summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--playbooks/byo/openshift-cluster/config.yml4
-rw-r--r--playbooks/byo/openshift-cluster/openshift-logging.yml6
-rw-r--r--playbooks/common/openshift-cluster/config.yml8
-rw-r--r--playbooks/common/openshift-cluster/initialize_openshift_repos.yml8
-rw-r--r--playbooks/common/openshift-cluster/initialize_openshift_version.yml19
-rw-r--r--playbooks/common/openshift-cluster/openshift_logging.yml2
-rw-r--r--playbooks/common/openshift-cluster/std_include.yml4
-rw-r--r--playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml14
l---------playbooks/common/openshift-cluster/upgrades/master_docker1
-rw-r--r--playbooks/common/openshift-cluster/validate_hostnames.yml15
-rw-r--r--playbooks/common/openshift-glusterfs/config.yml38
-rw-r--r--roles/calico/README.md20
-rw-r--r--roles/calico/defaults/main.yaml6
-rw-r--r--roles/calico_master/defaults/main.yaml4
-rw-r--r--roles/etcd_common/meta/main.yml3
-rw-r--r--roles/lib_openshift/library/oc_obj.py11
-rw-r--r--roles/lib_openshift/library/oc_project.py3
-rw-r--r--roles/lib_openshift/src/class/oc_obj.py11
-rw-r--r--roles/lib_openshift/src/class/oc_project.py3
-rw-r--r--roles/nuage_node/tasks/iptables.yml6
-rw-r--r--roles/nuage_node/tasks/main.yaml4
-rw-r--r--roles/nuage_node/templates/vsp-openshift.j22
-rw-r--r--roles/openshift_ca/meta/main.yml1
-rw-r--r--roles/openshift_cfme/defaults/main.yml5
-rw-r--r--roles/openshift_common/meta/main.yml1
-rw-r--r--roles/openshift_health_checker/library/rpm_version.py14
-rw-r--r--roles/openshift_health_checker/meta/main.yml3
-rw-r--r--roles/openshift_health_checker/openshift_checks/ovs_version.py4
-rw-r--r--roles/openshift_health_checker/test/ovs_version_test.py4
-rw-r--r--roles/openshift_health_checker/test/rpm_version_test.py6
-rw-r--r--roles/openshift_loadbalancer/meta/main.yml1
-rw-r--r--roles/openshift_logging_elasticsearch/defaults/main.yml3
-rw-r--r--roles/openshift_logging_elasticsearch/tasks/main.yaml7
-rw-r--r--roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j22
-rw-r--r--roles/openshift_logging_elasticsearch/vars/main.yml2
-rw-r--r--roles/openshift_master_cluster/meta/main.yml3
-rw-r--r--roles/openshift_storage_glusterfs/defaults/main.yml12
-rw-r--r--roles/openshift_storage_glusterfs/meta/main.yml2
-rw-r--r--roles/openshift_storage_glusterfs/tasks/firewall.yml40
-rw-r--r--roles/openshift_storage_nfs/meta/main.yml1
-rw-r--r--roles/openshift_version/meta/main.yml1
-rw-r--r--roles/os_firewall/meta/main.yml16
-rw-r--r--roles/os_firewall/tasks/firewalld.yml (renamed from roles/os_firewall/tasks/firewall/firewalld.yml)8
-rw-r--r--roles/os_firewall/tasks/iptables.yml (renamed from roles/os_firewall/tasks/firewall/iptables.yml)12
-rw-r--r--roles/os_firewall/tasks/main.yml25
45 files changed, 223 insertions, 142 deletions
diff --git a/playbooks/byo/openshift-cluster/config.yml b/playbooks/byo/openshift-cluster/config.yml
index c0978c6f6..acf5469bf 100644
--- a/playbooks/byo/openshift-cluster/config.yml
+++ b/playbooks/byo/openshift-cluster/config.yml
@@ -3,6 +3,10 @@
tags:
- always
+- include: ../../common/openshift-cluster/std_include.yml
+ tags:
+ - always
+
- include: ../../common/openshift-cluster/config.yml
vars:
openshift_cluster_id: "{{ cluster_id | default('default') }}"
diff --git a/playbooks/byo/openshift-cluster/openshift-logging.yml b/playbooks/byo/openshift-cluster/openshift-logging.yml
