diff options
114 files changed, 603 insertions, 467 deletions
@@ -35,14 +35,16 @@ not practical to start over at 1.0. *** Requirements: - - Ansible >= 2.1.0 (>= 2.2 is preferred for performance reasons) + - Ansible >= 2.2.0 - Jinja >= 2.7 + - pyOpenSSL + - python-lxml *** Fedora: ``` - dnf install -y ansible pyOpenSSL python-cryptography + dnf install -y ansible pyOpenSSL python-cryptography python-lxml ``` 2. Setup for a specific cloud: diff --git a/docs/best_practices_guide.adoc b/docs/best_practices_guide.adoc index e9d904965..7f3d85d40 100644 --- a/docs/best_practices_guide.adoc +++ b/docs/best_practices_guide.adoc @@ -2,7 +2,7 @@ = openshift-ansible Best Practices Guide -The purpose of this guide is to describe the preferred patterns and best practices used in this repository (both in ansible and python). +The purpose of this guide is to describe the preferred patterns and best practices used in this repository (both in Ansible and Python). It is important to note that this repository may not currently comply with all best practices, but the intention is that it will. @@ -76,7 +76,7 @@ def add_person(first_name, last_name, age=None): === PyLint -http://www.pylint.org/[PyLint] is used in an attempt to keep the python code as clean and as manageable as possible. The build bot runs each pull request through PyLint and any warnings or errors cause the build bot to fail the pull request. +http://www.pylint.org/[PyLint] is used in an attempt to keep the Python code as clean and as manageable as possible. The build bot runs each pull request through PyLint and any warnings or errors cause the build bot to fail the pull request. ''' [[PyLint-rules-MUST-NOT-be-disabled-on-a-whole-file]] @@ -338,9 +338,9 @@ If an Ansible role requires certain variables to be set, it's best to check for [cols="2v,v"] |=== | <<Ansible-tasks-SHOULD-NOT-be-used-in-ansible-playbooks-Instead-use-pre_tasks-and-post_tasks, Rule>> -| Ansible tasks SHOULD NOT be used in ansible playbooks. Instead, use pre_tasks and post_tasks. +| Ansible tasks SHOULD NOT be used in Ansible playbooks. Instead, use pre_tasks and post_tasks. |=== -An Ansible play is defined as a Yaml dictionary. Because of that, ansible doesn't know if the play's tasks list or roles list was specified first. Therefore Ansible always runs tasks after roles. +An Ansible play is defined as a Yaml dictionary. Because of that, Ansible doesn't know if the play's tasks list or roles list was specified first. Therefore Ansible always runs tasks after roles. This can be quite confusing if the tasks list is defined in the playbook before the roles list because people assume in order execution in Ansible. @@ -484,31 +484,23 @@ If you want to use default with variables that evaluate to false you have to set ---- -In other words, normally the `default` filter will only replace the value if it's undefined. By setting the second parameter to `true`, it will also replace the value if it defaults to a false value in python, so None, empty list, empty string, etc. +In other words, normally the `default` filter will only replace the value if it's undefined. By setting the second parameter to `true`, it will also replace the value if it defaults to a false value in Python, so None, empty list, empty string, etc. This is almost always more desirable than an empty list, string, etc. === Yum and DNF ''' -[[Package-installation-MUST-use-ansible-action-module-to-abstract-away-dnf-yum]] +[[Package-installation-MUST-use-ansible-package-module-to-abstract-away-dnf-yum]] [cols="2v,v"] |=== -| <<Package-installation-MUST-use-ansible-action-module-to-abstract-away-dnf-yum, Rule>> -| Package installation MUST use ansible action module to abstract away dnf/yum. +| <<Package-installation-MUST-use-ansible-package-module-to-abstract-away-dnf-yum, Rule>> +| Package installation MUST use Ansible `package` module to abstract away dnf/yum. |=== -[[Package-installation-MUST-use-name-and-state-present-rather-than-pkg-and-state-installed-respectively]] -[cols="2v,v"] -|=== -| <<Package-installation-MUST-use-name-and-state-present-rather-than-pkg-and-state-installed-respectively, Rule>> -| Package installation MUST use name= and state=present rather than pkg= and state=installed respectively. -|=== +The Ansible `package` module calls the associated package manager for the underlying OS. -This is done primarily because if you're registering the result of the -installation and you have two conditional tasks based on whether or not yum or -dnf are in use you'll end up inadvertently overwriting the value. It also -reduces duplication. name= and state=present are common between dnf and yum -modules. +.Reference +* https://docs.ansible.com/ansible/package_module.html[Ansible package module] .Bad: [source,yaml] @@ -516,12 +508,12 @@ modules. --- # tasks.yml - name: Install etcd (for etcdctl) - yum: name=etcd state=latest" + yum: name=etcd state=latest when: "ansible_pkg_mgr == yum" register: install_result - name: Install etcd (for etcdctl) - dnf: name=etcd state=latest" + dnf: name=etcd state=latest when: "ansible_pkg_mgr == dnf" register: install_result ---- @@ -533,6 +525,6 @@ modules. --- # tasks.yml - name: Install etcd (for etcdctl) - action: "{{ ansible_pkg_mgr }} name=etcd state=latest" + package: name=etcd state=latest register: install_result - ---- +---- diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index 38bc3ad6b..997634777 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py @@ -10,7 +10,14 @@ from collections import Mapping from distutils.util import strtobool from distutils.version import LooseVersion from operator import itemgetter -import OpenSSL.crypto + +HAS_OPENSSL=False +try: + import OpenSSL.crypto + HAS_OPENSSL=True +except ImportError: + pass + import os import pdb import pkg_resources @@ -516,6 +523,9 @@ class FilterModule(object): if not isinstance(internal_hostnames, list): raise errors.AnsibleFilterError("|failed expects internal_hostnames is list") + if not HAS_OPENSSL: + raise errors.AnsibleFilterError("|missing OpenSSL python bindings") + for certificate in certificates: if 'names' in certificate.keys(): continue diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index e769537f9..324e2477f 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example @@ -619,6 +619,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # masterConfig.volumeConfig.dynamicProvisioningEnabled, configurable as of 1.2/3.2, enabled by default #openshift_master_dynamic_provisioning_enabled=False +# Admission plugin config +#openshift_master_admission_plugin_config={"ProjectRequestLimit":{"configuration":{"apiVersion":"v1","kind":"ProjectRequestLimitConfig","limits":[{"selector":{"admin":"true"}},{"maxProjects":"1"}]}},"PodNodeConstraints":{"configuration":{"apiVersion":"v1","kind":"PodNodeConstraintsConfig"}}} + # Configure usage of openshift_clock role. #openshift_clock_enabled=true @@ -634,6 +637,10 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # Enable API service auditing, available as of 1.3 #openshift_master_audit_config={"basicAuditEnabled": true} +# Enable origin repos that point at Centos PAAS SIG, defaults to true, only used +# by deployment_type=origin +#openshift_enable_origin_repo=false + # host group for masters [masters] ose3-master[1:3]-ansible.test.example.com diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index be919c105..4a2925599 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -619,6 +619,9 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', # masterConfig.volumeConfig.dynamicProvisioningEnabled, configurable as of 1.2/3.2, enabled by default #openshift_master_dynamic_provisioning_enabled=False +# Admission plugin config +#openshift_master_admission_plugin_config={"ProjectRequestLimit":{"configuration":{"apiVersion":"v1","kind":"ProjectRequestLimitConfig","limits":[{"selector":{"admin":"true"}},{"maxProjects":"1"}]}},"PodNodeConstraints":{"configuration":{"apiVersion":"v1","kind":"PodNodeConstraintsConfig"}}} + # Configure usage of openshift_clock role. #openshift_clock_enabled=true diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml index 4ea639cbe..be1070f73 100644 --- a/playbooks/adhoc/uninstall.yml +++ b/playbooks/adhoc/uninstall.yml @@ -84,7 +84,7 @@ - firewalld - name: Remove packages - action: "{{ ansible_pkg_mgr }} name={{ item }} state=absent" + package: name={{ item }} state=absent when: not is_atomic | bool with_items: - atomic-enterprise @@ -114,7 +114,7 @@ - tuned-profiles-origin-node - name: Remove flannel package - action: "{{ ansible_pkg_mgr }} name=flannel state=absent" + package: name=flannel state=absent when: openshift_use_flannel | default(false) | bool and not is_atomic | bool - shell: systemctl reset-failed @@ -247,7 +247,7 @@ - atomic-openshift-master - name: Remove packages - action: "{{ ansible_pkg_mgr }} name={{ item }} state=absent" + package: name={{ item }} state=absent when: not is_atomic | bool with_items: - atomic-enterprise @@ -349,7 +349,7 @@ failed_when: false - name: Remove packages - action: "{{ ansible_pkg_mgr }} name={{ item }} state=absent" + package: name={{ item }} state=absent when: not is_atomic | bool with_items: - etcd @@ -388,7 +388,7 @@ - firewalld - name: Remove packages - action: "{{ ansible_pkg_mgr }} name={{ item }} state=absent" + package: name={{ item }} state=absent when: not is_atomic | bool with_items: - haproxy diff --git a/playbooks/byo/openshift-node/network_manager.yml b/playbooks/byo/openshift-node/network_manager.yml new file mode 100644 index 000000000..8c810096f --- /dev/null +++ b/playbooks/byo/openshift-node/network_manager.yml @@ -0,0 +1,36 @@ +--- +- hosts: localhost + connection: local + become: no + gather_facts: no + tasks: + - include_vars: ../../byo/openshift-cluster/cluster_hosts.yml + - add_host: + name: "{{ item }}" + groups: l_oo_all_hosts + with_items: "{{ g_all_hosts }}" + +- hosts: l_oo_all_hosts + become: yes + tasks: + - name: install NetworkManager + package: + name: 'NetworkManager' + state: present + + - name: configure NetworkManager + lineinfile: + dest: "/etc/sysconfig/network-scripts/ifcfg-{{ ansible_default_ipv4['interface'] }}" + regexp: '^{{ item }}=' + line: '{{ item }}=yes' + state: present + create: yes + with_items: + - 'USE_PEERDNS' + - 'NM_CONTROLLED' + + - name: enable and start NetworkManager + service: + name: 'NetworkManager' + state: started + enabled: yes
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/initialize_facts.yml b/playbooks/common/openshift-cluster/initialize_facts.yml index 6d83d2527..18f99728c 100644 --- a/playbooks/common/openshift-cluster/initialize_facts.yml +++ b/playbooks/common/openshift-cluster/initialize_facts.yml @@ -1,7 +1,11 @@ --- +- name: Ensure that all non-node hosts are accessible + hosts: oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config:oo_nfs_to_config + any_errors_fatal: true + tasks: + - name: Initialize host facts hosts: oo_all_hosts - any_errors_fatal: true roles: - openshift_facts tasks: diff --git a/playbooks/common/openshift-cluster/initialize_openshift_version.yml b/playbooks/common/openshift-cluster/initialize_openshift_version.yml index 2f384ddea..a1bd1bd92 100644 --- a/playbooks/common/openshift-cluster/initialize_openshift_version.yml +++ b/playbooks/common/openshift-cluster/initialize_openshift_version.yml @@ -12,9 +12,10 @@ {{ repoquery_cmd }} --installed --qf '%{version}' "yum" register: yum_ver_test changed_when: false + when: not openshift.common.is_atomic | bool - fail: msg: Incompatible versions of yum and subscription-manager found. You may need to update yum and yum-utils. - when: "'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout" + when: "not openshift.common.is_atomic | bool and 'Plugin \"search-disabled-repos\" requires API 2.7. Supported API is 2.6.' in yum_ver_test.stdout" - name: Determine openshift_version to configure on first master hosts: oo_first_master diff --git a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml index 417096dd0..5d753447c 100644 --- a/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/docker/upgrade.yml @@ -35,7 +35,7 @@ - service: name=docker state=stopped - name: Upgrade Docker - action: "{{ ansible_pkg_mgr }} name=docker{{ '-' + docker_version }} state=present" + package: name=docker{{ '-' + docker_version }} state=present - service: name=docker state=started diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml index 57b156b1c..b7f0267c1 100644 --- a/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml +++ b/playbooks/common/openshift-cluster/upgrades/etcd/backup.yml @@ -1,7 +1,7 @@ - name: Backup etcd hosts: etcd_hosts_to_backup vars: - embedded_etcd: "{{ hostvars[groups.oo_first_master.0].openshift.master.embedded_etcd }}" + embedded_etcd: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}" timestamp: "{{ lookup('pipe', 'date +%Y%m%d%H%M%S') }}" roles: - openshift_facts @@ -42,7 +42,7 @@ when: (embedded_etcd | bool) and (etcd_disk_usage.stdout|int > avail_disk.stdout|int) - name: Install etcd (for etcdctl) - action: "{{ ansible_pkg_mgr }} name=etcd state=present" + package: name=etcd state=present when: not openshift.common.is_atomic | bool - name: Generate etcd backup diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/containerized_tasks.yml b/playbooks/common/openshift-cluster/upgrades/etcd/containerized_tasks.yml index 35f391f8c..f88981a0b 100644 --- a/playbooks/common/openshift-cluster/upgrades/etcd/containerized_tasks.yml +++ b/playbooks/common/openshift-cluster/upgrades/etcd/containerized_tasks.yml @@ -30,7 +30,7 @@ ## will fail on atomic host. We need to revisit how to do etcd backups there as ## the container may be newer than etcdctl on the host. Assumes etcd3 obsoletes etcd (7.3.1) - name: Upgrade etcd for etcdctl when not atomic - action: "{{ ansible_pkg_mgr }} name=etcd ensure=latest" + package: name=etcd state=latest when: not openshift.common.is_atomic | bool - name: Verify cluster is healthy diff --git a/playbooks/common/openshift-cluster/upgrades/etcd/main.yml b/playbooks/common/openshift-cluster/upgrades/etcd/main.yml index cce844403..192799376 100644 --- a/playbooks/common/openshift-cluster/upgrades/etcd/main.yml +++ b/playbooks/common/openshift-cluster/upgrades/etcd/main.yml @@ -14,6 +14,9 @@ connection: local become: no tasks: + - fail: + msg: 'The etcd upgrade playbook does not support upgrading embedded etcd, simply run the normal playbooks and etcd will be upgraded when your master is updated.' + when: "{{ groups.oo_etcd_to_config | default([]) | length == 0 }}" - name: Evaluate etcd_hosts_to_upgrade add_host: name: "{{ item }}" diff --git a/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml index cd1139b29..d7d1fe548 100644 --- a/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/rpm_upgrade.yml @@ -1,9 +1,10 @@ +--- # We verified latest rpm available is suitable, so just yum update. - name: Upgrade packages - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-{{ component }}{{ openshift_pkg_version }} state=present" + package: "name={{ openshift.common.service_type }}-{{ component }}{{ openshift_pkg_version }} state=present" - name: Ensure python-yaml present for config upgrade - action: "{{ ansible_pkg_mgr }} name=PyYAML state=present" + package: name=PyYAML state=present when: not openshift.common.is_atomic | bool - name: Restart node service diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml index 1f314c854..53d670196 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_nodes.yml @@ -17,7 +17,7 @@ # we merge upgrade functionality into the base roles and a normal config.yml playbook run. - name: Determine if node is currently scheduleable command: > - {{ openshift.common.client_binary }} get node {{ openshift.node.nodename | lower }} -o json + {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} get node {{ openshift.node.nodename | lower }} -o json register: node_output delegate_to: "{{ groups.oo_first_master.0 }}" changed_when: false @@ -29,7 +29,7 @@ - name: Mark unschedulable if host is a node command: > - {{ openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --schedulable=false + {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --schedulable=false delegate_to: "{{ groups.oo_first_master.0 }}" when: inventory_hostname in groups.oo_nodes_to_upgrade # NOTE: There is a transient "object has been modified" error here, allow a couple @@ -41,7 +41,7 @@ - name: Evacuate Node for Kubelet upgrade command: > - {{ openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --evacuate --force + {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --evacuate --force delegate_to: "{{ groups.oo_first_master.0 }}" when: inventory_hostname in groups.oo_nodes_to_upgrade tasks: @@ -64,7 +64,7 @@ - name: Set node schedulability command: > - {{ openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --schedulable=true + {{ hostvars[groups.oo_first_master.0].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename | lower }} --schedulable=true delegate_to: "{{ groups.oo_first_master.0 }}" when: inventory_hostname in groups.oo_nodes_to_upgrade and was_schedulable | bool register: node_sched diff --git a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml index 684eea343..8c0bd272c 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_3/master_config_upgrade.yml @@ -48,3 +48,18 @@ dest: "{{ openshift.common.config_base}}/master/master-config.yaml" yaml_key: 'controllerConfig.servicesServingCert.signer.keyFile' yaml_value: service-signer.key + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'admissionConfig.pluginConfig' + yaml_value: "{{ openshift.master.admission_plugin_config }}" + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'admissionConfig.pluginOrderOverride' + yaml_value: + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'kubernetesMasterConfig.admissionConfig' + yaml_value: diff --git a/playbooks/common/openshift-cluster/upgrades/v3_4/master_config_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_4/master_config_upgrade.yml new file mode 100644 index 000000000..32de9d94a --- /dev/null +++ b/playbooks/common/openshift-cluster/upgrades/v3_4/master_config_upgrade.yml @@ -0,0 +1,15 @@ +--- +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'admissionConfig.pluginConfig' + yaml_value: "{{ openshift.master.admission_plugin_config }}" + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'admissionConfig.pluginOrderOverride' + yaml_value: + +- modify_yaml: + dest: "{{ openshift.common.config_base}}/master/master-config.yaml" + yaml_key: 'kubernetesMasterConfig.admissionConfig' + yaml_value: diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml index 4824eeef3..e28da5713 100644 --- a/playbooks/common/openshift-node/config.yml +++ b/playbooks/common/openshift-node/config.yml @@ -139,6 +139,8 @@ - role: nuage_node when: openshift.common.use_nuage | bool - role: nickhammond.logrotate + - role: openshift_manage_node + openshift_master_host: "{{ groups.oo_first_master.0 }}" tasks: - name: Create group for deployment type group_by: key=oo_nodes_deployment_type_{{ openshift.common.deployment_type }} @@ -152,35 +154,3 @@ tasks: - file: name={{ mktemp.stdout }} state=absent changed_when: False - -- name: Set node schedulability - hosts: oo_first_master - vars: - openshift_nodes: "{{ groups.oo_nodes_to_config | default([]) }}" - pre_tasks: - # Necessary because when you're on a node that's also a master the master will be - # restarted after the node restarts docker and it will take up to 60 seconds for - # systemd to start the master again - - name: Wait for master API to become available before proceeding - # Using curl here since the uri module requires python-httplib2 and - # wait_for port doesn't provide health information. - command: > - curl --silent --tlsv1.2 - {% if openshift.common.version_gte_3_2_or_1_2 | bool %} - --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt - {% else %} - --cacert {{ openshift.common.config_base }}/master/ca.crt - {% endif %} - {{ openshift.master.api_url }}/healthz/ready - args: - # Disables the following warning: - # Consider using get_url or uri module rather than running curl - warn: no - register: api_available_output - until: api_available_output.stdout == 'ok' - retries: 120 - delay: 1 - changed_when: false - when: openshift.common.is_containerized | bool - roles: - - openshift_manage_node diff --git a/playbooks/gce/openshift-cluster/tasks/launch_instances.yml b/playbooks/gce/openshift-cluster/tasks/launch_instances.yml index b7604580c..87b30aee4 100644 --- a/playbooks/gce/openshift-cluster/tasks/launch_instances.yml +++ b/playbooks/gce/openshift-cluster/tasks/launch_instances.yml @@ -13,7 +13,7 @@ # unsupported in 1.9.+ #service_account_permissions: "datastore,logging-write" tags: - - created-by-{{ lookup('env', 'LOGNAME') |default(cluster, true) }} + - created-by-{{ lookup('env', 'LOGNAME') | regex_replace('[^a-z0-9]+', '') | default(cluster, true) }} - environment-{{ cluster_env }} - clusterid-{{ cluster_id }} - host-type-{{ type }} diff --git a/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml b/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml index e0afc43ba..31a13aa2a 100644 --- a/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml +++ b/playbooks/libvirt/openshift-cluster/tasks/launch_instances.yml @@ -116,6 +116,7 @@ ansible_become: "{{ deployment_vars[deployment_type].become }}" groups: "tag_environment-{{ cluster_env }}, tag_host-type-{{ type }}, tag_sub-host-type-{{ g_sub_host_type }}, tag_clusterid-{{ cluster_id }}" openshift_node_labels: "{{ node_label }}" + libvirt_ip_address: "{{ item.1 }}" with_together: - '{{ instances }}' - '{{ ips }}' diff --git a/playbooks/openstack/openshift-cluster/launch.yml b/playbooks/openstack/openshift-cluster/launch.yml index 7e037f2af..f460b14c8 100644 --- a/playbooks/openstack/openshift-cluster/launch.yml +++ b/playbooks/openstack/openshift-cluster/launch.yml @@ -107,6 +107,9 @@ groups: 'meta-environment_{{ cluster_env }}, meta-host-type_etcd, meta-sub-host-type_default, meta-clusterid_{{ cluster_id }}' openshift_node_labels: type: "etcd" + openstack: + public_v4: '{{ item[2] }}' + private_v4: '{{ item[1] }}' with_together: - '{{ parsed_outputs.etcd_names }}' - '{{ parsed_outputs.etcd_ips }}' @@ -121,6 +124,9 @@ groups: 'meta-environment_{{ cluster_env }}, meta-host-type_master, meta-sub-host-type_default, meta-clusterid_{{ cluster_id }}' openshift_node_labels: type: "master" + openstack: + public_v4: '{{ item[2] }}' + private_v4: '{{ item[1] }}' with_together: - '{{ parsed_outputs.master_names }}' - '{{ parsed_outputs.master_ips }}' @@ -135,6 +141,9 @@ groups: 'meta-environment_{{ cluster_env }}, meta-host-type_node, meta-sub-host-type_compute, meta-clusterid_{{ cluster_id }}' openshift_node_labels: type: "compute" + openstack: + public_v4: '{{ item[2] }}' + private_v4: '{{ item[1] }}' with_together: - '{{ parsed_outputs.node_names }}' - '{{ parsed_outputs.node_ips }}' @@ -149,6 +158,9 @@ groups: 'meta-environment_{{ cluster_env }}, meta-host-type_node, meta-sub-host-type_infra, meta-clusterid_{{ cluster_id }}' openshift_node_labels: type: "infra" + openstack: + public_v4: '{{ item[2] }}' + private_v4: '{{ item[1] }}' with_together: - '{{ parsed_outputs.infra_names }}' - '{{ parsed_outputs.infra_ips }}' diff --git a/roles/cockpit/meta/main.yml b/roles/cockpit/meta/main.yml index 43047902d..0f507e75e 100644 --- a/roles/cockpit/meta/main.yml +++ b/roles/cockpit/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: Deploy and Enable cockpit-ws plus optional plugins company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/cockpit/tasks/main.yml b/roles/cockpit/tasks/main.yml index 681029332..bddad778f 100644 --- a/roles/cockpit/tasks/main.yml +++ b/roles/cockpit/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install cockpit-ws - action: "{{ ansible_pkg_mgr }} name={{ item }} state=present" + package: name={{ item }} state=present with_items: - cockpit-ws - cockpit-shell @@ -10,7 +10,7 @@ when: not openshift.common.is_containerized | bool - name: Enable cockpit-ws - service: + systemd: name: cockpit.socket enabled: true state: started diff --git a/roles/dns/README.md b/roles/dns/README.md index 7e0140772..9a88ce97c 100644 --- a/roles/dns/README.md +++ b/roles/dns/README.md @@ -6,7 +6,7 @@ Configure a DNS server serving IPs of all the nodes of the cluster Requirements ------------ -None +Ansible 2.2 Role Variables -------------- diff --git a/roles/dns/handlers/main.yml b/roles/dns/handlers/main.yml index ef101785e..61fd7a10e 100644 --- a/roles/dns/handlers/main.yml +++ b/roles/dns/handlers/main.yml @@ -1,4 +1,5 @@ +--- - name: restart bind - service: + systemd: name: named state: restarted diff --git a/roles/dns/meta/main.yml b/roles/dns/meta/main.yml index 048274c49..64d56114e 100644 --- a/roles/dns/meta/main.yml +++ b/roles/dns/meta/main.yml @@ -4,5 +4,6 @@ galaxy_info: description: Deploy and configure a DNS server company: Amadeus SAS license: ASL 2.0 + min_ansible_version: 2.2 dependencies: - { role: openshift_facts } diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml index 57a7e6269..c5ab53b4d 100644 --- a/roles/dns/tasks/main.yml +++ b/roles/dns/tasks/main.yml @@ -1,5 +1,6 @@ +--- - name: Install Bind - action: "{{ ansible_pkg_mgr }} name=bind" + package: name=bind state=present when: not openshift.common.is_containerized | bool - name: Create docker build dir @@ -10,7 +11,6 @@ template: dest: "/tmp/dockerbuild/Dockerfile" src: Dockerfile - register: install_result when: openshift.common.is_containerized | bool - name: Build Bind image @@ -21,13 +21,8 @@ template: dest: "/etc/systemd/system/named.service" src: named.service.j2 - register: install_result when: openshift.common.is_containerized | bool -- name: reload systemd - command: /usr/bin/systemctl --system daemon-reload - when: openshift.common.is_containerized | bool and install_result | changed - - name: Create bind zone dir file: path=/var/named state=directory when: openshift.common.is_containerized | bool @@ -44,7 +39,8 @@ notify: restart bind - name: Enable Bind - service: + systemd: name: named state: started enabled: yes + daemon_reload: yes diff --git a/roles/docker/README.md b/roles/docker/README.md index 1f0d94da0..ea06fd41a 100644 --- a/roles/docker/README.md +++ b/roles/docker/README.md @@ -6,7 +6,7 @@ Ensures docker package is installed, and optionally raises timeout for systemd-u Requirements ------------ -None +Ansible 2.2 Role Variables -------------- diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index aff905bc8..9ccb306fc 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -1,12 +1,13 @@ --- - name: restart docker - service: + systemd: name: docker state: restarted when: not docker_service_status_changed | default(false) | bool - name: restart udev - service: + systemd: name: systemd-udevd state: restarted + daemon_reload: yes diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml index 3d362158d..c5c95c0d2 100644 --- a/roles/docker/meta/main.yml +++ b/roles/docker/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: docker package install company: Red Hat, Inc license: ASL 2.0 - min_ansible_version: 1.2 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 9b7ef0830..a2b18baa1 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -40,7 +40,7 @@ # Make sure Docker is installed, but does not update a running version. # Docker upgrades are handled by a separate playbook. - name: Install Docker - action: "{{ ansible_pkg_mgr }} name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present" + package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present when: not openshift.common.is_atomic | bool - name: Ensure docker.service.d directory exists diff --git a/roles/docker/tasks/udev_workaround.yml b/roles/docker/tasks/udev_workaround.yml index aa7af0cb3..257c3123d 100644 --- a/roles/docker/tasks/udev_workaround.yml +++ b/roles/docker/tasks/udev_workaround.yml @@ -21,10 +21,4 @@ owner: root mode: "0644" notify: - - restart udev - register: udevw_override_conf - -- name: reload systemd config files - command: systemctl daemon-reload - when: udevw_override_conf | changed - + - restart udev diff --git a/roles/etcd/README.md b/roles/etcd/README.md index 329a926c0..c936dbabc 100644 --- a/roles/etcd/README.md +++ b/roles/etcd/README.md @@ -6,7 +6,8 @@ Configures an etcd cluster for an arbitrary number of hosts Requirements ------------ -This role assumes it's being deployed on a RHEL/Fedora based host with package +* Ansible 2.2 +* This role assumes it's being deployed on a RHEL/Fedora based host with package named 'etcd' available via yum or dnf (conditionally). Role Variables diff --git a/roles/etcd/handlers/main.yml b/roles/etcd/handlers/main.yml index e00e1cac4..95076b19e 100644 --- a/roles/etcd/handlers/main.yml +++ b/roles/etcd/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart etcd - service: name={{ etcd_service }} state=restarted + systemd: name={{ etcd_service }} state=restarted when: not (etcd_service_status_changed | default(false) | bool) diff --git a/roles/etcd/meta/main.yml b/roles/etcd/meta/main.yml index cfd72dfbc..532f9e313 100644 --- a/roles/etcd/meta/main.yml +++ b/roles/etcd/meta/main.yml @@ -7,7 +7,7 @@ galaxy_info: description: etcd management company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 2.1 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/etcd/tasks/etcdctl.yml b/roles/etcd/tasks/etcdctl.yml index 32c176449..bb6fabf64 100644 --- a/roles/etcd/tasks/etcdctl.yml +++ b/roles/etcd/tasks/etcdctl.yml @@ -1,5 +1,6 @@ +--- - name: Install etcd for etcdctl - action: "{{ ansible_pkg_mgr }} name=etcd state=present" + package: name=etcd state=present when: not openshift.common.is_atomic | bool - name: Configure etcd profile.d alises diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 790eb3c5a..41f25be70 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -7,7 +7,7 @@ etcd_ip: "{{ etcd_ip }}" - name: Install etcd - action: "{{ ansible_pkg_mgr }} name=etcd state=present" + package: name=etcd state=present when: not etcd_is_containerized | bool - name: Pull etcd container @@ -20,36 +20,25 @@ template: dest: "/etc/systemd/system/etcd_container.service" src: etcd.docker.service - register: install_etcd_result when: etcd_is_containerized | bool -- name: Ensure etcd datadir exists - when: etcd_is_containerized | bool +- name: Ensure etcd datadir exists when containerized file: path: "{{ etcd_data_dir }}" state: directory mode: 0700 - -- name: Check for etcd service presence - command: systemctl show etcd.service - register: etcd_show - changed_when: false - failed_when: false + when: etcd_is_containerized | bool - name: Disable system etcd when containerized - when: etcd_is_containerized | bool and etcd_show.rc == 0 and 'LoadState=not-found' not in etcd_show.stdout - service: + systemd: name: etcd state: stopped enabled: no - -- name: Mask system etcd when containerized - when: etcd_is_containerized | bool and etcd_show.rc == 0 and 'LoadState=not-found' not in etcd_show.stdout - command: systemctl mask etcd - -- name: Reload systemd units - command: systemctl daemon-reload - when: etcd_is_containerized | bool and ( install_etcd_result | changed ) + masked: yes + daemon_reload: yes + when: etcd_is_containerized | bool + register: task_result + failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" - name: Validate permissions on the config dir file: @@ -68,7 +57,7 @@ - restart etcd - name: Enable etcd - service: + systemd: name: "{{ etcd_service }}" state: started enabled: yes @@ -77,5 +66,6 @@ - include: etcdctl.yml when: openshift_etcd_etcdctl_profile | default(true) | bool -- set_fact: +- name: Set fact etcd_service_status_changed + set_fact: etcd_service_status_changed: "{{ start_result | changed }}" diff --git a/roles/etcd/templates/etcd.docker.service b/roles/etcd/templates/etcd.docker.service index cf957ede8..ae059b549 100644 --- a/roles/etcd/templates/etcd.docker.service +++ b/roles/etcd/templates/etcd.docker.service @@ -7,7 +7,7 @@ PartOf=docker.service [Service] EnvironmentFile=/etc/etcd/etcd.conf ExecStartPre=-/usr/bin/docker rm -f {{ etcd_service }} -ExecStart=/usr/bin/docker run --name {{ etcd_service }} --rm -v /var/lib/etcd:/var/lib/etcd:z -v /etc/etcd:/etc/etcd:z --env-file=/etc/etcd/etcd.conf --net=host --entrypoint=/usr/bin/etcd {{ openshift.etcd.etcd_image }} +ExecStart=/usr/bin/docker run --name {{ etcd_service }} --rm -v /var/lib/etcd:/var/lib/etcd:z -v /etc/etcd:/etc/etcd:ro --env-file=/etc/etcd/etcd.conf --net=host --entrypoint=/usr/bin/etcd {{ openshift.etcd.etcd_image }} ExecStop=/usr/bin/docker stop {{ etcd_service }} SyslogIdentifier=etcd_container Restart=always diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml index 4e68bc962..c4d5efa14 100644 --- a/roles/etcd_ca/tasks/main.yml +++ b/roles/etcd_ca/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install openssl - action: "{{ ansible_pkg_mgr }} name=openssl state=present" + package: name=openssl state=present when: not etcd_is_atomic | bool delegate_to: "{{ etcd_ca_host }}" run_once: true diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml index d66a0a7bf..b0fd117ed 100644 --- a/roles/etcd_server_certificates/tasks/main.yml +++ b/roles/etcd_server_certificates/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install etcd - action: "{{ ansible_pkg_mgr }} name=etcd state=present" + package: name=etcd state=present when: not etcd_is_containerized | bool - name: Check status of etcd certificates diff --git a/roles/flannel/README.md b/roles/flannel/README.md index 84e2c5c49..0c7347603 100644 --- a/roles/flannel/README.md +++ b/roles/flannel/README.md @@ -6,7 +6,8 @@ Configure flannel on openshift nodes Requirements ------------ -This role assumes it's being deployed on a RHEL/Fedora based host with package +* Ansible 2.2 +* This role assumes it's being deployed on a RHEL/Fedora based host with package named 'flannel' available via yum or dnf (conditionally), in version superior to 0.3. diff --git a/roles/flannel/handlers/main.yml b/roles/flannel/handlers/main.yml index 981ea5c7a..94d1d18fb 100644 --- a/roles/flannel/handlers/main.yml +++ b/roles/flannel/handlers/main.yml @@ -1,8 +1,8 @@ --- - name: restart flanneld become: yes - service: name=flanneld state=restarted + systemd: name=flanneld state=restarted - name: restart docker become: yes - service: name=docker state=restarted + systemd: name=docker state=restarted diff --git a/roles/flannel/meta/main.yml b/roles/flannel/meta/main.yml index 616ae61d2..35f825586 100644 --- a/roles/flannel/meta/main.yml +++ b/roles/flannel/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: flannel management company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 2.1 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/flannel/tasks/main.yml b/roles/flannel/tasks/main.yml index bf400cfe8..3a8945a82 100644 --- a/roles/flannel/tasks/main.yml +++ b/roles/flannel/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install flannel become: yes - action: "{{ ansible_pkg_mgr }} name=flannel state=present" + package: name=flannel state=present when: not openshift.common.is_atomic | bool - name: Set flannel etcd options @@ -27,7 +27,7 @@ - name: Enable flanneld become: yes - service: + systemd: name: flanneld state: started enabled: yes diff --git a/roles/kube_nfs_volumes/README.md b/roles/kube_nfs_volumes/README.md index dd91ad8b1..8cf7c0cd4 100644 --- a/roles/kube_nfs_volumes/README.md +++ b/roles/kube_nfs_volumes/README.md @@ -11,8 +11,8 @@ system) on the disks! ## Requirements +* Ansible 2.2 * Running Kubernetes with NFS persistent volume support (on a remote machine). - * Works only on RHEL/Fedora-like distros. ## Role Variables diff --git a/roles/kube_nfs_volumes/handlers/main.yml b/roles/kube_nfs_volumes/handlers/main.yml index 52f3ceffe..9ce8b783d 100644 --- a/roles/kube_nfs_volumes/handlers/main.yml +++ b/roles/kube_nfs_volumes/handlers/main.yml @@ -1,3 +1,3 @@ --- - name: restart nfs - service: name=nfs-server state=restarted + systemd: name=nfs-server state=restarted diff --git a/roles/kube_nfs_volumes/meta/main.yml b/roles/kube_nfs_volumes/meta/main.yml index dc4ccdfee..be6ca6b88 100644 --- a/roles/kube_nfs_volumes/meta/main.yml +++ b/roles/kube_nfs_volumes/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: Partition disks and use them as Kubernetes NFS physical volumes. company: Red Hat, Inc. license: license (Apache) - min_ansible_version: 1.4 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/kube_nfs_volumes/tasks/main.yml b/roles/kube_nfs_volumes/tasks/main.yml index 5eff30f6f..67f709c8c 100644 --- a/roles/kube_nfs_volumes/tasks/main.yml +++ b/roles/kube_nfs_volumes/tasks/main.yml @@ -4,7 +4,10 @@ when: openshift.common.is_atomic | bool - name: Install pyparted (RedHat/Fedora) - action: "{{ ansible_pkg_mgr }} name=pyparted,python-httplib2 state=present" + package: name={{ item }} state=present + with_items: + - pyparted + - python-httplib2 when: not openshift.common.is_containerized | bool - name: partition the drives diff --git a/roles/kube_nfs_volumes/tasks/nfs.yml b/roles/kube_nfs_volumes/tasks/nfs.yml index 474ec69e5..9eeff9260 100644 --- a/roles/kube_nfs_volumes/tasks/nfs.yml +++ b/roles/kube_nfs_volumes/tasks/nfs.yml @@ -1,13 +1,19 @@ --- - name: Install NFS server - action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" + package: name=nfs-utils state=present when: not openshift.common.is_containerized | bool - name: Start rpcbind on Fedora/Red Hat - service: name=rpcbind state=started enabled=yes + systemd: + name: