11 files changed, 48 insertions, 27 deletions

diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml
index dadd62c93..ad28cece9 100644
--- a/roles/docker/meta/main.yml
+++ b/roles/docker/meta/main.yml
@@ -11,4 +11,3 @@ galaxy_info:
     - 7
 dependencies:
 - role: os_firewall
-  os_firewall_use_firewalld: False
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index a93bdc2ad..57da23e0a 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -43,16 +43,18 @@
   package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
   when: not openshift.common.is_atomic | bool
 
-- name: Ensure docker.service.d directory exists
-  file:
-    path: "{{ docker_systemd_dir }}"
-    state: directory
-
-# Extend the default Docker service unit file
-- name: Configure Docker service unit file
-  template:
-    dest: "{{ docker_systemd_dir }}/custom.conf"
-    src: custom.conf.j2
+- block:
+  # Extend the default Docker service unit file when using iptables-services
+  - name: Ensure docker.service.d directory exists
+    file:
+      path: "{{ docker_systemd_dir }}"
+      state: directory
+
+  - name: Configure Docker service unit file
+    template:
+      dest: "{{ docker_systemd_dir }}/custom.conf"
+      src: custom.conf.j2
+  when: not os_firewall_use_firewalld | default(True) | bool
 
 - include: udev_workaround.yml
   when: docker_udev_workaround | default(False) | bool
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 05b0377bc..d7e3596fd 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -896,23 +896,31 @@ def set_version_facts_if_unset(facts):
                 version_gte_3_2_or_1_2 = version >= LooseVersion('1.2.0')
                 version_gte_3_3_or_1_3 = version >= LooseVersion('1.3.0')
                 version_gte_3_4_or_1_4 = version >= LooseVersion('1.4.0')
+                version_gte_3_5_or_1_5 = version >= LooseVersion('1.5.0')
+                version_gte_3_6_or_1_6 = version >= LooseVersion('1.6.0')
             else:
                 version_gte_3_1_or_1_1 = version >= LooseVersion('3.0.2.905')
                 version_gte_3_1_1_or_1_1_1 = version >= LooseVersion('3.1.1')
                 version_gte_3_2_or_1_2 = version >= LooseVersion('3.1.1.901')
                 version_gte_3_3_or_1_3 = version >= LooseVersion('3.3.0')
                 version_gte_3_4_or_1_4 = version >= LooseVersion('3.4.0')
+                version_gte_3_5_or_1_5 = version >= LooseVersion('3.5.0')
+                version_gte_3_6_or_1_6 = version >= LooseVersion('3.6.0')
         else:
             version_gte_3_1_or_1_1 = True
             version_gte_3_1_1_or_1_1_1 = True
             version_gte_3_2_or_1_2 = True
             version_gte_3_3_or_1_3 = True
             version_gte_3_4_or_1_4 = False
+            version_gte_3_5_or_1_5 = False
+            version_gte_3_6_or_1_6 = False
         facts['common']['version_gte_3_1_or_1_1'] = version_gte_3_1_or_1_1
         facts['common']['version_gte_3_1_1_or_1_1_1'] = version_gte_3_1_1_or_1_1_1
         facts['common']['version_gte_3_2_or_1_2'] = version_gte_3_2_or_1_2
         facts['common']['version_gte_3_3_or_1_3'] = version_gte_3_3_or_1_3
         facts['common']['version_gte_3_4_or_1_4'] = version_gte_3_4_or_1_4
+        facts['common']['version_gte_3_5_or_1_5'] = version_gte_3_5_or_1_5
+        facts['common']['version_gte_3_6_or_1_6'] = version_gte_3_6_or_1_6
 
         if version_gte_3_4_or_1_4:
             examples_content_version = 'v1.4'
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
index 4f7461827..29a59a0d3 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_predicates.py
@@ -40,10 +40,10 @@ class LookupModule(LookupBase):
                 # pylint: disable=line-too-long
                 raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified")
         if deployment_type == 'origin':
-            if short_version not in ['1.1', '1.2', '1.3', '1.4']:
+            if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']:
                 raise AnsibleError("Unknown short_version %s" % short_version)
         elif deployment_type == 'openshift-enterprise':
-            if short_version not in ['3.1', '3.2', '3.3', '3.4']:
+            if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']:
                 raise AnsibleError("Unknown short_version %s" % short_version)
         else:
             raise AnsibleError("Unknown deployment_type %s" % deployment_type)
diff --git a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
index 7087ff03c..36022597f 100644
--- a/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
+++ b/roles/openshift_master_facts/lookup_plugins/openshift_master_facts_default_priorities.py
@@ -45,10 +45,10 @@ class LookupModule(LookupBase):
                 raise AnsibleError("Either OpenShift needs to be installed or openshift_release needs to be specified")
 