index 76f165c6d..bbec3a4c2 100644
--- a/playbooks/byo/openshift-cluster/openshift-logging.yml
+++ b/playbooks/byo/openshift-cluster/openshift-logging.yml
@@ -5,6 +5,12 @@
# currently supported method.
#
- include: initialize_groups.yml
+ tags:
+ - always
+
+- include: ../../common/openshift-cluster/std_include.yml
+ tags:
+ - always
- include: ../../common/openshift-cluster/openshift_logging.yml
vars:
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 14d7d9822..e1df71112 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -1,8 +1,4 @@
---
-- include: std_include.yml
- tags:
- - always
-
# TODO: refactor this into its own include
# and pass a variable for ctx
- name: Verify Requirements
@@ -22,6 +18,10 @@
- docker_image_availability
- docker_storage
+- include: initialize_firewall.yml
+ tags:
+ - always
+
- hosts: localhost
tasks:
- fail:
diff --git a/playbooks/common/openshift-cluster/initialize_openshift_repos.yml b/playbooks/common/openshift-cluster/initialize_openshift_repos.yml
new file mode 100644
index 000000000..a7114fc80
--- /dev/null
+++ b/playbooks/common/openshift-cluster/initialize_openshift_repos.yml
@@ -0,0 +1,8 @@
+---
+- name: Setup yum repositories for all hosts
+ hosts: oo_all_hosts
+ gather_facts: no
+ tasks:
+ - name: initialize openshift repos
+ include_role:
+ name: openshift_repos
diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
index f4e52869e..7112a6084 100644
--- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml
+++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml
@@ -1,24 +1,5 @@
---
# NOTE: requires openshift_facts be run
-- name: Verify compatible yum/subscription-manager combination
- hosts: oo_all_hosts
- gather_facts: no
- tasks:
- # See:
- # https://bugzilla.redhat.com/show_bug.cgi?id=1395047
- # https://bugzilla.redhat.com/show_bug.cgi?id=1282961
- # https://github.com/openshift/openshift-ansible/issues/1138
- # Consider the repoquery module for this work
- - name: Check for bad combinations of yum and subscription-manager
- command: >
- {{ repoquery_cmd }} --installed --qf '%{version}' "yum"
- register: yum_ver_test
- changed_when: false
- when: not openshift.common.is_atomic | bool
- - fail:
- msg: Incompatible versions of yum and subscription-manager found. You may need to update yum and yum-utils.
- when: not openshift.common.is_atomic | bool and 'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout
-
- name: Determine openshift_version to configure on first master
hosts: oo_first_master
roles:
diff --git a/playbooks/common/openshift-cluster/openshift_logging.yml b/playbooks/common/openshift-cluster/openshift_logging.yml
index c5f0c406a..c1a5d83cd 100644
--- a/playbooks/common/openshift-cluster/openshift_logging.yml
+++ b/playbooks/common/openshift-cluster/openshift_logging.yml
@@ -1,6 +1,4 @@
---
-- include: std_include.yml
-
- name: OpenShift Aggregated Logging
hosts: oo_first_master
roles:
diff --git a/playbooks/common/openshift-cluster/std_include.yml b/playbooks/common/openshift-cluster/std_include.yml
index eab16aba0..6cc56889a 100644
--- a/playbooks/common/openshift-cluster/std_include.yml
+++ b/playbooks/common/openshift-cluster/std_include.yml
@@ -11,10 +11,10 @@
tags:
- node
-- include: initialize_openshift_version.yml
+- include: initialize_openshift_repos.yml
tags:
- always
-- include: initialize_firewall.yml
+- include: initialize_openshift_version.yml
tags:
- always
diff --git a/playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml
deleted file mode 100644
index 9f7961614..000000000
--- a/playbooks/common/openshift-cluster/upgrades/containerized_node_upgrade.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-# This is a hack to allow us to use systemd_units.yml, but skip the handlers which
-# restart services. We will unconditionally restart all containerized services
-# because we have to unconditionally restart Docker:
-- set_fact:
- skip_node_svc_handlers: True
-
-- name: Update systemd units
- include: ../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version={{ openshift_image_tag }}
-
-# This is a no-op because of skip_node_svc_handlers, but lets us trigger it before end of
-# play when the node has already been marked schedulable again. (this would look strange
-# in logs otherwise)
-- meta: flush_handlers
diff --git a/playbooks/common/openshift-cluster/upgrades/master_docker b/playbooks/common/openshift-cluster/upgrades/master_docker
deleted file mode 120000
index 6aeca2842..000000000
--- a/playbooks/common/openshift-cluster/upgrades/master_docker
+++ /dev/null
@@ -1 +0,0 @@
-../../../../roles/openshift_master/templates/master_docker \ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/validate_hostnames.yml b/playbooks/common/openshift-cluster/validate_hostnames.yml
index 33fc5630f..be2e6a15a 100644
--- a/playbooks/common/openshift-cluster/validate_hostnames.yml
+++ b/playbooks/common/openshift-cluster/validate_hostnames.yml
@@ -1,17 +1,22 @@
---
-- name: Gather and set facts for node hosts
+- name: Validate node hostnames
hosts: oo_nodes_to_config
- roles:
- - openshift_facts
tasks:
- - shell:
+ - name: Query DNS for IP address of {{ openshift.common.hostname }}
+ shell:
getent ahostsv4 {{ openshift.common.hostname }} | head -n 1 | awk '{ print $1 }'
register: lookupip
changed_when: false
failed_when: false
- name: Warn user about bad openshift_hostname values
pause:
- prompt: "The hostname \"{{ openshift.common.hostname }}\" for \"{{ ansible_nodename }}\" doesn't resolve to an ip address owned by this host. Please set openshift_hostname variable to a hostname that when resolved on the host in question resolves to an IP address matching an interface on this host. This host will fail liveness checks for pods utilizing hostPorts, press ENTER to continue or CTRL-C to abort."
