diff options
-rw-r--r-- | playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml | 1 | ||||
-rw-r--r-- | roles/openshift_common/meta/main.yml | 1 | ||||
-rw-r--r-- | roles/openshift_manageiq/tasks/main.yaml | 10 | ||||
-rw-r--r-- | roles/openshift_manageiq/vars/main.yml | 3 | ||||
-rw-r--r-- | roles/openshift_master/defaults/main.yml | 36 | ||||
-rw-r--r-- | roles/openshift_master/meta/main.yml | 22 | ||||
-rw-r--r-- | roles/openshift_node/meta/main.yml | 1 | ||||
-rw-r--r-- | roles/openshift_node/tasks/main.yml | 11 | ||||
-rwxr-xr-x | roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh | 17 |
9 files changed, 58 insertions, 44 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml index 3fd97ac14..12e2edfb9 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml @@ -10,6 +10,7 @@ router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) | replace ( '${version}', 'v' + g_new_version ) }}" oc_cmd: "{{ openshift.common.client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig" roles: + - openshift_manageiq # Create the new templates shipped in 3.2, existing templates are left # unmodified. This prevents the subsequent role definition for # openshift_examples from failing when trying to replace templates that do diff --git a/roles/openshift_common/meta/main.yml b/roles/openshift_common/meta/main.yml index 02150406d..f1cf3e161 100644 --- a/roles/openshift_common/meta/main.yml +++ b/roles/openshift_common/meta/main.yml @@ -12,6 +12,5 @@ galaxy_info: categories: - cloud dependencies: -- role: os_firewall - role: openshift_facts - role: openshift_repos diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml index 2a651df65..de0a7000e 100644 --- a/roles/openshift_manageiq/tasks/main.yaml +++ b/roles/openshift_manageiq/tasks/main.yaml @@ -59,6 +59,16 @@ failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0" changed_when: osmiq_perm_task.rc == 0 +- name: Configure 3_2 role/user permissions + command: > + {{ openshift.common.admin_binary }} {{item}} + --config={{manage_iq_tmp_conf}} + with_items: "{{manage_iq_openshift_3_2_tasks}}" + register: osmiq_perm_3_2_task + failed_when: osmiq_perm_3_2_task.rc != 0 + changed_when: osmiq_perm_3_2_task.rc == 0 + when: openshift.common.version_gte_3_2_or_1_2 | bool + - name: Clean temporary configuration file command: > rm -f {{manage_iq_tmp_conf}} diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml index 69ee2cb4c..b2aed79c7 100644 --- a/roles/openshift_manageiq/vars/main.yml +++ b/roles/openshift_manageiq/vars/main.yml @@ -30,3 +30,6 @@ manage_iq_tasks: - policy add-scc-to-user privileged system:serviceaccount:management-infra:management-admin - policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin - policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin + +manage_iq_openshift_3_2_tasks: + - policy add-cluster-role-to-user system:image-auditor system:serviceaccount:management-infra:management-admin diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index 16df984f9..dbd62c80f 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -1,40 +1,4 @@ --- openshift_node_ips: [] - # TODO: update setting these values based on the facts -os_firewall_allow: -- service: etcd embedded - port: 4001/tcp -- service: api server https - port: "{{ openshift.master.api_port }}/tcp" -- service: api controllers https - port: "{{ openshift.master.controllers_port }}/tcp" -- service: skydns tcp - port: "{{ openshift.master.dns_port }}/tcp" -- service: skydns udp - port: "{{ openshift.master.dns_port }}/udp" -# On HA masters version_gte facts are not properly set so open port 53 -# whenever we're not certain of the need -- service: legacy skydns tcp - port: "53/tcp" - when: "{{ 'version' not in openshift.common or openshift.common.version == None }}" -- service: legacy skydns udp - port: "53/udp" - when: "{{ 'version' not in openshift.common or openshift.common.version == None }}" -- service: Fluentd td-agent tcp - port: 