcd_url }}'
+{% endif %}
+{# Note: Commenting out vxlan encap mode support until it is fully supported
+{% if contiv_encap_mode == "vxlan" %}
+NETPLUGIN_ARGS='-vtep-ip {{ netplugin_ctrl_ip }} -e {{contiv_encap_mode}} -ctrl-ip {{ netplugin_ctrl_ip }} -plugin-mode kubernetes -cluster-store etcd://{{ etcd_url }}'
+{% endif %}
+#}
+
diff --git a/roles/contiv/templates/netplugin.service b/roles/contiv/templates/netplugin.service
new file mode 100644
index 000000000..dc7b95bb5
--- /dev/null
+++ b/roles/contiv/templates/netplugin.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Netplugin
+After=auditd.service systemd-user-sessions.service contiv-etcd.service
+
+[Service]
+EnvironmentFile=/etc/default/netplugin
+ExecStart={{ bin_dir }}/netplugin $NETPLUGIN_ARGS
+KillMode=control-group