14 files changed, 108 insertions, 67 deletions
diff --git a/playbooks/common/openshift-cluster/upgrades/files/openshift_container_versions.sh b/playbooks/common/openshift-cluster/upgrades/files/openshift_container_versions.sh
index 7a1edf38f..96944a78b 100644
--- a/playbooks/common/openshift-cluster/upgrades/files/openshift_container_versions.sh
+++ b/playbooks/common/openshift-cluster/upgrades/files/openshift_container_versions.sh
@@ -3,19 +3,19 @@
 # Here we don't really care if this is a master, api, controller or node image.
 # We just need to know the version of one of them.
 unit_file=$(ls /etc/systemd/system/${1}*.service | head -n1)
-installed_container_name=$(basename -s .service ${unit_file})
-installed=$(docker exec ${installed_container_name} openshift version 2> /dev/null | grep openshift | awk '{ print $2 }' | cut -f1 -d"-" | tr -d 'v')
 
 if [ ${1} == "origin" ]; then
     image_name="openshift/origin"
 elif grep aep $unit_file 2>&1 > /dev/null; then
-    image_name="aep3/aep"
+    image_name="aep3/node"
 elif grep openshift3 $unit_file 2>&1 > /dev/null; then
-    image_name="openshift3/ose"
+    image_name="openshift3/node"
 fi
 
+installed=$(docker run --rm --entrypoint=/bin/openshift ${image_name} version 2> /dev/null | grep openshift | awk '{ print $2 }' | cut -f1 -d"-" | tr -d 'v')
+
 docker pull ${image_name} 2>&1 > /dev/null
-available=$(docker run --rm ${image_name} version 2> /dev/null | grep openshift | awk '{ print $2 }' | cut -f1 -d"-" | tr -d 'v')
+available=$(docker run --rm --entrypoint=/bin/openshift ${image_name} version 2> /dev/null | grep openshift | awk '{ print $2 }' | cut -f1 -d"-" | tr -d 'v')
 
 echo "---"
 echo "curr_version: ${installed}"
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_0_minor/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
index 63c8ef756..5b2bf9f93 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_0_minor/upgrade.yml
@@ -36,16 +36,17 @@
 - name: Ensure AOS 3.0.2 or Origin 1.0.6
   hosts: oo_first_master
   tasks:
-    fail: This playbook requires Origin 1.0.6 or Atomic OpenShift 3.0.2 or later
+  - fail:
+      msg: "This playbook requires Origin 1.0.6 or Atomic OpenShift 3.0.2 or later"
     when: _new_version.stdout | version_compare('1.0.6','<') or ( _new_version.stdout | version_compare('3.0','>=' and _new_version.stdout | version_compare('3.0.2','<') )
 
 - name: Update cluster policy
   hosts: oo_first_master
   tasks:
-    - name: oadm policy reconcile-cluster-roles --confirm
+    - name: oadm policy reconcile-cluster-roles --additive-only=true --confirm
       command: >
         {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
-        policy reconcile-cluster-roles --confirm
+        policy reconcile-cluster-roles --additive-only=true --confirm
 
 - name: Upgrade default router
   hosts: oo_first_master
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
index 31ba8c4a9..a72749a2b 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_0_to_v3_1/upgrade.yml
@@ -490,7 +490,7 @@
   - name: Reconcile Cluster Roles
     command: >
       {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
-      policy reconcile-cluster-roles --confirm
+      policy reconcile-cluster-roles --additive-only=true --confirm
     run_once: true
 
   - name: Reconcile Cluster Role Bindings
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_minor/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_minor/upgrade.yml
index 54bb251f7..5e62b43a3 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_minor/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_minor/upgrade.yml
@@ -103,7 +103,7 @@
   - name: Reconcile Cluster Roles
     command: >
       {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
-      policy reconcile-cluster-roles --confirm
+      policy reconcile-cluster-roles --additive-only=true --confirm
     run_once: true
 
   - name: Reconcile Cluster Role Bindings
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2 b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2
new file mode 120000
index 000000000..cf20e8959
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/atomic-openshift-master.j2
@@ -0,0 +1 @@
+../../../../../roles/openshift_master/templates/atomic-openshift-master.j2
+\ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_upgrade.yml
index cc587bfa1..319758a06 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_upgrade.yml
@@ -1,7 +1,7 @@
 - include_vars: ../../../../../roles/openshift_node/vars/main.yml
 
