-rw-r--r--playbooks/provisioning/openstack/README.md53
-rw-r--r--playbooks/provisioning/openstack/post-provision-openstack.yml42
-rw-r--r--playbooks/provisioning/openstack/provision-openstack.yml48
-rw-r--r--playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml51
-rw-r--r--playbooks/provisioning/openstack/stack_params.yaml23
-rw-r--r--roles/openshift-prep/defaults/main.yml11
-rw-r--r--roles/openshift-prep/tasks/prerequisites.yml13
-rw-r--r--roles/openstack-stack/defaults/main.yml1
-rw-r--r--roles/openstack-stack/tasks/main.yml5
-rw-r--r--roles/openstack-stack/tasks/subnet_update_dns_servers.yaml8
-rw-r--r--roles/openstack-stack/templates/heat_stack.yaml.j248
11 files changed, 183 insertions, 120 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md
index df00e5507..34b548b9b 100644
--- a/playbooks/provisioning/openstack/README.md
+++ b/playbooks/provisioning/openstack/README.md
@@ -5,12 +5,19 @@ OpenStack resources (servers, networking, volumes, security groups,
etc.). The result is an environment ready for openshift-ansible.
-## Dependencies
+## Dependencies for localhost (ansible control/admin node)
* [Ansible 2.3](https://pypi.python.org/pypi/ansible)
+* [jinja2](http://jinja.pocoo.org/docs/2.9/)
* [shade](https://pypi.python.org/pypi/shade)
-* python-dns
+* python-dns / [dnspython](https://pypi.python.org/pypi/dnspython)
+* Become (sudo) is not required.
+## Dependencies for OpenStack hosted cluster nodes (servers)
+
+There are no additional dependencies for the cluster nodes. Required
+configuration steps are done by Heat given a specific user data config
+that normally should not be changed.
## What does it do
@@ -41,12 +48,27 @@ etc.). The result is an environment ready for openshift-ansible.
Pay special attention to the values in the first paragraph -- these
will depend on your OpenStack environment.
-The `env_id` and `openstack_dns_domain` will form the DNS domain all
+The `env_id` and `public_dns_domain` will form the cluster's DNS domain all
your servers will be under. With the default values, this will be
-`openshift.example.com`.
-
-`openstack_nameservers` is a list of DNS servers accessible from all
-the created Nova servers. These will be serve as your DNS forwarders.
+`openshift.example.com`. For workloads, the default subdomain is 'apps'.
+That sudomain can be set as well by the `openshift_app_domain` variable in
+the inventory.
+
+The `public_dns_nameservers` is a list of DNS servers accessible from all
+the created Nova servers. These will be serving as your DNS forwarders for
+external FQDNs that do not belong to the cluster's DNS domain and its subdomains.
+
+The `openshift_use_dnsmasq` controls either dnsmasq is deployed or not.
+By default, dnsmasq is deployed and comes as the hosts' /etc/resolv.conf file
+first nameserver entry that points to the local host instance of the dnsmasq
+daemon that in turn proxies DNS requests to the authoritative DNS server.
+When Network Manager is enabled for provisioned cluster nodes, which is
+normally the case, you should not change the defaults and always deploy dnsmasq.
+
+Note that the authoritative DNS server is configured on post provsision
+steps, and the Neutron subnet for the Heat stack is updated to point to that
+server in the end. So the provisioned servers will start using it natively
+as a default nameserver that comes from the NetworkManager and cloud-init.
`openstack_ssh_key` is a Nova keypair -- you can see your keypairs with
`openstack keypair list`.
@@ -67,11 +89,18 @@ The `openstack_num_masters`, `openstack_num_infra` and
`openstack_num_nodes` values specify the number of Master, Infra and
App nodes to create.
+The `openstack_nodes_to_remove` allows you to specify the numerical indexes
+of App nodes that should be removed; for example, ['0', '2'],
+
The `openstack_flat_secgrp`, controls Neutron security groups creation for Heat
stacks. Set it to true, if you experience issues with sec group rules
quotas. It trades security for number of rules, by sharing the same set
of firewall rules for master, node, etcd and infra nodes.
+The `required_packages` variable also provides a list of the additional
+prerequisite packages to be installed before to deploy an OpenShift cluster.
+Those are ignored though, if the `manage_packages: False`.
+
#### Security notes
Configure required `*_ingress_cidr` variables to restrict public access
@@ -83,6 +112,12 @@ nodes' ephemeral ports range.
Note, the command ``curl https://api.ipify.org`` helps fiding an external
IP address of your box (the ansible admin node).
+There is also the `manage_packages` variable (defaults to True) you
+may want to turn off in order to speed up the provisioning tasks. This may
+be the case for development environments. When turned off, the servers will
+be provisioned omitting the ``yum update`` command. This brings security
+implications though, and is not recommended for production deployments.
+
### Update the DNS names in `inventory/hosts`
The different server groups are currently grouped by the domain name,
@@ -132,8 +167,8 @@ Once it succeeds, you can install openshift by running:
ansible-playbook --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/openshift-node/network_manager.yml
ansible-playbook --become --user openshift --private-key ~/.ssh/openshift -i inventory/ openshift-ansible/playbooks/byo/config.yml
-Note, the `network_manager.yml` is only required if you're deploying OpenShift
-origin.
+Note, the `network_manager.yml` step is mandatory and is required for persisting
+the hosts' DNS configs.
## License
diff --git a/playbooks/provisioning/openstack/post-provision-openstack.yml b/playbooks/provisioning/openstack/post-provision-openstack.yml
index 918f9e065..412ccd221 100644
--- a/playbooks/provisioning/openstack/post-provision-openstack.yml
+++ b/playbooks/provisioning/openstack/post-provision-openstack.yml
@@ -1,6 +1,6 @@
---
-# Assign hostnames
-- hosts: cluster_hosts
+- name: Assign hostnames
+ hosts: cluster_hosts
gather_facts: False
become: true
pre_tasks:
@@ -8,8 +8,8 @@
roles:
- role: hostnames
-# Subscribe DNS Host to allow for configuration below
-- hosts: dns
+- name: Subscribe DNS Host to allow for configuration below
+ hosts: dns
gather_facts: False
become: true
roles:
@@ -17,15 +17,15 @@
when: hostvars.localhost.rhsm_register
tags: 'subscription-manager'
-# Determine which DNS server(s) to use for our generated records
-- hosts: localhost
+- name: Determine which DNS server(s) to use for our generated records
+ hosts: localhost
gather_facts: False
become: False
roles:
- dns-server-detect
-# Build the DNS Server Views and Configure DNS Server(s)
-- hosts: dns
+- name: Build the DNS Server Views and Configure DNS Server(s)
+ hosts: dns
gather_facts: False
become: true
pre_tasks:
@@ -35,8 +35,8 @@
roles:
- role: dns-server
-# Build and process DNS Records
-- hosts: localhost
+- name: Build and process DNS Records
+ hosts: localhost
gather_facts: False
become: False
pre_tasks:
@@ -46,18 +46,22 @@
roles:
- role: dns
-# OpenShift Pre-Requisites
-- hosts: OSEv3
+- name: Switch the stack subnet to the configured private DNS server
+ hosts: localhost
+ gather_facts: False
+ become: False
+ vars_files:
+ - stack_params.yaml
+ tasks:
+ - include_role:
+ name: openstack-stack
+ tasks_from: subnet_update_dns_servers
+
+- name: OpenShift Pre-Requisites
+ hosts: OSEv3
gather_facts: False
become: true
tasks:
- - name: "Edit /etc/resolv.conf on masters/nodes"
- lineinfile:
- state: present
- dest: /etc/resolv.conf
- regexp: "nameserver {{ hostvars['localhost'].private_dns_server }}"
- line: "nameserver {{ hostvars['localhost'].private_dns_server }}"
- insertafter: search*
- name: "Include DNS configuration to ensure proper name resolution"
lineinfile:
state: present
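Review bot: The new "Switch the stack subnet" play includes `subnet_update_dns_servers` unconditionally, whereas the same task file is only reached from roles/openstack-stack/tasks/main.yml under `when: private_dns_server is defined`; if dns-server-detect did not set that fact on localhost, the subnet is quietly rewritten with the public nameservers and, with the resolv.conf edit removed here, cluster names stop resolving on the nodes. Fail early instead, e.g. `pre_tasks:` / `- assert:` / `    that: private_dns_server is defined`. The remaining lineinfile task at the bottom of the hunk continues outside it.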
diff --git a/playbooks/provisioning/openstack/provision-openstack.yml b/playbooks/provisioning/openstack/provision-openstack.yml
index a2cf7b110..0c673af2f 100644
--- a/playbooks/provisioning/openstack/provision-openstack.yml
+++ b/playbooks/provisioning/openstack/provision-openstack.yml
@@ -2,32 +2,12 @@
- hosts: localhost
gather_facts: True
become: False
+ vars_files:
+ - stack_params.yaml
pre_tasks:
- - include: pre_tasks.yml
+ - include: pre_tasks.yml
roles:
- - role: openstack-stack
- stack_name: "{{ env_id }}.{{ public_dns_domain }}"
- dns_domain: "{{ public_dns_domain }}"
- dns_nameservers: "{{ public_dns_nameservers }}"
- subnet_prefix: "{{ openstack_subnet_prefix }}"
- ssh_public_key: "{{ openstack_ssh_public_key }}"
- openstack_image: "{{ openstack_default_image_name }}"
- lb_flavor: "{{ openstack_default_flavor | default('m1.small') }}"
- etcd_flavor: "{{ openstack_default_flavor | default('m1.small') }}"
- master_flavor: "{{ openstack_default_flavor | default('m1.medium') }}"
- node_flavor: "{{ openstack_default_flavor | default('m1.medium') }}"
- infra_flavor: "{{ openstack_default_flavor | default('m1.medium') }}"
- dns_flavor: "{{ openstack_default_flavor | default('m1.small') }}"
- external_network: "{{ openstack_external_network_name }}"
- num_etcd: "{{ openstack_num_etcd | default(0) }}"
- num_masters: "{{ openstack_num_masters }}"
- num_nodes: "{{ openstack_num_nodes }}"
- num_infra: "{{ openstack_num_infra }}"
- num_dns: "{{ openstack_num_dns | default(1) }}"
- master_volume_size: "{{ docker_volume_size }}"
- app_volume_size: "{{ docker_volume_size }}"
- infra_volume_size: "{{ docker_volume_size }}"
-
+ - role: openstack-stack
- name: Refresh Server inventory
hosts: localhost
@@ -35,17 +15,21 @@
become: False
gather_facts: False
tasks:
- - meta: refresh_inventory
+ - meta: refresh_inventory
+
+- hosts: cluster_hosts
+ name: Wait for the the nodes to come up
+ become: False
+ gather_facts: False
+ tasks:
+ - wait_for_connection:
- hosts: cluster_hosts
gather_facts: True
tasks:
- - name: Debug hostvar
- debug:
- msg: "{{ hostvars[inventory_hostname] }}"
- verbosity: 2
- - name: waiting for server to come back
- local_action: wait_for host={{ hostvars[inventory_hostname]['ansible_ssh_host'] }} port=22 delay=30 timeout=300
- become: false
+ - name: Debug hostvar
+ debug:
+ msg: "{{ hostvars[inventory_hostname] }}"
+ verbosity: 2
- include: post-provision-openstack.yml
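Review bot: `wait_for_connection:` with a bare null value leans on module defaults (presumably a 600 s timeout and no delay), which is both longer than the 300 s the removed `wait_for` task used and reads as an empty value in YAML; make it explicit, e.g. `wait_for_connection:` / `  delay: 10` / `  timeout: 300`. Because this now goes through the SSH connection plugin rather than a TCP probe of port 22, it will also fail on unknown host keys unless host key checking is handled for the freshly created servers — worth confirming the inventory or ansible.cfg covers that. The play name also has a doubled word: `Wait for the nodes to come up`.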
diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
index 047923253..7c9033828 100644
--- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
+++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml
@@ -12,46 +12,49 @@ openstack_num_masters: 1
openstack_num_infra: 1
openstack_num_nodes: 2
+# # Numerical index of nodes to remove
+# openstack_nodes_to_remove: []
+
docker_volume_size: "15"
openstack_subnet_prefix: "192.168.99"
# # Red Hat subscription
# # Using Red Hat Satellite:
-# rhsm_register: True
-# rhsm_satellite: 'sat-6.example.com'
-# rhsm_org: 'OPENSHIFT_ORG'
-# rhsm_activationkey: '<activation-key>'
+#rhsm_register: True
+#rhsm_satellite: 'sat-6.example.com'
+#rhsm_org: 'OPENSHIFT_ORG'
+#rhsm_activationkey: '<activation-key>'
# # Or using RHN username, password and optionally pool:
-# rhsm_register: True
-# rhsm_username: '<username>'
-# rhsm_password: '<password>'
-# rhsm_pool: '<pool id>'
+#rhsm_register: True
+#rhsm_username: '<username>'
+#rhsm_password: '<password>'
+#rhsm_pool: '<pool id>'
-# rhsm_repos:
-# - "rhel-7-server-rpms"
-# - "rhel-7-server-ose-3.5-rpms"
-# - "rhel-7-server-extras-rpms"
-# - "rhel-7-fast-datapath-rpms"
+#rhsm_repos:
+# - "rhel-7-server-rpms"
+# - "rhel-7-server-ose-3.5-rpms"
+# - "rhel-7-server-extras-rpms"
+# - "rhel-7-fast-datapath-rpms"
# # Roll-your-own DNS
-# openstack_num_dns: 0
-# external_nsupdate_keys:
-# public:
-# key_secret: 'SKqKNdpfk7llKxZ57bbxUnUDobaaJp9t8CjXLJPl+fRI5mPcSBuxTAyvJPa6Y9R7vUg9DwCy/6WTpgLNqnV4Hg=='
-# key_algorithm: 'hmac-md5'
-# server: '192.168.1.1'
-# private:
-# key_secret: 'kVE2bVTgZjrdJipxPhID8BEZmbHD8cExlVPR+zbFpW6la8kL5wpXiwOh8q5AAosXQI5t95UXwq3Inx8QT58duw=='
-# key_algorithm: 'hmac-md5'
-# server: '192.168.1.2'
+#openstack_num_dns: 0
+#external_nsupdate_keys:
+# public:
+# key_secret: 'SKqKNdpfk7llKxZ57bbxUnUDobaaJp9t8CjXLJPl+fRI5mPcSBuxTAyvJPa6Y9R7vUg9DwCy/6WTpgLNqnV4Hg=='
+# key_algorithm: 'hmac-md5'
+# server: '192.168.1.1'
+# private:
+# key_secret: 'kVE2bVTgZjrdJipxPhID8BEZmbHD8cExlVPR+zbFpW6la8kL5wpXiwOh8q5AAosXQI5t95UXwq3Inx8QT58duw=='
+# key_algorithm: 'hmac-md5'
+# server: '192.168.1.2'
# NOTE(shadower): Do not change this value. The Ansible user is currently
# hardcoded to `openshift`.
ansible_user: openshift
-# Use a single security group for a cluster
+# # Use a single security group for a cluster
openstack_flat_secgrp: false
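Review bot: The commented `external_nsupdate_keys` example on the new side still shows `key_algorithm: 'hmac-md5'` together with full-length base64 `key_secret` values; HMAC-MD5 TSIG is deprecated by current BIND releases, and realistic-looking secrets in a sample inventory tend to be copied verbatim. Replace them with obvious placeholders and a current algorithm, e.g. `key_secret: '<base64 TSIG secret>'` and `key_algorithm: 'hmac-sha256'`, and add a comment that these keys and `rhsm_password` belong in an ansible-vault encrypted vars file rather than plaintext group_vars. These lines are only re-indented by this commit, so this is a follow-up rather than a regression.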
diff --git a/playbooks/provisioning/openstack/stack_params.yaml b/playbooks/provisioning/openstack/stack_params.yaml
new file mode 100644
index 000000000..9c0b09b45
--- /dev/null
+++ b/playbooks/provisioning/openstack/stack_params.yaml
@@ -0,0 +1,23 @@
+---
+stack_name: "{{ env_id }}.{{ public_dns_domain }}"
+dns_domain: "{{ public_dns_domain }}"
+dns_nameservers: "{{ public_dns_nameservers }}"
+subnet_prefix: "{{ openstack_subnet_prefix }}"
+ssh_public_key: "{{ openstack_ssh_public_key }}"
+openstack_image: "{{ openstack_default_image_name }}"
+lb_flavor: "{{ openstack_default_flavor | default('m1.small') }}"
+etcd_flavor: "{{ openstack_default_flavor | default('m1.small') }}"
+master_flavor: "{{ openstack_default_flavor | default('m1.medium') }}"
+node_flavor: "{{ openstack_default_flavor | default('m1.medium') }}"
+infra_flavor: "{{ openstack_default_flavor | default('m1.medium') }}"
+dns_flavor: "{{ openstack_default_flavor | default('m1.small') }}"
+external_network: "{{ openstack_external_network_name }}"
+num_etcd: "{{ openstack_num_etcd | default(0) }}"
+num_masters: "{{ openstack_num_masters }}"
+num_nodes: "{{ openstack_num_nodes }}"
+num_infra: "{{ openstack_num_infra }}"
+num_dns: "{{ openstack_num_dns | default(1) }}"
+master_volume_size: "{{ docker_volume_size }}"
+app_volume_size: "{{ docker_volume_size }}"
+infra_volume_size: "{{ docker_volume_size }}"
+nodes_to_remove: "{{ openstack_nodes_to_remove | default([]) | to_yaml }}"
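Review bot: `nodes_to_remove` is serialised with `to_yaml`, so the role receives a string (with a trailing newline) from this file but a native list from roles/openstack-stack/defaults/main.yml, and the Heat template interpolates whichever it gets bare; both happen to render as a flow list today, but the two sources disagree on type. Pass the list through unchanged, `nodes_to_remove: "{{ openstack_nodes_to_remove | default([]) }}"`, and serialise at the point of use with `to_json`, which also avoids the Python 2 `u''` prefixes that presumably motivated `to_yaml`. A comment that the indices are strings (as the README example shows) would help, since Heat ResourceGroup members are presumably named by their string index.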
diff --git a/roles/openshift-prep/defaults/main.yml b/roles/openshift-prep/defaults/main.yml
new file mode 100644
index 000000000..fac25dcc1
--- /dev/null
+++ b/roles/openshift-prep/defaults/main.yml
@@ -0,0 +1,11 @@
+---
+# Defines either to install required packages and update all
+manage_packages: true
+required_packages:
+ - wget
+ - git
+ - net-tools
+ - bind-utils
+ - bridge-utils
+ - bash-completion
+ - vim-enhanced
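Review bot: The header comment `Defines either to install required packages and update all` does not say what each value does; the flag gates two separate things in tasks/prerequisites.yml (installing `required_packages` and a full `yum update`), and the README describes turning it off as a security trade-off. Suggest `# true: install required_packages and run a full yum update before deploying;` / `# false: skip both (faster, but leaves the image unpatched - not for production).`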
diff --git a/roles/openshift-prep/tasks/prerequisites.yml b/roles/openshift-prep/tasks/prerequisites.yml
index 60507636f..433c1c4e3 100644
--- a/roles/openshift-prep/tasks/prerequisites.yml
+++ b/roles/openshift-prep/tasks/prerequisites.yml
@@ -6,19 +6,14 @@
yum:
name: "{{ item }}"
state: latest
- with_items:
- - wget
- - git
- - net-tools
- - bind-utils
- - bridge-utils
- - bash-completion
- - vim-enhanced
+ with_items: "{{ required_packages }}"
+ when: manage_packages|bool
- name: "Update all packages (this can take a very long time)"
yum:
- name: "*"
+ name: '*'
state: latest
+ when: manage_packages|bool
- name: "Verify hostname"
shell: hostnamectl status | awk "/Static hostname/"'{ print $3 }'
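Review bot: Both tasks are gated on the same `manage_packages|bool`, so the only way to skip the slow full `yum update` is to also skip installing `required_packages`, which the README presents as the development shortcut; that nudges people towards unpatched images when they only wanted to save time. Gate the update separately, e.g. `when: manage_packages|bool and update_all_packages|default(true)|bool`, and document the new flag in defaults/main.yml. Separately, `state: latest` on the required packages upgrades them on every run; `state: present` is the conventional choice when the full-update task is the one meant to patch.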
diff --git a/roles/openstack-stack/defaults/main.yml b/roles/openstack-stack/defaults/main.yml
index 2a4ef3a45..4831d6bc4 100644
--- a/roles/openstack-stack/defaults/main.yml
+++ b/roles/openstack-stack/defaults/main.yml
@@ -9,4 +9,5 @@ num_masters: 1
num_nodes: 1
num_dns: 1
num_infra: 1
+nodes_to_remove: []
etcd_volume_size: 2
diff --git a/roles/openstack-stack/tasks/main.yml b/roles/openstack-stack/tasks/main.yml
index 71c7bbe0d..a53e6350b 100644
--- a/roles/openstack-stack/tasks/main.yml
+++ b/roles/openstack-stack/tasks/main.yml
@@ -35,6 +35,11 @@
template: "{{ stack_template_path }}"
wait: yes
+# NOTE(bogdando) OS::Neutron::Subnet doesn't support live updates for
+# dns_nameservers, so we can't do that for the "create stack" task.
+- include: subnet_update_dns_servers.yaml
+ when: private_dns_server is defined
+
- name: cleanup temp files
file:
path: "{{ stack_template_pre.path }}"
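Review bot: The new include sits between stack creation and the `cleanup temp files` task, so a failing os_subnet call leaves the rendered Heat template (`stack_template_pre.path`) behind on the control node; move the include after the cleanup task, or put creation and cleanup in a `block` with `always`. The NOTE also reads oddly next to a task named "Live update"; something like `# NOTE(bogdando) dns_nameservers cannot be changed in place through OS::Neutron::Subnet in the stack template, so it is updated via os_subnet after the stack exists` states the reason more directly — confirm that matches the original intent.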
diff --git a/roles/openstack-stack/tasks/subnet_update_dns_servers.yaml b/roles/openstack-stack/tasks/subnet_update_dns_servers.yaml
new file mode 100644
index 000000000..be4f07b97
--- /dev/null
+++ b/roles/openstack-stack/tasks/subnet_update_dns_servers.yaml
@@ -0,0 +1,8 @@
+---
+- name: Live update the subnet's DNS servers
+ os_subnet:
+ name: openshift-ansible-{{ stack_name }}-subnet
+ network_name: openshift-ansible-{{ stack_name }}-net
+ state: present
+ use_default_subnetpool: yes
+ dns_nameservers: "{{ [private_dns_server|default(public_dns_nameservers[0])]|union(public_dns_nameservers)|unique }}"
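Review bot: `dns_nameservers` falls back to `public_dns_nameservers[0]` when `private_dns_server` is undefined, so a missing detection result turns the switch to private DNS into a silent no-op instead of a failure; drop the `default(...)`, i.e. `dns_nameservers: "{{ [private_dns_server] | union(public_dns_nameservers) | unique }}"`, and assert on `private_dns_server` before the task (the other caller already guards with `when: private_dns_server is defined`). `use_default_subnetpool: yes` is not needed for an update and, should the subnet name ever fail to match, would let os_subnet create a fresh subnet from the default pool rather than error out; remove it. Prefer `true`/`false` over `yes` for YAML booleans.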
diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2
index cba03e2ca..8bf76b57c 100644
--- a/roles/openstack-stack/templates/heat_stack.yaml.j2
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2
@@ -61,18 +61,13 @@ outputs:
- dns
- name
- dns_floating_ip:
- description: Floating IP of the DNS
- value:
- get_attr:
- - dns
- - addresses
- - str_replace:
- template: openshift-ansible-cluster_id-net
- params:
- cluster_id: {{ stack_name }}
- - 1
- - addr
+ dns_floating_ips:
+ description: Floating IPs of the DNS
+ value: { get_attr: [ dns, floating_ip ] }
+
+ dns_private_ips:
+ description: Private IPs of the DNS
+ value: { get_attr: [ dns, private_ip ] }
resources:
@@ -111,9 +106,9 @@ resources:
params:
subnet_24_prefix: {{ subnet_prefix }}
dns_nameservers:
- {% for nameserver in dns_nameservers %}
+{% for nameserver in dns_nameservers %}
- {{ nameserver }}
- {% endfor %}
+{% endfor %}
router:
type: OS::Neutron::Router
@@ -152,7 +147,7 @@ resources:
cluster_id: {{ stack_name }}
description:
str_replace:
- template: Basic ssh/dns security group for cluster_id OpenShift cluster
+ template: Basic ssh/icmp security group for cluster_id OpenShift cluster
params:
cluster_id: {{ stack_name }}
rules:
@@ -162,13 +157,8 @@ resources:
port_range_max: 22
remote_ip_prefix: {{ ssh_ingress_cidr }}
- direction: ingress
- protocol: tcp
- port_range_min: 53
- port_range_max: 53
- - direction: ingress
- protocol: udp
- port_range_min: 53
- port_range_max: 53
+ protocol: icmp
+ remote_ip_prefix: {{ ssh_ingress_cidr }}
{% if openstack_flat_secgrp|bool %}
flat-secgrp:
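Review bot: The new icmp rule carries no ICMP type/code (`port_range_min`/`port_range_max`), so every ICMP type is accepted from `ssh_ingress_cidr`; if the intent is ping for reachability checks, restrict it to echo-request with `port_range_min: 8` and `port_range_max: 0`, or add a comment stating that all types are wanted (e.g. for PMTU discovery). Dropping the two port-53 rules from this shared group is a genuine tightening, since they had no `remote_ip_prefix` and Neutron defaults that to any source on every node. The description string could also name the CIDR variable the ssh/icmp rules are bound to.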
@@ -423,11 +413,6 @@ resources:
cluster_id: {{ stack_name }}
rules:
- direction: ingress
- protocol: tcp
- port_range_min: 22
- port_range_max: 22
- remote_ip_prefix: {{ ssh_ingress_cidr }}
- - direction: ingress
protocol: udp
port_range_min: 53
port_range_max: 53
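Review bot: The ssh rule moves out of dns-secgrp, but the udp/tcp 53 rules that stay behind run past the hunk, so it is not visible whether they carry a `remote_ip_prefix`; the port-53 rules deleted from common-secgrp had none. The dns host receives a floating IP and the README says it forwards queries for external names, so an unrestricted 53 rule would make it an open resolver usable for amplification; bind it to the cluster subnet, e.g. `remote_ip_prefix: {{ subnet_prefix }}.0/24`, plus whichever external CIDR genuinely needs to query it. The dns-secgrp resource starts and ends outside this hunk.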
@@ -602,6 +587,8 @@ resources:
type: OS::Heat::ResourceGroup
properties:
count: {{ num_nodes }}
+ removal_policies:
+ - resource_list: {{ nodes_to_remove }}
resource_def:
type: server.yaml
properties:
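Review bot: `resource_list: {{ nodes_to_remove }}` is interpolated bare, so it is only valid YAML if the variable happens to render as a flow list; with the role default it is a Python list repr and with stack_params it is a `to_yaml` string, and neither contract is stated. Make the rendering explicit — either pass the native list and write `resource_list: {{ nodes_to_remove | to_json }}`, or keep the serialisation in one place and comment here that the variable is already a YAML fragment. The README should also say whether `openstack_num_nodes` must be reduced alongside `openstack_nodes_to_remove`; with a Heat ResourceGroup a removal policy on an unchanged count presumably replaces the listed members with new ones rather than shrinking the group, which is easy to trip over.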
@@ -674,6 +661,12 @@ resources:
net: { get_resource: net }
subnet: { get_resource: subnet }
secgrp:
+# TODO(bogdando) filter only required node rules into infra-secgrp
+{% if openstack_flat_secgrp|bool %}
+ - { get_resource: flat-secgrp }
+{% else %}
+ - { get_resource: node-secgrp }
+{% endif %}
- { get_resource: infra-secgrp }
- { get_resource: common-secgrp }
floating_network: {{ external_network }}
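Review bot: Infra nodes now receive node-secgrp (or flat-secgrp) on top of infra-secgrp and common-secgrp, which as the TODO admits gives them every node rule rather than only the ones they need, and when `openstack_flat_secgrp` is true the list becomes redundant since the README describes flat-secgrp as the single shared rule set. Until the filtering is done, a comment naming the node-secgrp rules infra actually depends on (presumably the SDN and kubelet ports) would stop the list from growing further; the infra resource block starts and ends outside the hunk.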
@@ -715,6 +708,7 @@ resources:
subnet: { get_resource: subnet }
secgrp:
- { get_resource: dns-secgrp }
+ - { get_resource: common-secgrp }
floating_network: {{ external_network }}
net_name:
str_replace: