Diffstat (limited to 'roles/etcd/tasks')
-rw-r--r-- | roles/etcd/tasks/etcdctl.yml | 12 | ||||
-rw-r--r-- | roles/etcd/tasks/firewall.yml | 40 | ||||
-rw-r--r-- | roles/etcd/tasks/main.yml | 14 | ||||
-rw-r--r-- | roles/etcd/tasks/system_container.yml | 62 |
4 files changed, 113 insertions, 15 deletions
diff --git a/roles/etcd/tasks/etcdctl.yml b/roles/etcd/tasks/etcdctl.yml
deleted file mode 100644
index 6cb456677..000000000
--- a/roles/etcd/tasks/etcdctl.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: Install etcd for etcdctl
- package: name=etcd{{ '-' + etcd_version if etcd_version is defined else '' }} state=present
- when: not openshift.common.is_atomic | bool
-
-- name: Configure etcd profile.d alises
- template:
- dest: "/etc/profile.d/etcdctl.sh"
- src: etcdctl.sh.j2
- mode: 0755
- owner: root
- group: root
diff --git a/roles/etcd/tasks/firewall.yml b/roles/etcd/tasks/firewall.yml
new file mode 100644
index 000000000..4d0f6290a
--- /dev/null
+++ b/roles/etcd/tasks/firewall.yml
@@ -0,0 +1,40 @@
+---
+- when: r_etcd_firewall_enabled | bool and not r_etcd_use_firewalld | bool
+ block:
+ - name: Add iptables allow rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: add
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_etcd_os_firewall_allow }}"
+
+ - name: Remove iptables rules
+ os_firewall_manage_iptables:
+ name: "{{ item.service }}"
+ action: remove
+ protocol: "{{ item.port.split('/')[1] }}"
+ port: "{{ item.port.split('/')[0] }}"
+ when: item.cond | default(True)
+ with_items: "{{ r_etcd_os_firewall_deny }}"
+
+- when: r_etcd_firewall_enabled | bool and r_etcd_use_firewalld | bool
+ block:
+ - name: Add firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: enabled
+ when: item.cond | default(True)
+ with_items: "{{ r_etcd_os_firewall_allow }}"
+
+ - name: Remove firewalld allow rules
+ firewalld:
+ port: "{{ item.port }}"
+ permanent: true
+ immediate: true
+ state: disabled
+ when: item.cond | default(True)
+ with_items: "{{ r_etcd_os_firewall_deny }}"
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 35117225b..78e543ef1 100644
--- a/roles/etcd/tasks/main.yml
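Review bot: In roles/etcd/tasks/firewall.yml the allow tasks in both blocks pass only a port (and, for iptables, a protocol) to `os_firewall_manage_iptables` and `firewalld`, with no source or zone restriction visible, so every entry in `r_etcd_os_firewall_allow` appears to be opened to any address that can reach the host. If that is intended, a comment above the first block such as `# Ports are opened to all sources; access to etcd then depends on its TLS client-certificate checks` would record the assumption for the next reader. The iptables tasks also index `item.port.split('/')[1]`, which presumably yields an undefined protocol for an entry written without a `/proto` suffix, so the expected `port/proto` form of the list items is worth stating in the same comment.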
+++ b/roles/etcd/tasks/main.yml @@ -6,10 +6,21 @@ etcd_hostname: "{{ etcd_hostname }}" etcd_ip: "{{ etcd_ip }}" +- name: setup firewall + include: firewall.yml + static: yes + - name: Install etcd package: name=etcd{{ '-' + etcd_version if etcd_version is defined else '' }} state=present when: not etcd_is_containerized | bool +- include_role: + name: etcd_common + vars: + r_etcd_common_action: drop_etcdctl + when: + - openshift_etcd_etcdctl_profile | default(true) | bool + - block: - name: Pull etcd container command: docker pull {{ openshift.etcd.etcd_image }} @@ -120,9 +131,6 @@ enabled: yes register: start_result -- include: etcdctl.yml - when: openshift_etcd_etcdctl_profile | default(true) | bool - - name: Set fact etcd_service_status_changed set_fact: etcd_service_status_changed: "{{ start_result | changed }}" diff --git a/roles/etcd/tasks/system_container.yml b/roles/etcd/tasks/system_container.yml index 72ffadbd2..e735bf50a 100644 --- a/roles/etcd/tasks/system_container.yml +++ b/roles/etcd/tasks/system_container.yml @@ -1,4 +1,7 @@ --- +- set_fact: + l_etcd_src_data_dir: "{{ '/var/lib/origin/openshift.local.etcd' if r_etcd_common_embedded_etcd | bool else '/var/lib/etcd/' }}" + - name: Pull etcd system container command: atomic pull --storage=ostree {{ openshift.etcd.etcd_image }} register: pull_result 
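Review bot: The added `include_role` task in the first main.yml hunk has no `name:`, so play output identifies it only by the role; something like `- name: Drop etcdctl profile` before `include_role:` would match the named tasks around it. It also now sits ahead of "Install etcd", whereas the `include: etcdctl.yml` removed in the following hunk ran after the service start, and whether `drop_etcdctl` in `etcd_common` needs etcd to be present already is not visible from here. `static: yes` would read more predictably as `static: true`.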
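Review bot: The two branches of `l_etcd_src_data_dir` in the system_container.yml `set_fact` are inconsistent: `'/var/lib/etcd/'` ends in a slash and `'/var/lib/origin/openshift.local.etcd'` does not, so the later `{{ l_etcd_src_data_dir }}/member` expands to `/var/lib/etcd//member`. That resolves to the same path, but dropping the trailing slash (`'/var/lib/etcd'`) keeps the paths passed to `stat` and `cp` clean. The task is also unnamed; `- name: Set etcd source data dir` would label it in the run log.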
@@ -15,6 +18,63 @@ {%- endif -%} {% endfor -%} +- name: Check etcd system container package + command: > + atomic containers list --no-trunc -a -f container=etcd -f backend=ostree + register: etcd_result + +- name: Unmask etcd service + systemd: + name: etcd + state: stopped + enabled: no + masked: no + daemon_reload: yes + register: task_result + failed_when: task_result|failed and 'could not' not in task_result.msg|lower + when: "'etcd' not in etcd_result.stdout" + +- name: Disable etcd_container + systemd: + name: etcd_container + state: stopped + enabled: no + daemon_reload: yes + register: task_result + failed_when: task_result|failed and 'could not' not in task_result.msg|lower + +- name: Remove etcd_container.service + file: + path: /etc/systemd/system/etcd_container.service + state: absent + +- name: Systemd reload configuration + systemd: name=etcd_container daemon_reload=yes + +- name: Check for previous etcd data store + stat: + path: "{{ l_etcd_src_data_dir }}/member/" + register: src_datastore + +- name: Check for etcd system container data store + stat: + path: "{{ r_etcd_common_system_container_host_dir }}/etcd.etcd/member" + register: dest_datastore + +- name: Ensure that etcd system container data dirs exist + file: path="{{ item }}" state=directory + with_items: + - "{{ r_etcd_common_system_container_host_dir }}/etc" + - "{{ r_etcd_common_system_container_host_dir }}/etcd.etcd" + +- name: Copy etcd data store + command: > + cp -a {{ l_etcd_src_data_dir }}/member + {{ r_etcd_common_system_container_host_dir }}/etcd.etcd/member + when: + - src_datastore.stat.exists + - not dest_datastore.stat.exists + - name: Install or Update Etcd system container package oc_atomic_container: name: etcd 
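Review bot: The `failed_when` on "Unmask etcd service" and "Disable etcd_container" ignores every failure whose message contains "could not", which presumably targets a missing unit but would equally hide a failed stop; "Copy etcd data store" could then run `cp -a` against a store that is still being written. Matching the specific not-found message, or checking the unit state before the copy, would make the intent explicit. The directories created by "Ensure that etcd system container data dirs exist" are given no `mode` or `owner`, so they take the default permissions even though they will hold etcd data and configuration; an explicit restrictive mode on that `file:` task (for example `mode=0700`, if the container user permits it) would avoid relying on the umask. "Check etcd system container package" is a read-only query and could carry `changed_when: false`.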
@@ -35,3 +95,5 @@ - ETCD_PEER_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt - ETCD_PEER_CERT_FILE={{ etcd_system_container_conf_dir }}/peer.crt - ETCD_PEER_KEY_FILE={{ etcd_system_container_conf_dir }}/peer.key + - ETCD_TRUSTED_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt + - ETCD_PEER_TRUSTED_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt |
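Review bot: `ETCD_TRUSTED_CA_FILE` and `ETCD_PEER_TRUSTED_CA_FILE` only name the CA used to verify certificates; etcd does not require a client or peer certificate unless `ETCD_CLIENT_CERT_AUTH=true` and `ETCD_PEER_CLIENT_CERT_AUTH=true` are also set. Neither variable appears in this hunk, and the values list starts above it, so it is worth confirming they are present there; otherwise add `- ETCD_CLIENT_CERT_AUTH=true` and `- ETCD_PEER_CLIENT_CERT_AUTH=true` next to the new lines. Both new entries point at the same `ca.crt`, so client and peer trust share one CA, and a short comment saying that is deliberate would help.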