Diffstat (limited to 'roles')
93 files changed, 455 insertions, 391 deletions
diff --git a/roles/cockpit/meta/main.yml b/roles/cockpit/meta/main.yml index 43047902d..0f507e75e 100644 --- a/roles/cockpit/meta/main.yml +++ b/roles/cockpit/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: Deploy and Enable cockpit-ws plus optional plugins company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/cockpit/tasks/main.yml b/roles/cockpit/tasks/main.yml index 681029332..bddad778f 100644 --- a/roles/cockpit/tasks/main.yml +++ b/roles/cockpit/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install cockpit-ws - action: "{{ ansible_pkg_mgr }} name={{ item }} state=present" + package: name={{ item }} state=present with_items: - cockpit-ws - cockpit-shell @@ -10,7 +10,7 @@ when: not openshift.common.is_containerized | bool - name: Enable cockpit-ws - service: + systemd: name: cockpit.socket enabled: true state: started diff --git a/roles/dns/README.md b/roles/dns/README.md index 7e0140772..9a88ce97c 100644 --- a/roles/dns/README.md +++ b/roles/dns/README.md @@ -6,7 +6,7 @@ Configure a DNS server serving IPs of all the nodes of the cluster Requirements ------------ -None +Ansible 2.2 Role Variables -------------- diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml index ef101785e..61fd7a10e 100644 --- a/roles/dns/handlers/main.yml +++ b/roles/dns/handlers/main.yml @@ -1,4 +1,5 @@ +--- - name: restart bind - service: + systemd: name: named state: restarted diff --git a/roles/dns/meta/main.yml b/roles/dns/meta/main.yml index 048274c49..64d56114e 100644 --- a/roles/dns/meta/main.yml +++ b/roles/dns/meta/main.yml @@ -4,5 +4,6 @@ galaxy_info: description: Deploy and configure a DNS server company: Amadeus SAS license: ASL 2.0 + min_ansible_version: 2.2 dependencies: - { role: openshift_facts } diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml index 57a7e6269..c5ab53b4d 100644 --- a/roles/dns/tasks/main.yml 
+++ b/roles/dns/tasks/main.yml @@ -1,5 +1,6 @@ +--- - name: Install Bind - action: "{{ ansible_pkg_mgr }} name=bind" + package: name=bind state=present when: not openshift.common.is_containerized | bool - name: Create docker build dir @@ -10,7 +11,6 @@ template: dest: "/tmp/dockerbuild/Dockerfile" src: Dockerfile - register: install_result when: openshift.common.is_containerized | bool - name: Build Bind image @@ -21,13 +21,8 @@ template: dest: "/etc/systemd/system/named.service" src: named.service.j2 - register: install_result when: openshift.common.is_containerized | bool -- name: reload systemd - command: /usr/bin/systemctl --system daemon-reload - when: openshift.common.is_containerized | bool and install_result | changed - - name: Create bind zone dir file: path=/var/named state=directory when: openshift.common.is_containerized | bool @@ -44,7 +39,8 @@ notify: restart bind - name: Enable Bind - service: + systemd: name: named state: started enabled: yes + daemon_reload: yes diff --git a/roles/docker/README.md b/roles/docker/README.md index 1f0d94da0..ea06fd41a 100644 --- a/roles/docker/README.md +++ b/roles/docker/README.md @@ -6,7 +6,7 @@ Ensures docker package is installed, and optionally raises timeout for systemd-u Requirements ------------ -None +Ansible 2.2 Role Variables -------------- diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index aff905bc8..9ccb306fc 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -1,12 +1,13 @@ --- - name: restart docker - service: + systemd: name: docker state: restarted when: not docker_service_status_changed | default(false) | bool - name: restart udev - service: + systemd: name: systemd-udevd state: restarted + daemon_reload: yes diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml index 3d362158d..c5c95c0d2 100644 --- a/roles/docker/meta/main.yml +++ b/roles/docker/meta/main.yml 
@@ -4,7 +4,7 @@ galaxy_info: description: docker package install company: Red Hat, Inc license: ASL 2.0 - min_ansible_version: 1.2 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 9b7ef0830..a2b18baa1 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -40,7 +40,7 @@ # Make sure Docker is installed, but does not update a running version. # Docker upgrades are handled by a separate playbook. - name: Install Docker - action: "{{ ansible_pkg_mgr }} name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present" + package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present when: not openshift.common.is_atomic | bool - name: Ensure docker.service.d directory exists diff --git a/roles/docker/tasks/udev_workaround.yml b/roles/docker/tasks/udev_workaround.yml index aa7af0cb3..257c3123d 100644 --- a/roles/docker/tasks/udev_workaround.yml +++ b/roles/docker/tasks/udev_workaround.yml @@ -21,10 +21,4 @@ owner: root mode: "0644" notify: - - restart udev - register: udevw_override_conf - -- name: reload systemd config files - command: systemctl daemon-reload - when: udevw_override_conf | changed - + - restart udev diff --git a/roles/etcd/README.md b/roles/etcd/README.md index 329a926c0..c936dbabc 100644 --- a/roles/etcd/README.md +++ b/roles/etcd/README.md @@ -6,7 +6,8 @@ Configures an etcd cluster for an arbitrary number of hosts Requirements ------------ -This role assumes it's being deployed on a RHEL/Fedora based host with package +* Ansible 2.2 +* This role assumes it's being deployed on a RHEL/Fedora based host with package named 'etcd' available via yum or dnf (conditionally). Role Variables diff --git a/roles/etcd/handlers/main.yml b/roles/etcd/handlers/main.yml index e00e1cac4..95076b19e 100644 --- a/roles/etcd/handlers/main.yml +++ b/roles/etcd/handlers/main.yml 
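Review bot: The new "Install Docker" task in roles/docker/tasks/main.yml still passes its arguments as one `key=value` string with `docker_version` templated into it, so the package name depends on how that string is split once the variable is expanded. The same commit already uses the mapping form for templated names in roles/openshift_ca and roles/openshift_common, which confines the variable to a single argument. Doing the same here would read `package:` with `name: "docker{{ '-' + docker_version if docker_version is defined else '' }}"` and `state: present`. The one-line `package: name={{ openshift.common.service_type }}-clients state=present` in roles/openshift_cli has the same shape.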
@@ -1,5 +1,5 @@ --- - name: restart etcd - service: name={{ etcd_service }} state=restarted + systemd: name={{ etcd_service }} state=restarted when: not (etcd_service_status_changed | default(false) | bool) diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml index cfd72dfbc..532f9e313 100644 --- a/roles/etcd/meta/main.yml +++ b/roles/etcd/meta/main.yml @@ -7,7 +7,7 @@ galaxy_info: description: etcd management company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 2.1 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/etcd/tasks/etcdctl.yml b/roles/etcd/tasks/etcdctl.yml index 32c176449..bb6fabf64 100644 --- a/roles/etcd/tasks/etcdctl.yml +++ b/roles/etcd/tasks/etcdctl.yml @@ -1,5 +1,6 @@ +--- - name: Install etcd for etcdctl - action: "{{ ansible_pkg_mgr }} name=etcd state=present" + package: name=etcd state=present when: not openshift.common.is_atomic | bool - name: Configure etcd profile.d alises diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 790eb3c5a..41f25be70 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -7,7 +7,7 @@ etcd_ip: "{{ etcd_ip }}" - name: Install etcd - action: "{{ ansible_pkg_mgr }} name=etcd state=present" + package: name=etcd state=present when: not etcd_is_containerized | bool - name: Pull etcd container 
@@ -20,36 +20,25 @@ template: dest: "/etc/systemd/system/etcd_container.service" src: etcd.docker.service - register: install_etcd_result when: etcd_is_containerized | bool -- name: Ensure etcd datadir exists - when: etcd_is_containerized | bool +- name: Ensure etcd datadir exists when containerized file: path: "{{ etcd_data_dir }}" state: directory mode: 0700 - -- name: Check for etcd service presence - command: systemctl show etcd.service - register: etcd_show - changed_when: false - failed_when: false + when: etcd_is_containerized | bool - name: Disable system etcd when containerized - when: etcd_is_containerized | bool and etcd_show.rc == 0 and 'LoadState=not-found' not in etcd_show.stdout - service: + systemd: name: etcd state: stopped enabled: no - -- name: Mask system etcd when containerized - when: etcd_is_containerized | bool and etcd_show.rc == 0 and 'LoadState=not-found' not in etcd_show.stdout - command: systemctl mask etcd - -- name: Reload systemd units - command: systemctl daemon-reload - when: etcd_is_containerized | bool and ( install_etcd_result | changed ) + masked: yes + daemon_reload: yes + when: etcd_is_containerized | bool + register: task_result + failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" - name: Validate permissions on the config dir file: @@ -68,7 +57,7 @@ - restart etcd - name: Enable etcd - service: + systemd: name: "{{ etcd_service }}" state: started enabled: yes @@ -77,5 +66,6 @@ - include: etcdctl.yml when: openshift_etcd_etcdctl_profile | default(true) | bool -- set_fact: +- name: Set fact etcd_service_status_changed + set_fact: etcd_service_status_changed: "{{ start_result | changed }}" diff --git a/roles/etcd/templates/etcd.docker.service b/roles/etcd/templates/etcd.docker.service index cf957ede8..ae059b549 100644 --- a/roles/etcd/templates/etcd.docker.service +++ b/roles/etcd/templates/etcd.docker.service 
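Review bot: The new `failed_when` on "Disable system etcd when containerized" (roles/etcd/tasks/main.yml) ignores every failure whose message contains 'could not', which is wider than the `LoadState=not-found` check it replaces. A genuine failure to stop or mask an existing host etcd unit whose message contains that phrase would pass silently and leave the host service enabled next to the containerized one. If the intent is only to tolerate a missing unit, match the module's not-found text more narrowly, for example `failed_when: "task_result|failed and 'could not find the requested service' not in task_result.msg|lower"`, after confirming the exact wording in the systemd module of the targeted Ansible release.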
@@ -7,7 +7,7 @@ PartOf=docker.service [Service] EnvironmentFile=/etc/etcd/etcd.conf ExecStartPre=-/usr/bin/docker rm -f {{ etcd_service }} -ExecStart=/usr/bin/docker run --name {{ etcd_service }} --rm -v /var/lib/etcd:/var/lib/etcd:z -v /etc/etcd:/etc/etcd:z --env-file=/etc/etcd/etcd.conf --net=host --entrypoint=/usr/bin/etcd {{ openshift.etcd.etcd_image }} +ExecStart=/usr/bin/docker run --name {{ etcd_service }} --rm -v /var/lib/etcd:/var/lib/etcd:z -v /etc/etcd:/etc/etcd:ro --env-file=/etc/etcd/etcd.conf --net=host --entrypoint=/usr/bin/etcd {{ openshift.etcd.etcd_image }} ExecStop=/usr/bin/docker stop {{ etcd_service }} SyslogIdentifier=etcd_container Restart=always diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml index 4e68bc962..c4d5efa14 100644 --- a/roles/etcd_ca/tasks/main.yml +++ b/roles/etcd_ca/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install openssl - action: "{{ ansible_pkg_mgr }} name=openssl state=present" + package: name=openssl state=present when: not etcd_is_atomic | bool delegate_to: "{{ etcd_ca_host }}" run_once: true diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml index d66a0a7bf..b0fd117ed 100644 --- a/roles/etcd_server_certificates/tasks/main.yml +++ b/roles/etcd_server_certificates/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install etcd - action: "{{ ansible_pkg_mgr }} name=etcd state=present" + package: name=etcd state=present when: not etcd_is_containerized | bool - name: Check status of etcd certificates diff --git a/roles/flannel/README.md b/roles/flannel/README.md index 84e2c5c49..0c7347603 100644 --- a/roles/flannel/README.md +++ b/roles/flannel/README.md 
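Review bot: Replacing `:z` with `:ro` on the `/etc/etcd` bind mount in `ExecStart` makes the configuration and certificates read-only inside the container, but it also drops the SELinux relabel option. On an SELinux-enforcing host the container may then be denied access to `/etc/etcd` unless the directory already carries a container-readable label from an earlier run. Docker accepts both options together, so `-v /etc/etcd:/etc/etcd:ro,z` keeps the read-only mount and the relabel.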
@@ -6,7 +6,8 @@ Configure flannel on openshift nodes Requirements ------------ -This role assumes it's being deployed on a RHEL/Fedora based host with package +* Ansible 2.2 +* This role assumes it's being deployed on a RHEL/Fedora based host with package named 'flannel' available via yum or dnf (conditionally), in version superior to 0.3. diff --git a/roles/flannel/handlers/main.yml b/roles/flannel/handlers/main.yml index 981ea5c7a..94d1d18fb 100644 --- a/roles/flannel/handlers/main.yml +++ b/roles/flannel/handlers/main.yml @@ -1,8 +1,8 @@ --- - name: restart flanneld become: yes - service: name=flanneld state=restarted + systemd: name=flanneld state=restarted - name: restart docker become: yes - service: name=docker state=restarted + systemd: name=docker state=restarted diff --git a/roles/flannel/meta/main.yml b/roles/flannel/meta/main.yml index 616ae61d2..35f825586 100644 --- a/roles/flannel/meta/main.yml +++ b/roles/flannel/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: flannel management company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 2.1 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/flannel/tasks/main.yml b/roles/flannel/tasks/main.yml index bf400cfe8..3a8945a82 100644 --- a/roles/flannel/tasks/main.yml +++ b/roles/flannel/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install flannel become: yes - action: "{{ ansible_pkg_mgr }} name=flannel state=present" + package: name=flannel state=present when: not openshift.common.is_atomic | bool - name: Set flannel etcd options @@ -27,7 +27,7 @@ - name: Enable flanneld become: yes - service: + systemd: name: flanneld state: started enabled: yes diff --git a/roles/kube_nfs_volumes/README.md b/roles/kube_nfs_volumes/README.md index dd91ad8b1..8cf7c0cd4 100644 --- a/roles/kube_nfs_volumes/README.md +++ b/roles/kube_nfs_volumes/README.md 
@@ -11,8 +11,8 @@ system) on the disks! ## Requirements +* Ansible 2.2 * Running Kubernetes with NFS persistent volume support (on a remote machine). - * Works only on RHEL/Fedora-like distros. ## Role Variables diff --git a/roles/kube_nfs_volumes/handlers/main.yml b/roles/kube_nfs_volumes/handlers/main.yml index 52f3ceffe..9ce8b783d 100644 --- a/roles/kube_nfs_volumes/handlers/main.yml +++ b/roles/kube_nfs_volumes/handlers/main.yml @@ -1,3 +1,3 @@ --- - name: restart nfs - service: name=nfs-server state=restarted + systemd: name=nfs-server state=restarted diff --git a/roles/kube_nfs_volumes/meta/main.yml b/roles/kube_nfs_volumes/meta/main.yml index dc4ccdfee..be6ca6b88 100644 --- a/roles/kube_nfs_volumes/meta/main.yml +++ b/roles/kube_nfs_volumes/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: Partition disks and use them as Kubernetes NFS physical volumes. company: Red Hat, Inc. license: license (Apache) - min_ansible_version: 1.4 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/kube_nfs_volumes/tasks/main.yml b/roles/kube_nfs_volumes/tasks/main.yml index 5eff30f6f..67f709c8c 100644 --- a/roles/kube_nfs_volumes/tasks/main.yml +++ b/roles/kube_nfs_volumes/tasks/main.yml @@ -4,7 +4,10 @@ when: openshift.common.is_atomic | bool - name: Install pyparted (RedHat/Fedora) - action: "{{ ansible_pkg_mgr }} name=pyparted,python-httplib2 state=present" + package: name={{ item }} state=present + with_items: + - pyparted + - python-httplib2 when: not openshift.common.is_containerized | bool - name: partition the drives diff --git a/roles/kube_nfs_volumes/tasks/nfs.yml b/roles/kube_nfs_volumes/tasks/nfs.yml index 474ec69e5..9eeff9260 100644 --- a/roles/kube_nfs_volumes/tasks/nfs.yml +++ b/roles/kube_nfs_volumes/tasks/nfs.yml 
@@ -1,13 +1,19 @@ --- - name: Install NFS server - action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" + package: name=nfs-utils state=present when: not openshift.common.is_containerized | bool - name: Start rpcbind on Fedora/Red Hat - service: name=rpcbind state=started enabled=yes + systemd: + name: rpcbind + state: started + enabled: yes - name: Start nfs on Fedora/Red Hat - service: name=nfs-server state=started enabled=yes + systemd: + name: nfs-server + state: started + enabled: yes - name: Export the directories lineinfile: dest=/etc/exports diff --git a/roles/nickhammond.logrotate/tasks/main.yml b/roles/nickhammond.logrotate/tasks/main.yml index 1979c851f..657cb10ec 100644 --- a/roles/nickhammond.logrotate/tasks/main.yml +++ b/roles/nickhammond.logrotate/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: nickhammond.logrotate | Install logrotate - action: "{{ ansible_pkg_mgr }} name=logrotate state=present" + package: name=logrotate state=present when: not openshift.common.is_atomic | bool - name: nickhammond.logrotate | Setup logrotate.d scripts diff --git a/roles/nuage_ca/tasks/main.yaml b/roles/nuage_ca/tasks/main.yaml index 9cfa40b8a..8d73e6840 100644 --- a/roles/nuage_ca/tasks/main.yaml +++ b/roles/nuage_ca/tasks/main.yaml @@ -1,6 +1,6 @@ --- - name: Install openssl - action: "{{ ansible_pkg_mgr }} name=openssl state=present" + package: name=openssl state=present when: not openshift.common.is_atomic | bool - name: Create CA directory @@ -41,6 +41,6 @@ delegate_to: "{{ nuage_ca_master }}" - name: Copy SSL config file - copy: src=openssl.cnf dest="{{ nuage_ca_dir }}/openssl.cnf" + copy: src=openssl.cnf dest="{{ nuage_ca_dir }}/openssl.cnf" run_once: true delegate_to: "{{ nuage_ca_master }}" diff --git a/roles/nuage_master/README.md b/roles/nuage_master/README.md index de101dd19..0f1f6f2b1 100644 --- a/roles/nuage_master/README.md +++ b/roles/nuage_master/README.md 
@@ -5,4 +5,6 @@ Setup Nuage Kubernetes Monitor on the Master node Requirements ------------ -This role assumes it has been deployed on RHEL/Fedora + +* Ansible 2.2 +* This role assumes it has been deployed on RHEL/Fedora diff --git a/roles/nuage_master/handlers/main.yaml b/roles/nuage_master/handlers/main.yaml index 56224cf82..162aaae1a 100644 --- a/roles/nuage_master/handlers/main.yaml +++ b/roles/nuage_master/handlers/main.yaml @@ -1,18 +1,24 @@ --- - name: restart nuage-openshift-monitor become: yes - service: name=nuage-openshift-monitor state=restarted + systemd: name=nuage-openshift-monitor state=restarted - name: restart master - service: name={{ openshift.common.service_type }}-master state=restarted + systemd: name={{ openshift.common.service_type }}-master state=restarted when: (not openshift_master_ha | bool) and (not master_service_status_changed | default(false)) - name: restart master api - service: name={{ openshift.common.service_type }}-master-api state=restarted - when: (openshift_master_ha | bool) and (not master_api_service_status_changed | default(false)) and openshift.master.cluster_method == 'native' + systemd: name={{ openshift.common.service_type }}-master-api state=restarted + when: > + (openshift_master_ha | bool) and + (not master_api_service_status_changed | default(false)) and + openshift.master.cluster_method == 'native' # TODO: need to fix up ignore_errors here - name: restart master controllers - service: name={{ openshift.common.service_type }}-master-controllers state=restarted - when: (openshift_master_ha | bool) and (not master_controllers_service_status_changed | default(false)) and openshift.master.cluster_method == 'native' + systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted + when: > + (openshift_master_ha | bool) and + (not master_controllers_service_status_changed | default(false)) and + openshift.master.cluster_method == 'native' ignore_errors: yes 
diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml index 51b89fbf6..b2a47ef71 100644 --- a/roles/nuage_master/meta/main.yml +++ b/roles/nuage_master/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: - author: Vishal Patil + author: Vishal Patil description: company: Nuage Networks license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 2.2 platforms: - name: EL versions: @@ -18,5 +18,5 @@ dependencies: - role: openshift_etcd_client_certificates - role: os_firewall os_firewall_allow: - - service: openshift-monitor + - service: openshift-monitor port: "{{ nuage_mon_rest_server_port }}/tcp" diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml index 2b3ae0454..41143772e 100644 --- a/roles/nuage_master/tasks/serviceaccount.yml +++ b/roles/nuage_master/tasks/serviceaccount.yml @@ -29,7 +29,7 @@ --config={{nuage_tmp_conf}} with_items: "{{nuage_tasks}}" register: osnuage_perm_task - failed_when: "'already exists' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0" + failed_when: "'the object has been modified' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0" changed_when: osnuage_perm_task.rc == 0 - name: Generate the node client config diff --git a/roles/nuage_node/README.md b/roles/nuage_node/README.md index 02a3cbc77..75a75ca6b 100644 --- a/roles/nuage_node/README.md +++ b/roles/nuage_node/README.md @@ -6,4 +6,5 @@ Setup Nuage VRS (Virtual Routing Switching) on the Openshift Node Requirements ------------ -This role assumes it has been deployed on RHEL/Fedora +* Ansible 2.2 +* This role assumes it has been deployed on RHEL/Fedora diff --git a/roles/nuage_node/handlers/main.yaml b/roles/nuage_node/handlers/main.yaml index fd06d9025..8384856ff 100644 --- a/roles/nuage_node/handlers/main.yaml +++ b/roles/nuage_node/handlers/main.yaml 
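Review bot: In roles/nuage_master/tasks/serviceaccount.yml the new `failed_when` treats 'the object has been modified' as success, but that message normally reports an update conflict in which the command's change was not applied. A permission grant for that item can therefore be missing while the task reports no failure, and the previously tolerated 'already exists' case now fails the run. Retrying on conflict would be safer than ignoring it, for example `until: osnuage_perm_task.rc == 0` with `retries: 3`, keeping the 'already exists' tolerance if re-runs must stay idempotent. The command itself starts above this hunk, so confirm which stderr texts it can actually emit.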
@@ -1,11 +1,11 @@ --- - name: restart vrs become: yes - service: name=openvswitch state=restarted + systemd: name=openvswitch state=restarted - name: restart node become: yes - service: name={{ openshift.common.service_type }}-node state=restarted + systemd: name={{ openshift.common.service_type }}-node state=restarted - name: save iptable rules become: yes diff --git a/roles/nuage_node/meta/main.yml b/roles/nuage_node/meta/main.yml index a6fbcba61..f96318611 100644 --- a/roles/nuage_node/meta/main.yml +++ b/roles/nuage_node/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: - author: Vishal Patil + author: Vishal Patil description: company: Nuage Networks license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 2.2 platforms: - name: EL versions: @@ -17,7 +17,7 @@ dependencies: - role: nuage_ca - role: os_firewall os_firewall_allow: - - service: vxlan + - service: vxlan port: 4789/udp - service: nuage-monitor port: "{{ nuage_mon_rest_server_port }}/tcp" diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index b6d403067..e2a12e5ff 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -8,7 +8,9 @@ when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate) - name: Install the base package for admin tooling - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: not openshift.common.is_containerized | bool register: install_result delegate_to: "{{ openshift_ca_host }}" diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml index 11c73b25c..07a00189c 100644 
--- a/roles/openshift_cli/tasks/main.yml +++ b/roles/openshift_cli/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install clients - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-clients state=present" + package: name={{ openshift.common.service_type }}-clients state=present when: not openshift.common.is_containerized | bool - name: Pull CLI Image @@ -20,5 +20,5 @@ openshift_facts: - name: Install bash completion for oc tools - action: "{{ ansible_pkg_mgr }} name=bash-completion state=present" + package: name=bash-completion state=present when: not openshift.common.is_containerized | bool diff --git a/roles/openshift_clock/tasks/main.yaml b/roles/openshift_clock/tasks/main.yaml index 5a8403f68..3911201ea 100644 --- a/roles/openshift_clock/tasks/main.yaml +++ b/roles/openshift_clock/tasks/main.yaml @@ -6,7 +6,7 @@ enabled: "{{ openshift_clock_enabled | default(None) }}" - name: Install ntp package - action: "{{ ansible_pkg_mgr }} name=ntp state=present" + package: name=ntp state=present when: openshift.clock.enabled | bool and not openshift.clock.chrony_installed | bool - name: Start and enable ntpd/chronyd diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml index 3f8ea5dce..c9a44b3f5 100644 --- a/roles/openshift_common/tasks/main.yml +++ b/roles/openshift_common/tasks/main.yml @@ -29,7 +29,9 @@ use_dnsmasq: "{{ openshift_use_dnsmasq | default(None) }}" - name: Install the base package for versioning - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: not openshift.common.is_containerized | bool - name: Set version facts 
diff --git a/roles/openshift_expand_partition/tasks/main.yml b/roles/openshift_expand_partition/tasks/main.yml index cdd813e6a..00603f4fa 100644 --- a/roles/openshift_expand_partition/tasks/main.yml +++ b/roles/openshift_expand_partition/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Ensure growpart is installed - action: "{{ ansible_pkg_mgr }} name=cloud-utils-growpart state=present" + package: name=cloud-utils-growpart state=present when: not openshift.common.is_containerized | bool - name: Determine if growpart is installed diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index d797eb4d3..ad4b1e47b 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -22,9 +22,14 @@ from distutils.util import strtobool from distutils.version import LooseVersion import struct import socket -from dbus import SystemBus, Interface -from dbus.exceptions import DBusException +HAVE_DBUS=False +try: + from dbus import SystemBus, Interface + from dbus.exceptions import DBusException + HAVE_DBUS=True +except ImportError: + pass DOCUMENTATION = ''' --- @@ -102,14 +107,6 @@ def migrate_node_facts(facts): facts['node'][param] = facts[role].pop(param) return facts -def migrate_local_facts(facts): - """ Apply migrations of local facts """ - migrated_facts = copy.deepcopy(facts) - migrated_facts = migrate_docker_facts(migrated_facts) - migrated_facts = migrate_common_facts(migrated_facts) - migrated_facts = migrate_node_facts(migrated_facts) - migrated_facts = migrate_hosted_facts(migrated_facts) - return migrated_facts def migrate_hosted_facts(facts): """ Apply migrations for master facts """ 
@@ -128,6 +125,30 @@ def migrate_hosted_facts(facts): facts['hosted']['registry']['selector'] = facts['master'].pop('registry_selector') return facts +def migrate_admission_plugin_facts(facts): + if 'master' in facts: + if 'kube_admission_plugin_config' in facts['master']: + if 'admission_plugin_config' not in facts['master']: + facts['master']['admission_plugin_config'] = dict() + # Merge existing kube_admission_plugin_config with admission_plugin_config. + facts['master']['admission_plugin_config'] = merge_facts(facts['master']['admission_plugin_config'], + facts['master']['kube_admission_plugin_config'], + additive_facts_to_overwrite=[], + protected_facts_to_overwrite=[]) + # Remove kube_admission_plugin_config fact + facts['master'].pop('kube_admission_plugin_config', None) + return facts + +def migrate_local_facts(facts): + """ Apply migrations of local facts """ + migrated_facts = copy.deepcopy(facts) + migrated_facts = migrate_docker_facts(migrated_facts) + migrated_facts = migrate_common_facts(migrated_facts) + migrated_facts = migrate_node_facts(migrated_facts) + migrated_facts = migrate_hosted_facts(migrated_facts) + migrated_facts = migrate_admission_plugin_facts(migrated_facts) + return migrated_facts + def first_ip(network): """ Return the first IPv4 address in network 
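Review bot: `migrate_admission_plugin_facts` is the only migrate function visible in this hunk without a docstring, and the merge direction should be documented. The legacy `kube_admission_plugin_config` is passed as the second argument to `merge_facts`, which is defined outside this hunk. If that argument takes precedence, stale legacy plugin settings would override values already stored under `admission_plugin_config`. Add a docstring such as `""" Fold legacy master.kube_admission_plugin_config into master.admission_plugin_config and drop the legacy key """` and state in it which side wins on conflicting keys.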
@@ -1567,14 +1588,14 @@ def set_proxy_facts(facts): builddefaults['git_http_proxy'] = builddefaults['http_proxy'] if 'git_https_proxy' not in builddefaults and 'https_proxy' in builddefaults: builddefaults['git_https_proxy'] = builddefaults['https_proxy'] - # If we're actually defining a proxy config then create kube_admission_plugin_config + # If we're actually defining a proxy config then create admission_plugin_config # if it doesn't exist, then merge builddefaults[config] structure - # into kube_admission_plugin_config - if 'kube_admission_plugin_config' not in facts['master']: - facts['master']['kube_admission_plugin_config'] = dict() + # into admission_plugin_config + if 'admission_plugin_config' not in facts['master']: + facts['master']['admission_plugin_config'] = dict() if 'config' in builddefaults and ('http_proxy' in builddefaults or \ 'https_proxy' in builddefaults): - facts['master']['kube_admission_plugin_config'].update(builddefaults['config']) + facts['master']['admission_plugin_config'].update(builddefaults['config']) facts['builddefaults'] = builddefaults return facts @@ -2277,6 +2298,9 @@ def main(): add_file_common_args=True, ) + if not HAVE_DBUS: + module.fail_json(msg="This module requires dbus python bindings") + module.params['gather_subset'] = ['hardware', 'network', 'virtual', 'facter'] module.params['gather_timeout'] = 10 module.params['filter'] = '*' diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index 4d4a232cc..70cf49dd4 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml 
@@ -10,12 +10,11 @@ - set_fact: l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}" -- name: Ensure PyYaml is installed - action: "{{ ansible_pkg_mgr }} name=PyYAML state=present" - when: not l_is_atomic | bool - -- name: Ensure yum-utils is installed - action: "{{ ansible_pkg_mgr }} name=yum-utils state=present" +- name: Ensure PyYaml and yum-utils are installed + package: name={{ item }} state=present + with_items: + - PyYAML + - yum-utils when: not l_is_atomic | bool - name: Gather Cluster facts and set is_containerized if needed diff --git a/roles/openshift_loadbalancer/README.md b/roles/openshift_loadbalancer/README.md index 03e837e46..bea4c509b 100644 --- a/roles/openshift_loadbalancer/README.md +++ b/roles/openshift_loadbalancer/README.md @@ -6,6 +6,8 @@ OpenShift HaProxy Loadbalancer Configuration Requirements ------------ +* Ansible 2.2 + This role is intended to be applied to the [lb] host group which is separate from OpenShift infrastructure components. diff --git a/roles/openshift_loadbalancer/handlers/main.yml b/roles/openshift_loadbalancer/handlers/main.yml index 5b8691b26..3bf052460 100644 --- a/roles/openshift_loadbalancer/handlers/main.yml +++ b/roles/openshift_loadbalancer/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart haproxy - service: + systemd: name: haproxy state: restarted when: not (haproxy_start_result_changed | default(false) | bool) diff --git a/roles/openshift_loadbalancer/meta/main.yml b/roles/openshift_loadbalancer/meta/main.yml index 0b29df2a0..0dffb545f 100644 --- a/roles/openshift_loadbalancer/meta/main.yml +++ b/roles/openshift_loadbalancer/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: OpenShift haproxy loadbalancer company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9 + min_ansible_version: 2.2 platforms: - name: EL versions: 
diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml index 863738143..400f80715 100644 --- a/roles/openshift_loadbalancer/tasks/main.yml +++ b/roles/openshift_loadbalancer/tasks/main.yml @@ -3,7 +3,7 @@ when: openshift.common.is_containerized | bool - name: Install haproxy - action: "{{ ansible_pkg_mgr }} name=haproxy state=present" + package: name=haproxy state=present - name: Configure systemd service directory for haproxy file: @@ -27,11 +27,6 @@ option: LimitNOFILE value: "{{ openshift_loadbalancer_limit_nofile | default(100000) }}" notify: restart haproxy - register: nofile_limit_result - -- name: Reload systemd if needed - command: systemctl daemon-reload - when: nofile_limit_result | changed - name: Configure haproxy template: @@ -43,10 +38,11 @@ notify: restart haproxy - name: Enable and start haproxy - service: + systemd: name: haproxy state: started enabled: yes + daemon_reload: yes register: start_result - set_fact: diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml index 28e4e46e9..c06758833 100644 --- a/roles/openshift_manage_node/tasks/main.yml +++ b/roles/openshift_manage_node/tasks/main.yml 
@@ -3,18 +3,51 @@ command: mktemp -d /tmp/openshift-ansible-XXXXXX register: mktemp changed_when: False + delegate_to: "{{ openshift_master_host }}" + run_once: true - set_fact: openshift_manage_node_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + delegate_to: "{{ openshift_master_host }}" + run_once: true - name: Copy the admin client config(s) command: > cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_manage_node_kubeconfig }} changed_when: False + delegate_to: "{{ openshift_master_host }}" + run_once: true + +# Necessary because when you're on a node that's also a master the master will be +# restarted after the node restarts docker and it will take up to 60 seconds for +# systemd to start the master again +- name: Wait for master API to become available before proceeding + # Using curl here since the uri module requires python-httplib2 and + # wait_for port doesn't provide health information. + command: > + curl --silent --tlsv1.2 + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} + {{ openshift_node_master_api_url }}/healthz/ready + args: + # Disables the following warning: + # Consider using get_url or uri module rather than running curl + warn: no + register: api_available_output + until: api_available_output.stdout == 'ok' + retries: 120 + delay: 1 + changed_when: false + when: openshift.common.is_containerized | bool + delegate_to: "{{ openshift_master_host }}" + run_once: true - name: Wait for Node Registration command: > - {{ openshift.common.client_binary }} get node {{ hostvars[item].openshift.node.nodename }} + {{ hostvars[openshift_master_host].openshift.common.client_binary }} get node {{ openshift.node.nodename }} --config={{ openshift_manage_node_kubeconfig }} -n default register: omd_get_node 
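Review bot: The new "Wait for master API to become available before proceeding" task in roles/openshift_manage_node/tasks/main.yml is delegated to `openshift_master_host`, but its `when`, the `version_gte_3_2_or_1_2` test and the `--cacert` path are read from `openshift.common` of the current node, which with `run_once` appears to be the first host in the batch. If that host is not containerized, or its `config_base` differs from the master's, the wait is skipped or curl cannot find the CA file it should verify the API certificate against. The same hunk already uses `hostvars[openshift_master_host].openshift.common.client_binary` for the registration command, and the same lookup fits here, for example `when: hostvars[openshift_master_host].openshift.common.is_containerized | bool`. Keep `--cacert` and `--tlsv1.2` as they are, so the health check keeps validating the certificate. The "Wait for Node Registration" task continues past the end of this hunk.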
@@ -22,26 +55,29 @@ retries: 50 delay: 5 changed_when: false - with_items: "{{ openshift_nodes }}" + when: "'nodename' in openshift.node" + delegate_to: "{{ openshift_master_host }}" - name: Set node schedulability command: > - {{ openshift.common.client_binary }} adm manage-node {{ hostvars[item].openshift.node.nodename }} --schedulable={{ 'true' if hostvars[item].openshift.node.schedulable | bool else 'false' }} + {{ hostvars[openshift_master_host].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename }} --schedulable={{ 'true' if openshift.node.schedulable | bool else 'false' }} --config={{ openshift_manage_node_kubeconfig }} -n default - with_items: "{{ openshift_nodes }}" - when: hostvars[item].openshift.node.nodename is defined + when: "'nodename' in openshift.node" + delegate_to: "{{ openshift_master_host }}" - name: Label nodes command: > - {{ openshift.common.client_binary }} label --overwrite node {{ hostvars[item].openshift.node.nodename }} {{ hostvars[item].openshift.node.labels | oo_combine_dict }} + {{ hostvars[openshift_master_host].openshift.common.client_binary }} label --overwrite node {{ openshift.node.nodename }} {{ openshift.node.labels | oo_combine_dict }} --config={{ openshift_manage_node_kubeconfig }} -n default - with_items: "{{ openshift_nodes }}" - when: hostvars[item].openshift.node.nodename is defined and 'labels' in hostvars[item].openshift.node and hostvars[item].openshift.node.labels != {} + when: "'nodename' in openshift.node and 'labels' in openshift.node and openshift.node.labels != {}" + delegate_to: "{{ openshift_master_host }}" - name: Delete temp directory file: name: "{{ mktemp.stdout }}" state: absent changed_when: False + delegate_to: "{{ openshift_master_host }}" + run_once: true diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml index bdaf64b3f..a7214482f 100644 --- a/roles/openshift_manageiq/tasks/main.yaml +++ b/roles/openshift_manageiq/tasks/main.yaml 
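Review bot: "Delete temp directory" in roles/openshift_manage_node/tasks/main.yml only runs if every task before it succeeds, so a failure in "Wait for Node Registration", "Set node schedulability" or "Label nodes" leaves the copy of `admin.kubeconfig` in the `/tmp/openshift-ansible-XXXXXX` directory on the master. That file carries cluster-admin credentials, and the copy is created in the previous hunk of this file. Putting the three per-node tasks under `block:` and the delete under `always:` would remove it on failure as well. Because the delete is `run_once`, check that it cannot run before the remaining nodes have finished using the kubeconfig.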
@@ -50,6 +50,16 @@ failed_when: "'already exists' not in osmiq_create_cluster_role.stderr and osmiq_create_cluster_role.rc != 0" changed_when: osmiq_create_cluster_role.rc == 0 +- name: Create Hawkular Metrics Admin Cluster Role + shell: > + echo {{ manageiq_metrics_admin_clusterrole | to_json | quote }} | + {{ openshift.common.client_binary }} + --config={{manage_iq_tmp_conf}} + create -f - + register: oshawkular_create_cluster_role + failed_when: "'already exists' not in oshawkular_create_cluster_role.stderr and oshawkular_create_cluster_role.rc != 0" + changed_when: oshawkular_create_cluster_role.rc == 0 + - name: Configure role/user permissions command: > {{ openshift.common.client_binary }} adm {{item}} diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml index 6a0c5b41b..37d4679ef 100644 --- a/roles/openshift_manageiq/vars/main.yml +++ b/roles/openshift_manageiq/vars/main.yml @@ -9,6 +9,20 @@ manageiq_cluster_role: verbs: - '*' +manageiq_metrics_admin_clusterrole: + apiVersion: v1 + kind: ClusterRole + metadata: + name: hawkular-metrics-admin + rules: + - apiGroups: + - "" + resources: + - hawkular-metrics + - hawkular-alerts + verbs: + - '*' + manageiq_service_account: apiVersion: v1 kind: ServiceAccount @@ -31,6 +45,7 @@ manage_iq_tasks: - policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin - policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin - policy add-cluster-role-to-user self-provisioner system:serviceaccount:management-infra:management-admin + - policy add-cluster-role-to-user hawkular-metrics-admin system:serviceaccount:management-infra:management-admin manage_iq_openshift_3_2_tasks: - policy add-cluster-role-to-user system:image-auditor system:serviceaccount:management-infra:management-admin diff --git a/roles/openshift_master/README.md b/roles/openshift_master/README.md index 663ac08b8..c3300a7ef 100644 
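Review bot: The new "Create Hawkular Metrics Admin Cluster Role" task in roles/openshift_manageiq/tasks/main.yaml treats `already exists` as success, so a `hawkular-metrics-admin` role that is already present with different rules is kept as it is and then bound to `management-admin`. The task does not reconcile the role with `manageiq_metrics_admin_clusterrole`, and a comment should say so, for example `# NOTE: an existing hawkular-metrics-admin role is not updated; its rules may differ from vars/main.yml`. Since this is a `shell` task, the config path deserves the same treatment as the JSON payload: `--config={{ manage_iq_tmp_conf | quote }}`.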
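Review bot: `manageiq_metrics_admin_clusterrole` in roles/openshift_manageiq/vars/main.yml grants `'*'` on `hawkular-metrics` and `hawkular-alerts`, and the last hunk of this file binds that role cluster-wide to `system:serviceaccount:management-infra:management-admin`. Which verbs ManageIQ really needs is not visible here; if it is a subset, list those verbs instead of the wildcard. If the wildcard is required, a comment above the variable should record the reason, for example `# ManageIQ needs full access to Hawkular metrics and alerts, hence verbs '*'`.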
--- a/roles/openshift_master/README.md +++ b/roles/openshift_master/README.md @@ -6,7 +6,8 @@ Master service installation Requirements ------------ -A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, +* Ansible 2.2 +* A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, rhel-7-server-extras-rpms, and rhel-7-server-ose-3.0-rpms repos. Role Variables diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml index e119db1a2..69c5a1663 100644 --- a/roles/openshift_master/handlers/main.yml +++ b/roles/openshift_master/handlers/main.yml @@ -1,16 +1,16 @@ --- - name: restart master - service: name={{ openshift.common.service_type }}-master state=restarted + systemd: name={{ openshift.common.service_type }}-master state=restarted when: (openshift.master.ha is not defined or not openshift.master.ha | bool) and (not (master_service_status_changed | default(false) | bool)) notify: Verify API Server - name: restart master api - service: name={{ openshift.common.service_type }}-master-api state=restarted + systemd: name={{ openshift.common.service_type }}-master-api state=restarted when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' notify: Verify API Server - name: restart master controllers - service: name={{ openshift.common.service_type }}-master-controllers state=restarted + systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' - name: Verify API Server diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index a2f665702..7457e4378 100644 --- a/roles/openshift_master/meta/main.yml 
+++ b/roles/openshift_master/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: Master company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 2.1 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 1d6758c4a..2de5cd3f3 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -24,7 +24,9 @@ when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and openshift.common.is_containerized | bool - name: Install Master package - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: not openshift.common.is_containerized | bool - name: Pull master image @@ -62,9 +64,9 @@ args: creates: "{{ openshift_master_policy }}" notify: - - restart master - - restart master api - - restart master controllers + - restart master + - restart master api + - restart master controllers - name: Create the scheduler config copy: @@ -72,12 +74,12 @@ dest: "{{ openshift_master_scheduler_conf }}" backup: true notify: - - restart master - - restart master api - - restart master controllers + - restart master + - restart master api + - restart master controllers - name: Install httpd-tools if needed - action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present" + package: name=httpd-tools state=present when: (item.kind == 'HTPasswdPasswordIdentityProvider') and not openshift.common.is_atomic | bool with_items: "{{ openshift.master.identity_providers }}" 
@@ -145,8 +147,8 @@ mode: 0600 when: openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined notify: - - restart master - - restart master api + - restart master + - restart master api - set_fact: translated_identity_providers: "{{ openshift.master.identity_providers | translate_idps('v1', openshift.common.version, openshift.common.deployment_type) }}" @@ -161,9 +163,9 @@ group: root mode: 0600 notify: - - restart master - - restart master api - - restart master controllers + - restart master + - restart master api + - restart master controllers - include: set_loopback_context.yml when: openshift.common.version_gte_3_2_or_1_2 @@ -177,7 +179,10 @@ # https://github.com/openshift/origin/issues/6065 # https://github.com/openshift/origin/issues/6447 - name: Start and enable master - service: name={{ openshift.common.service_type }}-master enabled=yes state=started + systemd: + name: "{{ openshift.common.service_type }}-master" + enabled: yes + state: started when: not openshift_master_ha | bool register: start_result until: not start_result | failed 
@@ -185,29 +190,30 @@ delay: 60 notify: Verify API Server -- name: Check for non-HA master service presence - command: systemctl show {{ openshift.common.service_type }}-master.service - register: master_svc_show - changed_when: false - failed_when: false - - name: Stop and disable non-HA master when running HA - service: + systemd: name: "{{ openshift.common.service_type }}-master" enabled: no state: stopped - when: openshift_master_ha | bool and master_svc_show.rc == 0 and 'LoadState=not-found' not in master_svc_show.stdout + when: openshift_master_ha | bool + register: task_result + failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" - set_fact: master_service_status_changed: "{{ start_result | changed }}" when: not openshift_master_ha | bool - name: Mask master service - command: systemctl mask {{ openshift.common.service_type }}-master - when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and not openshift.common.is_containerized | bool + systemd: + name: "{{ openshift.common.service_type }}-master" + masked: yes + when: > + openshift_master_ha | bool and + openshift.master.cluster_method == 'native' and + not openshift.common.is_containerized | bool - name: Start and enable master api on first master - service: + systemd: name: "{{ openshift.common.service_type }}-master-api" enabled: yes state: started @@ -226,7 +232,7 @@ when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' - name: Start and enable master api all masters - service: + systemd: name: "{{ openshift.common.service_type }}-master-api" enabled: yes state: started @@ -262,7 +268,7 @@ when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and master_api_service_status_changed | bool - name: Start and enable master controller on first master - service: + systemd: name: "{{ openshift.common.service_type }}-master-controllers" enabled: yes state: started 
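Review bot: The new `failed_when` on "Stop and disable non-HA master when running HA" in roles/openshift_master/tasks/main.yml ignores every failure whose message contains `could not`, which is wider than the removed `LoadState=not-found` check it replaces. A stop or disable that fails for another reason with similar wording would pass silently and leave the non-HA master running next to the HA services. Matching the full wording for a missing unit narrows it, for example `failed_when: "task_result|failed and 'could not find the requested service' not in task_result.msg|lower"`. Confirm the exact text against the systemd module of the Ansible version in use.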
@@ -272,12 +278,13 @@ retries: 1 delay: 60 -- pause: +- name: Wait for master controller service to start on first master + pause: seconds: 15 when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' - name: Start and enable master controller on all masters - service: + systemd: name: "{{ openshift.common.service_type }}-master-controllers" enabled: yes state: started @@ -292,13 +299,16 @@ when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' - name: Install cluster packages - action: "{{ ansible_pkg_mgr }} name=pcs state=present" + package: name=pcs state=present when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' and not openshift.common.is_containerized | bool register: install_result - name: Start and enable cluster service - service: name=pcsd enabled=yes state=started + systemd: + name: pcsd + enabled: yes + state: started when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' and not openshift.common.is_containerized | bool diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index a52ae578c..dc9226a5a 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -1,7 +1,4 @@ admissionConfig: -{% if 'admission_plugin_order' in openshift.master %} - pluginOrderOverride:{{ openshift.master.admission_plugin_order | to_padded_yaml(level=2) }} -{% endif %} {% if 'admission_plugin_config' in openshift.master %} pluginConfig:{{ openshift.master.admission_plugin_config | to_padded_yaml(level=2) }} {% endif %} 
@@ -116,13 +113,6 @@ kubernetesMasterConfig: - v1beta3 - v1 {% endif %} - admissionConfig: -{% if 'kube_admission_plugin_order' in openshift.master %} - pluginOrderOverride:{{ openshift.master.kube_admission_plugin_order | to_padded_yaml(level=3) }} -{% endif %} -{% if 'kube_admission_plugin_config' in openshift.master %} - pluginConfig:{{ openshift.master.kube_admission_plugin_config | to_padded_yaml(level=3) }} -{% endif %} apiServerArguments: {{ openshift.master.api_server_args | default(None) | to_padded_yaml( level=2 ) }} controllerArguments: {{ openshift.master.controller_args | default(None) | to_padded_yaml( level=2 ) }} masterCount: {{ openshift.master.master_count if openshift.master.cluster_method | default(None) == 'native' else 1 }} diff --git a/roles/openshift_master_cluster/README.md b/roles/openshift_master_cluster/README.md index f150981fa..58dd19ac3 100644 --- a/roles/openshift_master_cluster/README.md +++ b/roles/openshift_master_cluster/README.md @@ -6,7 +6,7 @@ TODO Requirements ------------ -TODO +* Ansible 2.2 Role Variables -------------- diff --git a/roles/openshift_master_cluster/meta/main.yml b/roles/openshift_master_cluster/meta/main.yml index 0c8881521..f2a67bc54 100644 --- a/roles/openshift_master_cluster/meta/main.yml +++ b/roles/openshift_master_cluster/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml index 62ac1aef5..1f27a2c1d 100644 --- a/roles/openshift_master_facts/tasks/main.yml +++ b/roles/openshift_master_facts/tasks/main.yml 
@@ -66,10 +66,8 @@ master_image: "{{ osm_image | default(None) }}" scheduler_predicates: "{{ openshift_master_scheduler_predicates | default(None) }}" scheduler_priorities: "{{ openshift_master_scheduler_priorities | default(None) }}" - admission_plugin_order: "{{openshift_master_admission_plugin_order | default(None) }}" admission_plugin_config: "{{openshift_master_admission_plugin_config | default(None) }}" - kube_admission_plugin_order: "{{openshift_master_kube_admission_plugin_order | default(None) }}" - kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" + kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config oauth_template: "{{ openshift_master_oauth_template | default(None) }}" # deprecated in origin 1.2 / OSE 3.2 oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}" oauth_always_show_provider_selection: "{{ openshift_master_oauth_always_show_provider_selection | default(None) }}" diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index 30a0a608d..f3c0f3474 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md @@ -5,8 +5,10 @@ OpenShift Metrics Installation Requirements ------------ -It requires subdomain fqdn to be set. -If persistence is enabled, then it also requires NFS. + +* Ansible 2.2 +* It requires subdomain fqdn to be set. +* If persistence is enabled, then it also requires NFS. Role Variables -------------- diff --git a/roles/openshift_metrics/handlers/main.yml b/roles/openshift_metrics/handlers/main.yml index e119db1a2..69c5a1663 100644 --- a/roles/openshift_metrics/handlers/main.yml +++ b/roles/openshift_metrics/handlers/main.yml 
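Review bot: With `admission_plugin_order` and `kube_admission_plugin_order` removed from the facts in roles/openshift_master_facts/tasks/main.yml, and `pluginOrderOverride` removed from master.yaml.v1.j2, an inventory that still sets `openshift_master_admission_plugin_order` or `openshift_master_kube_admission_plugin_order` is accepted and ignored without any message. Admission plugins enforce cluster policy, so a silent change in which ones run, or in what order, should be visible to the operator. A guard task would do that, for example `- fail: msg="openshift_master_admission_plugin_order is no longer supported"` with `when: openshift_master_admission_plugin_order is defined`. The trailing comment says `kube_admission_plugin_config` is merged with `admission_plugin_config`, but the merge is not in this hunk and the template no longer renders `kubernetesMasterConfig.admissionConfig`, so check that it really happens. The `openshift_facts` task edited here begins and ends outside the hunk.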
@@ -1,16 +1,16 @@ --- - name: restart master - service: name={{ openshift.common.service_type }}-master state=restarted + systemd: name={{ openshift.common.service_type }}-master state=restarted when: (openshift.master.ha is not defined or not openshift.master.ha | bool) and (not (master_service_status_changed | default(false) | bool)) notify: Verify API Server - name: restart master api - service: name={{ openshift.common.service_type }}-master-api state=restarted + systemd: name={{ openshift.common.service_type }}-master-api state=restarted when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' notify: Verify API Server - name: restart master controllers - service: name={{ openshift.common.service_type }}-master-controllers state=restarted + systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' - name: Verify API Server diff --git a/roles/openshift_metrics/meta/main.yaml b/roles/openshift_metrics/meta/main.yaml index 5f8d4f5c5..a89467de5 100644 --- a/roles/openshift_metrics/meta/main.yaml +++ b/roles/openshift_metrics/meta/main.yaml @@ -1,3 +1,17 @@ +--- +galaxy_info: + author: David MartÃn + description: + company: + license: Apache License, Version 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system dependencies: - { role: openshift_examples } -- { role: openshift_facts }
\ No newline at end of file +- { role: openshift_facts } diff --git a/roles/openshift_node/README.md b/roles/openshift_node/README.md index cafecd343..d1920c485 100644 --- a/roles/openshift_node/README.md +++ b/roles/openshift_node/README.md @@ -6,10 +6,10 @@ Node service installation Requirements ------------ -One or more Master servers. - -A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, -rhel-7-server-extras-rpms, and rhel-7-server-ose-3.0-rpms repos. +* Ansible 2.2 +* One or more Master servers +* A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, +rhel-7-server-extras-rpms, and rhel-7-server-ose-3.0-rpms repos Role Variables -------------- diff --git a/roles/openshift_node/handlers/main.yml b/roles/openshift_node/handlers/main.yml index 34071964a..ebe584588 100644 --- a/roles/openshift_node/handlers/main.yml +++ b/roles/openshift_node/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart openvswitch - service: name=openvswitch state=restarted + systemd: name=openvswitch state=restarted when: not (ovs_service_status_changed | default(false) | bool) and openshift.common.use_openshift_sdn | bool notify: - restart openvswitch pause @@ -10,5 +10,5 @@ when: openshift.common.is_containerized | bool - name: restart node - service: name={{ openshift.common.service_type }}-node state=restarted + systemd: name={{ openshift.common.service_type }}-node state=restarted when: not (node_service_status_changed | default(false) | bool) diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 6022694bc..31d07838d 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
@@ -2,48 +2,60 @@ # TODO: allow for overriding default ports where possible - fail: msg: "SELinux is disabled, This deployment type requires that SELinux is enabled." - when: (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] + when: > + (not ansible_selinux or ansible_selinux.status != 'enabled') and + deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] - name: Set node facts openshift_facts: role: "{{ item.role }}" local_facts: "{{ item.local_facts }}" with_items: - # Reset node labels to an empty dictionary. - - role: node - local_facts: - labels: {} - - role: node - local_facts: - annotations: "{{ openshift_node_annotations | default(none) }}" - debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}" - iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}" - kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}" - labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}" - registry_url: "{{ oreg_url | default(none) }}" - schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" - sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" - storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" - set_node_ip: "{{ openshift_set_node_ip | default(None) }}" - node_image: "{{ osn_image | default(None) }}" - ovs_image: "{{ osn_ovs_image | default(None) }}" - proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}" - local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}" - dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}" - env_vars: "{{ openshift_node_env_vars | default(None) }}" + # Reset node labels to an empty dictionary. 
+ - role: node + local_facts: + labels: {} + - role: node + local_facts: + annotations: "{{ openshift_node_annotations | default(none) }}" + debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}" + iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}" + kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}" + labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}" + registry_url: "{{ oreg_url | default(none) }}" + schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" + sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" + storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" + set_node_ip: "{{ openshift_set_node_ip | default(None) }}" + node_image: "{{ osn_image | default(None) }}" + ovs_image: "{{ osn_ovs_image | default(None) }}" + proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}" + local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}" + dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}" + env_vars: "{{ openshift_node_env_vars | default(None) }}" # We have to add tuned-profiles in the same transaction otherwise we run into depsolving # problems because the rpms don't pin the version properly. This was fixed in 3.1 packaging. 
- name: Install Node package - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: not openshift.common.is_containerized | bool +- name: Check for tuned package + command: rpm -q tuned + register: tuned_installed + changed_when: false + failed_when: false + - name: Set atomic-guest tuned profile command: "tuned-adm profile atomic-guest" - when: openshift.common.is_atomic | bool + when: tuned_installed.rc == 0 and openshift.common.is_atomic | bool - name: Install sdn-ovs package - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: openshift.common.use_openshift_sdn and not openshift.common.is_containerized | bool - name: Pull node image @@ -70,7 +82,10 @@ sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes state=present reload=yes - name: Start and enable openvswitch docker service - service: name=openvswitch.service enabled=yes state=started + systemd: + name: openvswitch.service + enabled: yes + state: started when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool register: ovs_start_result 
@@ -92,7 +107,7 @@ group: root mode: 0600 notify: - - restart node + - restart node - name: Configure AWS Cloud Provider Settings lineinfile: @@ -108,7 +123,7 @@ no_log: True when: "openshift_cloudprovider_kind is defined and openshift_cloudprovider_kind == 'aws' and openshift_cloudprovider_aws_access_key is defined and openshift_cloudprovider_aws_secret_key is defined" notify: - - restart node + - restart node - name: Configure Node Environment Variables lineinfile: @@ -118,7 +133,7 @@ create: true with_dict: "{{ openshift.node.env_vars | default({}) }}" notify: - - restart node + - restart node - name: NFS storage plugin configuration include: storage_plugins/nfs.yml @@ -158,11 +173,17 @@ when: openshift.common.is_containerized | bool - name: Start and enable node dep - service: name={{ openshift.common.service_type }}-node-dep enabled=yes state=started + systemd: + name: "{{ openshift.common.service_type }}-node-dep" + enabled: yes + state: started when: openshift.common.is_containerized | bool - name: Start and enable node - service: name={{ openshift.common.service_type }}-node enabled=yes state=started + systemd: + name: "{{ openshift.common.service_type }}-node" + enabled: yes + state: started register: node_start_result until: not node_start_result | failed retries: 1 diff --git a/roles/openshift_node/tasks/storage_plugins/ceph.yml b/roles/openshift_node/tasks/storage_plugins/ceph.yml index eed3c99a3..037efe81a 100644 --- a/roles/openshift_node/tasks/storage_plugins/ceph.yml +++ b/roles/openshift_node/tasks/storage_plugins/ceph.yml @@ -1,4 +1,4 @@ --- - name: Install Ceph storage plugin dependencies - action: "{{ ansible_pkg_mgr }} name=ceph-common state=present" - when: not openshift.common.is_atomic | bool
\ No newline at end of file + package: name=ceph-common state=present + when: not openshift.common.is_atomic | bool diff --git a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml index 4fd9cd10b..7d8c42ee2 100644 --- a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml +++ b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml @@ -1,6 +1,6 @@ --- - name: Install GlusterFS storage plugin dependencies - action: "{{ ansible_pkg_mgr }} name=glusterfs-fuse state=present" + package: name=glusterfs-fuse state=present when: not openshift.common.is_atomic | bool - name: Check for existence of virt_use_fusefs seboolean diff --git a/roles/openshift_node/tasks/storage_plugins/iscsi.yml b/roles/openshift_node/tasks/storage_plugins/iscsi.yml index d6684b34a..1c5478c55 100644 --- a/roles/openshift_node/tasks/storage_plugins/iscsi.yml +++ b/roles/openshift_node/tasks/storage_plugins/iscsi.yml @@ -1,4 +1,4 @@ --- - name: Install iSCSI storage plugin dependencies - action: "{{ ansible_pkg_mgr }} name=iscsi-initiator-utils state=present" + package: name=iscsi-initiator-utils state=present when: not openshift.common.is_atomic | bool diff --git a/roles/openshift_node/tasks/storage_plugins/nfs.yml b/roles/openshift_node/tasks/storage_plugins/nfs.yml index 5f99f129c..d40ae66cb 100644 --- a/roles/openshift_node/tasks/storage_plugins/nfs.yml +++ b/roles/openshift_node/tasks/storage_plugins/nfs.yml @@ -1,6 +1,6 @@ --- - name: Install NFS storage plugin dependencies - action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" + package: name=nfs-utils state=present when: not openshift.common.is_atomic | bool - name: Check for existence of seboolean diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md index f56066b29..f4215950f 100644 --- a/roles/openshift_node_certificates/README.md +++ b/roles/openshift_node_certificates/README.md 
@@ -6,6 +6,8 @@ This role determines if OpenShift node certificates must be created, delegates c Requirements ------------ +* Ansible 2.2 + Role Variables -------------- diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml index f2299cecf..a74668b13 100644 --- a/roles/openshift_node_certificates/handlers/main.yml +++ b/roles/openshift_node_certificates/handlers/main.yml @@ -2,9 +2,9 @@ - name: update ca trust command: update-ca-trust notify: - - restart docker after updating ca trust + - restart docker after updating ca trust - name: restart docker after updating ca trust - service: + systemd: name: docker state: restarted diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml index 50a862ee9..93216c1d2 100644 --- a/roles/openshift_node_certificates/meta/main.yml +++ b/roles/openshift_node_certificates/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: OpenShift Node Certificates company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 2.1 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 69bcd3668..35f84c2cf 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -44,7 +44,7 @@ - name: Generate the node client config command: > - {{ openshift.common.client_binary }} adm create-api-client-config + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} 
@@ -63,7 +63,7 @@ - name: Generate the node server certificate command: > - {{ openshift.common.client_binary }} adm ca create-server-cert + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert --cert={{ openshift_node_generated_config_dir }}/server.crt --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key --overwrite=true diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh index ced0fa663..089c3f7e4 100755 --- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh +++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh @@ -28,7 +28,7 @@ cd /etc/sysconfig/network-scripts [ -f ../network ] && . ../network -if [[ $2 =~ ^(up|dhcp4-change)$ ]]; then +if [[ $2 =~ ^(up|dhcp4-change|dhcp6-change)$ ]]; then # If the origin-upstream-dns config file changed we need to restart NEEDS_RESTART=0 UPSTREAM_DNS='/etc/dnsmasq.d/origin-upstream-dns.conf' @@ -36,6 +36,7 @@ if [[ $2 =~ ^(up|dhcp4-change)$ ]]; then UPSTREAM_DNS_TMP=`mktemp` UPSTREAM_DNS_TMP_SORTED=`mktemp` CURRENT_UPSTREAM_DNS_SORTED=`mktemp` + NEW_RESOLV_CONF=`mktemp` ###################################################################### # couldn't find an existing method to determine if the interface owns the 
@@ -85,13 +86,17 @@ EOF systemctl restart dnsmasq fi - sed -i '0,/^nameserver/ s/^nameserver.*$/nameserver '"${def_route_ip}"'/g' /etc/resolv.conf - - if ! grep -q '99-origin-dns.sh' /etc/resolv.conf; then - echo "# nameserver updated by /etc/NetworkManager/dispatcher.d/99-origin-dns.sh" >> /etc/resolv.conf + # Only if dnsmasq is running properly make it our only nameserver + if `systemctl -q is-active dnsmasq.service`; then + sed -e '/^nameserver.*$/d' /etc/resolv.conf > ${NEW_RESOLV_CONF} + echo "nameserver "${def_route_ip}"" >> ${NEW_RESOLV_CONF} + if ! grep -q '99-origin-dns.sh' ${NEW_RESOLV_CONF}; then + echo "# nameserver updated by /etc/NetworkManager/dispatcher.d/99-origin-dns.sh" >> ${NEW_RESOLV_CONF} + fi + cp -Z ${NEW_RESOLV_CONF} /etc/resolv.conf fi fi # Clean up after yourself - rm -f $UPSTREAM_DNS_TMP $UPSTREAM_DNS_TMP_SORTED $CURRENT_UPSTREAM_DNS_SORTED + rm -f $UPSTREAM_DNS_TMP $UPSTREAM_DNS_TMP_SORTED $CURRENT_UPSTREAM_DNS_SORTED $NEW_RESOLV_CONF fi diff --git a/roles/openshift_node_dnsmasq/handlers/main.yml b/roles/openshift_node_dnsmasq/handlers/main.yml index 7d43b6106..b4a0c3583 100644 --- a/roles/openshift_node_dnsmasq/handlers/main.yml +++ b/roles/openshift_node_dnsmasq/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart NetworkManager - service: + systemd: name: NetworkManager state: restarted - name: restart dnsmasq - service: + systemd: name: dnsmasq state: restarted diff --git a/roles/openshift_node_dnsmasq/meta/main.yml b/roles/openshift_node_dnsmasq/meta/main.yml index c83d64ae4..18e04e06d 100644 --- a/roles/openshift_node_dnsmasq/meta/main.yml +++ b/roles/openshift_node_dnsmasq/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: OpenShift Node DNSMasq support company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 2.2 platforms: - name: EL versions: 
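Review bot: The new resolv.conf rewrite in the `@@ -85,13 +86,17 @@` hunk leaves its expansions unquoted: in `echo "nameserver "${def_route_ip}""` the quotes close before the variable, and `${NEW_RESOLV_CONF}` is bare in both redirects, the `grep` and `cp -Z`. This is a NetworkManager dispatcher script that edits `/etc/resolv.conf`, so I would write `echo "nameserver ${def_route_ip}" >> "${NEW_RESOLV_CONF}"` and quote the temp path everywhere. I would also drop the backticks from the test, giving `if systemctl -q is-active dnsmasq.service; then`, since the backtick form only works because `-q` prints nothing. Every existing `nameserver` line is now deleted instead of only the first being rewritten, so an empty `def_route_ip` would leave the file with no usable resolver. Whether it is checked earlier is outside this hunk, so adding `&& [ -n "${def_route_ip}" ]` to the same `if` is worth confirming.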
diff --git a/roles/openshift_node_dnsmasq/tasks/main.yml b/roles/openshift_node_dnsmasq/tasks/main.yml index 396c27295..3311f7006 100644 --- a/roles/openshift_node_dnsmasq/tasks/main.yml +++ b/roles/openshift_node_dnsmasq/tasks/main.yml @@ -4,13 +4,14 @@ systemctl show NetworkManager register: nm_show changed_when: false + ignore_errors: True - name: Set fact using_network_manager set_fact: network_manager_active: "{{ True if 'ActiveState=active' in nm_show.stdout else False }}" - name: Install dnsmasq - action: "{{ ansible_pkg_mgr }} name=dnsmasq state=installed" + package: name=dnsmasq state=installed when: not openshift.common.is_atomic | bool - name: Install dnsmasq configuration @@ -21,16 +22,16 @@ - name: Deploy additional dnsmasq.conf template: - src: "{{ openshift_node_dnsmasq_additional_config_file }}" - dest: /etc/dnsmasq.d/openshift-ansible.conf - owner: root - group: root - mode: 0644 + src: "{{ openshift_node_dnsmasq_additional_config_file }}" + dest: /etc/dnsmasq.d/openshift-ansible.conf + owner: root + group: root + mode: 0644 when: openshift_node_dnsmasq_additional_config_file is defined notify: restart dnsmasq - name: Enable dnsmasq - service: + systemd: name: dnsmasq enabled: yes state: started diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index 9be168611..d5ed9c09d 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml @@ -12,7 +12,7 @@ when: not openshift.common.is_containerized | bool - name: Ensure libselinux-python is installed - action: "{{ ansible_pkg_mgr }} name=libselinux-python state=present" + package: name=libselinux-python state=present when: not openshift.common.is_containerized | bool - name: Create any additional repos that are defined 
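Review bot: The `ignore_errors: True` added to the `systemctl show NetworkManager` probe in the `@@ -4,13 +4,14 @@` hunk still reports the task as failed in the play output, and the following `set_fact` reads `nm_show.stdout` regardless. For a read-only probe `failed_when: false` states the intent more directly. Using `nm_show.stdout | default('')` in the `network_manager_active` expression would keep that template from erroring if the failed result carries no stdout, though I cannot tell from the hunk whether that case occurs. The probe task begins above the hunk's first line.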
@@ -37,6 +37,7 @@ when: ansible_os_family == "RedHat" and ansible_distribution != "Fedora" and openshift_deployment_type == 'origin' and not openshift.common.is_containerized | bool + and openshift_enable_origin_repo | default(true) - name: Configure origin yum repositories RHEL/CentOS copy: @@ -46,3 +47,4 @@ when: ansible_os_family == "RedHat" and ansible_distribution != "Fedora" and openshift_deployment_type == 'origin' and not openshift.common.is_containerized | bool + and openshift_enable_origin_repo | default(true) diff --git a/roles/openshift_storage_nfs/README.md b/roles/openshift_storage_nfs/README.md index b0480a958..817b007e8 100644 --- a/roles/openshift_storage_nfs/README.md +++ b/roles/openshift_storage_nfs/README.md @@ -6,10 +6,10 @@ OpenShift NFS Server Installation Requirements ------------ -This role is intended to be applied to the [nfs] host group which is +* Ansible 2.2 +* This role is intended to be applied to the [nfs] host group which is separate from OpenShift infrastructure components. - -Requires access to the 'nfs-utils' package. +* Requires access to the 'nfs-utils' package. Role Variables -------------- diff --git a/roles/openshift_storage_nfs/handlers/main.yml b/roles/openshift_storage_nfs/handlers/main.yml index a1377a203..0d1149db8 100644 --- a/roles/openshift_storage_nfs/handlers/main.yml +++ b/roles/openshift_storage_nfs/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart nfs-server - service: + systemd: name: nfs-server state: restarted when: not (nfs_service_status_changed | default(false)) diff --git a/roles/openshift_storage_nfs/meta/main.yml b/roles/openshift_storage_nfs/meta/main.yml index 865865d9c..62e38bd8c 100644 --- a/roles/openshift_storage_nfs/meta/main.yml +++ b/roles/openshift_storage_nfs/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: OpenShift NFS Server company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9 + min_ansible_version: 2.2 platforms: - name: EL versions: 
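Review bot: The new `and openshift_enable_origin_repo | default(true)` clause, here and in the `@@ -46,3 +47,4 @@` hunk that follows, lacks the `| bool` filter that the neighbouring `openshift.common.is_containerized` test uses. If the variable arrives as a string (for example `false` in an INI inventory or via `-e`), Jinja treats the non-empty string as true. The origin repository is then still configured on the host even though the operator asked for it to be disabled. `and openshift_enable_origin_repo | default(true) | bool` makes the switch behave as written. The tasks these conditions belong to begin outside the hunks.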
diff --git a/roles/openshift_storage_nfs/tasks/main.yml b/roles/openshift_storage_nfs/tasks/main.yml index 4716c77ae..fd935f105 100644 --- a/roles/openshift_storage_nfs/tasks/main.yml +++ b/roles/openshift_storage_nfs/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install nfs-utils - action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" + package: name=nfs-utils state=present - name: Configure NFS lineinfile: @@ -10,7 +10,7 @@ register: nfs_config - name: Restart nfs-config - service: name=nfs-config state=restarted + systemd: name=nfs-config state=restarted when: nfs_config | changed - name: Ensure exports directory exists @@ -26,9 +26,9 @@ owner: nfsnobody group: nfsnobody with_items: - - "{{ openshift.hosted.registry }}" - - "{{ openshift.hosted.metrics }}" - - "{{ openshift.hosted.logging }}" + - "{{ openshift.hosted.registry }}" + - "{{ openshift.hosted.metrics }}" + - "{{ openshift.hosted.logging }}" - name: Configure exports @@ -36,7 +36,7 @@ dest: /etc/exports.d/openshift-ansible.exports src: exports.j2 notify: - - restart nfs-server + - restart nfs-server # Now that we're putting our exports in our own file clean up the old ones - name: register exports @@ -51,16 +51,14 @@ with_items: "{{ exports_out.stdout_lines | default([]) }}" when: exports_out.rc == 0 notify: - - restart nfs-server + - restart nfs-server - name: Enable and start services - service: - name: "{{ item }}" + systemd: + name: nfs-server state: started enabled: yes register: start_result - with_items: - - nfs-server - set_fact: nfs_service_status_changed: "{{ start_result | changed }}" diff --git a/roles/openshift_storage_nfs_lvm/README.md b/roles/openshift_storage_nfs_lvm/README.md index 3680ef5b5..8b8471745 100644 --- a/roles/openshift_storage_nfs_lvm/README.md +++ b/roles/openshift_storage_nfs_lvm/README.md 
@@ -8,10 +8,9 @@ create persistent volumes. ## Requirements -* NFS server with NFS, iptables, and everything setup. - +* Ansible 2.2 +* NFS server with NFS, iptables, and everything setup * A lvm volume group created on the nfs server (default: openshiftvg) - * The lvm volume needs to have as much free space as you are allocating ## Role Variables diff --git a/roles/openshift_storage_nfs_lvm/handlers/main.yml b/roles/openshift_storage_nfs_lvm/handlers/main.yml index 52f3ceffe..9ce8b783d 100644 --- a/roles/openshift_storage_nfs_lvm/handlers/main.yml +++ b/roles/openshift_storage_nfs_lvm/handlers/main.yml @@ -1,3 +1,3 @@ --- - name: restart nfs - service: name=nfs-server state=restarted + systemd: name=nfs-server state=restarted diff --git a/roles/openshift_storage_nfs_lvm/meta/main.yml b/roles/openshift_storage_nfs_lvm/meta/main.yml index 62ea54883..bed1216f8 100644 --- a/roles/openshift_storage_nfs_lvm/meta/main.yml +++ b/roles/openshift_storage_nfs_lvm/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: Create LVM volumes and use them as openshift persistent volumes. company: Red Hat, Inc. license: license (Apache) - min_ansible_version: 1.4 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml index fc8de1cb5..03f4fcec0 100644 --- a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml +++ b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml 
@@ -1,17 +1,26 @@ --- - name: Install NFS server - action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" + package: name=nfs-utils state=present when: not openshift.common.is_containerized | bool - + - name: Start rpcbind - service: name=rpcbind state=started enabled=yes + systemd: + name: rpcbind + state: started + enabled: yes - name: Start nfs - service: name=nfs-server state=started enabled=yes + systemd: + name: nfs-server + state: started + enabled: yes - name: Export the directories lineinfile: dest=/etc/exports regexp="^{{ osnl_mount_dir }}/{{ item }} " line="{{ osnl_mount_dir }}/{{ item }} {{osnl_nfs_export_options}}" - with_sequence: start={{osnl_volume_num_start}} count={{osnl_number_of_volumes}} format={{osnl_volume_prefix}}{{osnl_volume_size}}g%04d + with_sequence: + start: "{{osnl_volume_num_start}}" + count: "{{osnl_number_of_volumes}}" + format: "{{osnl_volume_prefix}}{{osnl_volume_size}}g%04d" notify: restart nfs diff --git a/roles/openshift_storage_nfs_lvm/templates/nfs.json.j2 b/roles/openshift_storage_nfs_lvm/templates/nfs.json.j2 index 0f3d84e75..3c4d2f56c 100644 --- a/roles/openshift_storage_nfs_lvm/templates/nfs.json.j2 +++ b/roles/openshift_storage_nfs_lvm/templates/nfs.json.j2 @@ -11,7 +11,7 @@ "capacity": { "storage": "{{ osnl_volume_size }}Gi" }, - "accessModes": [ "ReadWriteMany" ], + "accessModes": [ "ReadWriteOnce", "ReadWriteMany" ], "persistentVolumeReclaimPolicy": "Recycle", "nfs": { "Server": "{{ inventory_hostname }}", diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md index c6c70b81d..c13c5dfc9 100644 --- a/roles/os_firewall/README.md +++ b/roles/os_firewall/README.md @@ -7,7 +7,7 @@ case (Adding/Removing rules based on protocol and port number). Requirements ------------ -None. +Ansible 2.2 Role Variables -------------- @@ -31,7 +31,6 @@ Use iptables and open tcp ports 80 and 443: --- - hosts: servers vars: - os_firewall_use_firewalld: false os_firewall_allow: - service: httpd port: 80/tcp 
@@ -46,6 +45,7 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80: --- - hosts: servers vars: + os_firewall_use_firewalld: true os_firewall_allow: - service: https port: 443/tcp diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/os_firewall/library/os_firewall_manage_iptables.py index bd638b69b..37bb16f35 100755 --- a/roles/os_firewall/library/os_firewall_manage_iptables.py +++ b/roles/os_firewall/library/os_firewall_manage_iptables.py @@ -139,7 +139,7 @@ class IpTablesManager(object): # pylint: disable=too-many-instance-attributes output = check_output(cmd, stderr=subprocess.STDOUT) # break the input rules into rows and columns - input_rules = [s.split() for s in output.split('\n')] + input_rules = [s.split() for s in to_native(output).split('\n')] # Find the last numbered rule last_rule_num = None @@ -269,5 +269,6 @@ def main(): # pylint: disable=redefined-builtin, unused-wildcard-import, wildcard-import # import module snippets from ansible.module_utils.basic import * +from ansible.module_utils._text import to_native if __name__ == '__main__': main() diff --git a/roles/os_firewall/meta/main.yml b/roles/os_firewall/meta/main.yml index 6df7c9f2b..dca5fc5ff 100644 --- a/roles/os_firewall/meta/main.yml +++ b/roles/os_firewall/meta/main.yml @@ -4,13 +4,13 @@ galaxy_info: description: os_firewall company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 2.2 platforms: - - name: EL - versions: - - 7 + - name: EL + versions: + - 7 categories: - - system + - system allow_duplicates: yes dependencies: -- { role: openshift_facts } + - role: openshift_facts diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml index 5ddca1fc0..1101870be 100644 --- a/roles/os_firewall/tasks/firewall/firewalld.yml +++ b/roles/os_firewall/tasks/firewall/firewalld.yml 
@@ -1,88 +1,45 @@ --- - name: Install firewalld packages - action: "{{ ansible_pkg_mgr }} name=firewalld state=present" + package: name=firewalld state=present when: not openshift.common.is_containerized | bool - register: install_result - -- name: Check if iptables-services is installed - command: rpm -q iptables-services - register: pkg_check - failed_when: pkg_check.rc > 1 - changed_when: no - name: Ensure iptables services are not enabled - service: + systemd: name: "{{ item }}" state: stopped enabled: no + masked: yes with_items: - - iptables - - ip6tables - when: pkg_check.rc == 0 - -- name: Reload systemd units - command: systemctl daemon-reload - when: install_result | changed - -- name: Determine if firewalld service masked - command: > - systemctl is-enabled firewalld - register: os_firewall_firewalld_masked_output - changed_when: false - failed_when: false - -- name: Unmask firewalld service - command: > - systemctl unmask firewalld - when: os_firewall_firewalld_masked_output.stdout == "masked" + - iptables + - ip6tables + register: task_result + failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" - name: Start and enable firewalld service - service: + systemd: name: firewalld state: started enabled: yes + masked: no + daemon_reload: yes register: result - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail pause: seconds=10 when: result | changed -- name: Mask iptables services - command: systemctl mask "{{ item }}" - register: result - changed_when: "'iptables' in result.stdout" - with_items: - - iptables - - ip6tables - when: pkg_check.rc == 0 - ignore_errors: yes - -# TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for -# enabling rules and making them permanent with the immediate flag - name: Add firewalld allow rules firewalld: port: "{{ item.port }}" - permanent: false - state: enabled - with_items: "{{ os_firewall_allow }}" - -- name: Persist 
firewalld allow rules - firewalld: - port: "{{ item.port }}" permanent: true + immediate: true state: enabled with_items: "{{ os_firewall_allow }}" - name: Remove firewalld allow rules firewalld: port: "{{ item.port }}" - permanent: false - state: disabled - with_items: "{{ os_firewall_deny }}" - -- name: Persist removal of firewalld allow rules - firewalld: - port: "{{ item.port }}" permanent: true + immediate: true state: disabled with_items: "{{ os_firewall_deny }}" diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 470d4f4f9..930b32cf2 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml 
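Review bot: The `failed_when: "task_result|failed and 'could not' not in task_result.msg|lower"` guard on "Ensure iptables services are not enabled" treats any failure whose message contains "could not" as success. The same guard appears on "Ensure firewalld service is not enabled" in the iptables.yml hunk. It presumably exists to tolerate the unit not being installed, now that the `rpm -q` pre-check is removed. The substring is broad enough to also hide a failure to stop or mask the competing firewall service, in which case the play continues with that service possibly still active. Matching the full not-installed message the module returns (confirm its exact wording for the targeted Ansible version), or keeping an explicit installed check, would narrow this. A one-line comment above `failed_when` naming the tolerated error would help either way.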
@@ -1,64 +1,28 @@ --- -- name: Check if firewalld is installed - command: rpm -q firewalld - args: - # Disables the following warning: - # Consider using yum, dnf or zypper module rather than running rpm - warn: no - register: pkg_check - failed_when: pkg_check.rc > 1 - changed_when: no - name: Ensure firewalld service is not enabled - service: + systemd: name: firewalld state: stopped enabled: no - when: pkg_check.rc == 0 - -# TODO: submit PR upstream to add mask/unmask to service module -- name: Mask firewalld service - command: systemctl mask firewalld - register: result - changed_when: "'firewalld' in result.stdout" - when: pkg_check.rc == 0 - ignore_errors: yes + masked: yes + register: task_result + failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" - name: Install iptables packages - action: "{{ ansible_pkg_mgr }} name={{ item }} state=present" + package: name={{ item }} state=present with_items: - - iptables - - iptables-services - register: install_result + - iptables + - iptables-services when: not openshift.common.is_atomic | bool -- name: Reload systemd units - command: systemctl daemon-reload - when: install_result | changed - -- name: Determine if iptables service masked - command: > - systemctl is-enabled {{ item }} - with_items: - - iptables - - ip6tables - register: os_firewall_iptables_masked_output - changed_when: false - failed_when: false - -- name: Unmask iptables service - command: > - systemctl unmask {{ item }} - with_items: - - iptables - - ip6tables - when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')" - - name: Start and enable iptables service - service: + systemd: name: iptables state: started enabled: yes + masked: no + daemon_reload: yes register: result - name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail 
diff --git a/roles/os_update_latest/tasks/main.yml b/roles/os_update_latest/tasks/main.yml index ff2b52275..6b5fd0106 100644 --- a/roles/os_update_latest/tasks/main.yml +++ b/roles/os_update_latest/tasks/main.yml @@ -1,3 +1,3 @@ --- - name: Update all packages - action: "{{ ansible_pkg_mgr }} name=* state=latest" + package: name=* state=latest |