9 files changed, 99 insertions, 66 deletions

diff --git a/playbooks/adhoc/openshift_hosted_logging_efk.yaml b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
new file mode 100644
index 000000000..a3121d046
--- /dev/null
+++ b/playbooks/adhoc/openshift_hosted_logging_efk.yaml
@@ -0,0 +1,6 @@
+---
+- hosts: masters[0]
+  roles:
+  - role: openshift_hosted_logging
+    openshift_hosted_logging_cleanup: no 
+
diff --git a/playbooks/common/openshift-cluster/upgrades/files/ensure_system_units_have_version.sh b/playbooks/common/openshift-cluster/upgrades/files/ensure_system_units_have_version.sh
deleted file mode 100644
index 239f43314..000000000
--- a/playbooks/common/openshift-cluster/upgrades/files/ensure_system_units_have_version.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/bin/bash
-set -e
-
-SERVICE_TYPE=$1
-DEPLOYMENT_TYPE=$2
-VERSION="v${3}"
-
-add_image_version_to_sysconfig () {
-    unit_name=$2
-    sysconfig_file=/etc/sysconfig/${unit_name}
-
-    if ! grep IMAGE_VERSION ${sysconfig_file}; then
-        sed -i "/CONFIG_FILE/a IMAGE_VERSION=${1}" ${sysconfig_file}
-    else
-        sed -i "s/\(IMAGE_VERSION=\).*/\1${1}/" ${sysconfig_file}
-    fi
-}
-
-add_image_version_to_unit () {
-    deployment_type=$1
-    unit_file=$2
-
-    if ! grep IMAGE_VERSION $unit_file; then
-        image_namespace="openshift/"
-        if [ $deployment_type == "atomic-enterprise" ]; then
-            image_namespace="aep3/"
-        elif [ $deployment_type == "openshift-enterprise" ]; then
-            image_namespace="openshift3/"
-        fi
-
-        sed -i "s|\(${image_namespace}[a-zA-Z0-9]\+\)|\1:\${IMAGE_VERSION}|" $unit_file
-    fi
-}
-
-for unit_file in $(ls /etc/systemd/system/${SERVICE_TYPE}*.service); do
-    unit_name=$(basename -s .service ${unit_file})
-    add_image_version_to_sysconfig $VERSION $unit_name
-    add_image_version_to_unit $DEPLOYMENT_TYPE $unit_file
-done
-
-if [ -e /etc/sysconfig/openvswitch ]; then
-    add_image_version_to_sysconfig $VERSION openvswitch
-else
-    echo IMAGE_VERSION=${VERSION} > /etc/sysconfig/openvswitch
-fi 
-if ! grep EnvironmentFile /etc/systemd/system/openvswitch.service > /dev/null; then
-    sed -i "/Service/a EnvironmentFile=/etc/sysconfig/openvswitch" /etc/systemd/system/openvswitch.service
-fi
-add_image_version_to_unit $DEPLOYMENT_TYPE /etc/systemd/system/openvswitch.service
-
-systemctl daemon-reload
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_upgrade.yml
index 696994688..cc587bfa1 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/containerized_upgrade.yml
@@ -1,8 +1,10 @@
-- name: Update system_units
-  script: ../files/ensure_system_units_have_version.sh {{ openshift.common.service_type }} {{ openshift.common.deployment_type }} {{ g_new_version }}
+- include_vars: ../../../../../roles/openshift_node/vars/main.yml
+
+- name: Update systemd units
+  include: ../../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version=g_aos_versions.avail_version
 
 - name: Verifying the correct version was configured
-  command: grep {{ verify_upgrade_version }} {{ item }}
+  shell: grep {{ verify_upgrade_version }} {{ item }}
   with_items:
     - /etc/sysconfig/openvswitch
     - /etc/sysconfig/{{ openshift.common.service_type }}*
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml
index 668a80996..6804de992 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/pre.yml
@@ -47,32 +47,39 @@
 
 - name: Verify upgrade can proceed
   hosts: oo_masters_to_config
-  vars:
-    openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+  roles:
+  - openshift_facts
   tasks:
   - name: Ensure Master is running
     service:
       name: "{{ openshift.common.service_type }}-master"
       state: started
       enabled: yes
-    when: not openshift_master_ha | bool and openshift.common.is_containerized | bool
+    when: openshift.master.ha is defined and not openshift.master.ha | bool and openshift.common.is_containerized | bool
 