+ prompt:
+ The hostname {{ openshift.common.hostname }} for {{ ansible_nodename }}
+ doesn't resolve to an IP address owned by this host. Please set
+ openshift_hostname variable to a hostname that when resolved on the host
+ in question resolves to an IP address matching an interface on this
+ host. This host will fail liveness checks for pods utilizing hostPorts,
+ press ENTER to continue or CTRL-C to abort.
seconds: "{{ 10 if openshift_override_hostname_check | default(false) | bool else omit }}"
when:
- lookupip.stdout != '127.0.0.1'
diff --git a/playbooks/common/openshift-glusterfs/config.yml b/playbooks/common/openshift-glusterfs/config.yml
index edc15a3f2..d9de578f3 100644
--- a/playbooks/common/openshift-glusterfs/config.yml
+++ b/playbooks/common/openshift-glusterfs/config.yml
@@ -1,40 +1,26 @@
---
- name: Open firewall ports for GlusterFS nodes
hosts: glusterfs
- vars:
- os_firewall_allow:
- - service: glusterfs_sshd
- port: "2222/tcp"
- - service: glusterfs_daemon
- port: "24007/tcp"
- - service: glusterfs_management
- port: "24008/tcp"
- - service: glusterfs_bricks
- port: "49152-49251/tcp"
- roles:
- - role: os_firewall
+ tasks:
+ - include_role:
+ name: openshift_storage_glusterfs
+ tasks_from: firewall.yml
when:
- openshift_storage_glusterfs_is_native | default(True) | bool
- name: Open firewall ports for GlusterFS registry nodes
hosts: glusterfs_registry
- vars:
- os_firewall_allow:
- - service: glusterfs_sshd
- port: "2222/tcp"
- - service: glusterfs_daemon
- port: "24007/tcp"
- - service: glusterfs_management
- port: "24008/tcp"
- - service: glusterfs_bricks
- port: "49152-49251/tcp"
- roles:
- - role: os_firewall
+ tasks:
+ - include_role:
+ name: openshift_storage_glusterfs
+ tasks_from: firewall.yml
when:
- openshift_storage_glusterfs_registry_is_native | default(True) | bool
- name: Configure GlusterFS
hosts: oo_first_master
- roles:
- - role: openshift_storage_glusterfs
+ tasks:
+ - name: setup glusterfs
+ include_role:
+ name: openshift_storage_glusterfs
when: groups.oo_glusterfs_to_config | default([]) | count > 0
diff --git a/roles/calico/README.md b/roles/calico/README.md
index 9b9458bfa..65f66ebfa 100644
--- a/roles/calico/README.md
+++ b/roles/calico/README.md
@@ -6,12 +6,6 @@ Configure Calico components for the Master host.
* Ansible 2.2
-## Warning: This Calico Integration is in Alpha
-
-Calico shares the etcd instance used by OpenShift, and distributes client etcd certificates to each node.
-For this reason, **we do not (yet) recommend running Calico on any production-like
-cluster, or using it for any purpose besides early access testing.**
-
## Installation
To install, set the following inventory configuration parameters:
@@ -20,7 +14,19 @@ To install, set the following inventory configuration parameters:
* `openshift_use_openshift_sdn=False`
* `os_sdn_network_plugin_name='cni'`
-## Additional Calico/Node and Felix Configuration Options
+For more information, see [Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
+
+## Improving security with BYO-etcd
+
+By default, Calico uses the etcd set up by OpenShift. To accomplish this, it generates and distributes client etcd certificates to each node.
+Distributing these certs across the cluster in this way weakens the overall security,
+so Calico should not be deployed in production in this mode.
