Diffstat (limited to 'roles')
-rw-r--r-- | roles/openshift_common/README.md | 30 | ||||
-rw-r--r-- | roles/openshift_common/meta/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_master/README.md | 38 | ||||
-rw-r--r-- | roles/openshift_master/meta/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_master/tasks/main.yml | 7 | ||||
-rw-r--r-- | roles/openshift_node/README.md | 42 | ||||
-rw-r--r-- | roles/openshift_node/defaults/main.yml | 4 | ||||
-rw-r--r-- | roles/openshift_node/meta/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_node/tasks/main.yml | 5 | ||||
-rw-r--r-- | roles/openshift_sdn_master/README.md | 29 | ||||
-rw-r--r-- | roles/openshift_sdn_master/meta/main.yml | 2 | ||||
-rw-r--r-- | roles/openshift_sdn_node/README.md | 39 | ||||
-rw-r--r-- | roles/openshift_sdn_node/meta/main.yml | 2 | ||||
-rw-r--r-- | roles/os_firewall/README.md | 2 | ||||
-rw-r--r-- | roles/os_firewall/meta/main.yml | 2 | ||||
-rw-r--r-- | roles/os_firewall/tasks/firewall/firewalld.yml | 45 | ||||
-rw-r--r-- | roles/os_firewall/tasks/firewall/iptables.yml | 33 |
17 files changed, 175 insertions, 111 deletions
diff --git a/roles/openshift_common/README.md b/roles/openshift_common/README.md
index 225dd44b9..c2ae609ff 100644
--- a/roles/openshift_common/README.md
+++ b/roles/openshift_common/README.md
@@ -1,38 +1,42 @@ -Role Name -========= +OpenShift Common +================ -A brief description of the role goes here. +OpenShift common installation and configuration tasks. Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, +rhel-7-server-extra-rpms, and rhel-7-server-ose-beta-rpms repos. Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +| Name | Default value | | +|-------------------------------|------------------------------|----------------------------------------| +| openshift_bind_ip | ansible_default_ipv4.address | IP to use for local binding | +| openshift_debug_level | 0 | Global openshift debug log verbosity | +| openshift_hostname_workaround | True | Workaround needed to set hostname to IP address | +| openshift_hostname | openshift_public_ip if openshift_hostname_workaround else ansible_fqdn | hostname to use for this instance | +| openshift_public_ip | UNDEF (Required) | Public IP address to use for this host | +| openshift_env | default | Envrionment name if multiple OpenShift instances | Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. 
+os_firewall Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +TODO License ------- -BSD +Apache License, Version 2.0 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +TODO diff --git a/roles/openshift_common/meta/main.yml b/roles/openshift_common/meta/main.yml index 7dc4603d0..88b7677d0 100644 --- a/roles/openshift_common/meta/main.yml +++ b/roles/openshift_common/meta/main.yml @@ -3,7 +3,7 @@ galaxy_info: author: Jason DeTiberus description: OpenShift Common company: Red Hat, Inc. - license: ASL 2.0 + license: Apache License, Version 2.0 min_ansible_version: 1.7 platforms: - name: EL diff --git a/roles/openshift_master/README.md b/roles/openshift_master/README.md index 225dd44b9..5a1b889b2 100644 --- a/roles/openshift_master/README.md +++ b/roles/openshift_master/README.md 
@@ -1,38 +1,50 @@ -Role Name -========= +OpenShift Master +================ -A brief description of the role goes here. +OpenShift Master service installation Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, +rhel-7-server-extras-rpms, and rhel-server-7-ose-beta-rpms repos. Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +From this role: +| Name | Default value | +| +|------------------------------------------|-----------------------|----------------------------------------| +| openshift_master_manage_service_externally | False | Should the openshift-master role manage the openshift-master service? 
| +| openshift_master_debug_level | openshift_debug_level | Verbosity of the debug logs for openshift-master | +| openshift_node_ips | [] | List of the openshift node ip addresses, that we want to pre-register to the system when openshift-master starts up | +| openshift_registry_url | UNDEF (Optional) | Default docker registry to use | + +From openshift_common: +| Name | Default Value | | +|-------------------------------|---------------------|---------------------| +| openshift_debug_level | 0 | Global openshift debug log verbosity | +| openshift_hostname_workaround | True | | +| openshift_public_ip | UNDEF (Required) | Public IP address to use for this host | +| openshift_hostname | openshift_public_ip if openshift_hostname_workaround else ansible_fqdn | hostname to use for this instance | Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. +openshift_common Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +TODO License ------- -BSD +Apache License, Version 2.0 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +TODO diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index bb0fc00e9..41a183c3b 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml @@ -3,7 +3,7 @@ galaxy_info: author: Jhon Honce description: OpenShift Master company: Red Hat, Inc. - license: ASL 2.0 + license: Apache License, Version 2.0 min_ansible_version: 1.7 platforms: - name: EL 
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index a96184d70..7a7f02be9 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -6,8 +6,9 @@ lineinfile: dest: /etc/sysconfig/openshift-master regexp: '^OPTIONS=' - line: "OPTIONS=\"--public-master={{ openshift_hostname }} --nodes={{ openshift_node_ips - | join(',') }} --loglevel={{ openshift_master_debug_level }}\"" + line: "OPTIONS=\"--public-master={{ openshift_hostname }} {% if + openshift_node_ips %} --nodes={{ openshift_node_ips + | join(',') }} {% endif %} --loglevel={{ openshift_master_debug_level }}\"" notify: - restart openshift-master @@ -56,7 +57,7 @@ file: path: /root/.kube state: directory - mode: 700 + mode: 0700 - name: Configure root user kubeconfig command: cp /var/lib/openshift/openshift.local.certificates/admin/.kubeconfig /root/.kube/.kubeconfig args: diff --git a/roles/openshift_node/README.md b/roles/openshift_node/README.md index 225dd44b9..9210bab16 100644 --- a/roles/openshift_node/README.md +++ b/roles/openshift_node/README.md 
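Review bot: The corrected mode on the `/root/.kube` task in the second hunk (`mode: 0700`) is still an unquoted scalar, so its value depends on the YAML loader reading a leading zero as octal; writing `mode: "0700"` passes the string to the file module and removes that dependency. The matching hunk in roles/openshift_node/tasks/main.yml has the same line. The `cp` task that follows, whose body continues past the end of the hunk, copies the admin `.kubeconfig` without stating a mode, so the credential file's permissions rest on root's umask and the directory mode; setting the mode there explicitly would make the intent visible.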
@@ -1,38 +1,52 @@ -Role Name -========= +OpenShift Node +============== -A brief description of the role goes here. +OpenShift Node service installation Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +One or more OpenShift Master servers. + +A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, +rhel-7-server-extras-rpms, and rhel-server-7-ose-beta-rpms repos. Role Variables -------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +From this role: +| Name | Default value | | +|------------------------------------------|-----------------------|----------------------------------------| +| openshift_node_manage_service_externally | False | Should the openshift-node role manage the openshift-node service? | +| openshift_node_debug_level | openshift_debug_level | Verbosity of the debug logs for openshift-node | +| openshift_master_public_ips | UNDEF (Required) | List of the public IPs for the openhift-master hosts | +| openshift_master_ips | UNDEF (Required) | List of IP addresses for the openshift-master hosts to be used for node -> master communication | +| openshift_registry_url | UNDEF (Optional) | Default docker registry to use | +| openshift_node_resources | { capacity: { cpu: , memory: } } | Resource specification for this node, cpu is the number of CPUs to advertise and memory is the amount of memory in bytes to advertise. 
Default values chosen when not set are the number of logical CPUs for the host and 75% of total system memory | + +From openshift_common: +| Name | Default Value | | +|-------------------------------|---------------------|---------------------| +| openshift_debug_level | 0 | Global openshift debug log verbosity | +| openshift_hostname_workaround | True | | +| openshift_public_ip | UNDEF (Required) | Public IP address to use for this host | +| openshift_hostname | openshift_public_ip if openshift_hostname_workaround else ansible_fqdn | hostname to use for this instance | Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. +openshift_common Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +TODO License ------- -BSD +Apache License, Version 2.0 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +TODO diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index 6dc73a96e..c45524f16 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -4,3 +4,7 @@ openshift_node_debug_level: "{{ openshift_debug_level | default(0) }}" os_firewall_allow: - service: OpenShift kubelet port: 10250/tcp +openshift_node_resources: + capacity: + cpu: + memory: diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index 674a320cb..c92008a77 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml 
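Review bot: The new `openshift_node_resources` default in roles/openshift_node/defaults/main.yml leaves `cpu:` and `memory:` as bare keys, which load as null rather than as an absent setting, and nothing in the file says that this is intended. Writing `cpu: null` and `memory: null` under a comment such as `# null lets openshift_register_node choose its defaults (logical CPU count, 75% of system memory)` would match what the README in this commit describes. The tasks file passes the whole mapping through `resources: "{{ openshift_node_resources }}"`, so the module presumably has to accept null members; that code is not part of this diff and should be checked.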
@@ -3,7 +3,7 @@ galaxy_info: author: Jhon Honce description: OpenShift Node company: Red Hat, Inc. - license: ASL 2.0 + license: Apache License, Version 2.0 min_ansible_version: 1.7 platforms: - name: EL diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index f52827b8e..6721c7401 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -66,14 +66,13 @@ file: path: /root/.kube state: directory - mode: 700 + mode: 0700 - name: Configure root user kubeconfig command: cp /var/lib/openshift/openshift.local.certificates/admin/.kubeconfig /root/.kube/.kubeconfig args: creates: /root/.kube/.kubeconfig -# TODO: expose openshift_register_node options to allow for overriding the -# defaults. - name: Register node (if not already registered) openshift_register_node: name: "{{ openshift_hostname }}" + resources: "{{ openshift_node_resources }}" diff --git a/roles/openshift_sdn_master/README.md b/roles/openshift_sdn_master/README.md index 225dd44b9..d0dcf6d11 100644 --- a/roles/openshift_sdn_master/README.md +++ b/roles/openshift_sdn_master/README.md 
@@ -1,38 +1,41 @@ -Role Name -========= +OpenShift SDN Master +==================== -A brief description of the role goes here. +OpenShift SDN Master service installation Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +A host with the openshift_master role applied Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +From this role: +| Name | Default value | | +|----------------------------------|-----------------------|--------------------------------------------------| +| openshift_sdn_master_debug_level | openshift_debug_level | Verbosity of the debug logs for openshift-master | + +From openshift_common: +| Name | Default value | | +|-----------------------|---------------|--------------------------------------| +| openshift_debug_level | 0 | Global openshift debug log verbosity | Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +TODO License ------- -BSD +Apache License, Version 2.0 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +TODO 
diff --git a/roles/openshift_sdn_master/meta/main.yml b/roles/openshift_sdn_master/meta/main.yml
index 2fd6c64e0..e6e5514d1 100644
--- a/roles/openshift_sdn_master/meta/main.yml
+++ b/roles/openshift_sdn_master/meta/main.yml
@@ -3,7 +3,7 @@ galaxy_info:
 author: Jason DeTiberus
 description: OpenShift SDN Master
 company: Red Hat, Inc.
- license: ASL 2.0
+ license: Apache License, Version 2.0
 min_ansible_version: 1.7
 platforms:
 - name: EL
diff --git a/roles/openshift_sdn_node/README.md b/roles/openshift_sdn_node/README.md
index 225dd44b9..294550219 100644
--- a/roles/openshift_sdn_node/README.md
+++ b/roles/openshift_sdn_node/README.md
@@ -1,38 +1,51 @@ -Role Name -========= +OpenShift SDN Node +================== -A brief description of the role goes here. +OpenShift SDN Node service installation Requirements ------------ -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. +A host with the openshift_node role applied Role Variables -------------- -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. +From this role: +| Name | Default value | | +|--------------------------------|-----------------------|--------------------------------------------------| +| openshift_sdn_node_debug_level | openshift_debug_level | Verbosity of the debug logs for openshift-master | + + +From openshift_node: +| Name | Default value | | +|-----------------------|------------------|--------------------------------------| +| openshift_master_ips | UNDEF (Required) | List of IP addresses for the openshift-master hosts to be used for node -> master communication | + + +From openshift_common: +| Name | Default value | | +|-------------------------------|---------------------|----------------------------------------| +| openshift_debug_level | 0 | Global openshift debug log verbosity | +| openshift_hostname_workaround | True | | +| openshift_public_ip | UNDEF (Required) | Public IP address to use for this host | +| openshift_hostname | openshift_public_ip if openshift_hostname_workaround else ansible_fqdn | hostname to use for this instance | Dependencies ------------ -A list of other roles hosted on Galaxy should go here, plus any details in regards to 
parameters that may need to be set for other roles, or variables that are used from other roles. Example Playbook ---------------- -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } +TODO License ------- -BSD +Apache License, Version 2.0 Author Information ------------------ -An optional section for the role authors to include contact information, or a website (HTML is not allowed). +TODO diff --git a/roles/openshift_sdn_node/meta/main.yml b/roles/openshift_sdn_node/meta/main.yml index a68ae8e54..ab45ff51e 100644 --- a/roles/openshift_sdn_node/meta/main.yml +++ b/roles/openshift_sdn_node/meta/main.yml @@ -3,7 +3,7 @@ galaxy_info: author: Jason DeTiberus description: OpenShift SDN Node company: Red Hat, Inc. - license: ASL 2.0 + license: Apache License, Version 2.0 min_ansible_version: 1.7 platforms: - name: EL diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md index fe6318184..187d74b06 100644 --- a/roles/os_firewall/README.md +++ b/roles/os_firewall/README.md @@ -59,7 +59,7 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80: License ------- -ASL 2.0 +Apache License, Version 2.0 Author Information ------------------ diff --git a/roles/os_firewall/meta/main.yml b/roles/os_firewall/meta/main.yml index e431f531c..7a8cef6c5 100644 --- a/roles/os_firewall/meta/main.yml +++ b/roles/os_firewall/meta/main.yml @@ -2,7 +2,7 @@ galaxy_info: author: Jason DeTiberus description: os_firewall company: Red Hat, Inc. - license: ASL 2.0 + license: Apache License, Version 2.0 min_ansible_version: 1.7 platforms: - name: EL diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml index f6d5fe2eb..469cfab6f 100644 --- a/roles/os_firewall/tasks/firewall/firewalld.yml +++ b/roles/os_firewall/tasks/firewall/firewalld.yml 
@@ -4,6 +4,22 @@ name: firewalld state: present +- name: Check if iptables-services is installed + command: rpm -q iptables-services + register: pkg_check + failed_when: pkg_check.rc > 1 + changed_when: no + +- name: Ensure iptables services are not enabled + service: + name: "{{ item }}" + state: stopped + enabled: no + with_items: + - iptables + - ip6tables + when: pkg_check.rc == 0 + - name: Start and enable firewalld service service: name: firewalld @@ -15,23 +31,14 @@ pause: seconds=10 when: result | changed -- name: Ensure iptables services are not enabled - service: - name: "{{ item }}" - state: stopped - enabled: no - with_items: - - iptables - - ip6tables - - name: Mask iptables services command: systemctl mask "{{ item }}" register: result - failed_when: result.rc != 0 - changed_when: False + changed_when: "'iptables' in result.stdout" with_items: - iptables - ip6tables + when: pkg_check.rc == 0 # TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for # enabling rules and making them permanent with the immediate flag @@ -40,29 +47,29 @@ port: "{{ item.port }}" permanent: false state: enabled - with_items: allow - when: allow is defined + with_items: os_firewall_allow + when: os_firewall_allow is defined - name: Persist firewalld allow rules firewalld: port: "{{ item.port }}" permanent: true state: enabled - with_items: allow - when: allow is defined + with_items: os_firewall_allow + when: os_firewall_allow is defined - name: Remove firewalld allow rules firewalld: port: "{{ item.port }}" permanent: false state: disabled - with_items: deny - when: deny is defined + with_items: os_firewall_deny + when: os_firewall_deny is defined - name: Persist removal of firewalld allow rules firewalld: port: "{{ item.port }}" permanent: true state: disabled - with_items: deny - when: deny is defined + with_items: os_firewall_deny + when: os_firewall_deny is defined 
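Review bot: The `rpm -q iptables-services` probe in the first hunk registers `pkg_check`, and both the service task here and the mask task in the next hunk read `pkg_check.rc`; in check mode a `command` task is skipped, so those `when: pkg_check.rc == 0` conditions would presumably be evaluated against a result that has no `rc`. Since the probe is read-only, marking it `always_run: yes` keeps `--check` runs working. `changed_when: no` would also read better as `changed_when: false`, matching the `false`/`true` already used for `permanent` further down. The first hunk of roles/os_firewall/tasks/firewall/iptables.yml adds the same probe for firewalld and has the same gap.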
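Review bot: The `Mask iptables services` task in the second hunk drops `failed_when` and now derives `changed_when` from `'iptables' in result.stdout`, but systemctl usually writes its "Created symlink" message to stderr, so the condition may never be true and the task would always report unchanged. Testing both streams, for example `changed_when: "'iptables' in (result.stdout + result.stderr)"`, is safer and should be confirmed on the target systemd version. Masking is also skipped when the package is absent (`when: pkg_check.rc == 0`), so a later install of iptables-services would leave the units unmasked until the role runs again; a comment saying this is accepted would help. The `Mask firewalld service` task in roles/os_firewall/tasks/firewall/iptables.yml follows the same pattern.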
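Review bot: Switching `with_items` and `when` from `allow`/`deny` to `os_firewall_allow`/`os_firewall_deny` in the third hunk means a caller that still passes the old names gets every rule task skipped without an error, because each task is guarded by `is defined`. For `deny` that leaves ports open that the playbook author expected to be closed. A guard task at the top of the role, such as `- fail: msg="allow/deny were renamed to os_firewall_allow/os_firewall_deny"` with `when: allow is defined or deny is defined`, would turn the silent skip into a visible failure. The last two hunks of roles/os_firewall/tasks/firewall/iptables.yml make the same rename.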
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 24c87d5e3..87e77c083 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml @@ -7,6 +7,19 @@ - iptables - iptables-services +- name: Check if firewalld is installed + command: rpm -q firewalld + register: pkg_check + failed_when: pkg_check.rc > 1 + changed_when: no + +- name: Ensure firewalld service is not enabled + service: + name: firewalld + state: stopped + enabled: no + when: pkg_check.rc == 0 + - name: Start and enable iptables services service: name: "{{ item }}" @@ -21,18 +34,12 @@ pause: seconds=10 when: result | changed -- name: Ensure firewalld service is not enabled - service: - name: firewalld - state: stopped - enabled: no - +# TODO: submit PR upstream to add mask/unmask to service module - name: Mask firewalld service command: systemctl mask firewalld register: result - failed_when: result.rc != 0 - changed_when: False - ignore_errors: yes + changed_when: "'firewalld' in result.stdout" + when: pkg_check.rc == 0 - name: Add iptables allow rules os_firewall_manage_iptables: @@ -40,8 +47,8 @@ action: add protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - with_items: allow - when: allow is defined + with_items: os_firewall_allow + when: os_firewall_allow is defined - name: Remove iptables rules os_firewall_manage_iptables: @@ -49,5 +56,5 @@ action: remove protocol: "{{ item.port.split('/')[1] }}" port: "{{ item.port.split('/')[0] }}" - with_items: deny - when: deny is defined + with_items: os_firewall_deny + when: os_firewall_deny is defined |