         if deployment_type == 'origin':
-            if short_version not in ['1.1', '1.2', '1.3', '1.4']:
+            if short_version not in ['1.1', '1.2', '1.3', '1.4', '1.5', '1.6', 'latest']:
                 raise AnsibleError("Unknown short_version %s" % short_version)
         elif deployment_type == 'openshift-enterprise':
-            if short_version not in ['3.1', '3.2', '3.3', '3.4']:
+            if short_version not in ['3.1', '3.2', '3.3', '3.4', '3.5', '3.6', 'latest']:
                 raise AnsibleError("Unknown short_version %s" % short_version)
         else:
             raise AnsibleError("Unknown deployment_type %s" % deployment_type)
diff --git a/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py b/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py
index c95356908..07bac6826 100644
--- a/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py
+++ b/roles/openshift_master_facts/test/openshift_master_facts_default_predicates_tests.py
@@ -65,7 +65,11 @@ TEST_VARS = [
     ('1.3', 'origin', DEFAULT_PREDICATES_1_3),
     ('3.3', 'openshift-enterprise', DEFAULT_PREDICATES_1_3),
     ('1.4', 'origin', DEFAULT_PREDICATES_1_4),
-    ('3.4', 'openshift-enterprise', DEFAULT_PREDICATES_1_4)
+    ('3.4', 'openshift-enterprise', DEFAULT_PREDICATES_1_4),
+    ('1.5', 'origin', DEFAULT_PREDICATES_1_4),
+    ('3.5', 'openshift-enterprise', DEFAULT_PREDICATES_1_4),
+    ('1.6', 'origin', DEFAULT_PREDICATES_1_4),
+    ('3.6', 'openshift-enterprise', DEFAULT_PREDICATES_1_4),
 ]
 
 
diff --git a/roles/openshift_repos/templates/yum_repo.j2 b/roles/openshift_repos/templates/yum_repo.j2
index 0ec0045eb..ef2cd6603 100644
--- a/roles/openshift_repos/templates/yum_repo.j2
+++ b/roles/openshift_repos/templates/yum_repo.j2
@@ -2,9 +2,9 @@
 [{{ repo.id }}]
 name={{ repo.name | default(repo.id) }}
 baseurl={{ repo.baseurl }}
-{% set enable_repo = repo.enabled | default(1,True) %}
+{% set enable_repo = repo.enabled | default(1) %}
 enabled={{ 1 if ( enable_repo == 1 or enable_repo == True ) else 0 }}
-{% set enable_gpg_check = repo.gpgcheck | default(1,True) %}
+{% set enable_gpg_check = repo.gpgcheck | default(1) %}
 gpgcheck={{ 1 if ( enable_gpg_check == 1 or enable_gpg_check == True ) else 0 }}
 {% for key, value in repo.iteritems() %}
 {% if key not in ['id', 'name', 'baseurl', 'enabled', 'gpgcheck'] and value is defined %}
diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml
index 718537287..cd0f20ae9 100644
--- a/roles/openshift_version/tasks/set_version_containerized.yml
+++ b/roles/openshift_version/tasks/set_version_containerized.yml
@@ -1,8 +1,9 @@
 ---
 - name: Set containerized version to configure if openshift_image_tag specified
   set_fact:
-    # Expects a leading "v" in inventory, strip it off here:
-    openshift_version: "{{ openshift_image_tag[1:].split('-')[0] }}"
+    # Expects a leading "v" in inventory, strip it off here unless
+    # openshift_image_tag=latest
+    openshift_version: "{{ openshift_image_tag[1:].split('-')[0] if openshift_image_tag != 'latest' else openshift_image_tag }}"
   when: openshift_image_tag is defined and openshift_version is not defined
 
 - name: Set containerized version to configure if openshift_release specified
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index c13c5dfc9..43db3cc74 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -4,6 +4,9 @@ OS Firewall
 OS Firewall manages firewalld and iptables firewall settings for a minimal use
 case (Adding/Removing rules based on protocol and port number).
 
+Note: firewalld is not supported on Atomic Host
+https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+
 Requirements
 ------------
 
@@ -14,7 +17,7 @@ Role Variables
 
 | Name                      | Default |                                        |
 |---------------------------|---------|----------------------------------------|
-| os_firewall_use_firewalld | False   | If false, use iptables                 |
+| os_firewall_use_firewalld | True    | If false, use iptables                 |
 | os_firewall_allow         | []      | List of service,port mappings to allow |
 | os_firewall_deny          | []      | List of service, port mappings to deny |
 
@@ -31,6 +34,7 @@ Use iptables and open tcp ports 80 and 443:
 ---
 - hosts: servers
   vars:
+    os_firewall_use_firewalld: false
     os_firewall_allow:
     - service: httpd
       port: 80/tcp
@@ -45,7 +49,6 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80:
 ---
 - hosts: servers
   vars:
-    os_firewall_use_firewalld: true
     os_firewall_allow:
     - service: https
       port: 443/tcp
diff --git a/roles/os_firewall/defaults/main.yml b/roles/os_firewall/defaults/main.yml
index c870a301a..4c544122f 100644
--- a/roles/os_firewall/defaults/main.yml
+++ b/roles/os_firewall/defaults/main.yml
@@ -1,9 +1,7 @@
 ---
 os_firewall_enabled: True
-# TODO: Upstream kubernetes only supports iptables currently
-# TODO: it might be possible to still use firewalld if we wire up the created
-# chains with the public zone (or the zone associated with the correct
-# interfaces)
-os_firewall_use_firewalld: False
+# firewalld is not supported on Atomic Host
+# https://bugzilla.redhat.com/show_bug.cgi?id=1403331
+os_firewall_use_firewalld: "{{ False if openshift.common.is_atomic | bool else True }}"
 os_firewall_allow: []
 os_firewall_deny: []
diff --git a/roles/os_firewall/tasks/main.yml b/roles/os_firewall/tasks/main.yml
index 076e5e311..20efe5b0d 100644
--- a/roles/os_firewall/tasks/main.yml
+++ b/roles/os_firewall/tasks/main.yml
@@ -1,4 +1,10 @@
 ---
+- name: Assert - Do not use firewalld on Atomic Host
+  assert:
+    that: not os_firewall_use_firewalld | bool
+    msg: "Firewalld is not supported on Atomic Host"
+  when: openshift.common.is_atomic | bool
+
 - include: firewall/firewalld.yml
   when: os_firewall_enabled | bool and os_firewall_use_firewalld | bool