 - name: Update systemd units
-  include: ../../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version=g_aos_versions.avail_version
+  include: ../../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version=v{{ g_new_version }}
 
 - name: Verifying the correct version was configured
   shell: grep {{ verify_upgrade_version }} {{ item }}
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker
new file mode 120000
index 000000000..5a3dd12b3
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker
@@ -0,0 +1 @@
+../../../../../roles/openshift_master/templates/docker
+\ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster
new file mode 120000
index 000000000..3ee319365
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/docker-cluster
@@ -0,0 +1 @@
+../../../../../roles/openshift_master/templates/docker-cluster
+\ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster
new file mode 120000
index 000000000..f44f8eb4f
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/native-cluster
@@ -0,0 +1 @@
+../../../../../roles/openshift_master/templates/native-cluster
+\ No newline at end of file
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/node_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/node_upgrade.yml
new file mode 100644
index 000000000..a911f12be
--- /dev/null
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/node_upgrade.yml
@@ -0,0 +1,24 @@
+- name: Prepare for Node evacuation
+  command: >
+    {{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=false
+  delegate_to: "{{ groups.oo_first_master.0 }}"
+
+- name: Evacuate Node for Kubelet upgrade
+  command: >
+    {{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --evacuate --force
+  delegate_to: "{{ groups.oo_first_master.0 }}"
+
+- include: rpm_upgrade.yml
+  vars:
+     component: "node"
+     openshift_version: "{{ openshift_pkg_version | default('') }}"
+  when: not openshift.common.is_containerized | bool
+
+- include: containerized_upgrade.yml
+  when: openshift.common.is_containerized | bool
+
+- name: Set node schedulability
+  command: >
+    {{ openshift.common.admin_binary }} manage-node {{ openshift.common.hostname | lower }} --schedulable=true
+  delegate_to: "{{ groups.oo_first_master.0 }}"
+  when: openshift.node.schedulable | bool
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml
index 3fd97ac14..12e2edfb9 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml
@@ -10,6 +10,7 @@
     router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) | replace ( '${version}', 'v' + g_new_version ) }}"
     oc_cmd: "{{ openshift.common.client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig"
   roles:
+  - openshift_manageiq
   # Create the new templates shipped in 3.2, existing templates are left
   # unmodified. This prevents the subsequent role definition for
   # openshift_examples from failing when trying to replace templates that do
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml
index d6abeb345..dd9843290 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml
@@ -2,10 +2,11 @@
 ###############################################################################
 # Evaluate host groups and gather facts
 ###############################################################################
-- name: Load openshift_facts
+- name: Load openshift_facts and update repos
   hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config:oo_lb_to_config
   roles:
   - openshift_facts
+  - openshift_repos
 
 - name: Evaluate additional groups for upgrade
   hosts: localhost
@@ -25,6 +26,7 @@
   hosts: oo_first_master
   vars:
     target_version: "{{ '1.2' if deployment_type == 'origin' else '3.1.1.900' }}"
+    g_pacemaker_upgrade_url_segment: "{{ 'org/latest' if deployment_type =='origin' else '.com/enterprise/3.1' }}"
   gather_facts: no
   tasks:
   - fail:
@@ -35,6 +37,12 @@
 
