diff options
Diffstat (limited to 'roles')
38 files changed, 375 insertions, 165 deletions
diff --git a/roles/docker/README.md b/roles/docker/README.md index 46f259eb7..6b5ee4421 100644 --- a/roles/docker/README.md +++ b/roles/docker/README.md @@ -1,4 +1,4 @@ -Role Name +Docker ========= Ensures docker package is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes. diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 7939221a1..4e24fd3b3 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -1,10 +1,18 @@ --- # tasks file for docker - name: Install docker - action: "{{ ansible_pkg_mgr }} name=docker state=present" and not is_atomic + action: "{{ ansible_pkg_mgr }} name=docker state=present" + when: not openshift.common.is_atomic | bool - name: enable and start the docker service - service: name=docker enabled=yes state=started + service: + name: docker + enabled: yes + state: started + register: start_result + +- set_fact: + docker_service_status_changed = start_result | changed - include: udev_workaround.yml when: docker_udev_workaround | default(False) diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml index 0fd3de585..9e7fa59cf 100644 --- a/roles/etcd/defaults/main.yaml +++ b/roles/etcd/defaults/main.yaml @@ -1,4 +1,5 @@ --- +etcd_service: "{{ 'etcd' if not openshift.common.is_containerized else 'etcd_container' }}" etcd_interface: "{{ ansible_default_ipv4.interface }}" etcd_client_port: 2379 etcd_peer_port: 2380 diff --git a/roles/etcd/handlers/main.yml b/roles/etcd/handlers/main.yml index 4c0efb97b..aeb26d6b2 100644 --- a/roles/etcd/handlers/main.yml +++ b/roles/etcd/handlers/main.yml @@ -1,4 +1,5 @@ --- + - name: restart etcd - service: name=etcd state=restarted + service: name={{ etcd_service }} state=restarted when: not etcd_service_status_changed | default(false) diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index d661ce437..aef52886b 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -7,8 +7,42 @@ msg: IPv4 address not found for {{ etcd_interface }} when: "'ipv4' not in hostvars[inventory_hostname]['ansible_' ~ etcd_interface] or 'address' not in hostvars[inventory_hostname]['ansible_' ~ etcd_interface].ipv4" +- debug: var=openshift.common.is_containerized +- debug: var=openshift.common.is_atomic + - name: Install etcd - action: "{{ ansible_pkg_mgr }} name=etcd-2.* state=present" and not is_atomic + action: "{{ ansible_pkg_mgr }} name=etcd-2.* state=present" + when: not openshift.common.is_containerized | bool + +- name: Pull etcd container + command: > + docker pull {{ openshift.etcd.etcd_image }} + when: openshift.common.is_containerized | bool + +- name: Install etcd container service file + template: + dest: "/etc/systemd/system/etcd_container.service" + src: etcd.docker.service + register: install_etcd_result + when: openshift.common.is_containerized | bool + +- name: Ensure etcd datadir exists + when: openshift.common.is_containerized | bool + file: + path: "{{ etcd_data_dir }}" + state: directory + mode: 0700 + +- name: Disable system etcd when containerized + when: openshift.common.is_containerized | bool + service: + name: etcd + state: stopped + enabled: no + +- name: Reload systemd units + command: systemctl daemon-reload + when: openshift.common.is_containerized and ( install_etcd_result | changed ) - name: Validate permissions on the config dir file: @@ -52,7 +86,7 @@ - name: Enable etcd service: - name: etcd + name: "{{ etcd_service }}" state: started enabled: yes register: start_result diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2 index 32577c96c..28816fd87 100644 --- a/roles/etcd/templates/etcd.conf.j2 +++ b/roles/etcd/templates/etcd.conf.j2 @@ -15,13 +15,13 @@ ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }} ETCD_NAME=default {% endif %} ETCD_DATA_DIR={{ etcd_data_dir }} -#ETCD_SNAPSHOT_COUNTER="10000" -ETCD_HEARTBEAT_INTERVAL="500" -ETCD_ELECTION_TIMEOUT="2500" +#ETCD_SNAPSHOT_COUNTER=10000 +ETCD_HEARTBEAT_INTERVAL=500 +ETCD_ELECTION_TIMEOUT=2500 ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }} -#ETCD_MAX_SNAPSHOTS="5" -#ETCD_MAX_WALS="5" -#ETCD_CORS="" +#ETCD_MAX_SNAPSHOTS=5 +#ETCD_MAX_WALS=5 +#ETCD_CORS= {% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %} #[cluster] @@ -29,15 +29,15 @@ ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }} ETCD_INITIAL_CLUSTER={{ initial_cluster() }} ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }} ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }} -#ETCD_DISCOVERY="" -#ETCD_DISCOVERY_SRV="" -#ETCD_DISCOVERY_FALLBACK="proxy" -#ETCD_DISCOVERY_PROXY="" +#ETCD_DISCOVERY= +#ETCD_DISCOVERY_SRV= +#ETCD_DISCOVERY_FALLBACK=proxy +#ETCD_DISCOVERY_PROXY= {% endif %} ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }} #[proxy] -#ETCD_PROXY="off" +#ETCD_PROXY=off #[security] {% if etcd_url_scheme == 'https' -%} diff --git a/roles/etcd/templates/etcd.docker.service b/roles/etcd/templates/etcd.docker.service new file mode 100644 index 000000000..8058fa188 --- /dev/null +++ b/roles/etcd/templates/etcd.docker.service @@ -0,0 +1,13 @@ +[Unit] +Description=The Etcd Server container +After=docker.service + +[Service] +EnvironmentFile=/etc/etcd/etcd.conf +ExecStartPre=-/usr/bin/docker rm -f {{ etcd_service }} +ExecStart=/usr/bin/docker run --name {{ etcd_service }} --rm -v /var/lib/etcd:/var/lib/etcd:z -v /etc/etcd:/etc/etcd:z --env-file=/etc/etcd/etcd.conf --net=host --entrypoint=/usr/bin/etcd {{ openshift.etcd.etcd_image }} +ExecStop=/usr/bin/docker stop {{ etcd_service }} +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/fluentd_master/tasks/main.yml b/roles/fluentd_master/tasks/main.yml index ddfa39284..a9531eecf 100644 --- a/roles/fluentd_master/tasks/main.yml +++ b/roles/fluentd_master/tasks/main.yml @@ -1,7 +1,7 @@ --- - fail: msg: "fluentd master is not yet supported on atomic hosts" - when: is_atomic + when: openshift.common.is_containerized | bool # TODO: Update fluentd install and configuration when packaging is complete - name: download and install td-agent diff --git a/roles/fluentd_node/tasks/main.yml b/roles/fluentd_node/tasks/main.yml index 4a29d1270..0c0dae973 100644 --- a/roles/fluentd_node/tasks/main.yml +++ b/roles/fluentd_node/tasks/main.yml @@ -1,7 +1,7 @@ --- - fail: msg: "fluentd node is not yet supported on atomic hosts" - when: is_atomic + when: openshift.common.is_containerized | bool # TODO: Update fluentd install and configuration when packaging is complete - name: download and install td-agent diff --git a/roles/kube_nfs_volumes/tasks/main.yml b/roles/kube_nfs_volumes/tasks/main.yml index 85338cd84..b3fe2f185 100644 --- a/roles/kube_nfs_volumes/tasks/main.yml +++ b/roles/kube_nfs_volumes/tasks/main.yml @@ -1,7 +1,7 @@ --- - fail: - msg: "That playbook is not yet supported on atomic hosts" - when: is_atomic + msg: "This role is not yet supported on atomic hosts" + when: openshift.common.is_atomic | bool - name: Install pyparted (RedHat/Fedora) action: "{{ ansible_pkg_mgr }} name=pyparted,python-httplib2 state=present" diff --git a/roles/openshift_docker/meta/main.yml b/roles/openshift_docker/meta/main.yml new file mode 100644 index 000000000..1e8f8b719 --- /dev/null +++ b/roles/openshift_docker/meta/main.yml @@ -0,0 +1,16 @@ +--- +galaxy_info: + author: Jason DeTiberus + description: OpenShift Docker + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 1.9 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- { role: openshift_common } +- { role: docker } diff --git a/roles/openshift_docker/tasks/main.yml b/roles/openshift_docker/tasks/main.yml new file mode 100644 index 000000000..f63b3acd5 --- /dev/null +++ b/roles/openshift_docker/tasks/main.yml @@ -0,0 +1,27 @@ +--- +- openshift_facts: + - role: common + local_facts: + deployment_type: "{{ openshift_deployment_type }}" + docker_additional_registries: "{{ docker_additional_registries | oo_split() }}" + docker_insecure_registries: "{{ docker_insecure_registries | oo_split() }}" + docker_blocked_registries: "{{ docker_blocked_registries | oo_split() }}" + +- name: Set registry params + lineinfile: + dest: /etc/sysconfig/docker + regexp: '^{{ reg_conf_var }}=.*$' + line: "{{ reg_conf_var }}='{{ reg_fact_val | oo_prepend_strings_in_list(reg_flag ~ ' ') | join(' ') }}'" + when: "'docker_additional_registries' in openshift.common" + with_items: + - reg_conf_var: ADD_REGISTRY + reg_fact_val: {{ openshift.common.docker_additional_registries }} + reg_flag: --add-registry + - reg_conf_var: BLOCK_REGISTRY + reg_fact_val: {{ openshift.common.docker_blocked_registries }} + reg_flag: --block-registry + - reg_conf_var: INSECURE_REGISTRY + reg_fact_val: {{ openshift.common.docker_insecure_registries }} + reg_flag: --insecure-registry + notify: + - restart docker diff --git a/roles/openshift_examples/defaults/main.yml b/roles/openshift_examples/defaults/main.yml index ae642fae1..d318d17e3 100644 --- a/roles/openshift_examples/defaults/main.yml +++ b/roles/openshift_examples/defaults/main.yml @@ -8,7 +8,7 @@ openshift_examples_load_quickstarts: true content_version: "{{ 'v1.1' if openshift.common.version_greater_than_3_1_or_1_1 else 'v1.0' }}" -examples_base: "{% if is_atomic %}{{ openshift.common.config_base }}{% else %}/usr/share/openshift{% endif %}/examples" +examples_base: "{% if openshift.common.is_atomic %}{{ openshift.common.config_base }}{% else %}/usr/share/openshift{% endif %}/examples" image_streams_base: "{{ examples_base }}/image-streams" centos_image_streams: "{{ image_streams_base}}/image-streams-centos7.json" rhel_image_streams: "{{ image_streams_base}}/image-streams-rhel7.json" diff --git a/roles/openshift_expand_partition/tasks/main.yml b/roles/openshift_expand_partition/tasks/main.yml index b74d635d5..cdd813e6a 100644 --- a/roles/openshift_expand_partition/tasks/main.yml +++ b/roles/openshift_expand_partition/tasks/main.yml @@ -1,13 +1,14 @@ --- - name: Ensure growpart is installed - action: "{{ ansible_pkg_mgr }} name=cloud-utils-growpart state=present" and not is_atomic + action: "{{ ansible_pkg_mgr }} name=cloud-utils-growpart state=present" + when: not openshift.common.is_containerized | bool - name: Determine if growpart is installed command: "rpm -q cloud-utils-growpart" register: has_growpart failed_when: "has_growpart.cr != 0 and 'package cloud-utils-growpart is not installed' not in has_growpart.stdout" changed_when: false - when: is_atomic + when: openshift.common.is_containerized | bool - name: Grow the partitions command: "growpart {{oep_drive}} {{oep_partition}}" diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 4278111c2..8e733a3a2 