From a6bf0552961c7b8c63639850fd0501941e89938f Mon Sep 17 00:00:00 2001 From: Tomas Sedovic Date: Fri, 16 Jun 2017 18:59:45 +0200 Subject: Add an Openstack provider (#397) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * First cut at the rhc-ose-ansible structure * New OSE3 docker host builder and OpenStack ansible provisioning support * Support for supplying flavor name and moved around variables * Refactored OpenStack provisioning to be a generic role. Created OpenShift specific playbook * Registry Role for ansible playbooks * Added immediate=yes to have firwalld port take affect; restructured registry role; changed true to yes in module parameters * added post_install role * adding playbook * Migration of CICD server provisioning to Ansible * Adding nginx auth layer * Removing key name from registry * Refactoring and renaming * adding openshift-ansible's post install roles * removing deprecated files * Shell for role variable info * removing extra files * Add OpenStack SSH key parameter check * Replacing yum commands and normalizing comments * fixed README * Renaming template files with .j2 for clarity * Add OpenStack security group detection and creation resolves #106 * Change to using split to iterate and SSH rule create only once * Reorder instances names to sort by env_id * Change default_env_id of "testenv" to local env OS_USERNAME resolves #142 * Prepend 'casl' to default_env_id * Add connection test to OpenStack before proceeding * First cut at DNS ansible roles * Updated defaults and tasks for dns-server * Add subscription-manager support for Hosted or Satellite * Refactor role to dynamically determine rhsm_method * Removes rhsm_method * Renames rhsm_server to rhsm_satellite * Add additional pre_task checks (hosted + key) * Change conditionals from rhsm_method check to rhsm_satellite defined * Change repos disable/enable from key to if repos are defined * Update README and examples in inventory file * Fix bad syntax with extra 'and' in when using rhsm_pool * Refactor use of rhsm_password to prevent display to CLI * Cosmetic changes to task names and move yum clean all to prereqs * Remove vars_prompt, add info to README to re-enable and for ansible-vault * Add openstack pre_tasks and ansible_sudo when calling role * Add deprovision playbook using nova list with sanity checks - Add minimum length check for env_id - Add max_instances check - Remove dynamic openstack.py inventory - Add override to bypass checks * Refactor debug flag to be dry_run and other small changes - Removed debug statements and instead display on pause prompt - Moved to playbooks directory * Add ansible_sudo: true to subscription-manager task * This matches PR#133 enabling ansible_sudo: true when calling that role * Also changes max_instances check from >= to just > to allow 2 full default environments to be removed (6 max_instances) * Updated to fix broken/missing 'defaults'... * Add unique image logic and rename playbook to terminate.yml * Add OSE provision prerequisites - Install required packages - Update pacakges (moved from main.yml) - Install and disable firewalld - Install iptables-services and disable iptables - Verify and set hostname if needed * Add SELinux check and fail if not enforcing * Remove getenforce and firewall tasks and use facts - Uses Ansible collected facts to determine SELinux status - Adds ansible_sudo: true when calling role - Adds tag to role when calling it * Add docker role - Largely taken from cicd docker.yml - Changed to using a template for docker-storage-setup - Using variables for both DEV and VG defined in defaults - Using pvs command to check for use of DEV and VG before proceeding * Add org parameter to Satellite with user/pass * Fix typo in task name * Updated dns-server role based on feedback * Changes by JayKayy for a full provision of OpenShift on OpenStack * Role for disconnected git server * Added additional yum dependency and corrected spelling * Added example of disconnected git inventory file * Changes to allow runs from inside a container. Also allows for running upstream openshift-ansible installer * Reverting previous commit and making template adjustments * Subscription manager role should accomodate orgs with spaces * Fixing unescaped newline * Channging hard coded host groups to match openshift-ansible expected host groups. Importing byo playbook now instead of nested ansible run. Need to refactor how we generate hostnames to make it fit this. * Updated to run as root rather than cloud-user, for now... * Updated inventory template to include openshift_hostname and openshift_public_hostname * Wrapping in a script to tie the two playbooks together * Updating ose-provision with DNS workarounds / fixes * Removed spaces causing issues... * DNS fix to support OSEv3.2 * Add floating IP support when using Neutron * Updated to remove repos from playbook + fix typo * Cleande up hostname role to make it more generic * Image name for DNS server becomes configurable. * Updated inventory and template file to make cluster config optional * Removing temporary file * Loosen up the DNS server a bit to allow for ETL OSP installs * Re-implements original subscription-manager role