+
+Instead, Calico can be installed in BYO-etcd mode, where it connects to an externally
+set up etcd. For information on deploying Calico in BYO-etcd mode, see
+[Calico's official OpenShift Installation Documentation](https://docs.projectcalico.org/latest/getting-started/openshift/installation#bring-your-own-etcd)
+
+## Calico Configuration Options
Additional parameters that can be defined in the inventory are:
diff --git a/roles/calico/defaults/main.yaml b/roles/calico/defaults/main.yaml
index 207dee068..e7a9db92f 100644
--- a/roles/calico/defaults/main.yaml
+++ b/roles/calico/defaults/main.yaml
@@ -5,11 +5,11 @@ cni_conf_dir: "/etc/cni/net.d/"
cni_bin_dir: "/opt/cni/bin/"
cni_url: "https://github.com/containernetworking/cni/releases/download/v0.5.2/cni-amd64-v0.5.2.tgz"
-calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.8.3/calico"
-calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.8.3/calico-ipam"
+calico_url_cni: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico"
+calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/v1.10.0/calico-ipam"
calico_ipv4pool_ipip: "always"
calico_ipv4pool_cidr: "192.168.0.0/16"
calico_log_dir: "/var/log/calico"
-calico_node_image: "calico/node:v1.2.1"
+calico_node_image: "calico/node:v2.4.1"
diff --git a/roles/calico_master/defaults/main.yaml b/roles/calico_master/defaults/main.yaml
index b2df0105f..d40286aba 100644
--- a/roles/calico_master/defaults/main.yaml
+++ b/roles/calico_master/defaults/main.yaml
@@ -3,5 +3,5 @@ kubeconfig: "{{ openshift.common.config_base }}/master/openshift-master.kubeconf
calicoctl_bin_dir: "/usr/local/bin/"
-calico_url_calicoctl: "https://github.com/projectcalico/calicoctl/releases/download/v1.1.3/calicoctl"
-calico_url_policy_controller: "quay.io/calico/kube-policy-controller:v0.5.4"
+calico_url_calicoctl: "https://github.com/projectcalico/calicoctl/releases/download/v1.4.0/calicoctl"
+calico_url_policy_controller: "quay.io/calico/kube-policy-controller:v0.7.0"
diff --git a/roles/etcd_common/meta/main.yml b/roles/etcd_common/meta/main.yml
index fb9280c9e..dfb1c7a2c 100644
--- a/roles/etcd_common/meta/main.yml
+++ b/roles/etcd_common/meta/main.yml
@@ -12,5 +12,4 @@ galaxy_info:
categories:
- cloud
- system
-dependencies:
-- { role: openshift_repos }
+dependencies: []
diff --git a/roles/lib_openshift/library/oc_obj.py b/roles/lib_openshift/library/oc_obj.py
index 9b0c0e0e4..7d9392af9 100644
--- a/roles/lib_openshift/library/oc_obj.py
+++ b/roles/lib_openshift/library/oc_obj.py
@@ -1478,7 +1478,16 @@ class OCObject(OpenShiftCLI):
if files:
return self._create(files[0])
- content['data'] = yaml.dump(content['data'])
+ # pylint: disable=no-member
+ # The purpose of this change is twofold:
+ # - we need a check to only use the ruamel specific dumper if ruamel is loaded
+ # - the dumper or the flow style change is needed so openshift is able to parse
+ # the resulting yaml, at least until gopkg.in/yaml.v2 is updated
+ if hasattr(yaml, 'RoundTripDumper'):
+ content['data'] = yaml.dump(content['data'], Dumper=yaml.RoundTripDumper)
+ else:
+ content['data'] = yaml.safe_dump(content['data'], default_flow_style=False)
+
content_file = Utils.create_tmp_files_from_contents(content)[0]
return self._create(content_file['path'])
diff --git a/roles/lib_openshift/library/oc_project.py b/roles/lib_openshift/library/oc_project.py
index a78bc06d2..bf65ef603 100644
--- a/roles/lib_openshift/library/oc_project.py
+++ b/roles/lib_openshift/library/oc_project.py
@@ -1657,6 +1657,9 @@ class OCProject(OpenShiftCLI):
# Create it here
api_rval = oadm_project.create()
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
# return the created object
api_rval = oadm_project.get()
diff --git a/roles/lib_openshift/src/class/oc_obj.py b/roles/lib_openshift/src/class/oc_obj.py
index 5e423bea9..68f7818e4 100644
--- a/roles/lib_openshift/src/class/oc_obj.py
+++ b/roles/lib_openshift/src/class/oc_obj.py
@@ -50,7 +50,16 @@ class OCObject(OpenShiftCLI):
if files:
return self._create(files[0])
- content['data'] = yaml.dump(content['data'])
+ # pylint: disable=no-member
+ # The purpose of this change is twofold:
+ # - we need a check to only use the ruamel specific dumper if ruamel is loaded
+ # - the dumper or the flow style change is needed so openshift is able to parse
+ # the resulting yaml, at least until gopkg.in/yaml.v2 is updated
