summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml1
-rw-r--r--roles/openshift_common/meta/main.yml1
-rw-r--r--roles/openshift_manageiq/tasks/main.yaml10
-rw-r--r--roles/openshift_manageiq/vars/main.yml3
-rw-r--r--roles/openshift_master/defaults/main.yml36
-rw-r--r--roles/openshift_master/meta/main.yml22
-rw-r--r--roles/openshift_node/meta/main.yml1
-rw-r--r--roles/openshift_node/tasks/main.yml11
-rwxr-xr-xroles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh17
9 files changed, 58 insertions, 44 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml
index 3fd97ac14..12e2edfb9 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml
@@ -10,6 +10,7 @@
router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) | replace ( '${version}', 'v' + g_new_version ) }}"
oc_cmd: "{{ openshift.common.client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig"
roles:
+ - openshift_manageiq
# Create the new templates shipped in 3.2, existing templates are left
# unmodified. This prevents the subsequent role definition for
# openshift_examples from failing when trying to replace templates that do
diff --git a/roles/openshift_common/meta/main.yml b/roles/openshift_common/meta/main.yml
index 02150406d..f1cf3e161 100644
--- a/roles/openshift_common/meta/main.yml
+++ b/roles/openshift_common/meta/main.yml
@@ -12,6 +12,5 @@ galaxy_info:
categories:
- cloud
dependencies:
-- role: os_firewall
- role: openshift_facts
- role: openshift_repos
diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index 2a651df65..de0a7000e 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
@@ -59,6 +59,16 @@
failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0"
changed_when: osmiq_perm_task.rc == 0
+- name: Configure 3_2 role/user permissions
+ command: >
+ {{ openshift.common.admin_binary }} {{item}}
+ --config={{manage_iq_tmp_conf}}
+ with_items: "{{manage_iq_openshift_3_2_tasks}}"
+ register: osmiq_perm_3_2_task
+ failed_when: osmiq_perm_3_2_task.rc != 0
+ changed_when: osmiq_perm_3_2_task.rc == 0
+ when: openshift.common.version_gte_3_2_or_1_2 | bool
+
- name: Clean temporary configuration file
command: >
rm -f {{manage_iq_tmp_conf}}
diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml
index 69ee2cb4c..b2aed79c7 100644
--- a/roles/openshift_manageiq/vars/main.yml
+++ b/roles/openshift_manageiq/vars/main.yml
@@ -30,3 +30,6 @@ manage_iq_tasks:
- policy add-scc-to-user privileged system:serviceaccount:management-infra:management-admin
- policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin
- policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin
+
+manage_iq_openshift_3_2_tasks:
+ - policy add-cluster-role-to-user system:image-auditor system:serviceaccount:management-infra:management-admin
diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml
index 16df984f9..dbd62c80f 100644
--- a/roles/openshift_master/defaults/main.yml
+++ b/roles/openshift_master/defaults/main.yml
@@ -1,40 +1,4 @@
---
openshift_node_ips: []
-
# TODO: update setting these values based on the facts
-os_firewall_allow:
-- service: etcd embedded
- port: 4001/tcp
-- service: api server https
- port: "{{ openshift.master.api_port }}/tcp"
-- service: api controllers https
- port: "{{ openshift.master.controllers_port }}/tcp"
-- service: skydns tcp
- port: "{{ openshift.master.dns_port }}/tcp"
-- service: skydns udp
- port: "{{ openshift.master.dns_port }}/udp"
-# On HA masters version_gte facts are not properly set so open port 53
-# whenever we're not certain of the need
-- service: legacy skydns tcp
- port: "53/tcp"
- when: "{{ 'version' not in openshift.common or openshift.common.version == None }}"
-- service: legacy skydns udp
- port: "53/udp"
- when: "{{ 'version' not in openshift.common or openshift.common.version == None }}"
-- service: Fluentd td-agent tcp
- port: 24224/tcp
-- service: Fluentd td-agent udp