   - fail:
       msg: >
+        This upgrade does not support Pacemaker:
+        https://docs.openshift.{{ g_pacemaker_upgrade_url_segment }}/install_config/upgrading/pacemaker_to_native_ha.html
+    when: openshift.master.cluster_method is defined and openshift.master.cluster_method == 'pacemaker'
+
+  - fail:
+      msg: >
         openshift_pkg_version is {{ openshift_pkg_version }} which is not a
         valid version for a {{ target_version }} upgrade
     when: openshift_pkg_version is defined and openshift_pkg_version.split('-',1).1 | version_compare(target_version ,'<')
@@ -50,6 +58,11 @@
   roles:
   - openshift_facts
   tasks:
+  - openshift_facts:
+      role: master
+      local_facts:
+        ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+
   - name: Ensure Master is running
     service:
       name: "{{ openshift.common.service_type }}-master"
@@ -87,14 +100,18 @@
   hosts: oo_masters_to_config:oo_nodes_to_config
   vars:
     target_version: "{{ '1.2' if deployment_type == 'origin' else '3.1.1.900' }}"
-    openshift_docker_hosted_registry_insecure: True
-    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.master.portal_net }}"
+    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+    upgrading: True
   handlers:
   - include: ../../../../../roles/openshift_master/handlers/main.yml
   - include: ../../../../../roles/openshift_node/handlers/main.yml
   roles:
-  - openshift_cli
-  tasks:
+  # We want the cli role to evaluate so that the containerized oc/oadm wrappers
+  # are modified to use the correct image tag.  However, this can trigger a
+  # docker restart if new configuration is laid down which would immediately
+  # pull the latest image and defeat the purpose of these tasks.
+  - { role: openshift_cli }
+  pre_tasks:
   - name: Clean package cache
     command: "{{ ansible_pkg_mgr }} clean all"
     when: not openshift.common.is_atomic | bool
@@ -135,20 +152,24 @@
 
   - fail:
       msg: Verifying the correct version was found
+    when: g_aos_versions.curr_version == ""
+
+  - fail:
+      msg: Verifying the correct version was found
     when: verify_upgrade_version is defined and g_new_version != verify_upgrade_version
 
   - include_vars: ../../../../../roles/openshift_master/vars/main.yml
     when: inventory_hostname in groups.oo_masters_to_config
 
   - name: Update systemd units
-    include: ../../../../../roles/openshift_master/tasks/systemd_units.yml openshift_version=g_aos_versions.curr_version
+    include: ../../../../../roles/openshift_master/tasks/systemd_units.yml openshift_version=v{{ g_new_version }}
     when: inventory_hostname in groups.oo_masters_to_config
 
   - include_vars: ../../../../../roles/openshift_node/vars/main.yml
     when: inventory_hostname in groups.oo_nodes_to_config
 
   - name: Update systemd units
-    include: ../../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version=g_aos_versions.curr_version
+    include: ../../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version=v{{ g_new_version }}
     when: inventory_hostname in groups.oo_nodes_to_config
 
   # Note: the version number is hardcoded here in hopes of catching potential
@@ -199,8 +220,7 @@
 
   - fail:
       msg: This playbook requires access to Docker 1.9 or later
-    when: not openshift.common.is_atomic | bool
-          and (g_docker_version.avail_version | default(g_docker_version.curr_version, true) | version_compare('1.9','<'))
+    when: g_docker_version.avail_version | default(g_docker_version.curr_version, true) | version_compare('1.9','<')
 
   # TODO: add check to upgrade ostree to get latest Docker
 
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml
index 7a2718e1b..5c96ad094 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/rpm_upgrade.yml
@@ -4,3 +4,6 @@
 - name: Ensure python-yaml present for config upgrade
   action: "{{ ansible_pkg_mgr }} name=PyYAML state=present"
   when: not openshift.common.is_atomic | bool
+
+- name: Restart node service
+  service: name="{{ openshift.common.service_type }}-node" state=restarted
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
index b393b64fe..c93bf2a17 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
@@ -1,33 +1,4 @@
 ---
-# This is a workaround for authenticated registries
-- name: Download new images
-  hosts: oo_nodes_to_config
-  roles:
-  - openshift_facts
-  tasks:
-  - name: Pull Images
-    command: >
-      docker pull {{ item }}:v{{ g_new_version }}
-    with_items:
-    - "{{ openshift.node.node_image }}"
-    - "{{ openshift.node.ovs_image }}"
-    - "{{ openshift.common.pod_image }}"
-    - "{{ openshift.common.router_image }}"
-    - "{{ openshift.common.registry_image }}"
-    - "{{ openshift.common.deployer_image }}"
-
-# This is a workaround for authenticated registries
-- name: Download new images
-  hosts: oo_masters_to_config
-  roles:
-  - openshift_facts
-  tasks:
-  - name: Pull Images
-    command: >
-      docker pull {{ item }}:v{{ g_new_version }}
-    with_items:
-    - "{{ openshift.master.master_image }}"
-
 ###############################################################################
 # The restart playbook should be run after this playbook completes.
 ###############################################################################
@@ -39,6 +10,32 @@
   tasks:
   - include: docker_upgrade.yml
     when: not openshift.common.is_atomic | bool
+  - name: Set post docker install facts
+    openshift_facts:
+      role: "{{ item.role }}"
+      local_facts: "{{ item.local_facts }}"
+    with_items:
+    - role: docker
+      local_facts:
+        openshift_image_tag: "v{{ g_new_version }}"
+        openshift_version: "{{ g_new_version }}"
+
+# The cli image is used by openshift_docker_facts to determine the currently installed
+# version.  We need to explicitly pull the latest image to handle cases where
+# the locally cached 'latest' tag is older the g_new_version.
+- name: Download cli image
+  hosts: oo_masters_to_config:oo_nodes_to_config
+  roles:
+  - { role: openshift_docker_facts }
+  vars:
+    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+  tasks:
+  - name: Pull Images
+    command: >
+      docker pull {{ item }}:latest
+    with_items:
+    - "{{ openshift.common.cli_image }}"
+    when: openshift.common.is_containerized | bool
 
