Diffstat (limited to 'roles/openshift_excluder')
-rw-r--r-- | roles/openshift_excluder/README.md | 53 | ||||
-rw-r--r-- | roles/openshift_excluder/defaults/main.yml | 19 | ||||
-rw-r--r-- | roles/openshift_excluder/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/disable.yml | 40 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/enable.yml | 6 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/exclude.yml | 25 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/install.yml | 36 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/main.yml | 38 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/reset.yml | 12 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/status.yml | 58 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/unexclude.yml | 28 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/verify_excluder.yml | 32 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/verify_upgrade.yml | 12 |
13 files changed, 252 insertions, 111 deletions
diff --git a/roles/openshift_excluder/README.md b/roles/openshift_excluder/README.md
index 6c90b4e96..80cb88d45 100644
--- a/roles/openshift_excluder/README.md
+++ b/roles/openshift_excluder/README.md
@@ -1,36 +1,69 @@ OpenShift Excluder -================ +================== Manages the excluder packages which add yum and dnf exclusions ensuring that -the packages we care about are not inadvertantly updated. See +the packages we care about are not inadvertently updated. See https://github.com/openshift/origin/tree/master/contrib/excluder Requirements ------------ -openshift_facts +None -Facts ------ +Inventory Variables +------------------- -| Name | Default Value | Description | ------------------------------|---------------|----------------------------------------| -| docker_excluder_enabled | none | Records the status of docker excluder | -| openshift_excluder_enabled | none | Records the status of the openshift excluder | +| Name | Default Value | Description | +---------------------------------------|----------------------------|----------------------------------------| +| openshift_enable_excluders | True | Enable all excluders | +| openshift_enable_docker_excluder | openshift_enable_excluders | Enable docker excluder. If not set, the docker excluder is ignored. | +| openshift_enable_openshift_excluder | openshift_enable_excluders | Enable openshift excluder. If not set, the openshift excluder is ignored. 
| Role Variables -------------- -None + +| Name | Default | Choices | Description | +|-------------------------------------------|---------|-----------------|---------------------------------------------------------------------------| +| r_openshift_excluder_action | enable | enable, disable | Action to perform when calling this role | +| r_openshift_excluder_verify_upgrade | false | true, false | When upgrading, this variable should be set to true when calling the role | +| r_openshift_excluder_package_state | present | present, latest | Use 'latest' to upgrade openshift_excluder package | +| r_openshift_excluder_docker_package_state | present | present, latest | Use 'latest' to upgrade docker_excluder package | +| r_openshift_excluder_service_type | None | | (Required) Defined as openshift.common.service_type e.g. atomic-openshift | +| r_openshift_excluder_upgrade_target | None | | Required when r_openshift_excluder_verify_upgrade is true, defined as openshift_upgrade_target by Upgrade playbooks e.g. 
'3.6'| Dependencies ------------ +- lib_utils + Example Playbook ---------------- +```yaml +- name: Demonstrate OpenShift Excluder usage + hosts: oo_masters_to_config:oo_nodes_to_config + roles: + # Disable all excluders + - role: openshift_excluder + r_openshift_excluder_action: disable + r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" + # Enable all excluders + - role: openshift_excluder + r_openshift_excluder_action: enable + r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" + # Disable all excluders and verify appropriate excluder packages are available for upgrade + - role: openshift_excluder + r_openshift_excluder_action: disable + r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" + r_openshift_excluder_verify_upgrade: true + r_openshift_excluder_upgrade_target: "{{ openshift_upgrade_target }}" + r_openshift_excluder_package_state: latest + r_openshift_excluder_docker_package_state: latest +``` TODO ---- + It should be possible to manage the two excluders independently though that's not a hard requirement. However it should be done to manage docker on RHEL Containerized hosts. License diff --git a/roles/openshift_excluder/defaults/main.yml b/roles/openshift_excluder/defaults/main.yml new file mode 100644 index 000000000..d4f151142 --- /dev/null +++ b/roles/openshift_excluder/defaults/main.yml 
@@ -0,0 +1,19 @@ +--- +# keep the 'current' package or update to 'latest' if available? +r_openshift_excluder_package_state: present +r_openshift_excluder_docker_package_state: present + +# Legacy variables are included for backwards compatibility with v3.5 +# Inventory variables Legacy +# openshift_enable_excluders enable_excluders +# openshift_enable_openshift_excluder enable_openshift_excluder +# openshift_enable_docker_excluder enable_docker_excluder +r_openshift_excluder_enable_excluders: "{{ openshift_enable_excluders | default(enable_excluders) | default(true) }}" +r_openshift_excluder_enable_openshift_excluder: "{{ openshift_enable_openshift_excluder | default(enable_openshift_excluder) | default(r_openshift_excluder_enable_excluders) }}" +r_openshift_excluder_enable_docker_excluder: "{{ openshift_enable_docker_excluder | default(enable_docker_excluder) | default(r_openshift_excluder_enable_excluders) }}" + +# Default action when calling this role +r_openshift_excluder_action: enable + +# When upgrading, this variable should be set to true when calling the role +r_openshift_excluder_verify_upgrade: false diff --git a/roles/openshift_excluder/meta/main.yml b/roles/openshift_excluder/meta/main.yml index 8bca38e77..871081c19 100644 --- a/roles/openshift_excluder/meta/main.yml +++ b/roles/openshift_excluder/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: author: Scott Dodson - description: OpenShift Examples + description: OpenShift Excluder company: Red Hat, Inc. license: Apache License, Version 2.0 min_ansible_version: 2.2 @@ -12,4 +12,4 @@ galaxy_info: categories: - cloud dependencies: -- { role: openshift_facts } +- role: lib_utils diff --git a/roles/openshift_excluder/tasks/disable.yml b/roles/openshift_excluder/tasks/disable.yml new file mode 100644 index 000000000..5add25b45 --- /dev/null +++ b/roles/openshift_excluder/tasks/disable.yml 
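Review bot: Dropping `openshift_facts` from `dependencies` in the second meta/main.yml hunk leaves tasks/install.yml, as changed in this same commit, still evaluating `not openshift.common.is_atomic | bool`, so the role now depends on some caller having populated the `openshift` facts first. tasks/main.yml already gates the whole role on `/run/ostree-booted`, which appears to cover the same case, so the install.yml condition could be removed or replaced with `not ostree_booted.stat.exists`. That would also make the README's "Requirements: None" accurate; if the reliance on `openshift` facts is deliberate, the README should list it as a requirement.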
@@ -0,0 +1,40 @@
+---
+- when: r_openshift_excluder_verify_upgrade
+ block:
+ - name: Include verify_upgrade.yml when upgrading
+ include: verify_upgrade.yml
+
+# unexclude the current openshift/origin-excluder if it is installed so it can be updated
+- name: Disable excluders before the upgrade to remove older excluding expressions
+ include: unexclude.yml
+ vars:
+ # before the docker excluder can be updated, it needs to be disabled
+ # to remove older excluded packages that are no longer excluded
+ unexclude_docker_excluder: "{{ r_openshift_excluder_enable_docker_excluder }}"
+ unexclude_openshift_excluder: "{{ r_openshift_excluder_enable_openshift_excluder }}"
+
+# Install any excluder that is enabled
+- name: Include install.yml
+ include: install.yml
+
+# And finally adjust an excluder in order to update host components correctly. First
+# exclude then unexclude
+- name: Include exclude.yml
+ include: exclude.yml
+ vars:
+ # Enable the docker excluder only if it is overridden
+ # BZ #1430612: docker excluders should be enabled even during installation and upgrade
+ exclude_docker_excluder: "{{ r_openshift_excluder_enable_docker_excluder }}"
+ # excluder is to be disabled by default
+ exclude_openshift_excluder: false
+
+# All excluders that are to be disabled are disabled
+- name: Include unexclude.yml
+ include: unexclude.yml
+ vars:
+ # If the docker override is not set, default to the generic behaviour
+ # BZ #1430612: docker excluders should be enabled even during installation and upgrade
+ unexclude_docker_excluder: false
+ # disable openshift excluder is never overridden to be enabled
+ # disable it if the docker excluder is enabled
+ unexclude_openshift_excluder: "{{ r_openshift_excluder_enable_openshift_excluder }}"
diff --git a/roles/openshift_excluder/tasks/enable.yml b/roles/openshift_excluder/tasks/enable.yml
new file mode 100644
index 000000000..fce44cfb5
--- /dev/null
+++ b/roles/openshift_excluder/tasks/enable.yml
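Review bot: The `vars` handed to the `Include exclude.yml` task in disable.yml (`exclude_docker_excluder` and `exclude_openshift_excluder: false`) are never read, because tasks/exclude.yml on the new side conditions only on `r_openshift_excluder_enable_docker_excluder` and `r_openshift_excluder_enable_openshift_excluder`. The comment "excluder is to be disabled by default" therefore does not hold at that step: the openshift excluder is excluded there and only unexcluded again by the final include, so the intended end state depends on that last task running. Either have exclude.yml honour the two variables, e.g. `- exclude_openshift_excluder | default(r_openshift_excluder_enable_openshift_excluder) | bool`, or drop the unused vars and correct the comments. Separately, the opening `when: r_openshift_excluder_verify_upgrade` lacks the `| bool` that main.yml applies to the same variable.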
@@ -0,0 +1,6 @@ +--- +- name: Install excluders + include: install.yml + +- name: Enable excluders + include: exclude.yml diff --git a/roles/openshift_excluder/tasks/exclude.yml b/roles/openshift_excluder/tasks/exclude.yml index 570183aef..1b4818df9 100644 --- a/roles/openshift_excluder/tasks/exclude.yml +++ b/roles/openshift_excluder/tasks/exclude.yml @@ -1,11 +1,22 @@ --- -- include: install.yml - when: not openshift.common.is_containerized | bool +- name: Check for docker-excluder + stat: + path: /sbin/{{ r_openshift_excluder_service_type }}-docker-excluder + register: docker_excluder_stat - name: Enable docker excluder - command: "{{ openshift.common.service_type }}-docker-excluder exclude" - when: not openshift.common.is_containerized | bool + command: "/sbin/{{ r_openshift_excluder_service_type }}-docker-excluder exclude" + when: + - r_openshift_excluder_enable_docker_excluder | bool + - docker_excluder_stat.stat.exists -- name: Enable excluder - command: "{{ openshift.common.service_type }}-excluder exclude" - when: not openshift.common.is_containerized | bool +- name: Check for openshift excluder + stat: + path: /sbin/{{ r_openshift_excluder_service_type }}-excluder + register: openshift_excluder_stat + +- name: Enable openshift excluder + command: "/sbin/{{ r_openshift_excluder_service_type }}-excluder exclude" + when: + - r_openshift_excluder_enable_openshift_excluder | bool + - openshift_excluder_stat.stat.exists diff --git a/roles/openshift_excluder/tasks/install.yml b/roles/openshift_excluder/tasks/install.yml index ee4cb2c05..3a866cedf 100644 --- a/roles/openshift_excluder/tasks/install.yml +++ b/roles/openshift_excluder/tasks/install.yml 
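Review bot: Both `command` tasks in exclude.yml are skipped without any message when the preceding `stat` finds no binary, so a host with an excluder enabled but not installed finishes the play with no yum/dnf exclusions in place and nothing in the output to show it. In both enable.yml and disable.yml this file is included after install.yml, so a missing `/sbin/...-excluder` at this point most likely means the install was skipped or failed; a `fail` (or at least a `debug` warning) for the enabled-but-missing case would surface it, as sketched below for the docker excluder and likewise for the openshift one. The same stat-then-skip pattern is in the unexclude.yml hunk, where skipping is easier to justify because disable.yml includes it before install.yml. The `command` tasks also report changed on every run, so a `changed_when` would keep run reports meaningful.

```yaml
# … unchanged: "Check for docker-excluder" stat task …
- name: Fail if docker excluder is enabled but not installed
  fail:
    msg: "/sbin/{{ r_openshift_excluder_service_type }}-docker-excluder not found although the docker excluder is enabled"
  when:
    - r_openshift_excluder_enable_docker_excluder | bool
    - not docker_excluder_stat.stat.exists
# … unchanged: "Enable docker excluder" command task …
```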
@@ -1,16 +1,24 @@ --- -- name: Install latest excluder - package: - name: "{{ openshift.common.service_type }}-excluder" - state: latest - when: - - openshift_excluder_enabled | default(false) | bool - - not openshift.common.is_containerized | bool -- name: Install latest docker excluder - package: - name: "{{ openshift.common.service_type }}-excluder" - state: latest - when: - - docker_excluder_enabled | default(false) | bool - - not openshift.common.is_containerized | bool +- when: + - not openshift.common.is_atomic | bool + - r_openshift_excluder_install_ran is not defined + + block: + + - name: Install docker excluder + package: + name: "{{ r_openshift_excluder_service_type }}-docker-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}" + state: "{{ r_openshift_excluder_docker_package_state }}" + when: + - r_openshift_excluder_enable_docker_excluder | bool + + - name: Install openshift excluder + package: + name: "{{ r_openshift_excluder_service_type }}-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}" + state: "{{ r_openshift_excluder_package_state }}" + when: + - r_openshift_excluder_enable_openshift_excluder | bool + + - set_fact: + r_openshift_excluder_install_ran: True diff --git a/roles/openshift_excluder/tasks/main.yml b/roles/openshift_excluder/tasks/main.yml index 78a3d37cb..db20b4012 100644 --- a/roles/openshift_excluder/tasks/main.yml +++ b/roles/openshift_excluder/tasks/main.yml 
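Review bot: The `r_openshift_excluder_install_ran` guard in install.yml makes the install block run once per host for the rest of the run, so a later call of the role with `r_openshift_excluder_package_state: latest` is skipped if an earlier call already went through with `present`. The README example added in this commit has that shape (two calls, then a third asking for `latest`), and on the upgrade path the host would then keep the old excluder package and its older exclusion list. Since `package` with `state: present` is already idempotent, the guard could be dropped, or bypassed when an upgrade is requested, e.g. `- r_openshift_excluder_install_ran is not defined or 'latest' in [r_openshift_excluder_package_state, r_openshift_excluder_docker_package_state]`.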
@@ -1,2 +1,38 @@ --- -include: status.yml +- name: Detecting Atomic Host Operating System + stat: + path: /run/ostree-booted + register: ostree_booted + +- block: + + - name: Debug r_openshift_excluder_enable_docker_excluder + debug: + var: r_openshift_excluder_enable_docker_excluder + + - name: Debug r_openshift_excluder_enable_openshift_excluder + debug: + var: r_openshift_excluder_enable_openshift_excluder + + - name: Fail if invalid openshift_excluder_action provided + fail: + msg: "openshift_excluder role can only be called with 'enable' or 'disable'" + when: r_openshift_excluder_action not in ['enable', 'disable'] + + - name: Fail if r_openshift_excluder_service_type is not defined + fail: + msg: "r_openshift_excluder_service_type must be specified for this role" + when: r_openshift_excluder_service_type is not defined + + - name: Fail if r_openshift_excluder_upgrade_target is not defined + fail: + msg: "r_openshift_excluder_upgrade_target must be provided when using this role for upgrades" + when: + - r_openshift_excluder_verify_upgrade | bool + - r_openshift_excluder_upgrade_target is not defined + + - name: Include main action task file + include: "{{ r_openshift_excluder_action }}.yml" + + when: + - not ostree_booted.stat.exists | bool diff --git a/roles/openshift_excluder/tasks/reset.yml b/roles/openshift_excluder/tasks/reset.yml deleted file mode 100644 index 486a23fd0..000000000 --- a/roles/openshift_excluder/tasks/reset.yml +++ /dev/null @@ -1,12 +0,0 @@ ---- -- name: Enable docker excluder - command: "{{ openshift.common.service_type }}-docker-excluder exclude" - when: - - docker_excluder_enabled | default(false) | bool - - not openshift.common.is_containerized | bool - -- name: Enable excluder - command: "{{ openshift.common.service_type }}-excluder exclude" - when: - - openshift_excluder_enabled | default(false) | bool - - not openshift.common.is_containerized | bool 
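Review bot: The `is not defined` check on `r_openshift_excluder_service_type` in main.yml lets an empty string through, and that value is then spliced into the package names in install.yml and into the `/sbin/{{ r_openshift_excluder_service_type }}-excluder` paths that exclude.yml and unexclude.yml run through `command`. An empty value would yield `/sbin/-excluder`, which the stat checks then skip without any message. Tightening the condition to `when: r_openshift_excluder_service_type | default('') == ''` catches both the undefined and the empty case. The first `fail` task's name also says `openshift_excluder_action` while the variable being checked is `r_openshift_excluder_action`.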
diff --git a/roles/openshift_excluder/tasks/status.yml b/roles/openshift_excluder/tasks/status.yml
deleted file mode 100644
index ef118d94c..000000000
--- a/roles/openshift_excluder/tasks/status.yml
+++ /dev/null
@@ -1,58 +0,0 @@ ---- -# Latest versions of the excluders include a status function, old packages dont -# So, if packages are installed, upgrade them to the latest so we get the status -# If they're not installed when we should assume they're disabled - -- name: Determine if excluder packages are installed - rpm_q: - name: "{{ openshift.common.service_type }}-excluder" - state: present - register: openshift_excluder_installed - failed_when: false - -- name: Determine if docker packages are installed - rpm_q: - name: "{{ openshift.common.service_type }}-excluder" - state: present - register: docker_excluder_installed - failed_when: false - -- name: Update to latest excluder packages - package: - name: "{{ openshift.common.service_type }}-excluder" - state: latest - when: - - "{{ openshift_excluder_installed.installed_versions | default([]) | length > 0 }}" - - not openshift.common.is_containerized | bool - -- name: Update to the latest docker-excluder packages - package: - name: "{{ openshift.common.service_type }}-docker-excluder" - state: latest - when: - - "{{ docker_excluder_installed.installed_versions | default([]) | length > 0 }}" - - not openshift.common.is_containerized | bool - -- name: Record excluder status - command: "{{ openshift.common.service_type }}-excluder" - register: excluder_status - when: - - "{{ openshift_excluder_installed.installed_versions | default([]) | length > 0 }}" - - not openshift.common.is_containerized | bool - failed_when: false - -- name: Record docker excluder status - command: "{{ openshift.common.service_type }}-docker-excluder" - register: docker_excluder_status - when: - - "{{ docker_excluder_installed.installed_versions | default([]) | length > 0 }}" - - not openshift.common.is_containerized | bool - failed_when: false - -- name: Set excluder status facts - set_fact: - docker_excluder_enabled: "{{ 'false' if docker_excluder_status.rc | default(0) == 0 or docker_excluder_installed.installed_versions | default(0) | length == 
0 else 'true' }}" - openshift_excluder_enabled: "{{ 'false' if docker_excluder_status.rc | default(0) == 0 or openshift_excluder_installed.installed_versions | default(0) | length == 0 else 'true' }}" - -- debug: var=docker_excluder_enabled -- debug: var=openshift_excluder_enabled diff --git a/roles/openshift_excluder/tasks/unexclude.yml b/roles/openshift_excluder/tasks/unexclude.yml index 38f0759aa..a68165bde 100644 --- a/roles/openshift_excluder/tasks/unexclude.yml +++ b/roles/openshift_excluder/tasks/unexclude.yml @@ -1,12 +1,26 @@ --- +# input variables: +# - unexclude_docker_excluder +# - unexclude_openshift_excluder + +- name: Check for docker-excluder + stat: + path: /sbin/{{ r_openshift_excluder_service_type }}-docker-excluder + register: docker_excluder_stat + - name: disable docker excluder - command: "{{ openshift.common.service_type }}-docker-excluder unexclude" + command: "/sbin/{{ r_openshift_excluder_service_type }}-docker-excluder unexclude" when: - - docker_excluder_enabled | bool - - not openshift.common.is_containerized | bool + - unexclude_docker_excluder | default(false) | bool + - docker_excluder_stat.stat.exists + +- name: Check for openshift excluder + stat: + path: /sbin/{{ r_openshift_excluder_service_type }}-excluder + register: openshift_excluder_stat -- name: disable excluder - command: "{{ openshift.common.service_type }}-excluder unexclude" +- name: disable openshift excluder + command: "/sbin/{{ r_openshift_excluder_service_type }}-excluder unexclude" when: - - openshift_excluder_enabled | bool - - not openshift.common.is_containerized | bool + - unexclude_openshift_excluder | default(false) | bool + - openshift_excluder_stat.stat.exists diff --git a/roles/openshift_excluder/tasks/verify_excluder.yml b/roles/openshift_excluder/tasks/verify_excluder.yml new file mode 100644 index 000000000..c35639c1b --- /dev/null +++ b/roles/openshift_excluder/tasks/verify_excluder.yml 
@@ -0,0 +1,32 @@
+---
+# input variables:
+# - excluder
+- name: Get available excluder version
+ repoquery:
+ name: "{{ excluder }}"
+ ignore_excluders: true
+ register: repoquery_out
+
+- name: Fail when excluder package is not found
+ fail:
+ msg: "Package {{ excluder }} not found"
+ when: not repoquery_out.results.package_found
+
+- name: Set fact excluder_version
+ set_fact:
+ excluder_version: "{{ repoquery_out.results.versions.available_versions.0 }}"
+
+- name: "{{ excluder }} version detected"
+ debug:
+ msg: "{{ excluder }}: {{ excluder_version }}"
+
+- name: Printing upgrade target version
+ debug:
+ msg: "{{ r_openshift_excluder_upgrade_target }}"
+
+- name: Check the available {{ excluder }} version is at most of the upgrade target version
+ fail:
+ msg: "Available {{ excluder }} version {{ excluder_version }} is higher than the upgrade target version"
+ when:
+ - excluder_version != ''
+ - excluder_version.split('.')[0:2] | join('.') | version_compare(r_openshift_excluder_upgrade_target.split('.')[0:2] | join('.'), '>', strict=True)
diff --git a/roles/openshift_excluder/tasks/verify_upgrade.yml b/roles/openshift_excluder/tasks/verify_upgrade.yml
new file mode 100644
index 000000000..42026664a
--- /dev/null
+++ b/roles/openshift_excluder/tasks/verify_upgrade.yml
@@ -0,0 +1,12 @@
+---
+- name: Verify Docker Excluder version
+ include: verify_excluder.yml
+ vars:
+ excluder: "{{ r_openshift_excluder_service_type }}-docker-excluder"
+ when: r_openshift_excluder_enable_docker_excluder | bool
+
+- name: Verify OpenShift Excluder version
+ include: verify_excluder.yml
+ vars:
+ excluder: "{{ r_openshift_excluder_service_type }}-excluder"
+ when: r_openshift_excluder_enable_openshift_excluder | bool |
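Review bot: The last task of verify_excluder.yml calls `r_openshift_excluder_upgrade_target.split('.')`, which assumes the target is a string, while main.yml only checks that the variable is defined. If a value such as 3.6 reaches the role as a number (not confirmed from this page), the task would stop with an attribute error instead of the intended message; coercing first, `(r_openshift_excluder_upgrade_target | string).split('.')[0:2] | join('.')`, avoids that. The `set_fact` task's `available_versions.0` likewise assumes a non-empty list whenever `package_found` is true, whereas the later `excluder_version != ''` guard suggests an empty result was anticipated. A fallback such as `available_versions | first | default('')` would make that guard reachable.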