5 files changed, 106 insertions, 28 deletions

diff --git a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
index 7161b5277..a474b36b0 100644
--- a/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
+++ b/roles/openshift_certificate_expiry/library/openshift_cert_expiry.py
@@ -4,17 +4,13 @@
 
 """For details on this module see DOCUMENTATION (below)"""
 
-# router/registry cert grabbing
-import subprocess
-# etcd config file
-import ConfigParser
-# Expiration parsing
 import datetime
-# File path stuff
 import os
-# Config file parsing
+import subprocess
+
+from six.moves import configparser
+
 import yaml
-# Certificate loading
 import OpenSSL.crypto
 
 DOCUMENTATION = '''
@@ -260,7 +256,10 @@ Return:
 # This is our module MAIN function after all, so there's bound to be a
 # lot of code bundled up into one block
 #
-# pylint: disable=too-many-locals,too-many-locals,too-many-statements,too-many-branches
+# Reason: These checks are disabled because the issue was introduced
+# during a period where the pylint checks weren't enabled for this file
+# Status: temporarily disabled pending future refactoring
+# pylint: disable=too-many-locals,too-many-statements,too-many-branches
 def main():
     """This module examines certificates (in various forms) which compose
 an OpenShift Container Platform cluster
@@ -479,13 +478,17 @@ an OpenShift Container Platform cluster
     etcd_cert_params.append('dne')
     try:
         with open('/etc/etcd/etcd.conf', 'r') as fp:
-            etcd_config = ConfigParser.ConfigParser()
+            etcd_config = configparser.ConfigParser()
+            # Reason: This check is disabled because the issue was introduced
+            # during a period where the pylint checks weren't enabled for this file
+            # Status: temporarily disabled pending future refactoring
+            # pylint: disable=deprecated-method
             etcd_config.readfp(FakeSecHead(fp))
 
         for param in etcd_cert_params:
             try:
                 etcd_certs_to_check.add(etcd_config.get('ETCD', param))
-            except ConfigParser.NoOptionError:
+            except configparser.NoOptionError:
                 # That parameter does not exist, oh well...
                 pass
     except IOError:
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index d7e3596fd..6baf9d016 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -7,13 +7,6 @@
 
 """Ansible module for retrieving and setting openshift related facts"""
 
-try:
-    # python2
-    import ConfigParser
-except ImportError:
-    # python3
-    import configparser as ConfigParser
-
 # pylint: disable=no-name-in-module, import-error, wrong-import-order
 import copy
 import errno
@@ -26,8 +19,8 @@ import struct
 import socket
 from distutils.util import strtobool
 from distutils.version import LooseVersion
-from six import string_types
-from six import text_type
+from six import string_types, text_type
+from six.moves import configparser
 
 # ignore pylint errors related to the module_utils import
 # pylint: disable=redefined-builtin, unused-wildcard-import, wildcard-import
@@ -776,7 +769,7 @@ def set_etcd_facts_if_unset(facts):
             # Add a fake section for parsing:
             ini_str = text_type('[root]\n' + open('/etc/etcd/etcd.conf', 'r').read(), 'utf-8')
             ini_fp = io.StringIO(ini_str)
-            config = ConfigParser.RawConfigParser()
+            config = configparser.RawConfigParser()
             config.readfp(ini_fp)
             etcd_data_dir = config.get('root', 'ETCD_DATA_DIR')
             if etcd_data_dir.startswith('"') and etcd_data_dir.endswith('"'):
@@ -1256,6 +1249,13 @@ def is_service_running(service):
     return service_running
 
 
+def rpm_rebuilddb():
+    """
+    Runs rpm --rebuilddb to ensure the db is in good shape.
+    """
+    module.run_command(['/usr/bin/rpm', '--rebuilddb'])  # noqa: F405
+
+
 def get_version_output(binary, version_cmd):
     """ runs and returns the version output for a command """
     cmd = []
@@ -1292,7 +1292,7 @@ def get_hosted_registry_insecure():
         try:
             ini_str = text_type('[root]\n' + open('/etc/sysconfig/docker', 'r').read(), 'utf-8')
             ini_fp = io.StringIO(ini_str)
-            config = ConfigParser.RawConfigParser()
+            config = configparser.RawConfigParser()
             config.readfp(ini_fp)
             options = config.get('root', 'OPTIONS')
             if 'insecure-registry' in options:
@@ -1561,15 +1561,15 @@ def get_local_facts_from_file(filename):
     local_facts = dict()
     try:
         # Handle conversion of INI style facts file to json style
-        ini_facts = ConfigParser.SafeConfigParser()
+        ini_facts = configparser.SafeConfigParser()
         ini_facts.read(filename)
         for section in ini_facts.sections():
             local_facts[section] = dict()
             for key, value in ini_facts.items(section):
                 local_facts[section][key] = value
 
