| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Currently, registry authentication credentials are not
produced until after docker systemd service files are
created.
This commit ensures the credentials are
created before the systemd service files to ensure
the proper boolean is set to include the read-only
mount of credentials inside containerized nodes and
masters.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341
|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Automatic merge from submit-queue
Move sysctl.conf customizations to a separate file
Move them from /etc/sysctl.conf to /etc/sysctl.d/99-openshift.conf
This is a good idea becuase:
1- /etc/sysctl.conf is evaluated later, so it can easily be overwritten by previous customizations
2- It's likely that there is an agent like puppet monitoring this file
3- It's easier to know what's being changed by OpenShift
|
| | |
| |
| |
| | |
Move them from /etc/sysctl.conf to /etc/sysctl.d/99-openshift.conf
|
| |\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Automatic merge from submit-queue
Add `openshift_node_open_ports` to allow arbitrary firewall exposure
It should be possible for an admin to define an arbitrary set of ports
to be exposed on each node that will relate to the cluster function.
This adds a new global variable for the node that supports
Array(Object{'service':<name>,'port':<port_spec>,'cond':<boolean>})
which is the same format accepted by the firewall role.
@sdodson as discussed, open to alternatives. I used this from origin-gce with
openshift_node_open_ports:
- service: Router stats
port: 1936/tcp
- service: Open node ports
port: 9000-10000/tcp
- service: Open node ports
port: 9000-10000/udp
Which then allows me to set firewall rules appropriately.
Alternatives considered:
* Simpler external format (have to parse inputs)
* Additional parameter to role - felt ugly
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
It should be possible for an admin to define an arbitrary set of ports
to be exposed on each node that will relate to the cluster function.
This adds a new global variable for the node that supports
Array(Object{'service':<name>,'port':<port_spec>,'cond':<boolean>})
which is the same format accepted by the firewall role.
|
| |\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Automatic merge from submit-queue
Only attempt to start iptables on hosts in the current batch
If os_firewall role is called from within a play that uses serial then
it was attempting to start iptables on hosts that may not have had
iptables installed on them yet. So limit the hosts to the current batch.
According to the ansible docs on plays where serial is unused this is
the same as ansible_play_hosts.
See http://docs.ansible.com/ansible/latest/playbooks_variables.html
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1490739
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
If os_firewall role is called from within a play that uses serial then
it was attempting to start iptables on hosts that may not have had
iptables installed on them yet. So limit the hosts to the current batch.
According to the ansible docs on plays where serial is unused this is
the same as ansible_play_hosts.
See http://docs.ansible.com/ansible/latest/playbooks_variables.html
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1490739
|
| | | | | |
|
| |\ \ \ \
| | | | |
| | | | | |
add retries on repoquery
|
| | | | | | |
|
| | | | | | |
|
| |\ \ \ \ \
| | | | | |
| | | | | | |
Setup tuned after the node has been restarted.
|
| | | | | | | |
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Bug 1490304: Etcd scale-up playbook should add new member to etcdClientInfo of master-config.yaml
|
| | | |_|_|/ /
| |/| | | | |
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Merged by openshift-bot
|
| | | | | | | | |
|
| |\ \ \ \ \ \ \
| |_|_|/ / / /
|/| | | | | | |
Scaffold out the entire build defaults hash
|
| | | |_|/ / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | | |
Some functions called later may expect sub-keys to exist which will
not with the current default empty-dict.
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Add IMAGE_VERSION to the image stream tag source
|
| | | |_|/ / /
| |/| | | | |
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
GlusterFS: Correct firewall port names
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Signed-off-by: Jose A. Rivera <jarrpa@redhat.com>
|
| |\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
GlusterFS: Various fixes
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Signed-off-by: Jose A. Rivera <jarrpa@redhat.com>
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Signed-off-by: Jose A. Rivera <jarrpa@redhat.com>
|
| | | | | | | | |
| | | | | | | |
| | | | | | | |
| | | | | | | | |
Signed-off-by: Jose A. Rivera <jarrpa@redhat.com>
|
| |\ \ \ \ \ \ \ \
| |_|_|_|_|_|/ /
|/| | | | | | | |
Merged by openshift-bot
|
| | | |_|_|_|/ /
| |/| | | | | |
|
| |\ \ \ \ \ \ \
| | | | | | | |
| | | | | | | | |
Removing setting of pod presets
|
| | | | | | | | | |
|
| |\ \ \ \ \ \ \ \
| |/ / / / / / /
|/| | | | | | | |
Merged by openshift-bot
|
| | | |_|_|/ / /
| |/| | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Currently, openshift-anisble supports authentication to
container registries to pull down openshift container images.
The openshift_verison role uses the docker cli to gather
image information from container registries before authentication
credentials are provided by openshift-ansible.
This commit creates the necessary token to authenticate to
private registries during openshift_version. The token
is generated by the role 'docker' on all hosts where
docker is installed/configured when oreg_auth_users
is defined.
This commit also adds a read-only mount into the
openshift master and node container services. This
mount is '/var/lib/origin/.docker:/root/.docker:ro'.
This is because the container images do not currently
read the values in '/var/lib/origin/.docker' as this
may be a bug upstream.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1316341
|
| | |_|_|_|/ /
|/| | | | |
| | | | | |
| | | | | | |
Signed-off-by: Steve Milner <smilner@redhat.com>
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Merged by openshift-bot
|
| | | | | | | | |
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This workaround prevents the warnings on using Jinja2 templating
delimiters in `when:` conditions in cases where a variable is used as
the conditional. This has been fixed in Ansible 2.4.
https://github.com/ansible/ansible/pull/25092
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Merged by openshift-bot
|
| | |/ / / / / |
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Merged by openshift-bot
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Can now set openshift_disable_check=* to disable all checks without
needing to know their names.
fixes bug 1462106
https://bugzilla.redhat.com/show_bug.cgi?id=1462106
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
An image in the docker index may be tagged by name or by registry plus
name. In order to find the image correctly locally and prevent looking
for it externally, make sure all possible variations are searched.
|
| | | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | |
| | | | | | | |
Probe whether the host has connectivity to the registry before trying to
inspect it for images, and remember the result. Also if later inspection
fails due to timeout, mark registry as unreachable. Note in failure
output if any registries were unreachable.
Registry order should match what is configured into docker now as well.
Fixes bug 1480195
https://bugzilla.redhat.com/show_bug.cgi?id=1480195
|
| | |/ / / / / |
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Merged by openshift-bot
|
| | | |/ / / /
| |/| | | | |
|
| |\ \ \ \ \ \
| | | | | | |
| | | | | | | |
Merged by openshift-bot
|
| | | | | | | | |
|
| |\ \ \ \ \ \ \
| |_|_|/ / / /
|/| | | | | | |
Skip failure dedup instead of crashing
|
| | | |/ / / /
| |/| | | |
| | | | | |
| | | | | |
| | | | | |
| | | | | | |
This makes the callback plugin behave better when dedup is not possible:
work with the original list of failures instead of raising an unhandled
exception and producing confusing output for users.
|
