diff options
Diffstat (limited to 'roles/openshift_excluder')
-rw-r--r-- | roles/openshift_excluder/README.md | 77 | ||||
-rw-r--r-- | roles/openshift_excluder/defaults/main.yml | 19 | ||||
-rw-r--r-- | roles/openshift_excluder/meta/main.yml | 15 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/disable.yml | 40 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/enable.yml | 6 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/exclude.yml | 22 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/install.yml | 51 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/main.yml | 38 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/unexclude.yml | 26 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/verify_excluder.yml | 32 | ||||
-rw-r--r-- | roles/openshift_excluder/tasks/verify_upgrade.yml | 12 |
11 files changed, 338 insertions, 0 deletions
diff --git a/roles/openshift_excluder/README.md b/roles/openshift_excluder/README.md new file mode 100644 index 000000000..80cb88d45 --- /dev/null +++ b/roles/openshift_excluder/README.md @@ -0,0 +1,77 @@ +OpenShift Excluder +================== + +Manages the excluder packages which add yum and dnf exclusions ensuring that +the packages we care about are not inadvertently updated. See +https://github.com/openshift/origin/tree/master/contrib/excluder + +Requirements +------------ + +None + +Inventory Variables +------------------- + +| Name | Default Value | Description | +---------------------------------------|----------------------------|----------------------------------------| +| openshift_enable_excluders | True | Enable all excluders | +| openshift_enable_docker_excluder | openshift_enable_excluders | Enable docker excluder. If not set, the docker excluder is ignored. | +| openshift_enable_openshift_excluder | openshift_enable_excluders | Enable openshift excluder. If not set, the openshift excluder is ignored. | + +Role Variables +-------------- + +| Name | Default | Choices | Description | +|-------------------------------------------|---------|-----------------|---------------------------------------------------------------------------| +| r_openshift_excluder_action | enable | enable, disable | Action to perform when calling this role | +| r_openshift_excluder_verify_upgrade | false | true, false | When upgrading, this variable should be set to true when calling the role | +| r_openshift_excluder_package_state | present | present, latest | Use 'latest' to upgrade openshift_excluder package | +| r_openshift_excluder_docker_package_state | present | present, latest | Use 'latest' to upgrade docker_excluder package | +| r_openshift_excluder_service_type | None | | (Required) Defined as openshift.common.service_type e.g. atomic-openshift | +| r_openshift_excluder_upgrade_target | None | | Required when r_openshift_excluder_verify_upgrade is true, defined as openshift_upgrade_target by Upgrade playbooks e.g. '3.6'| + +Dependencies +------------ + +- lib_utils + +Example Playbook +---------------- + +```yaml +- name: Demonstrate OpenShift Excluder usage + hosts: oo_masters_to_config:oo_nodes_to_config + roles: + # Disable all excluders + - role: openshift_excluder + r_openshift_excluder_action: disable + r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" + # Enable all excluders + - role: openshift_excluder + r_openshift_excluder_action: enable + r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" + # Disable all excluders and verify appropriate excluder packages are available for upgrade + - role: openshift_excluder + r_openshift_excluder_action: disable + r_openshift_excluder_service_type: "{{ openshift.common.service_type }}" + r_openshift_excluder_verify_upgrade: true + r_openshift_excluder_upgrade_target: "{{ openshift_upgrade_target }}" + r_openshift_excluder_package_state: latest + r_openshift_excluder_docker_package_state: latest +``` + +TODO +---- + +It should be possible to manage the two excluders independently though that's not a hard requirement. However it should be done to manage docker on RHEL Containerized hosts. + +License +------- + +Apache License, Version 2.0 + +Author Information +------------------ + +Scott Dodson (sdodson@redhat.com) diff --git a/roles/openshift_excluder/defaults/main.yml b/roles/openshift_excluder/defaults/main.yml new file mode 100644 index 000000000..d4f151142 --- /dev/null +++ b/roles/openshift_excluder/defaults/main.yml @@ -0,0 +1,19 @@ +--- +# keep the 'current' package or update to 'latest' if available? +r_openshift_excluder_package_state: present +r_openshift_excluder_docker_package_state: present + +# Legacy variables are included for backwards compatibility with v3.5 +# Inventory variables Legacy +# openshift_enable_excluders enable_excluders +# openshift_enable_openshift_excluder enable_openshift_excluder +# openshift_enable_docker_excluder enable_docker_excluder +r_openshift_excluder_enable_excluders: "{{ openshift_enable_excluders | default(enable_excluders) | default(true) }}" +r_openshift_excluder_enable_openshift_excluder: "{{ openshift_enable_openshift_excluder | default(enable_openshift_excluder) | default(r_openshift_excluder_enable_excluders) }}" +r_openshift_excluder_enable_docker_excluder: "{{ openshift_enable_docker_excluder | default(enable_docker_excluder) | default(r_openshift_excluder_enable_excluders) }}" + +# Default action when calling this role +r_openshift_excluder_action: enable + +# When upgrading, this variable should be set to true when calling the role +r_openshift_excluder_verify_upgrade: false diff --git a/roles/openshift_excluder/meta/main.yml b/roles/openshift_excluder/meta/main.yml new file mode 100644 index 000000000..871081c19 --- /dev/null +++ b/roles/openshift_excluder/meta/main.yml @@ -0,0 +1,15 @@ +--- +galaxy_info: + author: Scott Dodson + description: OpenShift Excluder + company: Red Hat, Inc. + license: Apache License, Version 2.0 + min_ansible_version: 2.2 + platforms: + - name: EL + versions: + - 7 + categories: + - cloud +dependencies: +- role: lib_utils diff --git a/roles/openshift_excluder/tasks/disable.yml b/roles/openshift_excluder/tasks/disable.yml new file mode 100644 index 000000000..5add25b45 --- /dev/null +++ b/roles/openshift_excluder/tasks/disable.yml @@ -0,0 +1,40 @@ +--- +- when: r_openshift_excluder_verify_upgrade + block: + - name: Include verify_upgrade.yml when upgrading + include: verify_upgrade.yml + +# unexclude the current openshift/origin-excluder if it is installed so it can be updated +- name: Disable excluders before the upgrade to remove older excluding expressions + include: unexclude.yml + vars: + # before the docker excluder can be updated, it needs to be disabled + # to remove older excluded packages that are no longer excluded + unexclude_docker_excluder: "{{ r_openshift_excluder_enable_docker_excluder }}" + unexclude_openshift_excluder: "{{ r_openshift_excluder_enable_openshift_excluder }}" + +# Install any excluder that is enabled +- name: Include install.yml + include: install.yml + +# And finally adjust an excluder in order to update host components correctly. First +# exclude then unexclude +- name: Include exclude.yml + include: exclude.yml + vars: + # Enable the docker excluder only if it is overridden + # BZ #1430612: docker excluders should be enabled even during installation and upgrade + exclude_docker_excluder: "{{ r_openshift_excluder_enable_docker_excluder }}" + # excluder is to be disabled by default + exclude_openshift_excluder: false + +# All excluders that are to be disabled are disabled +- name: Include unexclude.yml + include: unexclude.yml + vars: + # If the docker override is not set, default to the generic behaviour + # BZ #1430612: docker excluders should be enabled even during installation and upgrade + unexclude_docker_excluder: false + # disable openshift excluder is never overridden to be enabled + # disable it if the