-rw-r--r--playbooks/common/openshift-cluster/config.yml4
-rw-r--r--playbooks/common/openshift-cluster/initialize_openshift_repos.yml8
-rw-r--r--playbooks/common/openshift-cluster/initialize_openshift_version.yml19
-rw-r--r--playbooks/common/openshift-cluster/std_include.yml4
-rw-r--r--playbooks/common/openshift-glusterfs/config.yml38
-rw-r--r--roles/etcd_common/meta/main.yml3
-rw-r--r--roles/lib_openshift/library/oc_obj.py11
-rw-r--r--roles/lib_openshift/library/oc_project.py3
-rw-r--r--roles/lib_openshift/src/class/oc_obj.py11
-rw-r--r--roles/lib_openshift/src/class/oc_project.py3
-rw-r--r--roles/nuage_node/tasks/iptables.yml6
-rw-r--r--roles/nuage_node/tasks/main.yaml4
-rw-r--r--roles/openshift_ca/meta/main.yml1
-rw-r--r--roles/openshift_cfme/defaults/main.yml5
-rw-r--r--roles/openshift_common/meta/main.yml1
-rw-r--r--roles/openshift_health_checker/library/rpm_version.py14
-rw-r--r--roles/openshift_health_checker/meta/main.yml3
-rw-r--r--roles/openshift_health_checker/openshift_checks/ovs_version.py4
-rw-r--r--roles/openshift_health_checker/test/ovs_version_test.py4
-rw-r--r--roles/openshift_health_checker/test/rpm_version_test.py6
-rw-r--r--roles/openshift_loadbalancer/meta/main.yml1
-rw-r--r--roles/openshift_logging_elasticsearch/defaults/main.yml3
-rw-r--r--roles/openshift_logging_elasticsearch/tasks/main.yaml7
-rw-r--r--roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j22
-rw-r--r--roles/openshift_logging_elasticsearch/vars/main.yml2
-rw-r--r--roles/openshift_master_cluster/meta/main.yml3
-rw-r--r--roles/openshift_storage_glusterfs/defaults/main.yml12
-rw-r--r--roles/openshift_storage_glusterfs/meta/main.yml2
-rw-r--r--roles/openshift_storage_glusterfs/tasks/firewall.yml40
-rw-r--r--roles/openshift_storage_nfs/meta/main.yml1
-rw-r--r--roles/openshift_version/meta/main.yml1
-rw-r--r--roles/os_firewall/meta/main.yml16
-rw-r--r--roles/os_firewall/tasks/firewalld.yml (renamed from roles/os_firewall/tasks/firewall/firewalld.yml)8
-rw-r--r--roles/os_firewall/tasks/iptables.yml (renamed from roles/os_firewall/tasks/firewall/iptables.yml)12
-rw-r--r--roles/os_firewall/tasks/main.yml25
35 files changed, 184 insertions, 103 deletions
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 14d7d9822..5d5497acb 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -22,6 +22,10 @@
- docker_image_availability
- docker_storage
+- include: initialize_firewall.yml
+ tags:
+ - always
+
- hosts: localhost
tasks:
- fail:
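Review bot: initialize_firewall.yml is now reached only through this include, while the std_include.yml hunk further down removes its include, so any entry point that goes through std_include.yml without config.yml presumably no longer runs the os_firewall role before the roles that add their own rules (openshift_storage_glusterfs/tasks/firewall.yml in this same commit expects the os_firewall_manage_iptables module and a running iptables service). If that is intended it deserves a comment here, since the firewall include previously sat next to the version include: `# initialize_firewall.yml runs from this playbook only; std_include.yml no longer includes it`. The `- fail:` task that follows is cut off by the hunk.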
diff --git a/playbooks/common/openshift-cluster/initialize_openshift_repos.yml b/playbooks/common/openshift-cluster/initialize_openshift_repos.yml
new file mode 100644
index 000000000..a7114fc80
--- /dev/null
+++ b/playbooks/common/openshift-cluster/initialize_openshift_repos.yml
@@ -0,0 +1,8 @@
+---
+- name: Setup yum repositories for all hosts
+ hosts: oo_all_hosts
+ gather_facts: no
+ tasks:
+ - name: initialize openshift repos
+ include_role:
+ name: openshift_repos
diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
index f4e52869e..7112a6084 100644
--- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml
+++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
@@ -1,24 +1,5 @@
---
# NOTE: requires openshift_facts be run
-- name: Verify compatible yum/subscription-manager combination
- hosts: oo_all_hosts
- gather_facts: no
- tasks:
- # See:
- # https://bugzilla.redhat.com/show_bug.cgi?id=1395047
- # https://bugzilla.redhat.com/show_bug.cgi?id=1282961
- # https://github.com/openshift/openshift-ansible/issues/1138
- # Consider the repoquery module for this work
- - name: Check for bad combinations of yum and subscription-manager
- command: >
- {{ repoquery_cmd }} --installed --qf '%{version}' "yum"
- register: yum_ver_test
- changed_when: false
- when: not openshift.common.is_atomic | bool
- - fail:
- msg: Incompatible versions of yum and subscription-manager found. You may need to update yum and yum-utils.
- when: not openshift.common.is_atomic | bool and 'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout
-
- name: Determine openshift_version to configure on first master
hosts: oo_first_master
roles:
diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml
index eab16aba0..6cc56889a 100644
--- a/playbooks/common/openshift-cluster/std_include.yml
+++ b/playbooks/common/openshift-cluster/std_include.yml
@@ -11,10 +11,10 @@
tags:
- node
-- include: initialize_openshift_version.yml
+- include: initialize_openshift_repos.yml
tags:
- always
-- include: initialize_firewall.yml
+- include: initialize_openshift_version.yml
tags:
- always
diff --git a/playbooks/common/openshift-glusterfs/config.yml b/playbooks/common/openshift-glusterfs/config.yml
index edc15a3f2..d9de578f3 100644
--- a/playbooks/common/openshift-glusterfs/config.yml
+++ b/playbooks/common/openshift-glusterfs/config.yml
@@ -1,40 +1,26 @@
---
- name: Open firewall ports for GlusterFS nodes
hosts: glusterfs
- vars:
- os_firewall_allow:
- - service: glusterfs_sshd
- port: "2222/tcp"
- - service: glusterfs_daemon
- port: "24007/tcp"
- - service: glusterfs_management
- port: "24008/tcp"
- - service: glusterfs_bricks
- port: "49152-49251/tcp"
- roles:
- - role: os_firewall
+ tasks:
+ - include_role:
+ name: openshift_storage_glusterfs
+ tasks_from: firewall.yml
when:
- openshift_storage_glusterfs_is_native | default(True) | bool
- name: Open firewall ports for GlusterFS registry nodes
hosts: glusterfs_registry
- vars:
- os_firewall_allow:
- - service: glusterfs_sshd
- port: "2222/tcp"
- - service: glusterfs_daemon
- port: "24007/tcp"
- - service: glusterfs_management
- port: "24008/tcp"
- - service: glusterfs_bricks
- port: "49152-49251/tcp"
- roles:
- - role: os_firewall
+ tasks:
+ - include_role:
+ name: openshift_storage_glusterfs
+ tasks_from: firewall.yml
when:
- openshift_storage_glusterfs_registry_is_native | default(True) | bool
- name: Configure GlusterFS
hosts: oo_first_master
- roles:
- - role: openshift_storage_glusterfs
+ tasks:
+ - name: setup glusterfs
+ include_role:
+ name: openshift_storage_glusterfs
when: groups.oo_glusterfs_to_config | default([]) | count > 0
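Review bot: The glusterfs and glusterfs_registry plays no longer apply the os_firewall role, only the rule-adding tasks in openshift_storage_glusterfs/tasks/firewall.yml, so the iptables package install and service enable that os_firewall/tasks/iptables.yml performs do not happen in these plays any more. Unless initialize_firewall.yml (now included from openshift-cluster/config.yml in this commit) is guaranteed to have covered these groups first, the added rules land on hosts whose iptables service is not necessarily enabled and would presumably not be persisted across a reboot. A comment on the first play stating the assumption keeps this reviewable later: `# assumes os_firewall has already run on these hosts (via initialize_firewall.yml); only the GlusterFS rules are added here`.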
diff --git a/roles/etcd_common/meta/main.yml b/roles/etcd_common/meta/main.yml
index fb9280c9e..dfb1c7a2c 100644
--- a/roles/etcd_common/meta/main.yml
+++ b/roles/etcd_common/meta/main.yml
@@ -12,5 +12,4 @@ galaxy_info:
categories:
- cloud
- system
-dependencies:
-- { role: openshift_repos }
+dependencies: []
diff --git a/roles/lib_openshift/library/oc_obj.py b/roles/lib_openshift/library/oc_obj.py
index 9b0c0e0e4..7d9392af9 100644
--- a/roles/lib_openshift/library/oc_obj.py
+++ b/roles/lib_openshift/library/oc_obj.py
@@ -1478,7 +1478,16 @@ class OCObject(OpenShiftCLI):
if files:
return self._create(files[0])
- content['data'] = yaml.dump(content['data'])
+ # pylint: disable=no-member
+ # The purpose of this change is twofold:
+ # - we need a check to only use the ruamel specific dumper if ruamel is loaded
+ # - the dumper or the flow style change is needed so openshift is able to parse
+ # the resulting yaml, at least until gopkg.in/yaml.v2 is updated
+ if hasattr(yaml, 'RoundTripDumper'):
+ content['data'] = yaml.dump(content['data'], Dumper=yaml.RoundTripDumper)
+ else:
+ content['data'] = yaml.safe_dump(content['data'], default_flow_style=False)
+
content_file = Utils.create_tmp_files_from_contents(content)[0]
return self._create(content_file['path'])
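Review bot: The `# pylint: disable=no-member` on a line of its own applies to the rest of the enclosing block rather than to the single `yaml.RoundTripDumper` access it is meant for, so later genuine no-member mistakes in this method would be silenced; the identical lines appear again in the src/class/oc_obj.py hunk, which is presumably the source the library copy is generated from. Put the pragma on the one line that needs it: `content['data'] = yaml.dump(content['data'], Dumper=yaml.RoundTripDumper)  # pylint: disable=no-member`. The PyYAML branch moving from yaml.dump to yaml.safe_dump is a good change and worth naming in the comment: safe_dump refuses to emit python-specific tags, so the file handed to `oc` can never carry them. The enclosing method starts outside the hunk.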
diff --git a/roles/lib_openshift/library/oc_project.py b/roles/lib_openshift/library/oc_project.py
index a78bc06d2..bf65ef603 100644
--- a/roles/lib_openshift/library/oc_project.py
+++ b/roles/lib_openshift/library/oc_project.py
@@ -1657,6 +1657,9 @@ class OCProject(OpenShiftCLI):
# Create it here
api_rval = oadm_project.create()
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
# return the created object
api_rval = oadm_project.get()
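Review bot: The new returncode check covers only `create()`; the `oadm_project.get()` call on the next context line re-assigns api_rval and, from the visible lines, its return code is not tested before the result is handed back, so a failed get after a successful create would presumably be reported as success. The same lines appear in the src/class/oc_project.py hunk. If the code after the hunk does not already do it, mirror the new check there: `if api_rval['returncode'] != 0:` / `return {'failed': True, 'msg': api_rval}`. The enclosing function starts and ends outside the hunk.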
diff --git a/roles/lib_openshift/src/class/oc_obj.py b/roles/lib_openshift/src/class/oc_obj.py
index 5e423bea9..68f7818e4 100644
--- a/roles/lib_openshift/src/class/oc_obj.py
+++ b/roles/lib_openshift/src/class/oc_obj.py
@@ -50,7 +50,16 @@ class OCObject(OpenShiftCLI):
if files:
return self._create(files[0])
- content['data'] = yaml.dump(content['data'])
+ # pylint: disable=no-member
+ # The purpose of this change is twofold:
+ # - we need a check to only use the ruamel specific dumper if ruamel is loaded
+ # - the dumper or the flow style change is needed so openshift is able to parse
+ # the resulting yaml, at least until gopkg.in/yaml.v2 is updated
+ if hasattr(yaml, 'RoundTripDumper'):
+ content['data'] = yaml.dump(content['data'], Dumper=yaml.RoundTripDumper)
+ else:
+ content['data'] = yaml.safe_dump(content['data'], default_flow_style=False)
+
content_file = Utils.create_tmp_files_from_contents(content)[0]
return self._create(content_file['path'])
diff --git a/roles/lib_openshift/src/class/oc_project.py b/roles/lib_openshift/src/class/oc_project.py
index 9ad8111a8..298597067 100644
--- a/roles/lib_openshift/src/class/oc_project.py
+++ b/roles/lib_openshift/src/class/oc_project.py
@@ -156,6 +156,9 @@ class OCProject(OpenShiftCLI):
# Create it here
api_rval = oadm_project.create()
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
# return the created object
api_rval = oadm_project.get()
diff --git a/roles/nuage_node/tasks/iptables.yml b/roles/nuage_node/tasks/iptables.yml
index 847c8395d..95ee8643a 100644
--- a/roles/nuage_node/tasks/iptables.yml
+++ b/roles/nuage_node/tasks/iptables.yml
@@ -15,3 +15,9 @@
when: "'nuage-underlay-overlay' not in iptablesrules.stdout"
notify:
- save iptable rules
+
+- name: Allow docker daemon traffic from underlay to overlay
+ command: /sbin/iptables -t nat -A POSTROUTING ! -s {{ hostvars[groups.oo_first_master.0].openshift.master.sdn_cluster_network_cidr }} -o svc-pat-tap -j MASQUERADE -m comment --comment "nuage-docker-underlay-overlay"
+ when: "'nuage-docker-underlay-overlay' not in iptablesrules.stdout"
+ notify:
+ - save iptable rules
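Review bot: The idempotence guard `when: "'nuage-docker-underlay-overlay' not in iptablesrules.stdout"` relies on `iptablesrules`, registered outside this hunk, having been captured from the nat table; if that listing was taken without `-t nat`, the comment never appears in it and this `-A POSTROUTING` rule is appended again on every run. The task also assembles the rule as a command string with the cluster CIDR interpolated unquoted and reports changed whenever it runs. The `iptables` module expresses the same rule declaratively, is idempotent on its own and, as far as I recall, accepts `! ` negation in `source`, which removes the need for the stdout grep; the earlier task in this file could be converted the same way.
```yaml
- name: Allow docker daemon traffic from underlay to overlay
  iptables:
    table: nat
    chain: POSTROUTING
    source: "! {{ hostvars[groups.oo_first_master.0].openshift.master.sdn_cluster_network_cidr }}"
    out_interface: svc-pat-tap
    jump: MASQUERADE
    comment: nuage-docker-underlay-overlay
  notify:
    - save iptable rules
```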
diff --git a/roles/nuage_node/tasks/main.yaml b/roles/nuage_node/tasks/main.yaml
index 9cd743304..66d6ef4ca 100644
--- a/roles/nuage_node/tasks/main.yaml
+++ b/roles/nuage_node/tasks/main.yaml
@@ -11,6 +11,10 @@
become: yes
lineinfile: dest={{ vrs_config }} regexp=^ACTIVE_CONTROLLER line='ACTIVE_CONTROLLER={{ vsc_active_ip }}'
+- name: Set the K8S/OSE Cluster service CIDR
+ become: yes
+ lineinfile: dest={{ vrs_config }} regexp=^K8S_SERVICE_IPV4_SUBNET line='K8S_SERVICE_IPV4_SUBNET={{ k8s_cluster_service_cidr }}'
+
- name: Set the Standby Controller
become: yes
lineinfile: dest={{ vrs_config }} regexp=^STANDBY_CONTROLLER line='STANDBY_CONTROLLER={{ vsc_standby_ip }}'
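Review bot: The new task uses the `key=value` form for the `lineinfile` arguments, with a Jinja expression inside an unquoted `dest=` and nested quoting in `line='...'`, which is the form Ansible style guidance steers away from in favour of native YAML arguments; the neighbouring tasks share the style, so this is a file-wide point of style rather than a defect introduced here. `k8s_cluster_service_cidr` is not defined anywhere on this page, presumably a role default or inventory variable, worth confirming. Native-YAML form for the new task:
```yaml
- name: Set the K8S/OSE Cluster service CIDR
  become: true
  lineinfile:
    dest: "{{ vrs_config }}"
    regexp: '^K8S_SERVICE_IPV4_SUBNET'
    line: "K8S_SERVICE_IPV4_SUBNET={{ k8s_cluster_service_cidr }}"
```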
diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml
index 444c5b77e..dfbdf0cc7 100644
--- a/roles/openshift_ca/meta/main.yml
+++ b/roles/openshift_ca/meta/main.yml
@@ -13,6 +13,5 @@ galaxy_info:
- cloud
- system
dependencies:
-- role: openshift_repos
- role: openshift_cli
- role: openshift_named_certificates
diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml
index 27ed57703..393bee1f3 100644
--- a/roles/openshift_cfme/defaults/main.yml
+++ b/roles/openshift_cfme/defaults/main.yml
@@ -1,6 +1,7 @@
---
-# Namespace for the CFME project
-openshift_cfme_project: cfme
+# Namespace for the CFME project (Note: changed post-3.6 to use
+# reserved 'openshift-' namespace prefix)
+openshift_cfme_project: openshift-cfme
# Namespace/project description
openshift_cfme_project_description: ManageIQ - CloudForms Management Engine
# Basic user assigned the `admin` role for the project
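Review bot: Changing the default project from `cfme` to `openshift-cfme` silently orphans an existing deployment: a re-run with the new default creates a second project instead of managing the old one, and nothing on this page migrates anything between them. The comment should tell an existing install what to do, e.g. `# Existing installs created under 'cfme' must set openshift_cfme_project: cfme in their inventory (or migrate); the new default is not applied retroactively`.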
diff --git a/roles/openshift_common/meta/main.yml b/roles/openshift_common/meta/main.yml
index f1cf3e161..7cc95d8fa 100644
--- a/roles/openshift_common/meta/main.yml
+++ b/roles/openshift_common/meta/main.yml
@@ -13,4 +13,3 @@ galaxy_info:
- cloud
dependencies:
- role: openshift_facts
-- role: openshift_repos
diff --git a/roles/openshift_health_checker/library/rpm_version.py b/roles/openshift_health_checker/library/rpm_version.py
index 8ea223055..c24fbba3b 100644
--- a/roles/openshift_health_checker/library/rpm_version.py
+++ b/roles/openshift_health_checker/library/rpm_version.py
@@ -4,6 +4,7 @@ Ansible module for rpm-based systems determining existing package version inform
"""
from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.six import string_types
IMPORT_EXCEPTION = None
try:
@@ -82,11 +83,16 @@ def _check_pkg_versions(found_pkgs_dict, expected_pkgs_dict):
continue
found_versions = [_parse_version(version) for version in found_pkgs_dict[pkg_name]]
- expected_version = _parse_version(pkg["version"])
- if expected_version not in found_versions:
+
+ if isinstance(pkg["version"], string_types):
+ expected_versions = [_parse_version(pkg["version"])]
+ else:
+ expected_versions = [_parse_version(version) for version in pkg["version"]]
+
+ if not set(expected_versions) & set(found_versions):
invalid_pkg_versions[pkg_name] = {
"found_versions": found_versions,
- "required_version": expected_version,
+ "required_versions": expected_versions,
}
if not_found_pkgs:
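Review bot: The new `else` branch treats anything that is not a string as an iterable of versions, so an `expected_pkgs_dict` entry whose `version` arrived as a number (an unquoted `2.6` in YAML would presumably reach here as a float) raises a bare `TypeError` from the comprehension instead of a message naming the package. Make the accepted shapes explicit: `elif isinstance(pkg["version"], (list, tuple)):` for the list case, and an `else:` that raises `ValueError("version for {} must be a string or a list of strings".format(pkg_name))` (or whatever failure shape the module reports). The set intersection that follows also assumes `_parse_version` returns hashable values; that helper and the enclosing `_check_pkg_versions` both start outside the hunk.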
@@ -106,7 +112,7 @@ def _check_pkg_versions(found_pkgs_dict, expected_pkgs_dict):
"The following packages were found to be installed with an incorrect version: {}".format('\n'.join([
" \n{}\n Required version: {}\n Found versions: {}".format(
pkg_name,
- pkg["required_version"],
+ ', '.join(pkg["required_versions"]),
', '.join([version for version in pkg["found_versions"]]))
for pkg_name, pkg in invalid_pkg_versions.items()
]))
diff --git a/roles/openshift_health_checker/meta/main.yml b/roles/openshift_health_checker/meta/main.yml
index cd9b55902..bc8e7bdcf 100644
--- a/roles/openshift_health_checker/meta/main.yml
+++ b/roles/openshift_health_checker/meta/main.yml
@@ -1,4 +1,3 @@
---
dependencies:
- - role: openshift_facts
- - role: openshift_repos
+- role: openshift_facts
diff --git a/roles/openshift_health_checker/openshift_checks/ovs_version.py b/roles/openshift_health_checker/openshift_checks/ovs_version.py
index d5e55bc25..363c12def 100644
--- a/roles/openshift_health_checker/openshift_checks/ovs_version.py
+++ b/roles/openshift_health_checker/openshift_checks/ovs_version.py
@@ -16,8 +16,8 @@ class OvsVersion(NotContainerizedMixin, OpenShiftCheck):
tags = ["health"]
openshift_to_ovs_version = {
- "3.6": "2.6",
- "3.5": "2.6",
+ "3.6": ["2.6", "2.7"],
+ "3.5": ["2.6", "2.7"],
"3.4": "2.4",
}
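Review bot: The mapping now mixes a plain string for `"3.4"` with lists for `"3.5"` and `"3.6"`, so every consumer has to carry the string-or-list branch that the rpm_version.py hunk adds. One shape, `"3.4": ["2.4"],`, keeps the data self-describing and lets the isinstance branch go; the parametrized test in ovs_version_test.py would change accordingly. The class continues outside the hunk.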
diff --git a/roles/openshift_health_checker/test/ovs_version_test.py b/roles/openshift_health_checker/test/ovs_version_test.py
index b6acef5a6..e1bf29d2a 100644
--- a/roles/openshift_health_checker/test/ovs_version_test.py
+++ b/roles/openshift_health_checker/test/ovs_version_test.py
@@ -38,8 +38,8 @@ def test_invalid_openshift_release_format():
@pytest.mark.parametrize('openshift_release,expected_ovs_version', [
- ("3.5", "2.6"),
- ("3.6", "2.6"),
+ ("3.5", ["2.6", "2.7"]),
+ ("3.6", ["2.6", "2.7"]),
("3.4", "2.4"),
("3.3", "2.4"),
("1.0", "2.4"),
diff --git a/roles/openshift_health_checker/test/rpm_version_test.py b/roles/openshift_health_checker/test/rpm_version_test.py
index 2f09ef965..2c1bcf876 100644
--- a/roles/openshift_health_checker/test/rpm_version_test.py
+++ b/roles/openshift_health_checker/test/rpm_version_test.py
@@ -49,7 +49,7 @@ def test_check_pkg_found(pkgs, expect_not_found):
},
{
"eggs": {
- "required_version": "3.2",
+ "required_versions": ["3.2"],
"found_versions": ["3.3"],
}
}, # not the right version
@@ -61,11 +61,11 @@ def test_check_pkg_found(pkgs, expect_not_found):
},
{
"eggs": {
- "required_version": "3.2",
+ "required_versions": ["3.2"],
"found_versions": ["3.3", "1.2"],
},
"spam": {
- "required_version": "3.2",
+ "required_versions": ["3.2"],
"found_versions": ["3.1", "3.3"],
}
}, # not the right version
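Review bot: Every `required_versions` value in the updated cases is a single-element list, so the new multi-version path in `_check_pkg_versions` (a list in `pkg["version"]`, matched by set intersection) is not exercised by the visible cases. A case with `"version": ["3.2", "3.3"]` and found `["3.3"]` expected to pass, and one with found `["3.1"]` expected to report both entries in `required_versions`, would cover it. The input side of these parametrize entries is outside the hunk, so such a case may exist above.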
diff --git a/roles/openshift_loadbalancer/meta/main.yml b/roles/openshift_loadbalancer/meta/main.yml
index 073bdd94d..72298b599 100644
--- a/roles/openshift_loadbalancer/meta/main.yml
+++ b/roles/openshift_loadbalancer/meta/main.yml
@@ -12,4 +12,3 @@ galaxy_info:
dependencies:
- role: lib_os_firewall
- role: openshift_facts
-- role: openshift_repos
diff --git a/roles/openshift_logging_elasticsearch/defaults/main.yml b/roles/openshift_logging_elasticsearch/defaults/main.yml
index c0b5d394e..0690bf114 100644
--- a/roles/openshift_logging_elasticsearch/defaults/main.yml
+++ b/roles/openshift_logging_elasticsearch/defaults/main.yml
@@ -37,6 +37,9 @@ openshift_logging_elasticsearch_storage_group: '65534'
openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default('logging-es') }}"
+# config the es plugin to write kibana index based on the index mode
+openshift_logging_elasticsearch_kibana_index_mode: 'unique'
+
# this is used to determine if this is an operations deployment or a non-ops deployment
# simply used for naming purposes
openshift_logging_elasticsearch_ops_deployment: false
diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml
index aae23668a..5593fac3a 100644
--- a/roles/openshift_logging_elasticsearch/tasks/main.yaml
+++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml
@@ -102,6 +102,11 @@
delete_after: true
# configmap
+- assert:
+ that:
+ - openshift_logging_elasticsearch_kibana_index_mode in __kibana_index_modes
+ msg: "The openshift_logging_elasticsearch_kibana_index_mode '{{ openshift_logging_elasticsearch_kibana_index_mode }}' only supports one of: {{ __kibana_index_modes | join(', ') }}"
+
- template:
src: elasticsearch-logging.yml.j2
dest: "{{ tempdir }}/elasticsearch-logging.yml"
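Review bot: The new assert task has no `name:`, so a rejected value shows up in the play output only as an anonymous assert; give it one, `- name: Validate openshift_logging_elasticsearch_kibana_index_mode`. The check itself is worth keeping in front of the template step: the value is later emitted unquoted by elasticsearch.yml.j2 as `openshift.kibana.index.mode: ...`, and restricting it to `__kibana_index_modes` is what keeps an arbitrary inventory string from altering the rendered YAML. The `| default('unique')` added to `es_kibana_index_mode` in the second hunk is then redundant, since the assert has already failed on an undefined value.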
@@ -115,6 +120,8 @@
allow_cluster_reader: "{{ openshift_logging_elasticsearch_ops_allow_cluster_reader | lower | default('false') }}"
es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(1) }}"
es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas | default(0) }}"
+ es_kibana_index_mode: "{{ openshift_logging_elasticsearch_kibana_index_mode | default('unique') }}"
+
when: es_config_contents is undefined
changed_when: no
diff --git a/roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2 b/roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2
index 141967c33..0c06a7677 100644
--- a/roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2
@@ -53,6 +53,8 @@ openshift.searchguard:
openshift.operations.allow_cluster_reader: {{allow_cluster_reader | default (false)}}
+openshift.kibana.index.mode: {{es_kibana_index_mode | default('unique')}}
+
path:
data: /elasticsearch/persistent/${CLUSTER_NAME}/data
logs: /elasticsearch/${CLUSTER_NAME}/logs
diff --git a/roles/openshift_logging_elasticsearch/vars/main.yml b/roles/openshift_logging_elasticsearch/vars/main.yml
index 7a1f5048b..5b4b226e8 100644
--- a/roles/openshift_logging_elasticsearch/vars/main.yml
+++ b/roles/openshift_logging_elasticsearch/vars/main.yml
@@ -3,6 +3,8 @@ __latest_es_version: "3_5"
__allowed_es_versions: ["3_5", "3_6"]
__allowed_es_types: ["data-master", "data-client", "master", "client"]
+__kibana_index_modes: ["unique", "shared_ops"]
+
# TODO: integrate these
openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
es_node_quorum: "{{ openshift_logging_elasticsearch_replica_count | int/2 + 1 }}"
diff --git a/roles/openshift_master_cluster/meta/main.yml b/roles/openshift_master_cluster/meta/main.yml
index f2a67bc54..c452b165e 100644
--- a/roles/openshift_master_cluster/meta/main.yml
+++ b/roles/openshift_master_cluster/meta/main.yml
@@ -12,5 +12,4 @@ galaxy_info:
categories:
- cloud
- system
-dependencies:
-- { role: openshift_repos }
+dependencies: []
diff --git a/roles/openshift_storage_glusterfs/defaults/main.yml b/roles/openshift_storage_glusterfs/defaults/main.yml
index ff2c18812..a5887465e 100644
--- a/roles/openshift_storage_glusterfs/defaults/main.yml
+++ b/roles/openshift_storage_glusterfs/defaults/main.yml
@@ -52,3 +52,15 @@ openshift_storage_glusterfs_registry_heketi_ssh_port: "{{ openshift_storage_glus
openshift_storage_glusterfs_registry_heketi_ssh_user: "{{ openshift_storage_glusterfs_heketi_ssh_user }}"
openshift_storage_glusterfs_registry_heketi_ssh_sudo: "{{ openshift_storage_glusterfs_heketi_ssh_sudo }}"
openshift_storage_glusterfs_registry_heketi_ssh_keyfile: "{{ openshift_storage_glusterfs_heketi_ssh_keyfile | default(omit) }}"
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+r_openshift_storage_glusterfs_os_firewall_deny: []
+r_openshift_storage_glusterfs_os_firewall_allow:
+- service: glusterfs_sshd
+ port: "2222/tcp"
+- service: glusterfs_daemon
+ port: "24007/tcp"
+- service: glusterfs_management
+ port: "24008/tcp"
+- service: glusterfs_bricks
+ port: "49152-49251/tcp"
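Review bot: The two boolean defaults added here are named `r_openshift_master_firewall_enabled` and `r_openshift_master_use_firewalld`, but the new roles/openshift_storage_glusterfs/tasks/firewall.yml further down gates both of its blocks on `r_openshift_storage_glusterfs_firewall_enabled` and `r_openshift_storage_glusterfs_use_firewalld`, which nothing on this page defines, so the include errors on an undefined variable and the GlusterFS ports (2222, 24007, 24008, 49152-49251/tcp) are never opened. Rename the defaults to match, and consider deriving them from the os_firewall settings used in os_firewall/tasks/main.yml instead of hard-coding, so the role follows the host's actual firewall: `r_openshift_storage_glusterfs_firewall_enabled: "{{ os_firewall_enabled | default(true) }}"` and `r_openshift_storage_glusterfs_use_firewalld: "{{ os_firewall_use_firewalld | default(false) }}"`. The capitalised `True`/`False` would go with it, in line with the `true`/`false` used elsewhere in the commit.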
diff --git a/roles/openshift_storage_glusterfs/meta/main.yml b/roles/openshift_storage_glusterfs/meta/main.yml
index aab9851f9..0cdd33880 100644
--- a/roles/openshift_storage_glusterfs/meta/main.yml
+++ b/roles/openshift_storage_glusterfs/meta/main.yml
@@ -11,5 +11,5 @@ galaxy_info:
- 7
dependencies:
- role: openshift_hosted_facts
-- role: openshift_repos
- role: lib_openshift
+- role: lib_os_firewall
diff --git a/roles/openshift_storage_glusterfs/tasks/firewall.yml b/roles/openshift_storage_glusterfs/tasks/firewall.yml
new file mode 100644
index 000000000..09dcf1ef9
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and not r_openshift_storage_glusterfs_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"
+
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and r_openshift_storage_glusterfs_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"
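Review bot: The choice between the iptables block and the firewalld block is driven by `r_openshift_storage_glusterfs_use_firewalld`, a role-local variable with no visible link to the `os_firewall_use_firewalld` setting that os_firewall/tasks/main.yml uses to decide which firewall the host actually runs; if the two disagree, the GlusterFS rules are presumably written to the inactive backend and the ports stay closed without any task failing. Either derive the role variable from the os_firewall one in defaults, or assert agreement at the top of this file: `that: "(r_openshift_storage_glusterfs_use_firewalld | bool) == (os_firewall_use_firewalld | default(false) | bool)"`. Separately, the task named `Remove firewalld allow rules` iterates the deny list, so `Remove firewalld rules` would match its iptables counterpart.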
diff --git a/roles/openshift_storage_nfs/meta/main.yml b/roles/openshift_storage_nfs/meta/main.yml
index b360d0658..98f7c317e 100644
--- a/roles/openshift_storage_nfs/meta/main.yml
+++ b/roles/openshift_storage_nfs/meta/main.yml
@@ -12,4 +12,3 @@ galaxy_info:
dependencies:
- role: lib_os_firewall
- role: openshift_hosted_facts
-- role: openshift_repos
diff --git a/roles/openshift_version/meta/main.yml b/roles/openshift_version/meta/main.yml
index ca896addd..38b398343 100644
--- a/roles/openshift_version/meta/main.yml
+++ b/roles/openshift_version/meta/main.yml
@@ -12,7 +12,6 @@ galaxy_info:
categories:
- cloud
dependencies:
-- role: openshift_repos
- role: openshift_docker_facts
- role: docker
when: openshift.common.is_containerized | default(False) | bool and not skip_docker_role | default(False) | bool
diff --git a/roles/os_firewall/meta/main.yml b/roles/os_firewall/meta/main.yml
deleted file mode 100644
index dca5fc5ff..000000000
--- a/roles/os_firewall/meta/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-galaxy_info:
- author: Jason DeTiberus
- description: os_firewall
- company: Red Hat, Inc.
- license: Apache License, Version 2.0
- min_ansible_version: 2.2
- platforms:
- - name: EL
- versions:
- - 7
- categories:
- - system
-allow_duplicates: yes
-dependencies:
- - role: openshift_facts
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewalld.yml
index 2cc7af478..54430f402 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewalld.yml
@@ -1,4 +1,9 @@
---
+- name: Fail - Firewalld is not supported on Atomic Host
+ fail:
+ msg: "Firewalld is not supported on Atomic Host"
+ when: r_os_firewall_is_atomic | bool
+
- name: Install firewalld packages
package:
name: firewalld
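Review bot: The new fail task reads `r_os_firewall_is_atomic`, which is only produced by the `set_fact` in roles/os_firewall/tasks/main.yml; if this file is ever included on its own (for example via `include_role` with `tasks_from`), the guard errors on an undefined variable rather than reporting the unsupported combination. That is safe but opaque, so a comment should make the coupling explicit: `# r_os_firewall_is_atomic is set by tasks/main.yml (stat of /run/ostree-booted); this file is not meant to be included directly`. The same applies to `when: not r_os_firewall_is_atomic | bool` in the iptables.yml hunk.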
@@ -31,7 +36,8 @@
register: result
- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
- pause: seconds=10
+ pause:
+ seconds: 10
when: result | changed
- name: Restart polkitd
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/iptables.yml
index ccb3c4713..0af5abf38 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/iptables.yml
@@ -15,11 +15,13 @@
when: task_result | changed
- name: Install iptables packages
- package: name={{ item }} state=present
+ package:
+ name: "{{ item }}"
+ state: present
with_items:
- iptables
- iptables-services
- when: not openshift.common.is_atomic | bool
+ when: not r_os_firewall_is_atomic | bool
- name: Start and enable iptables service
systemd:
@@ -29,7 +31,11 @@
masked: no
daemon_reload: yes
register: result
+ delegate_to: "{{item}}"
+ run_once: true
+ with_items: "{{ ansible_play_hosts }}"
- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
- pause: seconds=10
+ pause:
+ seconds: 10
when: result | changed
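Review bot: Turning the iptables service start into a `run_once` loop that delegates to every host in `ansible_play_hosts` is not self-explanatory, and it makes the registered `result` a per-item list whose aggregate `changed` the pause below relies on, so a comment should state the intent before someone simplifies it away: `# Started from one host, target by target, so the ssh sessions of all hosts are not disturbed at once; the pause below covers the ssh drop the service start can cause` (the pause task's own name documents that drop). `"{{item}}"` would also read better as `"{{ item }}"`, matching the spacing used in the first hunk of this file, and `masked: no` / `daemon_reload: yes` could become `false` / `true` like the rest of the commit.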
diff --git a/roles/os_firewall/tasks/main.yml b/roles/os_firewall/tasks/main.yml
index 20efe5b0d..c477d386c 100644
--- a/roles/os_firewall/tasks/main.yml
+++ b/roles/os_firewall/tasks/main.yml
@@ -1,12 +1,19 @@
---
-- name: Assert - Do not use firewalld on Atomic Host
- assert:
- that: not os_firewall_use_firewalld | bool
- msg: "Firewalld is not supported on Atomic Host"
- when: openshift.common.is_atomic | bool
+- name: Detecting Atomic Host Operating System
+ stat:
+ path: /run/ostree-booted
+ register: r_os_firewall_ostree_booted
-- include: firewall/firewalld.yml
- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- name: Set fact r_os_firewall_is_atomic
+ set_fact:
+ r_os_firewall_is_atomic: "{{ r_os_firewall_ostree_booted.stat.exists }}"
-- include: firewall/iptables.yml
- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- include: firewalld.yml
+ when:
+ - os_firewall_enabled | bool
+ - os_firewall_use_firewalld | bool
+
+- include: iptables.yml
+ when:
+ - os_firewall_enabled | bool
+ - not os_firewall_use_firewalld | bool