25 files changed, 545 insertions, 433 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index bde176e44..efc0cbe26 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.4.17-1 ./ +3.5.0-1 ./ diff --git a/.tito/releasers.conf b/.tito/releasers.conf index daa350cf6..032212b24 100644 --- a/.tito/releasers.conf +++ b/.tito/releasers.conf @@ -27,6 +27,12 @@ releaser = tito.release.DistGitReleaser branches = rhaos-3.4-rhel-7 srpm_disttag = .el7aos +[aos-3.5] +releaser = tito.release.DistGitReleaser +branches = rhaos-3.5-rhel-7 +srpm_disttag = .el7aos + + [copr-openshift-ansible] releaser = tito.release.CoprReleaser project_name = @OpenShiftOnlineOps/openshift-ansible diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 4961d23ef..665ede1cb 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -5,7 +5,7 @@ } Name: openshift-ansible -Version: 3.4.17 +Version: 3.5.0 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 
@@ -249,6 +249,233 @@ Atomic OpenShift Utilities includes %changelog +* Mon Jan 09 2017 Scott Dodson <sdodson@redhat.com> 3.5.0-1 +- Update manpage version. (tbielawa@redhat.com) +- Fix openshift_image_tag=latest. (abutcher@redhat.com) +- Use registry.access.redhat.com/rhel7/etcd instead of etcd3 + (sdodson@redhat.com) +- Fix repo defaults (sdodson@redhat.com) +- Use openshift.common.hostname when verifying API port available. + (abutcher@redhat.com) +- Re-add when condition which was removed mistakenly in #3036 + (maszulik@redhat.com) +- logging-deployer pull fixes from origin-aggregated-logging/#317 + (sdodson@redhat.com) +- Don't upgrade etcd on atomic host, ever. (sdodson@redhat.com) +- Change wording in the quick installer callback plugin (tbielawa@redhat.com) +- Fix jsonpath expected output when checking registry volume secrets + (maszulik@redhat.com) +- Enable repos defined in openshift_additional_repos by default + (sdodson@redhat.com) +- Add required python-six package to installation (tbielawa@redhat.com) +- Hush the sudo privs check in oo-installer (tbielawa@redhat.com) +- Add future versions to openshift_facts (ccoleman@redhat.com) +- Cast openshift_enable_origin_repo to bool. (abutcher@redhat.com) +- Update CFME template to point to GA build (simaishi@redhat.com) +- Update aoi manpage with correct operation count (tbielawa@redhat.com) +- Add templates for CFME Beta pod images (simaishi@redhat.com) +- Add osnl_volume_reclaim_policy variable to nfs_lvm role + (ando.roots@bigbank.ee) +- remove duplicate filter name and oo_pdb (jdetiber@redhat.com) +- remove old Ops tooling (jdetiber@redhat.com) +- enable pip cache for travis (jdetiber@redhat.com) +- python3 support, add tox for better local testing against multiple python + versions (jdetiber@redhat.com) +- modify_yaml: handle None value during update. 
(abutcher@redhat.com) +- Update the openshift-certificate-expiry README to reflect latest changes + (tbielawa@redhat.com) +- Deprecate node 'evacuation' with 'drain' (tbielawa@redhat.com) +- Add master config hook for 3.4 upgrade and fix facts ordering for config hook + run. (abutcher@redhat.com) +- The next registry.access.redhat.com/rhel7/etcd image will be 3.0.15 + (sdodson@redhat.com) +- [uninstall] Remove excluder packages (sdodson@redhat.com) +- Check embedded etcd certs now, too (tbielawa@redhat.com) +- Include 'total' and 'ok' in check results (tbielawa@redhat.com) +- Enable firewalld by default (rteague@redhat.com) +- Fix access_modes initialization (luis.fernandezalvarez@epfl.ch) +- Updated OpenShift Master iptables rules (rteague@redhat.com) +- YAML Linting (rteague@redhat.com) +- Make both backup and upgrade optional (sdodson@redhat.com) +- [upgrades] Upgrade etcd by default (sdodson@redhat.com) +- upgrades - Fix logic error about when to backup etcd (sdodson@redhat.com) +- Limit node certificate SAN to node hostnames/ips. (abutcher@redhat.com) +- Make 'cover-erase' a config file setting. Move VENT target to pre-req for all + ci-* targets (tbielawa@redhat.com) +- Fixes to 'make ci' (tbielawa@redhat.com) +- Resolved lint issues (rteague@redhat.com) +- Minimum Ansible version check (rteague@redhat.com) +- Removed verify_ansible_version playbook refs (rteague@redhat.com) +- Fix coverage not appending new data (tbielawa@redhat.com) +- Drop 3.2 upgrade playbooks. 
(dgoodwin@redhat.com) +- Silence warnings when using rpm directly (dag@wieers.com) +- Silence warnings when using rpm directly (dag@wieers.com) +- Silence warnings when using rpm directly (dag@wieers.com) +- Remove Hostname from 1.1 and 1.2 predicates (jdetiber@redhat.com) +- Properly handle x.y.z formatted versions for openshift_release + (jdetiber@redhat.com) +- etcd_upgrade: Simplify package installation (sdodson@redhat.com) +- Speed up 'make ci' and trim the output (tbielawa@redhat.com) +- add comments and remove debug code (jdetiber@redhat.com) +- Pre-pull master/node/ovs images during upgrade. (dgoodwin@redhat.com) +- Handle updating of scheduler config during upgrade (jdetiber@redhat.com) +- Fix templating (jdetiber@redhat.com) +- test updates (jdetiber@redhat.com) +- Always install latest etcd for containerized hosts (sdodson@redhat.com) +- etcd_upgrade : Use different variables for rpm vs container versions + (sdodson@redhat.com) +- Switch back to using etcd rather than etcd3 (sdodson@redhat.com) +- node_dnsmasq - restart dnsmasq if it's not currently running + (sdodson@redhat.com) +- Conditionalize master config update for admission_plugin_config. + (abutcher@redhat.com) +- upgrade_control_plane.yml: systemd_units.yaml nees the master facts + (mchappel@redhat.com) +- openshift-master/restart : use openshift.common.hostname instead of + inventory_hostname (mchappel@redhat.com) +- Update scheduler predicate/priorities vars (jdetiber@redhat.com) +- fix tags (jdetiber@redhat.com) +- openshift_node_dnsmasq - Remove strict-order option from dnsmasq + (sdodson@redhat.com) +- Fix metricsPublicURL only being set correctly on first master. + (dgoodwin@redhat.com) +- Explictly set etcd vars for byo scaleup (smunilla@redhat.com) +- Cleanup ovs file and restart docker on every upgrade. 
(dgoodwin@redhat.com) +- Sync latest image stream and templates for v1.3 and v1.4 (sdodson@redhat.com) +- xpaas v1.3.5 (sdodson@redhat.com) +- Ansible version check update (tbielawa@redhat.com) +- allow 'latest' origin_image_tag (sjenning@redhat.com) +- Remove duplicate when key (rteague@redhat.com) +- refactor handling of scheduler defaults (jdetiber@redhat.com) +- update tests and flake8/pylint fixes (jdetiber@redhat.com) +- fix tagging (jdetiber@redhat.com) +- do not report changed for group mapping (jdetiber@redhat.com) +- fix selinux issues with etcd container (dusty@dustymabe.com) +- etcd upgrade playbook is not currently applicable to embedded etcd installs + (sdodson@redhat.com) +- Fix invalid embedded etcd fact in etcd upgrade playbook. + (dgoodwin@redhat.com) +- Gracefully handle OpenSSL module absence (misc@redhat.com) +- Refactored to use Ansible systemd module (rteague@redhat.com) +- Updating docs for Ansible 2.2 requirements (rteague@redhat.com) +- Fix the list done after cluster creation on libvirt and OpenStack + (lhuard@amadeus.com) +- Set nameservers on DHCPv6 event (alexandre.lossent@cern.ch) +- Systemd `systemctl show` workaround (rteague@redhat.com) +- Verify the presence of dbus python binding (misc@redhat.com) +- Update README.md (jf.cron0@gmail.com) +- Reference master binaries when delegating from node hosts which may be + containerized. (abutcher@redhat.com) +- Merge kube_admission_plugin_config with admission_plugin_config + (smunilla@redhat.com) +- Added a BYO playbook for configuring NetworkManager on nodes + (skuznets@redhat.com) +- Make the role work on F25 Cloud (misc@redhat.com) +- Make os_firewall_manage_iptables run on python3 (misc@redhat.com) +- Modified the error message being checked for (vishal.patil@nuagenetworks.net) +- Only run tuned-adm if tuned exists. (dusty@dustymabe.com) +- Delegate openshift_manage_node tasks to master host. (abutcher@redhat.com) +- Fix rare failure to deploy new registry/router after upgrade. 
+ (dgoodwin@redhat.com) +- Refactor os_firewall role (rteague@redhat.com) +- Allow ansible to continue when a node is unaccessible or fails. + (abutcher@redhat.com) +- Create the file in two passes, atomicly copy it over (sdodson@redhat.com) +- Escape LOGNAME variable according to GCE rules (jacek.suchenia@ocado.com) +- node_dnsmasq -- Set dnsmasq as our only nameserver (sdodson@redhat.com) +- Refactor to use Ansible package module (rteague@redhat.com) +- Allow users to disable the origin repo creation (sdodson@redhat.com) +- Fix yum/subman version check on Atomic. (dgoodwin@redhat.com) +- Check for bad versions of yum and subscription-manager. (dgoodwin@redhat.com) +- Corrected syntax and typos (rteague@redhat.com) +- Fix GCE cluster creation (lhuard@amadeus.com) +- Optimize the cloud-specific list.yml playbooks (lhuard@amadeus.com) +- Added ip forwarding for nuage (vishal.patil@nuagenetworks.net) +- Fix typo (sdodson@redhat.com) +- Fix a few places where we're not specifying the admin kubeconfig + (sdodson@redhat.com) +- Add rolebinding-reader (sdodson@redhat.com) +- Add view permissions to hawkular sa (sdodson@redhat.com) +- Use multiple '-v's when creating the metrics deployer command + (tbielawa@redhat.com) +- Sync logging deployer changes from origin to enterprise (sdodson@redhat.com) +- Docker daemon is started prematurely. (eric.mountain@amadeus.com) +- Sync latest enterprise/metrics-deployer.yaml (sdodson@redhat.com) +- Sync latest s2i content (sdodson@redhat.com) +- Actually upgrade host etcdctl no matter what (sdodson@redhat.com) +- Make etcd containerized upgrade stepwise (sdodson@redhat.com) +- Fix commit-offsets in version detection for containerized installs + (tbielawa@redhat.com) +- Fix HA upgrade when fact cache deleted. (dgoodwin@redhat.com) +- Fix openshift_hosted_metrics_deployer_version set_fact. 
(abutcher@redhat.com) +- Added dependency of os_firewall to docker role (rteague@redhat.com) +- Add updates for containerized (sdodson@redhat.com) +- Add etcd upgrade for RHEL and Fedora (sdodson@redhat.com) +- Drop /etc/profile.d/etcdctl.sh (sdodson@redhat.com) +- Move backups to a separate file for re-use (sdodson@redhat.com) +- Uninstall etcd3 package (sdodson@redhat.com) +- Resolve docker and iptables service dependencies (rteague@redhat.com) +- Add Travis integration (rhcarvalho@gmail.com) +- Default groups.oo_etcd_to_config when setting embedded_etcd in control plane + upgrade. (abutcher@redhat.com) +- Enable quiet output for all a-o-i commands (tbielawa@redhat.com) +- Update override cluster_hostname (smunilla@redhat.com) +- Reconcile role bindings for jenkins pipeline during upgrade. + (dgoodwin@redhat.com) +- Fix typos in openshift_facts gce cloud provider (sdodson@redhat.com) +- Don't upgrade etcd on backup operations (sdodson@redhat.com) +- Bump ansible requirement to 2.2.0.0-1 (GA) (sdodson@redhat.com) +- Fix etcd backup failure due to corrupted facts. (dgoodwin@redhat.com) +- Re-sync v1.4 image streams (andrew@andrewklau.com) +- Revert "Revert openshift.node.nodename changes" (sdodson@redhat.com) +- Change to allow cni deployments without openshift SDN (yfauser@vmware.com) +- README: fix markdown formatting (rhcarvalho@gmail.com) +- Create contribution guide (rhcarvalho@gmail.com) +- Remove README_AEP.md (rhcarvalho@gmail.com) +- Install flannel RPM on containerized but not atomic (sdodson@redhat.com) +- README: move structure overview to the top (rhcarvalho@gmail.com) +- README: cleanup setup steps (rhcarvalho@gmail.com) +- README: remove OSX setup requirements (rhcarvalho@gmail.com) +- Add missing symlink for node openvswitch oom fix. 
(dgoodwin@redhat.com) +- README: improve first paragraph (rhcarvalho@gmail.com) +- README: add links, fix typos (rhcarvalho@gmail.com) +- README: improve markdown formatting (rhcarvalho@gmail.com) +- Make it easier to run Python tests (rhcarvalho@gmail.com) +- FIx flannel var name (jprovazn@redhat.com) +- Always add local dns domain to no_proxy (jawed.khelil@amadeus.com) +- Refactor default sdn_cluster_network_cidr and sdn_host_subnet_length + (sdodson@redhat.com) +- Revert "Fix the nodeName of the OpenShift nodes on OpenStack" + (sdodson@redhat.com) +- Revert "Fix OpenStack cloud provider" (sdodson@redhat.com) +- Revert "Check that OpenStack hostnames are resolvable" (sdodson@redhat.com) +- set AWS creds task with no_logs (somalley@redhat.com) +- Change the logic to just compare against masters and nodes. + (tbielawa@redhat.com) +- Append /inventory/README.md to explain what is BYO inventory folder #2742 + (contact@stephane-klein.info) +- Remove unused openshift-ansible/inventory/hosts file #2740 (contact@stephane- + klein.info) +- Remove unused playbooks adhoc metrics_setup files #2717 (contact@stephane- + klein.info) +- a-o-i: remove dummy data_file (rhcarvalho@gmail.com) +- a-o-i: remove script leftover from OpenShift v2 (rhcarvalho@gmail.com) +- [openstack] allows timeout option for heat create stack + (douglaskippsmith@gmail.com) +- [openstack] updates documentation to show that you need to install shade + (douglaskippsmith@gmail.com) +- default to multizone GCE config (sjenning@redhat.com) +- Add some tests for utils to get the coverage up. (tbielawa@redhat.com) +- Update defaults for clusterNetworkCIDR & hostSubnetLength + (smunilla@redhat.com) +- Add hawkular admin cluster role to management admin (fsimonce@redhat.com) +- Prevent useless master by reworking template for master service enf file + (jkhelil@gmail.com) +- support 3rd party scheduler (jannleno1@gmail.com) +- Add nuage rest server port to haproxy firewall rules. 
(abutcher@redhat.com) +- Port openshift_facts to py3 (misc@redhat.com) +- storage/nfs_lvm: Also export as ReadWriteOnce (walters@verbum.org) + * Fri Nov 04 2016 Scott Dodson <sdodson@redhat.com> 3.4.17-1 - Fix indentation for flannel etcd vars (smunilla@redhat.com) - Update hosted_templates (sdodson@redhat.com) diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml index b9966e715..f0cfa7f55 100644 --- a/playbooks/adhoc/uninstall.yml +++ b/playbooks/adhoc/uninstall.yml @@ -75,6 +75,10 @@ - hosts: nodes become: yes + vars: + node_dirs: + - "/etc/origin" + - "/var/lib/origin" tasks: - name: unmask services command: systemctl unmask "{{ item }}" 
@@ -83,63 +87,66 @@ with_items: - firewalld - - name: Remove packages - package: name={{ item }} state=absent - when: not is_atomic | bool - with_items: - - atomic-enterprise - - atomic-enterprise-node - - atomic-enterprise-sdn-ovs - - atomic-openshift - - atomic-openshift-clients - - atomic-openshift-excluder - - atomic-openshift-docker-excluder - - atomic-openshift-node - - atomic-openshift-sdn-ovs - - cockpit-bridge - - cockpit-docker - - cockpit-shell - - cockpit-ws - - kubernetes-client - - openshift - - openshift-node - - openshift-sdn - - openshift-sdn-ovs - - openvswitch - - origin - - origin-excluder - - origin-docker-excluder - - origin-clients - - origin-node - - origin-sdn-ovs - - tuned-profiles-atomic-enterprise-node - - tuned-profiles-atomic-openshift-node - - tuned-profiles-openshift-node - - tuned-profiles-origin-node - - - name: Remove flannel package - package: name=flannel state=absent - when: openshift_use_flannel | default(false) | bool and not is_atomic | bool - - - shell: systemctl reset-failed - changed_when: False - - - shell: systemctl daemon-reload - changed_when: False - - - name: Remove br0 interface - shell: ovs-vsctl del-br br0 - changed_when: False - failed_when: False - - - name: Remove linux interfaces - shell: ip link del "{{ item }}" - changed_when: False - failed_when: False - with_items: - - lbr0 - - vlinuxbr - - vovsbr + - block: + - block: + - name: Remove packages + package: name={{ item }} state=absent + with_items: + - atomic-enterprise + - atomic-enterprise-node + - atomic-enterprise-sdn-ovs + - atomic-openshift + - atomic-openshift-clients + - atomic-openshift-excluder + - atomic-openshift-docker-excluder + - atomic-openshift-node + - atomic-openshift-sdn-ovs + - cockpit-bridge + - cockpit-docker + - cockpit-shell + - cockpit-ws + - kubernetes-client + - openshift + - openshift-node + - openshift-sdn + - openshift-sdn-ovs + - openvswitch + - origin + - origin-excluder + - origin-docker-excluder + - origin-clients + - 
origin-node + - origin-sdn-ovs + - tuned-profiles-atomic-enterprise-node + - tuned-profiles-atomic-openshift-node + - tuned-profiles-openshift-node + - tuned-profiles-origin-node + + - name: Remove flannel package + package: name=flannel state=absent + when: openshift_use_flannel | default(false) | bool + when: "{{ not is_atomic | bool }}" + + - shell: systemctl reset-failed + changed_when: False + + - shell: systemctl daemon-reload + changed_when: False + + - name: Remove br0 interface + shell: ovs-vsctl del-br br0 + changed_when: False + failed_when: False + + - name: Remove linux interfaces + shell: ip link del "{{ item }}" + changed_when: False + failed_when: False + with_items: + - lbr0 + - vlinuxbr + - vovsbr + when: "{{ openshift_remove_all | default(true) | bool }}" - shell: find /var/lib/origin/openshift.local.volumes -type d -exec umount {} \; 2>/dev/null || true changed_when: False 
@@ -176,28 +183,57 @@ failed_when: False with_items: "{{ exited_containers_to_delete.results }}" - - shell: docker images | egrep {{ item }} | awk '{ print $3 }' - changed_when: False - failed_when: False - register: images_to_delete + - block: + - block: + - shell: docker images | egrep {{ item }} | awk '{ print $3 }' + changed_when: False + failed_when: False + register: images_to_delete + with_items: + - registry\.access\..*redhat\.com/openshift3 + - registry\.access\..*redhat\.com/aep3 + - registry\.qe\.openshift\.com/.* + - registry\.access\..*redhat\.com/rhel7/etcd + - docker.io/openshift + + - shell: "docker rmi -f {{ item.stdout_lines | join(' ') }}" + changed_when: False + failed_when: False + with_items: "{{ images_to_delete.results }}" + when: "{{ openshift_uninstall_images | default(True) | bool }}" + + - name: remove sdn drop files + file: + path: /run/openshift-sdn + state: absent + + - name: Remove files owned by RPMs + file: path={{ item }} state=absent + with_items: + - /etc/sysconfig/openshift-node + - /etc/sysconfig/openvswitch + - /run/openshift-sdn + when: "{{ openshift_remove_all | default(True) | bool }}" + + - find: path={{ item }} file_type=file + register: files with_items: - - registry\.access\..*redhat\.com/openshift3 - - registry\.access\..*redhat\.com/aep3 - - registry\.qe\.openshift\.com/.* - - registry\.access\..*redhat\.com/rhel7/etcd - - docker.io/openshift - when: openshift_uninstall_images | default(True) | bool - - - shell: "docker rmi -f {{ item.stdout_lines | join(' ') }}" - changed_when: False - failed_when: False - with_items: "{{ images_to_delete.results }}" - when: openshift_uninstall_images | default(True) | bool + - "{{ node_dirs }}" + + - find: path={{ item }} file_type=directory + register: directories + with_items: + - "{{ node_dirs }}" - - name: Remove sdn drop files - file: - path: /run/openshift-sdn - state: absent + - file: path={{ item.1.path }} state=absent + with_subelements: + - "{{ files.results | default([]) 
}}" + - files + + - file: path={{ item.1.path }} state=absent + with_subelements: + - "{{ directories.results | default([]) }}" + - files - name: Remove remaining files file: path={{ item }} state=absent @@ -209,13 +245,10 @@ - /etc/NetworkManager/dispatcher.d/99-origin-dns.sh - /etc/openshift - /etc/openshift-sdn - - /etc/origin - /etc/sysconfig/atomic-enterprise-node - /etc/sysconfig/atomic-openshift-node - /etc/sysconfig/atomic-openshift-node-dep - - /etc/sysconfig/openshift-node - /etc/sysconfig/openshift-node-dep - - /etc/sysconfig/openvswitch - /etc/sysconfig/origin-node - /etc/sysconfig/origin-node - /etc/sysconfig/origin-node-dep @@ -227,10 +260,8 @@ - /etc/systemd/system/origin-node-dep.service - /etc/systemd/system/origin-node.service - /etc/systemd/system/origin-node.service.wants - - /run/openshift-sdn - /var/lib/atomic-enterprise - /var/lib/openshift - - /var/lib/origin - name: restart docker service: name=docker state=restarted @@ -238,9 +269,12 @@ - name: restart NetworkManager service: name=NetworkManager state=restarted - - hosts: masters become: yes + vars: + master_dirs: + - "/etc/origin" + - "/var/lib/origin" tasks: - name: unmask services command: systemctl unmask "{{ item }}" @@ -252,7 +286,7 @@ - name: Remove packages package: name={{ item }} state=absent - when: not is_atomic | bool + when: not is_atomic | bool and openshift_remove_all | default(True) | bool with_items: - atomic-enterprise - atomic-enterprise-master 
@@ -283,6 +317,33 @@ - shell: systemctl daemon-reload changed_when: False + - name: Remove files owned by RPMs + file: path={{ item }} state=absent + when: openshift_remove_all | default(True) | bool + with_items: + - /etc/sysconfig/atomic-openshift-master + - /etc/sysconfig/openvswitch + + - find: path={{ item }} file_type=file + register: files + with_items: + - "{{ master_dirs }}" + + - find: path={{ item }} file_type=directory + register: directories + with_items: + - "{{ master_dirs }}" + + - file: path={{ item.1.path }} state=absent + with_subelements: + - "{{ files.results | default([]) }}" + - files + + - file: path={{ item.1.path }} state=absent + with_subelements: + - "{{ directories.results | default([]) }}" + - files + - name: Remove remaining files file: path={{ item }} state=absent with_items: @@ -292,7 +353,6 @@ - /etc/corosync - /etc/openshift - /etc/openshift-sdn - - /etc/origin - /etc/systemd/system/atomic-openshift-master.service - /etc/systemd/system/atomic-openshift-master-api.service - /etc/systemd/system/atomic-openshift-master-controllers.service @@ -303,14 +363,12 @@ - /etc/sysconfig/atomic-enterprise-master - /etc/sysconfig/atomic-enterprise-master-api - /etc/sysconfig/atomic-enterprise-master-controllers - - /etc/sysconfig/atomic-openshift-master - /etc/sysconfig/atomic-openshift-master-api - /etc/sysconfig/atomic-openshift-master-controllers - /etc/sysconfig/origin-master - /etc/sysconfig/origin-master-api - /etc/sysconfig/origin-master-controllers - /etc/sysconfig/openshift-master - - /etc/sysconfig/openvswitch - /etc/sysconfig/origin-master - /etc/sysconfig/origin-master-api - /etc/sysconfig/origin-master-controllers @@ -318,7 +376,6 @@ - /usr/share/openshift/examples - /var/lib/atomic-enterprise - /var/lib/openshift - - /var/lib/origin - /var/lib/pacemaker - /var/lib/pcsd - /usr/lib/systemd/system/atomic-openshift-master-api.service 
@@ -339,6 +396,10 @@ - hosts: etcd become: yes + vars: + etcd_dirs: + - "/etc/etcd" + - "/var/lib/etcd" tasks: - name: unmask services command: systemctl unmask "{{ item }}" @@ -358,7 +419,7 @@ - name: Remove packages package: name={{ item }} state=absent - when: not is_atomic | bool + when: not is_atomic | bool and openshift_remove_all | default(True) | bool with_items: - etcd - etcd3 @@ -369,13 +430,25 @@ - shell: systemctl daemon-reload changed_when: False - - name: Remove remaining files - file: path={{ item }} state=absent + - find: path={{ item }} file_type=file + register: files with_items: - - /etc/ansible/facts.d/openshift.fact - - /etc/etcd - - /etc/systemd/system/etcd_container.service - - /etc/profile.d/etcdctl.sh + - "{{ etcd_dirs }}" + + - find: path={{ item }} file_type=directory + register: directories + with_items: + - "{{ etcd_dirs }}" + + - file: path={{ item.1.path }} state=absent + with_subelements: + - "{{ files.results | default([]) }}" + - files + + - file: path={{ item.1.path }} state=absent + with_subelements: + - "{{ directories.results | default([]) }}" + - files # Intenationally using rm command over file module because if someone had mounted a filesystem # at /var/lib/etcd then the contents was not removed correctly @@ -385,6 +458,13 @@ warn: no failed_when: false + - name: Remove remaining files + file: path={{ item }} state=absent + with_items: + - /etc/ansible/facts.d/openshift.fact + - /etc/systemd/system/etcd_container.service + - /etc/profile.d/etcdctl.sh + - hosts: lb become: yes tasks: @@ -397,7 +477,7 @@ - name: Remove packages package: name={{ item }} state=absent - when: not is_atomic | bool + when: not is_atomic | bool and openshift_remove_all | default(True) | bool with_items: - haproxy @@ -411,4 +491,4 @@ file: path={{ item }} state=absent with_items: - /etc/ansible/facts.d/openshift.fact - - /var/lib/haproxy + - /var/lib/haproxy/stats 
diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index cd2f2e6aa..7839b85e8 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml @@ -26,27 +26,6 @@ logging_elasticsearch_cluster_size: "{{ openshift_hosted_logging_elasticsearch_cluster_size | default(1) }}" logging_elasticsearch_ops_cluster_size: "{{ openshift_hosted_logging_elasticsearch_ops_cluster_size | default(1) }}" roles: - - role: openshift_cli - - role: openshift_hosted_facts - - role: openshift_projects - # TODO: Move standard project definitions to openshift_hosted/vars/main.yml - # Vars are not accessible in meta/main.yml in ansible-1.9.x - openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}" - - role: openshift_serviceaccounts - openshift_serviceaccounts_names: - - router - openshift_serviceaccounts_namespace: default - openshift_serviceaccounts_sccs: - - hostnetwork - when: openshift.common.version_gte_3_2_or_1_2 - - role: openshift_serviceaccounts - openshift_serviceaccounts_names: - - router - - registry - openshift_serviceaccounts_namespace: default - openshift_serviceaccounts_sccs: - - privileged - when: not openshift.common.version_gte_3_2_or_1_2 - role: openshift_hosted - role: openshift_metrics when: openshift_hosted_metrics_deploy | default(false) | bool diff --git a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml index 44ddf97ad..17f8fc6e9 100644 --- a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml 
@@ -20,7 +20,7 @@ - debug: var=docker_image_count.stdout - name: Remove all containers and images - script: nuke_images.sh docker + script: nuke_images.sh register: nuke_images_result when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool diff --git a/playbooks/common/openshift-cluster/upgrades/files/pre-upgrade-check b/playbooks/common/openshift-cluster/upgrades/files/pre-upgrade-check deleted file mode 100644 index e5c958ebb..000000000 --- a/playbooks/common/openshift-cluster/upgrades/files/pre-upgrade-check +++ /dev/null 
@@ -1,193 +0,0 @@ -#!/usr/bin/env python -""" -Pre-upgrade checks that must be run on a master before proceeding with upgrade. -""" -# This is a script not a python module: -# pylint: disable=invalid-name - -# NOTE: This script should not require any python libs other than what is -# in the standard library. - -__license__ = "ASL 2.0" - -import json -import os -import subprocess -import re - -# The maximum length of container.ports.name -ALLOWED_LENGTH = 15 -# The valid structure of container.ports.name -ALLOWED_CHARS = re.compile('^[a-z0-9][a-z0-9\\-]*[a-z0-9]$') -AT_LEAST_ONE_LETTER = re.compile('[a-z]') -# look at OS_PATH for the full path. Default ot 'oc' -OC_PATH = os.getenv('OC_PATH', 'oc') - - -def validate(value): - """ - validate verifies that value matches required conventions - - Rules of container.ports.name validation: - - * must be less that 16 chars - * at least one letter - * only a-z0-9- - * hyphens can not be leading or trailing or next to each other - - :Parameters: - - `value`: Value to validate - """ - if len(value) > ALLOWED_LENGTH: - return False - - if '--' in value: - return False - - # We search since it can be anywhere - if not AT_LEAST_ONE_LETTER.search(value): - return False - - # We match because it must start at the beginning - if not ALLOWED_CHARS.match(value): - return False - return True - - -def list_items(kind): - """ - list_items returns a list of items from the api - - :Parameters: - - `kind`: Kind of item to access - """ - response = subprocess.check_output([OC_PATH, 'get', '--all-namespaces', '-o', 'json', kind]) - items = json.loads(response) - return items.get("items", []) - - -def get(obj, *paths): - """ - Gets an object - - :Parameters: - - `obj`: A dictionary structure - - `path`: All other non-keyword arguments - """ - ret_obj = obj - for path in paths: - if ret_obj.get(path, None) is None: - return [] - ret_obj = ret_obj[path] - return ret_obj - - -# pylint: disable=too-many-arguments -def 
pretty_print_errors(namespace, kind, item_name, container_name, invalid_label, port_name, valid): - """ - Prints out results in human friendly way. - - :Parameters: - - `namespace`: Namespace of the resource - - `kind`: Kind of the resource - - `item_name`: Name of the resource - - `container_name`: Name of the container. May be "" when kind=Service. - - `port_name`: Name of the port - - `invalid_label`: The label of the invalid port. Port.name/targetPort - - `valid`: True if the port is valid - """ - if not valid: - if len(container_name) > 0: - print('%s/%s -n %s (Container="%s" %s="%s")' % ( - kind, item_name, namespace, container_name, invalid_label, port_name)) - else: - print('%s/%s -n %s (%s="%s")' % ( - kind, item_name, namespace, invalid_label, port_name)) - - -def print_validation_header(): - """ - Prints the error header. Should run on the first error to avoid - overwhelming the user. - """ - print """\ -At least one port name is invalid and must be corrected before upgrading. -Please update or remove any resources with invalid port names. - - Valid port names must: - - * be less that 16 characters - * have at least one letter - * contain only a-z0-9- - * not start or end with - - * not contain dashes next to each other ('--') -""" - - -def main(): - """ - main is the main entry point to this script - """ - try: - # the comma at the end suppresses the newline - print "Checking for oc ...", - subprocess.check_output([OC_PATH, 'whoami']) - print "found" - except: - print( - 'Unable to run "%s whoami"\n' - 'Please ensure OpenShift is running, and "oc" is on your system ' - 'path.\n' - 'You can override the path with the OC_PATH environment variable.' 
- % OC_PATH) - raise SystemExit(1) - - # Where the magic happens - first_error = True - for kind, path in [ - ('deploymentconfigs', ("spec", "template", "spec", "containers")), - ('replicationcontrollers', ("spec", "template", "spec", "containers")), - ('pods', ("spec", "containers"))]: - for item in list_items(kind): - namespace = item["metadata"]["namespace"] - item_name = item["metadata"]["name"] - for container in get(item, *path): - container_name = container["name"] - for port in get(container, "ports"): - port_name = port.get("name", None) - if not port_name: - # Unnamed ports are OK - continue - valid = validate(port_name) - if not valid and first_error: - first_error = False - print_validation_header() - pretty_print_errors( - namespace, kind, item_name, - container_name, "Port.name", port_name, valid) - - # Services follow a different flow - for item in list_items('services'): - namespace = item["metadata"]["namespace"] - item_name = item["metadata"]["name"] - for port in get(item, "spec", "ports"): - port_name = port.get("targetPort", None) - if isinstance(port_name, int) or port_name is None: - # Integer only or unnamed ports are OK - continue - valid = validate(port_name) - if not valid and first_error: - first_error = False - print_validation_header() - pretty_print_errors( - namespace, "services", item_name, "", - "targetPort", port_name, valid) - - # If we had at least 1 error then exit with 1 - if not first_error: - raise SystemExit(1) - - -if __name__ == '__main__': - main() - diff --git a/playbooks/common/openshift-cluster/upgrades/files/rpm_versions.sh b/playbooks/common/openshift-cluster/upgrades/files/rpm_versions.sh deleted file mode 100644 index 7bf249742..000000000 --- a/playbooks/common/openshift-cluster/upgrades/files/rpm_versions.sh +++ /dev/null 
@@ -1,12 +0,0 @@ -#!/bin/bash -if [ `which dnf 2> /dev/null` ]; then - installed=$(dnf repoquery --installed --latest-limit 1 -d 0 --qf '%{version}-%{release}' "${@}" 2> /dev/null) - available=$(dnf repoquery --available --latest-limit 1 -d 0 --qf '%{version}-%{release}' "${@}" 2> /dev/null) -else - installed=$(repoquery --plugins --pkgnarrow=installed --qf '%{version}-%{release}' "${@}" 2> /dev/null) - available=$(repoquery --plugins --pkgnarrow=available --qf '%{version}-%{release}' "${@}" 2> /dev/null) -fi - -echo "---" -echo "curr_version: ${installed}" -echo "avail_version: ${available}" diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 8058d3377..21f3c80a1 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -133,9 +133,7 @@ | oo_collect('openshift.common.hostname') | default([]) | join (',') }}" roles: - - role: openshift_master_facts - - role: openshift_hosted_facts - - role: openshift_master_certificates + - role: openshift_master openshift_ca_host: "{{ groups.oo_first_master.0 }}" openshift_master_etcd_hosts: "{{ hostvars | oo_select_keys(groups['oo_etcd_to_config'] | default([])) 
@@ -145,35 +143,12 @@ | oo_select_keys(groups['oo_masters_to_config'] | default([])) | oo_collect('openshift.common.all_hostnames') | oo_flatten | unique }}" - - role: openshift_etcd_client_certificates + openshift_master_hosts: "{{ groups.oo_masters_to_config }}" etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" etcd_cert_prefix: "master.etcd-" - when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config - - role: openshift_clock - - role: openshift_cloud_provider - - role: openshift_builddefaults - - role: os_firewall - os_firewall_allow: - - service: api server https - port: "{{ openshift.master.api_port }}/tcp" - - service: api controllers https - port: "{{ openshift.master.controllers_port }}/tcp" - - service: skydns tcp - port: "{{ openshift.master.dns_port }}/tcp" - - service: skydns udp - port: "{{ openshift.master.dns_port }}/udp" - - role: os_firewall - os_firewall_allow: - - service: etcd embedded - port: 4001/tcp - when: groups.oo_etcd_to_config | default([]) | length == 0 - - role: openshift_master - openshift_master_hosts: "{{ groups.oo_masters_to_config }}" - - role: nickhammond.logrotate - - role: nuage_master - when: openshift.common.use_nuage | bool + post_tasks: - name: Create group for deployment type group_by: key=oo_masters_deployment_type_{{ openshift.common.deployment_type }} diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index e28da5713..b36c0eedf 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml 
@@ -60,30 +60,8 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - role: openshift_common - - role: openshift_clock - - role: openshift_docker - - role: openshift_node_certificates - openshift_ca_host: "{{ groups.oo_first_master.0 }}" - - role: openshift_cloud_provider - - role: openshift_node_dnsmasq - when: openshift.common.use_dnsmasq | bool - - role: os_firewall - os_firewall_allow: - - service: Kubernetes kubelet - port: 10250/tcp - - service: http - port: 80/tcp - - service: https - port: 443/tcp - - service: Openshift kubelet ReadOnlyPort - port: 10255/tcp - - service: Openshift kubelet ReadOnlyPort udp - port: 10255/udp - - service: OpenShift OVS sdn - port: 4789/udp - when: openshift.node.use_openshift_sdn | bool - role: openshift_node + openshift_ca_host: "{{ groups.oo_first_master.0 }}" - name: Configure nodes hosts: oo_nodes_to_config:!oo_containerized_master_nodes @@ -99,30 +77,8 @@ when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and openshift_generate_no_proxy_hosts | default(True) | bool }}" roles: - - role: openshift_common - - role: openshift_clock - - role: openshift_docker - - role: openshift_node_certificates - openshift_ca_host: "{{ groups.oo_first_master.0 }}" - - role: openshift_cloud_provider - - role: openshift_node_dnsmasq - when: openshift.common.use_dnsmasq | bool - - role: os_firewall - os_firewall_allow: - - service: Kubernetes kubelet - port: 10250/tcp - - service: http - port: 80/tcp - - service: https - port: 443/tcp - - service: Openshift kubelet ReadOnlyPort - port: 10255/tcp - - service: Openshift kubelet ReadOnlyPort udp - port: 10255/udp - - service: OpenShift OVS sdn - port: 4789/udp - when: openshift.node.use_openshift_sdn | bool - role: openshift_node + openshift_ca_host: "{{ groups.oo_first_master.0 }}" - name: Additional node config hosts: oo_nodes_to_config 
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml index dadd62c93..ad28cece9 100644 --- a/roles/docker/meta/main.yml +++ b/roles/docker/meta/main.yml @@ -11,4 +11,3 @@ galaxy_info: - 7 dependencies: - role: os_firewall - os_firewall_use_firewalld: False diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index a93bdc2ad..57da23e0a 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -43,16 +43,18 @@ package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present when: not openshift.common.is_atomic | bool -- name: Ensure docker.service.d directory exists - file: - path: "{{ docker_systemd_dir }}" - state: directory - -# Extend the default Docker service unit file -- name: Configure Docker service unit file - template: - dest: "{{ docker_systemd_dir }}/custom.conf" - src: custom.conf.j2 +- block: + # Extend the default Docker service unit file when using iptables-services + - name: Ensure docker.service.d directory exists + file: + path: "{{ docker_systemd_dir }}" + state: directory + + - name: Configure Docker service unit file + template: + dest: "{{ docker_systemd_dir }}/custom.conf" + src: custom.conf.j2 + when: not os_firewall_use_firewalld | default(True) | bool - include: udev_workaround.yml when: docker_udev_workaround | default(False) | bool diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml index 74c50ae1d..ca5e88b15 100644 --- a/roles/openshift_hosted/meta/main.yml +++ b/roles/openshift_hosted/meta/main.yml 
@@ -11,4 +11,23 @@ galaxy_info: - 7 categories: - cloud -dependencies: [] +dependencies: +- role: openshift_cli +- role: openshift_hosted_facts +- role: openshift_projects + openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}" +- role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - hostnetwork + when: openshift.common.version_gte_3_2_or_1_2 +- role: openshift_serviceaccounts + openshift_serviceaccounts_names: + - router + - registry + openshift_serviceaccounts_namespace: default + openshift_serviceaccounts_sccs: + - privileged + when: not openshift.common.version_gte_3_2_or_1_2 diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index 7457e4378..3a595b2d1 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml 
@@ -11,4 +11,33 @@ galaxy_info: - 7 categories: - cloud -dependencies: [] +dependencies: +- role: openshift_master_facts +- role: openshift_hosted_facts +- role: openshift_master_certificates +- role: openshift_etcd_client_certificates + etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}" + etcd_cert_config_dir: "{{ openshift.common.config_base }}/master" + etcd_cert_prefix: "master.etcd-" + when: groups.oo_etcd_to_config | default([]) | length != 0 +- role: openshift_clock +- role: openshift_cloud_provider +- role: openshift_builddefaults +- role: os_firewall + os_firewall_allow: + - service: api server https + port: "{{ openshift.master.api_port }}/tcp" + - service: api controllers https + port: "{{ openshift.master.controllers_port }}/tcp" + - service: skydns tcp + port: "{{ openshift.master.dns_port }}/tcp" + - service: skydns udp + port: "{{ openshift.master.dns_port }}/udp" +- role: os_firewall + os_firewall_allow: + - service: etcd embedded + port: 4001/tcp + when: groups.oo_etcd_to_config | default([]) | length == 0 +- role: nickhammond.logrotate +- role: nuage_master + when: openshift.common.use_nuage | bool diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py index b0984b004..29a59a0d3 100644 --- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py +++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py 
@@ -40,10 +40,10 @@ class LookupModule(LookupBase): # pylint: disable=line-too-long raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified") if deployment_type == 'origin': - if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6']: + if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']: raise AnsibleError("Unknown short_version %s" % short_version) elif deployment_type == 'openshift-enterprise': - if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6']: + if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']: raise AnsibleError("Unknown short_version %s" % short_version) else: raise AnsibleError("Unknown deployment_type %s" % deployment_type) diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py index 4d6572dae..36022597f 100644 --- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py +++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py @@ -45,10 +45,10 @@ class LookupModule(LookupBase): raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified") if deployment_type == 'origin': - if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6']: + if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']: raise AnsibleError("Unknown short_version %s" % short_version) elif deployment_type == 'openshift-enterprise': - if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6']: + if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']: raise AnsibleError("Unknown short_version %s" % short_version) else: raise AnsibleError("Unknown deployment_type %s" % deployment_type) 
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index c39269f33..56dee2958 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml @@ -11,4 +11,26 @@ galaxy_info: - 7 categories: - cloud -dependencies: [] +dependencies: +- role: openshift_common +- role: openshift_clock +- role: openshift_docker +- role: openshift_node_certificates +- role: openshift_cloud_provider +- role: openshift_node_dnsmasq + when: openshift.common.use_dnsmasq | bool +- role: os_firewall + os_firewall_allow: + - service: Kubernetes kubelet + port: 10250/tcp + - service: http + port: 80/tcp + - service: https + port: 443/tcp + - service: Openshift kubelet ReadOnlyPort + port: 10255/tcp + - service: Openshift kubelet ReadOnlyPort udp + port: 10255/udp + - service: OpenShift OVS sdn + port: 4789/udp + when: openshift.node.use_openshift_sdn | bool diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml index 718537287..cd0f20ae9 100644 --- a/roles/openshift_version/tasks/set_version_containerized.yml +++ b/roles/openshift_version/tasks/set_version_containerized.yml @@ -1,8 +1,9 @@ --- - name: Set containerized version to configure if openshift_image_tag specified set_fact: - # Expects a leading "v" in inventory, strip it off here: - openshift_version: "{{ openshift_image_tag[1:].split('-')[0] }}" + # Expects a leading "v" in inventory, strip it off here unless + # openshift_image_tag=latest + openshift_version: "{{ openshift_image_tag[1:].split('-')[0] if openshift_image_tag != 'latest' else openshift_image_tag }}" when: openshift_image_tag is defined and openshift_version is not defined - name: Set containerized version to configure if openshift_release specified diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md index c13c5dfc9..43db3cc74 100644 --- a/roles/os_firewall/README.md +++ b/roles/os_firewall/README.md 
@@ -4,6 +4,9 @@ OS Firewall OS Firewall manages firewalld and iptables firewall settings for a minimal use case (Adding/Removing rules based on protocol and port number). +Note: firewalld is not supported on Atomic Host +https://bugzilla.redhat.com/show_bug.cgi?id=1403331 + Requirements ------------ @@ -14,7 +17,7 @@ Role Variables | Name | Default | | |---------------------------|---------|----------------------------------------| -| os_firewall_use_firewalld | False | If false, use iptables | +| os_firewall_use_firewalld | True | If false, use iptables | | os_firewall_allow | [] | List of service,port mappings to allow | | os_firewall_deny | [] | List of service, port mappings to deny | @@ -31,6 +34,7 @@ Use iptables and open tcp ports 80 and 443: --- - hosts: servers vars: + os_firewall_use_firewalld: false os_firewall_allow: - service: httpd port: 80/tcp @@ -45,7 +49,6 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80: --- - hosts: servers vars: - os_firewall_use_firewalld: true os_firewall_allow: - service: https port: 443/tcp diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml index c870a301a..4c544122f 100644 --- a/roles/os_firewall/defaults/main.yml +++ b/roles/os_firewall/defaults/main.yml @@ -1,9 +1,7 @@ --- os_firewall_enabled: True -# TODO: Upstream kubernetes only supports iptables currently -# TODO: it might be possible to still use firewalld if we wire up the created -# chains with the public zone (or the zone associated with the correct -# interfaces) -os_firewall_use_firewalld: False +# firewalld is not supported on Atomic Host +# https://bugzilla.redhat.com/show_bug.cgi?id=1403331 +os_firewall_use_firewalld: "{{ False if openshift.common.is_atomic | bool else True }}" os_firewall_allow: [] os_firewall_deny: [] diff --git a/roles/os_firewall/tasks/main.yml b/roles/os_firewall/tasks/main.yml index 076e5e311..20efe5b0d 100644 --- a/roles/os_firewall/tasks/main.yml 
+++ b/roles/os_firewall/tasks/main.yml @@ -1,4 +1,10 @@ --- +- name: Assert - Do not use firewalld on Atomic Host + assert: + that: not os_firewall_use_firewalld | bool + msg: "Firewalld is not supported on Atomic Host" + when: openshift.common.is_atomic | bool + - include: firewall/firewalld.yml when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool diff --git a/utils/Makefile b/utils/Makefile index 0e1cd79dd..2a37b922c 100644 --- a/utils/Makefile +++ b/utils/Makefile @@ -30,7 +30,8 @@ SHORTNAME := ooinstall # directory of the target file ($@), kinda like `dirname`. ASCII2MAN = a2x -D $(dir $@) -d manpage -f manpage $< MANPAGES := docs/man/man1/atomic-openshift-installer.1 -VERSION := 1.3 +# slipped into the manpage template before a2x processing +VERSION := 1.4 # YAMLFILES: Skipping all '/files/' folders due to conflicting yaml file definitions YAMLFILES = $(shell find ../ -name $(VENV) -prune -o -name .tox -prune -o \( -name '*.yml' -o -name '*.yaml' \) ! -path "*/files/*" -print 2>&1) diff --git a/utils/docs/man/man1/atomic-openshift-installer.1 b/utils/docs/man/man1/atomic-openshift-installer.1 index 072833ce8..827ce224b 100644 --- a/utils/docs/man/man1/atomic-openshift-installer.1 +++ b/utils/docs/man/man1/atomic-openshift-installer.1 
@@ -2,12 +2,12 @@ .\" Title: atomic-openshift-installer .\" Author: [see the "AUTHOR" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 10/20/2016 +.\" Date: 12/28/2016 .\" Manual: atomic-openshift-installer -.\" Source: atomic-openshift-utils 1.3 +.\" Source: atomic-openshift-utils 1.4 .\" Language: English .\" -.TH "ATOMIC\-OPENSHIFT\-I" "1" "10/20/2016" "atomic\-openshift\-utils 1\&.3" "atomic\-openshift\-installer" +.TH "ATOMIC\-OPENSHIFT\-I" "1" "12/28/2016" "atomic\-openshift\-utils 1\&.4" "atomic\-openshift\-installer" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -86,7 +86,7 @@ Show the usage help and exit\&. .RE .SH "COMMANDS" .sp -\fBatomic\-openshift\-installer\fR has three modes of operation: +\fBatomic\-openshift\-installer\fR has four modes of operation: .sp .RS 4 .ie n \{\ diff --git a/utils/docs/man/man1/atomic-openshift-installer.1.asciidoc.in b/utils/docs/man/man1/atomic-openshift-installer.1.asciidoc.in index 9b02c4d14..2917e9992 100644 --- a/utils/docs/man/man1/atomic-openshift-installer.1.asciidoc.in +++ b/utils/docs/man/man1/atomic-openshift-installer.1.asciidoc.in @@ -68,7 +68,7 @@ Show the usage help and exit. COMMANDS -------- -**atomic-openshift-installer** has three modes of operation: +**atomic-openshift-installer** has four modes of operation: * **install** * **uninstall** diff --git a/utils/src/ooinstall/cli_installer.py b/utils/src/ooinstall/cli_installer.py index b70bd1817..0bc9aa45e 100644 --- a/utils/src/ooinstall/cli_installer.py +++ b/utils/src/ooinstall/cli_installer.py 
@@ -1124,6 +1124,20 @@ def scaleup(ctx, gen_inventory): click.echo('Welcome to the OpenShift Enterprise 3 Scaleup utility.') + # Scaleup requires manual data entry. Therefore, we do not support + # unattended operations. + if unattended: + msg = """ +--- + +The 'scaleup' operation does not support unattended +functionality. Re-run the installer without the '-u' or '--unattended' +option to continue. +""" + click.echo(msg) + sys.exit(1) + + # Resume normal scaleup workflow print_installation_summary(installed_hosts, oo_cfg.settings['variant_version'], verbose=False,) |
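Review bot: in the playbooks/common/openshift-cluster/upgrades/files/rpm_versions.sh deletion, no hunk in this patch removes a caller of the script, so a search of the upgrade playbooks for remaining `rpm_versions.sh` references (and for consumers of the `curr_version`/`avail_version` keys it printed) should be part of the review, otherwise an upgrade play will fail on a missing file at run time rather than at review time.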
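Review bot: in the playbooks/common/openshift-master/config.yml hunk, the `etcd_ca_host`, `etcd_cert_subdir`, `etcd_cert_config_dir` and `etcd_cert_prefix` parameters are now passed to `openshift_master` unconditionally while the old `when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config` guard is dropped; this only works because roles/openshift_master/meta/main.yml gates the `openshift_etcd_client_certificates` dependency with `length != 0`, so add a short comment in config.yml pointing at that guard, and confirm that `etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"` is not evaluated in the embedded-etcd case where that group is empty.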
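Review bot: in the roles/openshift_node/meta/main.yml hunk, the `openshift_node_certificates` dependency no longer carries `openshift_ca_host` (the playbook hunks move it onto `- role: openshift_node` instead), so certificate generation now depends on every play that applies `openshift_node` passing `openshift_ca_host` and on role-parameter inheritance into dependencies; document it as a required variable of `openshift_node` (or add an `assert` that it is defined) so a play that includes the role without it fails with a clear message instead of an undefined-variable error deep in the certificate tasks.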
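Review bot: in the roles/docker/tasks/main.yml hunk, `when: not os_firewall_use_firewalld | default(True) | bool` re-states the default of a variable that roles/os_firewall/defaults/main.yml now computes (False on Atomic Host, True otherwise), so the two can silently diverge if the os_firewall default changes again; either reference the os_firewall value without a local default or add a comment tying the two together, and give the `- block:` a `name:` so the skip shows up readably in play output.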
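Review bot: in the roles/openshift_hosted/meta/main.yml hunk, the pre-3.2 branch grants the `privileged` SCC to both the `router` and `registry` service accounts while the 3.2+ branch grants only `hostnetwork` to `router`; a comment explaining why the registry needs `privileged` on the old path would help the least-privilege review, and `when: openshift.common.version_gte_3_2_or_1_2` should get the `| bool` filter used on every other condition in this patch for consistency.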
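Review bot: in the openshift_master_facts_default_predicates.py and openshift_master_facts_default_priorities.py hunks, the same two version lists are now maintained in two files and both gain `'latest'`; factor them into one shared constant so the next version bump cannot update one plugin and miss the other, and confirm that the code below these checks actually maps `'latest'` to a predicate/priority set, since the visible lines only stop it from raising "Unknown short_version".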
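Review bot: in the roles/openshift_version/tasks/set_version_containerized.yml hunk, `openshift_version` can now hold the literal string `latest` instead of a numeric version, so any consumer that compares `openshift_version` numerically or derives version facts from it needs to handle that value; a note on the task stating that `latest` is passed through unchanged would make the contract explicit.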
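Review bot: in the roles/os_firewall/defaults/main.yml hunk, `os_firewall_use_firewalld: "{{ False if openshift.common.is_atomic | bool else True }}"` makes the role's defaults depend on `openshift.common.is_atomic`, and the new assert in roles/os_firewall/tasks/main.yml does the same, so the role can no longer be used standalone the way the README examples (`hosts: servers`) suggest unless openshift_facts has run first; either guard the expression with a `default` for the undefined-`openshift` case or state the openshift_facts requirement in the README's Requirements section.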
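Review bot: in the utils/src/ooinstall/cli_installer.py hunk, `unattended` is not a parameter of `scaleup(ctx, gen_inventory)` and is not assigned in the visible lines, so confirm it is read from `ctx.obj` before this check and that `sys` is imported in the module, otherwise the new early exit raises a `NameError` instead of printing the message; the multi-line `msg` could also be a plain `click.echo(...)` with `sys.exit(1)` folded into `ctx.exit(1)` for consistency with click's own exit handling.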