Diffstat (limited to 'roles')
-rw-r--r--roles/docker/meta/main.yml1
-rw-r--r--roles/docker/tasks/main.yml22
-rwxr-xr-xroles/openshift_facts/library/openshift_facts.py8
-rw-r--r--roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py4
-rw-r--r--roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py4
-rw-r--r--roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py6
-rw-r--r--roles/openshift_repos/templates/yum_repo.j24
-rw-r--r--roles/openshift_version/tasks/set_version_containerized.yml5
-rw-r--r--roles/os_firewall/README.md7
-rw-r--r--roles/os_firewall/defaults/main.yml8
-rw-r--r--roles/os_firewall/tasks/main.yml6
11 files changed, 48 insertions, 27 deletions
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index dadd62c93..ad28cece9 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -11,4 +11,3 @@ galaxy_info:
- 7
dependencies:
- role: os_firewall
- os_firewall_use_firewalld: False
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index a93bdc2ad..57da23e0a 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -43,16 +43,18 @@
package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
when: not openshift.common.is_atomic | bool
-- name: Ensure docker.service.d directory exists
- file:
- path: "{{ docker_systemd_dir }}"
- state: directory
-
-# Extend the default Docker service unit file
-- name: Configure Docker service unit file
- template:
- dest: "{{ docker_systemd_dir }}/custom.conf"
- src: custom.conf.j2
+- block:
+ # Extend the default Docker service unit file when using iptables-services
+ - name: Ensure docker.service.d directory exists
+ file:
+ path: "{{ docker_systemd_dir }}"
+ state: directory
+
+ - name: Configure Docker service unit file
+ template:
+ dest: "{{ docker_systemd_dir }}/custom.conf"
+ src: custom.conf.j2
+ when: not os_firewall_use_firewalld | default(True) | bool
- include: udev_workaround.yml
when: docker_udev_workaround | default(False) | bool
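Review bot: The fallback in `when: not os_firewall_use_firewalld | default(True) | bool` hard-codes True, while the os_firewall default introduced in this same commit evaluates to False on Atomic Host. If the variable ever reaches this role undefined, an Atomic host would be treated as running firewalld and the `custom.conf` drop-in would be skipped. Dropping the fallback, `when: not os_firewall_use_firewalld | bool`, makes a missing variable fail loudly instead of silently picking a backend. The block also only creates the drop-in, so a host moved from iptables to firewalld keeps a previously written `custom.conf`; a cleanup task with `state: absent` under the opposite condition is worth considering.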
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 05b0377bc..d7e3596fd 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -896,23 +896,31 @@ def set_version_facts_if_unset(facts):
version_gte_3_2_or_1_2 = version >= LooseVersion('1.2.0')
version_gte_3_3_or_1_3 = version >= LooseVersion('1.3.0')
version_gte_3_4_or_1_4 = version >= LooseVersion('1.4.0')
+ version_gte_3_5_or_1_5 = version >= LooseVersion('1.5.0')
+ version_gte_3_6_or_1_6 = version >= LooseVersion('1.6.0')
else:
version_gte_3_1_or_1_1 = version >= LooseVersion('3.0.2.905')
version_gte_3_1_1_or_1_1_1 = version >= LooseVersion('3.1.1')
version_gte_3_2_or_1_2 = version >= LooseVersion('3.1.1.901')
version_gte_3_3_or_1_3 = version >= LooseVersion('3.3.0')
version_gte_3_4_or_1_4 = version >= LooseVersion('3.4.0')
+ version_gte_3_5_or_1_5 = version >= LooseVersion('3.5.0')
+ version_gte_3_6_or_1_6 = version >= LooseVersion('3.6.0')
else:
version_gte_3_1_or_1_1 = True
version_gte_3_1_1_or_1_1_1 = True
version_gte_3_2_or_1_2 = True
version_gte_3_3_or_1_3 = True
version_gte_3_4_or_1_4 = False
+ version_gte_3_5_or_1_5 = False
+ version_gte_3_6_or_1_6 = False
facts['common']['version_gte_3_1_or_1_1'] = version_gte_3_1_or_1_1
facts['common']['version_gte_3_1_1_or_1_1_1'] = version_gte_3_1_1_or_1_1_1
facts['common']['version_gte_3_2_or_1_2'] = version_gte_3_2_or_1_2
facts['common']['version_gte_3_3_or_1_3'] = version_gte_3_3_or_1_3
facts['common']['version_gte_3_4_or_1_4'] = version_gte_3_4_or_1_4
+ facts['common']['version_gte_3_5_or_1_5'] = version_gte_3_5_or_1_5
+ facts['common']['version_gte_3_6_or_1_6'] = version_gte_3_6_or_1_6
if version_gte_3_4_or_1_4:
examples_content_version = 'v1.4'
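Review bot: The new `version >= LooseVersion('1.5.0')` and `LooseVersion('3.6.0')` comparisons assume `version` is numeric, yet this commit lets `openshift_version` be the literal `latest` in set_version_containerized.yml. How `version` is built is outside the hunk, but if `latest` can reach it, LooseVersion would compare a string component against integers, which relies on Python 2's mixed-type ordering and raises TypeError on Python 3. Either an explicit branch for `latest` or a comment above the comparisons stating which inputs are expected would make the intent checkable. set_version_facts_if_unset starts and ends outside the hunk.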
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
index 4f7461827..29a59a0d3 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
@@ -40,10 +40,10 @@ class LookupModule(LookupBase):
# pylint: disable=line-too-long
raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified")
if deployment_type == 'origin':
- if short_version not in ['1.1', '1.2', '1.3', '1.4']:
+ if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
elif deployment_type == 'openshift-enterprise':
- if short_version not in ['3.1', '3.2', '3.3', '3.4']:
+ if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
else:
raise AnsibleError("Unknown deployment_type %s" % deployment_type)
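Review bot: `'latest'` now passes the `short_version` check for both deployment types, but the code that maps `short_version` to a predicate list lies outside the hunk, so it is not visible whether `latest` selects the newest set or falls through to something older. A comment at the check, such as `# 'latest' is resolved to the newest known release below`, would document the contract once that is confirmed. The same two allow-lists are repeated in openshift_master_facts_default_priorities.py in this commit; a named constant in each plugin would keep them from drifting when the next release is added.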
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
index 7087ff03c..36022597f 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
@@ -45,10 +45,10 @@ class LookupModule(LookupBase):
raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified")
if deployment_type == 'origin':
- if short_version not in ['1.1', '1.2', '1.3', '1.4']:
+ if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
elif deployment_type == 'openshift-enterprise':
- if short_version not in ['3.1', '3.2', '3.3', '3.4']:
+ if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
else:
raise AnsibleError("Unknown deployment_type %s" % deployment_type)
diff --git a/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py b/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py
index c95356908..07bac6826 100644
--- a/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py
+++ b/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py
@@ -65,7 +65,11 @@ TEST_VARS = [
('1.3', 'origin', DEFAULT_PREDICATES_1_3),
('3.3', 'openshift-enterprise', DEFAULT_PREDICATES_1_3),
('1.4', 'origin', DEFAULT_PREDICATES_1_4),
- ('3.4', 'openshift-enterprise', DEFAULT_PREDICATES_1_4)
+ ('3.4', 'openshift-enterprise', DEFAULT_PREDICATES_1_4),
+ ('1.5', 'origin', DEFAULT_PREDICATES_1_4),
+ ('3.5', 'openshift-enterprise', DEFAULT_PREDICATES_1_4),
+ ('1.6', 'origin', DEFAULT_PREDICATES_1_4),
+ ('3.6', 'openshift-enterprise', DEFAULT_PREDICATES_1_4),
]
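Review bot: The added tuples cover 1.5/3.5 and 1.6/3.6 but not the `latest` value that the lookup plugin starts accepting in this commit. Adding `('latest', 'origin', DEFAULT_PREDICATES_1_4)` and its `openshift-enterprise` counterpart would pin what `latest` resolves to. That assumes it is meant to match the newest set, so the expected constant should be confirmed against the plugin.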
diff --git a/roles/openshift_repos/templates/yum_repo.j2 b/roles/openshift_repos/templates/yum_repo.j2
index 0ec0045eb..ef2cd6603 100644
--- a/roles/openshift_repos/templates/yum_repo.j2
+++ b/roles/openshift_repos/templates/yum_repo.j2
@@ -2,9 +2,9 @@
[{{ repo.id }}]
name={{ repo.name | default(repo.id) }}
baseurl={{ repo.baseurl }}
-{% set enable_repo = repo.enabled | default(1,True) %}
+{% set enable_repo = repo.enabled | default(1) %}
enabled={{ 1 if ( enable_repo == 1 or enable_repo == True ) else 0 }}
-{% set enable_gpg_check = repo.gpgcheck | default(1,True) %}
+{% set enable_gpg_check = repo.gpgcheck | default(1) %}
gpgcheck={{ 1 if ( enable_gpg_check == 1 or enable_gpg_check == True ) else 0 }}
{% for key, value in repo.iteritems() %}
{% if key not in ['id', 'name', 'baseurl', 'enabled', 'gpgcheck'] and value is defined %}
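Review bot: With `default(1)` an explicitly supplied value now reaches the `gpgcheck=` line, and that line fails open. Anything other than the integer 1 or boolean True, including the strings `"1"`, `"yes"` or `"true"` that inventory variables often carry, renders `gpgcheck=0` and turns package signature verification off for the repo. Normalising first, `gpgcheck={{ 1 if enable_gpg_check | bool else 0 }}`, keeps string forms of true from disabling the check; the `enabled=` line uses the same comparison. Because the change also makes a deliberate `gpgcheck: 0` possible, a template comment stating that this disables signature checks would help anyone reviewing inventories.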
diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml
index 718537287..cd0f20ae9 100644
--- a/roles/openshift_version/tasks/set_version_containerized.yml
+++ b/roles/openshift_version/tasks/set_version_containerized.yml
@@ -1,8 +1,9 @@
---
- name: Set containerized version to configure if openshift_image_tag specified
set_fact:
- # Expects a leading "v" in inventory, strip it off here:
- openshift_version: "{{ openshift_image_tag[1:].split('-')[0] }}"
+ # Expects a leading "v" in inventory, strip it off here unless
+ # openshift_image_tag=latest
+ openshift_version: "{{ openshift_image_tag[1:].split('-')[0] if openshift_image_tag != 'latest' else openshift_image_tag }}"
when: openshift_image_tag is defined and openshift_version is not defined
- name: Set containerized version to configure if openshift_release specified
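Review bot: `openshift_image_tag[1:]` drops the first character whatever it is, so a tag given without the leading "v" (for example `3.5.0`) yields `.5.0`; the new conditional only exempts `latest`. Stripping the prefix only when it is present avoids that: `openshift_version: "{{ openshift_image_tag if openshift_image_tag == 'latest' else (openshift_image_tag | regex_replace('^v', '')).split('-')[0] }}"`.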
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index c13c5dfc9..43db3cc74 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -4,6 +4,9 @@ OS Firewall
OS Firewall manages firewalld and iptables firewall settings for a minimal use
case (Adding/Removing rules based on protocol and port number).
+Note: firewalld is not supported on Atomic Host
+https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+
Requirements
------------
@@ -14,7 +17,7 @@ Role Variables
| Name | Default | |
|---------------------------|---------|----------------------------------------|
-| os_firewall_use_firewalld | False | If false, use iptables |
+| os_firewall_use_firewalld | True | If false, use iptables |
| os_firewall_allow | [] | List of service,port mappings to allow |
| os_firewall_deny | [] | List of service, port mappings to deny |
@@ -31,6 +34,7 @@ Use iptables and open tcp ports 80 and 443:
---
- hosts: servers
vars:
+ os_firewall_use_firewalld: false
os_firewall_allow:
- service: httpd
port: 80/tcp
@@ -45,7 +49,6 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80:
---
- hosts: servers
vars:
- os_firewall_use_firewalld: true
os_firewall_allow:
- service: https
port: 443/tcp
diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml
index c870a301a..4c544122f 100644
--- a/roles/os_firewall/defaults/main.yml
+++ b/roles/os_firewall/defaults/main.yml
@@ -1,9 +1,7 @@
---
os_firewall_enabled: True
-# TODO: Upstream kubernetes only supports iptables currently
-# TODO: it might be possible to still use firewalld if we wire up the created
-# chains with the public zone (or the zone associated with the correct
-# interfaces)
-os_firewall_use_firewalld: False
+# firewalld is not supported on Atomic Host
+# https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+os_firewall_use_firewalld: "{{ False if openshift.common.is_atomic | bool else True }}"
os_firewall_allow: []
os_firewall_deny: []
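Review bot: The new default `"{{ False if openshift.common.is_atomic | bool else True }}"` makes the role's defaults depend on the `openshift` fact being present. Using os_firewall before that fact is set, as in the README's standalone `hosts: servers` example, would likely fail on an undefined variable. The comment above the line should state the requirement, e.g. `# requires openshift.common.is_atomic to be set before this role runs`. The change also flips the backend to firewalld for every non-Atomic host that did not set the variable; whether existing iptables rules are carried over on such hosts is not visible in this diff and deserves a line in the README.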
diff --git a/roles/os_firewall/tasks/main.yml b/roles/os_firewall/tasks/main.yml
index 076e5e311..20efe5b0d 100644
--- a/roles/os_firewall/tasks/main.yml
+++ b/roles/os_firewall/tasks/main.yml
@@ -1,4 +1,10 @@
---
+- name: Assert - Do not use firewalld on Atomic Host
+ assert:
+ that: not os_firewall_use_firewalld | bool
+ msg: "Firewalld is not supported on Atomic Host"
+ when: openshift.common.is_atomic | bool
+
- include: firewall/firewalld.yml
when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
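Review bot: The new assert is gated only on `openshift.common.is_atomic`, so it also fails a play where `os_firewall_enabled` is false and the include shown below it would be skipped. Adding the flag to the condition, `when: os_firewall_enabled | bool and openshift.common.is_atomic | bool`, keeps it in line with that include. The rest of the task file lies outside the hunk.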