Diffstat (limited to 'playbooks')
| -rw-r--r-- | playbooks/adhoc/uninstall.yml | 274 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/openshift_hosted.yml | 21 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml | 2 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/upgrades/files/pre-upgrade-check | 193 | ||||
| -rw-r--r-- | playbooks/common/openshift-cluster/upgrades/files/rpm_versions.sh | 12 | ||||
| -rw-r--r-- | playbooks/common/openshift-master/config.yml | 31 | ||||
| -rw-r--r-- | playbooks/common/openshift-node/config.yml | 48 | 
7 files changed, 183 insertions, 398 deletions
| diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml index b9966e715..f0cfa7f55 100644 --- a/playbooks/adhoc/uninstall.yml +++ b/playbooks/adhoc/uninstall.yml @@ -75,6 +75,10 @@  - hosts: nodes    become: yes +  vars: +    node_dirs: +    - "/etc/origin" +    - "/var/lib/origin"    tasks:    - name: unmask services      command: systemctl unmask "{{ item }}" 
@@ -83,63 +87,66 @@      with_items:      - firewalld -  - name: Remove packages -    package: name={{ item }} state=absent -    when: not is_atomic | bool -    with_items: -    - atomic-enterprise -    - atomic-enterprise-node -    - atomic-enterprise-sdn-ovs -    - atomic-openshift -    - atomic-openshift-clients -    - atomic-openshift-excluder -    - atomic-openshift-docker-excluder -    - atomic-openshift-node -    - atomic-openshift-sdn-ovs -    - cockpit-bridge -    - cockpit-docker -    - cockpit-shell -    - cockpit-ws -    - kubernetes-client -    - openshift -    - openshift-node -    - openshift-sdn -    - openshift-sdn-ovs -    - openvswitch -    - origin -    - origin-excluder -    - origin-docker-excluder -    - origin-clients -    - origin-node -    - origin-sdn-ovs -    - tuned-profiles-atomic-enterprise-node -    - tuned-profiles-atomic-openshift-node -    - tuned-profiles-openshift-node -    - tuned-profiles-origin-node - -  - name: Remove flannel package -    package: name=flannel state=absent -    when: openshift_use_flannel | default(false) | bool and not is_atomic | bool - -  - shell: systemctl reset-failed -    changed_when: False - -  - shell: systemctl daemon-reload -    changed_when: False - -  - name: Remove br0 interface -    shell: ovs-vsctl del-br br0 -    changed_when: False -    failed_when: False - -  - name: Remove linux interfaces -    shell: ip link del "{{ item }}" -    changed_when: False -    failed_when: False -    with_items: -    - lbr0 -    - vlinuxbr -    - vovsbr +  - block: +    - block: +      - name: Remove packages +        package: name={{ item }} state=absent +        with_items: +        - atomic-enterprise +        - atomic-enterprise-node +        - atomic-enterprise-sdn-ovs +        - atomic-openshift +        - atomic-openshift-clients +        - atomic-openshift-excluder +        - atomic-openshift-docker-excluder +        - atomic-openshift-node +        - atomic-openshift-sdn-ovs +        - cockpit-bridge 
+        - cockpit-docker +        - cockpit-shell +        - cockpit-ws +        - kubernetes-client +        - openshift +        - openshift-node +        - openshift-sdn +        - openshift-sdn-ovs +        - openvswitch +        - origin +        - origin-excluder +        - origin-docker-excluder +        - origin-clients +        - origin-node +        - origin-sdn-ovs +        - tuned-profiles-atomic-enterprise-node +        - tuned-profiles-atomic-openshift-node +        - tuned-profiles-openshift-node +        - tuned-profiles-origin-node + +      - name: Remove flannel package +        package: name=flannel state=absent +        when: openshift_use_flannel | default(false) | bool +      when: "{{ not is_atomic | bool }}" + +    - shell: systemctl reset-failed +      changed_when: False + +    - shell: systemctl daemon-reload +      changed_when: False + +    - name: Remove br0 interface +      shell: ovs-vsctl del-br br0 +      changed_when: False +      failed_when: False + +    - name: Remove linux interfaces +      shell: ip link del "{{ item }}" +      changed_when: False +      failed_when: False +      with_items: +      - lbr0 +      - vlinuxbr +      - vovsbr +    when: "{{ openshift_remove_all | default(true) | bool }}"    - shell: find /var/lib/origin/openshift.local.volumes -type d -exec umount {} \; 2>/dev/null || true      changed_when: False 
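Review bot: The two block-level conditions added in this hunk, `when: "{{ not is_atomic | bool }}"` and `when: "{{ openshift_remove_all | default(true) | bool }}"`, wrap the expression in Jinja delimiters, although `when` is already evaluated as a raw Jinja2 expression and later Ansible releases warn about the extra templating. Writing them as `when: not is_atomic | bool` and `when: openshift_remove_all | default(true) | bool` would match the bare form this commit uses in the masters, etcd and lb plays. The same applies to the `openshift_uninstall_images` and `openshift_remove_all` conditions in the `@@ -176,28 +183,57 @@` hunk. The outer block also puts `systemctl reset-failed`, `systemctl daemon-reload` and the bridge/interface removal behind `openshift_remove_all`, which deserves a one-line comment if that is intended.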
@@ -176,28 +183,57 @@      failed_when: False      with_items: "{{ exited_containers_to_delete.results }}" -  - shell: docker images | egrep {{ item }} | awk '{ print $3 }' -    changed_when: False -    failed_when: False -    register: images_to_delete +  - block: +    - block: +      - shell: docker images | egrep {{ item }} | awk '{ print $3 }' +        changed_when: False +        failed_when: False +        register: images_to_delete +        with_items: +        - registry\.access\..*redhat\.com/openshift3 +        - registry\.access\..*redhat\.com/aep3 +        - registry\.qe\.openshift\.com/.* +        - registry\.access\..*redhat\.com/rhel7/etcd +        - docker.io/openshift + +      - shell: "docker rmi -f {{ item.stdout_lines | join(' ') }}" +        changed_when: False +        failed_when: False +        with_items: "{{ images_to_delete.results }}" +      when: "{{ openshift_uninstall_images | default(True) | bool }}" + +    - name: remove sdn drop files +      file: +        path: /run/openshift-sdn +        state: absent + +    - name: Remove files owned by RPMs +      file: path={{ item }} state=absent +      with_items: +      - /etc/sysconfig/openshift-node +      - /etc/sysconfig/openvswitch +      - /run/openshift-sdn +    when: "{{ openshift_remove_all | default(True) | bool }}" + +  - find: path={{ item }} file_type=file +    register: files      with_items: -    - registry\.access\..*redhat\.com/openshift3 -    - registry\.access\..*redhat\.com/aep3 -    - registry\.qe\.openshift\.com/.* -    - registry\.access\..*redhat\.com/rhel7/etcd -    - docker.io/openshift -    when: openshift_uninstall_images | default(True) | bool - -  - shell: "docker rmi -f {{ item.stdout_lines | join(' ') }}" -    changed_when: False -    failed_when: False -    with_items: "{{ images_to_delete.results }}" -    when: openshift_uninstall_images | default(True) | bool +    - "{{ node_dirs }}" + +  - find: path={{ item }} file_type=directory +    register: 
directories +    with_items: +    - "{{ node_dirs }}" -  - name: Remove sdn drop files -    file: -      path: /run/openshift-sdn -      state: absent +  - file: path={{ item.1.path }} state=absent +    with_subelements: +    - "{{ files.results | default([]) }}" +    - files + +  - file: path={{ item.1.path }} state=absent +    with_subelements: +    - "{{ directories.results | default([]) }}" +    - files    - name: Remove remaining files      file: path={{ item }} state=absent @@ -209,13 +245,10 @@      - /etc/NetworkManager/dispatcher.d/99-origin-dns.sh      - /etc/openshift      - /etc/openshift-sdn -    - /etc/origin      - /etc/sysconfig/atomic-enterprise-node      - /etc/sysconfig/atomic-openshift-node      - /etc/sysconfig/atomic-openshift-node-dep -    - /etc/sysconfig/openshift-node      - /etc/sysconfig/openshift-node-dep -    - /etc/sysconfig/openvswitch      - /etc/sysconfig/origin-node      - /etc/sysconfig/origin-node      - /etc/sysconfig/origin-node-dep @@ -227,10 +260,8 @@      - /etc/systemd/system/origin-node-dep.service      - /etc/systemd/system/origin-node.service      - /etc/systemd/system/origin-node.service.wants -    - /run/openshift-sdn      - /var/lib/atomic-enterprise      - /var/lib/openshift -    - /var/lib/origin    - name: restart docker      service: name=docker state=restarted @@ -238,9 +269,12 @@    - name: restart NetworkManager      service: name=NetworkManager state=restarted -  - hosts: masters    become: yes +  vars: +    master_dirs: +    - "/etc/origin" +    - "/var/lib/origin"    tasks:    - name: unmask services      command: systemctl unmask "{{ item }}" @@ -252,7 +286,7 @@    - name: Remove packages      package: name={{ item }} state=absent -    when: not is_atomic | bool +    when: not is_atomic | bool and openshift_remove_all | default(True) | bool      with_items:      - atomic-enterprise      - atomic-enterprise-master 
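Review bot: The `find` tasks in the `@@ -176,28 +183,57 @@` hunk, which replace the wholesale removal of `/etc/origin` and `/var/lib/origin`, match only regular files and directories directly under each path, so symlinks are left in place, and as far as I know `find` also skips dot-files unless `hidden=yes` is set. On a host being decommissioned, that can leave configuration or credentials behind after an uninstall that reports success. If the intent is to empty the directories while keeping the directories themselves (for example because they are mount points), consider adding `hidden=yes` and a pass with `file_type=link`, and give the four unnamed tasks a `name:` plus a comment stating that intent. The same pattern is repeated for `master_dirs` in the `@@ -283,6 +317,33 @@` hunk and for `etcd_dirs` in the `@@ -369,13 +430,25 @@` hunk, where `/etc/etcd` is no longer removed as a whole.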
@@ -283,6 +317,33 @@    - shell: systemctl daemon-reload      changed_when: False +  - name: Remove files owned by RPMs +    file: path={{ item }} state=absent +    when: openshift_remove_all | default(True) | bool +    with_items: +    - /etc/sysconfig/atomic-openshift-master +    - /etc/sysconfig/openvswitch + +  - find: path={{ item }} file_type=file +    register: files +    with_items: +    - "{{ master_dirs }}" + +  - find: path={{ item }} file_type=directory +    register: directories +    with_items: +    - "{{ master_dirs }}" + +  - file: path={{ item.1.path }} state=absent +    with_subelements: +    - "{{ files.results | default([]) }}" +    - files + +  - file: path={{ item.1.path }} state=absent +    with_subelements: +    - "{{ directories.results | default([]) }}" +    - files +    - name: Remove remaining files      file: path={{ item }} state=absent      with_items: @@ -292,7 +353,6 @@      - /etc/corosync      - /etc/openshift      - /etc/openshift-sdn -    - /etc/origin      - /etc/systemd/system/atomic-openshift-master.service      - /etc/systemd/system/atomic-openshift-master-api.service      - /etc/systemd/system/atomic-openshift-master-controllers.service @@ -303,14 +363,12 @@      - /etc/sysconfig/atomic-enterprise-master      - /etc/sysconfig/atomic-enterprise-master-api      - /etc/sysconfig/atomic-enterprise-master-controllers -    - /etc/sysconfig/atomic-openshift-master      - /etc/sysconfig/atomic-openshift-master-api      - /etc/sysconfig/atomic-openshift-master-controllers      - /etc/sysconfig/origin-master      - /etc/sysconfig/origin-master-api      - /etc/sysconfig/origin-master-controllers      - /etc/sysconfig/openshift-master -    - /etc/sysconfig/openvswitch      - /etc/sysconfig/origin-master      - /etc/sysconfig/origin-master-api      - /etc/sysconfig/origin-master-controllers 
@@ -318,7 +376,6 @@      - /usr/share/openshift/examples      - /var/lib/atomic-enterprise      - /var/lib/openshift -    - /var/lib/origin      - /var/lib/pacemaker      - /var/lib/pcsd      - /usr/lib/systemd/system/atomic-openshift-master-api.service @@ -339,6 +396,10 @@  - hosts: etcd    become: yes +  vars: +    etcd_dirs: +    - "/etc/etcd" +    - "/var/lib/etcd"    tasks:    - name: unmask services      command: systemctl unmask "{{ item }}" @@ -358,7 +419,7 @@    - name: Remove packages      package: name={{ item }} state=absent -    when: not is_atomic | bool +    when: not is_atomic | bool and openshift_remove_all | default(True) | bool      with_items:      - etcd      - etcd3 @@ -369,13 +430,25 @@    - shell: systemctl daemon-reload      changed_when: False -  - name: Remove remaining files -    file: path={{ item }} state=absent +  - find: path={{ item }} file_type=file +    register: files      with_items: -    - /etc/ansible/facts.d/openshift.fact -    - /etc/etcd -    - /etc/systemd/system/etcd_container.service -    - /etc/profile.d/etcdctl.sh +    - "{{ etcd_dirs }}" + +  - find: path={{ item }} file_type=directory +    register: directories +    with_items: +    - "{{ etcd_dirs }}" + +  - file: path={{ item.1.path }} state=absent +    with_subelements: +    - "{{ files.results | default([]) }}" +    - files + +  - file: path={{ item.1.path }} state=absent +    with_subelements: +    - "{{ directories.results | default([]) }}" +    - files    # Intenationally using rm command over file module because if someone had mounted a filesystem    # at /var/lib/etcd then the contents was not removed correctly @@ -385,6 +458,13 @@        warn: no      failed_when: false +  - name: Remove remaining files +    file: path={{ item }} state=absent +    with_items: +    - /etc/ansible/facts.d/openshift.fact +    - /etc/systemd/system/etcd_container.service +    - /etc/profile.d/etcdctl.sh +  - hosts: lb    become: yes    tasks: 
@@ -397,7 +477,7 @@    - name: Remove packages      package: name={{ item }} state=absent -    when: not is_atomic | bool +    when: not is_atomic | bool and openshift_remove_all | default(True) | bool      with_items:      - haproxy @@ -411,4 +491,4 @@      file: path={{ item }} state=absent      with_items:      - /etc/ansible/facts.d/openshift.fact -    - /var/lib/haproxy +    - /var/lib/haproxy/stats diff --git a/playbooks/common/openshift-cluster/openshift_hosted.yml b/playbooks/common/openshift-cluster/openshift_hosted.yml index cd2f2e6aa..7839b85e8 100644 --- a/playbooks/common/openshift-cluster/openshift_hosted.yml +++ b/playbooks/common/openshift-cluster/openshift_hosted.yml 
@@ -26,27 +26,6 @@
       logging_elasticsearch_cluster_size: "{{ openshift_hosted_logging_elasticsearch_cluster_size | default(1) }}"
       logging_elasticsearch_ops_cluster_size: "{{ openshift_hosted_logging_elasticsearch_ops_cluster_size | default(1) }}"
   roles:
-  - role: openshift_cli
-  - role: openshift_hosted_facts
-  - role: openshift_projects
-    # TODO: Move standard project definitions to openshift_hosted/vars/main.yml
-    # Vars are not accessible in meta/main.yml in ansible-1.9.x
-    openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
-  - role: openshift_serviceaccounts
-    openshift_serviceaccounts_names:
-    - router
-    openshift_serviceaccounts_namespace: default
-    openshift_serviceaccounts_sccs:
-    - hostnetwork
-    when: openshift.common.version_gte_3_2_or_1_2
-  - role: openshift_serviceaccounts
-    openshift_serviceaccounts_names:
-    - router
-    - registry
-    openshift_serviceaccounts_namespace: default
-    openshift_serviceaccounts_sccs:
-    - privileged
-    when: not openshift.common.version_gte_3_2_or_1_2
   - role: openshift_hosted
   - role: openshift_metrics
     when: openshift_hosted_metrics_deploy | default(false) | bool
diff --git a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml
index 44ddf97ad..17f8fc6e9 100644
--- a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml
@@ -20,7 +20,7 @@
 - debug: var=docker_image_count.stdout
 - name: Remove all containers and images
-  script: nuke_images.sh docker
+  script: nuke_images.sh
   register: nuke_images_result
   when: docker_upgrade_nuke_images is defined and docker_upgrade_nuke_images | bool
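Review bot: The `script:` call in the `upgrade.yml` hunk drops the `docker` argument, but `nuke_images.sh` is not among the files in the diffstat shown (limited to `playbooks`), so nothing visible here confirms that the script no longer reads a positional parameter. Because this task removes all containers and images, it is worth checking how the script behaves with an empty `$1` before merging. A comment above the task, such as `# nuke_images.sh takes no arguments`, would record the contract. The task list this hunk belongs to starts and ends outside the hunk.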
diff --git a/playbooks/common/openshift-cluster/upgrades/files/pre-upgrade-check b/playbooks/common/openshift-cluster/upgrades/files/pre-upgrade-check deleted file mode 100644 index e5c958ebb..000000000 --- a/playbooks/common/openshift-cluster/upgrades/files/pre-upgrade-check +++ /dev/null 
@@ -1,193 +0,0 @@ -#!/usr/bin/env python -""" -Pre-upgrade checks that must be run on a master before proceeding with upgrade. -""" -# This is a script not a python module: -# pylint: disable=invalid-name - -# NOTE: This script should not require any python libs other than what is -# in the standard library. - -__license__ = "ASL 2.0" - -import json -import os -import subprocess -import re - -# The maximum length of container.ports.name -ALLOWED_LENGTH = 15 -# The valid structure of container.ports.name -ALLOWED_CHARS = re.compile('^[a-z0-9][a-z0-9\\-]*[a-z0-9]$') -AT_LEAST_ONE_LETTER = re.compile('[a-z]') -# look at OS_PATH for the full path. Default ot 'oc' -OC_PATH = os.getenv('OC_PATH', 'oc') - - -def validate(value): -    """ -    validate verifies that value matches required conventions - -    Rules of container.ports.name validation: - -    * must be less that 16 chars -    * at least one letter -    * only a-z0-9- -    * hyphens can not be leading or trailing or next to each other - -    :Parameters: -       - `value`: Value to validate -    """ -    if len(value) > ALLOWED_LENGTH: -        return False - -    if '--' in value: -        return False - -    # We search since it can be anywhere -    if not AT_LEAST_ONE_LETTER.search(value): -        return False - -    # We match because it must start at the beginning -    if not ALLOWED_CHARS.match(value): -        return False -    return True - - -def list_items(kind): -    """ -    list_items returns a list of items from the api - -    :Parameters: -       - `kind`: Kind of item to access -    """ -    response = subprocess.check_output([OC_PATH, 'get', '--all-namespaces', '-o', 'json', kind]) -    items = json.loads(response) -    return items.get("items", []) - - -def get(obj, *paths): -    """ -    Gets an object - -    :Parameters: -       - `obj`: A dictionary structure -       - `path`: All other non-keyword arguments -    """ -    ret_obj = obj -    for path in paths: -        if ret_obj.get(path, 
None) is None: -            return [] -        ret_obj = ret_obj[path] -    return ret_obj - - -# pylint: disable=too-many-arguments -def pretty_print_errors(namespace, kind, item_name, container_name, invalid_label, port_name, valid): -    """ -    Prints out results in human friendly way. - -    :Parameters: -       - `namespace`: Namespace of the resource -       - `kind`: Kind of the resource -       - `item_name`: Name of the resource -       - `container_name`: Name of the container. May be "" when kind=Service. -       - `port_name`: Name of the port -       - `invalid_label`: The label of the invalid port. Port.name/targetPort -       - `valid`: True if the port is valid -    """ -    if not valid: -        if len(container_name) > 0: -            print('%s/%s -n %s (Container="%s" %s="%s")' % ( -                kind, item_name, namespace, container_name, invalid_label, port_name)) -        else: -            print('%s/%s -n %s (%s="%s")' % ( -                kind, item_name, namespace, invalid_label, port_name)) - - -def print_validation_header(): -    """ -    Prints the error header. Should run on the first error to avoid -    overwhelming the user. -    """ -    print """\ -At least one port name is invalid and must be corrected before upgrading. -Please update or remove any resources with invalid port names. 
- -  Valid port names must: - -    * be less that 16 characters -    * have at least one letter -    * contain only a-z0-9- -    * not start or end with - -    * not contain dashes next to each other ('--') -""" - - -def main(): -    """ -    main is the main entry point to this script -    """ -    try: -        # the comma at the end suppresses the newline -        print "Checking for oc ...", -        subprocess.check_output([OC_PATH, 'whoami']) -        print "found" -    except: -        print( -            'Unable to run "%s whoami"\n' -            'Please ensure OpenShift is running, and "oc" is on your system ' -            'path.\n' -            'You can override the path with the OC_PATH environment variable.' -            % OC_PATH) -        raise SystemExit(1) - -    # Where the magic happens -    first_error = True -    for kind, path in [ -            ('deploymentconfigs', ("spec", "template", "spec", "containers")), -            ('replicationcontrollers', ("spec", "template", "spec", "containers")), -            ('pods', ("spec", "containers"))]: -        for item in list_items(kind): -            namespace = item["metadata"]["namespace"] -            item_name = item["metadata"]["name"] -            for container in get(item, *path): -                container_name = container["name"] -                for port in get(container, "ports"): -                    port_name = port.get("name", None) -                    if not port_name: -                        # Unnamed ports are OK -                        continue -                    valid = validate(port_name) -                    if not valid and first_error: -                        first_error = False -                        print_validation_header() -                    pretty_print_errors( -                        namespace, kind, item_name, -                        container_name, "Port.name", port_name, valid) - -    # Services follow a different flow -    for item in list_items('services'): 
-        namespace = item["metadata"]["namespace"] -        item_name = item["metadata"]["name"] -        for port in get(item, "spec", "ports"): -            port_name = port.get("targetPort", None) -            if isinstance(port_name, int) or port_name is None: -                # Integer only or unnamed ports are OK -                continue -            valid = validate(port_name) -            if not valid and first_error: -                first_error = False -                print_validation_header() -            pretty_print_errors( -                namespace, "services", item_name, "", -                "targetPort", port_name, valid) - -    # If we had at least 1 error then exit with 1 -    if not first_error: -        raise SystemExit(1) - - -if __name__ == '__main__': -    main() - diff --git a/playbooks/common/openshift-cluster/upgrades/files/rpm_versions.sh b/playbooks/common/openshift-cluster/upgrades/files/rpm_versions.sh deleted file mode 100644 index 7bf249742..000000000 --- a/playbooks/common/openshift-cluster/upgrades/files/rpm_versions.sh +++ /dev/null @@ -1,12 +0,0 @@ -#!/bin/bash -if [ `which dnf 2> /dev/null` ]; then -  installed=$(dnf repoquery --installed --latest-limit 1 -d 0 --qf '%{version}-%{release}' "${@}" 2> /dev/null) -  available=$(dnf repoquery --available --latest-limit 1 -d 0 --qf '%{version}-%{release}' "${@}" 2> /dev/null) -else -  installed=$(repoquery --plugins --pkgnarrow=installed --qf '%{version}-%{release}' "${@}" 2> /dev/null) -  available=$(repoquery --plugins --pkgnarrow=available --qf '%{version}-%{release}' "${@}" 2> /dev/null) -fi - -echo "---" -echo "curr_version: ${installed}" -echo "avail_version: ${available}" diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 8058d3377..21f3c80a1 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml 
@@ -133,9 +133,7 @@                                                  | oo_collect('openshift.common.hostname') | default([]) | join (',')                                                  }}"    roles: -  - role: openshift_master_facts -  - role: openshift_hosted_facts -  - role: openshift_master_certificates +  - role: openshift_master      openshift_ca_host: "{{ groups.oo_first_master.0 }}"      openshift_master_etcd_hosts: "{{ hostvars                                       | oo_select_keys(groups['oo_etcd_to_config'] | default([])) 
@@ -145,35 +143,12 @@                                      | oo_select_keys(groups['oo_masters_to_config'] | default([]))                                      | oo_collect('openshift.common.all_hostnames')                                      | oo_flatten | unique }}" -  - role: openshift_etcd_client_certificates +    openshift_master_hosts: "{{ groups.oo_masters_to_config }}"      etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"      etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"      etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"      etcd_cert_prefix: "master.etcd-" -    when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config -  - role: openshift_clock -  - role: openshift_cloud_provider -  - role: openshift_builddefaults -  - role: os_firewall -    os_firewall_allow: -    - service: api server https -      port: "{{ openshift.master.api_port }}/tcp" -    - service: api controllers https -      port: "{{ openshift.master.controllers_port }}/tcp" -    - service: skydns tcp -      port: "{{ openshift.master.dns_port }}/tcp" -    - service: skydns udp -      port: "{{ openshift.master.dns_port }}/udp" -  - role: os_firewall -    os_firewall_allow: -    - service: etcd embedded -      port: 4001/tcp -    when: groups.oo_etcd_to_config | default([]) | length == 0 -  - role: openshift_master -    openshift_master_hosts: "{{ groups.oo_masters_to_config }}" -  - role: nickhammond.logrotate -  - role: nuage_master -    when: openshift.common.use_nuage | bool +    post_tasks:    - name: Create group for deployment type      group_by: key=oo_masters_deployment_type_{{ openshift.common.deployment_type }} diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index e28da5713..b36c0eedf 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml 
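Review bot: `etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}"` is now passed to `openshift_master` without the `when: groups.oo_etcd_to_config is defined and groups.oo_etcd_to_config` guard that the removed `openshift_etcd_client_certificates` entry carried. Role variables are templated lazily, so this only fails if something under `openshift_master` reads `etcd_ca_host` when there is no etcd group, but that is the case the old guard covered. Either confirm that the guard now lives with the role's dependencies and say so in a comment (`# etcd_* vars are only read when oo_etcd_to_config is non-empty`), or make the lookup tolerant, for example `etcd_ca_host: "{{ groups.oo_etcd_to_config | default([]) | first | default('') }}"`. The role list continues outside this hunk, so where the firewall and certificate roles removed here are now applied cannot be checked from this diff.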
@@ -60,30 +60,8 @@
     when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and
             openshift_generate_no_proxy_hosts | default(True) | bool }}"
   roles:
-  - role: openshift_common
-  - role: openshift_clock
-  - role: openshift_docker
-  - role: openshift_node_certificates
-    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
-  - role: openshift_cloud_provider
-  - role: openshift_node_dnsmasq
-    when: openshift.common.use_dnsmasq | bool
-  - role: os_firewall
-    os_firewall_allow:
-    - service: Kubernetes kubelet
-      port: 10250/tcp
-    - service: http
-      port: 80/tcp
-    - service: https
-      port: 443/tcp
-    - service: Openshift kubelet ReadOnlyPort
-      port: 10255/tcp
-    - service: Openshift kubelet ReadOnlyPort udp
-      port: 10255/udp
-    - service: OpenShift OVS sdn
-      port: 4789/udp
-      when: openshift.node.use_openshift_sdn | bool
   - role: openshift_node
+    openshift_ca_host: "{{ groups.oo_first_master.0 }}"
 - name: Configure nodes
   hosts: oo_nodes_to_config:!oo_containerized_master_nodes
@@ -99,30 +77,8 @@      when: "{{ (openshift_http_proxy is defined or openshift_https_proxy is defined) and              openshift_generate_no_proxy_hosts | default(True) | bool }}"    roles: -  - role: openshift_common -  - role: openshift_clock -  - role: openshift_docker -  - role: openshift_node_certificates -    openshift_ca_host: "{{ groups.oo_first_master.0 }}" -  - role: openshift_cloud_provider -  - role: openshift_node_dnsmasq -    when: openshift.common.use_dnsmasq | bool -  - role: os_firewall -    os_firewall_allow: -    - service: Kubernetes kubelet -      port: 10250/tcp -    - service: http -      port: 80/tcp -    - service: https -      port: 443/tcp -    - service: Openshift kubelet ReadOnlyPort -      port: 10255/tcp -    - service: Openshift kubelet ReadOnlyPort udp -      port: 10255/udp -    - service: OpenShift OVS sdn -      port: 4789/udp -      when: openshift.node.use_openshift_sdn | bool    - role: openshift_node +    openshift_ca_host: "{{ groups.oo_first_master.0 }}"  - name: Additional node config    hosts: oo_nodes_to_config | 