invokation that was removed in PR# 168. * Enhanced provisioning script with better error checking, diretory awareness, and improved help output * Should be looking for generated inventory file in SCRIPTS_BASE_DIR * Add Neutron floating IP support for Issue #195 * Add check for and set_fact if Neutron is in use which is used by several tasks * This PR was originally longer and contained the now split off PR #197 * first attempt at securing the registry * Minor updates for ansible 2.1 compatibility * Updated CICD implementation to support ETL OSP env * Updated OSE inventory file with some clean-up * Add enhancements for for terminate playbook * Fixes Issue #206 * Add check for valid item when attempting to delete objects * Add debug on all variables when using dry_run * Changed default ansible_ssh_user to cloud-user in line with standard cloud guest image * Add count for ips and volumes to display since these may not always be the same as instance count * Enhance displayed warning/note message to include new counts * It is possible for an instance to not have a floating IP for whatever reason (such as manually deallocating or releasing the IP), in this case SSH will not work to the instance so it will not be included in the host group to attempt subscription manager unregister, but will still be deleted * It is possible that an instance will have a volume created but not attached. In this case as a precautionary measure I am excluding these unattached volumes from the deletion in case this was intentionally detached to preserve data. We can further discuss if this should be a parameter to override instead or if we need to change this behavior. * Excluded instances in ERROR state as they will most likely not delete. We can discuss if this should be parameterized instead. * Added prompt variable defaulted to true but can be set to false * Added unregister variable defaulted to true but can be set to false * Adding NFS support and fixing template labels so we get a router and registry out of the box. * testing changes * tested changes * fixing defaults and removing host from test playbook * adding clenaup test book and fixed typo * Allow passing of ansible extra-vars in provisioning script * Change --environment to --extra-vars and add usage. * added check for already secured registry and uses actualy openshift_common dependency * fixed readiness probe by adding logic for 3.1 vs 3.2 * Fix malformed file to address Issue #210 * Pulling out file paths into variables to account for containerized installs * fixed error message logic for already secured registry * added tasks to disable and re-enable deployment triggers, remove debug task * Fixes Issue #163 if rhsm_password is not defined * Adding a post-install playbook with secure-registry and ssh key sync. * Node storage now uses node specific storage var; search for generated inventory file sorts by timestamp not name * Initial commit exposing registry service * move registry_hostname to inventory * Updated env_id to be a sub-domain + make the logic a bit more flexible * Enabled default subdomain/'apps' * Updated inventory template file to include 'openshift_deployment_type' * Adding LDAP and HTPasswd examples for an auth provider to base inventory file * Fixing port number in LDAP example * Refactor OpenStack security group creation * Adds new openstack-security-groups role * Addresses Issue #211 and adds all instances to default group * Defines default security group variable with all groups/rules * Sets security group variables per type (master,node,nfs,dns) * Supports specifying no security group for a type (e.g. nfs) * Uses new Ansible 2.x modules * Refactor to playbook and split data structure out * Split single security group variable into one per type * Moves 'default' security group from role into variable * Moves default security group variables back to openshift-common role * Converts openstack-security-group role into playbook * Playbook called on every openstack-create invocation as before * Simplifies security group tasks and removes type bhecking * Iterate through seucrity groups and build a comma-separated list of groups * Add detection of non-Neutron env * Add UDP 8053 to default master security group * Adjusting docker role, adding support for logging/metrics, and updating client container * OpenShift Management Role * Fixing ansible impl to work with OSP9 and ansible 2.2 * Correcting formatting * Added process / contribution info * Updated default security group rules (#7) * Openstack heat (#2) * Adding a role to invoke openstack heat * Adding readme * Pulling parameters out to inventory file * start of end-to-end playbook * More enhancements and refactoring to make dynamic inventory the driver for an openshift install * Switching to variable substituted path to config.yaml playbook * Changes to allow defining of number of nodes/infranodes. * Added labels to inventory * Start of end-to-end functionality * Enhancements to support openstack heat provisioning * Updating inventory sample to remove some deprecation warnings * Working towards making the secure-registry role 'become' aware * Fixing node labels and removing secure-registry