rpcbind + state: started + enabled: yes - name: Start nfs on Fedora/Red Hat - service: name=nfs-server state=started enabled=yes + systemd: + name: nfs-server + state: started + enabled: yes - name: Export the directories lineinfile: dest=/etc/exports diff --git a/roles/nickhammond.logrotate/tasks/main.yml b/roles/nickhammond.logrotate/tasks/main.yml index 1979c851f..657cb10ec 100644 --- a/roles/nickhammond.logrotate/tasks/main.yml +++ b/roles/nickhammond.logrotate/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: nickhammond.logrotate | Install logrotate - action: "{{ ansible_pkg_mgr }} name=logrotate state=present" + package: name=logrotate state=present when: not openshift.common.is_atomic | bool - name: nickhammond.logrotate | Setup logrotate.d scripts diff --git a/roles/nuage_ca/tasks/main.yaml b/roles/nuage_ca/tasks/main.yaml index 9cfa40b8a..8d73e6840 100644 --- a/roles/nuage_ca/tasks/main.yaml +++ b/roles/nuage_ca/tasks/main.yaml @@ -1,6 +1,6 @@ --- - name: Install openssl - action: "{{ ansible_pkg_mgr }} name=openssl state=present" + package: name=openssl state=present when: not openshift.common.is_atomic | bool - name: Create CA directory @@ -41,6 +41,6 @@ delegate_to: "{{ nuage_ca_master }}" - name: Copy SSL config file - copy: src=openssl.cnf dest="{{ nuage_ca_dir }}/openssl.cnf" + copy: src=openssl.cnf dest="{{ nuage_ca_dir }}/openssl.cnf" run_once: true delegate_to: "{{ nuage_ca_master }}" diff --git a/roles/nuage_master/README.md b/roles/nuage_master/README.md index de101dd19..0f1f6f2b1 100644 --- a/roles/nuage_master/README.md +++ b/roles/nuage_master/README.md @@ -5,4 +5,6 @@ Setup Nuage Kubernetes Monitor on the Master node Requirements ------------ -This role assumes it has been deployed on RHEL/Fedora + +* Ansible 2.2 +* This role assumes it has been deployed on RHEL/Fedora diff --git a/roles/nuage_master/handlers/main.yaml b/roles/nuage_master/handlers/main.yaml index 56224cf82..162aaae1a 100644 --- a/roles/nuage_master/handlers/main.yaml +++ b/roles/nuage_master/handlers/main.yaml @@ -1,18 +1,24 @@ --- - name: restart nuage-openshift-monitor become: yes - service: name=nuage-openshift-monitor state=restarted + systemd: name=nuage-openshift-monitor state=restarted - name: restart master - service: name={{ openshift.common.service_type }}-master state=restarted + systemd: name={{ openshift.common.service_type }}-master state=restarted when: (not openshift_master_ha | bool) and (not master_service_status_changed | default(false)) - name: restart master api - service: name={{ openshift.common.service_type }}-master-api state=restarted - when: (openshift_master_ha | bool) and (not master_api_service_status_changed | default(false)) and openshift.master.cluster_method == 'native' + systemd: name={{ openshift.common.service_type }}-master-api state=restarted + when: > + (openshift_master_ha | bool) and + (not master_api_service_status_changed | default(false)) and + openshift.master.cluster_method == 'native' # TODO: need to fix up ignore_errors here - name: restart master controllers - service: name={{ openshift.common.service_type }}-master-controllers state=restarted - when: (openshift_master_ha | bool) and (not master_controllers_service_status_changed | default(false)) and openshift.master.cluster_method == 'native' + systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted + when: > + (openshift_master_ha | bool) and + (not master_controllers_service_status_changed | default(false)) and + openshift.master.cluster_method == 'native' ignore_errors: yes diff --git a/roles/nuage_master/meta/main.yml b/roles/nuage_master/meta/main.yml index 51b89fbf6..b2a47ef71 100644 --- a/roles/nuage_master/meta/main.yml +++ b/roles/nuage_master/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: - author: Vishal Patil + author: Vishal Patil description: company: Nuage Networks license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 2.2 platforms: - name: EL versions: @@ -18,5 +18,5 @@ dependencies: - role: openshift_etcd_client_certificates - role: os_firewall os_firewall_allow: - - service: openshift-monitor + - service: openshift-monitor port: "{{ nuage_mon_rest_server_port }}/tcp" diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml index 2b3ae0454..41143772e 100644 --- a/roles/nuage_master/tasks/serviceaccount.yml +++ b/roles/nuage_master/tasks/serviceaccount.yml @@ -29,7 +29,7 @@ --config={{nuage_tmp_conf}} with_items: "{{nuage_tasks}}" register: osnuage_perm_task - failed_when: "'already exists' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0" + failed_when: "'the object has been modified' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0" changed_when: osnuage_perm_task.rc == 0 - name: Generate the node client config diff --git a/roles/nuage_node/README.md b/roles/nuage_node/README.md index 02a3cbc77..75a75ca6b 100644 --- a/roles/nuage_node/README.md +++ b/roles/nuage_node/README.md @@ -6,4 +6,5 @@ Setup Nuage VRS (Virtual Routing Switching) on the Openshift Node Requirements ------------ -This role assumes it has been deployed on RHEL/Fedora +* Ansible 2.2 +* This role assumes it has been deployed on RHEL/Fedora diff --git a/roles/nuage_node/handlers/main.yaml b/roles/nuage_node/handlers/main.yaml index fd06d9025..8384856ff 100644 --- a/roles/nuage_node/handlers/main.yaml +++ b/roles/nuage_node/handlers/main.yaml @@ -1,11 +1,11 @@ --- - name: restart vrs become: yes - service: name=openvswitch state=restarted + systemd: name=openvswitch state=restarted - name: restart node become: yes - service: name={{ openshift.common.service_type }}-node state=restarted + systemd: name={{ openshift.common.service_type }}-node state=restarted - name: save iptable rules become: yes diff --git a/roles/nuage_node/meta/main.yml b/roles/nuage_node/meta/main.yml index a6fbcba61..f96318611 100644 --- a/roles/nuage_node/meta/main.yml +++ b/roles/nuage_node/meta/main.yml @@ -1,10 +1,10 @@ --- galaxy_info: - author: Vishal Patil + author: Vishal Patil description: company: Nuage Networks license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 2.2 platforms: - name: EL versions: @@ -17,7 +17,7 @@ dependencies: - role: nuage_ca - role: os_firewall os_firewall_allow: - - service: vxlan + - service: vxlan port: 4789/udp - service: nuage-monitor port: "{{ nuage_mon_rest_server_port }}/tcp" diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml index b6d403067..e2a12e5ff 100644 --- a/roles/openshift_ca/tasks/main.yml +++ b/roles/openshift_ca/tasks/main.yml @@ -8,7 +8,9 @@ when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate) - name: Install the base package for admin tooling - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: not openshift.common.is_containerized | bool register: install_result delegate_to: "{{ openshift_ca_host }}" diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml index 11c73b25c..07a00189c 100644 --- a/roles/openshift_cli/tasks/main.yml +++ b/roles/openshift_cli/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install clients - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-clients state=present" + package: name={{ openshift.common.service_type }}-clients state=present when: not openshift.common.is_containerized | bool - name: Pull CLI Image @@ -20,5 +20,5 @@ openshift_facts: - name: Install bash completion for oc tools - action: "{{ ansible_pkg_mgr }} name=bash-completion state=present" + package: name=bash-completion state=present when: not openshift.common.is_containerized | bool diff --git a/roles/openshift_clock/tasks/main.yaml b/roles/openshift_clock/tasks/main.yaml index 5a8403f68..3911201ea 100644 --- a/roles/openshift_clock/tasks/main.yaml +++ b/roles/openshift_clock/tasks/main.yaml @@ -6,7 +6,7 @@ enabled: "{{ openshift_clock_enabled | default(None) }}" - name: Install ntp package - action: "{{ ansible_pkg_mgr }} name=ntp state=present" + package: name=ntp state=present when: openshift.clock.enabled | bool and not openshift.clock.chrony_installed | bool - name: Start and enable ntpd/chronyd diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml index 3f8ea5dce..c9a44b3f5 100644 --- a/roles/openshift_common/tasks/main.yml +++ b/roles/openshift_common/tasks/main.yml @@ -29,7 +29,9 @@ use_dnsmasq: "{{ openshift_use_dnsmasq | default(None) }}" - name: Install the base package for versioning - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: not openshift.common.is_containerized | bool - name: Set version facts diff --git a/roles/openshift_expand_partition/tasks/main.yml b/roles/openshift_expand_partition/tasks/main.yml index cdd813e6a..00603f4fa 100644 --- a/roles/openshift_expand_partition/tasks/main.yml +++ b/roles/openshift_expand_partition/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Ensure growpart is installed - action: "{{ ansible_pkg_mgr }} name=cloud-utils-growpart state=present" + package: name=cloud-utils-growpart state=present when: not openshift.common.is_containerized | bool - name: Determine if growpart is installed diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index d797eb4d3..ad4b1e47b 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -22,9 +22,14 @@ from distutils.util import strtobool from distutils.version import LooseVersion import struct import socket -from dbus import SystemBus, Interface -from dbus.exceptions import DBusException +HAVE_DBUS=False +try: + from dbus import SystemBus, Interface + from dbus.exceptions import DBusException + HAVE_DBUS=True +except ImportError: + pass DOCUMENTATION = ''' --- @@ -102,14 +107,6 @@ def migrate_node_facts(facts): facts['node'][param] = facts[role].pop(param) return facts -def migrate_local_facts(facts): - """ Apply migrations of local facts """ - migrated_facts = copy.deepcopy(facts) - migrated_facts = migrate_docker_facts(migrated_facts) - migrated_facts = migrate_common_facts(migrated_facts) - migrated_facts = migrate_node_facts(migrated_facts) - migrated_facts = migrate_hosted_facts(migrated_facts) - return migrated_facts def migrate_hosted_facts(facts): """ Apply migrations for master facts """ @@ -128,6 +125,30 @@ def migrate_hosted_facts(facts): facts['hosted']['registry']['selector'] = facts['master'].pop('registry_selector') return facts +def migrate_admission_plugin_facts(facts): + if 'master' in facts: + if 'kube_admission_plugin_config' in facts['master']: + if 'admission_plugin_config' not in facts['master']: + facts['master']['admission_plugin_config'] = dict() + # Merge existing kube_admission_plugin_config with admission_plugin_config. + facts['master']['admission_plugin_config'] = merge_facts(facts['master']['admission_plugin_config'], + facts['master']['kube_admission_plugin_config'], + additive_facts_to_overwrite=[], + protected_facts_to_overwrite=[]) + # Remove kube_admission_plugin_config fact + facts['master'].pop('kube_admission_plugin_config', None) + return facts + +def migrate_local_facts(facts): + """ Apply migrations of local facts """ + migrated_facts = copy.deepcopy(facts) + migrated_facts = migrate_docker_facts(migrated_facts) + migrated_facts = migrate_common_facts(migrated_facts) + migrated_facts = migrate_node_facts(migrated_facts) + migrated_facts = migrate_hosted_facts(migrated_facts) + migrated_facts = migrate_admission_plugin_facts(migrated_facts) + return migrated_facts + def first_ip(network): """ Return the first IPv4 address in network @@ -1567,14 +1588,14 @@ def set_proxy_facts(facts): builddefaults['git_http_proxy'] = builddefaults['http_proxy'] if 'git_https_proxy' not in builddefaults and 'https_proxy' in builddefaults: builddefaults['git_https_proxy'] = builddefaults['https_proxy'] - # If we're actually defining a proxy config then create kube_admission_plugin_config + # If we're actually defining a proxy config then create admission_plugin_config # if it doesn't exist, then merge builddefaults[config] structure - # into kube_admission_plugin_config - if 'kube_admission_plugin_config' not in facts['master']: - facts['master']['kube_admission_plugin_config'] = dict() + # into admission_plugin_config + if 'admission_plugin_config' not in facts['master']: + facts['master']['admission_plugin_config'] = dict() if 'config' in builddefaults and ('http_proxy' in builddefaults or \ 'https_proxy' in builddefaults): - facts['master']['kube_admission_plugin_config'].update(builddefaults['config']) + facts['master']['admission_plugin_config'].update(builddefaults['config']) facts['builddefaults'] = builddefaults return facts @@ -2277,6 +2298,9 @@ def main(): add_file_common_args=True, ) + if not