-rw-r--r-- .tito/packages/openshift-ansible 2
-rw-r--r-- .tito/releasers.conf 6
-rw-r--r-- openshift-ansible.spec 229
-rw-r--r-- playbooks/common/openshift-cluster/upgrades/etcd/containerized_tasks.yml 3
-rw-r--r-- roles/docker/meta/main.yml 1
-rw-r--r-- roles/docker/tasks/main.yml 22
-rw-r--r-- roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py 4
-rw-r--r-- roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py 4
-rw-r--r-- roles/openshift_version/tasks/set_version_containerized.yml 5
-rw-r--r-- roles/os_firewall/README.md 7
-rw-r--r-- roles/os_firewall/defaults/main.yml 8
-rw-r--r-- roles/os_firewall/tasks/main.yml 6
-rw-r--r-- utils/Makefile 3
-rw-r--r-- utils/docs/man/man1/atomic-openshift-installer.1 8
-rw-r--r-- utils/docs/man/man1/atomic-openshift-installer.1.asciidoc.in 2
-rw-r--r-- utils/src/ooinstall/cli_installer.py 14
16 files changed, 290 insertions, 34 deletions
diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index bde176e44..efc0cbe26 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.4.17-1 ./
+3.5.0-1 ./
diff --git a/.tito/releasers.conf b/.tito/releasers.conf
index daa350cf6..032212b24 100644
--- a/.tito/releasers.conf
+++ b/.tito/releasers.conf
@@ -27,6 +27,12 @@ releaser = tito.release.DistGitReleaser
branches = rhaos-3.4-rhel-7
srpm_disttag = .el7aos
+[aos-3.5]
+releaser = tito.release.DistGitReleaser
+branches = rhaos-3.5-rhel-7
+srpm_disttag = .el7aos
+
+
[copr-openshift-ansible]
releaser = tito.release.CoprReleaser
project_name = @OpenShiftOnlineOps/openshift-ansible
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 4961d23ef..665ede1cb 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -5,7 +5,7 @@
}
Name: openshift-ansible
-Version: 3.4.17
+Version: 3.5.0
Release: 1%{?dist}
Summary: Openshift and Atomic Enterprise Ansible
License: ASL 2.0
@@ -249,6 +249,233 @@ Atomic OpenShift Utilities includes
%changelog
+* Mon Jan 09 2017 Scott Dodson <sdodson@redhat.com> 3.5.0-1
+- Update manpage version. (tbielawa@redhat.com)
+- Fix openshift_image_tag=latest. (abutcher@redhat.com)
+- Use registry.access.redhat.com/rhel7/etcd instead of etcd3
+ (sdodson@redhat.com)
+- Fix repo defaults (sdodson@redhat.com)
+- Use openshift.common.hostname when verifying API port available.
+ (abutcher@redhat.com)
+- Re-add when condition which was removed mistakenly in #3036
+ (maszulik@redhat.com)
+- logging-deployer pull fixes from origin-aggregated-logging/#317
+ (sdodson@redhat.com)
+- Don't upgrade etcd on atomic host, ever. (sdodson@redhat.com)
+- Change wording in the quick installer callback plugin (tbielawa@redhat.com)
+- Fix jsonpath expected output when checking registry volume secrets
+ (maszulik@redhat.com)
+- Enable repos defined in openshift_additional_repos by default
+ (sdodson@redhat.com)
+- Add required python-six package to installation (tbielawa@redhat.com)
+- Hush the sudo privs check in oo-installer (tbielawa@redhat.com)
+- Add future versions to openshift_facts (ccoleman@redhat.com)
+- Cast openshift_enable_origin_repo to bool. (abutcher@redhat.com)
+- Update CFME template to point to GA build (simaishi@redhat.com)
+- Update aoi manpage with correct operation count (tbielawa@redhat.com)
+- Add templates for CFME Beta pod images (simaishi@redhat.com)
+- Add osnl_volume_reclaim_policy variable to nfs_lvm role
+ (ando.roots@bigbank.ee)
+- remove duplicate filter name and oo_pdb (jdetiber@redhat.com)
+- remove old Ops tooling (jdetiber@redhat.com)
+- enable pip cache for travis (jdetiber@redhat.com)
+- python3 support, add tox for better local testing against multiple python
+ versions (jdetiber@redhat.com)
+- modify_yaml: handle None value during update. (abutcher@redhat.com)
+- Update the openshift-certificate-expiry README to reflect latest changes
+ (tbielawa@redhat.com)
+- Deprecate node 'evacuation' with 'drain' (tbielawa@redhat.com)
+- Add master config hook for 3.4 upgrade and fix facts ordering for config hook
+ run. (abutcher@redhat.com)
+- The next registry.access.redhat.com/rhel7/etcd image will be 3.0.15
+ (sdodson@redhat.com)
+- [uninstall] Remove excluder packages (sdodson@redhat.com)
+- Check embedded etcd certs now, too (tbielawa@redhat.com)
+- Include 'total' and 'ok' in check results (tbielawa@redhat.com)
+- Enable firewalld by default (rteague@redhat.com)
+- Fix access_modes initialization (luis.fernandezalvarez@epfl.ch)
+- Updated OpenShift Master iptables rules (rteague@redhat.com)
+- YAML Linting (rteague@redhat.com)
+- Make both backup and upgrade optional (sdodson@redhat.com)
+- [upgrades] Upgrade etcd by default (sdodson@redhat.com)
+- upgrades - Fix logic error about when to backup etcd (sdodson@redhat.com)
+- Limit node certificate SAN to node hostnames/ips. (abutcher@redhat.com)
+- Make 'cover-erase' a config file setting. Move VENT target to pre-req for all
+ ci-* targets (tbielawa@redhat.com)
+- Fixes to 'make ci' (tbielawa@redhat.com)
+- Resolved lint issues (rteague@redhat.com)
+- Minimum Ansible version check (rteague@redhat.com)
+- Removed verify_ansible_version playbook refs (rteague@redhat.com)
+- Fix coverage not appending new data (tbielawa@redhat.com)
+- Drop 3.2 upgrade playbooks. (dgoodwin@redhat.com)
+- Silence warnings when using rpm directly (dag@wieers.com)
+- Silence warnings when using rpm directly (dag@wieers.com)
+- Silence warnings when using rpm directly (dag@wieers.com)
+- Remove Hostname from 1.1 and 1.2 predicates (jdetiber@redhat.com)
+- Properly handle x.y.z formatted versions for openshift_release
+ (jdetiber@redhat.com)
+- etcd_upgrade: Simplify package installation (sdodson@redhat.com)
+- Speed up 'make ci' and trim the output (tbielawa@redhat.com)
+- add comments and remove debug code (jdetiber@redhat.com)
+- Pre-pull master/node/ovs images during upgrade. (dgoodwin@redhat.com)
+- Handle updating of scheduler config during upgrade (jdetiber@redhat.com)
+- Fix templating (jdetiber@redhat.com)
+- test updates (jdetiber@redhat.com)
+- Always install latest etcd for containerized hosts (sdodson@redhat.com)
+- etcd_upgrade : Use different variables for rpm vs container versions
+ (sdodson@redhat.com)
+- Switch back to using etcd rather than etcd3 (sdodson@redhat.com)
+- node_dnsmasq - restart dnsmasq if it's not currently running
+ (sdodson@redhat.com)
+- Conditionalize master config update for admission_plugin_config.
+ (abutcher@redhat.com)
+- upgrade_control_plane.yml: systemd_units.yaml nees the master facts
+ (mchappel@redhat.com)
+- openshift-master/restart : use openshift.common.hostname instead of
+ inventory_hostname (mchappel@redhat.com)
+- Update scheduler predicate/priorities vars (jdetiber@redhat.com)
+- fix tags (jdetiber@redhat.com)
+- openshift_node_dnsmasq - Remove strict-order option from dnsmasq
+ (sdodson@redhat.com)
+- Fix metricsPublicURL only being set correctly on first master.
+ (dgoodwin@redhat.com)
+- Explictly set etcd vars for byo scaleup (smunilla@redhat.com)
+- Cleanup ovs file and restart docker on every upgrade. (dgoodwin@redhat.com)
+- Sync latest image stream and templates for v1.3 and v1.4 (sdodson@redhat.com)
+- xpaas v1.3.5 (sdodson@redhat.com)
+- Ansible version check update (tbielawa@redhat.com)
+- allow 'latest' origin_image_tag (sjenning@redhat.com)
+- Remove duplicate when key (rteague@redhat.com)
+- refactor handling of scheduler defaults (jdetiber@redhat.com)
+- update tests and flake8/pylint fixes (jdetiber@redhat.com)
+- fix tagging (jdetiber@redhat.com)
+- do not report changed for group mapping (jdetiber@redhat.com)
+- fix selinux issues with etcd container (dusty@dustymabe.com)
+- etcd upgrade playbook is not currently applicable to embedded etcd installs
+ (sdodson@redhat.com)
+- Fix invalid embedded etcd fact in etcd upgrade playbook.
+ (dgoodwin@redhat.com)
+- Gracefully handle OpenSSL module absence (misc@redhat.com)
+- Refactored to use Ansible systemd module (rteague@redhat.com)
+- Updating docs for Ansible 2.2 requirements (rteague@redhat.com)
+- Fix the list done after cluster creation on libvirt and OpenStack
+ (lhuard@amadeus.com)
+- Set nameservers on DHCPv6 event (alexandre.lossent@cern.ch)
+- Systemd `systemctl show` workaround (rteague@redhat.com)
+- Verify the presence of dbus python binding (misc@redhat.com)
+- Update README.md (jf.cron0@gmail.com)
+- Reference master binaries when delegating from node hosts which may be
+ containerized. (abutcher@redhat.com)
+- Merge kube_admission_plugin_config with admission_plugin_config
+ (smunilla@redhat.com)
+- Added a BYO playbook for configuring NetworkManager on nodes
+ (skuznets@redhat.com)
+- Make the role work on F25 Cloud (misc@redhat.com)
+- Make os_firewall_manage_iptables run on python3 (misc@redhat.com)
+- Modified the error message being checked for (vishal.patil@nuagenetworks.net)
+- Only run tuned-adm if tuned exists. (dusty@dustymabe.com)
+- Delegate openshift_manage_node tasks to master host. (abutcher@redhat.com)
+- Fix rare failure to deploy new registry/router after upgrade.
+ (dgoodwin@redhat.com)
+- Refactor os_firewall role (rteague@redhat.com)
+- Allow ansible to continue when a node is unaccessible or fails.
+ (abutcher@redhat.com)
+- Create the file in two passes, atomicly copy it over (sdodson@redhat.com)
+- Escape LOGNAME variable according to GCE rules (jacek.suchenia@ocado.com)
+- node_dnsmasq -- Set dnsmasq as our only nameserver (sdodson@redhat.com)
+- Refactor to use Ansible package module (rteague@redhat.com)
+- Allow users to disable the origin repo creation (sdodson@redhat.com)
+- Fix yum/subman version check on Atomic. (dgoodwin@redhat.com)
+- Check for bad versions of yum and subscription-manager. (dgoodwin@redhat.com)
+- Corrected syntax and typos (rteague@redhat.com)
+- Fix GCE cluster creation (lhuard@amadeus.com)
+- Optimize the cloud-specific list.yml playbooks (lhuard@amadeus.com)
+- Added ip forwarding for nuage (vishal.patil@nuagenetworks.net)
+- Fix typo (sdodson@redhat.com)
+- Fix a few places where we're not specifying the admin kubeconfig
+ (sdodson@redhat.com)
+- Add rolebinding-reader (sdodson@redhat.com)
+- Add view permissions to hawkular sa (sdodson@redhat.com)
+- Use multiple '-v's when creating the metrics deployer command
+ (tbielawa@redhat.com)
+- Sync logging deployer changes from origin to enterprise (sdodson@redhat.com)
+- Docker daemon is started prematurely. (eric.mountain@amadeus.com)
+- Sync latest enterprise/metrics-deployer.yaml (sdodson@redhat.com)
+- Sync latest s2i content (sdodson@redhat.com)
+- Actually upgrade host etcdctl no matter what (sdodson@redhat.com)
+- Make etcd containerized upgrade stepwise (sdodson@redhat.com)
+- Fix commit-offsets in version detection for containerized installs
+ (tbielawa@redhat.com)
+- Fix HA upgrade when fact cache deleted. (dgoodwin@redhat.com)
+- Fix openshift_hosted_metrics_deployer_version set_fact. (abutcher@redhat.com)
+- Added dependency of os_firewall to docker role (rteague@redhat.com)
+- Add updates for containerized (sdodson@redhat.com)
+- Add etcd upgrade for RHEL and Fedora (sdodson@redhat.com)
+- Drop /etc/profile.d/etcdctl.sh (sdodson@redhat.com)
+- Move backups to a separate file for re-use (sdodson@redhat.com)
+- Uninstall etcd3 package (sdodson@redhat.com)
+- Resolve docker and iptables service dependencies (rteague@redhat.com)
+- Add Travis integration (rhcarvalho@gmail.com)
+- Default groups.oo_etcd_to_config when setting embedded_etcd in control plane
+ upgrade. (abutcher@redhat.com)
+- Enable quiet output for all a-o-i commands (tbielawa@redhat.com)
+- Update override cluster_hostname (smunilla@redhat.com)
+- Reconcile role bindings for jenkins pipeline during upgrade.
+ (dgoodwin@redhat.com)
+- Fix typos in openshift_facts gce cloud provider (sdodson@redhat.com)
+- Don't upgrade etcd on backup operations (sdodson@redhat.com)
+- Bump ansible requirement to 2.2.0.0-1 (GA) (sdodson@redhat.com)
+- Fix etcd backup failure due to corrupted facts. (dgoodwin@redhat.com)
+- Re-sync v1.4 image streams (andrew@andrewklau.com)
+- Revert "Revert openshift.node.nodename changes" (sdodson@redhat.com)
+- Change to allow cni deployments without openshift SDN (yfauser@vmware.com)
+- README: fix markdown formatting (rhcarvalho@gmail.com)
+- Create contribution guide (rhcarvalho@gmail.com)
+- Remove README_AEP.md (rhcarvalho@gmail.com)
+- Install flannel RPM on containerized but not atomic (sdodson@redhat.com)
+- README: move structure overview to the top (rhcarvalho@gmail.com)
+- README: cleanup setup steps (rhcarvalho@gmail.com)
+- README: remove OSX setup requirements (rhcarvalho@gmail.com)
+- Add missing symlink for node openvswitch oom fix. (dgoodwin@redhat.com)
+- README: improve first paragraph (rhcarvalho@gmail.com)
+- README: add links, fix typos (rhcarvalho@gmail.com)
+- README: improve markdown formatting (rhcarvalho@gmail.com)
+- Make it easier to run Python tests (rhcarvalho@gmail.com)
+- FIx flannel var name (jprovazn@redhat.com)
+- Always add local dns domain to no_proxy (jawed.khelil@amadeus.com)
+- Refactor default sdn_cluster_network_cidr and sdn_host_subnet_length
+ (sdodson@redhat.com)
+- Revert "Fix the nodeName of the OpenShift nodes on OpenStack"
+ (sdodson@redhat.com)
+- Revert "Fix OpenStack cloud provider" (sdodson@redhat.com)
+- Revert "Check that OpenStack hostnames are resolvable" (sdodson@redhat.com)
+- set AWS creds task with no_logs (somalley@redhat.com)
+- Change the logic to just compare against masters and nodes.
+ (tbielawa@redhat.com)
+- Append /inventory/README.md to explain what is BYO inventory folder #2742
+ (contact@stephane-klein.info)
+- Remove unused openshift-ansible/inventory/hosts file #2740 (contact@stephane-
+ klein.info)
+- Remove unused playbooks adhoc metrics_setup files #2717 (contact@stephane-
+ klein.info)
+- a-o-i: remove dummy data_file (rhcarvalho@gmail.com)
+- a-o-i: remove script leftover from OpenShift v2 (rhcarvalho@gmail.com)
+- [openstack] allows timeout option for heat create stack
+ (douglaskippsmith@gmail.com)
+- [openstack] updates documentation to show that you need to install shade
+ (douglaskippsmith@gmail.com)
+- default to multizone GCE config (sjenning@redhat.com)
+- Add some tests for utils to get the coverage up. (tbielawa@redhat.com)
+- Update defaults for clusterNetworkCIDR & hostSubnetLength
+ (smunilla@redhat.com)
+- Add hawkular admin cluster role to management admin (fsimonce@redhat.com)
+- Prevent useless master by reworking template for master service enf file
+ (jkhelil@gmail.com)
+- support 3rd party scheduler (jannleno1@gmail.com)
+- Add nuage rest server port to haproxy firewall rules. (abutcher@redhat.com)
+- Port openshift_facts to py3 (misc@redhat.com)
+- storage/nfs_lvm: Also export as ReadWriteOnce (walters@verbum.org)
+
* Fri Nov 04 2016 Scott Dodson <sdodson@redhat.com> 3.4.17-1
- Fix indentation for flannel etcd vars (smunilla@redhat.com)
- Update hosted_templates (sdodson@redhat.com)
diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/containerized_tasks.yml b/playbooks/common/openshift-cluster/upgrades/etcd/containerized_tasks.yml
index f88981a0b..5f8b59e17 100644
--- a/playbooks/common/openshift-cluster/upgrades/etcd/containerized_tasks.yml
+++ b/playbooks/common/openshift-cluster/upgrades/etcd/containerized_tasks.yml
@@ -8,8 +8,7 @@
- name: Set new_etcd_image
set_fact:
- new_etcd_image: "{{ current_image.stdout | regex_replace('/etcd.*$','/etcd3:' ~ upgrade_version ) if upgrade_version | version_compare('3.0','>=')
- else current_image.stdout.split(':')[0] ~ ':' ~ upgrade_version }}"
+ new_etcd_image: "{{ current_image.stdout | regex_replace('/etcd.*$','/etcd:' ~ upgrade_version ) }}"
- name: Pull new etcd image
command: "docker pull {{ new_etcd_image }}"
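Review bot: the pattern `'/etcd.*$'` in the new `new_etcd_image` line is not anchored to the last path component, so it matches from the first `/etcd` anywhere in `current_image.stdout` and discards everything after it, including any later path segments. If a registry or namespace in the image reference begins with `etcd`, the rewritten name will point at a different repository than the one currently running. Anchoring on the final component (for example `'/etcd[^/]*$'`) would keep the rewrite limited to the image name and tag. It would also help to fail early if `upgrade_version` is empty, since the result is passed directly to `docker pull`.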
diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index dadd62c93..ad28cece9 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -11,4 +11,3 @@ galaxy_info:
- 7
dependencies:
- role: os_firewall
- os_firewall_use_firewalld: False
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index a93bdc2ad..57da23e0a 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -43,16 +43,18 @@
package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
when: not openshift.common.is_atomic | bool
-- name: Ensure docker.service.d directory exists
- file:
- path: "{{ docker_systemd_dir }}"
- state: directory
-
-# Extend the default Docker service unit file
-- name: Configure Docker service unit file
- template:
- dest: "{{ docker_systemd_dir }}/custom.conf"
- src: custom.conf.j2
+- block:
+ # Extend the default Docker service unit file when using iptables-services
+ - name: Ensure docker.service.d directory exists
+ file:
+ path: "{{ docker_systemd_dir }}"
+ state: directory
+
+ - name: Configure Docker service unit file
+ template:
+ dest: "{{ docker_systemd_dir }}/custom.conf"
+ src: custom.conf.j2
+ when: not os_firewall_use_firewalld | default(True) | bool
- include: udev_workaround.yml
when: docker_udev_workaround | default(False) | bool
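Review bot: the block condition `when: not os_firewall_use_firewalld | default(True) | bool` hard-codes a fallback of True, which disagrees with the os_firewall default in this same commit, where the value evaluates to False on Atomic Host. If the variable is ever unresolved at this point, the drop-in is skipped on exactly the hosts that use iptables. Since roles/docker/meta/main.yml already depends on os_firewall, consider dropping the `default(True)` so there is a single source for the default. Separately, nothing in this hunk removes an existing `custom.conf` when a host that previously used iptables is switched to firewalld, so a stale drop-in can remain in `docker_systemd_dir`; a task with `state: absent` for the firewalld case would cover that.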
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
index b0984b004..29a59a0d3 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
@@ -40,10 +40,10 @@ class LookupModule(LookupBase):
# pylint: disable=line-too-long
raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified")
if deployment_type == 'origin':
- if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6']:
+ if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
elif deployment_type == 'openshift-enterprise':
- if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6']:
+ if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
else:
raise AnsibleError("Unknown deployment_type %s" % deployment_type)
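Review bot: adding `'latest'` to both `short_version` allow-lists only gets the value past validation; nothing in this hunk shows which predicate set `'latest'` resolves to afterwards. Please confirm the selection logic that follows has an explicit branch for `'latest'` (and a test for it), otherwise the lookup can return an empty or outdated default set without raising.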
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
index 4d6572dae..36022597f 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
@@ -45,10 +45,10 @@ class LookupModule(LookupBase):
raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified")
if deployment_type == 'origin':
- if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6']:
+ if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
elif deployment_type == 'openshift-enterprise':
- if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6']:
+ if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']:
raise AnsibleError("Unknown short_version %s" % short_version)
else:
raise AnsibleError("Unknown deployment_type %s" % deployment_type)
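Review bot: the two `short_version` lists edited here are identical to the ones in openshift_master_facts_default_predicates.py and have to be changed in lockstep, as this commit does by hand. A shared constant for the accepted origin and openshift-enterprise versions would prevent the two plugins from drifting apart the next time a version is added.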
diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml
index 718537287..cd0f20ae9 100644
--- a/roles/openshift_version/tasks/set_version_containerized.yml
+++ b/roles/openshift_version/tasks/set_version_containerized.yml
@@ -1,8 +1,9 @@
---
- name: Set containerized version to configure if openshift_image_tag specified
set_fact:
- # Expects a leading "v" in inventory, strip it off here:
- openshift_version: "{{ openshift_image_tag[1:].split('-')[0] }}"
+ # Expects a leading "v" in inventory, strip it off here unless
+ # openshift_image_tag=latest
+ openshift_version: "{{ openshift_image_tag[1:].split('-')[0] if openshift_image_tag != 'latest' else openshift_image_tag }}"
when: openshift_image_tag is defined and openshift_version is not defined
- name: Set containerized version to configure if openshift_release specified
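Review bot: in the new `openshift_version` expression the only special case is the exact string `'latest'`; every other value still goes through `openshift_image_tag[1:]`, which drops the first character whether or not it is a `v`. A tag supplied without the prefix therefore produces a truncated version with no error. Consider stripping the `v` only when it is present, or asserting the expected tag format before this task. Note also that this sets `openshift_version` to the non-numeric string `latest`, so any later version comparison on that fact needs to handle it.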
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index c13c5dfc9..43db3cc74 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -4,6 +4,9 @@ OS Firewall
OS Firewall manages firewalld and iptables firewall settings for a minimal use
case (Adding/Removing rules based on protocol and port number).
+Note: firewalld is not supported on Atomic Host
+https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+
Requirements
------------
@@ -14,7 +17,7 @@ Role Variables
| Name | Default | |
|---------------------------|---------|----------------------------------------|
-| os_firewall_use_firewalld | False | If false, use iptables |
+| os_firewall_use_firewalld | True | If false, use iptables |
| os_firewall_allow | [] | List of service,port mappings to allow |
| os_firewall_deny | [] | List of service, port mappings to deny |
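Review bot: the table row for `os_firewall_use_firewalld` now lists the default as True, but roles/os_firewall/defaults/main.yml in this commit computes False on Atomic Host. The note added at the top of the README says firewalld is unsupported there without saying the default changes, so the table should state the default as "True (False on Atomic Host)" or similar.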
@@ -31,6 +34,7 @@ Use iptables and open tcp ports 80 and 443:
---
- hosts: servers
vars:
+ os_firewall_use_firewalld: false
os_firewall_allow:
- service: httpd
port: 80/tcp
@@ -45,7 +49,6 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80:
---
- hosts: servers
vars:
- os_firewall_use_firewalld: true
os_firewall_allow:
- service: https
port: 443/tcp
diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml
index c870a301a..4c544122f 100644
--- a/roles/os_firewall/defaults/main.yml
+++ b/roles/os_firewall/defaults/main.yml
@@ -1,9 +1,7 @@
---
os_firewall_enabled: True
-# TODO: Upstream kubernetes only supports iptables currently
-# TODO: it might be possible to still use firewalld if we wire up the created
-# chains with the public zone (or the zone associated with the correct
-# interfaces)
-os_firewall_use_firewalld: False
+# firewalld is not supported on Atomic Host
+# https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+os_firewall_use_firewalld: "{{ False if openshift.common.is_atomic | bool else True }}"
os_firewall_allow: []
os_firewall_deny: []
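Review bot: the new default for `os_firewall_use_firewalld` reads `openshift.common.is_atomic`, which this role does not set in any of the lines shown, so the default can no longer be templated unless the `openshift` facts have been gathered first. The README examples for this role set only os_firewall variables, so standalone use would hit an undefined variable. Either guard the lookup with a fallback or document the dependency on the role that gathers those facts. Because this flips the firewall backend from iptables to firewalld for every non-Atomic host that relied on the old default, the behaviour change on existing clusters deserves an explicit mention in the upgrade notes.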
diff --git a/roles/os_firewall/tasks/main.yml b/roles/os_firewall/tasks/main.yml
index 076e5e311..20efe5b0d 100644
--- a/roles/os_firewall/tasks/main.yml
+++ b/roles/os_firewall/tasks/main.yml
@@ -1,4 +1,10 @@
---
+- name: Assert - Do not use firewalld on Atomic Host
+ assert:
+ that: not os_firewall_use_firewalld | bool
+ msg: "Firewalld is not supported on Atomic Host"
+ when: openshift.common.is_atomic | bool
+
- include: firewall/firewalld.yml
when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool
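Review bot: the new assert is gated only on `openshift.common.is_atomic | bool`, while the include directly below it is gated on `os_firewall_enabled | bool`. On an Atomic Host with `os_firewall_enabled` set to false and `os_firewall_use_firewalld` set to true, the play now fails even though the role would not have touched the firewall. Adding `os_firewall_enabled | bool` to the assert's `when` keeps the check consistent with the tasks it protects.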
diff --git a/utils/Makefile b/utils/Makefile
index 0e1cd79dd..2a37b922c 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -30,7 +30,8 @@ SHORTNAME := ooinstall
# directory of the target file ($@), kinda like `dirname`.
ASCII2MAN = a2x -D $(dir $@) -d manpage -f manpage $<
MANPAGES := docs/man/man1/atomic-openshift-installer.1
-VERSION := 1.3
+# slipped into the manpage template before a2x processing
+VERSION := 1.4
# YAMLFILES: Skipping all '/files/' folders due to conflicting yaml file definitions
YAMLFILES = $(shell find ../ -name $(VENV) -prune -o -name .tox -prune -o \( -name '*.yml' -o -name '*.yaml' \) ! -path "*/files/*" -print 2>&1)
diff --git a/utils/docs/man/man1/atomic-openshift-installer.1 b/utils/docs/man/man1/atomic-openshift-installer.1
index 072833ce8..827ce224b 100644
--- a/utils/docs/man/man1/atomic-openshift-installer.1
+++ b/utils/docs/man/man1/atomic-openshift-installer.1
@@ -2,12 +2,12 @@
.\" Title: atomic-openshift-installer
.\" Author: [see the "AUTHOR" section]
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\" Date: 10/20/2016
+.\" Date: 12/28/2016
.\" Manual: atomic-openshift-installer
-.\" Source: atomic-openshift-utils 1.3
+.\" Source: atomic-openshift-utils 1.4
.\" Language: English
.\"
-.TH "ATOMIC\-OPENSHIFT\-I" "1" "10/20/2016" "atomic\-openshift\-utils 1\&.3" "atomic\-openshift\-installer"
+.TH "ATOMIC\-OPENSHIFT\-I" "1" "12/28/2016" "atomic\-openshift\-utils 1\&.4" "atomic\-openshift\-installer"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
@@ -86,7 +86,7 @@ Show the usage help and exit\&.
.RE
.SH "COMMANDS"
.sp
-\fBatomic\-openshift\-installer\fR has three modes of operation:
+\fBatomic\-openshift\-installer\fR has four modes of operation:
.sp
.RS 4
.ie n \{\
diff --git a/utils/docs/man/man1/atomic-openshift-installer.1.asciidoc.in b/utils/docs/man/man1/atomic-openshift-installer.1.asciidoc.in
index 9b02c4d14..2917e9992 100644
--- a/utils/docs/man/man1/atomic-openshift-installer.1.asciidoc.in
+++ b/utils/docs/man/man1/atomic-openshift-installer.1.asciidoc.in
@@ -68,7 +68,7 @@ Show the usage help and exit.
COMMANDS
--------
-**atomic-openshift-installer** has three modes of operation:
+**atomic-openshift-installer** has four modes of operation:
* **install**
* **uninstall**
diff --git a/utils/src/ooinstall/cli_installer.py b/utils/src/ooinstall/cli_installer.py
index b70bd1817..0bc9aa45e 100644
--- a/utils/src/ooinstall/cli_installer.py
+++ b/utils/src/ooinstall/cli_installer.py
@@ -1124,6 +1124,20 @@ def scaleup(ctx, gen_inventory):
click.echo('Welcome to the OpenShift Enterprise 3 Scaleup utility.')
+ # Scaleup requires manual data entry. Therefore, we do not support
+ # unattended operations.
+ if unattended:
+ msg = """
+---
+
+The 'scaleup' operation does not support unattended
+functionality. Re-run the installer without the '-u' or '--unattended'
+option to continue.
+"""
+ click.echo(msg)
+ sys.exit(1)
+
+ # Resume normal scaleup workflow
print_installation_summary(installed_hosts,
oo_cfg.settings['variant_version'],
verbose=False,)
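Review bot: the added check `if unattended:` uses a name that is not among the parameters in the hunk header `def scaleup(ctx, gen_inventory):` and is not assigned in the lines shown. Please confirm it is bound earlier in the function (for example read from the click context) before this point, otherwise the check raises NameError instead of printing the message; the same applies to the `sys` import needed by `sys.exit(1)`. Two smaller points: the refusal is printed after the welcome banner, so moving the check to the top of the function would fail faster, and since this is an error path, `click.echo(msg, err=True)` would send it to stderr where wrappers checking for failures expect it.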