+ if hasattr(yaml, 'RoundTripDumper'):
+ content['data'] = yaml.dump(content['data'], Dumper=yaml.RoundTripDumper)
+ else:
+ content['data'] = yaml.safe_dump(content['data'], default_flow_style=False)
+
content_file = Utils.create_tmp_files_from_contents(content)[0]
return self._create(content_file['path'])
diff --git a/roles/lib_openshift/src/class/oc_project.py b/roles/lib_openshift/src/class/oc_project.py
index 9ad8111a8..298597067 100644
--- a/roles/lib_openshift/src/class/oc_project.py
+++ b/roles/lib_openshift/src/class/oc_project.py
@@ -156,6 +156,9 @@ class OCProject(OpenShiftCLI):
# Create it here
api_rval = oadm_project.create()
+ if api_rval['returncode'] != 0:
+ return {'failed': True, 'msg': api_rval}
+
# return the created object
api_rval = oadm_project.get()
diff --git a/roles/nuage_node/tasks/iptables.yml b/roles/nuage_node/tasks/iptables.yml
index 847c8395d..95ee8643a 100644
--- a/roles/nuage_node/tasks/iptables.yml
+++ b/roles/nuage_node/tasks/iptables.yml
@@ -15,3 +15,9 @@
when: "'nuage-underlay-overlay' not in iptablesrules.stdout"
notify:
- save iptable rules
+
+- name: Allow docker daemon traffic from underlay to overlay
+ command: /sbin/iptables -t nat -A POSTROUTING ! -s {{ hostvars[groups.oo_first_master.0].openshift.master.sdn_cluster_network_cidr }} -o svc-pat-tap -j MASQUERADE -m comment --comment "nuage-docker-underlay-overlay"
+ when: "'nuage-docker-underlay-overlay' not in iptablesrules.stdout"
+ notify:
+ - save iptable rules
diff --git a/roles/nuage_node/tasks/main.yaml b/roles/nuage_node/tasks/main.yaml
index 9cd743304..66d6ef4ca 100644
--- a/roles/nuage_node/tasks/main.yaml
+++ b/roles/nuage_node/tasks/main.yaml
@@ -11,6 +11,10 @@
become: yes
lineinfile: dest={{ vrs_config }} regexp=^ACTIVE_CONTROLLER line='ACTIVE_CONTROLLER={{ vsc_active_ip }}'
+- name: Set the K8S/OSE Cluster service CIDR
+ become: yes
+ lineinfile: dest={{ vrs_config }} regexp=^K8S_SERVICE_IPV4_SUBNET line='K8S_SERVICE_IPV4_SUBNET={{ k8s_cluster_service_cidr }}'
+
- name: Set the Standby Controller
become: yes
lineinfile: dest={{ vrs_config }} regexp=^STANDBY_CONTROLLER line='STANDBY_CONTROLLER={{ vsc_standby_ip }}'
diff --git a/roles/nuage_node/templates/vsp-openshift.j2 b/roles/nuage_node/templates/vsp-openshift.j2
index 9fab53906..f6bccebc2 100644
--- a/roles/nuage_node/templates/vsp-openshift.j2
+++ b/roles/nuage_node/templates/vsp-openshift.j2
@@ -9,7 +9,7 @@ enterpriseName: {{ enterprise }}
# Name of the domain in which pods will reside
domainName: {{ domain }}
# Name of the VSD user in admin group
-vsdUser: {{ vsduser }}
+vsdUser: {{ vsd_user }}
# IP address and port number of master API server
masterApiServer: {{ api_server }}
# REST server URL
diff --git a/roles/openshift_ca/meta/main.yml b/roles/openshift_ca/meta/main.yml
index 444c5b77e..dfbdf0cc7 100644
--- a/roles/openshift_ca/meta/main.yml
+++ b/roles/openshift_ca/meta/main.yml
@@ -13,6 +13,5 @@ galaxy_info:
- cloud
- system
dependencies:
-- role: openshift_repos
- role: openshift_cli
- role: openshift_named_certificates
diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml
index 27ed57703..393bee1f3 100644
--- a/roles/openshift_cfme/defaults/main.yml
+++ b/roles/openshift_cfme/defaults/main.yml
@@ -1,6 +1,7 @@
---
-# Namespace for the CFME project
-openshift_cfme_project: cfme
+# Namespace for the CFME project (Note: changed post-3.6 to use
+# reserved 'openshift-' namespace prefix)
+openshift_cfme_project: openshift-cfme
# Namespace/project description
openshift_cfme_project_description: ManageIQ - CloudForms Management Engine
# Basic user assigned the `admin` role for the project
diff --git a/roles/openshift_common/meta/main.yml b/roles/openshift_common/meta/main.yml
index f1cf3e161..7cc95d8fa 100644
--- a/roles/openshift_common/meta/main.yml
+++ b/roles/openshift_common/meta/main.yml
@@ -13,4 +13,3 @@ galaxy_info:
- cloud
dependencies:
- role: openshift_facts
-- role: openshift_repos
diff --git a/roles/openshift_health_checker/library/rpm_version.py b/roles/openshift_health_checker/library/rpm_version.py
index 8ea223055..c24fbba3b 100644
--- a/roles/openshift_health_checker/library/rpm_version.py
+++ b/roles/openshift_health_checker/library/rpm_version.py
@@ -4,6 +4,7 @@ Ansible module for rpm-based systems determining existing package version inform
"""
from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.six import string_types