   - name: Ensure HA Master is running
     service:
       name: "{{ openshift.common.service_type }}-master-api"
       state: started
       enabled: yes
-    when: openshift_master_ha | bool and openshift.common.is_containerized | bool
+    when: openshift.master.ha is defined and openshift.master.ha | bool and openshift.common.is_containerized | bool
 
   - name: Ensure HA Master is running
     service:
       name: "{{ openshift.common.service_type }}-master-controllers"
       state: started
       enabled: yes
-    when: openshift_master_ha | bool and openshift.common.is_containerized | bool
+    when: openshift.master.ha is defined and openshift.master.ha | bool and openshift.common.is_containerized | bool
+  post_tasks:
+  - openshift_facts:
+      role: master
+      local_facts:
+        ha: "{{ groups.oo_masters_to_config | length > 1 }}"
 
 - name: Verify upgrade can proceed
   hosts: oo_nodes_to_config
+  roles:
+  - openshift_facts
   tasks:
   - name: Ensure Node is running
     service:
@@ -85,6 +92,11 @@
   hosts: oo_masters_to_config:oo_nodes_to_config
   vars:
     target_version: "{{ '1.2' if deployment_type == 'origin' else '3.1.1.900' }}"
+    openshift_docker_hosted_registry_insecure: True
+    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.master.portal_net }}"
+  handlers:
+  - include: ../../../../../roles/openshift_master/handlers/main.yml
+  - include: ../../../../../roles/openshift_node/handlers/main.yml
   roles:
   - openshift_cli
   tasks:
@@ -130,9 +142,19 @@
       msg: Verifying the correct version was found
     when: verify_upgrade_version is defined and g_new_version != verify_upgrade_version
 
+  - include_vars: ../../../../../roles/openshift_master/vars/main.yml
+    when: inventory_hostname in groups.oo_masters_to_config
+
   - name: Update systemd units
-    script: ../files/ensure_system_units_have_version.sh {{ openshift.common.service_type }} {{ openshift.common.deployment_type }} {{ g_aos_versions.curr_version }}
-    when: openshift.common.is_containerized | bool
+    include: ../../../../../roles/openshift_master/tasks/systemd_units.yml openshift_version=g_aos_versions.curr_version
+    when: inventory_hostname in groups.oo_masters_to_config
+
+  - include_vars: ../../../../../roles/openshift_node/vars/main.yml
+    when: inventory_hostname in groups.oo_nodes_to_config
+
+  - name: Update systemd units
+    include: ../../../../../roles/openshift_node/tasks/systemd_units.yml openshift_version=g_aos_versions.curr_version
+    when: inventory_hostname in groups.oo_nodes_to_config
 
   # Note: the version number is hardcoded here in hopes of catching potential
   # bugs in how g_aos_versions.curr_version is set
@@ -143,6 +165,13 @@
       - /etc/sysconfig/{{ openshift.common.service_type }}*
     when: verify_upgrade_version is defined
 
+  - name: Verifying the image version is used in the systemd unit
+    shell: grep IMAGE_VERSION {{ item }}
+    with_items:
+      - /etc/systemd/system/openvswitch.service
+      - /etc/systemd/system/{{ openshift.common.service_type }}*.service
+    when: openshift.common.is_containerized | bool
+
   - fail:
       msg: This playbook requires Origin 1.1 or later
     when: deployment_type == 'origin' and g_aos_versions.curr_version | version_compare('1.1','<')
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
index d84d9f674..b393b64fe 100644
--- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
+++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/upgrade.yml
@@ -1,4 +1,33 @@
 ---
+# This is a workaround for authenticated registries
+- name: Download new images
+  hosts: oo_nodes_to_config
+  roles:
+  - openshift_facts
+  tasks:
+  - name: Pull Images
+    command: >
+      docker pull {{ item }}:v{{ g_new_version }}
+    with_items:
+    - "{{ openshift.node.node_image }}"
+    - "{{ openshift.node.ovs_image }}"
+    - "{{ openshift.common.pod_image }}"
+    - "{{ openshift.common.router_image }}"
+    - "{{ openshift.common.registry_image }}"
+    - "{{ openshift.common.deployer_image }}"
+
+# This is a workaround for authenticated registries
+- name: Download new images
+  hosts: oo_masters_to_config
+  roles:
+  - openshift_facts
+  tasks:
+  - name: Pull Images
+    command: >
+      docker pull {{ item }}:v{{ g_new_version }}
+    with_items:
+    - "{{ openshift.master.master_image }}"
+
 ###############################################################################
 # The restart playbook should be run after this playbook completes.
 ###############################################################################
@@ -16,14 +45,18 @@
 ###############################################################################
 - name: Upgrade master
   hosts: oo_masters_to_config
+  handlers:
+  - include: ../../../../../roles/openshift_master/handlers/main.yml
   roles:
   - openshift_facts
   tasks:
   - include: rpm_upgrade.yml component=master
     when: not openshift.common.is_containerized | bool
 