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -643,6 +643,20 @@ def set_deployment_facts_if_unset(facts): data_dir = '/var/lib/openshift' facts['common']['data_dir'] = data_dir + # remove duplicate and empty strings from registry lists + for cat in ['additional', 'blocked', 'insecure']: + key = 'docker_{0}_registries'.format(cat) + if key in facts['common']: + facts['common'][key] = set(facts['common'][key]) - set(['']) + + + if deployment_type in ['enterprise', 'atomic-enterprise', 'openshift-enterprise']: + addtl_regs = facts['common']['docker_additional_registries']: + ent_reg = 'registry.access.redhat.com' + if ent_reg not in addtl_regs + facts['common']['docker_additional_registries'].append(ent_reg) + + for role in ('master', 'node'): if role in facts: deployment_type = facts['common']['deployment_type'] @@ -1032,7 +1046,7 @@ class OpenShiftFacts(object): facts = set_version_facts_if_unset(facts) facts = set_aggregate_facts(facts) facts = set_etcd_facts_if_unset(facts) - facts = self.init_in_docker_facts(facts) + facts = self.set_containerized_facts_if_unset(facts) return dict(openshift=facts) def get_defaults(self, roles): @@ -1199,26 +1213,54 @@ class OpenShiftFacts(object): self.changed = changed return new_local_facts - def init_in_docker_facts(self, facts): - facts['is_atomic'] = os.path.isfile('/run/ostree-booted') - - docker = dict() - docker['image_name'] = 'openshift/origin' - # TODO: figure out right way to set the version - docker['image_version'] = 'latest' - docker['image'] = "%s:%s" % (docker['image_name'], docker['image_version']) + def set_containerized_facts_if_unset(self, facts): + deployment_type = facts['common']['deployment_type'] + if deployment_type in ['enterprise','openshift-enterprise']: + master_image = 'openshift3/ose' + cli_image = master_image + node_image = 'openshift3/node' + ovs_image = 'openshift3/openvswitch' + etcd_image = 'registry.access.redhat.com/rhel7/etcd' + elif deployment_type == 'atomic-enterprise': + master_image = 'aep3_beta/aep' + cli_image = master_image + node_image = 'aep3_beta/node' + ovs_image = 'aep3_beta/openvswitch' + etcd_image = 'registry.access.redhat.com/rhel7/etcd' + else: + master_image = 'openshift/origin' + cli_image = master_image + node_image = 'openshift/node' + ovs_image = 'openshift/openvswitch' + etcd_image = 'registry.access.redhat.com/rhel7/etcd' + + facts['common']['is_atomic'] = os.path.isfile('/run/ostree-booted') + if 'is_containerized' not in facts['common']: + facts['common']['is_containerized'] = facts['common']['is_atomic'] + if 'cli_image' not in facts['common']: + facts['common']['cli_image'] = cli_image + if 'master' in facts: + if 'master_image' not in facts['master']: + facts['master']['master_image'] = master_image + if 'node' in facts: + if 'node_image' not in facts ['node']: + facts['node']['node_image'] = node_image + if 'ovs_image' not in facts ['node']: + facts['node']['ovs_image'] = ovs_image + if 'etcd' in facts: + if 'etcd_image' not in facts['etcd']: + facts['etcd']['etcd_image'] = etcd_image # shared /tmp/openshift vol is for file exchange with ansible # --privileged is required to read the config dir # --net host to access openshift from the container # maybe -v /var/run/docker.sock:/var/run/docker.sock is required as well - docker['runner'] = "docker run --rm --privileged --net host -v /tmp/openshift:/tmp/openshift -v {datadir}:{datadir} -v {confdir}:{confdir} -e KUBECONFIG={confdir}/master/admin.kubeconfig {image}".format(confdir=facts['common']['config_base'], datadir=facts['common']['data_dir'], image=docker['image']) + runner = "docker run --rm --privileged --net host -v /tmp/openshift:/tmp/openshift -v {datadir}:{datadir} -v {confdir}:{confdir} -e KUBECONFIG={confdir}/master/admin.kubeconfig {image}".format(confdir=facts['common']['config_base'], datadir=facts['common']['data_dir'], image=facts['common']['cli_image']) - if facts['is_atomic']: - facts['common']['client_binary'] = '%s cli' % docker['runner'] - facts['common']['admin_binary'] = '%s admin' % docker['runner'] + if facts['common']['is_containerized']: + facts['common']['client_binary'] = '%s cli' % runner + facts['common']['admin_binary'] = '%s admin' % runner - facts['docker'] = docker return facts diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index e98b7c591..832f7ad84 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -6,20 +6,6 @@ - ansible_version | version_compare('1.9.0', 'ne') - ansible_version | version_compare('1.9.0.1', 'ne') -- name: Determine if Atomic - stat: path=/run/ostree-booted - register: s - changed_when: false - -- name: Init the is_atomic fact - set_fact: - is_atomic: false - -- name: Set the is_atomic fact - set_fact: - is_atomic: true - when: s.stat.exists - - name: Ensure PyYaml is installed action: "{{ ansible_pkg_mgr }} name=PyYAML state=present" diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 6844a16cc..e9e77d231 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -20,10 +20,9 @@ - fail: msg: "openshift_master_cluster_password must be set for multi-master installations" when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and (openshift_master_cluster_password is not defined or not openshift_master_cluster_password) - - fail: - msg: "openshift_master_ha is not yet supported on atomic hosts" - when: