diff options
64 files changed, 497 insertions, 203 deletions
diff --git a/.redhat-ci.sh b/.redhat-ci.sh index 29d64e4d5..fce8c1d52 100755 --- a/.redhat-ci.sh +++ b/.redhat-ci.sh @@ -1,10 +1,9 @@ #!/bin/bash set -xeuo pipefail -# F25 currently has 2.2.1, so install from pypi -pip install ansible==2.2.2.0 +pip install -r requirements.txt -# do a simple ping to make sure the nodes are available +# ping the nodes to check they're responding and register their ostree versions ansible -vvv -i .redhat-ci.inventory nodes -a 'rpm-ostree status' upload_journals() { diff --git a/.redhat-ci.yml b/.redhat-ci.yml index 887cc6ef0..6dac7b256 100644 --- a/.redhat-ci.yml +++ b/.redhat-ci.yml @@ -24,7 +24,7 @@ env: OPENSHIFT_IMAGE_TAG: v3.6.0-alpha.1 tests: - - sh .redhat-ci.sh + - ./.redhat-ci.sh artifacts: - journals/ diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible index ebb0299ff..c7d412311 100644 --- a/.tito/packages/openshift-ansible +++ b/.tito/packages/openshift-ansible @@ -1 +1 @@ -3.6.52-1 ./ +3.6.54-1 ./ diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index 10c8600ba..d61184c48 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -11,6 +11,7 @@ import pdb import random import re +from base64 import b64encode from collections import Mapping # pylint no-name-in-module and import-error disabled here because pylint # fails to properly detect the packages when installed in a virtualenv @@ -672,8 +673,7 @@ def oo_generate_secret(num_bytes): if not isinstance(num_bytes, int): raise errors.AnsibleFilterError("|failed expects num_bytes is int") - secret = os.urandom(num_bytes) - return secret.encode('base-64').strip() + return b64encode(os.urandom(num_bytes)).decode('utf-8') def to_padded_yaml(data, level=0, indent=2, **kw): diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index d31c35f69..db6ac12ce 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -78,6 +78,18 @@ openshift_release=v1.5 #openshift_docker_blocked_registries=registry.hacker.com # Disable pushing to dockerhub #openshift_docker_disable_push_dockerhub=True +# Use Docker inside a System Container. Note that this is a tech preview and should +# not be used to upgrade! +# The following options for docker are ignored: +# - docker_version +# - docker_upgrade +# The following options must not be used +# - openshift_docker_options +#openshift_docker_use_system_container=False +# Force the registry to use for the system container. By default the registry +# will be built off of the deployment type and ansible_distribution. Only +# use this option if you are sure you know what you are doing! +#openshift_docker_systemcontainer_image_registry_override="registry.example.com" # Items added, as is, to end of /etc/sysconfig/docker OPTIONS # Default value: "--log-driver=journald" #openshift_docker_options="-l warn --ipv6=false" diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 80cc65f06..42097a593 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -78,6 +78,18 @@ openshift_release=v3.5 #openshift_docker_blocked_registries=registry.hacker.com # Disable pushing to dockerhub #openshift_docker_disable_push_dockerhub=True +# Use Docker inside a System Container. Note that this is a tech preview and should +# not be used to upgrade! +# The following options for docker are ignored: +# - docker_version +# - docker_upgrade +# The following options must not be used +# - openshift_docker_options +#openshift_docker_use_system_container=False +# Force the registry to use for the system container. By default the registry +# will be built off of the deployment type and ansible_distribution. Only +# use this option if you are sure you know what you are doing! +#openshift_docker_systemcontainer_image_registry_override="registry.example.com" # Items added, as is, to end of /etc/sysconfig/docker OPTIONS # Default value: "--log-driver=journald" #openshift_docker_options="-l warn --ipv6=false" diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 9af1bd366..c2fc0d68d 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -9,7 +9,7 @@ %global __requires_exclude ^/usr/bin/ansible-playbook$ Name: openshift-ansible -Version: 3.6.52 +Version: 3.6.54 Release: 1%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 @@ -25,6 +25,7 @@ Requires: openshift-ansible-docs = %{version} Requires: java-1.8.0-openjdk-headless Requires: httpd-tools Requires: libselinux-python +Requires: python-passlib %description Openshift and Atomic Enterprise Ansible @@ -273,6 +274,25 @@ Atomic OpenShift Utilities includes %changelog +* Fri May 05 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.54-1 +- Allow oc_ modules to pass unicode results (rteague@redhat.com) +- Ensure repo cache is clean on the first run (rteague@redhat.com) +- move etcdctl.yml from etcd to etcd_common role (jchaloup@redhat.com) +- Modified pick from release-1.5 for updating hawkular htpasswd generation + (ewolinet@redhat.com) + +* Thu May 04 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.53-1 +- Correctly setting the primary and replica shard count settings + (ewolinet@redhat.com) +- System container docker (smilner@redhat.com) +- Stop logging AWS credentials in master role. (dgoodwin@redhat.com) +- Remove set operations from openshift_master_certificates iteration. + (abutcher@redhat.com) +- Refactor system fact gathering to avoid dictionary size change during + iteration. (abutcher@redhat.com) +- Refactor secret generation for python3. (abutcher@redhat.com) +- redhat-ci: use requirements.txt (jlebon@redhat.com) + * Wed May 03 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.52-1 - Making mux with_items list evaluate as empty if didnt get objects before (ewolinet@redhat.com) @@ -304,17 +324,17 @@ Atomic OpenShift Utilities includes - Bump ansible rpm dependency to 2.2.2.0 (sdodson@redhat.com) * Mon May 01 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.48-1 -- +- * Mon May 01 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.47-1 -- +- * Mon May 01 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.46-1 - Contrib: Hook to