HAVE_DBUS: + module.fail_json(msg="This module requires dbus python bindings") + module.params['gather_subset'] = ['hardware', 'network', 'virtual', 'facter'] module.params['gather_timeout'] = 10 module.params['filter'] = '*' diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index 4d4a232cc..70cf49dd4 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -10,12 +10,11 @@ - set_fact: l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}" -- name: Ensure PyYaml is installed - action: "{{ ansible_pkg_mgr }} name=PyYAML state=present" - when: not l_is_atomic | bool - -- name: Ensure yum-utils is installed - action: "{{ ansible_pkg_mgr }} name=yum-utils state=present" +- name: Ensure PyYaml and yum-utils are installed + package: name={{ item }} state=present + with_items: + - PyYAML + - yum-utils when: not l_is_atomic | bool - name: Gather Cluster facts and set is_containerized if needed diff --git a/roles/openshift_loadbalancer/README.md b/roles/openshift_loadbalancer/README.md index 03e837e46..bea4c509b 100644 --- a/roles/openshift_loadbalancer/README.md +++ b/roles/openshift_loadbalancer/README.md @@ -6,6 +6,8 @@ OpenShift HaProxy Loadbalancer Configuration Requirements ------------ +* Ansible 2.2 + This role is intended to be applied to the [lb] host group which is separate from OpenShift infrastructure components. diff --git a/roles/openshift_loadbalancer/handlers/main.yml b/roles/openshift_loadbalancer/handlers/main.yml index 5b8691b26..3bf052460 100644 --- a/roles/openshift_loadbalancer/handlers/main.yml +++ b/roles/openshift_loadbalancer/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart haproxy - service: + systemd: name: haproxy state: restarted when: not (haproxy_start_result_changed | default(false) | bool) diff --git a/roles/openshift_loadbalancer/meta/main.yml b/roles/openshift_loadbalancer/meta/main.yml index 0b29df2a0..0dffb545f 100644 --- a/roles/openshift_loadbalancer/meta/main.yml +++ b/roles/openshift_loadbalancer/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: OpenShift haproxy loadbalancer company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml index 863738143..400f80715 100644 --- a/roles/openshift_loadbalancer/tasks/main.yml +++ b/roles/openshift_loadbalancer/tasks/main.yml @@ -3,7 +3,7 @@ when: openshift.common.is_containerized | bool - name: Install haproxy - action: "{{ ansible_pkg_mgr }} name=haproxy state=present" + package: name=haproxy state=present - name: Configure systemd service directory for haproxy file: @@ -27,11 +27,6 @@ option: LimitNOFILE value: "{{ openshift_loadbalancer_limit_nofile | default(100000) }}" notify: restart haproxy - register: nofile_limit_result - -- name: Reload systemd if needed - command: systemctl daemon-reload - when: nofile_limit_result | changed - name: Configure haproxy template: @@ -43,10 +38,11 @@ notify: restart haproxy - name: Enable and start haproxy - service: + systemd: name: haproxy state: started enabled: yes + daemon_reload: yes register: start_result - set_fact: diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml index 28e4e46e9..c06758833 100644 --- a/roles/openshift_manage_node/tasks/main.yml +++ b/roles/openshift_manage_node/tasks/main.yml @@ -3,18 +3,51 @@ command: mktemp -d /tmp/openshift-ansible-XXXXXX register: mktemp changed_when: False + delegate_to: "{{ openshift_master_host }}" + run_once: true - set_fact: openshift_manage_node_kubeconfig: "{{ mktemp.stdout }}/admin.kubeconfig" + delegate_to: "{{ openshift_master_host }}" + run_once: true - name: Copy the admin client config(s) command: > cp {{ openshift.common.config_base }}/master/admin.kubeconfig {{ openshift_manage_node_kubeconfig }} changed_when: False + delegate_to: "{{ openshift_master_host }}" + run_once: true + +# Necessary because when you're on a node that's also a master the master will be +# restarted after the node restarts docker and it will take up to 60 seconds for +# systemd to start the master again +- name: Wait for master API to become available before proceeding + # Using curl here since the uri module requires python-httplib2 and + # wait_for port doesn't provide health information. + command: > + curl --silent --tlsv1.2 + {% if openshift.common.version_gte_3_2_or_1_2 | bool %} + --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt + {% else %} + --cacert {{ openshift.common.config_base }}/master/ca.crt + {% endif %} + {{ openshift_node_master_api_url }}/healthz/ready + args: + # Disables the following warning: + # Consider using get_url or uri module rather than running curl + warn: no + register: api_available_output + until: api_available_output.stdout == 'ok' + retries: 120 + delay: 1 + changed_when: false + when: openshift.common.is_containerized | bool + delegate_to: "{{ openshift_master_host }}" + run_once: true - name: Wait for Node Registration command: > - {{ openshift.common.client_binary }} get node {{ hostvars[item].openshift.node.nodename }} + {{ hostvars[openshift_master_host].openshift.common.client_binary }} get node {{ openshift.node.nodename }} --config={{ openshift_manage_node_kubeconfig }} -n default register: omd_get_node @@ -22,26 +55,29 @@ retries: 50 delay: 5 changed_when: false - with_items: "{{ openshift_nodes }}" + when: "'nodename' in openshift.node" + delegate_to: "{{ openshift_master_host }}" - name: Set node schedulability command: > - {{ openshift.common.client_binary }} adm manage-node {{ hostvars[item].openshift.node.nodename }} --schedulable={{ 'true' if hostvars[item].openshift.node.schedulable | bool else 'false' }} + {{ hostvars[openshift_master_host].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename }} --schedulable={{ 'true' if openshift.node.schedulable | bool else 'false' }} --config={{ openshift_manage_node_kubeconfig }} -n default - with_items: "{{ openshift_nodes }}" - when: hostvars[item].openshift.node.nodename is defined + when: "'nodename' in openshift.node" + delegate_to: "{{ openshift_master_host }}" - name: Label nodes command: > - {{ openshift.common.client_binary }} label --overwrite node {{ hostvars[item].openshift.node.nodename }} {{ hostvars[item].openshift.node.labels | oo_combine_dict }} + {{ hostvars[openshift_master_host].openshift.common.client_binary }} label --overwrite node {{ openshift.node.nodename }} {{ openshift.node.labels | oo_combine_dict }} --config={{ openshift_manage_node_kubeconfig }} -n default - with_items: "{{ openshift_nodes }}" - when: hostvars[item].openshift.node.nodename is defined and 'labels' in hostvars[item].openshift.node and hostvars[item].openshift.node.labels != {} + when: "'nodename' in openshift.node and 'labels' in openshift.node and openshift.node.labels != {}" + delegate_to: "{{ openshift_master_host }}" - name: Delete temp directory file: name: "{{ mktemp.stdout }}" state: absent changed_when: False + delegate_to: "{{ openshift_master_host }}" + run_once: true diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml index bdaf64b3f..a7214482f 100644 --- a/roles/openshift_manageiq/tasks/main.yaml +++ b/roles/openshift_manageiq/tasks/main.yaml @@ -50,6 +50,16 @@ failed_when: "'already exists' not in osmiq_create_cluster_role.stderr and osmiq_create_cluster_role.rc != 0" changed_when: osmiq_create_cluster_role.rc == 0 +- name: Create Hawkular Metrics Admin Cluster Role + shell: > + echo {{ manageiq_metrics_admin_clusterrole | to_json | quote }} | + {{ openshift.common.client_binary }} + --config={{manage_iq_tmp_conf}} + create -f - + register: oshawkular_create_cluster_role + failed_when: "'already exists' not in oshawkular_create_cluster_role.stderr and oshawkular_create_cluster_role.rc != 0" + changed_when: oshawkular_create_cluster_role.rc == 0 + - name: Configure role/user permissions command: > {{ openshift.common.client_binary }} adm {{item}} diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml index 6a0c5b41b..37d4679ef 100644 --- a/roles/openshift_manageiq/vars/main.yml +++ b/roles/openshift_manageiq/vars/main.yml @@ -9,6 +9,20 @@ manageiq_cluster_role: verbs: - '*' +manageiq_metrics_admin_clusterrole: + apiVersion: v1 + kind: ClusterRole + metadata: + name: hawkular-metrics-admin + rules: + - apiGroups: + - "" + resources: + - hawkular-metrics + - hawkular-alerts + verbs: + - '*' + manageiq_service_account: apiVersion: v1 kind: ServiceAccount @@ -31,6 +45,7 @@ manage_iq_tasks: - policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin - policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin - policy add-cluster-role-to-user self-provisioner system:serviceaccount:management-infra:management-admin + - policy add-cluster-role-to-user hawkular-metrics-admin system:serviceaccount:management-infra:management-admin manage_iq_openshift_3_2_tasks: - policy add-cluster-role-to-user system:image-auditor system:serviceaccount:management-infra:management-admin diff --git a/roles/openshift_master/README.md b/roles/openshift_master/README.md index 663ac08b8..c3300a7ef 100644 --- a/roles/openshift_master/README.md +++ b/roles/openshift_master/README.md @@ -6,7 +6,8 @@ Master service installation Requirements ------------ -A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, +* Ansible 2.2 +* A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, rhel-7-server-extras-rpms, and rhel-7-server-ose-3.0-rpms repos. Role Variables diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml index e119db1a2..69c5a1663 100644 --- a/roles/openshift_master/handlers/main.yml +++ b/roles/openshift_master/handlers/main.yml @@ -1,16 +1,16 @@ --- - name: restart master - service: name={{ openshift.common.service_type }}-master state=restarted + systemd: name={{ openshift.common.service_type }}-master state=restarted when: (openshift.master.ha is not defined or not openshift.master.ha | bool) and (not (master_service_status_changed | default(false) | bool)) notify: Verify API Server - name: restart master api - service: name={{ openshift.common.service_type }}-master-api state=restarted + systemd: name={{ openshift.common.service_type }}-master-api state=restarted when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' notify: Verify API Server - name: restart master controllers - service: name={{ openshift.common.service_type }}-master-controllers state=restarted + systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' - name: Verify API Server diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index a2f665702..7457e4378 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: Master company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 2.1 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 1d6758c4a..2de5cd3f3 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -24,7 +24,9 @@ when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and openshift.common.is_containerized | bool - name: Install Master package - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: not openshift.common.is_containerized | bool - name: Pull master image @@ -62,9 +64,9 @@ args: creates: "{{ openshift_master_policy }}" notify: - - restart master - - restart master api - - restart master controllers + - restart master + - restart master api + - restart master controllers - name: Create the scheduler config copy: @@ -72,12 +74,12 @@ dest: "{{ openshift_master_scheduler_conf }}" backup: true notify: - - restart master - - restart master api - - restart master controllers + - restart master + - restart master api + - restart master controllers - name: Install httpd-tools if needed - action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present" + package: name=httpd-tools state=present when: (item.kind == 'HTPasswdPasswordIdentityProvider') and not openshift.common.is_atomic | bool with_items: "{{ openshift.master.identity_providers }}" @@ -145,8 +147,8 @@ mode: 0600 when: openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined notify: - - restart master - - restart master api + - restart master + - restart master api - set_fact: translated_identity_providers: "{{ openshift.master.identity_providers | translate_idps('v1', openshift.common.version, openshift.common.deployment_type) }}" @@ -161,9 +163,9 @@ group: root mode: 0600 notify: - - restart master - - restart master api - - restart master controllers + - restart master + - restart master api + - restart master controllers - include: set_loopback_context.yml when: openshift.common.version_gte_3_2_or_1_2 @@ -177,7 +179,10 @@ # https://github.com/openshift/origin/issues/6065 # https://github.com/openshift/origin/issues/6447 - name: Start and enable master - service: name={{ openshift.common.service_type }}-master enabled=yes state=started + systemd: + name: "{{ openshift.common.service_type }}-master" + enabled: yes + state: started when: not openshift_master_ha | bool register: start_result until: not start_result | failed @@ -185,29 +190,30 @@ delay: 60 notify: Verify API Server -- name: Check for non-HA master service presence - command: systemctl show {{ openshift.common.service_type }}-master.service - register: master_svc_show - changed_when: false - failed_when: false - - name: Stop and disable non-HA master when running HA - service: + systemd: name: "{{ openshift.common.service_type }}-master" enabled: no state: stopped - when: openshift_master_ha | bool and master_svc_show.rc == 0 and 'LoadState=not-found' not in master_svc_show.stdout + when: openshift_master_ha | bool + register: task_result + failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" - set_fact: master_service_status_changed: "{{ start_result | changed }}" when: not openshift_master_ha | bool - name: Mask master service - command: systemctl mask {{ openshift.common.service_type }}-master - when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and not openshift.common.is_containerized | bool + systemd: + name: "{{ openshift.common.service_type }}-master" + masked: yes + when: > + openshift_master_ha | bool and + openshift.master.cluster_method == 'native' and + not openshift.common.is_containerized | bool - name: Start and enable master api on first master - service: + systemd: name: "{{ openshift.common.service_type }}-master-api" enabled: yes state: started @@ -226,7 +232,7 @@ when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' - name: Start and enable master api all masters - service: + systemd: name: "{{ openshift.common.service_type }}-master-api" enabled: yes state: started @@ -262,7 +268,7 @@ when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' and master_api_service_status_changed | bool - name: Start and enable master controller on first master - service: + systemd: name: "{{ openshift.common.service_type }}-master-controllers" enabled: yes state: started @@ -272,12 +278,13 @@ retries: 1 delay: 60 -- pause: +- name: Wait for master controller service to start on first master + pause: seconds: 15 when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' - name: Start and enable master controller on all masters - service: + systemd: name: "{{ openshift.common.service_type }}-master-controllers" enabled: yes state: started @@ -292,13 +299,16 @@ when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' - name: Install cluster packages - action: "{{ ansible_pkg_mgr }} name=pcs state=present" + package: name=pcs state=present when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' and not openshift.common.is_containerized | bool register: install_result - name: Start and enable cluster service - service: name=pcsd enabled=yes state=started + systemd: + name: pcsd + enabled: yes + state: started when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' and not openshift.common.is_containerized | bool diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index a52ae578c..dc9226a5a 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -1,7 +1,4 @@ admissionConfig: -{% if 'admission_plugin_order' in openshift.master %} - pluginOrderOverride:{{ openshift.master.admission_plugin_order | to_padded_yaml(level=2) }} -{% endif %} {% if 'admission_plugin_config' in openshift.master %} pluginConfig:{{ openshift.master.admission_plugin_config | to_padded_yaml(level=2) }} {% endif %} @@ -116,13 +113,6 @@ kubernetesMasterConfig: - v1beta3 - v1 {% endif %} - admissionConfig: -{% if 'kube_admission_plugin_order' in openshift.master %} - pluginOrderOverride:{{ openshift.master.kube_admission_plugin_order | to_padded_yaml(level=3) }} -{% endif %} -{% if 'kube_admission_plugin_config' in openshift.master %} - pluginConfig:{{ openshift.master.kube_admission_plugin_config | to_padded_yaml(level=3) }} -{% endif %} apiServerArguments: {{ openshift.master.api_server_args | default(None) | to_padded_yaml( level=2 ) }} controllerArguments: {{ openshift.master.controller_args | default(None) | to_padded_yaml( level=2 ) }} masterCount: {{ openshift.master.master_count if openshift.master.cluster_method | default(None) == 'native' else 1 }} diff --git a/roles/openshift_master_cluster/README.md b/roles/openshift_master_cluster/README.md index f150981fa..58dd19ac3 100644 --- a/roles/openshift_master_cluster/README.md +++ b/roles/openshift_master_cluster/README.md @@ -6,7 +6,7 @@ TODO Requirements ------------ -TODO +* Ansible 2.2 Role Variables -------------- diff --git a/roles/openshift_master_cluster/meta/main.yml b/roles/openshift_master_cluster/meta/main.yml index 0c8881521..f2a67bc54 100644 --- a/roles/openshift_master_cluster/meta/main.yml +++ b/roles/openshift_master_cluster/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.8 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_master_facts/tasks/main.yml b/roles/openshift_master_facts/tasks/main.yml index 62ac1aef5..1f27a2c1d 100644 --- a/roles/openshift_master_facts/tasks/main.yml +++ b/roles/openshift_master_facts/tasks/main.yml @@ -66,10 +66,8 @@ master_image: "{{ osm_image | default(None) }}" scheduler_predicates: "{{ openshift_master_scheduler_predicates | default(None) }}" scheduler_priorities: "{{ openshift_master_scheduler_priorities | default(None) }}" - admission_plugin_order: "{{openshift_master_admission_plugin_order | default(None) }}" admission_plugin_config: "{{openshift_master_admission_plugin_config | default(None) }}" - kube_admission_plugin_order: "{{openshift_master_kube_admission_plugin_order | default(None) }}" - kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" + kube_admission_plugin_config: "{{openshift_master_kube_admission_plugin_config | default(None) }}" # deprecated, merged with admission_plugin_config oauth_template: "{{ openshift_master_oauth_template | default(None) }}" # deprecated in origin 1.2 / OSE 3.2 oauth_templates: "{{ openshift_master_oauth_templates | default(None) }}" oauth_always_show_provider_selection: "{{ openshift_master_oauth_always_show_provider_selection | default(None) }}" diff --git a/roles/openshift_metrics/README.md b/roles/openshift_metrics/README.md index 30a0a608d..f3c0f3474 100644 --- a/roles/openshift_metrics/README.md +++ b/roles/openshift_metrics/README.md @@ -5,8 +5,10 @@ OpenShift Metrics Installation Requirements ------------ -It requires subdomain fqdn to be set. -If persistence is enabled, then it also requires NFS. + +* Ansible 2.2 +* It requires subdomain fqdn to be set. +* If persistence is enabled, then it also requires NFS. Role Variables -------------- diff --git a/roles/openshift_metrics/handlers/main.yml b/roles/openshift_metrics/handlers/main.yml index e119db1a2..69c5a1663 100644 --- a/roles/openshift_metrics/handlers/main.yml +++ b/roles/openshift_metrics/handlers/main.yml @@ -1,16 +1,16 @@ --- - name: restart master - service: name={{ openshift.common.service_type }}-master state=restarted + systemd: name={{ openshift.common.service_type }}-master state=restarted when: (openshift.master.ha is not defined or not openshift.master.ha | bool) and (not (master_service_status_changed | default(false) | bool)) notify: Verify API Server - name: restart master api - service: name={{ openshift.common.service_type }}-master-api state=restarted + systemd: name={{ openshift.common.service_type }}-master-api state=restarted when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' notify: Verify API Server - name: restart master controllers - service: name={{ openshift.common.service_type }}-master-controllers state=restarted + systemd: name={{ openshift.common.service_type }}-master-controllers state=restarted when: (openshift.master.ha is defined and openshift.master.ha | bool) and (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' - name: Verify API Server diff --git a/roles/openshift_metrics/meta/main.yaml b/roles/openshift_metrics/meta/main.yaml index 5f8d4f5c5..a89467de5 100644 --- a/roles/openshift_metrics/meta/main.yaml +++ b/roles/openshift_metrics/meta/main.yaml @@ -1,3 +1,17 @@ +--- +galaxy_info: + author: David MartÃn + description: + company: + license: Apache License, Version 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud + - system dependencies: - { role: openshift_examples } -- { role: openshift_facts }
\ No newline at end of file +- { role: openshift_facts } diff --git a/roles/openshift_node/README.md b/roles/openshift_node/README.md index cafecd343..d1920c485 100644 --- a/roles/openshift_node/README.md +++ b/roles/openshift_node/README.md @@ -6,10 +6,10 @@ Node service installation Requirements ------------ -One or more Master servers. - -A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, -rhel-7-server-extras-rpms, and rhel-7-server-ose-3.0-rpms repos. +* Ansible 2.2 +* One or more Master servers +* A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, +rhel-7-server-extras-rpms, and rhel-7-server-ose-3.0-rpms repos Role Variables -------------- diff --git a/roles/openshift_node/handlers/main.yml b/roles/openshift_node/handlers/main.yml index 34071964a..ebe584588 100644 --- a/roles/openshift_node/handlers/main.yml +++ b/roles/openshift_node/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart openvswitch - service: name=openvswitch state=restarted + systemd: name=openvswitch state=restarted when: not (ovs_service_status_changed | default(false) | bool) and openshift.common.use_openshift_sdn | bool notify: - restart openvswitch pause @@ -10,5 +10,5 @@ when: openshift.common.is_containerized | bool - name: restart node - service: name={{ openshift.common.service_type }}-node state=restarted + systemd: name={{ openshift.common.service_type }}-node state=restarted when: not (node_service_status_changed | default(false) | bool) diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 6022694bc..31d07838d 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -2,48 +2,60 @@ # TODO: allow for overriding default ports where possible - fail: msg: "SELinux is disabled, This deployment type requires that SELinux is enabled." - when: (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] + when: > + (not ansible_selinux or ansible_selinux.status != 'enabled') and + deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] - name: Set node facts openshift_facts: role: "{{ item.role }}" local_facts: "{{ item.local_facts }}" with_items: - # Reset node labels to an empty dictionary. - - role: node - local_facts: - labels: {} - - role: node - local_facts: - annotations: "{{ openshift_node_annotations | default(none) }}" - debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}" - iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}" - kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}" - labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}" - registry_url: "{{ oreg_url | default(none) }}" - schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" - sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" - storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" - set_node_ip: "{{ openshift_set_node_ip | default(None) }}" - node_image: "{{ osn_image | default(None) }}" - ovs_image: "{{ osn_ovs_image | default(None) }}" - proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}" - local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}" - dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}" - env_vars: "{{ openshift_node_env_vars | default(None) }}" + # Reset node labels to an empty dictionary. + - role: node + local_facts: + labels: {} + - role: node + local_facts: + annotations: "{{ openshift_node_annotations | default(none) }}" + debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}" + iptables_sync_period: "{{ openshift_node_iptables_sync_period | default(None) }}" + kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}" + labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}" + registry_url: "{{ oreg_url | default(none) }}" + schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" + sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" + storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" + set_node_ip: "{{ openshift_set_node_ip | default(None) }}" + node_image: "{{ osn_image | default(None) }}" + ovs_image: "{{ osn_ovs_image | default(None) }}" + proxy_mode: "{{ openshift_node_proxy_mode | default('iptables') }}" + local_quota_per_fsgroup: "{{ openshift_node_local_quota_per_fsgroup | default(None) }}" + dns_ip: "{{ openshift_dns_ip | default(none) | get_dns_ip(hostvars[inventory_hostname])}}" + env_vars: "{{ openshift_node_env_vars | default(None) }}" # We have to add tuned-profiles in the same transaction otherwise we run into depsolving # problems because the rpms don't pin the version properly. This was fixed in 3.1 packaging. - name: Install Node package - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: not openshift.common.is_containerized | bool +- name: Check for tuned package + command: rpm -q tuned + register: tuned_installed + changed_when: false + failed_when: false + - name: Set atomic-guest tuned profile command: "tuned-adm profile atomic-guest" - when: openshift.common.is_atomic | bool + when: tuned_installed.rc == 0 and openshift.common.is_atomic | bool - name: Install sdn-ovs package - action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version | oo_image_tag_to_rpm_version(include_dash=True) }} state=present" + package: + name: "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: present when: openshift.common.use_openshift_sdn and not openshift.common.is_containerized | bool - name: Pull node image @@ -70,7 +82,10 @@ sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes state=present reload=yes - name: Start and enable openvswitch docker service - service: name=openvswitch.service enabled=yes state=started + systemd: + name: openvswitch.service + enabled: yes + state: started when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool register: ovs_start_result @@ -92,7 +107,7 @@ group: root mode: 0600 notify: - - restart node + - restart node - name: Configure AWS Cloud Provider Settings lineinfile: @@ -108,7 +123,7 @@ no_log: True when: "openshift_cloudprovider_kind is defined and openshift_cloudprovider_kind == 'aws' and openshift_cloudprovider_aws_access_key is defined and openshift_cloudprovider_aws_secret_key is defined" notify: - - restart node + - restart node - name: Configure Node Environment Variables lineinfile: @@ -118,7 +133,7 @@ create: true with_dict: "{{ openshift.node.env_vars | default({}) }}" notify: - - restart node + - restart node - name: NFS storage plugin configuration include: storage_plugins/nfs.yml @@ -158,11 +173,17 @@ when: openshift.common.is_containerized | bool - name: Start and enable node dep - service: name={{ openshift.common.service_type }}-node-dep enabled=yes state=started + systemd: + name: "{{ openshift.common.service_type }}-node-dep" + enabled: yes + state: started when: openshift.common.is_containerized | bool - name: Start and enable node - service: name={{ openshift.common.service_type }}-node enabled=yes state=started + systemd: + name: "{{ openshift.common.service_type }}-node" + enabled: yes + state: started register: node_start_result until: not node_start_result | failed retries: 1 diff --git a/roles/openshift_node/tasks/storage_plugins/ceph.yml b/roles/openshift_node/tasks/storage_plugins/ceph.yml index eed3c99a3..037efe81a 100644 --- a/roles/openshift_node/tasks/storage_plugins/ceph.yml +++ b/roles/openshift_node/tasks/storage_plugins/ceph.yml @@ -1,4 +1,4 @@ --- - name: Install Ceph storage plugin dependencies - action: "{{ ansible_pkg_mgr }} name=ceph-common state=present" - when: not openshift.common.is_atomic | bool
\ No newline at end of file + package: name=ceph-common state=present + when: not openshift.common.is_atomic | bool diff --git a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml index 4fd9cd10b..7d8c42ee2 100644 --- a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml +++ b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml @@ -1,6 +1,6 @@ --- - name: Install GlusterFS storage plugin dependencies - action: "{{ ansible_pkg_mgr }} name=glusterfs-fuse state=present" + package: name=glusterfs-fuse state=present when: not openshift.common.is_atomic | bool - name: Check for existence of virt_use_fusefs seboolean diff --git a/roles/openshift_node/tasks/storage_plugins/iscsi.yml b/roles/openshift_node/tasks/storage_plugins/iscsi.yml index d6684b34a..1c5478c55 100644 --- a/roles/openshift_node/tasks/storage_plugins/iscsi.yml +++ b/roles/openshift_node/tasks/storage_plugins/iscsi.yml @@ -1,4 +1,4 @@ --- - name: Install iSCSI storage plugin dependencies - action: "{{ ansible_pkg_mgr }} name=iscsi-initiator-utils state=present" + package: name=iscsi-initiator-utils state=present when: not openshift.common.is_atomic | bool diff --git a/roles/openshift_node/tasks/storage_plugins/nfs.yml b/roles/openshift_node/tasks/storage_plugins/nfs.yml index 5f99f129c..d40ae66cb 100644 --- a/roles/openshift_node/tasks/storage_plugins/nfs.yml +++ b/roles/openshift_node/tasks/storage_plugins/nfs.yml @@ -1,6 +1,6 @@ --- - name: Install NFS storage plugin dependencies - action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" + package: name=nfs-utils state=present when: not openshift.common.is_atomic | bool - name: Check for existence of seboolean diff --git a/roles/openshift_node_certificates/README.md b/roles/openshift_node_certificates/README.md index f56066b29..f4215950f 100644 --- a/roles/openshift_node_certificates/README.md +++ b/roles/openshift_node_certificates/README.md @@ -6,6 +6,8 @@ This role determines if OpenShift node certificates must be created, delegates c Requirements ------------ +* Ansible 2.2 + Role Variables -------------- diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml index f2299cecf..a74668b13 100644 --- a/roles/openshift_node_certificates/handlers/main.yml +++ b/roles/openshift_node_certificates/handlers/main.yml @@ -2,9 +2,9 @@ - name: update ca trust command: update-ca-trust notify: - - restart docker after updating ca trust + - restart docker after updating ca trust - name: restart docker after updating ca trust - service: + systemd: name: docker state: restarted diff --git a/roles/openshift_node_certificates/meta/main.yml b/roles/openshift_node_certificates/meta/main.yml index 50a862ee9..93216c1d2 100644 --- a/roles/openshift_node_certificates/meta/main.yml +++ b/roles/openshift_node_certificates/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: OpenShift Node Certificates company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 2.1 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml index 69bcd3668..35f84c2cf 100644 --- a/roles/openshift_node_certificates/tasks/main.yml +++ b/roles/openshift_node_certificates/tasks/main.yml @@ -44,7 +44,7 @@ - name: Generate the node client config command: > - {{ openshift.common.client_binary }} adm create-api-client-config + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config {% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %} --certificate-authority {{ named_ca_certificate }} {% endfor %} @@ -63,7 +63,7 @@ - name: Generate the node server certificate command: > - {{ openshift.common.client_binary }} adm ca create-server-cert + {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert --cert={{ openshift_node_generated_config_dir }}/server.crt --key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key --overwrite=true diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh index ced0fa663..089c3f7e4 100755 --- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh +++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh @@ -28,7 +28,7 @@ cd /etc/sysconfig/network-scripts [ -f ../network ] && . ../network -if [[ $2 =~ ^(up|dhcp4-change)$ ]]; then +if [[ $2 =~ ^(up|dhcp4-change|dhcp6-change)$ ]]; then # If the origin-upstream-dns config file changed we need to restart NEEDS_RESTART=0 UPSTREAM_DNS='/etc/dnsmasq.d/origin-upstream-dns.conf' @@ -36,6 +36,7 @@ if [[ $2 =~ ^(up|dhcp4-change)$ ]]; then UPSTREAM_DNS_TMP=`mktemp` UPSTREAM_DNS_TMP_SORTED=`mktemp` CURRENT_UPSTREAM_DNS_SORTED=`mktemp` + NEW_RESOLV_CONF=`mktemp` ###################################################################### # couldn't find an existing method to determine if the interface owns the @@ -85,13 +86,17 @@ EOF systemctl restart dnsmasq fi - sed -i '0,/^nameserver/ s/^nameserver.*$/nameserver '"${def_route_ip}"'/g' /etc/resolv.conf - - if ! grep -q '99-origin-dns.sh' /etc/resolv.conf; then - echo "# nameserver updated by /etc/NetworkManager/dispatcher.d/99-origin-dns.sh" >> /etc/resolv.conf + # Only if dnsmasq is running properly make it our only nameserver + if `systemctl -q is-active dnsmasq.service`; then + sed -e '/^nameserver.*$/d' /etc/resolv.conf > ${NEW_RESOLV_CONF} + echo "nameserver "${def_route_ip}"" >> ${NEW_RESOLV_CONF} + if ! grep -q '99-origin-dns.sh' ${NEW_RESOLV_CONF}; then + echo "# nameserver updated by /etc/NetworkManager/dispatcher.d/99-origin-dns.sh" >> ${NEW_RESOLV_CONF} + fi + cp -Z ${NEW_RESOLV_CONF} /etc/resolv.conf fi fi # Clean up after yourself - rm -f $UPSTREAM_DNS_TMP $UPSTREAM_DNS_TMP_SORTED $CURRENT_UPSTREAM_DNS_SORTED + rm -f $UPSTREAM_DNS_TMP $UPSTREAM_DNS_TMP_SORTED $CURRENT_UPSTREAM_DNS_SORTED $NEW_RESOLV_CONF fi diff --git a/roles/openshift_node_dnsmasq/handlers/main.yml b/roles/openshift_node_dnsmasq/handlers/main.yml index 7d43b6106..b4a0c3583 100644 --- a/roles/openshift_node_dnsmasq/handlers/main.yml +++ b/roles/openshift_node_dnsmasq/handlers/main.yml @@ -1,10 +1,10 @@ --- - name: restart NetworkManager - service: + systemd: name: NetworkManager state: restarted - name: restart dnsmasq - service: + systemd: name: dnsmasq state: restarted diff --git a/roles/openshift_node_dnsmasq/meta/main.yml b/roles/openshift_node_dnsmasq/meta/main.yml index c83d64ae4..18e04e06d 100644 --- a/roles/openshift_node_dnsmasq/meta/main.yml +++ b/roles/openshift_node_dnsmasq/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: OpenShift Node DNSMasq support company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_node_dnsmasq/tasks/main.yml b/roles/openshift_node_dnsmasq/tasks/main.yml index 396c27295..3311f7006 100644 --- a/roles/openshift_node_dnsmasq/tasks/main.yml +++ b/roles/openshift_node_dnsmasq/tasks/main.yml @@ -4,13 +4,14 @@ systemctl show NetworkManager register: nm_show changed_when: false + ignore_errors: True - name: Set fact using_network_manager set_fact: network_manager_active: "{{ True if 'ActiveState=active' in nm_show.stdout else False }}" - name: Install dnsmasq - action: "{{ ansible_pkg_mgr }} name=dnsmasq state=installed" + package: name=dnsmasq state=installed when: not openshift.common.is_atomic | bool - name: Install dnsmasq configuration @@ -21,16 +22,16 @@ - name: Deploy additional dnsmasq.conf template: - src: "{{ openshift_node_dnsmasq_additional_config_file }}" - dest: /etc/dnsmasq.d/openshift-ansible.conf - owner: root - group: root - mode: 0644 + src: "{{ openshift_node_dnsmasq_additional_config_file }}" + dest: /etc/dnsmasq.d/openshift-ansible.conf + owner: root + group: root + mode: 0644 when: openshift_node_dnsmasq_additional_config_file is defined notify: restart dnsmasq - name: Enable dnsmasq - service: + systemd: name: dnsmasq enabled: yes state: started diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index 9be168611..d5ed9c09d 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml @@ -12,7 +12,7 @@ when: not openshift.common.is_containerized | bool - name: Ensure libselinux-python is installed - action: "{{ ansible_pkg_mgr }} name=libselinux-python state=present" + package: name=libselinux-python state=present when: not openshift.common.is_containerized | bool - name: Create any additional repos that are defined @@ -37,6 +37,7 @@ when: ansible_os_family == "RedHat" and ansible_distribution != "Fedora" and openshift_deployment_type == 'origin' and not openshift.common.is_containerized | bool + and openshift_enable_origin_repo | default(true) - name: Configure origin yum repositories RHEL/CentOS copy: @@ -46,3 +47,4 @@ when: ansible_os_family == "RedHat" and ansible_distribution != "Fedora" and openshift_deployment_type == 'origin' and not openshift.common.is_containerized | bool + and openshift_enable_origin_repo | default(true) diff --git a/roles/openshift_storage_nfs/README.md b/roles/openshift_storage_nfs/README.md index b0480a958..817b007e8 100644 --- a/roles/openshift_storage_nfs/README.md +++ b/roles/openshift_storage_nfs/README.md @@ -6,10 +6,10 @@ OpenShift NFS Server Installation Requirements ------------ -This role is intended to be applied to the [nfs] host group which is +* Ansible 2.2 +* This role is intended to be applied to the [nfs] host group which is separate from OpenShift infrastructure components. - -Requires access to the 'nfs-utils' package. +* Requires access to the 'nfs-utils' package. Role Variables -------------- diff --git a/roles/openshift_storage_nfs/handlers/main.yml b/roles/openshift_storage_nfs/handlers/main.yml index a1377a203..0d1149db8 100644 --- a/roles/openshift_storage_nfs/handlers/main.yml +++ b/roles/openshift_storage_nfs/handlers/main.yml @@ -1,6 +1,6 @@ --- - name: restart nfs-server - service: + systemd: name: nfs-server state: restarted when: not (nfs_service_status_changed | default(false)) diff --git a/roles/openshift_storage_nfs/meta/main.yml b/roles/openshift_storage_nfs/meta/main.yml index 865865d9c..62e38bd8c 100644 --- a/roles/openshift_storage_nfs/meta/main.yml +++ b/roles/openshift_storage_nfs/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: OpenShift NFS Server company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.9 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_storage_nfs/tasks/main.yml b/roles/openshift_storage_nfs/tasks/main.yml index 4716c77ae..fd935f105 100644 --- a/roles/openshift_storage_nfs/tasks/main.yml +++ b/roles/openshift_storage_nfs/tasks/main.yml @@ -1,6 +1,6 @@ --- - name: Install nfs-utils - action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" + package: name=nfs-utils state=present - name: Configure NFS lineinfile: @@ -10,7 +10,7 @@ register: nfs_config - name: Restart nfs-config - service: name=nfs-config state=restarted + systemd: name=nfs-config state=restarted when: nfs_config | changed - name: Ensure exports directory exists @@ -26,9 +26,9 @@ owner: nfsnobody group: nfsnobody with_items: - - "{{ openshift.hosted.registry }}" - - "{{ openshift.hosted.metrics }}" - - "{{ openshift.hosted.logging }}" + - "{{ openshift.hosted.registry }}" + - "{{ openshift.hosted.metrics }}" + - "{{ openshift.hosted.logging }}" - name: Configure exports @@ -36,7 +36,7 @@ dest: /etc/exports.d/openshift-ansible.exports src: exports.j2 notify: - - restart nfs-server + - restart nfs-server # Now that we're putting our exports in our own file clean up the old ones - name: register exports @@ -51,16 +51,14 @@ with_items: "{{ exports_out.stdout_lines | default([]) }}" when: exports_out.rc == 0 notify: - - restart nfs-server + - restart nfs-server - name: Enable and start services - service: - name: "{{ item }}" + systemd: + name: nfs-server state: started enabled: yes register: start_result - with_items: - - nfs-server - set_fact: nfs_service_status_changed: "{{ start_result | changed }}" diff --git a/roles/openshift_storage_nfs_lvm/README.md b/roles/openshift_storage_nfs_lvm/README.md index 3680ef5b5..8b8471745 100644 --- a/roles/openshift_storage_nfs_lvm/README.md +++ b/roles/openshift_storage_nfs_lvm/README.md @@ -8,10 +8,9 @@ create persistent volumes. ## Requirements -* NFS server with NFS, iptables, and everything setup. - +* Ansible 2.2 +* NFS server with NFS, iptables, and everything setup * A lvm volume group created on the nfs server (default: openshiftvg) - * The lvm volume needs to have as much free space as you are allocating ## Role Variables diff --git a/roles/openshift_storage_nfs_lvm/handlers/main.yml b/roles/openshift_storage_nfs_lvm/handlers/main.yml index 52f3ceffe..9ce8b783d 100644 --- a/roles/openshift_storage_nfs_lvm/handlers/main.yml +++ b/roles/openshift_storage_nfs_lvm/handlers/main.yml @@ -1,3 +1,3 @@ --- - name: restart nfs - service: name=nfs-server state=restarted + systemd: name=nfs-server state=restarted diff --git a/roles/openshift_storage_nfs_lvm/meta/main.yml b/roles/openshift_storage_nfs_lvm/meta/main.yml index 62ea54883..bed1216f8 100644 --- a/roles/openshift_storage_nfs_lvm/meta/main.yml +++ b/roles/openshift_storage_nfs_lvm/meta/main.yml @@ -4,7 +4,7 @@ galaxy_info: description: Create LVM volumes and use them as openshift persistent volumes. company: Red Hat, Inc. license: license (Apache) - min_ansible_version: 1.4 + min_ansible_version: 2.2 platforms: - name: EL versions: diff --git a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml index fc8de1cb5..03f4fcec0 100644 --- a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml +++ b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml @@ -1,17 +1,26 @@ --- - name: Install NFS server - action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" + package: name=nfs-utils state=present when: not openshift.common.is_containerized | bool - + - name: Start rpcbind - service: name=rpcbind state=started enabled=yes + systemd: + name: rpcbind + state: started + enabled: yes - name: Start nfs - service: name=nfs-server state=started enabled=yes + systemd: + name: nfs-server + state: started + enabled: yes - name: Export the directories lineinfile: dest=/etc/exports regexp="^{{ osnl_mount_dir }}/{{ item }} " line="{{ osnl_mount_dir }}/{{ item }} {{osnl_nfs_export_options}}" - with_sequence: start={{osnl_volume_num_start}} count={{osnl_number_of_volumes}} format={{osnl_volume_prefix}}{{osnl_volume_size}}g%04d + with_sequence: + start: "{{osnl_volume_num_start}}" + count: "{{osnl_number_of_volumes}}" + format: "{{osnl_volume_prefix}}{{osnl_volume_size}}g%04d" notify: restart nfs diff --git a/roles/openshift_storage_nfs_lvm/templates/nfs.json.j2 b/roles/openshift_storage_nfs_lvm/templates/nfs.json.j2 index 0f3d84e75..3c4d2f56c 100644 --- a/roles/openshift_storage_nfs_lvm/templates/nfs.json.j2 +++ b/roles/openshift_storage_nfs_lvm/templates/nfs.json.j2 @@ -11,7 +11,7 @@ "capacity": { "storage": "{{ osnl_volume_size }}Gi" }, - "accessModes": [ "ReadWriteMany" ], + "accessModes": [ "ReadWriteOnce", "ReadWriteMany" ], "persistentVolumeReclaimPolicy": "Recycle", "nfs": { "Server": "{{ inventory_hostname }}", diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md index c6c70b81d..c13c5dfc9 100644 --- a/roles/os_firewall/README.md +++ b/roles/os_firewall/README.md @@ -7,7 +7,7 @@ case (Adding/Removing rules based on protocol and port number). Requirements ------------ -None. +Ansible 2.2 Role Variables -------------- @@ -31,7 +31,6 @@ Use iptables and open tcp ports 80 and 443: --- - hosts: servers vars: - os_firewall_use_firewalld: false os_firewall_allow: - service: httpd port: 80/tcp @@ -46,6 +45,7 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80: --- - hosts: servers vars: + os_firewall_use_firewalld: true os_firewall_allow: - service: https port: 443/tcp diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/os_firewall/library/os_firewall_manage_iptables.py index bd638b69b..37bb16f35 100755 --- a/roles/os_firewall/library/os_firewall_manage_iptables.py +++ b/roles/os_firewall/library/os_firewall_manage_iptables.py @@ -139,7 +139,7 @@ class IpTablesManager(object): # pylint: disable=too-many-instance-attributes output = check_output(cmd, stderr=subprocess.STDOUT) # break the input rules into rows and columns - input_rules = [s.split() for s in output.split('\n')] + input_rules = [s.split() for s in to_native(output).split('\n')] # Find the last numbered rule last_rule_num = None @@ -269,5 +269,6 @@ def main(): # pylint: disable=redefined-builtin, unused-wildcard-import, wildcard-import # import module snippets from ansible.module_utils.basic import * +from ansible.module_utils._text import to_native if __name__ == '__main__': main() diff --git a/roles/os_firewall/meta/main.yml b/roles/os_firewall/meta/main.yml index 6df7c9f2b..dca5fc5ff 100644 --- a/roles/os_firewall/meta/main.yml +++ b/roles/os_firewall/meta/main.yml @@ -4,13 +4,13 @@ galaxy_info: description: os_firewall company: Red Hat, Inc. license: Apache License, Version 2.0 - min_ansible_version: 1.7 + min_ansible_version: 2.2 platforms: - - name: EL - versions: - - 7 + - name: EL + versions: + - 7 categories: - - system + - system allow_duplicates: yes dependencies: -- { role: openshift_facts } + - role: openshift_facts diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml index 5ddca1fc0..1101870be 100644 --- a/roles/os_firewall/tasks/firewall/firewalld.yml +++ b/roles/os_firewall/tasks/firewall/firewalld.yml @@ -1,88 +1,45 @@ --- - name: Install firewalld packages - action: "{{ ansible_pkg_mgr }} name=firewalld state=present" + package: name=firewalld state=present when: not openshift.common.is_containerized | bool - register: install_result - -- name: Check if iptables-services is installed - command: rpm -q iptables-services - register: pkg_check - failed_when: pkg_check.rc > 1 - changed_when: no - name: Ensure iptables services are not enabled - service: + systemd: name: "{{ item }}" state: stopped enabled: no + masked: yes with_items: - - iptables - - ip6tables - when: pkg_check.rc == 0 - -- name: Reload systemd units - command: systemctl daemon-reload - when: install_result | changed - -- name: Determine if firewalld service masked - command: > - systemctl is-enabled firewalld - register: os_firewall_firewalld_masked_output - changed_when: false - failed_when: false - -- name: Unmask firewalld service - command: > - systemctl unmask firewalld - when: os_firewall_firewalld_masked_output.stdout == "masked" + - iptables + - ip6tables + register: task_result + failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" - name: Start and enable firewalld service - service: + systemd: name: firewalld state: started enabled: yes + masked: no + daemon_reload: yes register: result - name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail pause: seconds=10 when: result | changed -- name: Mask iptables services - command: systemctl mask "{{ item }}" - register: result - changed_when: "'iptables' in result.stdout" - with_items: - - iptables - - ip6tables - when: pkg_check.rc == 0 - ignore_errors: yes - -# TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for -# enabling rules and making them permanent with the immediate flag - name: Add firewalld allow rules firewalld: port: "{{ item.port }}" - permanent: false - state: enabled - with_items: "{{ os_firewall_allow }}" - -- name: Persist firewalld allow rules - firewalld: - port: "{{ item.port }}" permanent: true + immediate: true state: enabled with_items: "{{ os_firewall_allow }}" - name: Remove firewalld allow rules firewalld: port: "{{ item.port }}" - permanent: false - state: disabled - with_items: "{{ os_firewall_deny }}" - -- name: Persist removal of firewalld allow rules - firewalld: - port: "{{ item.port }}" permanent: true + immediate: true state: disabled with_items: "{{ os_firewall_deny }}" diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 470d4f4f9..930b32cf2 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml @@ -1,64 +1,28 @@ --- -- name: Check if firewalld is installed - command: rpm -q firewalld - args: - # Disables the following warning: - # Consider using yum, dnf or zypper module rather than running rpm - warn: no - register: pkg_check - failed_when: pkg_check.rc > 1 - changed_when: no - name: Ensure firewalld service is not enabled - service: + systemd: name: firewalld state: stopped enabled: no - when: pkg_check.rc == 0 - -# TODO: submit PR upstream to add mask/unmask to service module -- name: Mask firewalld service - command: systemctl mask firewalld - register: result - changed_when: "'firewalld' in result.stdout" - when: pkg_check.rc == 0 - ignore_errors: yes + masked: yes + register: task_result + failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" - name: Install iptables packages - action: "{{ ansible_pkg_mgr }} name={{ item }} state=present" + package: name={{ item }} state=present with_items: - - iptables - - iptables-services - register: install_result + - iptables + - iptables-services when: not openshift.common.is_atomic | bool -- name: Reload systemd units - command: systemctl daemon-reload - when: install_result | changed - -- name: Determine if iptables service masked - command: > - systemctl is-enabled {{ item }} - with_items: - - iptables - - ip6tables - register: os_firewall_iptables_masked_output - changed_when: false - failed_when: false - -- name: Unmask iptables service - command: > - systemctl unmask {{ item }} - with_items: - - iptables - - ip6tables - when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')" - - name: Start and enable iptables service - service: + systemd: name: iptables state: started enabled: yes + masked: no + daemon_reload: yes register: result - name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail diff --git a/roles/os_update_latest/tasks/main.yml b/roles/os_update_latest/tasks/main.yml index ff2b52275..6b5fd0106 100644 --- a/roles/os_update_latest/tasks/main.yml +++ b/roles/os_update_latest/tasks/main.yml @@ -1,3 +1,3 @@ --- - name: Update all packages - action: "{{ ansible_pkg_mgr }} name=* state=latest" + package: name=* state=latest |