24224/tcp -- service: Fluentd td-agent udp - port: 24224/udp -- service: pcsd - port: 2224/tcp -- service: Corosync UDP - port: 5404/udp -- service: Corosync UDP - port: 5405/udp -os_firewall_deny: -- service: api server http - port: 8080/tcp -- service: former etcd peer port - port: 7001/tcp - openshift_version: "{{ openshift_pkg_version | default(openshift_image_tag | default(openshift.docker.openshift_image_tag | default(''))) }}" diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index e882e0b8b..d8834d27f 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml @@ -18,3 +18,25 @@ dependencies: - role: openshift_builddefaults - role: openshift_master_facts - role: openshift_hosted_facts +- role: os_firewall + os_firewall_allow: + - service: etcd embedded + port: 4001/tcp + - service: api server https + port: "{{ openshift.master.api_port }}/tcp" + - service: api controllers https + port: "{{ openshift.master.controllers_port }}/tcp" + - service: skydns tcp + port: "{{ openshift.master.dns_port }}/tcp" + - service: skydns udp + port: "{{ openshift.master.dns_port }}/udp" + - service: Fluentd td-agent tcp + port: 24224/tcp + - service: Fluentd td-agent udp + port: 24224/udp + - service: pcsd + port: 2224/tcp + - service: Corosync UDP + port: 5404/udp + - service: Corosync UDP + port: 5405/udp diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index ca0c332ea..db1776632 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml @@ -17,4 +17,5 @@ dependencies: - role: openshift_common - role: openshift_node_dnsmasq when: openshift.common.use_dnsmasq +- role: os_firewall diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 06fde88af..be70a170d 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -112,6 +112,17 @@ - name: Start and enable node service: name={{ openshift.common.service_type }}-node enabled=yes state=started register: node_start_result + ignore_errors: yes + +- name: Check logs on failure + command: journalctl -xe + register: node_failure + when: node_start_result | failed + +- name: Dump failure information + debug: var=node_failure + when: node_start_result | failed + - set_fact: node_service_status_changed: "{{ node_start_result | changed }}" diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh index 691fa32f3..09bae1777 100755 --- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh +++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh @@ -8,10 +8,12 @@ # a pod would fail. # # To use this, -# Drop this script in /etc/NetworkManager/dispatcher.d/ -# systemctl restart NetworkManager -# Configure node-config.yaml to set dnsIP: to the ip address of this -# node +# - If this host is also a master, reconfigure master dnsConfig to listen on +# 8053 to avoid conflicts on port 53 and open port 8053 in the firewall +# - Drop this script in /etc/NetworkManager/dispatcher.d/ +# - systemctl restart NetworkManager +# - Configure node-config.yaml to set dnsIP: to the ip address of this +# node # # Test it: # host kubernetes.default.svc.cluster.local @@ -31,7 +33,8 @@ if [[ $2 =~ ^(up|dhcp4-change)$ ]]; then def_route=$(/sbin/ip route list match 0.0.0.0/0 | awk '{print $3 }') def_route_int=$(/sbin/ip route get to ${def_route} | awk '{print $3}') def_route_ip=$(/sbin/ip route get to ${def_route} | awk '{print $5}') - if [[ ${DEVICE_IFACE} == ${def_route_int} ]]; then + if [[ ${DEVICE_IFACE} == ${def_route_int} && \ + -n "${IP4_NAMESERVERS}" ]]; then if [ ! -f /etc/dnsmasq.d/origin-dns.conf ]; then cat << EOF > /etc/dnsmasq.d/origin-dns.conf strict-order @@ -42,8 +45,8 @@ server=/30.172.in-addr.arpa/172.30.0.1 EOF fi # zero out our upstream servers list and feed it into dnsmasq - echo '' > /etc/dnsmasq.d/origin-upstream-dns.conf - for ns in ${DHCP4_DOMAIN_NAME_SERVERS}; do + echo -n > /etc/dnsmasq.d/origin-upstream-dns.conf + for ns in ${IP4_NAMESERVERS}; do echo "server=${ns}" >> /etc/dnsmasq.d/origin-upstream-dns.conf done systemctl restart dnsmasq |