verify modules match assembled fragments (tbielawa@redhat.com) * Mon May 01 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.45-1 -- +- * Sun Apr 30 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.44-1 - Refactor etcd roles (jchaloup@redhat.com) @@ -385,7 +405,7 @@ Atomic OpenShift Utilities includes - Remove v1.5 and v1.6 metrics/logging templates (sdodson@redhat.com) * Sun Apr 23 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.35-1 -- +- * Fri Apr 21 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.34-1 - GlusterFS: provide default for groups.oo_glusterfs_to_config in with_items diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/main.yml b/playbooks/common/openshift-cluster/upgrades/etcd/main.yml index 73657d2f1..d9b59edcb 100644 --- a/playbooks/common/openshift-cluster/upgrades/etcd/main.yml +++ b/playbooks/common/openshift-cluster/upgrades/etcd/main.yml @@ -14,7 +14,9 @@ - name: Drop etcdctl profiles hosts: oo_etcd_hosts_to_upgrade tasks: - - include: roles/etcd/tasks/etcdctl.yml + - include_role: + name: etcd_common + tasks_from: etcdctl.yml - name: Perform etcd upgrade include: ./upgrade.yml diff --git a/playbooks/common/openshift-cluster/upgrades/init.yml b/playbooks/common/openshift-cluster/upgrades/init.yml index cbf6d58b3..0f421928b 100644 --- a/playbooks/common/openshift-cluster/upgrades/init.yml +++ b/playbooks/common/openshift-cluster/upgrades/init.yml @@ -10,17 +10,6 @@ - include: ../initialize_facts.yml -- name: Ensure clean repo cache in the event repos have been changed manually - hosts: oo_all_hosts - tags: - - pre_upgrade - tasks: - - name: Clean package cache - command: "{{ ansible_pkg_mgr }} clean all" - when: not openshift.common.is_atomic | bool - args: - warn: no - - name: Ensure firewall is not switched during upgrade hosts: oo_all_hosts tasks: diff --git a/roles/calico/handlers/main.yml b/roles/calico/handlers/main.yml index 65d75cf00..53cecfcc3 100644 --- a/roles/calico/handlers/main.yml +++ b/roles/calico/handlers/main.yml @@ -5,4 +5,6 @@ - name: restart docker become: yes - systemd: name=docker state=restarted + systemd: + name: "{{ openshift.docker.service_name }}" + state: restarted diff --git a/roles/contiv/tasks/netplugin.yml b/roles/contiv/tasks/netplugin.yml index 97b9762df..0847c92bc 100644 --- a/roles/contiv/tasks/netplugin.yml +++ b/roles/contiv/tasks/netplugin.yml @@ -105,7 +105,7 @@ - name: Docker | Restart docker service: - name: docker + name: "{{ openshift.docker.service_name }}" state: restarted when: docker_updated|changed diff --git a/roles/docker/README.md b/roles/docker/README.md index ea06fd41a..f25ca03cd 100644 --- a/roles/docker/README.md +++ b/roles/docker/README.md @@ -1,7 +1,7 @@ Docker ========= -Ensures docker package is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes. +Ensures docker package or system container is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes. Requirements ------------ @@ -11,8 +11,10 @@ Ansible 2.2 Role Variables -------------- -udevw_udevd_dir: location of systemd config for systemd-udevd.service +docker_conf_dir: location of the Docker configuration directory +docker_systemd_dir location of the systemd directory for Docker docker_udev_workaround: raises udevd timeout to 5 minutes (https://bugzilla.redhat.com/show_bug.cgi?id=1272446) +udevw_udevd_dir: location of systemd config for systemd-udevd.service Dependencies ------------ @@ -26,6 +28,7 @@ Example Playbook roles: - role: docker docker_udev_workaround: "true" + docker_use_system_container: False License ------- diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 9ccb306fc..7f91afb37 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -2,7 +2,7 @@ - name: restart docker systemd: - name: docker + name: "{{ openshift.docker.service_name }}" state: restarted when: not docker_service_status_changed | default(false) | bool diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml index ad28cece9..cd4083572 100644 --- a/roles/docker/meta/main.yml +++ b/roles/docker/meta/main.yml @@ -11,3 +11,4 @@ galaxy_info: - 7 dependencies: - role: os_firewall +- role: lib_openshift diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index c34700aeb..e60dbe2d6 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -1,119 +1,16 @@ --- -- name: Get current installed Docker version - command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker" - when: not openshift.common.is_atomic | bool - register: curr_docker_version - changed_when: false - -- name: Error out if Docker pre-installed but too old - fail: - msg: "Docker {{ curr_docker_version.stdout }} is installed, but >= 1.9.1 is required." - when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.9.1', '<') and not docker_version is defined - -- name: Error out if requested Docker is too old - fail: - msg: "Docker {{ docker_version }} requested, but >= 1.9.1 is required." - when: docker_version is defined and docker_version | version_compare('1.9.1', '<') - -# If a docker_version was requested, sanity check that we can install or upgrade to it, and -# no downgrade is required. -- name: Fail if Docker version requested but downgrade is required - fail: - msg: "Docker {{ curr_docker_version.stdout }} is installed, but version {{ docker_version }} was requested." - when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and docker_version is defined and curr_docker_version.stdout | version_compare(docker_version, '>') - -# This involves an extremely slow migration process, users should instead run the -# Docker 1.10 upgrade playbook to accomplish this. -- name: Error out if attempting to upgrade Docker across the 1.10 boundary - fail: - msg: "Cannot upgrade Docker to >= 1.10, please upgrade or remove Docker manually, or use the Docker upgrade playbook if OpenShift is already installed." - when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.10', '<') and docker_version is defined and docker_version | version_compare('1.10', '>=') - -# Make sure Docker is installed, but does not update a running version. -# Docker upgrades