IMPORT_EXCEPTION = None
try:
@@ -82,11 +83,16 @@ def _check_pkg_versions(found_pkgs_dict, expected_pkgs_dict):
continue
found_versions = [_parse_version(version) for version in found_pkgs_dict[pkg_name]]
- expected_version = _parse_version(pkg["version"])
- if expected_version not in found_versions:
+
+ if isinstance(pkg["version"], string_types):
+ expected_versions = [_parse_version(pkg["version"])]
+ else:
+ expected_versions = [_parse_version(version) for version in pkg["version"]]
+
+ if not set(expected_versions) & set(found_versions):
invalid_pkg_versions[pkg_name] = {
"found_versions": found_versions,
- "required_version": expected_version,
+ "required_versions": expected_versions,
}
if not_found_pkgs:
@@ -106,7 +112,7 @@ def _check_pkg_versions(found_pkgs_dict, expected_pkgs_dict):
"The following packages were found to be installed with an incorrect version: {}".format('\n'.join([
" \n{}\n Required version: {}\n Found versions: {}".format(
pkg_name,
- pkg["required_version"],
+ ', '.join(pkg["required_versions"]),
', '.join([version for version in pkg["found_versions"]]))
for pkg_name, pkg in invalid_pkg_versions.items()
]))
diff --git a/roles/openshift_health_checker/meta/main.yml b/roles/openshift_health_checker/meta/main.yml
index cd9b55902..bc8e7bdcf 100644
--- a/roles/openshift_health_checker/meta/main.yml
+++ b/roles/openshift_health_checker/meta/main.yml
@@ -1,4 +1,3 @@
---
dependencies:
- - role: openshift_facts
- - role: openshift_repos
+- role: openshift_facts
diff --git a/roles/openshift_health_checker/openshift_checks/ovs_version.py b/roles/openshift_health_checker/openshift_checks/ovs_version.py
index d5e55bc25..363c12def 100644
--- a/roles/openshift_health_checker/openshift_checks/ovs_version.py
+++ b/roles/openshift_health_checker/openshift_checks/ovs_version.py
@@ -16,8 +16,8 @@ class OvsVersion(NotContainerizedMixin, OpenShiftCheck):
tags = ["health"]
openshift_to_ovs_version = {
- "3.6": "2.6",
- "3.5": "2.6",
+ "3.6": ["2.6", "2.7"],
+ "3.5": ["2.6", "2.7"],
"3.4": "2.4",
}
diff --git a/roles/openshift_health_checker/test/ovs_version_test.py b/roles/openshift_health_checker/test/ovs_version_test.py
index b6acef5a6..e1bf29d2a 100644
--- a/roles/openshift_health_checker/test/ovs_version_test.py
+++ b/roles/openshift_health_checker/test/ovs_version_test.py
@@ -38,8 +38,8 @@ def test_invalid_openshift_release_format():
@pytest.mark.parametrize('openshift_release,expected_ovs_version', [
- ("3.5", "2.6"),
- ("3.6", "2.6"),
+ ("3.5", ["2.6", "2.7"]),
+ ("3.6", ["2.6", "2.7"]),
("3.4", "2.4"),
("3.3", "2.4"),
("1.0", "2.4"),
diff --git a/roles/openshift_health_checker/test/rpm_version_test.py b/roles/openshift_health_checker/test/rpm_version_test.py
index 2f09ef965..2c1bcf876 100644
--- a/roles/openshift_health_checker/test/rpm_version_test.py
+++ b/roles/openshift_health_checker/test/rpm_version_test.py
@@ -49,7 +49,7 @@ def test_check_pkg_found(pkgs, expect_not_found):
},
{
"eggs": {
- "required_version": "3.2",
+ "required_versions": ["3.2"],
"found_versions": ["3.3"],
}
}, # not the right version
@@ -61,11 +61,11 @@ def test_check_pkg_found(pkgs, expect_not_found):
},
{
"eggs": {
- "required_version": "3.2",
+ "required_versions": ["3.2"],
"found_versions": ["3.3", "1.2"],
},
"spam": {
- "required_version": "3.2",
+ "required_versions": ["3.2"],
"found_versions": ["3.1", "3.3"],
}
}, # not the right version
diff --git a/roles/openshift_loadbalancer/meta/main.yml b/roles/openshift_loadbalancer/meta/main.yml
index 073bdd94d..72298b599 100644
--- a/roles/openshift_loadbalancer/meta/main.yml
+++ b/roles/openshift_loadbalancer/meta/main.yml
@@ -12,4 +12,3 @@ galaxy_info:
dependencies:
- role: lib_os_firewall
- role: openshift_facts
-- role: openshift_repos
diff --git a/roles/openshift_logging_elasticsearch/defaults/main.yml b/roles/openshift_logging_elasticsearch/defaults/main.yml
index c0b5d394e..0690bf114 100644
--- a/roles/openshift_logging_elasticsearch/defaults/main.yml
+++ b/roles/openshift_logging_elasticsearch/defaults/main.yml
@@ -37,6 +37,9 @@ openshift_logging_elasticsearch_storage_group: '65534'
openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default('logging-es') }}"
+# config the es plugin to write kibana index based on the index mode
+openshift_logging_elasticsearch_kibana_index_mode: 'unique'
+