openshift_master_ha | bool and is_atomic + msg: "Pacemaker based HA is not supported at this time when used with containerized installs" + when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and openshift.common.is_containerized | bool - name: Set master facts openshift_facts: @@ -80,28 +79,38 @@ disabled_features: "{{ osm_disabled_features | default(None) }}" master_count: "{{ openshift_master_count | default(None) }}" controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}" + master_image: "{{ osm_image | default(None) }}" - name: Install Master package action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_version }} state=present" - when: not is_atomic + when: not openshift.common.is_containerized | bool # TODO: enable when ansible#1993 lands and is widespread enough # - name: Docker image present # docker: # image: "{{ openshift.common.docker.image }}" # state: image_present -# when: is_atomic +# when: openshift.common.is_containerized | bool - name: Install Master docker service file template: dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service" - src: openshift.docker.master.service - register: install_result - when: is_atomic + src: master.docker.service.j2 + register: install_result + when: openshift.common.is_containerized | bool and not openshift_master_ha | bool + +- name: Create openshift.common.data_dir + file: + path: "{{ openshift.common.data_dir }}" + state: directory + mode: 0755 + owner: root + group: root + when: openshift.common.is_containerized | bool -- name: Reload systemd units +- name: Reload systemd units command: systemctl daemon-reload - when: is_atomic and install_result | changed + when: openshift.common.is_containerized | bool and install_result | changed - name: Re-gather package dependent master facts openshift_facts: @@ -134,9 +143,9 @@ - name: Install httpd-tools if needed action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present" - when: (item.kind == 'HTPasswdPasswordIdentityProvider') + when: (item.kind == 'HTPasswdPasswordIdentityProvider') and + not openshift.common.is_containerized | bool with_items: openshift.master.identity_providers - when: not is_atomic - name: Ensure htpasswd directory exists file: @@ -154,16 +163,27 @@ when: item.kind == 'HTPasswdPasswordIdentityProvider' with_items: openshift.master.identity_providers +- name: Init HA Service Info + set_fact: + ha_suffix: "" + ha_svcdir: "/usr/lib/systemd/system" + +- name: Set HA Service Info for containerized installs + set_fact: + ha_suffix: ".docker" + ha_svcdir: "/etc/systemd/system" + when: openshift.common.is_containerized | bool + # workaround for missing systemd unit files for controllers/api - name: Create the api service file template: - src: atomic-openshift-master-api.service.j2 - dest: /usr/lib/systemd/system/{{ openshift.common.service_type }}-master-api.service + src: atomic-openshift-master-api{{ ha_suffix }}.service.j2 + dest: "{{ ha_svcdir }}/{{ openshift.common.service_type }}-master-api.service" when: openshift_master_ha | bool and openshift_master_cluster_method == "native" - name: Create the controllers service file template: - src: atomic-openshift-master-controllers.service.j2 - dest: /usr/lib/systemd/system/{{ openshift.common.service_type }}-master-controllers.service + src: atomic-openshift-master-controllers{{ ha_suffix }}.service.j2 + dest: "{{ ha_svcdir }}/{{ openshift.common.service_type }}-master-controllers.service" when: openshift_master_ha | bool and openshift_master_cluster_method == "native" - name: Create the api env file template: @@ -251,6 +271,10 @@ when: not openshift_master_ha | bool register: start_result +- name: Stop and disable non HA master when running HA + service: name={{ openshift.common.service_type }}-master enabled=no state=stopped + when: openshift_master_ha | bool + - set_fact: master_service_status_changed: start_result | changed when: not openshift_master_ha | bool @@ -275,12 +299,14 @@ - name: Install cluster packages action: "{{ ansible_pkg_mgr }} name=pcs state=present" - when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' and not is_atomic + when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' + and not openshift.common.is_containerized | bool register: install_result - name: Start and enable cluster service service: name=pcsd enabled=yes state=started when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' + and not openshift.common.is_containerized | bool - name: Set the cluster user password shell: echo {{ openshift_master_cluster_password | quote }} | passwd --stdin hacluster @@ -307,7 +333,6 @@ command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config args: creates: ~{{ item }}/.kube/config - when: not is_atomic with_items: - root - "{{ ansible_ssh_user }}" diff --git a/roles/openshift_master/templates/atomic-openshift-master-api.docker.service.j2 b/roles/openshift_master/templates/atomic-openshift-master-api.docker.service.j2 new file mode 100644 index 000000000..936c39edf --- /dev/null +++ b/roles/openshift_master/templates/atomic-openshift-master-api.docker.service.j2 @@ -0,0 +1,26 @@ +[Unit] +Description=Atomic OpenShift Master API +Documentation=https://github.com/openshift/origin +After=network.target +After=etcd.service +Before={{ openshift.common.service_type }}-node.service +Requires=network.target +Requires=docker.service +PartOf=docker.service + +[Service] +EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-api +Environment=GOTRACEBACK=crash +ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type}}-master-api +ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master-api -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift.master.master_image }} start master api --config=${CONFIG_FILE} $OPTIONS +ExecStartPost=/usr/bin/sleep 10 +ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-master-api +LimitNOFILE=131072 +LimitCORE=infinity +WorkingDirectory={{ openshift.common.data_dir }} +SyslogIdentifier=atomic-openshift-master-api +Restart=always + +[Install] +WantedBy=multi-user.target +WantedBy={{ openshift.common.service_type }}-node.service
\ No newline at end of file diff --git a/roles/openshift_master/templates/atomic-openshift-master-controllers.docker.service.j2 b/roles/openshift_master/templates/atomic-openshift-master-controllers.docker.service.j2 new file mode 100644 index 000000000..6ba7d6e2a --- /dev/null +++ b/roles/openshift_master/templates/atomic-openshift-master-controllers.docker.service.j2 @@ -0,0 +1,25 @@ +[Unit] +Description=Atomic OpenShift Master Controllers +Documentation=https://github.com/openshift/origin +After=network.target +After={{ openshift.common.service_type }}-master-api.service +Before={{ openshift.common.service_type }}-node.service +Requires=docker.service +PartOf=docker.service + +[Service] +EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers +Environment=GOTRACEBACK=crash +ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type}}-master-controllers +ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master-controllers -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift.master.master_image }} start master controllers --config=${CONFIG_FILE} $OPTIONS +ExecStartPost=/usr/bin/sleep 10 +ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-master-controllers +LimitNOFILE=131072 +LimitCORE=infinity +WorkingDirectory={{ openshift.common.data_dir }} +SyslogIdentifier={{ openshift.common.service_type }}-master-controllers +Restart=on-failure + +[Install] +WantedBy=multi-user.target +WantedBy={{ openshift.common.service_type }}-node.service diff --git a/roles/openshift_master/templates/openshift.docker.master.service b/roles/openshift_master/templates/master.docker.service.j2 index 9e436f8eb..8b23d70b1 100644 --- a/roles/openshift_master/templates/openshift.docker.master.service +++ b/roles/openshift_master/templates/master.docker.service.j2 @@ -1,11 +1,16 @@ [Unit] After=docker.service -Require=docker.service +Before={{ openshift.common.service_type }}-node.service +Requires=docker.service +PartOf=docker.service [Service] EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master -ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift_docker_image }} start master --config=${CONFIG_FILE} ${OPTIONS} +ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type}}-master +ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift.master.master_image }} start master --config=${CONFIG_FILE} $OPTIONS +ExecStartPost=/usr/bin/sleep 10 ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-master +Restart=always [Install] WantedBy=multi-user.target diff --git a/roles/openshift_master/vars/main.yml b/roles/openshift_master/vars/main.yml index 875d61a3b..534465451 100644 --- a/roles/openshift_master/vars/main.yml +++ b/roles/openshift_master/vars/main.yml @@ -5,8 +5,6 @@ openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.js openshift_master_session_secrets_file: "{{ openshift_master_config_dir }}/session-secrets.yaml" openshift_master_policy: "{{ openshift_master_config_dir }}/policy.json" openshift_version: "{{ openshift_pkg_version | default('') }}" -openshift_docker_image_name: openshift/origin -openshift_docker_image: "{{ openshift_docker_image_name }}:{{ openshift_pkg_version | default('latest') }}" openshift_master_valid_grant_methods: - auto diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml index c179ceb61..17d832d26 100644 --- a/roles/openshift_master_ca/tasks/main.yml +++ b/roles/openshift_master_ca/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install the base package for admin tooling action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_version }} state=present" - when: not is_atomic + when: openshift.common.is_containerized | bool - name: Reload generated facts openshift_facts: @@ -12,6 +12,11 @@ path: "{{ openshift_master_config_dir }}" state: directory +- name: Pull required docker image + command: > + docker pull {{ openshift.common.cli_image }} + when: openshift.common.is_containerized | bool + - name: Create the master certificates if they do not already exist command: > {{ openshift.common.admin_binary }} create-master-certs diff --git a/roles/openshift_master_ca/vars/main.yml b/roles/openshift_master_ca/vars/main.yml index 0f1f32a34..b35339b18 100644 --- a/roles/openshift_master_ca/vars/main.yml +++ b/roles/openshift_master_ca/vars/main.yml @@ -4,6 +4,3 @@ openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt" openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key" openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" openshift_version: "{{ openshift_pkg_version | default('') }}" - -openshift_docker_image_name: openshift/origin -openshift_docker_image: "{{ openshift_docker_image_name }}:{{ openshift_pkg_version | default('latest') }}" diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 13e5d7a4b..36d953111 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -16,6 +16,8 @@ - admin.kubeconfig - master.kubelet-client.crt - master.kubelet-client.key + - master.server.crt + - master.server.key - openshift-master.crt - openshift-master.key - openshift-master.kubeconfig diff --git a/roles/openshift_master_cluster/tasks/main.yml b/roles/openshift_master_cluster/tasks/main.yml index 978e2920d..40705d357 100644 --- a/roles/openshift_master_cluster/tasks/main.yml +++ b/roles/openshift_master_cluster/tasks/main.yml @@ -1,7 +1,7 @@ --- - fail: msg: "Not possible on atomic hosts for now" - when: is_atomic + when: openshift.common.is_containerized | bool - name: Test if cluster is already configured command: pcs status diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 8607aa3fb..67c6387a3 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -4,10 +4,6 @@ msg: "SELinux is disabled, This deployment type requires that SELinux is enabled." when: (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] -- fail: - msg: "This playbook does not support using SDN on atomic hosts yet" - when: openshift.common.use_openshift_sdn and is_atomic - - name: Set node facts openshift_facts: role: "{{ item.role }}" @@ -37,16 +33,50 @@ sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" set_node_ip: "{{ openshift_set_node_ip | default(None) }}" + node_image: "{{ osn_image | default(None) }}" + ovs_image: "{{ osn_ovs_image | default(None) }}" # We have to add tuned-profiles in the same transaction otherwise we run into depsolving -# problems because the rpms don't pin the version properly. +# problems because the rpms don't pin the version properly. This was fixed in 3.1 packaging. - name: Install Node package action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-node{{ openshift_version }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_version }} state=present" - when: not is_atomic + when: not openshift.common.is_containerized | bool - name: Install sdn-ovs package action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-sdn-ovs{{ openshift_version }} state=present" - when: openshift.common.use_openshift_sdn and not is_atomic + when: openshift.common.use_openshift_sdn and not openshift.common.is_containerized | bool + +- name: Install Node docker service file + template: + dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service" + src: openshift.docker.node.service + register: install_node_result + when: openshift.common.is_containerized | bool + +- name: Create openshift.common.data_dir + file: + path: openshift.common.data_dir + state: directory + mode: 0755 + owner: root + group: root + when: openshift.common.is_containerized | bool + +- name: Install OpenvSwitch docker service file + template: + dest: "/etc/systemd/system/openvswitch.service" + src: openvswitch.docker.service + register: install_ovs_result + when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool + +- name: Reload systemd units + command: systemctl daemon-reload + when: openshift.common.is_containerized and ( ( install_node_result | changed ) + or ( install_ovs_result | changed ) ) + +- name: Start and enable openvswitch docker service + service: name=openvswitch.service enabled=yes state=started + when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool # TODO: add the validate parameter when there is a validation command to run - name: Create the Node config @@ -71,64 +101,6 @@ notify: - restart node -- stat: path=/etc/sysconfig/docker - register: docker_check - - # TODO: Enable secure registry when code available in origin -- name: Secure Registry and Logs Options - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^OPTIONS=.*$' - line: "OPTIONS='--insecure-registry={{ openshift.node.portal_net }} \ -{% if ansible_selinux and ansible_selinux.status == '''enabled''' %}--selinux-enabled{% endif %} \ -{% if openshift.node.docker_log_driver is defined %} --log-driver {{ openshift.node.docker_log_driver }} {% endif %} \ -{% if openshift.node.docker_log_options is defined %} {{ openshift.node.docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}} {% endif %} '" - when: docker_check.stat.isreg - notify: - - restart docker - -- set_fact: - docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') - | oo_split() | union(['registry.access.redhat.com']) - | difference(['']) }}" - when: openshift.common.deployment_type in ['enterprise', 'openshift-enterprise', 'atomic-enterprise'] -- set_fact: - docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') - | oo_split() | difference(['']) }}" - when: openshift.common.deployment_type not in ['enterprise', 'openshift-enterprise', 'atomic-enterprise'] - -- name: Add personal registries - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^ADD_REGISTRY=.*$' - line: "ADD_REGISTRY='{{ docker_additional_registries - | oo_prepend_strings_in_list('--add-registry ') | join(' ') }}'" - when: docker_check.stat.isreg and docker_additional_registries - notify: - - restart docker - -- name: Block registries - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^BLOCK_REGISTRY=.