are handled by a separate playbook. -- name: Install Docker - package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present - when: not openshift.common.is_atomic | bool - -- block: - # Extend the default Docker service unit file when using iptables-services - - name: Ensure docker.service.d directory exists - file: - path: "{{ docker_systemd_dir }}" - state: directory - - - name: Configure Docker service unit file - template: - dest: "{{ docker_systemd_dir }}/custom.conf" - src: custom.conf.j2 - when: not os_firewall_use_firewalld | default(True) | bool +# These tasks dispatch to the proper set of docker tasks based on the +# inventory:openshift_docker_use_system_container variable - include: udev_workaround.yml when: docker_udev_workaround | default(False) | bool -- stat: path=/etc/sysconfig/docker - register: docker_check - -- name: Set registry params - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^{{ item.reg_conf_var }}=.*$' - line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'" - when: item.reg_fact_val != '' and docker_check.stat.isreg is defined and docker_check.stat.isreg - with_items: - - reg_conf_var: ADD_REGISTRY - reg_fact_val: "{{ docker_additional_registries | default(None, true)}}" - reg_flag: --add-registry - - reg_conf_var: BLOCK_REGISTRY - reg_fact_val: "{{ docker_blocked_registries| default(None, true) }}" - reg_flag: --block-registry - - reg_conf_var: INSECURE_REGISTRY - reg_fact_val: "{{ docker_insecure_registries| default(None, true) }}" - reg_flag: --insecure-registry - notify: - - restart docker +- name: Use Package Docker if Requested + include: package_docker.yml + when: openshift.docker.use_system_container is not defined or openshift.docker.use_system_container == False -- name: Set Proxy Settings - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^{{ item.reg_conf_var }}=.*$' - line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'" - state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}" - with_items: - - reg_conf_var: HTTP_PROXY - reg_fact_val: "{{ docker_http_proxy | default('') }}" - - reg_conf_var: HTTPS_PROXY - reg_fact_val: "{{ docker_https_proxy | default('') }}" - - reg_conf_var: NO_PROXY - reg_fact_val: "{{ docker_no_proxy | default('') }}" - notify: - - restart docker +- name: Use System Container Docker if Requested + include: systemcontainer_docker.yml when: - - docker_check.stat.isreg is defined and docker_check.stat.isreg and '"http_proxy" in openshift.common or "https_proxy" in openshift.common' - -- name: Set various Docker options - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^OPTIONS=.*$' - line: "OPTIONS='\ - {% if ansible_selinux.status | default(None) == '''enabled''' and docker_selinux_enabled | default(true) %} --selinux-enabled {% endif %}\ - {% if docker_log_driver is defined %} --log-driver {{ docker_log_driver }}{% endif %}\ - {% if docker_log_options is defined %} {{ docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\ - {% if docker_options is defined %} {{ docker_options }}{% endif %}\ - {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'" - when: docker_check.stat.isreg is defined and docker_check.stat.isreg - notify: - - restart docker - -- name: Start the Docker service - systemd: - name: docker - enabled: yes - state: started - daemon_reload: yes - register: start_result - -- set_fact: - docker_service_status_changed: start_result | changed - -- meta: flush_handlers + - openshift.docker.use_system_container is defined + - openshift.docker.use_system_container is True diff --git a/roles/docker/tasks/package_docker.yml b/roles/docker/tasks/package_docker.yml new file mode 100644 index 000000000..10fb5772c --- /dev/null +++ b/roles/docker/tasks/package_docker.yml @@ -0,0 +1,116 @@ +--- +- name: Get current installed Docker version + command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker" + when: not openshift.common.is_atomic | bool + register: curr_docker_version + changed_when: false + +- name: Error out if Docker pre-installed but too old + fail: + msg: "Docker {{ curr_docker_version.stdout }} is installed, but >= 1.9.1 is required." + when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.9.1', '<') and not docker_version is defined + +- name: Error out if requested Docker is too old + fail: + msg: "Docker {{ docker_version }} requested, but >= 1.9.1 is required." + when: docker_version is defined and docker_version | version_compare('1.9.1', '<') + +# If a docker_version was requested, sanity check that we can install or upgrade to it, and +# no downgrade is required. +- name: Fail if Docker version requested but downgrade is required + fail: + msg: "Docker {{ curr_docker_version.stdout }} is installed, but version {{ docker_version }} was requested." + when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and docker_version is defined and curr_docker_version.stdout | version_compare(docker_version, '>') + +# This involves an extremely slow migration process, users should instead run the +# Docker 1.10 upgrade playbook to accomplish this. +- name: Error out if attempting to upgrade Docker across the 1.10 boundary + fail: + msg: "Cannot upgrade Docker to >= 1.10, please upgrade or remove Docker manually, or use the Docker upgrade playbook if OpenShift is already installed." + when: not curr_docker_version | skipped and curr_docker_version.stdout != '' and curr_docker_version.stdout | version_compare('1.10', '<') and docker_version is defined and docker_version | version_compare('1.10', '>=') + +# Make sure Docker is installed, but does not update a running version. +# Docker upgrades are handled by a separate playbook. +- name: Install Docker + package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present + when: not openshift.common.is_atomic | bool + +- block: + # Extend the default Docker service unit file when using iptables-services + - name: Ensure docker.service.d directory exists + file: + path: "{{ docker_systemd_dir }}" + state: directory + + - name: Configure Docker service unit file + template: + dest: "{{ docker_systemd_dir }}/custom.conf" + src: custom.conf.j2 + when: not os_firewall_use_firewalld | default(True) | bool + +- stat: path=/etc/sysconfig/docker + register: docker_check + +- name: Set registry params + lineinfile: + dest: /etc/sysconfig/docker + regexp: '^{{ item.reg_conf_var }}=.