 ###############################################################################
 # Upgrade Masters
@@ -56,7 +53,7 @@
   - include_vars: ../../../../../roles/openshift_master/vars/main.yml
 
   - name: Update systemd units
-    include: ../../../../../roles/openshift_master/tasks/systemd_units.yml openshift_version=g_aos_versions.avail_version 
+    include: ../../../../../roles/openshift_master/tasks/systemd_units.yml openshift_version=v{{ g_new_version }}
 
 #  - name: Upgrade master configuration
 #    openshift_upgrade_config:
@@ -94,23 +91,13 @@
 ###############################################################################
 - name: Upgrade nodes
   hosts: oo_nodes_to_config
+  serial: 1
   roles:
   - openshift_facts
   handlers:
   - include: ../../../../../roles/openshift_node/handlers/main.yml
   tasks:
-  - include: rpm_upgrade.yml
-    vars:
-       component: "node"
-       openshift_version: "{{ openshift_pkg_version | default('') }}"
-    when: not openshift.common.is_containerized | bool
-
-  - include: containerized_upgrade.yml
-    when: openshift.common.is_containerized | bool
-
-  # This will restart the node
-  - name: Restart openvswitch service
-    service: name="{{ openshift.common.service_type }}-node" state=restarted
+  - include: node_upgrade.yml
 
   - set_fact:
       node_update_complete: True
@@ -136,15 +123,16 @@
 ###############################################################################
 # Reconcile Cluster Roles, Cluster Role Bindings and Security Context Constraints
 ###############################################################################
+
 - name: Reconcile Cluster Roles and Cluster Role Bindings and Security Context Constraints
   hosts: oo_masters_to_config
   roles:
-  - { role: openshift_cli, openshift_image_tag: "v{{ g_new_version }}"  }
+  - { role: openshift_cli, openshift_image_tag: "v{{ g_new_version }}" }
   vars:
     origin_reconcile_bindings: "{{ deployment_type == 'origin' and g_new_version | version_compare('1.0.6', '>') }}"
     ent_reconcile_bindings: true
-    openshift_docker_hosted_registry_insecure: True
-    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.master.portal_net }}"
+    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}"
+    upgrading: True
   tasks:
   - name: Verifying the correct commandline tools are available
     shell: grep {{ verify_upgrade_version }} {{ openshift.common.admin_binary}}
@@ -153,7 +141,7 @@
   - name: Reconcile Cluster Roles
     command: >
       {{ openshift.common.admin_binary}} --config={{ openshift.common.config_base }}/master/admin.kubeconfig
-      policy reconcile-cluster-roles --confirm
+      policy reconcile-cluster-roles --additive-only=true --confirm
     run_once: true
 
   - name: Reconcile Cluster Role Bindings
@@ -170,7 +158,7 @@
 
   - name: Reconcile Security Context Constraints
     command: >
-      {{ openshift.common.admin_binary}} policy reconcile-sccs --confirm
+      {{ openshift.common.admin_binary}} policy reconcile-sccs --confirm --additive-only=true
     run_once: true
 
   - set_fact: