86 files changed, 592 insertions, 651 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index 9af073db8..259ab3192 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.7.0-0.118.0 ./
+3.7.0-0.123.0 ./
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index 9206d57fc..ad69bd587 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -380,45 +380,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # and is in the form of a list. If no data is passed then a default router will be # created. There are multiple combinations of router sharding. The one described # below supports routers on separate nodes. -#openshift_hosted_routers: -#- name: router1 -# stats_port: 1936 -# ports: -# - 80:80 -# - 443:443 -# replicas: 1 -# namespace: default -# serviceaccount: router -# selector: type=router1 -# images: "openshift3/ose-${component}:${version}" -# edits: [] -# certificate: -# certfile: /path/to/certificate/abc.crt -# keyfile: /path/to/certificate/abc.key -# cafile: /path/to/certificate/ca.crt -#- name: router2 -# stats_port: 1936 -# ports: -# - 80:80 -# - 443:443 -# replicas: 1 -# namespace: default -# serviceaccount: router -# selector: type=router2 -# images: "openshift3/ose-${component}:${version}" -# certificate: -# certfile: /path/to/certificate/xyz.crt -# keyfile: /path/to/certificate/xyz.key -# cafile: /path/to/certificate/ca.crt -# edits: -# # ROUTE_LABELS sets the router to listen for routes -# # tagged with the provided values -# - key: spec.template.spec.containers[0].env -# value: -# name: ROUTE_LABELS -# value: "route=external" -# action: append # +#openshift_hosted_routers=[{'name': 'router1', 'certificate': {'certfile': '/path/to/certificate/abc.crt', 'keyfile': '/path/to/certificate/abc.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router1', 'ports': ['80:80', '443:443']}, {'name': 'router2', 'certificate': {'certfile': '/path/to/certificate/xyz.crt', 'keyfile': '/path/to/certificate/xyz.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [{'action': 'append', 'key': 
'spec.template.spec.containers[0].env', 'value': {'name': 'ROUTE_LABELS', 'value': 'route=external'}}], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router2', 'ports': ['80:80', '443:443']}] + # OpenShift Registry Console Options # Override the console image prefix for enterprise deployments, not used in origin # default is "registry.access.redhat.com/openshift3/" and the image appended is "registry-console" diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index c55eb9b3f..b52806bc7 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example 
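Review bot: The ini rewrite of the `openshift_hosted_routers` example loses the one explanatory comment the YAML version had — that the ROUTE_LABELS edit makes the router listen for routes tagged with the provided values — and leaves a bare `# ` line where it stood; the hosts.ose.example hunk has the same loss. Because the whole example is now a single long line, a reader can no longer tell what the `spec.template.spec.containers[0].env` append on router2 is for. Suggest restoring the comment above the example, e.g. `# The ROUTE_LABELS env edit on router2 makes that router listen only for routes tagged with the provided value (route=external)`, and dropping the empty `# ` line.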
@@ -387,44 +387,8 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # and is in the form of a list. If no data is passed then a default router will be # created. There are multiple combinations of router sharding. The one described # below supports routers on separate nodes. -#openshift_hosted_routers: -#- name: router1 -# stats_port: 1936 -# ports: -# - 80:80 -# - 443:443 -# replicas: 1 -# namespace: default -# serviceaccount: router -# selector: type=router1 -# images: "openshift3/ose-${component}:${version}" -# edits: [] -# certificate: -# certfile: /path/to/certificate/abc.crt -# keyfile: /path/to/certificate/abc.key -# cafile: /path/to/certificate/ca.crt -#- name: router2 -# stats_port: 1936 -# ports: -# - 80:80 -# - 443:443 -# replicas: 1 -# namespace: default -# serviceaccount: router -# selector: type=router2 -# images: "openshift3/ose-${component}:${version}" -# certificate: -# certfile: /path/to/certificate/xyz.crt -# keyfile: /path/to/certificate/xyz.key -# cafile: /path/to/certificate/ca.crt -# edits: -# # ROUTE_LABELS sets the router to listen for routes -# # tagged with the provided values -# - key: spec.template.spec.containers[0].env -# value: -# name: ROUTE_LABELS -# value: "route=external" -# action: append +# +#openshift_hosted_routers=[{'name': 'router1', 'certificate': {'certfile': '/path/to/certificate/abc.crt', 'keyfile': '/path/to/certificate/abc.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router1', 'ports': ['80:80', '443:443']}, {'name': 'router2', 'certificate': {'certfile': '/path/to/certificate/xyz.crt', 'keyfile': '/path/to/certificate/xyz.key', 'cafile': '/path/to/certificate/ca.crt'}, 'replicas': 1, 'serviceaccount': 'router', 'namespace': 'default', 'stats_port': 1936, 'edits': [{'action': 'append', 'key': 
'spec.template.spec.containers[0].env', 'value': {'name': 'ROUTE_LABELS', 'value': 'route=external'}}], 'images': 'openshift3/ose-${component}:${version}', 'selector': 'type=router2', 'ports': ['80:80', '443:443']}] # OpenShift Registry Console Options # Override the console image prefix for enterprise deployments, not used in origin diff --git a/openshift-ansible.spec b/openshift-ansible.spec index 5ae1bf3d3..0692114d3 100644 --- a/openshift-ansible.spec +++ b/openshift-ansible.spec @@ -10,7 +10,7 @@ Name: openshift-ansible Version: 3.7.0 -Release: 0.118.0%{?dist} +Release: 0.123.0%{?dist} Summary: Openshift and Atomic Enterprise Ansible License: ASL 2.0 URL: https://github.com/openshift/openshift-ansible 
@@ -280,6 +280,41 @@ Atomic OpenShift Utilities includes %changelog +* Wed Aug 30 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.123.0 +- + +* Wed Aug 30 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.122.0 +- Update openshift_hosted_routers example to be in ini format. + (abutcher@redhat.com) +- Update calico to v2.5 (djosborne10@gmail.com) + +* Wed Aug 30 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.121.0 +- Revert "logging set memory request to limit" (sdodson@redhat.com) +- Move firewall install and fix scaleup playbooks (rteague@redhat.com) +- Fix group conditional requirements (rteague@redhat.com) +- Updating openshift_service_catalog to use oc_service over oc_obj to resolve + idempotency issues being seen from rerunning role (ewolinet@redhat.com) +- annotate the infra projects for logging to fix bz1480988 + (jcantril@redhat.com) +- docker_image_availability: timeout skopeo inspect (lmeyer@redhat.com) +- Fix scaleup on containerized installations (sdodson@redhat.com) +- bug 1480878. 
Default pvc for logging (jcantril@redhat.com) +- logging set memory request to limit (jcantril@redhat.com) +- openshift_cfme: add nfs directory support (fsimonce@redhat.com) + +* Tue Aug 29 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.120.0 +- Nuage changes to add custom mounts for atomic-openshift-node service + (rohan.s.parulekar@nuagenetworks.net) +- Add independent registry auth support (mgugino@redhat.com) +- roles: use openshift_use_crio (gscrivan@redhat.com) +- cri-o: change to system runc (gscrivan@redhat.com) +- cri-o: rename openshift_docker_use_crio to openshift_use_crio + (gscrivan@redhat.com) +- Remove unsupported playbooks and utilities (rteague@redhat.com) +- Updating default tag for enterprise installation for ASB + (ewolinet@redhat.com) +- Only validate certificates that are passed to oc_route (zgalor@redhat.com) + * Mon Aug 28 2017 Jenkins CD Merge Bot <smunilla@redhat.com> 3.7.0-0.118.0 - Fix origin metrics and logging container version (gevorg15@users.noreply.github.com) diff --git a/playbooks/aws/README.md b/playbooks/aws/README.md index c1793c505..0fb29ca06 100644 --- a/playbooks/aws/README.md +++ b/playbooks/aws/README.md @@ -34,6 +34,7 @@ Before any provisioning may occur, AWS account credentials must be present in th The newly added playbooks are the following: - build_ami.yml - provision.yml +- provision_nodes.yml The current expected work flow should be to provide the `vars.yml` file with the desired settings for cluster instances. These settings are AWS specific and should 
@@ -52,19 +53,6 @@ provision: # when creating an encrypted AMI please specify use_encryption use_encryption: False - yum_repositories: # this is an example repository but it requires sslclient info. Use a valid yum repository for openshift rpms - - name: openshift-repo - file: openshift-repo - description: OpenShift Builds - baseurl: https://mirror.openshift.com/enterprise/online-int/latest/x86_64/os/ - enabled: yes - gpgcheck: no - sslverify: no - # client cert and key required for this repository - sslclientcert: "/var/lib/yum/client-cert.pem" - sslclientkey: "/var/lib/yum/client-key.pem" - gpgkey: "https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted" - # for s3 registry backend openshift_registry_s3: True 
@@ -123,40 +111,11 @@ provision: ``` Repeat the following setup for the infra and compute node groups. This most likely - will not need editing but if further customization is required these parameters + will not need editing but if the install requires further customization then these parameters can be updated. #### Step 1 -Once the vars.yml file has been updated with the correct settings for the desired AWS account then we are ready to build an AMI. - -``` -$ ansible-playbook build_ami.yml -``` - -1. This script will build a VPC. Default name will be clusterid if not specified. -2. Create an ssh key required for the instance. -3. Create an instance. -4. Run some setup roles to ensure packages and services are correctly configured. -5. Create the AMI. -6. If encryption is desired - - A KMS key is created with the name of $clusterid - - An encrypted AMI will be produced with $clusterid KMS key -7. Terminate the instance used to configure the AMI. - -#### Step 2 - -Now that we have created an AMI for our Openshift installation, that AMI id needs to be placed in the `vars.yml` file. To do so update the following fields (The AMI can be captured from the output of the previous step or found in the ec2 console under AMIs): - -``` - # when creating an encrypted AMI please specify use_encryption - use_encryption: False # defaults to false -``` - -**Note**: If using encryption, specify with `use_encryption: True`. This will ensure to take the recently created AMI and encrypt it to be used later. If encryption is not desired then set the value to false. The AMI id will be fetched and used according to its most recent creation date. - -#### Step 3 - Create an openshift-ansible inventory file to use for a byo installation. The exception here is that there will be no hosts specified by the inventory file. Here is an example: ```ini 
@@ -171,10 +130,20 @@ nodes etcd [OSEv3:vars] -# cluster specific settings maybe be placed here +################################################################################ +# Ensure these variables are set for bootstrap +################################################################################ +openshift_master_bootstrap_enabled=True + openshift_hosted_router_wait=False openshift_hosted_registry_wait=False +# Repository for installation +openshift_additional_repos=[{'name': 'openshift-repo', 'id': 'openshift-repo', 'baseurl': 'https://mirror.openshift.com/enterprise/enterprise-3.6/latest/x86_64/os/', 'enabled': 'yes', 'gpgcheck': 0, 'sslverify': 'no', 'sslclientcert': '/var/lib/yum/client-cert.pem', 'sslclientkey': '/var/lib/yum/client-key.pem', 'gpgkey': 'https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted'}] + +################################################################################ +# cluster specific settings maybe be placed here + [masters] [etcd] 
@@ -184,12 +153,46 @@ openshift_hosted_registry_wait=False There are more examples of cluster inventory settings [`here`](../../inventory/byo/). +In order to create the bootstrapable AMI we need to create an openshift-ansible inventory file. This file enables us to create the AMI using the openshift-ansible node roles. + + +#### Step 2 + +Once the vars.yml file has been updated with the correct settings for the desired AWS account then we are ready to build an AMI. + +``` +$ ansible-playbook -i inventory.yml build_ami.yml +``` + +1. This script will build a VPC. Default name will be clusterid if not specified. +2. Create an ssh key required for the instance. +3. Create an instance. +4. Run some setup roles to ensure packages and services are correctly configured. +5. Create the AMI. +6. If encryption is desired + - A KMS key is created with the name of $clusterid + - An encrypted AMI will be produced with $clusterid KMS key +7. Terminate the instance used to configure the AMI. + + +#### Step 3 + +Now that we have created an AMI for our Openshift installation, that AMI id needs to be placed in the `vars.yml` file. To do so update the following fields (The AMI can be captured from the output of the previous step or found in the ec2 console under AMIs): + +``` + # when creating an encrypted AMI please specify use_encryption + use_encryption: False # defaults to false +``` + +**Note**: If using encryption, specify with `use_encryption: True`. This will ensure to take the recently created AMI and encrypt it to be used later. If encryption is not desired then set the value to false. The AMI id will be fetched and used according to its most recent creation date. + + #### Step 4 We are ready to create the master instances and install Openshift. ``` -$ ansible-playbook -i <inventory from step 3> provision.yml +$ ansible-playbook -i <inventory from step 1> provision.yml ``` This playbook runs through the following steps: 
diff --git a/playbooks/aws/openshift-cluster/build_ami.yml b/playbooks/aws/openshift-cluster/build_ami.yml index fa708ffa1..d27874200 100644 --- a/playbooks/aws/openshift-cluster/build_ami.yml +++ b/playbooks/aws/openshift-cluster/build_ami.yml @@ -60,24 +60,39 @@ timeout: 300 search_regex: OpenSSH - - name: add host to group + - name: add host to nodes add_host: + groups: nodes name: "{{ amibase.tagged_instances.0.public_dns_name }}" - groups: amibase -- hosts: amibase + - name: set the user to perform installation + set_fact: + ansible_ssh_user: root + +- name: normalize groups + include: ../../byo/openshift-cluster/initialize_groups.yml + +- name: run the std_include + include: ../../common/openshift-cluster/evaluate_groups.yml + +- name: run the std_include + include: ../../common/openshift-cluster/initialize_facts.yml + +- name: run the std_include + include: ../../common/openshift-cluster/initialize_openshift_repos.yml + +- hosts: nodes remote_user: root tasks: - - name: included required variables + - name: get the necessary vars for ami building include_vars: vars.yml + - set_fact: + openshift_node_bootstrap: True + - name: run openshift image preparation include_role: - name: openshift_ami_prep - vars: - r_openshift_ami_prep_yum_repositories: "{{ provision.build.yum_repositories }}" - r_openshift_ami_prep_node: atomic-openshift-node - r_openshift_ami_prep_master: atomic-openshift-master + name: openshift_node - hosts: localhost connection: local @@ -90,6 +105,7 @@ state: present description: "This was provisioned {{ ansible_date_time.iso8601 }}" name: "{{ provision.build.ami_name }}{{ lookup('pipe', 'date +%Y%m%d%H%M')}}" + tags: "{{ provision.build.openshift_ami_tags }}" wait: yes register: amioutput diff --git a/playbooks/aws/openshift-cluster/vars.yml b/playbooks/aws/openshift-cluster/vars.yml index 7810157d4..47da03cb7 100644 --- a/playbooks/aws/openshift-cluster/vars.yml +++ b/playbooks/aws/openshift-cluster/vars.yml 
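Review bot: The new `tags: "{{ provision.build.openshift_ami_tags }}"` on the AMI task reads a key that nothing in this diff defines — the vars.yml hunk only removes `yum_repositories`, and the README example gains no such key — so unless `openshift_ami_tags` is set somewhere outside the diff, AMI registration will fail on an undefined variable. Either add it under `provision.build` in vars.yml with a documented default, or make it optional: `tags: "{{ provision.build.openshift_ami_tags | default(omit) }}"`. Separately, the three includes after `normalize groups` all carry the same name `run the std_include`, which makes play output hard to follow; name each after what it includes, e.g. `- name: evaluate groups`, `- name: initialize facts`, `- name: initialize openshift repos`.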
@@ -10,17 +10,6 @@ provision: build: # build specific variables here ami_name: "openshift-gi-" base_image: ami-bdd5d6ab # base image for AMI to build from - yum_repositories: # this is an example repository but it requires sslclient info - - name: openshift-repo - file: openshift-repo - description: OpenShift Builds - baseurl: https://mirror.openshift.com/enterprise/online-int/latest/x86_64/os/ - enabled: yes - gpgcheck: no - sslverify: no - sslclientcert: "/var/lib/yum/client-cert.pem" - sslclientkey: "/var/lib/yum/client-key.pem" - gpgkey: "https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-release https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-beta https://mirror.ops.rhcloud.com/libra/keys/RPM-GPG-KEY-redhat-openshifthosted" # when creating an encrypted AMI please specify use_encryption use_encryption: False diff --git a/playbooks/byo/openshift-master/scaleup.yml b/playbooks/byo/openshift-master/scaleup.yml index 64811e80d..e3ef704e5 100644 --- a/playbooks/byo/openshift-master/scaleup.yml +++ b/playbooks/byo/openshift-master/scaleup.yml @@ -15,6 +15,8 @@ when: - (g_new_master_hosts | default([]) | length == 0) or (g_new_node_hosts | default([]) | length == 0) +- include: ../../common/openshift-cluster/std_include.yml + - include: ../../common/openshift-master/scaleup.yml vars: openshift_cluster_id: "{{ cluster_id | default('default') }}" diff --git a/playbooks/byo/openshift-node/scaleup.yml b/playbooks/byo/openshift-node/scaleup.yml index fda89b1ea..0225623c6 100644 --- a/playbooks/byo/openshift-node/scaleup.yml +++ b/playbooks/byo/openshift-node/scaleup.yml @@ -14,6 +14,8 @@ when: - g_new_node_hosts | default([]) | length == 0 +- include: ../../common/openshift-cluster/std_include.yml + - include: ../../common/openshift-node/scaleup.yml vars: openshift_cluster_id: "{{ cluster_id | default('default') }}" 
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml index e1df71112..26b27ba39 100644 --- a/playbooks/common/openshift-cluster/config.yml +++ b/playbooks/common/openshift-cluster/config.yml @@ -18,10 +18,6 @@ - docker_image_availability - docker_storage -- include: initialize_firewall.yml - tags: - - always - - hosts: localhost tasks: - fail: diff --git a/playbooks/common/openshift-cluster/evaluate_groups.yml b/playbooks/common/openshift-cluster/evaluate_groups.yml index c56b07037..a1ae14a1f 100644 --- a/playbooks/common/openshift-cluster/evaluate_groups.yml +++ b/playbooks/common/openshift-cluster/evaluate_groups.yml @@ -13,12 +13,12 @@ - name: Evaluate groups - g_master_hosts or g_new_master_hosts required fail: msg: This playbook requires g_master_hosts or g_new_master_hosts to be set - when: g_master_hosts is not defined or g_new_master_hosts is not defined + when: g_master_hosts is not defined and g_new_master_hosts is not defined - name: Evaluate groups - g_node_hosts or g_new_node_hosts required fail: msg: This playbook requires g_node_hosts or g_new_node_hosts to be set - when: g_node_hosts is not defined or g_new_node_hosts is not defined + when: g_node_hosts is not defined and g_new_node_hosts is not defined - name: Evaluate groups - g_lb_hosts required fail: @@ -117,7 +117,7 @@ add_host: name: "{{ item }}" groups: oo_etcd_hosts_to_backup - with_items: "{{ groups.oo_etcd_to_config if groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config | length > 0 else groups.oo_first_master }}" + with_items: "{{ groups.oo_etcd_to_config if groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config | length > 0 else (groups.oo_first_master | default([])) }}" changed_when: False - name: Evaluate oo_nodes_to_config 
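Review bot: Removing the always-tagged `initialize_firewall.yml` include moves os_firewall from a play over `oo_all_hosts` to per-play role entries, and the replacements in this diff cover only the etcd, loadbalancer, master and node plays. Any host that was in oo_all_hosts but in none of those groups — nfs hosts, for example, unless openshift-nfs/config.yml is patched in a part of the diff not shown — will no longer have its firewall managed by this playbook, which is a silent change in host exposure rather than a visible failure. Worth confirming that every play that previously relied on the include now lists `- role: os_firewall`, and leaving a comment at the removal site such as `# firewall is now applied per play via the os_firewall role`.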
@@ -173,5 +173,5 @@ groups: oo_etcd_to_migrate ansible_ssh_user: "{{ g_ssh_user | default(omit) }}" ansible_become: "{{ g_sudo | default(omit) }}" - with_items: "{{ groups.oo_etcd_to_config if groups.oo_etcd_to_config | default([]) | length != 0 else groups.oo_first_master }}" + with_items: "{{ groups.oo_etcd_to_config if groups.oo_etcd_to_config | default([]) | length != 0 else (groups.oo_first_master |default([]))}}" changed_when: no diff --git a/playbooks/common/openshift-cluster/initialize_facts.yml b/playbooks/common/openshift-cluster/initialize_facts.yml index 65be436c6..9eaf3bc34 100644 --- a/playbooks/common/openshift-cluster/initialize_facts.yml +++ b/playbooks/common/openshift-cluster/initialize_facts.yml @@ -157,4 +157,4 @@ - name: initialize_facts set_fact on openshift_docker_hosted_registry_network set_fact: - openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" + openshift_docker_hosted_registry_network: "{{ '' if 'oo_first_master' not in groups else hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" diff --git a/playbooks/common/openshift-cluster/initialize_firewall.yml b/playbooks/common/openshift-cluster/initialize_firewall.yml deleted file mode 100644 index f0374fbc7..000000000 --- a/playbooks/common/openshift-cluster/initialize_firewall.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: Initialize host firewall - hosts: oo_all_hosts - tasks: - - name: Install and configure the proper firewall settings - include_role: - name: os_firewall diff --git a/playbooks/common/openshift-cluster/update_repos_and_packages.yml b/playbooks/common/openshift-cluster/update_repos_and_packages.yml deleted file mode 100644 index be956fca5..000000000 --- a/playbooks/common/openshift-cluster/update_repos_and_packages.yml +++ /dev/null 
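Review bot: The fallback added here is written `(groups.oo_first_master |default([]))}}`, while the same fallback added in the @@ -117 hunk of this file reads `(groups.oo_first_master | default([])) }}`; both evaluate identically, but the missing spaces around the pipe and before `}}` break the Jinja spacing used everywhere else in the file and are the sort of thing ansible-lint flags. Suggest `with_items: "{{ groups.oo_etcd_to_config if groups.oo_etcd_to_config | default([]) | length != 0 else (groups.oo_first_master | default([])) }}"` so the two hunks read the same.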
@@ -1,18 +0,0 @@ ---- -- include: evaluate_groups.yml - -- name: Subscribe hosts, update repos and update OS packages - hosts: oo_hosts_to_update - roles: - # Explicitly calling openshift_facts because it appears that when - # rhel_subscribe is skipped that the openshift_facts dependency for - # openshift_repos is also skipped (this is the case at least for Ansible - # 2.0.2) - - openshift_facts - - role: rhel_subscribe - when: deployment_type in ["enterprise", "atomic-enterprise", "openshift-enterprise"] and - ansible_distribution == "RedHat" and - lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) | - default('no', True) | lower in ['no', 'false'] - - openshift_repos - - os_update_latest diff --git a/playbooks/common/openshift-cluster/upgrades/docker/docker_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/docker/docker_upgrade.yml index 02b8a9d3c..7cc13137f 100644 --- a/playbooks/common/openshift-cluster/upgrades/docker/docker_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/docker/docker_upgrade.yml @@ -60,7 +60,7 @@ retries: 60 delay: 60 - - include: upgrade.yml + - include: tasks/upgrade.yml when: l_docker_upgrade is defined and l_docker_upgrade | bool - name: Set node schedulability diff --git a/playbooks/common/openshift-cluster/upgrades/docker/restart.yml b/playbooks/common/openshift-cluster/upgrades/docker/tasks/restart.yml index 83f16ac0d..83f16ac0d 100644 --- a/playbooks/common/openshift-cluster/upgrades/docker/restart.yml +++ b/playbooks/common/openshift-cluster/upgrades/docker/tasks/restart.yml diff --git a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/docker/tasks/upgrade.yml index 808cc562c..808cc562c 100644 --- a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/docker/tasks/upgrade.yml 
diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_docker_upgrade_targets.yml b/playbooks/common/openshift-cluster/upgrades/pre/tasks/verify_docker_upgrade_targets.yml index 9d8b73cff..9d8b73cff 100644 --- a/playbooks/common/openshift-cluster/upgrades/pre/verify_docker_upgrade_targets.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre/tasks/verify_docker_upgrade_targets.yml diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index abcd21c90..18f10437d 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -91,10 +91,7 @@ - include_vars: ../../../../roles/openshift_master/vars/main.yml - - name: Remove any legacy systemd units - include: ../../../../roles/openshift_master/tasks/clean_systemd_units.yml - - - name: Update systemd units + - name: Remove any legacy systemd units and update systemd units include: ../../../../roles/openshift_master/tasks/systemd_units.yml - name: Check for ca-bundle.crt @@ -284,7 +281,7 @@ roles: - openshift_facts tasks: - - include: docker/upgrade.yml + - include: docker/tasks/upgrade.yml when: l_docker_upgrade is defined and l_docker_upgrade | bool and not openshift.common.is_atomic | bool - name: Drain and upgrade master nodes diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade.yml index 0f6fb46a4..a241ef039 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade.yml @@ -89,7 +89,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade 
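Review bot: The task renamed to `Remove any legacy systemd units and update systemd units` now includes only `systemd_units.yml`; the include of `clean_systemd_units.yml` is gone. If systemd_units.yml does not itself perform the legacy-unit cleanup (not visible in this diff), the new name promises a step that no longer runs during the control-plane upgrade. Either confirm the cleanup lives in systemd_units.yml and say so next to the include, e.g. `# systemd_units.yml also removes legacy units`, or keep the name accurate with `- name: Update systemd units`.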
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_control_plane.yml index cfba788a8..54c85f0fb 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_control_plane.yml @@ -93,7 +93,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_nodes.yml index 1054f430e..cee4e9087 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/upgrade_nodes.yml @@ -90,7 +90,7 @@ - name: Verify docker upgrade targets hosts: oo_nodes_to_upgrade tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade.yml index 783289c87..ae217ba2e 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade.yml @@ -89,7 +89,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_control_plane.yml index 8aa443c3c..d7cb38d03 100644 
--- a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_control_plane.yml @@ -93,7 +93,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_nodes.yml index 436795694..8531e6045 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_4/upgrade_nodes.yml @@ -90,7 +90,7 @@ - name: Verify docker upgrade targets hosts: oo_nodes_to_upgrade tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade.yml index 9a000265e..a3d0d6305 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade.yml @@ -89,7 +89,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml index 2dd9676c7..5fee56615 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_control_plane.yml 
@@ -93,7 +93,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_nodes.yml index d5fe8285e..e29d0f8e6 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_5/upgrade_nodes.yml @@ -90,7 +90,7 @@ - name: Verify docker upgrade targets hosts: oo_nodes_to_upgrade tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml index 8ceab09f4..51acd17da 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml @@ -93,7 +93,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml index f765e9064..9fe059ac9 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml @@ -93,7 +93,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade 
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml index 8bed6a8c2..1b10d4e37 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml @@ -90,7 +90,7 @@ - name: Verify docker upgrade targets hosts: oo_nodes_to_upgrade tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml index 4f05d0c64..9ec40723a 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml @@ -93,7 +93,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_nodes_to_upgrade:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml index 2ef95e778..f97f34c3b 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml @@ -93,7 +93,7 @@ - name: Verify docker upgrade targets hosts: oo_masters_to_config:oo_etcd_to_config tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml index abc4c245b..e95b90cd5 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml 
+++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml @@ -90,7 +90,7 @@ - name: Verify docker upgrade targets hosts: oo_nodes_to_upgrade tasks: - - include: ../pre/verify_docker_upgrade_targets.yml + - include: ../pre/tasks/verify_docker_upgrade_targets.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-etcd/config.yml b/playbooks/common/openshift-etcd/config.yml index 2cb6197d1..f2b85eea1 100644 --- a/playbooks/common/openshift-etcd/config.yml +++ b/playbooks/common/openshift-etcd/config.yml @@ -3,6 +3,7 @@ hosts: oo_etcd_to_config any_errors_fatal: true roles: + - role: os_firewall - role: openshift_etcd etcd_peers: "{{ groups.oo_etcd_to_config | default([], true) }}" etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" diff --git a/playbooks/common/openshift-etcd/scaleup.yml b/playbooks/common/openshift-etcd/scaleup.yml index 52b90daca..5f8bb1c7a 100644 --- a/playbooks/common/openshift-etcd/scaleup.yml +++ b/playbooks/common/openshift-etcd/scaleup.yml @@ -28,13 +28,15 @@ delay: 10 until: etcd_add_check.rc == 0 roles: + - role: os_firewall + when: etcd_add_check.rc == 0 - role: openshift_etcd when: etcd_add_check.rc == 0 etcd_peers: "{{ groups.oo_etcd_to_config | union(groups.oo_new_etcd_to_config)| default([], true) }}" etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" etcd_certificates_etcd_hosts: "{{ groups.oo_etcd_to_config | default([], true) }}" etcd_initial_cluster_state: "existing" - initial_etcd_cluster: "{{ etcd_add_check.stdout_lines[3] | regex_replace('ETCD_INITIAL_CLUSTER=','') }}" + initial_etcd_cluster: "{{ etcd_add_check.stdout_lines[3] | regex_replace('ETCD_INITIAL_CLUSTER=','') | regex_replace('\"','') }}" etcd_ca_setup: False r_etcd_common_etcd_runtime: "{{ openshift.common.etcd_runtime }}" - role: nickhammond.logrotate 
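Review bot: The `initial_etcd_cluster` line still parses `etcd_add_check.stdout_lines[3]` by position and only adds a second `regex_replace` to strip quotes, so the value depends on the `etcdctl member add` output keeping `ETCD_INITIAL_CLUSTER=` on the fourth line; a different etcd release or an extra warning line would silently feed the wrong string into the cluster config. Selecting the line by prefix instead of index is more robust, e.g. `initial_etcd_cluster: "{{ (etcd_add_check.stdout_lines | select('match', '^ETCD_INITIAL_CLUSTER=') | list).0 | regex_replace('ETCD_INITIAL_CLUSTER=','') | regex_replace('\"','') }}"`. The quote stripping itself is fine; the positional read is the fragile part.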
@@ -47,5 +49,7 @@ --ca-file {{ etcd_peer_ca_file }} -C {{ etcd_peer_url_scheme }}://{{ hostvars[etcd_ca_host].etcd_hostname }}:{{ etcd_client_port }} cluster-health - retries: 1 + register: scaleup_health + retries: 3 delay: 30 + until: scaleup_health.rc == 0 diff --git a/playbooks/common/openshift-loadbalancer/config.yml b/playbooks/common/openshift-loadbalancer/config.yml index 2dacc1218..09ed81a83 100644 --- a/playbooks/common/openshift-loadbalancer/config.yml +++ b/playbooks/common/openshift-loadbalancer/config.yml @@ -14,4 +14,5 @@ + openshift_loadbalancer_additional_backends | default([]) }}" openshift_image_tag: "{{ hostvars[groups.oo_first_master.0].openshift_image_tag }}" roles: + - role: os_firewall - role: openshift_loadbalancer diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index b30450def..cd25dd211 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -180,6 +180,7 @@ | oo_collect('openshift.common.ip') | default([]) | join(',') }}" roles: + - role: os_firewall - role: openshift_master openshift_ca_host: "{{ groups.oo_first_master.0 }}" openshift_master_etcd_hosts: "{{ hostvars diff --git a/playbooks/common/openshift-master/scaleup.yml b/playbooks/common/openshift-master/scaleup.yml index bc61ee9bb..6ad4cde65 100644 --- a/playbooks/common/openshift-master/scaleup.yml +++ b/playbooks/common/openshift-master/scaleup.yml @@ -1,11 +1,4 @@ --- -- include: ../openshift-cluster/evaluate_groups.yml - -- name: Gather facts - hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config - roles: - - openshift_facts - - name: Update master count hosts: oo_masters:!oo_masters_to_config serial: 1 
@@ -50,16 +43,6 @@ delay: 1 changed_when: false -- name: Configure docker hosts - hosts: oo_masters_to_config:oo_nodes_to_config - vars: - docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') | oo_split }}" - docker_insecure_registries: "{{ lookup('oo_option', 'docker_insecure_registries') | oo_split }}" - docker_blocked_registries: "{{ lookup('oo_option', 'docker_blocked_registries') | oo_split }}" - roles: - - openshift_facts - - openshift_docker - - name: Disable excluders hosts: oo_masters_to_config tags: diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index ef7d54f9f..04c811c22 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -32,6 +32,7 @@ }}" roles: + - role: os_firewall - role: openshift_node openshift_ca_host: "{{ groups.oo_first_master.0 }}" @@ -47,6 +48,7 @@ | oo_collect('openshift.common.hostname') | default([]) | join (',') }}" roles: + - role: os_firewall - role: openshift_node openshift_ca_host: "{{ groups.oo_first_master.0 }}" diff --git a/playbooks/common/openshift-node/scaleup.yml b/playbooks/common/openshift-node/scaleup.yml index 40da8990d..b1bbbb14c 100644 --- a/playbooks/common/openshift-node/scaleup.yml +++ b/playbooks/common/openshift-node/scaleup.yml 
@@ -1,32 +1,4 @@ --- -- include: ../openshift-cluster/evaluate_groups.yml - -- name: Gather facts - hosts: oo_etcd_to_config:oo_masters_to_config:oo_nodes_to_config - roles: - - openshift_facts - -- name: Gather and set facts for first master - hosts: oo_first_master - vars: - openshift_master_count: "{{ groups.oo_masters | length }}" - pre_tasks: - - set_fact: - openshift_master_default_subdomain: "{{ lookup('oo_option', 'openshift_master_default_subdomain') | default(None, true) }}" - when: openshift_master_default_subdomain is not defined - roles: - - openshift_master_facts - -- name: Configure docker hosts - hosts: oo_nodes_to_config - vars: - docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') | oo_split }}" - docker_insecure_registries: "{{ lookup('oo_option', 'docker_insecure_registries') | oo_split }}" - docker_blocked_registries: "{{ lookup('oo_option', 'docker_blocked_registries') | oo_split }}" - roles: - - openshift_facts - - openshift_docker - - name: Disable excluders hosts: oo_nodes_to_config tags: diff --git a/roles/calico/defaults/main.yaml b/roles/calico/defaults/main.yaml index b1907f8cb..be73e8a73 100644 --- a/roles/calico/defaults/main.yaml +++ b/roles/calico/defaults/main.yaml @@ -11,4 +11,4 @@ calico_url_ipam: "https://github.com/projectcalico/cni-plugin/releases/download/ calico_ipv4pool_ipip: "always" calico_log_dir: "/var/log/calico" -calico_node_image: "calico/node:v2.4.1" +calico_node_image: "calico/node:v2.5.0" diff --git a/roles/calico_master/defaults/main.yaml b/roles/calico_master/defaults/main.yaml index d40286aba..01a2b9529 100644 --- a/roles/calico_master/defaults/main.yaml +++ b/roles/calico_master/defaults/main.yaml 
@@ -3,5 +3,5 @@ kubeconfig: "{{ openshift.common.config_base }}/master/openshift-master.kubeconf calicoctl_bin_dir: "/usr/local/bin/" -calico_url_calicoctl: "https://github.com/projectcalico/calicoctl/releases/download/v1.4.0/calicoctl" +calico_url_calicoctl: "https://github.com/projectcalico/calicoctl/releases/download/v1.5.0/calicoctl" calico_url_policy_controller: "quay.io/calico/kube-policy-controller:v0.7.0" diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml index d12d7a358..3cc2bbb18 100644 --- a/roles/etcd/defaults/main.yaml +++ b/roles/etcd/defaults/main.yaml @@ -1,6 +1,6 @@ --- -r_etcd_firewall_enabled: True -r_etcd_use_firewalld: False +r_etcd_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" +r_etcd_use_firewalld: "{{ os_firewall_use_firewalld | default(Falsel) }}" etcd_initial_cluster_state: new etcd_initial_cluster_token: etcd-cluster-1 diff --git a/roles/etcd_migrate/tasks/migrate.yml b/roles/etcd_migrate/tasks/migrate.yml index 173de77f4..54a9c74ff 100644 --- a/roles/etcd_migrate/tasks/migrate.yml +++ b/roles/etcd_migrate/tasks/migrate.yml @@ -21,15 +21,24 @@ lineinfile: line: "ETCD_FORCE_NEW_CLUSTER=true" dest: /etc/etcd/etcd.conf + backup: true - name: Start etcd systemd: name: "{{ l_etcd_service }}" state: started +- name: Wait for cluster to become healthy after bringing up first member + command: > + etcdctl --cert-file {{ etcd_peer_cert_file }} --key-file {{ etcd_peer_key_file }} --ca-file {{ etcd_peer_ca_file }} --endpoint https://{{ etcd_peer }}:{{ etcd_client_port }} cluster-health + register: l_etcd_migrate_health + until: l_etcd_migrate_health.rc == 0 + retries: 3 + delay: 30 - name: Unset ETCD_FORCE_NEW_CLUSTER=true on first etcd host lineinfile: line: "ETCD_FORCE_NEW_CLUSTER=true" dest: /etc/etcd/etcd.conf state: absent + backup: true - name: Restart first etcd host systemd: name: "{{ l_etcd_service }}" 
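Review bot: `default(Falsel)` in `r_etcd_use_firewalld` is a typo for `False`; Jinja treats `Falsel` as an undefined variable, so on any host where `os_firewall_use_firewalld` is not set the template fails with an undefined-variable error instead of falling back to iptables, which is what the removed `False` line did. The line should read `r_etcd_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}"`, matching the `r_openshift_hosted_*_use_firewalld` defaults visible elsewhere in this diff. Because this default feeds the etcd firewall setup, the failure would surface on every etcd host at configuration time.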
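Review bot: The new health-wait task hard-codes `https://` in `--endpoint`, while the comparable cluster-health command in playbooks/common/openshift-etcd/scaleup.yml uses `{{ etcd_peer_url_scheme }}://`; if that variable is in scope here, `--endpoint {{ etcd_peer_url_scheme }}://{{ etcd_peer }}:{{ etcd_client_port }}` keeps the two consistent. The task passes the peer certificate, key and CA, so the endpoint's certificate can be verified rather than trusted blindly, which is the right shape. The added `backup: true` on both `lineinfile` edits leaves timestamped copies of /etc/etcd/etcd.conf beside the file; a one-line comment saying they are meant for rollback during the migration would explain the extra files an operator will find there.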
diff --git a/roles/nuage_node/handlers/main.yaml b/roles/nuage_node/handlers/main.yaml index 60247c33e..e68ae74bd 100644 --- a/roles/nuage_node/handlers/main.yaml +++ b/roles/nuage_node/handlers/main.yaml @@ -1,7 +1,7 @@ --- - name: restart node become: yes - systemd: name={{ openshift.common.service_type }}-node state=restarted + systemd: name={{ openshift.common.service_type }}-node daemon-reload=yes state=restarted - name: save iptable rules become: yes diff --git a/roles/nuage_node/tasks/main.yaml b/roles/nuage_node/tasks/main.yaml index 3764681ff..9db9dbb6a 100644 --- a/roles/nuage_node/tasks/main.yaml +++ b/roles/nuage_node/tasks/main.yaml @@ -33,6 +33,11 @@ - include: certificates.yml +- name: Add additional Docker mounts for Nuage for atomic hosts + become: yes + lineinfile: dest="{{ openshift_atomic_node_config_file }}" line="{{ nuage_atomic_docker_additional_mounts }}" + when: openshift.common.is_atomic | bool + - name: Restart node services command: /bin/true notify: diff --git a/roles/nuage_node/vars/main.yaml b/roles/nuage_node/vars/main.yaml index 4cf68411f..d8bfca62a 100644 --- a/roles/nuage_node/vars/main.yaml +++ b/roles/nuage_node/vars/main.yaml @@ -23,3 +23,5 @@ cni_conf_dir: "/etc/cni/net.d/" cni_bin_dir: "/opt/cni/bin/" nuage_plugin_crt_dir: /usr/share/vsp-openshift +openshift_atomic_node_config_file: /etc/sysconfig/{{ openshift.common.service_type }}-node +nuage_atomic_docker_additional_mounts: "DOCKER_ADDTL_BIND_MOUNTS=-v /var/usr/share/vsp-openshift:/var/usr/share/vsp-openshift -v /etc/default:/etc/default -v /var/run:/var/run -v /opt/cni/bin:/opt/cni/bin -v /etc/cni/net.d:/etc/cni/net.d" diff --git a/roles/openshift_ami_prep/defaults/main.yml b/roles/openshift_ami_prep/defaults/main.yml deleted file mode 100644 index 2ba6d8eae..000000000 --- a/roles/openshift_ami_prep/defaults/main.yml +++ /dev/null 
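Review bot: The new `lineinfile` task in roles/nuage_node/tasks/main.yaml has no `regexp`, so if `nuage_atomic_docker_additional_mounts` (roles/nuage_node/vars/main.yaml) ever changes, the old `DOCKER_ADDTL_BIND_MOUNTS=` line stays in the sysconfig file and a second one is appended; systemd keeps the last assignment, but the file accumulates stale lines. Adding `regexp: '^DOCKER_ADDTL_BIND_MOUNTS='` makes the task replace the existing assignment instead. The mount list bind-mounts host paths such as /var/run and /etc/default into the node container; a comment next to the variable explaining why each path is needed would help future reviewers judge that exposure.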
@@ -1,50 +0,0 @@ ---- - - -r_openshift_ami_prep_packages: -- atomic-openshift-master -- atomic-openshift-node -- atomic-openshift-docker-excluder -- atomic-openshift-sdn-ovs -- openvswitch -- docker -- etcd -#- pcs -- haproxy -- dnsmasq -- ntp -- logrotate -- httpd-tools -- bind -- firewalld -- libselinux-python -- conntrack-tools -- openssl -- cloud-init -- iproute -- python-dbus -- PyYAML -- yum-utils -- python2-boto -- python2-boto3 -- cloud-utils-growpart -# gluster -- glusterfs-fuse -- heketi-client -# nfs -- nfs-utils -- flannel -- bash-completion -# cockpit -- cockpit-ws -- cockpit-system -- cockpit-bridge -- cockpit-docker -# iscsi -- iscsi-initiator-utils -# ceph -- ceph-common -# systemcontainer -# - runc -# - container-selinux -# - atomic diff --git a/roles/openshift_ami_prep/tasks/main.yml b/roles/openshift_ami_prep/tasks/main.yml deleted file mode 100644 index 98f7bc0e2..000000000 --- a/roles/openshift_ami_prep/tasks/main.yml +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -- name: install repositories - include: yum_repos.yml - static: yes - -- name: install needed rpm(s) - package: - name: "{{ item }}" - state: present - with_items: "{{ r_openshift_ami_prep_packages }}" - -- name: create the directory for node - file: - state: directory - path: "/etc/systemd/system/{{ r_openshift_ami_prep_node }}.service.d" - -- name: laydown systemd override - copy: - dest: "/etc/systemd/system/{{ r_openshift_ami_prep_node }}.service.d/override.conf" - content: | - [Unit] - After=cloud-init.service - -- name: update the sysconfig to have KUBECONFIG - lineinfile: - dest: "/etc/sysconfig/{{ r_openshift_ami_prep_node }}" - line: "KUBECONFIG=/root/csr_kubeconfig" - regexp: "^KUBECONFIG=.*" - -- name: update the ExecStart to have bootstrap - lineinfile: - dest: "/usr/lib/systemd/system/{{ r_openshift_ami_prep_node }}.service" - line: "{% raw %}ExecStart=/usr/bin/openshift start node --bootstrap --kubeconfig=${KUBECONFIG} $OPTIONS{% endraw %}" - regexp: "^ExecStart=.*" - -- name: systemctl enable origin-node - systemd: - name: "{{ item }}" - enabled: no - with_items: - - "{{ r_openshift_ami_prep_node }}.service" - - "{{ r_openshift_ami_prep_master }}.service" diff --git a/roles/openshift_ami_prep/tasks/yum_repos.yml b/roles/openshift_ami_prep/tasks/yum_repos.yml deleted file mode 100644 index c48c67ac2..000000000 --- a/roles/openshift_ami_prep/tasks/yum_repos.yml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -- name: Create our install repository - yum_repository: - description: "{{ item.description | default(omit) }}" - name: "{{ item.name }}" - baseurl: "{{ item.baseurl }}" - gpgkey: "{{ item.gpgkey | default(omit)}}" - gpgcheck: "{{ item.gpgcheck | default(1) }}" - sslverify: "{{ item.sslverify | default(1) }}" - sslclientkey: "{{ item.sslclientkey | default(omit) }}" - sslclientcert: "{{ item.sslclientcert | default(omit) }}" - file: "{{ item.file }}" - enabled: "{{ item.enabled }}" - with_items: "{{ r_openshift_ami_prep_yum_repositories }}" diff --git a/roles/openshift_cfme/defaults/main.yml b/roles/openshift_cfme/defaults/main.yml index 393bee1f3..8aa57e75a 100644 --- a/roles/openshift_cfme/defaults/main.yml +++ b/roles/openshift_cfme/defaults/main.yml @@ -29,6 +29,7 @@ openshift_cfme_pv_data: openshift_cfme_maxImagesBulkImportedPerRepository: 100 # Hostname/IP of the NFS server. Currently defaults to first master openshift_cfme_nfs_server: "{{ groups.nfs.0 }}" +openshift_cfme_nfs_directory: "/exports" # TODO: Refactor '_install_app' variable. This is just for testing but # maybe in the future it should control the entire yes/no for CFME. # diff --git a/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 b/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 index b8c3bb277..280f3e97a 100644 --- a/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 +++ b/roles/openshift_cfme/templates/miq-pv-db.yaml.j2 @@ -8,6 +8,6 @@ spec: accessModes: - ReadWriteOnce nfs: - path: /exports/miq-pv01 + path: {{ openshift_cfme_nfs_directory }}/miq-pv01 server: {{ openshift_cfme_nfs_server }} persistentVolumeReclaimPolicy: Retain diff --git a/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 b/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 index 7218773f0..fe80dffa5 100644 --- a/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 +++ b/roles/openshift_cfme/templates/miq-pv-region.yaml.j2 
@@ -8,6 +8,6 @@ spec: accessModes: - ReadWriteOnce nfs: - path: /exports/miq-pv02 + path: {{ openshift_cfme_nfs_directory }}/miq-pv02 server: {{ openshift_cfme_nfs_server }} persistentVolumeReclaimPolicy: Retain diff --git a/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 b/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 index 7b40b6c69..f84b67ea9 100644 --- a/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 +++ b/roles/openshift_cfme/templates/miq-pv-server.yaml.j2 @@ -8,6 +8,6 @@ spec: accessModes: - ReadWriteOnce nfs: - path: /exports/miq-pv03 + path: {{ openshift_cfme_nfs_directory }}/miq-pv03 server: {{ openshift_cfme_nfs_server }} persistentVolumeReclaimPolicy: Retain diff --git a/roles/openshift_health_checker/openshift_checks/__init__.py b/roles/openshift_health_checker/openshift_checks/__init__.py index 07ec6f7ef..02ee1d0f9 100644 --- a/roles/openshift_health_checker/openshift_checks/__init__.py +++ b/roles/openshift_health_checker/openshift_checks/__init__.py @@ -242,7 +242,7 @@ def load_checks(path=None, subpkg=""): modules = modules + load_checks(os.path.join(path, name), subpkg + "." + name) continue - if name.endswith(".py") and name not in LOADER_EXCLUDES: + if name.endswith(".py") and not name.startswith(".") and name not in LOADER_EXCLUDES: modules.append(import_module(__package__ + subpkg + "." + name[:-3])) return modules diff --git a/roles/openshift_health_checker/openshift_checks/disk_availability.py b/roles/openshift_health_checker/openshift_checks/disk_availability.py index 6d1dea9ce..f302fd14b 100644 --- a/roles/openshift_health_checker/openshift_checks/disk_availability.py +++ b/roles/openshift_health_checker/openshift_checks/disk_availability.py @@ -115,10 +115,7 @@ class DiskAvailability(OpenShiftCheck): return { 'failed': True, - 'msg': ( - 'Available disk space in "{}" ({:.1f} GB) ' - 'is below minimum recommended ({:.1f} GB)' - ).format(path, free_gb, recommended_gb) + 'msg': msg, } return {} 
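Review bot: The new `not name.startswith(".")` guard in load_checks has no comment saying which files it is meant to exclude, so a reader cannot tell whether it targets editor lock or temp files (for example a constructed `.#check.py`) or something else. A short comment such as `# skip dotfiles (editor lock/temp files) that happen to end in .py` next to the `LOADER_EXCLUDES` check would record the intent. load_checks continues outside the hunk.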
diff --git a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py index 85a922f86..857a80c74 100644 --- a/roles/openshift_health_checker/openshift_checks/docker_image_availability.py +++ b/roles/openshift_health_checker/openshift_checks/docker_image_availability.py @@ -168,7 +168,10 @@ class DockerImageAvailability(DockerHostMixin, OpenShiftCheck): registries = [registry] for registry in registries: - args = {"_raw_params": "skopeo inspect --tls-verify=false docker://{}/{}".format(registry, image)} + args = { + "_raw_params": "timeout 10 skopeo inspect --tls-verify=false " + "docker://{}/{}".format(registry, image) + } result = self.execute_module("command", args) if result.get("rc", 0) == 0 and not result.get("failed"): return True diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml index f3747eead..c26df3afa 100644 --- a/roles/openshift_hosted/defaults/main.yml +++ b/roles/openshift_hosted/defaults/main.yml @@ -5,8 +5,8 @@ r_openshift_hosted_router_use_firewalld: "{{ os_firewall_use_firewalld | default r_openshift_hosted_registry_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" r_openshift_hosted_registry_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}" -openshift_hosted_router_wait: True -openshift_hosted_registry_wait: True +openshift_hosted_router_wait: "{{ not openshift_master_bootstrap_enabled | default(True) }}" +openshift_hosted_registry_wait: "{{ not openshift_master_bootstrap_enabled | default(True) }}" registry_volume_claim: 'registry-claim' diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 70aef02cd..f283261c4 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md 
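Review bot: The `timeout 10` prefix hard-codes the per-registry budget inside the command string; lifting it to a named class attribute on DockerImageAvailability (for example `skopeo_timeout = 10`) and formatting it in would document the value and let it be tuned. `registry` and `image` are interpolated into a string that the `command` module splits on whitespace, so a value containing spaces would become extra skopeo arguments; quoting them with `pipes.quote` (or `shlex.quote` on Python 3) keeps each as a single argument. The enclosing method begins outside the hunk.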
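Review bot: In `openshift_hosted_router_wait: "{{ not openshift_master_bootstrap_enabled | default(True) }}"` the filter binds tighter than `not`, so the expression is `not (openshift_master_bootstrap_enabled | default(True))` and evaluates to False whenever `openshift_master_bootstrap_enabled` is unset; that silently turns off the router and registry wait that was previously always on. If the intent is "wait unless bootstrap is enabled", the fallback should be `False` and the grouping explicit: `openshift_hosted_router_wait: "{{ not (openshift_master_bootstrap_enabled | default(False) | bool) }}"`, and likewise for `openshift_hosted_registry_wait`. This assumes no role default for `openshift_master_bootstrap_enabled` exists elsewhere, which this diff does not show.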
@@ -15,12 +15,11 @@ to the list of persisted [node labels](https://docs.openshift.org/latest/install ###Required vars: - `openshift_logging_install_logging`: When `True` the `openshift_logging` role will install Aggregated Logging. -- `openshift_logging_upgrade_logging`: When `True` the `openshift_logging` role will upgrade Aggregated Logging. -When both `openshift_logging_install_logging` and `openshift_logging_upgrade_logging` are `False` the `openshift_logging` role will uninstall Aggregated Logging. +When `openshift_logging_install_logging` is set to `False` the `openshift_logging` role will uninstall Aggregated Logging. ###Optional vars: - +- `openshift_logging_purge_logging`: When `openshift_logging_install_logging` is set to 'False' to trigger uninstalation and `openshift_logging_purge_logging` is set to 'True', it will completely and irreversibly remove all logging persistent data including PVC. Defaults to 'False'. - `openshift_logging_image_prefix`: The prefix for the logging images to use. Defaults to 'docker.io/openshift/origin-'. - `openshift_logging_curator_image_prefix`: Setting the image prefix for Curator image. Defaults to `openshift_logging_image_prefix`. - `openshift_logging_elasticsearch_image_prefix`: Setting the image prefix for Elasticsearch image. Defaults to `openshift_logging_image_prefix`. diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index f07d7e6da..716f0e002 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml @@ -8,6 +8,7 @@ openshift_logging_labels: {} openshift_logging_label_key: "" openshift_logging_label_value: "" openshift_logging_install_logging: True +openshift_logging_purge_logging: False openshift_logging_image_pull_secret: "{{ openshift_hosted_logging_image_pull_secret | default('') }}" openshift_logging_curator_default_days: 30 
diff --git a/roles/openshift_logging/tasks/annotate_ops_projects.yaml b/roles/openshift_logging/tasks/annotate_ops_projects.yaml new file mode 100644 index 000000000..d4b33616a --- /dev/null +++ b/roles/openshift_logging/tasks/annotate_ops_projects.yaml @@ -0,0 +1,17 @@ +--- +- oc_obj: + state: list + kind: project + name: "{{ item }}" + with_items: "{{ __default_logging_ops_projects }}" + register: __logging_ops_projects + +- name: Annotate Operations Projects + oc_edit: + kind: ns + name: "{{ item.item }}" + separator: '#' + content: + metadata#annotations#openshift.io/logging.ui.hostname: "{{ openshift_logging_kibana_ops_hostname }}" + with_items: "{{ __logging_ops_projects.results }}" + when: "{{ item.results.stderr is not defined }}" diff --git a/roles/openshift_logging/tasks/delete_logging.yaml b/roles/openshift_logging/tasks/delete_logging.yaml index 6d023a02d..45298e345 100644 --- a/roles/openshift_logging/tasks/delete_logging.yaml +++ b/roles/openshift_logging/tasks/delete_logging.yaml @@ -14,6 +14,16 @@ - templates - ds +# return all persistent volume claims as well if purge is set +- name: delete logging pvc objects + oc_obj: + state: absent + kind: pvc + namespace: "{{ openshift_logging_namespace }}" + selector: "logging-infra" + when: + - openshift_logging_purge_logging | default(false) | bool + # delete the oauthclient - name: delete oauthclient kibana-proxy oc_obj: diff --git a/roles/openshift_logging/tasks/install_logging.yaml b/roles/openshift_logging/tasks/install_logging.yaml index f8553be79..a77df9986 100644 --- a/roles/openshift_logging/tasks/install_logging.yaml +++ b/roles/openshift_logging/tasks/install_logging.yaml @@ -216,6 +216,7 @@ when: - openshift_logging_use_ops | bool +- include: annotate_ops_projects.yaml ## Curator - include_role: diff --git a/roles/openshift_logging/vars/main.yaml b/roles/openshift_logging/vars/main.yaml index e561b41e2..01809fddf 100644 --- a/roles/openshift_logging/vars/main.yaml 
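Review bot: `when: "{{ item.results.stderr is not defined }}"` in annotate_ops_projects.yaml wraps the condition in Jinja delimiters, which Ansible warns about and which evaluates the rendered string rather than the expression; write it as a bare expression, `when: item.results.stderr is not defined`. Gating on the absence of a `stderr` key is also an indirect way to detect that the project lookup succeeded; if `oc_obj` reports failure through `failed` or `rc`, testing that would be clearer, but the module's result shape is not visible here. A one-line comment on the first task explaining why these four projects receive the kibana-ops hostname annotation would help.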
+++ b/roles/openshift_logging/vars/main.yaml @@ -6,3 +6,5 @@ es_ops_node_quorum: "{{ (openshift_logging_es_ops_cluster_size | int/2 | round(0 es_ops_recover_expected_nodes: "{{openshift_logging_es_ops_cluster_size | int}}" es_log_appenders: ['file', 'console'] + +__default_logging_ops_projects: ['default', 'openshift', 'openshift-infra', 'kube-system'] diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml index 931846fdb..1e800b1d6 100644 --- a/roles/openshift_logging_elasticsearch/tasks/main.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml @@ -229,7 +229,7 @@ dest: "{{ tempdir }}/templates/logging-es-pvc.yml" vars: obj_name: "{{ openshift_logging_elasticsearch_pvc_name }}" - size: "{{ openshift_logging_elasticsearch_pvc_size }}" + size: "{{ (openshift_logging_elasticsearch_pvc_size | trim | length == 0) | ternary('10Gi', openshift_logging_elasticsearch_pvc_size) }}" access_modes: "{{ openshift_logging_elasticsearch_pvc_access_modes | list }}" pv_selector: "{{ openshift_logging_elasticsearch_pvc_pv_selector }}" storage_class_name: "{{ openshift_logging_elasticsearch_pvc_storage_class_name | default('', true) }}" @@ -243,7 +243,7 @@ dest: "{{ tempdir }}/templates/logging-es-pvc.yml" vars: obj_name: "{{ openshift_logging_elasticsearch_pvc_name }}" - size: "{{ openshift_logging_elasticsearch_pvc_size }}" + size: "{{ (openshift_logging_elasticsearch_pvc_size | trim | length == 0) | ternary('10Gi', openshift_logging_elasticsearch_pvc_size) }}" access_modes: "{{ openshift_logging_elasticsearch_pvc_access_modes | list }}" pv_selector: "{{ openshift_logging_elasticsearch_pvc_pv_selector }}" when: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index ba56ac94e..a06defdb9 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml 
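Review bot: The same fallback expression `(openshift_logging_elasticsearch_pvc_size | trim | length == 0) | ternary('10Gi', openshift_logging_elasticsearch_pvc_size)` is duplicated in the hunks at -229 and -243; computing it once (a `set_fact` before the two template tasks, or making `'10Gi'` the role default for the variable) avoids the two copies drifting apart. `| trim` assumes the value is a string; if an inventory sets the size as a bare number the filter would fail, so `| string | trim` would be safer, though how the variable is declared is not shown here. The `'10Gi'` constant deserves a comment saying where that default comes from.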
@@ -177,9 +177,6 @@ local_facts: no_proxy_etcd_host_ips: "{{ openshift_no_proxy_etcd_host_ips }}" -- name: Remove the legacy master service if it exists - include: clean_systemd_units.yml - - name: Install the systemd units include: systemd_units.yml diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml index 72c231e52..782a35abe 100644 --- a/roles/openshift_master/tasks/systemd_units.yml +++ b/roles/openshift_master/tasks/systemd_units.yml @@ -3,6 +3,16 @@ # playbooks. For that reason the ha_svc variables are use set_fact instead of # the vars directory on the role. +# This play may be consumed outside the role, we need to ensure that +# openshift_master_config_dir is set. +- name: Set openshift_master_config_dir if unset + set_fact: + openshift_master_config_dir: '/var/lib/origin' + when: openshift_master_config_dir is not defined + +- name: Remove the legacy master service if it exists + include: clean_systemd_units.yml + - name: Init HA Service Info set_fact: containerized_svc_dir: "/usr/lib/systemd/system" diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index cc000496a..a7dad5b1f 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml 
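Review bot: The fallback `openshift_master_config_dir: '/var/lib/origin'` looks inconsistent with the rest of this diff, where master and node configuration lives under `{{ openshift.common.config_base }}` and `/etc/origin/master` (see roles/openshift_node/tasks/bootstrap.yml and config.yml); if this variable names the master configuration directory, `'{{ openshift.common.config_base }}/master'` seems the safer default, but the consumer of the variable is outside the hunk. Moving the `clean_systemd_units.yml` include into systemd_units.yml is reasonable, but the comment block above should say that this file now also removes the legacy master service, since that include previously lived in tasks/main.yml.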
@@ -1,6 +1,64 @@ --- r_openshift_node_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" r_openshift_node_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}" + +openshift_service_type: "{{ openshift.common.service_type }}" + +openshift_image_tag: '' + +openshift_node_ami_prep_packages: +- "{{ openshift_service_type }}-master" +- "{{ openshift_service_type }}-node" +- "{{ openshift_service_type }}-docker-excluder" +- "{{ openshift_service_type }}-sdn-ovs" +- ansible +- openvswitch +- docker +- etcd +#- pcs +- haproxy +- dnsmasq +- ntp +- logrotate +- httpd-tools +- bind +- firewalld +- libselinux-python +- conntrack-tools +- openssl +- cloud-init +- iproute +- python-dbus +- PyYAML +- yum-utils +- python2-boto +- python2-boto3 +- cloud-utils-growpart +# gluster +- glusterfs-fuse +- heketi-client +# nfs +- nfs-utils +- flannel +- bash-completion +# cockpit +- cockpit-ws +- cockpit-system +- cockpit-bridge +- cockpit-docker +# iscsi +- iscsi-initiator-utils +# ceph +- ceph-common +# systemcontainer +# - runc +# - container-selinux +# - atomic +# +openshift_deployment_type: origin + +openshift_node_bootstrap: False + r_openshift_node_os_firewall_deny: [] r_openshift_node_os_firewall_allow: - service: Kubernetes kubelet diff --git a/roles/openshift_node/handlers/main.yml b/roles/openshift_node/handlers/main.yml index f2c45a4bd..14ba48aba 100644 --- a/roles/openshift_node/handlers/main.yml +++ b/roles/openshift_node/handlers/main.yml @@ -27,6 +27,7 @@ when: - (not skip_node_svc_handlers | default(False) | bool) - not (node_service_status_changed | default(false) | bool) + - not openshift_node_bootstrap - name: reload sysctl.conf command: /sbin/sysctl -p diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index 06373de04..3db980514 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml 
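Review bot: The new handler condition `- not openshift_node_bootstrap` (and `when: not openshift_node_bootstrap` in roles/openshift_node/meta/main.yml) works for the boolean default `False` but not for a string such as `"false"` set in inventory, where `not "false"` is False; the rest of this diff uses `| default(false) | bool` for such flags, so `- not (openshift_node_bootstrap | bool)` keeps the behaviour consistent. Adding `openshift_deployment_type: origin` as a role default means the RPM-config cleanup in tasks/bootstrap.yml, which is gated on the enterprise deployment types, silently stays off unless the inventory sets that variable; a comment noting that the default is only a fallback for bootstrap use would help. The `ansible` package in `openshift_node_ami_prep_packages` is new relative to the deleted roles/openshift_ami_prep list and deserves a note on why the image needs it.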
@@ -19,6 +19,7 @@ dependencies: - role: openshift_clock - role: openshift_docker - role: openshift_node_certificates + when: not openshift_node_bootstrap - role: openshift_cloud_provider - role: openshift_node_dnsmasq when: openshift.common.use_dnsmasq | bool diff --git a/roles/openshift_node/tasks/bootstrap.yml b/roles/openshift_node/tasks/bootstrap.yml new file mode 100644 index 000000000..cb1440283 --- /dev/null +++ b/roles/openshift_node/tasks/bootstrap.yml 
@@ -0,0 +1,55 @@ +--- +- name: install needed rpm(s) + package: + name: "{{ item }}" + state: present + with_items: "{{ openshift_node_ami_prep_packages }}" + +- name: create the directory for node + file: + state: directory + path: "/etc/systemd/system/{{ openshift_service_type }}-node.service.d" + +- name: laydown systemd override + copy: + dest: "/etc/systemd/system/{{ openshift_service_type }}-node.service.d/override.conf" + content: | + [Unit] + After=cloud-init.service + +- name: update the sysconfig to have KUBECONFIG + lineinfile: + dest: "/etc/sysconfig/{{ openshift_service_type }}-node" + line: "KUBECONFIG=/root/csr_kubeconfig" + regexp: "^KUBECONFIG=.*" + +- name: update the ExecStart to have bootstrap + lineinfile: + dest: "/usr/lib/systemd/system/{{ openshift_service_type }}-node.service" + line: "{% raw %}ExecStart=/usr/bin/openshift start node --bootstrap --kubeconfig=${KUBECONFIG} $OPTIONS{% endraw %}" + regexp: "^ExecStart=.*" + +- name: "systemctl enable {{ openshift_service_type }}-node" + systemd: + name: "{{ item }}" + enabled: no + with_items: + - "{{ openshift_service_type }}-node.service" + - "{{ openshift_service_type }}-master.service" + +- name: Check for RPM generated config marker file .config_managed + stat: + path: /etc/origin/.config_managed + register: rpmgenerated_config + +- name: Remove RPM generated config files if present + file: + path: "/etc/origin/{{ item }}" + state: absent + when: + - rpmgenerated_config.stat.exists + - openshift_deployment_type in ['openshift-enterprise', 'atomic-enterprise'] + with_items: + - master + - node + - .config_managed diff --git a/roles/openshift_node/tasks/config.yml b/roles/openshift_node/tasks/config.yml new file mode 100644 index 000000000..8210fd881 --- /dev/null +++ b/roles/openshift_node/tasks/config.yml 
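Review bot: The `update the ExecStart to have bootstrap` task edits the vendor unit file in /usr/lib/systemd/system in place, so the next update of the node package overwrites it and the `--bootstrap` flag silently disappears; the task above already creates an override.conf drop-in, and the ExecStart change belongs there as a `[Service]` section that clears and re-sets ExecStart. The task named `systemctl enable {{ openshift_service_type }}-node` actually sets `enabled: no` on both the node and master units; rename it (for example `ensure node and master units are disabled in the image`) or add a comment so the intent is clear. `KUBECONFIG=/root/csr_kubeconfig` is hard-coded; a role default would document where the bootstrap kubeconfig is expected.
```yaml
- name: laydown systemd override
  copy:
    dest: "/etc/systemd/system/{{ openshift_service_type }}-node.service.d/override.conf"
    content: |
      [Unit]
      After=cloud-init.service
      [Service]
      ExecStart=
      ExecStart=/usr/bin/openshift start node --bootstrap --kubeconfig=${KUBECONFIG} $OPTIONS
# … unchanged: KUBECONFIG sysconfig task …
# (the "update the ExecStart to have bootstrap" lineinfile task is no longer needed)
```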
@@ -0,0 +1,111 @@ +--- +- name: Install the systemd units + include: systemd_units.yml + +- name: Check for tuned package + command: rpm -q tuned + args: + warn: no + register: tuned_installed + changed_when: false + failed_when: false + +- name: Set atomic-guest tuned profile + command: "tuned-adm profile atomic-guest" + when: tuned_installed.rc == 0 and openshift.common.is_atomic | bool + +- name: Start and enable openvswitch service + systemd: + name: openvswitch.service + enabled: yes + state: started + daemon_reload: yes + when: + - openshift.common.is_containerized | bool + - openshift.common.use_openshift_sdn | default(true) | bool + register: ovs_start_result + until: not ovs_start_result | failed + retries: 3 + delay: 30 + +- set_fact: + ovs_service_status_changed: "{{ ovs_start_result | changed }}" + +- file: + dest: "{{ (openshift_node_kubelet_args|default({'config':None})).config}}" + state: directory + when: openshift_node_kubelet_args is defined and 'config' in openshift_node_kubelet_args + +# TODO: add the validate parameter when there is a validation command to run +- name: Create the Node config + template: + dest: "{{ openshift.common.config_base }}/node/node-config.yaml" + src: node.yaml.v1.j2 + backup: true + owner: root + group: root + mode: 0600 + notify: + - restart node + +- name: Configure Node Environment Variables + lineinfile: + dest: /etc/sysconfig/{{ openshift.common.service_type }}-node + regexp: "^{{ item.key }}=" + line: "{{ item.key }}={{ item.value }}" + create: true + with_dict: "{{ openshift.node.env_vars | default({}) }}" + notify: + - restart node + +# Necessary because when you're on a node that's also a master the master will be +# restarted after the node restarts docker and it will take up to 60 seconds for +# systemd to start the master again +- when: openshift.common.is_containerized | bool + block: + - name: Wait for master API to become available before proceeding + # Using curl here since the uri module requires 
python-httplib2 and + # wait_for port doesn't provide health information. + command: > + curl --silent --tlsv1.2 --cacert {{ openshift.common.config_base }}/node/ca.crt + {{ openshift_node_master_api_url }}/healthz/ready + args: + # Disables the following warning: + # Consider using get_url or uri module rather than running curl + warn: no + register: api_available_output + until: api_available_output.stdout == 'ok' + retries: 120 + delay: 1 + changed_when: false + + - name: Start and enable node dep + systemd: + daemon_reload: yes + name: "{{ openshift.common.service_type }}-node-dep" + enabled: yes + state: started + +- name: Start and enable node + systemd: + name: "{{ openshift.common.service_type }}-node" + enabled: yes + state: started + daemon_reload: yes + register: node_start_result + until: not node_start_result | failed + retries: 1 + delay: 30 + ignore_errors: true + +- name: Dump logs from node service if it failed + command: journalctl --no-pager -n 100 -u {{ openshift.common.service_type }}-node + when: node_start_result | failed + +- name: Abort if node failed to start + fail: + msg: Node failed to start please inspect the logs and try again + when: node_start_result | failed + +- set_fact: + node_service_status_changed: "{{ node_start_result | changed }}" diff --git a/roles/openshift_node/tasks/install.yml b/roles/openshift_node/tasks/install.yml new file mode 100644 index 000000000..9bf4ed879 --- /dev/null +++ b/roles/openshift_node/tasks/install.yml 
@@ -0,0 +1,33 @@ +--- +# We have to add tuned-profiles in the same transaction otherwise we run into depsolving +# problems because the rpms don't pin the version properly. This was fixed in 3.1 packaging. +- when: not openshift.common.is_containerized | bool + block: + - name: Install Node package + package: + name: "{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present + + - name: Install sdn-ovs package + package: + name: "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present + when: + - openshift.common.use_openshift_sdn | default(true) | bool + + - name: Install conntrack-tools package + package: + name: "conntrack-tools" + state: present + +- when: + - openshift.common.is_containerized | bool + - not openshift.common.is_node_system_container | bool + block: + - name: Pre-pull node image when containerized + command: > + docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }} + register: pull_result + changed_when: "'Downloaded newer image' in pull_result.stdout" + + - include: config/install-node-docker-service-file.yml diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 525dd1d1a..60a25dcc6 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -1,5 +1,4 @@ --- -# TODO: allow for overriding default ports where possible - fail: msg: "SELinux is disabled, This deployment type requires that SELinux is enabled." when: 
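Review bot: The sdn-ovs package name uses `openshift_pkg_version | oo_image_tag_to_rpm_version(include_dash=True)` without the `| default('')` that the node package line two tasks above applies, so on a host where `openshift_pkg_version` is unset the first task installs fine and the second fails on an undefined variable; `{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}` makes them consistent. The same asymmetry existed in the lines removed from tasks/main.yml, but this new file is where it will be maintained. The `docker pull` task detects change by matching `'Downloaded newer image'` in stdout, which ties it to docker's human-readable output; a comment noting that dependency would help the next person who sees an unexpected `ok`.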
@@ -10,34 +9,7 @@ include: firewall.yml static: yes -- name: Set node facts - openshift_facts: - role: "{{ item.role }}" - local_facts: "{{ item.local_facts }}" - with_items: - # Reset node labels to an empty dictionary. - - role: node - local_facts: - labels: {} - - role: node - local_facts: - annotations: "{{ openshift_node_annotations | default(none) }}" - debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}" - iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}" - kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}" - labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}" - registry_url: "{{ oreg_url_node | default(oreg_url) | default(None) }}" - schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" - sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" - storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" - set_node_ip: "{{ openshift_set_node_ip | default(None) }}" - node_image: "{{ osn_image | default(None) }}" - ovs_image: "{{ osn_ovs_image | default(None) }}" - proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}" - local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}" - dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}" - env_vars: "{{ openshift_node_env_vars | default(None) }}" - +#### Disable SWAP ##### # https://docs.openshift.com/container-platform/3.4/admin_guide/overcommit.html#disabling-swap-memory - name: Check for swap usage command: grep "^[^#].*swap" /etc/fstab @@ -46,9 +18,10 @@ failed_when: false register: swap_result -# Disable Swap Block -- block: - +- when: + - swap_result.stdout_lines | length > 0 + - openshift_disable_swap | default(true) | bool + block: - name: Disable swap command: swapoff --all 
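Review bot: The removed `Set node facts` task was the only place in this role that populated the `openshift.node.*` facts, and consumers remain on the new side: `openshift.node.storage_plugin_deps` in the storage-plugin conditions later in main.yml and `openshift.node.node_image` in the new install.yml. If the fact-setting moved to a separate role elsewhere in this 86-file commit, main.yml should record that dependency, either as a role dependency in meta/main.yml or as a comment at the top such as `# openshift.node.* facts are set by <NAME OF FACTS ROLE> before this role runs`; if it did not move, those references are now undefined at runtime. The new `- when:` list ahead of `block:` is a clearer shape than the trailing `when:` it replaces, no objection there. The swap block continues past the end of this hunk.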
@@ -64,29 +37,10 @@ dest: /etc/fstab line: '# OpenShift-Ansible Installer disabled swap per overcommit guidelines' state: present +#### End Disable Swap Block #### - when: - - swap_result.stdout_lines | length > 0 - - openshift_disable_swap | default(true) | bool -# End Disable Swap Block - -- name: Install Node package - package: - name: "{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" - state: present - when: not openshift.common.is_containerized | bool - -- name: setup tuned - include: tuned.yml - static: yes - -- name: Install sdn-ovs package - package: - name: "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version | oo_image_tag_to_rpm_version(include_dash=True) }}" - state: present - when: - - openshift.common.use_openshift_sdn | default(true) | bool - - not openshift.common.is_containerized | bool +- name: include node installer + include: install.yml - name: Restart cri-o systemd: @@ -95,15 +49,6 @@ state: restarted when: openshift_use_crio | default(false) -- name: Install conntrack-tools package - package: - name: "conntrack-tools" - state: present - when: not openshift.common.is_containerized | bool - -- name: Install the systemd units - include: systemd_units.yml - # The atomic-openshift-node service will set this parameter on # startup, but if the network service is restarted this setting is # lost. Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1372388 
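Review bot: The `setup tuned` include of `tuned.yml` is dropped from main.yml and does not reappear in the new install.yml, which only installs the `tuned-profiles-*-node` package in the same transaction as the node package; unless the include moved to another file in this commit, the profile RPM is installed but never applied. The `Install the systemd units` include of `systemd_units.yml` is dropped from the second hunk of this file as well, and that file still exists (it is edited later in this diff), so confirm it is now reached through config.yml or bootstrap.yml. If both relocations are intentional, a comment at the `include node installer` task naming where tuned and the unit files are now handled (`# tuned profile and systemd units are applied from config.yml`, adjusted to the real location) would spare the next reader the search.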
@@ -116,39 +61,13 @@ notify: - reload sysctl.conf -- name: Start and enable openvswitch service - systemd: - name: openvswitch.service - enabled: yes - state: started - daemon_reload: yes - when: - - openshift.common.is_containerized | bool - - openshift.common.use_openshift_sdn | default(true) | bool - register: ovs_start_result - until: not ovs_start_result | failed - retries: 3 - delay: 30 - -- set_fact: - ovs_service_status_changed: "{{ ovs_start_result | changed }}" +- name: include bootstrap node config + include: bootstrap.yml + when: openshift_node_bootstrap -- file: - dest: "{{ (openshift_node_kubelet_args|default({'config':None})).config}}" - state: directory - when: openshift_node_kubelet_args is defined and 'config' in openshift_node_kubelet_args - -# TODO: add the validate parameter when there is a validation command to run -- name: Create the Node config - template: - dest: "{{ openshift.common.config_base }}/node/node-config.yaml" - src: node.yaml.v1.j2 - backup: true - owner: root - group: root - mode: 0600 - notify: - - restart node +- name: include standard node config + include: config.yml + when: not openshift_node_bootstrap - name: Check for credentials file for registry auth stat: @@ -181,16 +100,7 @@ notify: - restart node -- name: Configure Node Environment Variables - lineinfile: - dest: /etc/sysconfig/{{ openshift.common.service_type }}-node - regexp: "^{{ item.key }}=" - line: "{{ item.key }}={{ item.value }}" - create: true - with_dict: "{{ openshift.node.env_vars | default({}) }}" - notify: - - restart node - +#### Storage class plugins here #### - name: NFS storage plugin configuration include: storage_plugins/nfs.yml tags: 
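Review bot: The two new includes gate on `when: openshift_node_bootstrap` and `when: not openshift_node_bootstrap` with neither a default nor a `| bool` cast, unlike every other conditional this commit writes (`openshift_disable_swap | default(true) | bool`, `openshift.common.use_openshift_sdn | default(true) | bool`). If the variable is not declared in the role defaults, a plain run fails with an undefined variable, and if it arrives from inventory as a string, `not` on a non-empty string is always false, so the standard config path would be skipped. Use `when: openshift_node_bootstrap | default(false) | bool` and `when: not (openshift_node_bootstrap | default(false) | bool)`. A short comment that the two includes are mutually exclusive branches of the same step would also help readers of main.yml.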
@@ -208,55 +118,7 @@ include: storage_plugins/iscsi.yml when: "'iscsi' in openshift.node.storage_plugin_deps" -# Necessary because when you're on a node that's also a master the master will be -# restarted after the node restarts docker and it will take up to 60 seconds for -# systemd to start the master again -- name: Wait for master API to become available before proceeding - # Using curl here since the uri module requires python-httplib2 and - # wait_for port doesn't provide health information. - command: > - curl --silent --tlsv1.2 --cacert {{ openshift.common.config_base }}/node/ca.crt - {{ openshift_node_master_api_url }}/healthz/ready - args: - # Disables the following warning: - # Consider using get_url or uri module rather than running curl - warn: no - register: api_available_output - until: api_available_output.stdout == 'ok' - retries: 120 - delay: 1 - changed_when: false - when: openshift.common.is_containerized | bool - -- name: Start and enable node dep - systemd: - daemon_reload: yes - name: "{{ openshift.common.service_type }}-node-dep" - enabled: yes - state: started - when: openshift.common.is_containerized | bool - - -- name: Start and enable node - systemd: - name: "{{ openshift.common.service_type }}-node" - enabled: yes - state: started - daemon_reload: yes - register: node_start_result - until: not node_start_result | failed - retries: 1 - delay: 30 - ignore_errors: true - -- name: Dump logs from node service if it failed - command: journalctl --no-pager -n 100 -u {{ openshift.common.service_type }}-node - when: node_start_result | failed - -- name: Abort if node failed to start - fail: - msg: Node failed to start please inspect the logs and try again - when: node_start_result | failed +##### END Storage ##### -- set_fact: - node_service_status_changed: "{{ node_start_result | changed }}" +- include: config/workaround-bz1331590-ovs-oom-fix.yml + when: openshift.common.use_openshift_sdn | default(true) | bool 
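Review bot: The `config/workaround-bz1331590-ovs-oom-fix.yml` include now runs at the very end of main.yml, after the `include: config.yml` task added earlier in this file, whereas in the old layout it ran from systemd_units.yml before the node service was started by the tasks removed here. The node start tasks are moved to a new file whose head is outside this chunk (its tail, ending in the `node_service_status_changed` set_fact, is the first hunk of this page); if that file is config.yml, the OVS OOM workaround is now applied after the node service is already up rather than before. Whether that matters depends on what the workaround edits, which is not visible here; either move the include ahead of the config include or add `# order: applied after node start on purpose, <reason>` so the reorder reads as intended.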
diff --git a/roles/openshift_node/tasks/systemd_units.yml b/roles/openshift_node/tasks/systemd_units.yml
index b86bb1549..4687400cd 100644
--- a/roles/openshift_node/tasks/systemd_units.yml
+++ b/roles/openshift_node/tasks/systemd_units.yml
@@ -1,22 +1,6 @@
 ---
 # This file is included both in the openshift_master role and in the upgrade
 # playbooks.
-
-- include: config/install-node-deps-docker-service-file.yml
- when: openshift.common.is_containerized | bool
-
-- block:
- - name: Pre-pull node image
- command: >
- docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }}
- register: pull_result
- changed_when: "'Downloaded newer image' in pull_result.stdout"
-
- - include: config/install-node-docker-service-file.yml
- when:
- - openshift.common.is_containerized | bool
- - not openshift.common.is_node_system_container | bool
-
 - name: Install Node service file
 template:
 dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service"
@@ -26,24 +10,24 @@ - reload systemd units - restart node -- include: config/install-ovs-service-env-file.yml - when: openshift.common.is_containerized | bool +- when: openshift.common.is_containerized | bool + block: + - name: include node deps docker service file + include: config/install-node-deps-docker-service-file.yml -- name: Install Node system container - include: node_system_container.yml - when: - - openshift.common.is_containerized | bool - - openshift.common.is_node_system_container | bool + - name: include ovs service environment file + include: config/install-ovs-service-env-file.yml -- name: Install OpenvSwitch system containers - include: openvswitch_system_container.yml - when: - - openshift.common.use_openshift_sdn | default(true) | bool - - openshift.common.is_containerized | bool - - openshift.common.is_openvswitch_system_container | bool + - name: Install Node system container + include: node_system_container.yml + when: + - openshift.common.is_node_system_container | bool -- include: config/workaround-bz1331590-ovs-oom-fix.yml - when: openshift.common.use_openshift_sdn | default(true) | bool + - name: Install OpenvSwitch system containers + include: openvswitch_system_container.yml + when: + - openshift.common.use_openshift_sdn | default(true) | bool + - openshift.common.is_openvswitch_system_container | bool - block: - name: Pre-pull openvswitch image diff --git a/roles/openshift_node_certificates/defaults/main.yml b/roles/openshift_node_certificates/defaults/main.yml index 70a38b844..455f26f30 100644 --- a/roles/openshift_node_certificates/defaults/main.yml +++ b/roles/openshift_node_certificates/defaults/main.yml @@ -1,2 +1,3 @@ --- openshift_node_cert_expire_days: 730 +openshift_ca_host: '' diff --git a/roles/openshift_node_dnsmasq/tasks/main.yml b/roles/openshift_node_dnsmasq/tasks/main.yml index d0221a94b..9bbaafc29 100644 --- a/roles/openshift_node_dnsmasq/tasks/main.yml +++ b/roles/openshift_node_dnsmasq/tasks/main.yml 
@@ -14,6 +14,17 @@ package: name=dnsmasq state=installed when: not openshift.common.is_atomic | bool +- name: ensure origin/node directory exists + file: + state: directory + path: "{{ item }}" + owner: root + group: root + mode: '0700' + with_items: + - /etc/origin + - /etc/origin/node + # this file is copied to /etc/dnsmasq.d/ when the node starts and is removed # when the node stops. A dbus-message is sent to dnsmasq to add the same entries # so that dnsmasq doesn't need to be restarted. Once we can use dnsmasq 2.77 or diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index 7458db87e..6b3de4dba 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml @@ -6,23 +6,24 @@ - when: not ostree_booted.stat.exists block: + # TODO: This needs to be removed and placed into a role - name: Ensure libselinux-python is installed package: name=libselinux-python state=present - name: Create any additional repos that are defined - template: - src: yum_repo.j2 - dest: /etc/yum.repos.d/openshift_additional.repo - when: - - openshift_additional_repos | length > 0 - notify: refresh cache - - - name: Remove the additional repos if no longer defined - file: - dest: /etc/yum.repos.d/openshift_additional.repo - state: absent - when: - - openshift_additional_repos | length == 0 + yum_repository: + description: "{{ item.description | default(item.name) }}" + name: "{{ item.name | default(item.id) }}" + baseurl: "{{ item.baseurl }}" + gpgkey: "{{ item.gpgkey | default(omit)}}" + gpgcheck: "{{ item.gpgcheck | default(1) }}" + sslverify: "{{ item.sslverify | default(1) }}" + sslclientkey: "{{ item.sslclientkey | default(omit) }}" + sslclientcert: "{{ item.sslclientcert | default(omit) }}" + file: "{{ item.name }}" + enabled: "{{ item.enabled | default('no')}}" + with_items: "{{ openshift_additional_repos }}" + when: openshift_additional_repos | length > 0 notify: refresh cache # Singleton block 
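Review bot: `mode: '0700'` is applied to `/etc/origin` as well as `/etc/origin/node` through the `with_items` loop. The parent directory is shared with the other config trees under `/etc/origin`; if any other task manages it with a different mode, the two will alternately report changed and neither mode is stable across runs. If only the node directory needs to be root-only, split the task so `/etc/origin` is created without an explicit `mode` and only `/etc/origin/node` gets `mode: '0700'`; if 0700 on the parent is intended, a one-line comment saying so (`# /etc/origin itself is root-only on nodes`) settles the question.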
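Review bot: `file: "{{ item.name }}"` in the new `yum_repository` task has no fallback, while `name:` three lines above uses `item.name | default(item.id)` and the deleted yum_repo.j2 treated `id` as the only required key; a repo defined with `id` but no `name` now fails the task instead of being written. It should be `file: "{{ item.name | default(item.id) }}"`. Two behaviour changes also deserve a line in the description or a comment on the task: `enabled` now defaults to `'no'` where the template defaulted to `1`, and the template's pass-through of arbitrary extra keys (`{% for key, value in repo.iteritems() %}`) is replaced by a fixed parameter list, so keys outside it are silently dropped. The removed `Remove the additional repos if no longer defined` task has no replacement, so `openshift_additional.repo` left by earlier runs and entries dropped from `openshift_additional_repos` now stay on the host.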
diff --git a/roles/openshift_repos/templates/yum_repo.j2 b/roles/openshift_repos/templates/yum_repo.j2 deleted file mode 100644 index ef2cd6603..000000000 --- a/roles/openshift_repos/templates/yum_repo.j2 +++ /dev/null @@ -1,14 +0,0 @@ -{% for repo in openshift_additional_repos %} -[{{ repo.id }}] -name={{ repo.name | default(repo.id) }} -baseurl={{ repo.baseurl }} -{% set enable_repo = repo.enabled | default(1) %} -enabled={{ 1 if ( enable_repo == 1 or enable_repo == True ) else 0 }} -{% set enable_gpg_check = repo.gpgcheck | default(1) %} -gpgcheck={{ 1 if ( enable_gpg_check == 1 or enable_gpg_check == True ) else 0 }} -{% for key, value in repo.iteritems() %} -{% if key not in ['id', 'name', 'baseurl', 'enabled', 'gpgcheck'] and value is defined %} -{{ key }}={{ value }} -{% endif %} -{% endfor %} -{% endfor %} diff --git a/roles/openshift_service_catalog/tasks/install.yml b/roles/openshift_service_catalog/tasks/install.yml index 686857d94..64f94347b 100644 --- a/roles/openshift_service_catalog/tasks/install.yml +++ b/roles/openshift_service_catalog/tasks/install.yml @@ -168,19 +168,19 @@ - "{{ mktemp.stdout }}/service_catalog_api_server.yml" delete_after: yes -- template: - src: api_server_service.j2 - dest: "{{ mktemp.stdout }}/service_catalog_api_service.yml" - - name: Set Service Catalog API Server service - oc_obj: - state: present - namespace: "kube-service-catalog" - kind: service + oc_service: name: apiserver - files: - - "{{ mktemp.stdout }}/service_catalog_api_service.yml" - delete_after: yes + namespace: kube-service-catalog + state: present + ports: + - name: secure + port: 443 + protocol: TCP + targetPort: 6443 + selector: + app: apiserver + session_affinity: None - template: src: api_server_route.j2 
@@ -216,19 +216,19 @@ - "{{ mktemp.stdout }}/controller_manager.yml" delete_after: yes -- template: - src: controller_manager_service.j2 - dest: "{{ mktemp.stdout }}/controller_manager_service.yml" - - name: Set Controller Manager service - oc_obj: - state: present - namespace: "kube-service-catalog" - kind: service + oc_service: name: controller-manager - files: - - "{{ mktemp.stdout }}/controller_manager_service.yml" - delete_after: yes + namespace: kube-service-catalog + state: present + ports: + - port: 6443 + protocol: TCP + targetPort: 6443 + selector: + app: controller-manager + session_affinity: None + service_type: ClusterIP - include: start_api_server.yml diff --git a/roles/openshift_service_catalog/templates/api_server_service.j2 b/roles/openshift_service_catalog/templates/api_server_service.j2 deleted file mode 100644 index bae337201..000000000 --- a/roles/openshift_service_catalog/templates/api_server_service.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: apiserver -spec: - ports: - - name: secure - port: 443 - protocol: TCP - targetPort: 6443 - selector: - app: apiserver - sessionAffinity: None diff --git a/roles/openshift_service_catalog/templates/controller_manager_service.j2 b/roles/openshift_service_catalog/templates/controller_manager_service.j2 deleted file mode 100644 index 2bac645fc..000000000 --- a/roles/openshift_service_catalog/templates/controller_manager_service.j2 +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: controller-manager -spec: - ports: - - port: 6443 - protocol: TCP - targetPort: 6443 - selector: - app: controller-manager - sessionAffinity: None - type: ClusterIP diff --git a/roles/openshift_storage_glusterfs/defaults/main.yml b/roles/openshift_storage_glusterfs/defaults/main.yml index 8d21a3f27..0b3d3aef1 100644 --- a/roles/openshift_storage_glusterfs/defaults/main.yml +++ b/roles/openshift_storage_glusterfs/defaults/main.yml 
@@ -52,8 +52,8 @@ openshift_storage_glusterfs_registry_heketi_ssh_port: "{{ openshift_storage_glus openshift_storage_glusterfs_registry_heketi_ssh_user: "{{ openshift_storage_glusterfs_heketi_ssh_user }}" openshift_storage_glusterfs_registry_heketi_ssh_sudo: "{{ openshift_storage_glusterfs_heketi_ssh_sudo }}" openshift_storage_glusterfs_registry_heketi_ssh_keyfile: "{{ openshift_storage_glusterfs_heketi_ssh_keyfile | default(omit) }}" -r_openshift_master_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" -r_openshift_master_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}" +r_openshift_storage_glusterfs_firewall_enabled: "{{ os_firewall_enabled | default(True) }}" +r_openshift_storage_glusterfs_use_firewalld: "{{ os_firewall_use_firewalld | default(False) }}" r_openshift_storage_glusterfs_os_firewall_deny: [] r_openshift_storage_glusterfs_os_firewall_allow: - service: glusterfs_sshd @@ -225,8 +225,9 @@ class OpenShiftAnsibleSyntaxCheck(Command): included_playbooks = set() for yaml_file in find_files( - os.path.join(os.getcwd(), 'playbooks', 'byo'), - None, None, r'\.ya?ml$'): + os.path.join(os.getcwd(), 'playbooks'), + ['adhoc', 'tasks'], + None, r'\.ya?ml$'): with open(yaml_file, 'r') as contents: for task in yaml.safe_load(contents): if not isinstance(task, dict): 
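Review bot: Widening the scan from `playbooks/byo` to all of `playbooks` (minus `adhoc` and `tasks`) means `yaml.safe_load(contents)` on the context line below now sees every YAML file under that tree, and it returns `None` for an empty or comment-only file, which makes the `for task in` loop raise `TypeError` instead of skipping the file. Guard it with `for task in yaml.safe_load(contents) or []:`. A top-level mapping (a vars file) iterates its keys, which the `isinstance(task, dict)` check already skips, so only the `None` case needs handling. The enclosing method starts before this hunk.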
@@ -245,19 +246,27 @@ class OpenShiftAnsibleSyntaxCheck(Command):
 # Evaluate the difference between all playbooks and included playbooks
 entrypoint_playbooks = sorted(playbooks.difference(included_playbooks))
 print('Entry point playbook count: {}'.format(len(entrypoint_playbooks)))
- # Syntax each entry point playbook
+
 for playbook in entrypoint_playbooks:
 print('-' * 60)
 print('Syntax checking playbook: {}'.format(playbook))
- try:
- subprocess.check_output(
- ['ansible-playbook', '-i localhost,',
- '--syntax-check', playbook]
- )
- except subprocess.CalledProcessError as cpe:
- print('{}Execution failed: {}{}'.format(
- self.FAIL, cpe, self.ENDC))
+
+ if 'common' in playbook:
+ # Error on any entry points in 'common'
+ print('{}Invalid entry point playbook. All playbooks must'
+ ' start in playbooks/byo{}'.format(self.FAIL, self.ENDC))
 has_errors = True
+ else:
+ # Syntax check each entry point playbook
+ try:
+ subprocess.check_output(
+ ['ansible-playbook', '-i localhost,',
+ '--syntax-check', playbook]
+ )
+ except subprocess.CalledProcessError as cpe:
+ print('{}Execution failed: {}{}'.format(
+ self.FAIL, cpe, self.ENDC))
+ has_errors = True
 
 if has_errors:
 raise SystemExit(1)
@@ -22,6 +22,5 @@ commands =
 pylint: python setup.py lint
 yamllint: python setup.py yamllint
 generate_validation: python setup.py generate_validation
-# TODO(rhcarvalho): check syntax of other important entrypoint playbooks
 ansible_syntax: python setup.py ansible_syntax
 integration: python -c 'print("run test/integration/run-tests.sh")' |
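Review bot: `if 'common' in playbook:` is a substring test on the full path, so it rejects any entry point whose path contains `common` anywhere (a file under `playbooks/byo` with that word in its name, or a checkout directory containing it), and its message claims all playbooks must live in `playbooks/byo` while only `common` is actually rejected. Test the directory component instead: `rel = os.path.relpath(playbook, os.path.join(os.getcwd(), 'playbooks'))` followed by `if rel.split(os.sep)[0] == 'common':`, or, if the message states the real rule, `if not rel.startswith('byo' + os.sep):`. The `has_errors = True` context line under the new `print` is now shared by the rejection branch, which reads fine but is easy to miss; a blank line before `else:` would make the two branches symmetric. The enclosing method starts before this hunk.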