Diffstat (limited to 'roles/openshift_node')
| -rw-r--r-- | roles/openshift_node/README.md | 34 | ||||
| -rw-r--r-- | roles/openshift_node/defaults/main.yml | 9 | ||||
| -rw-r--r-- | roles/openshift_node/handlers/main.yml | 8 | ||||
| -rw-r--r-- | roles/openshift_node/tasks/main.yml | 111 | ||||
| -rw-r--r-- | roles/openshift_node/tasks/storage_plugins/ceph.yml | 5 | ||||
| -rw-r--r-- | roles/openshift_node/tasks/storage_plugins/glusterfs.yml | 12 | ||||
| -rw-r--r-- | roles/openshift_node/tasks/storage_plugins/main.yml | 13 | ||||
| -rw-r--r-- | roles/openshift_node/tasks/storage_plugins/nfs.yml | 7 | ||||
| -rw-r--r-- | roles/openshift_node/templates/node.yaml.v1.j2 | 27 | ||||
| -rw-r--r-- | roles/openshift_node/templates/partials/kubeletArguments.j2 | 5 | ||||
| -rw-r--r-- | roles/openshift_node/vars/main.yml | 3 | 
11 files changed, 188 insertions, 46 deletions
diff --git a/roles/openshift_node/README.md b/roles/openshift_node/README.md
index c3c17b848..3aff81274 100644
--- a/roles/openshift_node/README.md
+++ b/roles/openshift_node/README.md
@@ -1,28 +1,28 @@ -OpenShift Node -============== +OpenShift/Atomic Enterprise Node +================================ -OpenShift Node service installation +Node service installation  Requirements  ------------ -One or more OpenShift Master servers. +One or more Master servers.  A RHEL 7.1 host pre-configured with access to the rhel-7-server-rpms, -rhel-7-server-extras-rpms, and rhel-server-7-ose-beta-rpms repos. +rhel-7-server-extras-rpms, and rhel-7-server-ose-3.0-rpms repos.  Role Variables  --------------  From this role: -| Name                                     | Default value         |                                        | -|------------------------------------------|-----------------------|----------------------------------------| -| openshift_node_debug_level               | openshift_debug_level | Verbosity of the debug logs for openshift-node | -| oreg_url                                 | UNDEF (Optional)      | Default docker registry to use | +| Name                                     | Default value         |                                                        | +|------------------------------------------|-----------------------|--------------------------------------------------------| +| openshift_node_debug_level               | openshift_debug_level | Verbosity of the debug logs for node | +| oreg_url                                 | UNDEF (Optional)      | Default docker registry to use                         |  From openshift_common: -| Name                          |  Default Value      |                     |  +| Name                          |  Default Value      |                     |  |-------------------------------|---------------------|---------------------| -| openshift_debug_level         | 0                   | Global openshift debug log verbosity | +| openshift_debug_level         | 2                   | Global openshift debug log verbosity |  | openshift_public_ip           | UNDEF (Required)    | Public IP address to 
use for this host |  | openshift_hostname            | UNDEF (Required)    | hostname to use for this instance | @@ -34,6 +34,18 @@ openshift_common  Example Playbook  ---------------- +Notes +----- + +Currently we support re-labeling nodes but we don't re-schedule running pods nor remove existing labels. That means you will have to trigger the re-schedulling manually. To re-schedule your pods, just follow the steps below: + +``` +oadm manage-node --schedulable=false ${NODE} +oadm manage-node --evacuate ${NODE} +oadm manage-node --schedulable=true ${NODE} +```` + +  TODO  License diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index be51195f2..fffbf2994 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -1,8 +1,15 @@  ---  os_firewall_allow: -- service: OpenShift kubelet +- service: Kubernetes kubelet    port: 10250/tcp  - service: http    port: 80/tcp  - service: https    port: 443/tcp +- service: Openshift kubelet ReadOnlyPort +  port: 10255/tcp +- service: Openshift kubelet ReadOnlyPort udp +  port: 10255/udp +- service: OpenShift OVS sdn +  port: 4789/udp +  when: openshift.node.use_openshift_sdn | bool diff --git a/roles/openshift_node/handlers/main.yml b/roles/openshift_node/handlers/main.yml index 953a1421b..447ca85f3 100644 --- a/roles/openshift_node/handlers/main.yml +++ b/roles/openshift_node/handlers/main.yml @@ -1,3 +1,7 @@  --- -- name: restart openshift-node -  service: name=openshift-node state=restarted +- name: restart node +  service: name={{ openshift.common.service_type }}-node state=restarted +  when: not node_service_status_changed | default(false) + +- name: restart docker +  service: name=docker state=restarted diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 15d18f510..aea60b75c 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
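Review bot: In roles/openshift_node/defaults/main.yml the two new `10255` entries open the kubelet read-only port in the firewall on every node, while partials/kubeletArguments.j2 only sets `read-only-port` when `openshift.common.use_cluster_metrics` is true. That port is served without authentication, so I would gate both entries on the same condition, e.g. `when: openshift.common.use_cluster_metrics | bool`, and drop the `10255/udp` entry unless something is known to need it. The `4789/udp` entry tests `openshift.node.use_openshift_sdn`, whereas the tasks and template in this commit read `openshift.common.use_openshift_sdn`, and the node `local_facts` visible in tasks/main.yml do not set such a key; please confirm which one exists. Whether the os_firewall role honours a `when` key inside a list item is not visible in this diff.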
@@ -1,7 +1,16 @@  ---  # TODO: allow for overriding default ports where possible +- fail: +    msg: This role requres that osn_cluster_dns_domain is set +  when: osn_cluster_dns_domain is not defined or not osn_cluster_dns_domain +- fail: +    msg: This role requres that osn_cluster_dns_ip is set +  when: osn_cluster_dns_ip is not defined or not osn_cluster_dns_ip +- fail: +    msg: "SELinux is disabled, This deployment type requires that SELinux is enabled." +  when: (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online'] -- name: Set node OpenShift facts +- name: Set node facts    openshift_facts:      role: "{{ item.role }}"      local_facts: "{{ item.local_facts }}" 
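Review bot: The new SELinux guard at the top of tasks/main.yml tests only `ansible_selinux.status`, which stays `enabled` when the host is in permissive mode, so an `enterprise` or `online` node that is not enforcing passes the check. If enforcing is what these deployment types require, also test the mode, e.g. add `or ansible_selinux.mode != 'enforcing'` inside the first parenthesis. The guard reads a bare `deployment_type`, while the rest of the commit uses `openshift_deployment_type` and `openshift.common.deployment_type`; confirm the bare name is defined for every inventory, since an undefined variable here fails the play for a different reason than the message states. The two `msg` strings above it misspell "requires" as `requres`.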
@@ -13,40 +22,41 @@        deployment_type: "{{ openshift_deployment_type }}"    - role: node      local_facts: -      resources_cpu: "{{ openshift_node_resources_cpu | default(none) }}" -      resources_memory: "{{ openshift_node_resources_memory | default(none) }}" -      pod_cidr: "{{ openshift_node_pod_cidr | default(none) }}" -      labels: "{{ openshift_node_labels | default(none) }}" +      labels: "{{ lookup('oo_option', 'openshift_node_labels') | default( openshift_node_labels | default(none), true) }}"        annotations: "{{ openshift_node_annotations | default(none) }}"        registry_url: "{{ oreg_url | default(none) }}"        debug_level: "{{ openshift_node_debug_level | default(openshift.common.debug_level) }}"        portal_net: "{{ openshift_master_portal_net | default(None) }}" +      kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}" +      sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" +      schedulable: "{{ openshift_schedulable | default(openshift_scheduleable) | default(None) }}" +      docker_log_driver:  "{{ lookup( 'oo_option' , 'docker_log_driver'  )  | default('',True) }}" +      docker_log_options: "{{ lookup( 'oo_option' , 'docker_log_options' )  | default('',True) }}" +      storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" -- name: Install OpenShift Node package -  yum: pkg=openshift-node state=present +# We have to add tuned-profiles in the same transaction otherwise we run into depsolving +# problems because the rpms don't pin the version properly. 
+- name: Install Node package +  yum: pkg={{ openshift.common.service_type }}-node{{ openshift_version  }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_version  }} state=present    register: node_install_result -- name: Install openshift-sdn-ovs -  yum: pkg=openshift-sdn-ovs state=present +- name: Install sdn-ovs package +  yum: pkg={{ openshift.common.service_type }}-sdn-ovs{{ openshift_version }} state=present    register: sdn_install_result    when: openshift.common.use_openshift_sdn -- name: Reload systemd units -  command: systemctl daemon-reload -  when: (node_install_result | changed or (openshift.common.use_openshift_sdn -          and sdn_install_result | changed)) -  # TODO: add the validate parameter when there is a validation command to run  - name: Create the Node config    template:      dest: "{{ openshift_node_config_file }}"      src: node.yaml.v1.j2 +    backup: true    notify: -  - restart openshift-node +  - restart node -- name: Configure OpenShift Node settings +- name: Configure Node settings    lineinfile: -    dest: /etc/sysconfig/openshift-node +    dest: /etc/sysconfig/{{ openshift.common.service_type }}-node      regexp: "{{ item.regex }}"      line: "{{ item.line }}"    with_items: 
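Review bot: `docker_log_driver` and `docker_log_options` are stored with `default('',True)`, so an unset option reaches openshift_facts as an empty string, yet the `OPTIONS=` template later in this file guards both with `is defined`. Unless openshift_facts drops empty values (not visible in this diff), that renders a bare `--log-driver` with no value into /etc/sysconfig/docker. Testing truthiness instead, `{% if openshift.node.docker_log_driver %}`, does not depend on that behaviour. The same applies to the `docker_log_options` branch.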
@@ -55,21 +65,72 @@      - regex: '^CONFIG_FILE='        line: "CONFIG_FILE={{ openshift_node_config_file }}"    notify: -  - restart openshift-node +  - restart node  - stat: path=/etc/sysconfig/docker    register: docker_check    # TODO: Enable secure registry when code available in origin -- name: Secure OpenShift Registry +- name: Secure Registry and Logs Options    lineinfile:      dest: /etc/sysconfig/docker -    regexp: '^OPTIONS=.*' -    line: "OPTIONS='--insecure-registry={{ openshift.node.portal_net }} --selinux-enabled'" +    regexp: '^OPTIONS=.*$' +    line: "OPTIONS='--insecure-registry={{ openshift.node.portal_net }} \ +{% if ansible_selinux and ansible_selinux.status == '''enabled''' %}--selinux-enabled{% endif %} \ +{% if openshift.node.docker_log_driver is defined  %} --log-driver {{ openshift.node.docker_log_driver }}  {% endif %} \ +{% if openshift.node.docker_log_options is defined %}   {{ openshift.node.docker_log_options |  oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}  {% endif %} '"    when: docker_check.stat.isreg +  notify: +    - restart docker + +- set_fact: +    docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') +                                      | oo_split() | union(['registry.access.redhat.com']) +                                      | difference(['']) }}" +  when: openshift.common.deployment_type == 'enterprise' +- set_fact: +    docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') +                                      | oo_split() | difference(['']) }}" +  when: openshift.common.deployment_type != 'enterprise' + +- name: Add personal registries +  lineinfile: +    dest: /etc/sysconfig/docker +    regexp: '^ADD_REGISTRY=.*$' +    line: "ADD_REGISTRY='{{ docker_additional_registries +                            | oo_prepend_strings_in_list('--add-registry ') | join(' ') }}'" +  when: docker_check.stat.isreg and docker_additional_registries 
+  notify: +    - restart docker + +- name: Block registries +  lineinfile: +    dest: /etc/sysconfig/docker +    regexp: '^BLOCK_REGISTRY=.*$' +    line: "BLOCK_REGISTRY='{{ lookup('oo_option', 'docker_blocked_registries') | oo_split() +                              | oo_prepend_strings_in_list('--block-registry ') | join(' ') }}'" +  when: docker_check.stat.isreg and +        lookup('oo_option', 'docker_blocked_registries') != '' +  notify: +    - restart docker + +- name: Grant access to additional insecure registries +  lineinfile: +    dest: /etc/sysconfig/docker +    regexp: '^INSECURE_REGISTRY=.*' +    line: "INSECURE_REGISTRY='{{ lookup('oo_option', 'docker_insecure_registries') | oo_split() +                              | oo_prepend_strings_in_list('--insecure-registry ') | join(' ') }}'" +  when: docker_check.stat.isreg and +        lookup('oo_option', 'docker_insecure_registries') != '' +  notify: +    - restart docker + +- name: Additional storage plugin configuration +  include: storage_plugins/main.yml -- name: Allow NFS access for VMs -  seboolean: name=virt_use_nfs state=yes persistent=yes +- name: Start and enable node +  service: name={{ openshift.common.service_type }}-node enabled=yes state=started +  register: start_result -- name: Start and enable openshift-node -  service: name=openshift-node enabled=yes state=started +- set_fact: +    node_service_status_changed = start_result | changed diff --git a/roles/openshift_node/tasks/storage_plugins/ceph.yml b/roles/openshift_node/tasks/storage_plugins/ceph.yml new file mode 100644 index 000000000..b6936618a --- /dev/null +++ b/roles/openshift_node/tasks/storage_plugins/ceph.yml @@ -0,0 +1,5 @@ +--- +- name: Install Ceph storage plugin dependencies +  yum: +    pkg: ceph-common +    state: installed diff --git a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml new file mode 100644 index 000000000..b812e81df --- /dev/null 
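Review bot: The final `set_fact` in tasks/main.yml is written as `node_service_status_changed = start_result | changed`, which is a plain string rather than a key with a templated value, so the fact is unlikely to hold the boolean that the `restart node` handler tests with `not node_service_status_changed | default(false)`. I would write it as `node_service_status_changed: "{{ start_result | changed }}"`. Separately, the `BLOCK_REGISTRY` and `INSECURE_REGISTRY` tasks run only when their option is non-empty, so clearing `docker_insecure_registries` leaves the earlier `--insecure-registry` entries in /etc/sysconfig/docker. A companion task that empties or removes the line when the option is empty would keep TLS verification from staying disabled for registries the operator has already withdrawn. The `^INSECURE_REGISTRY=.*` pattern also lacks the trailing `$` that the sibling tasks use.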
+++ b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml @@ -0,0 +1,12 @@ +--- +- name: Install GlusterFS storage plugin dependencies +  yum: +    pkg: glusterfs-fuse +    state: installed + +- name: Set seboolean to allow gluster storage plugin access from containers +  seboolean: +    name: virt_use_fusefs +    state: yes +    persistent: yes +  when: ansible_selinux and ansible_selinux.status == "enabled" diff --git a/roles/openshift_node/tasks/storage_plugins/main.yml b/roles/openshift_node/tasks/storage_plugins/main.yml new file mode 100644 index 000000000..39c7b9390 --- /dev/null +++ b/roles/openshift_node/tasks/storage_plugins/main.yml @@ -0,0 +1,13 @@ +--- +# The NFS storage plugin is always enabled since it doesn't require any +# additional package dependencies +- name: NFS storage plugin configuration +  include: nfs.yml + +- name: GlusterFS storage plugin configuration +  include: glusterfs.yml +  when: "'glusterfs' in openshift.node.storage_plugin_deps" + +- name: Ceph storage plugin configuration +  include: ceph.yml +  when: "'ceph' in openshift.node.storage_plugin_deps" diff --git a/roles/openshift_node/tasks/storage_plugins/nfs.yml b/roles/openshift_node/tasks/storage_plugins/nfs.yml new file mode 100644 index 000000000..1edf21d9b --- /dev/null +++ b/roles/openshift_node/tasks/storage_plugins/nfs.yml @@ -0,0 +1,7 @@ +--- +- name: Set seboolean to allow nfs storage plugin access from containers +  seboolean: +    name: virt_use_nfs +    state: yes +    persistent: yes +  when: ansible_selinux and ansible_selinux.status == "enabled" diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index cab75cd49..4931d127e 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 
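Review bot: Both `when` conditions in storage_plugins/main.yml test membership in `openshift.node.storage_plugin_deps`, but tasks/main.yml feeds that fact from `osn_storage_plugin_deps | default(None)`. If openshift_facts does not supply a list default (not visible in this diff), the `in` test runs against a missing or null value and aborts the play on hosts that configure no storage plugins. A guarded form such as `when: "'glusterfs' in (openshift.node.storage_plugin_deps | default([], true))"`, and the same for `'ceph'`, is safe either way.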
@@ -1,18 +1,33 @@  allowDisabledDocker: false  apiVersion: v1 -dnsDomain: {{ hostvars[openshift_first_master].openshift.dns.domain }} -dnsIP: {{ hostvars[openshift_first_master].openshift.dns.ip }} +dnsDomain: {{ osn_cluster_dns_domain }} +dnsIP: {{ osn_cluster_dns_ip }} +dockerConfig: +  execHandlerName: ""  imageConfig:    format: {{ openshift.node.registry_url }}    latest: false  kind: NodeConfig -masterKubeConfig: node.kubeconfig +{% if openshift.node.kubelet_args is defined and openshift.node.kubelet_args %} +kubeletArguments: {{ openshift.node.kubelet_args | to_json }} +{% endif %} +masterKubeConfig: system:node:{{ openshift.common.hostname }}.kubeconfig +{% if openshift.common.use_openshift_sdn %}  networkPluginName: {{ openshift.common.sdn_network_plugin_name }} -nodeName: {{ openshift.common.hostname }} -podManifestConfig: null +{% endif %} +# networkConfig struct introduced in origin 1.0.6 and OSE 3.0.2 which +# deprecates networkPluginName above. The two should match. +networkConfig: +   mtu: {{ openshift.node.sdn_mtu }} +{% if openshift.common.use_openshift_sdn %} +   networkPluginName: {{ openshift.common.sdn_network_plugin_name }} +{% endif %} +nodeName: {{ openshift.common.hostname | lower }} +podManifestConfig:  servingInfo:    bindAddress: 0.0.0.0:10250    certFile: server.crt    clientCA: ca.crt    keyFile: server.key -volumeDirectory: {{ openshift_data_dir }}/openshift.local.volumes +volumeDirectory: {{ openshift.common.data_dir }}/openshift.local.volumes +{% include 'partials/kubeletArguments.j2' %} diff --git a/roles/openshift_node/templates/partials/kubeletArguments.j2 b/roles/openshift_node/templates/partials/kubeletArguments.j2 new file mode 100644 index 000000000..6c3bd04c5 --- /dev/null +++ b/roles/openshift_node/templates/partials/kubeletArguments.j2 @@ -0,0 +1,5 @@ +{% if openshift.common.use_cluster_metrics | bool %} +kubeletArguments: +  "read-only-port": +    - "10255" +{% endif %}
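Review bot: node.yaml.v1.j2 can now emit the top-level key `kubeletArguments` twice: once from `openshift.node.kubelet_args` and again from the trailing `{% include 'partials/kubeletArguments.j2' %}` when `use_cluster_metrics` is true. A duplicate mapping key is either rejected or resolved last-wins by the parser, so operator-supplied kubelet arguments could be silently dropped in favour of the `read-only-port` block. Merging the `read-only-port` entry into the `kubelet_args` value before rendering a single `kubeletArguments` block would avoid that. `mtu: {{ openshift.node.sdn_mtu }}` is also rendered unconditionally although tasks/main.yml defaults that fact to `None`, so it wants the same kind of `{% if %}` guard as `networkPluginName`.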
\ No newline at end of file diff --git a/roles/openshift_node/vars/main.yml b/roles/openshift_node/vars/main.yml index cf47f8354..43dc50ca8 100644 --- a/roles/openshift_node/vars/main.yml +++ b/roles/openshift_node/vars/main.yml @@ -1,3 +1,4 @@  --- -openshift_node_config_dir: /etc/openshift/node +openshift_node_config_dir: "{{ openshift.common.config_base }}/node"  openshift_node_config_file: "{{ openshift_node_config_dir }}/node-config.yaml" +openshift_version: "{{ openshift_pkg_version | default('') }}"  | 
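Review bot: `openshift_version` in vars/main.yml deserves a one-line comment, because tasks/main.yml appends it directly to the package names (`{{ openshift.common.service_type }}-node{{ openshift_version }}`), so `openshift_pkg_version` has to carry its own leading `-`. Something like `# appended verbatim to yum package names; must include the leading '-', e.g. '-<VERSION>'` above the variable would do. Without it, a value lacking the dash yields a package name that yum cannot resolve, and the failure points at the install task rather than the variable.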