*$' - line: "BLOCK_REGISTRY='{{ lookup('oo_option', 'docker_blocked_registries') | oo_split() - | oo_prepend_strings_in_list('--block-registry ') | join(' ') }}'" - when: docker_check.stat.isreg and - lookup('oo_option', 'docker_blocked_registries') != '' - notify: - - restart docker - -- name: Grant access to additional insecure registries - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^INSECURE_REGISTRY=.*' - line: "INSECURE_REGISTRY='{{ lookup('oo_option', 'docker_insecure_registries') | oo_split() - | oo_prepend_strings_in_list('--insecure-registry ') | join(' ') }}'" - when: docker_check.stat.isreg and - lookup('oo_option', 'docker_insecure_registries') != '' - notify: - - restart docker - - name: Additional storage plugin configuration include: storage_plugins/main.yml diff --git a/roles/openshift_node/tasks/storage_plugins/main.yml b/roles/openshift_node/tasks/storage_plugins/main.yml index 39c7b9390..d237c26ec 100644 --- a/roles/openshift_node/tasks/storage_plugins/main.yml +++ b/roles/openshift_node/tasks/storage_plugins/main.yml @@ -3,11 +3,12 @@ # additional package dependencies - name: NFS storage plugin configuration include: nfs.yml + when: not openshift.common.is_containerized | bool - name: GlusterFS storage plugin configuration include: glusterfs.yml - when: "'glusterfs' in openshift.node.storage_plugin_deps" + when: "'glusterfs' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool " - name: Ceph storage plugin configuration include: ceph.yml - when: "'ceph' in openshift.node.storage_plugin_deps" + when: "'ceph' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool" diff --git a/roles/openshift_node/templates/openshift.docker.node.service b/roles/openshift_node/templates/openshift.docker.node.service index e9df34940..7a11a10fa 100644 --- a/roles/openshift_node/templates/openshift.docker.node.service +++ b/roles/openshift_node/templates/openshift.docker.node.service @@ -1,11 +1,20 @@ [Unit] After=docker.service -Require=docker.service +After={{ openshift.common.service_type }}-master.service +After=openvswitch.service +{% if openshift.common.use_openshift_sdn %} +Requires=openvswitch.service +{% endif %} +Requires=docker.service +PartOf=docker.service [Service] EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-node -ExecStart=/usr/bin/docker run --rm --privileged --net=host --name "{{ openshift.common.service_type }}-node" -v /:/rootfs:ro -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift_docker_image }} start node --config=${CONFIG_FILE} ${OPTIONS} +ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type }}-node +ExecStart=/usr/bin/docker run --name {{ openshift.common.service_type }}-node --rm --privileged --net=host --pid=host -v /:/rootfs:ro -e CONFIG_FILE=${CONFIG_FILE} -e OPTIONS=${OPTIONS} -e HOST=/rootfs -e HOST_ETC=/host-etc -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v {{ openshift.common.config_base }}/node:{{ openshift.common.config_base }}/node -v /etc/localtime:/etc/localtime:ro -v /etc/machine-id:/etc/machine-id:ro -v /run:/run -v /sys:/sys:ro -v /usr/bin/docker:/usr/bin/docker:ro -v /var/lib/docker:/var/lib/docker -v /lib/modules:/lib/modules -v /etc/origin/openvswitch:/etc/openvswitch -v /etc/origin/sdn:/etc/openshift-sdn -v /etc/systemd/system:/host-etc/systemd/system {{ openshift.node.node_image }} +ExecStartPost=/usr/bin/sleep 10 ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-node +Restart=always [Install] WantedBy=multi-user.target diff --git a/roles/openshift_node/templates/openvswitch.docker.service b/roles/openshift_node/templates/openvswitch.docker.service new file mode 100644 index 000000000..0b42ca6d5 --- /dev/null +++ b/roles/openshift_node/templates/openvswitch.docker.service @@ -0,0 +1,13 @@ +[Unit] +After=docker.service +Requires=docker.service +PartOf=docker.service + +[Service] +ExecStartPre=-/usr/bin/docker rm -f openvswitch +ExecStart=/usr/bin/docker run --name openvswitch --rm --privileged --net=host --pid=host -v /lib/modules:/lib/modules -v /run:/run -v /sys:/sys:ro -v /etc/origin/openvswitch:/etc/openvswitch {{ openshift.node.ovs_image }} +ExecStop=/usr/bin/docker stop openvswitch +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/openshift_node/vars/main.yml b/roles/openshift_node/vars/main.yml index c57d1bcca..43dc50ca8 100644 --- a/roles/openshift_node/vars/main.yml +++ b/roles/openshift_node/vars/main.yml @@ -2,6 +2,3 @@ openshift_node_config_dir: "{{ openshift.common.config_base }}/node" openshift_node_config_file: "{{ openshift_node_config_dir }}/node-config.yaml" openshift_version: "{{ openshift_pkg_version | default('') }}" - -openshift_docker_image_name: openshift/origin -openshift_docker_image: "{{ openshift_docker_image_name }}:{{ openshift_pkg_version | default('latest') }}" diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index 6d0d1d493..6d910a66e 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml @@ -12,20 +12,20 @@ - name: Ensure libselinux-python is installed action: "{{ ansible_pkg_mgr }} name=libselinux-python state=present" - when: not is_atomic + when: not openshift.common.is_containerized | bool - name: Create any additional repos that are defined template: src: yum_repo.j2 dest: /etc/yum.repos.d/openshift_additional.repo - when: openshift_additional_repos | length > 0 and not is_atomic + when: openshift_additional_repos | length > 0 and not openshift.common.is_containerized | bool notify: refresh cache - name: Remove the additional repos if no longer defined file: dest: /etc/yum.repos.d/openshift_additional.repo state: absent - when: openshift_additional_repos | length == 0 and not is_atomic + when: openshift_additional_repos | length == 0 and not openshift.common.is_containerized | bool notify: refresh cache - name: Remove any yum repo files for other deployment types RHEL/CentOS @@ -36,7 +36,7 @@ - '*/repos/*' when: not (item | search("/files/" ~ openshift_deployment_type ~ "/repos")) and (ansible_os_family == "RedHat" and ansible_distribution != "Fedora") - and not is_atomic + and not openshift.common.is_containerized | bool notify: refresh cache - name: Remove any yum repo files for other deployment types Fedora @@ -47,7 +47,7 @@ - '*/repos/*' when: not (item | search("/files/fedora-" ~ openshift_deployment_type ~ "/repos")) and (ansible_distribution == "Fedora") - and not is_atomic + and not openshift.common.is_containerized | bool notify: refresh cache - name: Configure gpg keys if needed @@ -55,6 +55,7 @@ with_fileglob: - "{{ openshift_deployment_type }}/gpg_keys/*" notify: refresh cache + when: not openshift.common.is_containerized | bool - name: Configure yum repositories RHEL/CentOS copy: src={{ item }} dest=/etc/yum.repos.d/ @@ -62,11 +63,11 @@ - "{{ openshift_deployment_type }}/repos/*" notify: refresh cache when: (ansible_os_family == "RedHat" and ansible_distribution != "Fedora") - and not is_atomic + and not openshift.common.is_containerized | bool - name: Configure yum repositories Fedora copy: src={{ item }} dest=/etc/yum.repos.d/ with_fileglob: - "fedora-{{ openshift_deployment_type }}/repos/*" notify: refresh cache - when: (ansible_distribution == "Fedora") and not is_atomic + when: (ansible_distribution == "Fedora") and not openshift.common.is_containerized | bool diff --git a/roles/openshift_storage_nfs_lvm/tasks/main.yml b/roles/openshift_storage_nfs_lvm/tasks/main.yml index ead81b876..ea0cc2a94 100644 --- a/roles/openshift_storage_nfs_lvm/tasks/main.yml +++ b/roles/openshift_storage_nfs_lvm/tasks/main.yml @@ -1,4 +1,9 @@ --- +# TODO -- this may actually work on atomic hosts +- fail: + msg: "openshift_storage_nfs_lvm is not compatible with atomic host" + when: openshift.common.is_atomic | true + - name: Create lvm volumes lvol: vg={{osnl_volume_group}} lv={{ item }} size={{osnl_volume_size}}G with_sequence: start={{osnl_volume_num_start}} count={{osnl_number_of_volumes}} format={{osnl_volume_prefix}}{{osnl_volume_size}}g%04d diff --git a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml index df7c0e57d..fc8de1cb5 100644 --- a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml +++ b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml @@ -1,7 +1,7 @@ --- - name: Install NFS server action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" - when: not is_atomic + when: not openshift.common.is_containerized | bool - name: Start rpcbind service: name=rpcbind state=started enabled=yes diff --git a/roles/os_env_extras/tasks/main.yaml b/roles/os_env_extras/tasks/main.yaml index d52795289..628df713a 100644 --- a/roles/os_env_extras/tasks/main.yaml +++ b/roles/os_env_extras/tasks/main.yaml @@ -13,4 +13,4 @@ - name: Bash Completion action: "{{ ansible_pkg_mgr }} name=bash-completion state=present" - when: not is_atomic
\ No newline at end of file + when: not openshift.common.is_containerized | bool
\ No newline at end of file diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 01b8263d5..d26ba7ee9 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml @@ -5,7 +5,7 @@ - iptables - iptables-services register: install_result - when: not is_atomic + when: not openshift.common.is_containerized | bool - name: Check if firewalld is installed command: rpm -q firewalld diff --git a/roles/os_update_latest/tasks/main.yml b/roles/os_update_latest/tasks/main.yml index 3c3e80979..2400164fa 100644 --- a/roles/os_update_latest/tasks/main.yml +++ b/roles/os_update_latest/tasks/main.yml @@ -1,8 +1,8 @@ --- - fail: msg: "Update is not yet supported by this playbook on atomic hosts" - when: is_atomic + when: openshift.common.is_containerized | bool - name: Update all packages action: "{{ ansible_pkg_mgr }} name=* state=latest" - when: not is_atomic
\ No newline at end of file + when: not openshift.common.is_containerized | bool
\ No newline at end of file diff --git a/roles/os_zabbix/tasks/main.yml b/roles/os_zabbix/tasks/main.yml index bd879c25f..a8b65dd56 100644 --- a/roles/os_zabbix/tasks/main.yml +++ b/roles/os_zabbix/tasks/main.yml @@ -1,7 +1,7 @@ --- - fail: msg: "Zabbix config is not yet supported on atomic hosts" - when: is_atomic + when: openshift.common.is_containerized | bool - name: Main List all templates zbx_template: diff --git a/roles/yum_repos/tasks/main.yml b/roles/yum_repos/tasks/main.yml index 252dc71d5..46928a00b 100644 --- a/roles/yum_repos/tasks/main.yml +++ b/roles/yum_repos/tasks/main.yml @@ -45,4 +45,4 @@ src: yumrepo.j2 dest: /etc/yum.repos.d/{{ item.id }}.repo with_items: repo_files - when: not is_atomic + when: not openshift.common.is_containerized | bool |