- port: 24224/udp
-- service: pcsd
- port: 2224/tcp
-- service: Corosync UDP
- port: 5404/udp
-- service: Corosync UDP
- port: 5405/udp
-os_firewall_deny:
-- service: api server http
- port: 8080/tcp
-- service: former etcd peer port
- port: 7001/tcp
-
openshift_version: "{{ openshift_pkg_version | default(openshift_image_tag | default(openshift.docker.openshift_image_tag | default(''))) }}"
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index e882e0b8b..d8834d27f 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -18,3 +18,25 @@ dependencies:
- role: openshift_builddefaults
- role: openshift_master_facts
- role: openshift_hosted_facts
+- role: os_firewall
+ os_firewall_allow:
+ - service: etcd embedded
+ port: 4001/tcp
+ - service: api server https
+ port: "{{ openshift.master.api_port }}/tcp"
+ - service: api controllers https
+ port: "{{ openshift.master.controllers_port }}/tcp"
+ - service: skydns tcp
+ port: "{{ openshift.master.dns_port }}/tcp"
+ - service: skydns udp
+ port: "{{ openshift.master.dns_port }}/udp"
+ - service: Fluentd td-agent tcp
+ port: 24224/tcp
+ - service: Fluentd td-agent udp
+ port: 24224/udp
+ - service: pcsd
+ port: 2224/tcp
+ - service: Corosync UDP
+ port: 5404/udp
+ - service: Corosync UDP
+ port: 5405/udp
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index ca0c332ea..db1776632 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -17,4 +17,5 @@ dependencies:
- role: openshift_common
- role: openshift_node_dnsmasq
when: openshift.common.use_dnsmasq
+- role: os_firewall
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 06fde88af..be70a170d 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -112,6 +112,17 @@
- name: Start and enable node
service: name={{ openshift.common.service_type }}-node enabled=yes state=started
register: node_start_result
+ ignore_errors: yes
+
+- name: Check logs on failure
+ command: journalctl -xe
+ register: node_failure
+ when: node_start_result | failed
+
+- name: Dump failure information
+ debug: var=node_failure
+ when: node_start_result | failed
+
- set_fact:
node_service_status_changed: "{{ node_start_result | changed }}"
diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
index 691fa32f3..09bae1777 100755
--- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
+++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh
@@ -8,10 +8,12 @@
# a pod would fail.
#
# To use this,
-# Drop this script in /etc/NetworkManager/dispatcher.d/
-# systemctl restart NetworkManager
-# Configure node-config.yaml to set dnsIP: to the ip address of this
-# node
+# - If this host is also a master, reconfigure master dnsConfig to listen on
+# 8053 to avoid conflicts on port 53 and open port 8053 in the firewall
+# - Drop this script in /etc/NetworkManager/dispatcher.d/
+# - systemctl restart NetworkManager
+# - Configure node-config.yaml to set dnsIP: to the ip address of this
+# node
#
# Test it:
# host kubernetes.default.svc.cluster.local
@@ -31,7 +33,8 @@ if [[ $2 =~ ^(up|dhcp4-change)$ ]]; then
def_route=$(/sbin/ip route list match 0.0.0.0/0 | awk '{print $3 }')
def_route_int=$(/sbin/ip route get to ${def_route} | awk '{print $3}')
def_route_ip=$(/sbin/ip route get to ${def_route} | awk '{print $5}')
- if [[ ${DEVICE_IFACE} == ${def_route_int} ]]; then
+ if [[ ${DEVICE_IFACE} == ${def_route_int} && \
+ -n "${IP4_NAMESERVERS}" ]]; then
if [ ! -f /etc/dnsmasq.d/origin-dns.conf ]; then
cat << EOF > /etc/dnsmasq.d/origin-dns.conf
strict-order
@@ -42,8 +45,8 @@ server=/30.172.in-addr.arpa/172.30.0.1
EOF
fi
# zero out our upstream servers list and feed it into dnsmasq
- echo '' > /etc/dnsmasq.d/origin-upstream-dns.conf
- for ns in ${DHCP4_DOMAIN_NAME_SERVERS}; do
+ echo -n > /etc/dnsmasq.d/origin-upstream-dns.conf
+ for ns in ${IP4_NAMESERVERS}; do
echo "server=${ns}" >> /etc/dnsmasq.d/origin-upstream-dns.conf
done
systemctl restart dnsmasq