*$' + line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'" + when: item.reg_fact_val != '' and docker_check.stat.isreg is defined and docker_check.stat.isreg + with_items: + - reg_conf_var: ADD_REGISTRY + reg_fact_val: "{{ docker_additional_registries | default(None, true)}}" + reg_flag: --add-registry + - reg_conf_var: BLOCK_REGISTRY + reg_fact_val: "{{ docker_blocked_registries| default(None, true) }}" + reg_flag: --block-registry + - reg_conf_var: INSECURE_REGISTRY + reg_fact_val: "{{ docker_insecure_registries| default(None, true) }}" + reg_flag: --insecure-registry + notify: + - restart docker + +- name: Set Proxy Settings + lineinfile: + dest: /etc/sysconfig/docker + regexp: '^{{ item.reg_conf_var }}=.*$' + line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val }}'" + state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}" + with_items: + - reg_conf_var: HTTP_PROXY + reg_fact_val: "{{ docker_http_proxy | default('') }}" + - reg_conf_var: HTTPS_PROXY + reg_fact_val: "{{ docker_https_proxy | default('') }}" + - reg_conf_var: NO_PROXY + reg_fact_val: "{{ docker_no_proxy | default('') }}" + notify: + - restart docker + when: + - docker_check.stat.isreg is defined and docker_check.stat.isreg and '"http_proxy" in openshift.common or "https_proxy" in openshift.common' + +- name: Set various Docker options + lineinfile: + dest: /etc/sysconfig/docker + regexp: '^OPTIONS=.*$' + line: "OPTIONS='\ + {% if ansible_selinux.status | default(None) == '''enabled''' and docker_selinux_enabled | default(true) %} --selinux-enabled {% endif %}\ + {% if docker_log_driver is defined %} --log-driver {{ docker_log_driver }}{% endif %}\ + {% if docker_log_options is defined %} {{ docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %}\ + {% if docker_options is defined %} {{ docker_options }}{% endif %}\ + {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %}'" + when: docker_check.stat.isreg is defined and docker_check.stat.isreg + notify: + - restart docker + +- name: Start the Docker service + systemd: + name: docker + enabled: yes + state: started + daemon_reload: yes + register: start_result + +- set_fact: + docker_service_status_changed: start_result | changed + +- meta: flush_handlers diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml new file mode 100644 index 000000000..6db95bf12 --- /dev/null +++ b/roles/docker/tasks/systemcontainer_docker.yml @@ -0,0 +1,135 @@ +--- +# If docker_options are provided we should fail. We should not install docker and ignore +# the users configuration. NOTE: docker_options == inventory:openshift_docker_options +- name: Fail quickly if openshift_docker_options are set + assert: + that: + - docker_options is defined + - docker_options != "" + msg: | + Docker via System Container does not allow for the use of the openshift_docker_options + variable. If you want to use openshift_docker_options you will need to use the + traditional docker package install. Otherwise, comment out openshift_docker_options + in your inventory file. + +# Used to pull and install the system container +- name: Ensure atomic is installed + package: + name: atomic + state: present + when: not openshift.common.is_atomic | bool + +# At the time of writing the atomic command requires runc for it's own use. This +# task is here in the even that the atomic package ever removes the dependency. +- name: Ensure runc is installed + package: + name: runc + state: present + when: not openshift.common.is_atomic | bool + +# If we are on atomic, set http_proxy and https_proxy in /etc/atomic.conf +- block: + + - name: Add http_proxy to /etc/atomic.conf + lineinfile: + path: /etc/atomic.conf + line: "http_proxy={{ openshift.common.http_proxy | default('') }}" + when: + - openshift.common.http_proxy is defined + - openshift.common.http_proxy != '' + + - name: Add https_proxy to /etc/atomic.conf + lineinfile: + path: /etc/atomic.conf + line: "https_proxy={{ openshift.common.https_proxy | default('') }}" + when: + - openshift.common.https_proxy is defined + - openshift.common.https_proxy != '' + + when: openshift.common.is_atomic | bool + + +- block: + + - name: Set to default prepend + set_fact: + l_docker_image_prepend: "gscrivano/" + + - name: Use Red Hat Registry for image when distribution is Red Hat + set_fact: + l_docker_image_prepend: "registry.access.redhat.com/openshift3/" + when: ansible_distribution == 'RedHat' + + - name: Use Fedora Registry for image when distribution is Fedora + set_fact: + l_docker_image_prepend: "registry.fedoraproject.org/" + when: ansible_distribution == 'Fedora' + + # For https://github.com/openshift/openshift-ansible/pull/4049#discussion_r114478504 + - name: Use a testing registry if requested + set_fact: + l_docker_image_prepend: "{{ openshift.docker.systemcontainer_image_registry_override }}/" + when: + - openshift.docker.systemcontainer_image_registry_override is defined + - openshift.docker.systemcontainer_image_registry_override != "" + + - name: Set the full image name + set_fact: + l_docker_image: "{{ l_docker_image_prepend }}container-engine-docker:latest" + +- name: Pre-pull Container Enginer System Container image + command: "atomic pull --storage ostree {{ l_docker_image }}" + changed_when: false + +# Make sure docker is disabled Errors are ignored as docker may not +# be installed. +- name: Disable Docker + systemd: + name: docker + enabled: no + state: stopped + daemon_reload: yes + ignore_errors: True + +- name: Ensure docker.service.d directory exists + file: + path: "{{ docker_systemd_dir }}" + state: directory + +- name: Ensure /etc/docker directory exists + file: + path: "{{ docker_conf_dir }}" + state: directory + +- name: Install Container Enginer System Container + oc_atomic_container: + name: container-engine-docker + image: "container-engine-docker" + state: latest + values: + - "system-package no" + +- name: Configure Container Engine Service File + template: + dest: "{{ docker_systemd_dir }}/custom.conf" + src: systemcontainercustom.conf.j2 + +# Configure container-engine using the daemon.json file +- name: Configure Container Engine + template: + dest: "{{ docker_conf }}/daemon.json" + src: daemon.json + +# Enable and start the container-engine service +- name: Start the Container Engine service + systemd: + name: "{{ openshift.docker.service_name }}" + enabled: yes + state: started + daemon_reload: yes + register: start_result + +- set_fact: + docker_service_status_changed: start_result | changed + +- meta: flush_handlers diff --git a/roles/docker/templates/daemon.json b/roles/docker/templates/daemon.json new file mode 100644 index 000000000..bd085d2be --- /dev/null +++ b/roles/docker/templates/daemon.json @@ -0,0 +1,64 @@ + +{ + "api-cors-header": "", + "authorization-plugins": ["rhel-push-plugin"], + "bip": "", + "bridge": "", + "cgroup-parent": "", + "cluster-store": "", + "cluster-store-opts": {}, + "cluster-advertise": "", + "debug": true, + "default-gateway": "", + "default-gateway-v6": "", + "default-runtime": "oci", + "containerd": "/var/run/containerd.sock", + "default-ulimits": {}, + "disable-legacy-registry": false, + "dns": [], + "dns-opts": [], + "dns-search": [], + "exec-opts": ["native.cgroupdriver=systemd"], + "exec-root": "", + "fixed-cidr": "", + "fixed-cidr-v6": "", + "graph": "", + "group": "", + "hosts": [], + "icc": false, + "insecure-registries": {{ docker_insecure_registries|default([]) }}, + "ip": "0.0.0.0", + "iptables": false, + "ipv6": false, + "ip-forward": false, + "ip-masq": false, + "labels": [], + "live-restore": true, + "log-driver": "{{ docker_log_driver }}", + "log-level": "", + "log-opts": {{ docker_log_options|default({}) }}, + "max-concurrent-downloads": 3, + "max-concurrent-uploads": 5, + "mtu": 0, + "oom-score-adjust": -500, + "pidfile": "", + "raw-logs": false, + "registry-mirrors": [], + "runtimes": { + "oci": { + "path": "/usr/libexec/docker/docker-runc-current" + } + }, + "selinux-enabled": {{ docker_selinux_enabled|default(true) }}, + "storage-driver": "", + "storage-opts": [], + "tls": true, + "tlscacert": "", + "tlscert": "", + "tlskey": "", + "tlsverify": true, + "userns-remap": "", + "add-registry": {{ docker_additional_registries|default([]) }}, + "blocked-registries": {{ docker_blocked_registries|defaukt([]) }}, + "userland-proxy-path": "/usr/libexec/docker/docker-proxy-current" +} diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2 new file mode 100644 index 000000000..a2cfed8a9 --- /dev/null +++ b/roles/docker/templates/systemcontainercustom.conf.j2 @@ -0,0 +1,17 @@ +# {{ ansible_managed }} + +[Service] +{%- if docker_http_proxy %} +ENVIRONMENT=HTTP_PROXY={{ docker_http_proxy }} +{%- endif -%} +{%- if docker_https_proxy %} +ENVIRONMENT=HTTPS_PROXY={{ docker_http_proxy }} +{%- endif -%} +{%- if docker_no_proxy %} +ENVIRONMENT=NO_PROXY={{ docker_no_proxy }} +{%- endif %} +{%- if os_firewall_use_firewalld|default(true) %} +[Unit] +Wants=iptables.service +After=iptables.service +{%- endif %} diff --git a/roles/docker/vars/main.yml b/roles/docker/vars/main.yml index 5237ed8f2..0082ded1e 100644 --- a/roles/docker/vars/main.yml +++ b/roles/docker/vars/main.yml @@ -1,3 +1,4 @@ --- -udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d docker_systemd_dir: /etc/systemd/system/docker.service.d +docker_conf_dir: /etc/docker/ +udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 35117225b..fa2f44609 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -120,7 +120,9 @@ enabled: yes register: start_result -- include: etcdctl.yml +- include_role: + name: etcd_common + tasks_from: etcdctl.yml when: openshift_etcd_etcdctl_profile | default(true) | bool - name: Set fact etcd_service_status_changed diff --git a/roles/etcd/tasks/etcdctl.yml b/roles/etcd_common/tasks/etcdctl.yml index 6cb456677..6cb456677 100644 --- a/roles/etcd/tasks/etcdctl.yml +++ b/roles/etcd_common/tasks/etcdctl.yml diff --git a/roles/etcd/templates/etcdctl.sh.j2 b/roles/etcd_common/templates/etcdctl.sh.j2 index ac7d9c72f..ac7d9c72f 100644 --- a/roles/etcd/templates/etcdctl.sh.j2 +++ b/roles/etcd_common/templates/etcdctl.sh.j2 diff --git a/roles/flannel/handlers/main.yml b/roles/flannel/handlers/main.yml index 94d1d18fb..c60c2115a 100644 --- a/roles/flannel/handlers/main.yml +++ b/roles/flannel/handlers/main.yml @@ -5,4 +5,6 @@ - name: restart docker become: yes - systemd: name=docker state=restarted + systemd: + name: "{{ openshift.docker.service_name }}" + state: restarted diff --git a/roles/lib_openshift/library/oc_adm_ca_server_cert.py b/roles/lib_openshift/library/oc_adm_ca_server_cert.py index 8a311cd0f..7039a0cec 100644 --- a/roles/lib_openshift/library/oc_adm_ca_server_cert.py +++ b/roles/lib_openshift/library/oc_adm_ca_server_cert.py @@ -1080,7 +1080,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_adm_manage_node.py b/roles/lib_openshift/library/oc_adm_manage_node.py index 0930faadb..ae5806137 100644 --- a/roles/lib_openshift/library/oc_adm_manage_node.py +++ b/roles/lib_openshift/library/oc_adm_manage_node.py @@ -1066,7 +1066,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_adm_policy_group.py b/roles/lib_openshift/library/oc_adm_policy_group.py index 6a7be65d0..36eb294a8 100644 --- a/roles/lib_openshift/library/oc_adm_policy_group.py +++ b/roles/lib_openshift/library/oc_adm_policy_group.py @@ -1052,7 +1052,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_adm_policy_user.py b/roles/lib_openshift/library/oc_adm_policy_user.py index 44923ecd2..bedd45922 100644 --- a/roles/lib_openshift/library/oc_adm_policy_user.py +++ b/roles/lib_openshift/library/oc_adm_policy_user.py @@ -1052,7 +1052,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_adm_registry.py b/roles/lib_openshift/library/oc_adm_registry.py index 3722f38b3..c6fa85f90 100644 --- a/roles/lib_openshift/library/oc_adm_registry.py +++ b/roles/lib_openshift/library/oc_adm_registry.py @@ -1170,7 +1170,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_adm_router.py b/roles/lib_openshift/library/oc_adm_router.py index bdcf94a58..8a4f93372 100644 --- a/roles/lib_openshift/library/oc_adm_router.py +++ b/roles/lib_openshift/library/oc_adm_router.py @@ -1195,7 +1195,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_clusterrole.py b/roles/lib_openshift/library/oc_clusterrole.py index af48ce636..d81c29784 100644 --- a/roles/lib_openshift/library/oc_clusterrole.py +++ b/roles/lib_openshift/library/oc_clusterrole.py @@ -1044,7 +1044,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_configmap.py b/roles/lib_openshift/library/oc_configmap.py index 385ed888b..bdcb3f278 100644 --- a/roles/lib_openshift/library/oc_configmap.py +++ b/roles/lib_openshift/library/oc_configmap.py @@ -1050,7 +1050,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_edit.py b/roles/lib_openshift/library/oc_edit.py index 649de547e..be1b3a01e 100644 --- a/roles/lib_openshift/library/oc_edit.py +++ b/roles/lib_openshift/library/oc_edit.py @@ -1094,7 +1094,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_env.py b/roles/lib_openshift/library/oc_env.py index 74bf63353..4ac6e4aeb 100644 --- a/roles/lib_openshift/library/oc_env.py +++ b/roles/lib_openshift/library/oc_env.py @@ -1061,7 +1061,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_group.py b/roles/lib_openshift/library/oc_group.py index 2dd3d28ec..b6f058340 100644 --- a/roles/lib_openshift/library/oc_group.py +++ b/roles/lib_openshift/library/oc_group.py @@ -1034,7 +1034,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_image.py b/roles/lib_openshift/library/oc_image.py index bb7f97689..c094c9472 100644 --- a/roles/lib_openshift/library/oc_image.py +++ b/roles/lib_openshift/library/oc_image.py @@ -1053,7 +1053,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_label.py b/roles/lib_openshift/library/oc_label.py index ec9abcda7..a76dd44c4 100644 --- a/roles/lib_openshift/library/oc_label.py +++ b/roles/lib_openshift/library/oc_label.py @@ -1070,7 +1070,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_obj.py b/roles/lib_openshift/library/oc_obj.py index 3abd50a2e..e12137b51 100644 --- a/roles/lib_openshift/library/oc_obj.py +++ b/roles/lib_openshift/library/oc_obj.py @@ -1073,7 +1073,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_objectvalidator.py b/roles/lib_openshift/library/oc_objectvalidator.py index bc5245216..aeb4e5686 100644 --- a/roles/lib_openshift/library/oc_objectvalidator.py +++ b/roles/lib_openshift/library/oc_objectvalidator.py @@ -1005,7 +1005,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_process.py b/roles/lib_openshift/library/oc_process.py index de5426c51..f7aa8c0d2 100644 --- a/roles/lib_openshift/library/oc_process.py +++ b/roles/lib_openshift/library/oc_process.py @@ -1062,7 +1062,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_project.py b/roles/lib_openshift/library/oc_project.py index 02cd810ce..b044a47ce 100644 --- a/roles/lib_openshift/library/oc_project.py +++ b/roles/lib_openshift/library/oc_project.py @@ -1059,7 +1059,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_pvc.py b/roles/lib_openshift/library/oc_pvc.py index a9103ebf6..8604cc2f3 100644 --- a/roles/lib_openshift/library/oc_pvc.py +++ b/roles/lib_openshift/library/oc_pvc.py @@ -1054,7 +1054,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_route.py b/roles/lib_openshift/library/oc_route.py index f005adffc..fef48daf0 100644 --- a/roles/lib_openshift/library/oc_route.py +++ b/roles/lib_openshift/library/oc_route.py @@ -1104,7 +1104,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_scale.py b/roles/lib_openshift/library/oc_scale.py index 9dcb38216..384df0ee3 100644 --- a/roles/lib_openshift/library/oc_scale.py +++ b/roles/lib_openshift/library/oc_scale.py @@ -1048,7 +1048,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_secret.py b/roles/lib_openshift/library/oc_secret.py index 2ac0abcec..443750c5d 100644 --- a/roles/lib_openshift/library/oc_secret.py +++ b/roles/lib_openshift/library/oc_secret.py @@ -1094,7 +1094,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_service.py b/roles/lib_openshift/library/oc_service.py index 0af695e08..7537bdb5b 100644 --- a/roles/lib_openshift/library/oc_service.py +++ b/roles/lib_openshift/library/oc_service.py @@ -1100,7 +1100,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_serviceaccount.py b/roles/lib_openshift/library/oc_serviceaccount.py index ba8a1fdac..03a4dd3b9 100644 --- a/roles/lib_openshift/library/oc_serviceaccount.py +++ b/roles/lib_openshift/library/oc_serviceaccount.py @@ -1046,7 +1046,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_serviceaccount_secret.py b/roles/lib_openshift/library/oc_serviceaccount_secret.py index 5bff7621c..db1010694 100644 --- a/roles/lib_openshift/library/oc_serviceaccount_secret.py +++ b/roles/lib_openshift/library/oc_serviceaccount_secret.py @@ -1046,7 +1046,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_user.py b/roles/lib_openshift/library/oc_user.py index 450a30f57..c3885c1ac 100644 --- a/roles/lib_openshift/library/oc_user.py +++ b/roles/lib_openshift/library/oc_user.py @@ -1106,7 +1106,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_version.py b/roles/lib_openshift/library/oc_version.py index 0937df5a1..5c4596c09 100644 --- a/roles/lib_openshift/library/oc_version.py +++ b/roles/lib_openshift/library/oc_version.py @@ -1018,7 +1018,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/library/oc_volume.py b/roles/lib_openshift/library/oc_volume.py index d0e7e77e1..5a507348c 100644 --- a/roles/lib_openshift/library/oc_volume.py +++ b/roles/lib_openshift/library/oc_volume.py @@ -1083,7 +1083,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/lib_openshift/src/lib/base.py b/roles/lib_openshift/src/lib/base.py index fc1b6f1ec..2bf795e25 100644 --- a/roles/lib_openshift/src/lib/base.py +++ b/roles/lib_openshift/src/lib/base.py @@ -256,7 +256,7 @@ class