Diffstat (limited to 'roles/openshift_excluder')
-rw-r--r--roles/openshift_excluder/README.md53
-rw-r--r--roles/openshift_excluder/defaults/main.yml19
-rw-r--r--roles/openshift_excluder/meta/main.yml4
-rw-r--r--roles/openshift_excluder/tasks/disable.yml40
-rw-r--r--roles/openshift_excluder/tasks/enable.yml6
-rw-r--r--roles/openshift_excluder/tasks/exclude.yml25
-rw-r--r--roles/openshift_excluder/tasks/install.yml36
-rw-r--r--roles/openshift_excluder/tasks/main.yml38
-rw-r--r--roles/openshift_excluder/tasks/reset.yml12
-rw-r--r--roles/openshift_excluder/tasks/status.yml58
-rw-r--r--roles/openshift_excluder/tasks/unexclude.yml28
-rw-r--r--roles/openshift_excluder/tasks/verify_excluder.yml32
-rw-r--r--roles/openshift_excluder/tasks/verify_upgrade.yml12
13 files changed, 252 insertions, 111 deletions
diff --git a/roles/openshift_excluder/README.md b/roles/openshift_excluder/README.md
index 6c90b4e96..80cb88d45 100644
--- a/roles/openshift_excluder/README.md
+++ b/roles/openshift_excluder/README.md
@@ -1,36 +1,69 @@
OpenShift Excluder
-================
+==================
Manages the excluder packages which add yum and dnf exclusions ensuring that
-the packages we care about are not inadvertantly updated. See
+the packages we care about are not inadvertently updated. See
https://github.com/openshift/origin/tree/master/contrib/excluder
Requirements
------------
-openshift_facts
+None
-Facts
------
+Inventory Variables
+-------------------
-| Name | Default Value | Description |
------------------------------|---------------|----------------------------------------|
-| docker_excluder_enabled | none | Records the status of docker excluder |
-| openshift_excluder_enabled | none | Records the status of the openshift excluder |
+| Name | Default Value | Description |
+---------------------------------------|----------------------------|----------------------------------------|
+| openshift_enable_excluders | True | Enable all excluders |
+| openshift_enable_docker_excluder | openshift_enable_excluders | Enable docker excluder. If not set, the docker excluder is ignored. |
+| openshift_enable_openshift_excluder | openshift_enable_excluders | Enable openshift excluder. If not set, the openshift excluder is ignored. |
Role Variables
--------------
-None
+
+| Name | Default | Choices | Description |
+|-------------------------------------------|---------|-----------------|---------------------------------------------------------------------------|
+| r_openshift_excluder_action | enable | enable, disable | Action to perform when calling this role |
+| r_openshift_excluder_verify_upgrade | false | true, false | When upgrading, this variable should be set to true when calling the role |
+| r_openshift_excluder_package_state | present | present, latest | Use 'latest' to upgrade openshift_excluder package |
+| r_openshift_excluder_docker_package_state | present | present, latest | Use 'latest' to upgrade docker_excluder package |
+| r_openshift_excluder_service_type | None | | (Required) Defined as openshift.common.service_type e.g. atomic-openshift |
+| r_openshift_excluder_upgrade_target | None | | Required when r_openshift_excluder_verify_upgrade is true, defined as openshift_upgrade_target by Upgrade playbooks e.g. '3.6'|
Dependencies
------------
+- lib_utils
+
Example Playbook
----------------
+```yaml
+- name: Demonstrate OpenShift Excluder usage
+ hosts: oo_masters_to_config:oo_nodes_to_config
+ roles:
+ # Disable all excluders
+ - role: openshift_excluder
+ r_openshift_excluder_action: disable
+ r_openshift_excluder_service_type: "{{ openshift.common.service_type }}"
+ # Enable all excluders
+ - role: openshift_excluder
+ r_openshift_excluder_action: enable
+ r_openshift_excluder_service_type: "{{ openshift.common.service_type }}"
+ # Disable all excluders and verify appropriate excluder packages are available for upgrade
+ - role: openshift_excluder
+ r_openshift_excluder_action: disable
+ r_openshift_excluder_service_type: "{{ openshift.common.service_type }}"
+ r_openshift_excluder_verify_upgrade: true
+ r_openshift_excluder_upgrade_target: "{{ openshift_upgrade_target }}"
+ r_openshift_excluder_package_state: latest
+ r_openshift_excluder_docker_package_state: latest
+```
TODO
----
+
It should be possible to manage the two excluders independently though that's not a hard requirement. However it should be done to manage docker on RHEL Containerized hosts.
License
diff --git a/roles/openshift_excluder/defaults/main.yml b/roles/openshift_excluder/defaults/main.yml
new file mode 100644
index 000000000..d4f151142
--- /dev/null
+++ b/roles/openshift_excluder/defaults/main.yml
@@ -0,0 +1,19 @@
+---
+# keep the 'current' package or update to 'latest' if available?
+r_openshift_excluder_package_state: present
+r_openshift_excluder_docker_package_state: present
+
+# Legacy variables are included for backwards compatibility with v3.5
+# Inventory variables Legacy
+# openshift_enable_excluders enable_excluders
+# openshift_enable_openshift_excluder enable_openshift_excluder
+# openshift_enable_docker_excluder enable_docker_excluder
+r_openshift_excluder_enable_excluders: "{{ openshift_enable_excluders | default(enable_excluders) | default(true) }}"
+r_openshift_excluder_enable_openshift_excluder: "{{ openshift_enable_openshift_excluder | default(enable_openshift_excluder) | default(r_openshift_excluder_enable_excluders) }}"
+r_openshift_excluder_enable_docker_excluder: "{{ openshift_enable_docker_excluder | default(enable_docker_excluder) | default(r_openshift_excluder_enable_excluders) }}"
+
+# Default action when calling this role
+r_openshift_excluder_action: enable
+
+# When upgrading, this variable should be set to true when calling the role
+r_openshift_excluder_verify_upgrade: false
diff --git a/roles/openshift_excluder/meta/main.yml b/roles/openshift_excluder/meta/main.yml
index 8bca38e77..871081c19 100644
--- a/roles/openshift_excluder/meta/main.yml
+++ b/roles/openshift_excluder/meta/main.yml
@@ -1,7 +1,7 @@
---
galaxy_info:
author: Scott Dodson
- description: OpenShift Examples
+ description: OpenShift Excluder
company: Red Hat, Inc.
license: Apache License, Version 2.0
min_ansible_version: 2.2
@@ -12,4 +12,4 @@ galaxy_info:
categories:
- cloud
dependencies:
-- { role: openshift_facts }
+- role: lib_utils
diff --git a/roles/openshift_excluder/tasks/disable.yml b/roles/openshift_excluder/tasks/disable.yml
new file mode 100644
index 000000000..5add25b45
--- /dev/null
+++ b/roles/openshift_excluder/tasks/disable.yml
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_excluder_verify_upgrade
+ block:
+ - name: Include verify_upgrade.yml when upgrading
+ include: verify_upgrade.yml
+
+# unexclude the current openshift/origin-excluder if it is installed so it can be updated
+- name: Disable excluders before the upgrade to remove older excluding expressions
+ include: unexclude.yml
+ vars:
+ # before the docker excluder can be updated, it needs to be disabled
+ # to remove older excluded packages that are no longer excluded
+ unexclude_docker_excluder: "{{ r_openshift_excluder_enable_docker_excluder }}"
+ unexclude_openshift_excluder: "{{ r_openshift_excluder_enable_openshift_excluder }}"
+
+# Install any excluder that is enabled
+- name: Include install.yml
+ include: install.yml
+
+# And finally adjust an excluder in order to update host components correctly. First
+# exclude then unexclude
+- name: Include exclude.yml
+ include: exclude.yml
+ vars:
+ # Enable the docker excluder only if it is overridden
+ # BZ #1430612: docker excluders should be enabled even during installation and upgrade
+ exclude_docker_excluder: "{{ r_openshift_excluder_enable_docker_excluder }}"
+ # excluder is to be disabled by default
+ exclude_openshift_excluder: false
+
+# All excluders that are to be disabled are disabled
+- name: Include unexclude.yml
+ include: unexclude.yml
+ vars:
+ # If the docker override is not set, default to the generic behaviour
+ # BZ #1430612: docker excluders should be enabled even during installation and upgrade
+ unexclude_docker_excluder: false
+ # disable openshift excluder is never overridden to be enabled
+ # disable it if the docker excluder is enabled
+ unexclude_openshift_excluder: "{{ r_openshift_excluder_enable_openshift_excluder }}"
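Review bot: The `vars:` handed to the `Include exclude.yml` step (`exclude_docker_excluder` and `exclude_openshift_excluder: false`) appear to be dead. tasks/exclude.yml, as rewritten in this same commit, gates its tasks on `r_openshift_excluder_enable_docker_excluder` and `r_openshift_excluder_enable_openshift_excluder` and never reads the `exclude_*` names. The openshift excluder is therefore excluded and then unexcluded by the following include; the end state matches, but the comments describe behaviour the code does not implement. Either make exclude.yml honour the passed names, e.g. `- exclude_openshift_excluder | default(r_openshift_excluder_enable_openshift_excluder) | bool`, or drop the unused vars and their comments. Separately, the first `when: r_openshift_excluder_verify_upgrade` lacks the `| bool` that tasks/main.yml applies to the same variable.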
diff --git a/roles/openshift_excluder/tasks/enable.yml b/roles/openshift_excluder/tasks/enable.yml
new file mode 100644
index 000000000..fce44cfb5
--- /dev/null
+++ b/roles/openshift_excluder/tasks/enable.yml
@@ -0,0 +1,6 @@
+---
+- name: Install excluders
+ include: install.yml
+
+- name: Enable excluders
+ include: exclude.yml
diff --git a/roles/openshift_excluder/tasks/exclude.yml b/roles/openshift_excluder/tasks/exclude.yml
index 570183aef..1b4818df9 100644
--- a/roles/openshift_excluder/tasks/exclude.yml
+++ b/roles/openshift_excluder/tasks/exclude.yml
@@ -1,11 +1,22 @@
---
-- include: install.yml
- when: not openshift.common.is_containerized | bool
+- name: Check for docker-excluder
+ stat:
+ path: /sbin/{{ r_openshift_excluder_service_type }}-docker-excluder
+ register: docker_excluder_stat
- name: Enable docker excluder
- command: "{{ openshift.common.service_type }}-docker-excluder exclude"
- when: not openshift.common.is_containerized | bool
+ command: "/sbin/{{ r_openshift_excluder_service_type }}-docker-excluder exclude"
+ when:
+ - r_openshift_excluder_enable_docker_excluder | bool
+ - docker_excluder_stat.stat.exists
-- name: Enable excluder
- command: "{{ openshift.common.service_type }}-excluder exclude"
- when: not openshift.common.is_containerized | bool
+- name: Check for openshift excluder
+ stat:
+ path: /sbin/{{ r_openshift_excluder_service_type }}-excluder
+ register: openshift_excluder_stat
+
+- name: Enable openshift excluder
+ command: "/sbin/{{ r_openshift_excluder_service_type }}-excluder exclude"
+ when:
+ - r_openshift_excluder_enable_openshift_excluder | bool
+ - openshift_excluder_stat.stat.exists
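Review bot: Both `command` tasks are skipped silently when the binary under `/sbin` is missing, even if the matching `r_openshift_excluder_enable_*` flag is true. A host can then finish the role without the yum/dnf exclusions applied and with nothing in the output to show it. Because the excluders exist to stop packages being updated unintentionally, consider a `fail` (or at least a `debug`) task for `r_openshift_excluder_enable_docker_excluder | bool and not docker_excluder_stat.stat.exists`, and the same for the openshift excluder. If the skip is deliberate for hosts where the package is not installed, a comment such as `# excluder package not installed on this host: nothing to enable` would record that. tasks/unexclude.yml repeats the stat-then-skip pattern, where a missing binary is harmless.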
diff --git a/roles/openshift_excluder/tasks/install.yml b/roles/openshift_excluder/tasks/install.yml
index ee4cb2c05..3a866cedf 100644
--- a/roles/openshift_excluder/tasks/install.yml
+++ b/roles/openshift_excluder/tasks/install.yml
@@ -1,16 +1,24 @@
---
-- name: Install latest excluder
- package:
- name: "{{ openshift.common.service_type }}-excluder"
- state: latest
- when:
- - openshift_excluder_enabled | default(false) | bool
- - not openshift.common.is_containerized | bool
-- name: Install latest docker excluder
- package:
- name: "{{ openshift.common.service_type }}-excluder"
- state: latest
- when:
- - docker_excluder_enabled | default(false) | bool
- - not openshift.common.is_containerized | bool
+- when:
+ - not openshift.common.is_atomic | bool
+ - r_openshift_excluder_install_ran is not defined
+
+ block:
+
+ - name: Install docker excluder
+ package:
+ name: "{{ r_openshift_excluder_service_type }}-docker-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}"
+ state: "{{ r_openshift_excluder_docker_package_state }}"
+ when:
+ - r_openshift_excluder_enable_docker_excluder | bool
+
+ - name: Install openshift excluder
+ package:
+ name: "{{ r_openshift_excluder_service_type }}-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}"
+ state: "{{ r_openshift_excluder_package_state }}"
+ when:
+ - r_openshift_excluder_enable_openshift_excluder | bool
+
+ - set_fact:
+ r_openshift_excluder_install_ran: True
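Review bot: The block condition `not openshift.common.is_atomic | bool` still reads a fact under `openshift.common`, yet this commit removes the `openshift_facts` dependency in meta/main.yml and the README now lists Requirements as None. If the role runs on a host where that fact was never gathered, the condition presumably fails on an undefined variable. tasks/main.yml already skips the whole role when `/run/ostree-booted` exists, so the line looks redundant; it could be dropped or replaced with `- not ostree_booted.stat.exists | bool`. Also, once `r_openshift_excluder_install_ran` is set, a later call in the same run with `r_openshift_excluder_package_state: latest` skips this block, which seems to affect the third role call in the README example.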
diff --git a/roles/openshift_excluder/tasks/main.yml b/roles/openshift_excluder/tasks/main.yml
index 78a3d37cb..db20b4012 100644
--- a/roles/openshift_excluder/tasks/main.yml
+++ b/roles/openshift_excluder/tasks/main.yml
@@ -1,2 +1,38 @@
---
-include: status.yml
+- name: Detecting Atomic Host Operating System
+ stat:
+ path: /run/ostree-booted
+ register: ostree_booted
+
+- block:
+
+ - name: Debug r_openshift_excluder_enable_docker_excluder
+ debug:
+ var: r_openshift_excluder_enable_docker_excluder
+
+ - name: Debug r_openshift_excluder_enable_openshift_excluder
+ debug:
+ var: r_openshift_excluder_enable_openshift_excluder
+
+ - name: Fail if invalid openshift_excluder_action provided
+ fail:
+ msg: "openshift_excluder role can only be called with 'enable' or 'disable'"
+ when: r_openshift_excluder_action not in ['enable', 'disable']
+
+ - name: Fail if r_openshift_excluder_service_type is not defined
+ fail:
+ msg: "r_openshift_excluder_service_type must be specified for this role"
+ when: r_openshift_excluder_service_type is not defined
+
+ - name: Fail if r_openshift_excluder_upgrade_target is not defined
+ fail:
+ msg: "r_openshift_excluder_upgrade_target must be provided when using this role for upgrades"
+ when:
+ - r_openshift_excluder_verify_upgrade | bool
+ - r_openshift_excluder_upgrade_target is not defined
+
+ - name: Include main action task file
+ include: "{{ r_openshift_excluder_action }}.yml"
+
+ when:
+ - not ostree_booted.stat.exists | bool
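Review bot: `r_openshift_excluder_service_type` is only checked for being defined, yet exclude.yml and unexclude.yml interpolate it into the path they execute (`/sbin/{{ r_openshift_excluder_service_type }}-excluder`), and install.yml into the package names. An empty or malformed value passes this guard and only surfaces later as a skipped `stat` or an unclear package error. Consider requiring a plain package-name token, in the same filter style as the `version_compare` call in verify_excluder.yml: `when: r_openshift_excluder_service_type is not defined or not (r_openshift_excluder_service_type | match('^[a-z0-9-]+$'))`. The exact pattern is a suggestion and should be checked against the service types the playbooks actually pass.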
diff --git a/roles/openshift_excluder/tasks/reset.yml b/roles/openshift_excluder/tasks/reset.yml
deleted file mode 100644
index 486a23fd0..000000000
--- a/roles/openshift_excluder/tasks/reset.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: Enable docker excluder
- command: "{{ openshift.common.service_type }}-docker-excluder exclude"
- when:
- - docker_excluder_enabled | default(false) | bool
- - not openshift.common.is_containerized | bool
-
-- name: Enable excluder
- command: "{{ openshift.common.service_type }}-excluder exclude"
- when:
- - openshift_excluder_enabled | default(false) | bool
- - not openshift.common.is_containerized | bool
diff --git a/roles/openshift_excluder/tasks/status.yml b/roles/openshift_excluder/tasks/status.yml
deleted file mode 100644
index ef118d94c..000000000
--- a/roles/openshift_excluder/tasks/status.yml
+++ /dev/null
@@ -1,58 +0,0 @@
----
-# Latest versions of the excluders include a status function, old packages dont
-# So, if packages are installed, upgrade them to the latest so we get the status
-# If they're not installed when we should assume they're disabled
-
-- name: Determine if excluder packages are installed
- rpm_q:
- name: "{{ openshift.common.service_type }}-excluder"
- state: present
- register: openshift_excluder_installed
- failed_when: false
-
-- name: Determine if docker packages are installed
- rpm_q:
- name: "{{ openshift.common.service_type }}-excluder"
- state: present
- register: docker_excluder_installed
- failed_when: false
-
-- name: Update to latest excluder packages
- package:
- name: "{{ openshift.common.service_type }}-excluder"
- state: latest
- when:
- - "{{ openshift_excluder_installed.installed_versions | default([]) | length > 0 }}"
- - not openshift.common.is_containerized | bool
-
-- name: Update to the latest docker-excluder packages
- package:
- name: "{{ openshift.common.service_type }}-docker-excluder"
- state: latest
- when:
- - "{{ docker_excluder_installed.installed_versions | default([]) | length > 0 }}"
- - not openshift.common.is_containerized | bool
-
-- name: Record excluder status
- command: "{{ openshift.common.service_type }}-excluder"
- register: excluder_status
- when:
- - "{{ openshift_excluder_installed.installed_versions | default([]) | length > 0 }}"
- - not openshift.common.is_containerized | bool
- failed_when: false
-
-- name: Record docker excluder status
- command: "{{ openshift.common.service_type }}-docker-excluder"
- register: docker_excluder_status
- when:
- - "{{ docker_excluder_installed.installed_versions | default([]) | length > 0 }}"
- - not openshift.common.is_containerized | bool
- failed_when: false
-
-- name: Set excluder status facts
- set_fact:
- docker_excluder_enabled: "{{ 'false' if docker_excluder_status.rc | default(0) == 0 or docker_excluder_installed.installed_versions | default(0) | length == 0 else 'true' }}"
- openshift_excluder_enabled: "{{ 'false' if docker_excluder_status.rc | default(0) == 0 or openshift_excluder_installed.installed_versions | default(0) | length == 0 else 'true' }}"
-
-- debug: var=docker_excluder_enabled
-- debug: var=openshift_excluder_enabled
diff --git a/roles/openshift_excluder/tasks/unexclude.yml b/roles/openshift_excluder/tasks/unexclude.yml
index 38f0759aa..a68165bde 100644
--- a/roles/openshift_excluder/tasks/unexclude.yml
+++ b/roles/openshift_excluder/tasks/unexclude.yml
@@ -1,12 +1,26 @@
---
+# input variables:
+# - unexclude_docker_excluder
+# - unexclude_openshift_excluder
+
+- name: Check for docker-excluder
+ stat:
+ path: /sbin/{{ r_openshift_excluder_service_type }}-docker-excluder
+ register: docker_excluder_stat
+
- name: disable docker excluder
- command: "{{ openshift.common.service_type }}-docker-excluder unexclude"
+ command: "/sbin/{{ r_openshift_excluder_service_type }}-docker-excluder unexclude"
when:
- - docker_excluder_enabled | bool
- - not openshift.common.is_containerized | bool
+ - unexclude_docker_excluder | default(false) | bool
+ - docker_excluder_stat.stat.exists
+
+- name: Check for openshift excluder
+ stat:
+ path: /sbin/{{ r_openshift_excluder_service_type }}-excluder
+ register: openshift_excluder_stat
-- name: disable excluder
- command: "{{ openshift.common.service_type }}-excluder unexclude"
+- name: disable openshift excluder
+ command: "/sbin/{{ r_openshift_excluder_service_type }}-excluder unexclude"
when:
- - openshift_excluder_enabled | bool
- - not openshift.common.is_containerized | bool
+ - unexclude_openshift_excluder | default(false) | bool
+ - openshift_excluder_stat.stat.exists
diff --git a/roles/openshift_excluder/tasks/verify_excluder.yml b/roles/openshift_excluder/tasks/verify_excluder.yml
new file mode 100644
index 000000000..c35639c1b
--- /dev/null
+++ b/roles/openshift_excluder/tasks/verify_excluder.yml
@@ -0,0 +1,32 @@
+---
+# input variables:
+# - excluder
+- name: Get available excluder version
+ repoquery:
+ name: "{{ excluder }}"
+ ignore_excluders: true
+ register: repoquery_out
+
+- name: Fail when excluder package is not found
+ fail:
+ msg: "Package {{ excluder }} not found"
+ when: not repoquery_out.results.package_found
+
+- name: Set fact excluder_version
+ set_fact:
+ excluder_version: "{{ repoquery_out.results.versions.available_versions.0 }}"
+
+- name: "{{ excluder }} version detected"
+ debug:
+ msg: "{{ excluder }}: {{ excluder_version }}"
+
+- name: Printing upgrade target version
+ debug:
+ msg: "{{ r_openshift_excluder_upgrade_target }}"
+
+- name: Check the available {{ excluder }} version is at most of the upgrade target version
+ fail:
+ msg: "Available {{ excluder }} version {{ excluder_version }} is higher than the upgrade target version"
+ when:
+ - excluder_version != ''
+ - excluder_version.split('.')[0:2] | join('.') | version_compare(r_openshift_excluder_upgrade_target.split('.')[0:2] | join('.'), '>', strict=True)
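Review bot: The final condition calls `.split('.')` on `r_openshift_excluder_upgrade_target`, which only works when the value is a string; tasks/main.yml checks that it is defined but not its type. A target supplied as an unquoted YAML number would presumably fail here with a template error instead of a clear message, and a value like 3.10 would already have been read as 3.1. Add a header comment next to `# - excluder` stating that the target must be a quoted string such as '3.6', and use `(r_openshift_excluder_upgrade_target | string).split('.')` to make the assumption explicit. The failure message could also name the target: `msg: "Available {{ excluder }} version {{ excluder_version }} is higher than the upgrade target version {{ r_openshift_excluder_upgrade_target }}"`.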
diff --git a/roles/openshift_excluder/tasks/verify_upgrade.yml b/roles/openshift_excluder/tasks/verify_upgrade.yml
new file mode 100644
index 000000000..42026664a
--- /dev/null
+++ b/roles/openshift_excluder/tasks/verify_upgrade.yml
@@ -0,0 +1,12 @@
+---
+- name: Verify Docker Excluder version
+ include: verify_excluder.yml
+ vars:
+ excluder: "{{ r_openshift_excluder_service_type }}-docker-excluder"
+ when: r_openshift_excluder_enable_docker_excluder | bool
+
+- name: Verify OpenShift Excluder version
+ include: verify_excluder.yml
+ vars:
+ excluder: "{{ r_openshift_excluder_service_type }}-excluder"
+ when: r_openshift_excluder_enable_openshift_excluder | bool