-    except (ConfigParser.MissingSectionHeaderError,
-            ConfigParser.ParsingError):
+    except (configparser.MissingSectionHeaderError,
+            configparser.ParsingError):
         try:
             with open(filename, 'r') as facts_file:
                 local_facts = json.load(facts_file)
@@ -1966,6 +1966,11 @@ class OpenShiftFacts(object):
         if 'docker' in roles:
             docker = dict(disable_push_dockerhub=False,
                           options='--log-driver=json-file --log-opt max-size=50m')
+            # NOTE: This is a workaround for a dnf output racecondition that can occur in
+            # some situations. See https://bugzilla.redhat.com/show_bug.cgi?id=918184
+            if self.system_facts['ansible_pkg_mgr'] == 'dnf':
+                rpm_rebuilddb()
+
             version_info = get_docker_version_info()
             if version_info is not None:
                 docker['api_version'] = version_info['api_version']
diff --git a/roles/openshift_hosted/meta/main.yml b/roles/openshift_hosted/meta/main.yml
index 74c50ae1d..ca5e88b15 100644
--- a/roles/openshift_hosted/meta/main.yml
+++ b/roles/openshift_hosted/meta/main.yml
@@ -11,4 +11,23 @@ galaxy_info:
     - 7
   categories:
   - cloud
-dependencies: []
+dependencies:
+- role: openshift_cli
+- role: openshift_hosted_facts
+- role: openshift_projects
+  openshift_projects: "{{ openshift_additional_projects | default({}) | oo_merge_dicts({'default':{'default_node_selector':''},'openshift-infra':{'default_node_selector':''},'logging':{'default_node_selector':''}}) }}"
+- role: openshift_serviceaccounts
+  openshift_serviceaccounts_names:
+  - router
+  openshift_serviceaccounts_namespace: default
+  openshift_serviceaccounts_sccs:
+  - hostnetwork
+  when: openshift.common.version_gte_3_2_or_1_2
+- role: openshift_serviceaccounts
+  openshift_serviceaccounts_names:
+  - router
+  - registry
+  openshift_serviceaccounts_namespace: default
+  openshift_serviceaccounts_sccs:
+  - privileged
+  when: not openshift.common.version_gte_3_2_or_1_2
diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml
index 7457e4378..3a595b2d1 100644
--- a/roles/openshift_master/meta/main.yml
+++ b/roles/openshift_master/meta/main.yml
@@ -11,4 +11,33 @@ galaxy_info:
     - 7
   categories:
   - cloud
-dependencies: []
+dependencies:
+- role: openshift_master_facts
+- role: openshift_hosted_facts
+- role: openshift_master_certificates
+- role: openshift_etcd_client_certificates
+  etcd_cert_subdir: "openshift-master-{{ openshift.common.hostname }}"
+  etcd_cert_config_dir: "{{ openshift.common.config_base }}/master"
+  etcd_cert_prefix: "master.etcd-"
+  when: groups.oo_etcd_to_config | default([]) | length != 0
+- role: openshift_clock
+- role: openshift_cloud_provider
+- role: openshift_builddefaults
+- role: os_firewall
+  os_firewall_allow:
+  - service: api server https
+    port: "{{ openshift.master.api_port }}/tcp"
+  - service: api controllers https
+    port: "{{ openshift.master.controllers_port }}/tcp"
+  - service: skydns tcp
+    port: "{{ openshift.master.dns_port }}/tcp"
+  - service: skydns udp
+    port: "{{ openshift.master.dns_port }}/udp"
+- role: os_firewall
+  os_firewall_allow:
+  - service: etcd embedded
+    port: 4001/tcp
+  when: groups.oo_etcd_to_config | default([]) | length == 0
+- role: nickhammond.logrotate
+- role: nuage_master
+  when: openshift.common.use_nuage | bool
diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml
index c39269f33..56dee2958 100644
--- a/roles/openshift_node/meta/main.yml
+++ b/roles/openshift_node/meta/main.yml
@@ -11,4 +11,26 @@ galaxy_info:
     - 7
   categories:
   - cloud
-dependencies: []
+dependencies:
+- role: openshift_common
+- role: openshift_clock
+- role: openshift_docker
+- role: openshift_node_certificates
+- role: openshift_cloud_provider
+- role: openshift_node_dnsmasq
+  when: openshift.common.use_dnsmasq | bool
+- role: os_firewall
+  os_firewall_allow:
+  - service: Kubernetes kubelet
+    port: 10250/tcp
+  - service: http
+    port: 80/tcp
+  - service: https
+    port: 443/tcp
+  - service: Openshift kubelet ReadOnlyPort
+    port: 10255/tcp
+  - service: Openshift kubelet ReadOnlyPort udp
+    port: 10255/udp
+  - service: OpenShift OVS sdn
+    port: 4789/udp
+    when: openshift.node.use_openshift_sdn | bool