OpenShiftCLI(object): stdout, stderr = proc.communicate(input_data) - return proc.returncode, stdout.decode(), stderr.decode() + return proc.returncode, stdout.decode('utf-8'), stderr.decode('utf-8') # pylint: disable=too-many-arguments,too-many-branches def openshift_cmd(self, cmd, oadm=False, output=False, output_type='json', input_data=None): diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index ca0279426..7720136d1 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -59,7 +59,8 @@ def migrate_docker_facts(facts): 'additional_registries', 'insecure_registries', 'blocked_registries', - 'options' + 'options', + 'use_system_container', ), 'node': ( 'log_driver', @@ -1792,6 +1793,12 @@ def set_container_facts_if_unset(facts): deployer_image = 'openshift/origin-deployer' facts['common']['is_atomic'] = os.path.isfile('/run/ostree-booted') + # If openshift_docker_use_system_container is set and is True .... + if 'use_system_container' in list(facts['docker'].keys()): + if facts['docker']['use_system_container'] is True: + # ... set the service name to container-engine-docker + facts['docker']['service_name'] = 'container-engine-docker' + if 'is_containerized' not in facts['common']: facts['common']['is_containerized'] = facts['common']['is_atomic'] if 'cli_image' not in facts['common']: @@ -1911,14 +1918,16 @@ class OpenShiftFacts(object): ) self.role = role + # Collect system facts and preface each fact with 'ansible_'. try: - # ansible-2.1 # pylint: disable=too-many-function-args,invalid-name self.system_facts = ansible_facts(module, ['hardware', 'network', 'virtual', 'facter']) # noqa: F405 + additional_facts = {} for (k, v) in self.system_facts.items(): - self.system_facts["ansible_%s" % k.replace('-', '_')] = v + additional_facts["ansible_%s" % k.replace('-', '_')] = v + self.system_facts.update(additional_facts) except UnboundLocalError: - # ansible-2.2 + # ansible-2.2,2.3 self.system_facts = get_all_facts(module)['ansible_facts'] # noqa: F405 self.facts = self.generate_facts(local_facts, @@ -2072,6 +2081,7 @@ class OpenShiftFacts(object): hosted_registry_insecure = get_hosted_registry_insecure() if hosted_registry_insecure is not None: docker['hosted_registry_insecure'] = hosted_registry_insecure + docker['service_name'] = 'docker' defaults['docker'] = docker if 'clock' in roles: diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 42f4fc72e..cba0f2de8 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -91,8 +91,6 @@ same as above for their non-ops counterparts, but apply to the OPS cluster insta - `openshift_logging_es_ops_pvc_prefix`: logging-es-ops - `openshift_logging_es_ops_recover_after_time`: 5m - `openshift_logging_es_ops_storage_group`: 65534 -- `openshift_logging_es_ops_number_of_shards`: The number of primary shards for every new index created in ES. Defaults to '1'. -- `openshift_logging_es_ops_number_of_replicas`: The number of replica shards per primary shard for every new index. Defaults to '0'. - `openshift_logging_kibana_ops_hostname`: The Operations Kibana hostname. Defaults to 'kibana-ops.example.com'. - `openshift_logging_kibana_ops_cpu_limit`: The amount of CPU to allocate to Kibana or unset if not specified. - `openshift_logging_kibana_ops_memory_limit`: The amount of memory to allocate to Kibana or unset if not specified. diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index dbf5b4d3d..c05cc5f98 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -117,8 +117,6 @@ openshift_logging_es_ops_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_ openshift_logging_es_ops_recover_after_time: 5m openshift_logging_es_ops_storage_group: "{{ openshift_hosted_logging_elasticsearch_storage_group | default('65534') }}" openshift_logging_es_ops_nodeselector: "{{ openshift_hosted_logging_elasticsearch_ops_nodeselector | default('') | map_from_pairs }}" -openshift_logging_es_ops_number_of_shards: 1 -openshift_logging_es_ops_number_of_replicas: 0 # storage related defaults openshift_logging_storage_access_modes: "{{ openshift_hosted_logging_storage_access_modes | default(['ReadWriteOnce']) }}" diff --git a/roles/openshift_logging/tasks/generate_configmaps.yaml b/roles/openshift_logging/tasks/generate_configmaps.yaml index 44bd0058a..b047eb35a 100644 --- a/roles/openshift_logging/tasks/generate_configmaps.yaml +++ b/roles/openshift_logging/tasks/generate_configmaps.yaml @@ -21,6 +21,8 @@ dest="{{local_tmp.stdout}}/elasticsearch-gen-template.yml" vars: - allow_cluster_reader: "{{openshift_logging_es_ops_allow_cluster_reader | lower | default('false')}}" + - es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(1) }}" + - es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas | default(0) }}" when: es_config_contents is undefined changed_when: no diff --git a/roles/openshift_logging/tasks/install_elasticsearch.yaml b/roles/openshift_logging/tasks/install_elasticsearch.yaml index 878010eb0..29c866e08 100644 --- a/roles/openshift_logging/tasks/install_elasticsearch.yaml +++ b/roles/openshift_logging/tasks/install_elasticsearch.yaml @@ -20,8 +20,6 @@ es_pv_selector: "{{ openshift_logging_es_pv_selector }}" es_cpu_limit: "{{ openshift_logging_es_cpu_limit }}" es_memory_limit: "{{ openshift_logging_es_memory_limit }}" - es_number_of_shards: "{{ openshift_logging_es_number_of_shards }}" - es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas }}" with_together: - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.keys() }}" - "{{ openshift_logging_facts.elasticsearch.deploymentconfigs.values() }}" @@ -43,8 +41,6 @@ es_pv_selector: "{{ openshift_logging_es_pv_selector }}" es_cpu_limit: "{{ openshift_logging_es_cpu_limit }}" es_memory_limit: "{{ openshift_logging_es_memory_limit }}" - es_number_of_shards: "{{ openshift_logging_es_number_of_shards }}" - es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas }}" with_sequence: count={{ openshift_logging_es_cluster_size | int - openshift_logging_facts.elasticsearch.deploymentconfigs | count }} # --------- Tasks for Operation clusters --------- @@ -80,8 +76,6 @@ es_pv_selector: "{{ openshift_logging_es_ops_pv_selector }}" es_cpu_limit: "{{ openshift_logging_es_ops_cpu_limit }}" es_memory_limit: "{{ openshift_logging_es_ops_memory_limit }}" - es_number_of_shards: "{{ openshift_logging_es_ops_number_of_shards }}" - es_number_of_replicas: "{{ openshift_logging_es_ops_number_of_replicas }}" with_together: - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.keys() }}" - "{{ openshift_logging_facts.elasticsearch_ops.deploymentconfigs.values() }}" @@ -105,8 +99,6 @@ es_pv_selector: "{{ openshift_logging_es_ops_pv_selector }}" es_cpu_limit: "{{ openshift_logging_es_ops_cpu_limit }}" es_memory_limit: "{{ openshift_logging_es_ops_memory_limit }}" - es_number_of_shards: "{{ openshift_logging_es_ops_number_of_shards }}" - es_number_of_replicas: "{{ openshift_logging_es_ops_number_of_replicas }}" with_sequence: count={{ openshift_logging_es_ops_cluster_size | int - openshift_logging_facts.elasticsearch_ops.deploymentconfigs | count }} when: - openshift_logging_use_ops | bool diff --git a/roles/openshift_logging/tasks/set_es_storage.yaml b/roles/openshift_logging/tasks/set_es_storage.yaml index 198b1d04d..0bb4d5ee5 100644 --- a/roles/openshift_logging/tasks/set_es_storage.yaml +++ b/roles/openshift_logging/tasks/set_es_storage.yaml @@ -76,7 +76,5 @@ es_memory_limit: "{{ es_memory_limit }}" es_node_selector: "{{ es_node_selector }}" es_storage: "{{ openshift_logging_facts | es_storage( es_name, es_storage_claim ) }}" - es_number_of_shards: "{{ es_number_of_shards }}" - es_number_of_replicas: "{{ es_number_of_replicas }}" check_mode: no changed_when: no diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml index 506c8b129..58fabddeb 100644 --- a/roles/openshift_master/tasks/systemd_units.yml +++ b/roles/openshift_master/tasks/systemd_units.yml @@ -90,6 +90,7 @@ dest: /etc/sysconfig/{{ openshift.common.service_type }}-master-api line: "{{ item }}" with_items: "{{ master_api_aws.stdout_lines | default([]) }}" + no_log: True - name: Preserve Master Controllers Proxy Config options command: grep PROXY /etc/sysconfig/{{ openshift.common.service_type }}-master-controllers diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index d4c9a96ca..33a0af07f 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -64,10 +64,10 @@ --signer-key={{ openshift_ca_key }} --signer-serial={{ openshift_ca_serial }} --overwrite=false + when: inventory_hostname != openshift_ca_host with_items: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config']) - | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) - | difference([openshift_ca_host])}}" + | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}" delegate_to: "{{ openshift_ca_host }}" run_once: true @@ -94,8 +94,8 @@ creates: "{{ openshift_generated_configs_dir }}/master-{{ hostvars[item].openshift.common.hostname }}/openshift-master.kubeconfig" with_items: "{{ hostvars | oo_select_keys(groups['oo_masters_to_config']) - | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) - | difference([openshift_ca_host])}}" + | oo_collect(attribute='inventory_hostname', filters={'master_certs_missing':True}) }}" + when: inventory_hostname != openshift_ca_host delegate_to: "{{ openshift_ca_host }}" run_once: true diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 07b7eca33..fb4fe2f03 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -14,20 +14,22 @@ changed_when: no - name: generate password for hawkular metrics - local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}" + local_action: copy dest="{{ local_tmp.stdout }}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}" with_items: - hawkular-metrics +- local_action: slurp src="{{ local_tmp.stdout }}/hawkular-metrics.pwd" + register: hawkular_metrics_pwd + no_log: true + - name: generate htpasswd file for hawkular metrics - local_action: > - shell htpasswd -ci - '{{ local_tmp.stdout }}/hawkular-metrics.htpasswd' hawkular - < '{{ local_tmp.stdout }}/hawkular-metrics.pwd' + local_action: htpasswd path="{{ local_tmp.stdout }}/hawkular-metrics.htpasswd" name=hawkular password="{{ hawkular_metrics_pwd.content | b64decode }}" + no_log: true - name: copy local generated passwords to target copy: - src: "{{local_tmp.stdout}}/{{item}}" - dest: "{{mktemp.stdout}}/{{item}}" + src: "{{ local_tmp.stdout }}/{{ item }}" + dest: "{{ mktemp.stdout }}/{{ item }}" with_items: - hawkular-metrics.pwd - hawkular-metrics.htpasswd diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml index 1aa826c09..502f80434 100644 --- a/roles/openshift_node_certificates/handlers/main.yml +++ b/roles/openshift_node_certificates/handlers/main.yml @@ -6,6 +6,6 @@ - name: restart docker after updating ca trust systemd: - name: docker + name: "{{ openshift.docker.service_name }}" state: restarted when: not openshift_certificates_redeploy | default(false) | bool diff --git a/roles/openshift_node_upgrade/tasks/restart.yml b/roles/openshift_node_upgrade/tasks/restart.yml index a9fab74e1..e576228ba 100644 --- a/roles/openshift_node_upgrade/tasks/restart.yml +++ b/roles/openshift_node_upgrade/tasks/restart.yml @@ -6,7 +6,9 @@ # - openshift.master.api_port - name: Restart docker - service: name=docker state=restarted + service: + name: "{{ openshift.docker.service_name }}" + state: restarted - name: Update docker facts openshift_facts: diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index 84a0905cc..9a9436fcb 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml @@ -40,4 +40,21 @@ - openshift_deployment_type == 'origin' - openshift_enable_origin_repo | default(true) | bool + # Singleton block + - when: r_osr_first_run | default(true) + block: + - name: Ensure clean repo cache in the event repos have been changed manually + debug: + msg: "First run of openshift_repos" + changed_when: true + notify: refresh cache + + - name: Set fact r_osr_first_run false + set_fact: + r_osr_first_run: false + + # Force running ALL handlers now, because we expect repo cache to be cleared + # if changes have been made. + - meta: flush_handlers + when: not ostree_booted.stat.exists |