docker excluder is enabled + unexclude_openshift_excluder: "{{ r_openshift_excluder_enable_openshift_excluder }}" diff --git a/roles/openshift_excluder/tasks/enable.yml b/roles/openshift_excluder/tasks/enable.yml new file mode 100644 index 000000000..fce44cfb5 --- /dev/null +++ b/roles/openshift_excluder/tasks/enable.yml @@ -0,0 +1,6 @@ +--- +- name: Install excluders + include: install.yml + +- name: Enable excluders + include: exclude.yml diff --git a/roles/openshift_excluder/tasks/exclude.yml b/roles/openshift_excluder/tasks/exclude.yml new file mode 100644 index 000000000..1b4818df9 --- /dev/null +++ b/roles/openshift_excluder/tasks/exclude.yml @@ -0,0 +1,22 @@ +--- +- name: Check for docker-excluder + stat: + path: /sbin/{{ r_openshift_excluder_service_type }}-docker-excluder + register: docker_excluder_stat + +- name: Enable docker excluder + command: "/sbin/{{ r_openshift_excluder_service_type }}-docker-excluder exclude" + when: + - r_openshift_excluder_enable_docker_excluder | bool + - docker_excluder_stat.stat.exists + +- name: Check for openshift excluder + stat: + path: /sbin/{{ r_openshift_excluder_service_type }}-excluder + register: openshift_excluder_stat + +- name: Enable openshift excluder + command: "/sbin/{{ r_openshift_excluder_service_type }}-excluder exclude" + when: + - r_openshift_excluder_enable_openshift_excluder | bool + - openshift_excluder_stat.stat.exists diff --git a/roles/openshift_excluder/tasks/install.yml b/roles/openshift_excluder/tasks/install.yml new file mode 100644 index 000000000..7a5bebf6f --- /dev/null +++ b/roles/openshift_excluder/tasks/install.yml @@ -0,0 +1,51 @@ +--- + +- when: + - not openshift.common.is_atomic | bool + - r_openshift_excluder_install_ran is not defined + + block: + + - name: Install docker excluder - yum + package: + name: "{{ r_openshift_excluder_service_type }}-docker-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}" + state: "{{ r_openshift_excluder_docker_package_state }}" + when: + - r_openshift_excluder_enable_docker_excluder | bool + - ansible_pkg_mgr == "yum" + + + # For DNF we do not need the "*" and if we add it, it causes an error because + # it's not a valid pkg_spec + # + # https://bugzilla.redhat.com/show_bug.cgi?id=1199432 + - name: Install docker excluder - dnf + package: + name: "{{ r_openshift_excluder_service_type }}-docker-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: "{{ r_openshift_excluder_docker_package_state }}" + when: + - r_openshift_excluder_enable_docker_excluder | bool + - ansible_pkg_mgr == "dnf" + + - name: Install openshift excluder - yum + package: + name: "{{ r_openshift_excluder_service_type }}-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) + '*' }}" + state: "{{ r_openshift_excluder_package_state }}" + when: + - r_openshift_excluder_enable_openshift_excluder | bool + - ansible_pkg_mgr == "yum" + + # For DNF we do not need the "*" and if we add it, it causes an error because + # it's not a valid pkg_spec + # + # https://bugzilla.redhat.com/show_bug.cgi?id=1199432 + - name: Install openshift excluder - dnf + package: + name: "{{ r_openshift_excluder_service_type }}-excluder{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}" + state: "{{ r_openshift_excluder_package_state }}" + when: + - r_openshift_excluder_enable_openshift_excluder | bool + - ansible_pkg_mgr == "dnf" + + - set_fact: + r_openshift_excluder_install_ran: True diff --git a/roles/openshift_excluder/tasks/main.yml b/roles/openshift_excluder/tasks/main.yml new file mode 100644 index 000000000..db20b4012 --- /dev/null +++ b/roles/openshift_excluder/tasks/main.yml @@ -0,0 +1,38 @@ +--- +- name: Detecting Atomic Host Operating System + stat: + path: /run/ostree-booted + register: ostree_booted + +- block: + + - name: Debug r_openshift_excluder_enable_docker_excluder + debug: + var: r_openshift_excluder_enable_docker_excluder + + - name: Debug r_openshift_excluder_enable_openshift_excluder + debug: + var: r_openshift_excluder_enable_openshift_excluder + + - name: Fail if invalid openshift_excluder_action provided + fail: + msg: "openshift_excluder role can only be called with 'enable' or 'disable'" + when: r_openshift_excluder_action not in ['enable', 'disable'] + + - name: Fail if r_openshift_excluder_service_type is not defined + fail: + msg: "r_openshift_excluder_service_type must be specified for this role" + when: r_openshift_excluder_service_type is not defined + + - name: Fail if r_openshift_excluder_upgrade_target is not defined + fail: + msg: "r_openshift_excluder_upgrade_target must be provided when using this role for upgrades" + when: + - r_openshift_excluder_verify_upgrade | bool + - r_openshift_excluder_upgrade_target is not defined + + - name: Include main action task file + include: "{{ r_openshift_excluder_action }}.yml" + + when: + - not ostree_booted.stat.exists | bool diff --git a/roles/openshift_excluder/tasks/unexclude.yml b/roles/openshift_excluder/tasks/unexclude.yml new file mode 100644 index 000000000..a68165bde --- /dev/null +++ b/roles/openshift_excluder/tasks/unexclude.yml @@ -0,0 +1,26 @@ +--- +# input variables: +# - unexclude_docker_excluder +# - unexclude_openshift_excluder + +- name: Check for docker-excluder + stat: + path: /sbin/{{ r_openshift_excluder_service_type }}-docker-excluder + register: docker_excluder_stat + +- name: disable docker excluder + command: "/sbin/{{ r_openshift_excluder_service_type }}-docker-excluder unexclude" + when: + - unexclude_docker_excluder | default(false) | bool + - docker_excluder_stat.stat.exists + +- name: Check for openshift excluder + stat: + path: /sbin/{{ r_openshift_excluder_service_type }}-excluder + register: openshift_excluder_stat + +- name: disable openshift excluder + command: "/sbin/{{ r_openshift_excluder_service_type }}-excluder unexclude" + when: + - unexclude_openshift_excluder | default(false) | bool + - openshift_excluder_stat.stat.exists diff --git a/roles/openshift_excluder/tasks/verify_excluder.yml b/roles/openshift_excluder/tasks/verify_excluder.yml new file mode 100644 index 000000000..c35639c1b --- /dev/null +++ b/roles/openshift_excluder/tasks/verify_excluder.yml @@ -0,0 +1,32 @@ +--- +# input variables: +# - excluder +- name: Get available excluder version + repoquery: + name: "{{ excluder }}" + ignore_excluders: true + register: repoquery_out + +- name: Fail when excluder package is not found + fail: + msg: "Package {{ excluder }} not found" + when: not repoquery_out.results.package_found + +- name: Set fact excluder_version + set_fact: + excluder_version: "{{ repoquery_out.results.versions.available_versions.0 }}" + +- name: "{{ excluder }} version detected" + debug: + msg: "{{ excluder }}: {{ excluder_version }}" + +- name: Printing upgrade target version + debug: + msg: "{{ r_openshift_excluder_upgrade_target }}" + +- name: Check the available {{ excluder }} version is at most of the upgrade target version + fail: + msg: "Available {{ excluder }} version {{ excluder_version }} is higher than the upgrade target version" + when: + - excluder_version != '' + - excluder_version.split('.')[0:2] | join('.') | version_compare(r_openshift_excluder_upgrade_target.split('.')[0:2] | join('.'), '>', strict=True) diff --git a/roles/openshift_excluder/tasks/verify_upgrade.yml b/roles/openshift_excluder/tasks/verify_upgrade.yml new file mode 100644 index 000000000..42026664a --- /dev/null +++ b/roles/openshift_excluder/tasks/verify_upgrade.yml @@ -0,0 +1,12 @@ +--- +- name: Verify Docker Excluder version + include: verify_excluder.yml + vars: + excluder: "{{ r_openshift_excluder_service_type }}-docker-excluder" + when: r_openshift_excluder_enable_docker_excluder | bool + +- name: Verify OpenShift Excluder version + include: verify_excluder.yml + vars: + excluder: "{{ r_openshift_excluder_service_type }}-excluder" + when: r_openshift_excluder_enable_openshift_excluder | bool |