-  - include: containerized_upgrade.yml
-    when: openshift.common.is_containerized | bool
+  - include_vars: ../../../../../roles/openshift_master/vars/main.yml
+
+  - name: Update systemd units
+    include: ../../../../../roles/openshift_master/tasks/systemd_units.yml openshift_version=g_aos_versions.avail_version 
 
 #  - name: Upgrade master configuration
 #    openshift_upgrade_config:
@@ -63,6 +96,8 @@
   hosts: oo_nodes_to_config
   roles:
   - openshift_facts
+  handlers:
+  - include: ../../../../../roles/openshift_node/handlers/main.yml
   tasks:
   - include: rpm_upgrade.yml
     vars:
@@ -108,7 +143,8 @@
   vars:
     origin_reconcile_bindings: "{{ deployment_type == 'origin' and g_new_version | version_compare('1.0.6', '>') }}"
     ent_reconcile_bindings: true
-    openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}"
+    openshift_docker_hosted_registry_insecure: True
+    openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.master.portal_net }}"
   tasks:
   - name: Verifying the correct commandline tools are available
     shell: grep {{ verify_upgrade_version }} {{ openshift.common.admin_binary}}
diff --git a/playbooks/common/openshift-etcd/config.yml b/playbooks/common/openshift-etcd/config.yml
index 06fbd6862..2f07b2f51 100644
--- a/playbooks/common/openshift-etcd/config.yml
+++ b/playbooks/common/openshift-etcd/config.yml
@@ -103,7 +103,7 @@
       dest: "{{ etcd_cert_config_dir }}"
     when: etcd_server_certs_missing
   roles:
-  - etcd
+  - openshift_etcd
   - role: nickhammond.logrotate
 
 - name: Delete temporary directory on localhost
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 972427c53..f1eaf8e16 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -311,13 +311,14 @@
     file:
       path: "{{ named_certs_dir }}"
       state: directory
+      mode: 0700
     when: named_certs_specified | bool
   - name: Land named certificates
     copy: src="{{ item.certfile }}" dest="{{ named_certs_dir }}"
     with_items: openshift_master_named_certificates
     when: named_certs_specified | bool
   - name: Land named certificate keys
-    copy: src="{{ item.keyfile }}" dest="{{ named_certs_dir }}"
+    copy: src="{{ item.keyfile }}" dest="{{ named_certs_dir }}" mode=0600
     with_items: openshift_master_named_certificates
     when: named_certs_specified | bool
 
diff --git a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
index af774aa32..dd6a22cbe 100644
--- a/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
+++ b/playbooks/openstack/openshift-cluster/files/heat_stack.yaml
@@ -598,6 +598,10 @@ resources:
               template: |
                 #cloud-config
                 write_files:
+                  - path: /etc/sudoers.d/00-openshift-no-requiretty
+                    permissions: 440
+                    content: |
+                      Defaults:openshift !requiretty
                   - path: /etc/sysconfig/network-scripts/ifcfg-eth0
                     content: |
                       DEVICE="eth0"
diff --git a/playbooks/openstack/openshift-cluster/files/user-data b/playbooks/openstack/openshift-cluster/files/user-data
index e789a5b69..eb65f7cec 100644
--- a/playbooks/openstack/openshift-cluster/files/user-data
+++ b/playbooks/openstack/openshift-cluster/files/user-data
@@ -5,3 +5,9 @@ system_info:
   default_user:
     name: openshift
     sudo: ["ALL=(ALL) NOPASSWD: ALL"]
+
+write_files:
+  - path: /etc/sudoers.d/00-openshift-no-requiretty
+    permissions: 440
+    content: |
+      Defaults:openshift !requiretty