as it's no longer needed * No longer need insecure registry line, as installer will secure our registry * Adjusted dynamic inventory to filter by clusterid * Minor updates to dynamic inventory bug * Adding a refactored sample inventory directory * Refactoring playbooks for better directory structure, and to narrow down host groups * Adding volume mounts to heat template * Moving dns playbooks back to original location * Fixing incorrect file path * Cleaning up inventory samples * One more hostname to clean up * Changing var name * changed openshift-provision to openshift-prep * Adjusting current provision script to avoid breakage by new openstack-heat code * Updating PR Template with Team mention (#10) * Install playbook defaults to the assumption that casl-ansible and openshift-ansible are checked out to the same directory * Removing unnecessary task * Fixing two significant bugs in the HEAT deployment (#13) * Updated values in sample inventory (#17) * Adding documentation and docker containers so others can begin testin… (#16) * Adding documentation and docker containers so others can begin testing cluster provisioning * Making updates per comments by @oybed * Fixing formatting changes for links * Renaming openstack images to align with CoP naming (#18) * Defaulting the DNS instance to a small flavor (#20) * Nagios (#11) * First cut at the nagios work * Added NRPE service enabled * Updated implementation to be a bit more flexible * Updated logic to include checks for services * Added support for DNS and NFS checks * Updated templates and config files * Updated check_service script to simplify and avoid false negatives * Added support for OpenShift checks * Added README for the playbook * Updated README * DNS server should NOT run docker (#25) * Readme (#26) * Updated documentation and example inventory * Update README.md Added "hint" * Update README.md Fix numbering in the markdown * Update README.md * Added docker_volume_size to the sample inventory * Added rhsm_pool to the sample inventory * Updated README per comments * Ensure DNS configuration has wildcards set for infra nodes (#24) * Ensure DNS configuration has wildcards set for infra nodes * Updated to include all cluster hosts for DNS entries * Updated DNS server role + example playbook (#27) * Updated DNS server role + example playbook * Updated DNS server role + example playbook * Dns selinux (#28) * Updated DNS server role + example playbook * Updated DNS server role + example playbook * Updated for SELinux boolean * Openshift mgmt (#30) Added prune_projects to the openshift-management role along with Ansible tower support * Created initial CHANGELOG.md * Updating to development release of ansible 2.3.0 to pull down bug fixes in HEAT module (#21) * Workaround for Ansible 2.3 breakage (#31) * Added quotes where needed and fixed some other minor bugs (#33) * Fixing awk check (#34) * Updating client image to lock it to ansible 2.3 and install some addi… (#32) * Updating client image to lock it to ansible 2.3 and install some additional dependencies * First attempt at a docker-compose based solution * Renaming image * Stack refactor (#38) * Refactored openstack-stack role to: - Convert static heat template files to ansible templates - Include native ansible groups via openstack metadata. This removes the need for a playbook to map host groups - Some code cleanup * Deleting commentd out code and irrelevant plays * Refactored openstack-stack role to: - Convert static heat template files to ansible templates - Include native ansible groups via openstack metadata. This removes the need for a playbook to map host groups - Some code cleanup * Deleting commentd out code and irrelevant plays * Replacing stack parameters with jinja expressions * Updating sample inventory to work with latest dynamic inventory changes * updating inventory with host group mapping. making sync keys optional * Missing cluster_hosts group * Updating to add infra_hosts * Updating inventory per comments from oybed and sabre1041 * First attempt at a simple multi-master support (#39) * First attempt at a simple multi-master support * Removing unneeded inventory * adding default number of masters and lower number of nodes * Some fixes (#41) * Fix the sample inventory The `openstack_nameservers` variable needs to be a list of strings, we need to set the Openshift labels in OSv3.yml and we show an example of using the username/password/poll for RHEL subscriptions. * Update the READMEs This fixes some of the paths, explains that we need to pass `openstack_ssh_public_key` to the end-to-end playbook and includes the full Docker command since there is no `run.sh` script. Oh and Heat is not an acronym :). * Fixes to the readme and inventory * Use docker-compose * Correcting the sample inventory for an HA cluster (#40) * Correcting the sample inventory for an HA cluster * Adding node label mapping * Updating to mre generic IPs * Updating to OSP ocata repo, as there are some bugs with newton's channel (#44) * Use the correct variable name in create_users (#43) The user creation was failing, because it was looking for the `demo_users` variable while the samples put the data under `create_users`. * Upgrading jinja2 to work correctly with latest templates (#45) * Fix rpm deps (#46) * Upgrading jinja2 to work correctly with latest templates * Updated to solve rpm deps + other version issues * Clean-up * Updating control-host settings and env * Updating control-host settings and env * Updating README and names to align across all components * Setting the TERM var for better shell experience * Conditionally set the openshift_master_default_subdomain to avoid overriding it unecessary (#47) * Update README.md * Update CASL to use nsupdate for DNS records (#48) * Updated to use nsupdate for DNS records * Updated formatting of dict * Updating descriptive text * Support for external DNS config * Upgrading jinja2 to work correctly with latest templates * Latest update for nsupdate * Updated to use nsupdate for DNS records * Updated formatting of dict * Updating descriptive text * Support for external DNS config * Latest update for nsupdate * Updated to support external public/private DNS server(s) * Updated DNS server handling * Updated DNS server handling * Updated DNS server handling * Eliminated the from the sample inventories * Updated sample inventory to point to 2 separate DNS servers for private/public * Playbook clean-up * Adding 'python-dns' * splitting subscription manager calls to allow for a clean pre-install playbook * Move the openstack provisioning playbooks They'll live in playbooks/provisioning/openstack from now on. * Add a single provisioning playbook * Symlink roles to provisioning/openstack/roles * Add a sample inventory for openstack provisioning * Add license for openstack.py in inventory It's under the GPLv3+ while the rest of the repo is Apache 2. * Add readme * Move pre_tasks from to the openstack provisioner We should probably not pollute the role namespace with a name as common as "common". Moving the pre_task.yml to provisioners/openstack instead. * Add default values to provision-openstack.yml * Fix privileges in the pre-install playbook * Always let the openshift nodes access the DNS When `node_ingress_cidr` to limit the IP range for the DNS server, this can prevent the actual openshift nodes from accessing it as well. This commit makes the access from the `openstack_subnet_prefix` always pass through and uses `node_ingress_cidr` for additional access control. * Add a flat sec group for openstack provider Add a openstack_flat_secgroup, defaults to False. When set, merges sec rules for master, node, etcd, infra nodes into a single group. Less secure, but might help to mitigate quota limitations. Update docs. Use timeout 30s to mitigate the error: Timeout (12s) waiting for privilege escalation prompt. Signed-off-by: Bogdan Dobrelya * Add ansible.cfg for openstack provider Signed-off-by: Bogdan Dobrelya * Drop atomic-openshift-utils, update docs for origin TODO use with when: ansible_distribution == 'CentOS' Also update docs for origin Signed-off-by: Bogdan Dobrelya * Gather facts for provision playbook Provision tasks use facts like ansible_hostname and few others. W/o gathering facts, those expire, and the provision playbook cannot be reapplied in order to update the existing heat stack. Refresh the facts cache by specifying gather_facts: true. Signed-off-by: Bogdan Dobrelya * Update sample inventory with the latest changes * Fix yamllint errors * Remove the extraneous DNS directory It's a CASL-specific helper, not necessary for the provisioning playbooks. * Fix flake8 errors with the openstack inventory --- roles/openshift-prep/tasks/main.yml | 4 ++++ roles/openshift-prep/tasks/prerequisites.yml | 35 ++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 roles/openshift-prep/tasks/main.yml create mode 100644 roles/openshift-prep/tasks/prerequisites.yml (limited to 'roles/openshift-prep') diff --git a/roles/openshift-prep/tasks/main.yml b/roles/openshift-prep/tasks/main.yml new file mode 100644 index 000000000..5e484e75f --- /dev/null +++ b/roles/openshift-prep/tasks/main.yml @@ -0,0 +1,4 @@ +--- +# Starting Point for OpenShift Installation and Configuration +- include: prerequisites.yml + tags: [prerequisites] diff --git a/roles/openshift-prep/tasks/prerequisites.yml b/roles/openshift-prep/tasks/prerequisites.yml new file mode 100644 index 000000000..60507636f --- /dev/null +++ b/roles/openshift-prep/tasks/prerequisites.yml @@ -0,0 +1,35 @@ +--- +- name: "Cleaning yum repositories" + command: "yum clean all" + +- name: "Install required packages" + yum: + name: "{{ item }}" + state: latest + with_items: + - wget + - git + - net-tools + - bind-utils + - bridge-utils + - bash-completion + - vim-enhanced + +- name: "Update all packages (this can take a very long time)" + yum: + name: "*" + state: latest + +- name: "Verify hostname" + shell: hostnamectl status | awk "/Static hostname/"'{ print $3 }' + register: hostname_fqdn + +- name: "Set hostname if required" + hostname: + name: "{{ ansible_fqdn }}" + when: hostname_fqdn.stdout != ansible_fqdn + +- name: "Verify SELinux is enforcing" + fail: + msg: "SELinux is required for OpenShift and has been detected as '{{ ansible_selinux.config_mode }}'" + when: ansible_selinux.config_mode != "enforcing" -- cgit v1.2.3