# this is used to determine if this is an operations deployment or a non-ops deployment
# simply used for naming purposes
openshift_logging_elasticsearch_ops_deployment: false
diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml
index aae23668a..5593fac3a 100644
--- a/roles/openshift_logging_elasticsearch/tasks/main.yaml
+++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml
@@ -102,6 +102,11 @@
delete_after: true
# configmap
+- assert:
+ that:
+ - openshift_logging_elasticsearch_kibana_index_mode in __kibana_index_modes
+ msg: "The openshift_logging_elasticsearch_kibana_index_mode '{{ openshift_logging_elasticsearch_kibana_index_mode }}' only supports one of: {{ __kibana_index_modes | join(', ') }}"
+
- template:
src: elasticsearch-logging.yml.j2
dest: "{{ tempdir }}/elasticsearch-logging.yml"
@@ -115,6 +120,8 @@
allow_cluster_reader: "{{ openshift_logging_elasticsearch_ops_allow_cluster_reader | lower | default('false') }}"
es_number_of_shards: "{{ openshift_logging_es_number_of_shards | default(1) }}"
es_number_of_replicas: "{{ openshift_logging_es_number_of_replicas | default(0) }}"
+ es_kibana_index_mode: "{{ openshift_logging_elasticsearch_kibana_index_mode | default('unique') }}"
+
when: es_config_contents is undefined
changed_when: no
diff --git a/roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2 b/roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2
index 141967c33..0c06a7677 100644
--- a/roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2
+++ b/roles/openshift_logging_elasticsearch/templates/elasticsearch.yml.j2
@@ -53,6 +53,8 @@ openshift.searchguard:
openshift.operations.allow_cluster_reader: {{allow_cluster_reader | default (false)}}
+openshift.kibana.index.mode: {{es_kibana_index_mode | default('unique')}}
+
path:
data: /elasticsearch/persistent/${CLUSTER_NAME}/data
logs: /elasticsearch/${CLUSTER_NAME}/logs
diff --git a/roles/openshift_logging_elasticsearch/vars/main.yml b/roles/openshift_logging_elasticsearch/vars/main.yml
index 7a1f5048b..5b4b226e8 100644
--- a/roles/openshift_logging_elasticsearch/vars/main.yml
+++ b/roles/openshift_logging_elasticsearch/vars/main.yml
@@ -3,6 +3,8 @@ __latest_es_version: "3_5"
__allowed_es_versions: ["3_5", "3_6"]
__allowed_es_types: ["data-master", "data-client", "master", "client"]
+__kibana_index_modes: ["unique", "shared_ops"]
+
# TODO: integrate these
openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
es_node_quorum: "{{ openshift_logging_elasticsearch_replica_count | int/2 + 1 }}"
diff --git a/roles/openshift_master_cluster/meta/main.yml b/roles/openshift_master_cluster/meta/main.yml
index f2a67bc54..c452b165e 100644
--- a/roles/openshift_master_cluster/meta/main.yml
+++ b/roles/openshift_master_cluster/meta/main.yml
@@ -12,5 +12,4 @@ galaxy_info:
categories:
- cloud
- system
-dependencies:
-- { role: openshift_repos }
+dependencies: []
diff --git a/roles/openshift_storage_glusterfs/defaults/main.yml b/roles/openshift_storage_glusterfs/defaults/main.yml
index ff2c18812..a5887465e 100644
--- a/roles/openshift_storage_glusterfs/defaults/main.yml
+++ b/roles/openshift_storage_glusterfs/defaults/main.yml
@@ -52,3 +52,15 @@ openshift_storage_glusterfs_registry_heketi_ssh_port: "{{ openshift_storage_glus
openshift_storage_glusterfs_registry_heketi_ssh_user: "{{ openshift_storage_glusterfs_heketi_ssh_user }}"
openshift_storage_glusterfs_registry_heketi_ssh_sudo: "{{ openshift_storage_glusterfs_heketi_ssh_sudo }}"
openshift_storage_glusterfs_registry_heketi_ssh_keyfile: "{{ openshift_storage_glusterfs_heketi_ssh_keyfile | default(omit) }}"
+r_openshift_master_firewall_enabled: True
+r_openshift_master_use_firewalld: False
+r_openshift_storage_glusterfs_os_firewall_deny: []
+r_openshift_storage_glusterfs_os_firewall_allow:
+- service: glusterfs_sshd
+ port: "2222/tcp"
+- service: glusterfs_daemon
+ port: "24007/tcp"
+- service: glusterfs_management
+ port: "24008/tcp"
+- service: glusterfs_bricks
+ port: "49152-49251/tcp"
diff --git a/roles/openshift_storage_glusterfs/meta/main.yml b/roles/openshift_storage_glusterfs/meta/main.yml
index aab9851f9..0cdd33880 100644
--- a/roles/openshift_storage_glusterfs/meta/main.yml
+++ b/roles/openshift_storage_glusterfs/meta/main.yml
@@ -11,5 +11,5 @@ galaxy_info:
- 7
dependencies:
- role: openshift_hosted_facts
-- role: openshift_repos
- role: lib_openshift
+- role: lib_os_firewall
diff --git a/roles/openshift_storage_glusterfs/tasks/firewall.yml b/roles/openshift_storage_glusterfs/tasks/firewall.yml
new file mode 100644
index 000000000..09dcf1ef9
--- /dev/null
+++ b/roles/openshift_storage_glusterfs/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and not r_openshift_storage_glusterfs_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"
+
+- when: r_openshift_storage_glusterfs_firewall_enabled | bool and r_openshift_storage_glusterfs_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_openshift_storage_glusterfs_os_firewall_deny }}"
diff --git a/roles/openshift_storage_nfs/meta/main.yml b/roles/openshift_storage_nfs/meta/main.yml
index b360d0658..98f7c317e 100644
--- a/roles/openshift_storage_nfs/meta/main.yml
+++ b/roles/openshift_storage_nfs/meta/main.yml
@@ -12,4 +12,3 @@ galaxy_info:
dependencies:
- role: lib_os_firewall
- role: openshift_hosted_facts
-- role: openshift_repos
diff --git a/roles/openshift_version/meta/main.yml b/roles/openshift_version/meta/main.yml
index ca896addd..38b398343 100644
--- a/roles/openshift_version/meta/main.yml
+++ b/roles/openshift_version/meta/main.yml
@@ -12,7 +12,6 @@ galaxy_info:
categories:
- cloud
dependencies:
-- role: openshift_repos
- role: openshift_docker_facts
- role: docker
when: openshift.common.is_containerized | default(False) | bool and not skip_docker_role | default(False) | bool
diff --git a/roles/os_firewall/meta/main.yml b/roles/os_firewall/meta/main.yml
deleted file mode 100644
index dca5fc5ff..000000000
--- a/roles/os_firewall/meta/main.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-galaxy_info:
- author: Jason DeTiberus
- description: os_firewall
- company: Red Hat, Inc.
- license: Apache License, Version 2.0
- min_ansible_version: 2.2
- platforms:
- - name: EL
- versions:
- - 7
- categories:
- - system
-allow_duplicates: yes
-dependencies:
- - role: openshift_facts
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewalld.yml
index 2cc7af478..54430f402 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewalld.yml
@@ -1,4 +1,9 @@
---
+- name: Fail - Firewalld is not supported on Atomic Host
+ fail:
+ msg: "Firewalld is not supported on Atomic Host"
+ when: r_os_firewall_is_atomic | bool
+
- name: Install firewalld packages
package:
name: firewalld
@@ -31,7 +36,8 @@
register: result
- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
- pause: seconds=10
+ pause:
+ seconds: 10
when: result | changed
- name: Restart polkitd
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/iptables.yml
index ccb3c4713..0af5abf38 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/iptables.yml
@@ -15,11 +15,13 @@
when: task_result | changed
- name: Install iptables packages
- package: name={{ item }} state=present
+ package:
+ name: "{{ item }}"
+ state: present
with_items:
- iptables
- iptables-services
- when: not openshift.common.is_atomic | bool
+ when: not r_os_firewall_is_atomic | bool
- name: Start and enable iptables service
systemd:
@@ -29,7 +31,11 @@
masked: no
daemon_reload: yes
register: result
+ delegate_to: "{{item}}"
+ run_once: true
+ with_items: "{{ ansible_play_hosts }}"
- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
- pause: seconds=10
+ pause:
+ seconds: 10
when: result | changed
diff --git a/roles/os_firewall/tasks/main.yml b/roles/os_firewall/tasks/main.yml
index 20efe5b0d..c477d386c 100644
--- a/roles/os_firewall/tasks/main.yml
+++ b/roles/os_firewall/tasks/main.yml
@@ -1,12 +1,19 @@
---
-- name: Assert - Do not use firewalld on Atomic Host
- assert:
- that: not os_firewall_use_firewalld | bool
- msg: "Firewalld is not supported on Atomic Host"
- when: openshift.common.is_atomic | bool
+- name: Detecting Atomic Host Operating System
+ stat:
+ path: /run/ostree-booted
+ register: r_os_firewall_ostree_booted
-- include: firewall/firewalld.yml
- when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
+- name: Set fact r_os_firewall_is_atomic
+ set_fact:
+ r_os_firewall_is_atomic: "{{ r_os_firewall_ostree_booted.stat.exists }}"
-- include: firewall/iptables.yml
- when: os_firewall_enabled | bool and not os_firewall_use_firewalld | bool
+- include: firewalld.yml
+ when:
+ - os_firewall_enabled | bool
+ - os_firewall_use_firewalld | bool
+
+- include: iptables.yml
+ when:
+ - os_firewall_enabled | bool
+ - not os_firewall_use_firewalld | bool