Diffstat (limited to 'roles')
-rw-r--r--roles/cockpit/tasks/main.yml2
-rw-r--r--roles/dns/tasks/main.yml3
-rw-r--r--roles/docker/tasks/main.yml2
-rw-r--r--roles/etcd/tasks/etcdctl.yml3
-rw-r--r--roles/etcd/tasks/main.yml2
-rw-r--r--roles/etcd_ca/tasks/main.yml2
-rw-r--r--roles/etcd_server_certificates/tasks/main.yml2
-rw-r--r--roles/flannel/tasks/main.yml2
-rw-r--r--roles/kube_nfs_volumes/tasks/main.yml5
-rw-r--r--roles/kube_nfs_volumes/tasks/nfs.yml2
-rw-r--r--roles/nickhammond.logrotate/tasks/main.yml2
-rw-r--r--roles/nuage_ca/tasks/main.yaml4
-rw-r--r--roles/nuage_master/tasks/serviceaccount.yml2
-rw-r--r--roles/openshift_ca/tasks/main.yml4
-rw-r--r--roles/openshift_cli/tasks/main.yml4
-rw-r--r--roles/openshift_clock/tasks/main.yaml2
-rw-r--r--roles/openshift_common/tasks/main.yml4
-rw-r--r--roles/openshift_expand_partition/tasks/main.yml2
-rw-r--r--roles/openshift_facts/tasks/main.yml11
-rw-r--r--roles/openshift_loadbalancer/tasks/main.yml2
-rw-r--r--roles/openshift_manage_node/tasks/main.yml6
-rw-r--r--roles/openshift_manageiq/tasks/main.yaml10
-rw-r--r--roles/openshift_manageiq/vars/main.yml15
-rw-r--r--roles/openshift_master/tasks/main.yml8
-rw-r--r--roles/openshift_node/tasks/main.yml16
-rw-r--r--roles/openshift_node/tasks/storage_plugins/ceph.yml4
-rw-r--r--roles/openshift_node/tasks/storage_plugins/glusterfs.yml2
-rw-r--r--roles/openshift_node/tasks/storage_plugins/iscsi.yml2
-rw-r--r--roles/openshift_node/tasks/storage_plugins/nfs.yml2
-rw-r--r--roles/openshift_node_certificates/tasks/main.yml4
-rw-r--r--roles/openshift_node_dnsmasq/tasks/main.yml3
-rw-r--r--roles/openshift_repos/tasks/main.yaml2
-rw-r--r--roles/openshift_storage_nfs/tasks/main.yml2
-rw-r--r--roles/openshift_storage_nfs_lvm/tasks/nfs.yml4
-rw-r--r--roles/os_firewall/README.md2
-rwxr-xr-xroles/os_firewall/library/os_firewall_manage_iptables.py3
-rw-r--r--roles/os_firewall/meta/main.yml10
-rw-r--r--roles/os_firewall/tasks/firewall/firewalld.yml67
-rw-r--r--roles/os_firewall/tasks/firewall/iptables.yml56
-rw-r--r--roles/os_update_latest/tasks/main.yml2
40 files changed, 125 insertions, 157 deletions
diff --git a/roles/cockpit/tasks/main.yml b/roles/cockpit/tasks/main.yml
index 681029332..1975b92e6 100644
--- a/roles/cockpit/tasks/main.yml
+++ b/roles/cockpit/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: Install cockpit-ws
- action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+ package: name={{ item }} state=present
with_items:
- cockpit-ws
- cockpit-shell
diff --git a/roles/dns/tasks/main.yml b/roles/dns/tasks/main.yml
index 57a7e6269..2abe0d9dd 100644
--- a/roles/dns/tasks/main.yml
+++ b/roles/dns/tasks/main.yml
@@ -1,5 +1,6 @@
+---
- name: Install Bind
- action: "{{ ansible_pkg_mgr }} name=bind"
+ package: name=bind state=present
when: not openshift.common.is_containerized | bool
- name: Create docker build dir
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 9b7ef0830..a2b18baa1 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -40,7 +40,7 @@
# Make sure Docker is installed, but does not update a running version.
# Docker upgrades are handled by a separate playbook.
- name: Install Docker
- action: "{{ ansible_pkg_mgr }} name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present"
+ package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
when: not openshift.common.is_atomic | bool
- name: Ensure docker.service.d directory exists
diff --git a/roles/etcd/tasks/etcdctl.yml b/roles/etcd/tasks/etcdctl.yml
index 32c176449..bb6fabf64 100644
--- a/roles/etcd/tasks/etcdctl.yml
+++ b/roles/etcd/tasks/etcdctl.yml
@@ -1,5 +1,6 @@
+---
- name: Install etcd for etcdctl
- action: "{{ ansible_pkg_mgr }} name=etcd state=present"
+ package: name=etcd state=present
when: not openshift.common.is_atomic | bool
- name: Configure etcd profile.d alises
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 790eb3c5a..7b61e9b73 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -7,7 +7,7 @@
etcd_ip: "{{ etcd_ip }}"
- name: Install etcd
- action: "{{ ansible_pkg_mgr }} name=etcd state=present"
+ package: name=etcd state=present
when: not etcd_is_containerized | bool
- name: Pull etcd container
diff --git a/roles/etcd_ca/tasks/main.yml b/roles/etcd_ca/tasks/main.yml
index 4e68bc962..c4d5efa14 100644
--- a/roles/etcd_ca/tasks/main.yml
+++ b/roles/etcd_ca/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: Install openssl
- action: "{{ ansible_pkg_mgr }} name=openssl state=present"
+ package: name=openssl state=present
when: not etcd_is_atomic | bool
delegate_to: "{{ etcd_ca_host }}"
run_once: true
diff --git a/roles/etcd_server_certificates/tasks/main.yml b/roles/etcd_server_certificates/tasks/main.yml
index d66a0a7bf..b0fd117ed 100644
--- a/roles/etcd_server_certificates/tasks/main.yml
+++ b/roles/etcd_server_certificates/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: Install etcd
- action: "{{ ansible_pkg_mgr }} name=etcd state=present"
+ package: name=etcd state=present
when: not etcd_is_containerized | bool
- name: Check status of etcd certificates
diff --git a/roles/flannel/tasks/main.yml b/roles/flannel/tasks/main.yml
index bf400cfe8..a51455bae 100644
--- a/roles/flannel/tasks/main.yml
+++ b/roles/flannel/tasks/main.yml
@@ -1,7 +1,7 @@
---
- name: Install flannel
become: yes
- action: "{{ ansible_pkg_mgr }} name=flannel state=present"
+ package: name=flannel state=present
when: not openshift.common.is_atomic | bool
- name: Set flannel etcd options
diff --git a/roles/kube_nfs_volumes/tasks/main.yml b/roles/kube_nfs_volumes/tasks/main.yml
index 5eff30f6f..67f709c8c 100644
--- a/roles/kube_nfs_volumes/tasks/main.yml
+++ b/roles/kube_nfs_volumes/tasks/main.yml
@@ -4,7 +4,10 @@
when: openshift.common.is_atomic | bool
- name: Install pyparted (RedHat/Fedora)
- action: "{{ ansible_pkg_mgr }} name=pyparted,python-httplib2 state=present"
+ package: name={{ item }} state=present
+ with_items:
+ - pyparted
+ - python-httplib2
when: not openshift.common.is_containerized | bool
- name: partition the drives
diff --git a/roles/kube_nfs_volumes/tasks/nfs.yml b/roles/kube_nfs_volumes/tasks/nfs.yml
index 474ec69e5..ebd3d349a 100644
--- a/roles/kube_nfs_volumes/tasks/nfs.yml
+++ b/roles/kube_nfs_volumes/tasks/nfs.yml
@@ -1,6 +1,6 @@
---
- name: Install NFS server
- action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present"
+ package: name=nfs-utils state=present
when: not openshift.common.is_containerized | bool
- name: Start rpcbind on Fedora/Red Hat
diff --git a/roles/nickhammond.logrotate/tasks/main.yml b/roles/nickhammond.logrotate/tasks/main.yml
index 1979c851f..657cb10ec 100644
--- a/roles/nickhammond.logrotate/tasks/main.yml
+++ b/roles/nickhammond.logrotate/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: nickhammond.logrotate | Install logrotate
- action: "{{ ansible_pkg_mgr }} name=logrotate state=present"
+ package: name=logrotate state=present
when: not openshift.common.is_atomic | bool
- name: nickhammond.logrotate | Setup logrotate.d scripts
diff --git a/roles/nuage_ca/tasks/main.yaml b/roles/nuage_ca/tasks/main.yaml
index 9cfa40b8a..8d73e6840 100644
--- a/roles/nuage_ca/tasks/main.yaml
+++ b/roles/nuage_ca/tasks/main.yaml
@@ -1,6 +1,6 @@
---
- name: Install openssl
- action: "{{ ansible_pkg_mgr }} name=openssl state=present"
+ package: name=openssl state=present
when: not openshift.common.is_atomic | bool
- name: Create CA directory
@@ -41,6 +41,6 @@
delegate_to: "{{ nuage_ca_master }}"
- name: Copy SSL config file
- copy: src=openssl.cnf dest="{{ nuage_ca_dir }}/openssl.cnf"
+ copy: src=openssl.cnf dest="{{ nuage_ca_dir }}/openssl.cnf"
run_once: true
delegate_to: "{{ nuage_ca_master }}"
diff --git a/roles/nuage_master/tasks/serviceaccount.yml b/roles/nuage_master/tasks/serviceaccount.yml
index 2b3ae0454..41143772e 100644
--- a/roles/nuage_master/tasks/serviceaccount.yml
+++ b/roles/nuage_master/tasks/serviceaccount.yml
@@ -29,7 +29,7 @@
--config={{nuage_tmp_conf}}
with_items: "{{nuage_tasks}}"
register: osnuage_perm_task
- failed_when: "'already exists' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0"
+ failed_when: "'the object has been modified' not in osnuage_perm_task.stderr and osnuage_perm_task.rc != 0"
changed_when: osnuage_perm_task.rc == 0
- name: Generate the node client config
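Review bot: The new `failed_when` on the permission task treats 'the object has been modified' as success, but that text looks like the API server's update-conflict error, in which case the policy change for that item was not applied and the play carries on as if it had been. Retrying is safer than ignoring: drop the string match and add `until: osnuage_perm_task.rc == 0` with `retries: 3` and `delay: 2`. The change also stops tolerating 'already exists', so confirm that a re-run against an existing binding still exits 0. The task begins above the hunk, so its command is only partly visible here.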
diff --git a/roles/openshift_ca/tasks/main.yml b/roles/openshift_ca/tasks/main.yml
index b6d403067..e2a12e5ff 100644
--- a/roles/openshift_ca/tasks/main.yml
+++ b/roles/openshift_ca/tasks/main.yml
@@ -8,7 +8,9 @@
when: openshift_master_ca_certificate is defined and ('certfile' not in openshift_master_ca_certificate or 'keyfile' not in openshift_master_ca_certificate)
- name: Install the base package for admin tooling
- action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
+ package:
+ name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
+ state: present
when: not openshift.common.is_containerized | bool
register: install_result
delegate_to: "{{ openshift_ca_host }}"
diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml
index 11c73b25c..07a00189c 100644
--- a/roles/openshift_cli/tasks/main.yml
+++ b/roles/openshift_cli/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: Install clients
- action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-clients state=present"
+ package: name={{ openshift.common.service_type }}-clients state=present
when: not openshift.common.is_containerized | bool
- name: Pull CLI Image
@@ -20,5 +20,5 @@
openshift_facts:
- name: Install bash completion for oc tools
- action: "{{ ansible_pkg_mgr }} name=bash-completion state=present"
+ package: name=bash-completion state=present
when: not openshift.common.is_containerized | bool
diff --git a/roles/openshift_clock/tasks/main.yaml b/roles/openshift_clock/tasks/main.yaml
index 5a8403f68..3911201ea 100644
--- a/roles/openshift_clock/tasks/main.yaml
+++ b/roles/openshift_clock/tasks/main.yaml
@@ -6,7 +6,7 @@
enabled: "{{ openshift_clock_enabled | default(None) }}"
- name: Install ntp package
- action: "{{ ansible_pkg_mgr }} name=ntp state=present"
+ package: name=ntp state=present
when: openshift.clock.enabled | bool and not openshift.clock.chrony_installed | bool
- name: Start and enable ntpd/chronyd
diff --git a/roles/openshift_common/tasks/main.yml b/roles/openshift_common/tasks/main.yml
index 3f8ea5dce..c9a44b3f5 100644
--- a/roles/openshift_common/tasks/main.yml
+++ b/roles/openshift_common/tasks/main.yml
@@ -29,7 +29,9 @@
use_dnsmasq: "{{ openshift_use_dnsmasq | default(None) }}"
- name: Install the base package for versioning
- action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
+ package:
+ name: "{{ openshift.common.service_type }}{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
+ state: present
when: not openshift.common.is_containerized | bool
- name: Set version facts
diff --git a/roles/openshift_expand_partition/tasks/main.yml b/roles/openshift_expand_partition/tasks/main.yml
index cdd813e6a..00603f4fa 100644
--- a/roles/openshift_expand_partition/tasks/main.yml
+++ b/roles/openshift_expand_partition/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: Ensure growpart is installed
- action: "{{ ansible_pkg_mgr }} name=cloud-utils-growpart state=present"
+ package: name=cloud-utils-growpart state=present
when: not openshift.common.is_containerized | bool
- name: Determine if growpart is installed
diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml
index 4d4a232cc..70cf49dd4 100644
--- a/roles/openshift_facts/tasks/main.yml
+++ b/roles/openshift_facts/tasks/main.yml
@@ -10,12 +10,11 @@
- set_fact:
l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}"
-- name: Ensure PyYaml is installed
- action: "{{ ansible_pkg_mgr }} name=PyYAML state=present"
- when: not l_is_atomic | bool
-
-- name: Ensure yum-utils is installed
- action: "{{ ansible_pkg_mgr }} name=yum-utils state=present"
+- name: Ensure PyYaml and yum-utils are installed
+ package: name={{ item }} state=present
+ with_items:
+ - PyYAML
+ - yum-utils
when: not l_is_atomic | bool
- name: Gather Cluster facts and set is_containerized if needed
diff --git a/roles/openshift_loadbalancer/tasks/main.yml b/roles/openshift_loadbalancer/tasks/main.yml
index 863738143..1d2804279 100644
--- a/roles/openshift_loadbalancer/tasks/main.yml
+++ b/roles/openshift_loadbalancer/tasks/main.yml
@@ -3,7 +3,7 @@
when: openshift.common.is_containerized | bool
- name: Install haproxy
- action: "{{ ansible_pkg_mgr }} name=haproxy state=present"
+ package: name=haproxy state=present
- name: Configure systemd service directory for haproxy
file:
diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml
index 88cdd2d89..c06758833 100644
--- a/roles/openshift_manage_node/tasks/main.yml
+++ b/roles/openshift_manage_node/tasks/main.yml
@@ -47,7 +47,7 @@
- name: Wait for Node Registration
command: >
- {{ openshift.common.client_binary }} get node {{ openshift.node.nodename }}
+ {{ hostvars[openshift_master_host].openshift.common.client_binary }} get node {{ openshift.node.nodename }}
--config={{ openshift_manage_node_kubeconfig }}
-n default
register: omd_get_node
@@ -60,7 +60,7 @@
- name: Set node schedulability
command: >
- {{ openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename }} --schedulable={{ 'true' if openshift.node.schedulable | bool else 'false' }}
+ {{ hostvars[openshift_master_host].openshift.common.client_binary }} adm manage-node {{ openshift.node.nodename }} --schedulable={{ 'true' if openshift.node.schedulable | bool else 'false' }}
--config={{ openshift_manage_node_kubeconfig }}
-n default
when: "'nodename' in openshift.node"
@@ -68,7 +68,7 @@
- name: Label nodes
command: >
- {{ openshift.common.client_binary }} label --overwrite node {{ openshift.node.nodename }} {{ openshift.node.labels | oo_combine_dict }}
+ {{ hostvars[openshift_master_host].openshift.common.client_binary }} label --overwrite node {{ openshift.node.nodename }} {{ openshift.node.labels | oo_combine_dict }}
--config={{ openshift_manage_node_kubeconfig }}
-n default
when: "'nodename' in openshift.node and 'labels' in openshift.node and openshift.node.labels != {}"
diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml
index bdaf64b3f..a7214482f 100644
--- a/roles/openshift_manageiq/tasks/main.yaml
+++ b/roles/openshift_manageiq/tasks/main.yaml
@@ -50,6 +50,16 @@
failed_when: "'already exists' not in osmiq_create_cluster_role.stderr and osmiq_create_cluster_role.rc != 0"
changed_when: osmiq_create_cluster_role.rc == 0
+- name: Create Hawkular Metrics Admin Cluster Role
+ shell: >
+ echo {{ manageiq_metrics_admin_clusterrole | to_json | quote }} |
+ {{ openshift.common.client_binary }}
+ --config={{manage_iq_tmp_conf}}
+ create -f -
+ register: oshawkular_create_cluster_role
+ failed_when: "'already exists' not in oshawkular_create_cluster_role.stderr and oshawkular_create_cluster_role.rc != 0"
+ changed_when: oshawkular_create_cluster_role.rc == 0
+
- name: Configure role/user permissions
command: >
{{ openshift.common.client_binary }} adm {{item}}
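Review bot: In the added "Create Hawkular Metrics Admin Cluster Role" task, `failed_when` accepts 'already exists', so a `hawkular-metrics-admin` role already on the cluster is kept whatever its rules are, and later edits to `manageiq_metrics_admin_clusterrole` never reach it. A comment such as `# create-only: an existing role is left as is, its rules are not reconciled` would make that explicit, or the task could replace the object when it exists. Only the JSON payload goes through `quote`; the config path is pasted into the shell line raw, so `--config={{ manage_iq_tmp_conf | quote }}` is the safer form.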
diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml
index 6a0c5b41b..37d4679ef 100644
--- a/roles/openshift_manageiq/vars/main.yml
+++ b/roles/openshift_manageiq/vars/main.yml
@@ -9,6 +9,20 @@ manageiq_cluster_role:
verbs:
- '*'
+manageiq_metrics_admin_clusterrole:
+ apiVersion: v1
+ kind: ClusterRole
+ metadata:
+ name: hawkular-metrics-admin
+ rules:
+ - apiGroups:
+ - ""
+ resources:
+ - hawkular-metrics
+ - hawkular-alerts
+ verbs:
+ - '*'
+
manageiq_service_account:
apiVersion: v1
kind: ServiceAccount
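Review bot: The new `manageiq_metrics_admin_clusterrole` grants `verbs: ['*']` on `hawkular-metrics` and `hawkular-alerts`, and the second hunk of this file binds it to `system:serviceaccount:management-infra:management-admin` through `add-cluster-role-to-user`. If that service account only reads metrics and alerts, list the verbs it needs (for example `get`, `list`, `watch`) instead of the wildcard. If write access is intended, a comment above the variable saying so would help the next reviewer. The wildcard mirrors the existing `manageiq_cluster_role`, which sits mostly above the hunk.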
@@ -31,6 +45,7 @@ manage_iq_tasks:
- policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin
- policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin
- policy add-cluster-role-to-user self-provisioner system:serviceaccount:management-infra:management-admin
+ - policy add-cluster-role-to-user hawkular-metrics-admin system:serviceaccount:management-infra:management-admin
manage_iq_openshift_3_2_tasks:
- policy add-cluster-role-to-user system:image-auditor system:serviceaccount:management-infra:management-admin
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 1d6758c4a..79c62e985 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -24,7 +24,9 @@
when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and openshift.common.is_containerized | bool
- name: Install Master package
- action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
+ package:
+ name: "{{ openshift.common.service_type }}-master{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
+ state: present
when: not openshift.common.is_containerized | bool
- name: Pull master image
@@ -77,7 +79,7 @@
- restart master controllers
- name: Install httpd-tools if needed
- action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present"
+ package: name=httpd-tools state=present
when: (item.kind == 'HTPasswdPasswordIdentityProvider') and
not openshift.common.is_atomic | bool
with_items: "{{ openshift.master.identity_providers }}"
@@ -292,7 +294,7 @@
when: openshift_master_ha | bool and openshift.master.cluster_method == 'native'
- name: Install cluster packages
- action: "{{ ansible_pkg_mgr }} name=pcs state=present"
+ package: name=pcs state=present
when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
and not openshift.common.is_containerized | bool
register: install_result
diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml
index 6022694bc..612cc0e20 100644
--- a/roles/openshift_node/tasks/main.yml
+++ b/roles/openshift_node/tasks/main.yml
@@ -35,15 +35,25 @@
# We have to add tuned-profiles in the same transaction otherwise we run into depsolving
# problems because the rpms don't pin the version properly. This was fixed in 3.1 packaging.
- name: Install Node package
- action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
+ package:
+ name: "{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_pkg_version | default('') | oo_image_tag_to_rpm_version(include_dash=True) }}"
+ state: present
when: not openshift.common.is_containerized | bool
+- name: Check for tuned package
+ command: rpm -q tuned
+ register: tuned_installed
+ changed_when: false
+ failed_when: false
+
- name: Set atomic-guest tuned profile
command: "tuned-adm profile atomic-guest"
- when: openshift.common.is_atomic | bool
+ when: tuned_installed.rc == 0 and openshift.common.is_atomic | bool
- name: Install sdn-ovs package
- action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version | oo_image_tag_to_rpm_version(include_dash=True) }} state=present"
+ package:
+ name: "{{ openshift.common.service_type }}-sdn-ovs{{ openshift_pkg_version | oo_image_tag_to_rpm_version(include_dash=True) }}"
+ state: present
when: openshift.common.use_openshift_sdn and not openshift.common.is_containerized | bool
- name: Pull node image
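Review bot: The added "Check for tuned package" task sets `failed_when: false`, which hides every failure of `rpm -q tuned`, not only the "not installed" result. `rpm -q` exits 1 when the package is absent, so `failed_when: tuned_installed.rc > 1` keeps that case quiet while still surfacing a broken rpm database or a command that could not be run. As written, any such error simply skips the atomic-guest profile with nothing in the play output to show why.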
diff --git a/roles/openshift_node/tasks/storage_plugins/ceph.yml b/roles/openshift_node/tasks/storage_plugins/ceph.yml
index eed3c99a3..037efe81a 100644
--- a/roles/openshift_node/tasks/storage_plugins/ceph.yml
+++ b/roles/openshift_node/tasks/storage_plugins/ceph.yml
@@ -1,4 +1,4 @@
---
- name: Install Ceph storage plugin dependencies
- action: "{{ ansible_pkg_mgr }} name=ceph-common state=present"
- when: not openshift.common.is_atomic | bool \ No newline at end of file
+ package: name=ceph-common state=present
+ when: not openshift.common.is_atomic | bool
diff --git a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
index 4fd9cd10b..7d8c42ee2 100644
--- a/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
+++ b/roles/openshift_node/tasks/storage_plugins/glusterfs.yml
@@ -1,6 +1,6 @@
---
- name: Install GlusterFS storage plugin dependencies
- action: "{{ ansible_pkg_mgr }} name=glusterfs-fuse state=present"
+ package: name=glusterfs-fuse state=present
when: not openshift.common.is_atomic | bool
- name: Check for existence of virt_use_fusefs seboolean
diff --git a/roles/openshift_node/tasks/storage_plugins/iscsi.yml b/roles/openshift_node/tasks/storage_plugins/iscsi.yml
index d6684b34a..1c5478c55 100644
--- a/roles/openshift_node/tasks/storage_plugins/iscsi.yml
+++ b/roles/openshift_node/tasks/storage_plugins/iscsi.yml
@@ -1,4 +1,4 @@
---
- name: Install iSCSI storage plugin dependencies
- action: "{{ ansible_pkg_mgr }} name=iscsi-initiator-utils state=present"
+ package: name=iscsi-initiator-utils state=present
when: not openshift.common.is_atomic | bool
diff --git a/roles/openshift_node/tasks/storage_plugins/nfs.yml b/roles/openshift_node/tasks/storage_plugins/nfs.yml
index 5f99f129c..d40ae66cb 100644
--- a/roles/openshift_node/tasks/storage_plugins/nfs.yml
+++ b/roles/openshift_node/tasks/storage_plugins/nfs.yml
@@ -1,6 +1,6 @@
---
- name: Install NFS storage plugin dependencies
- action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present"
+ package: name=nfs-utils state=present
when: not openshift.common.is_atomic | bool
- name: Check for existence of seboolean
diff --git a/roles/openshift_node_certificates/tasks/main.yml b/roles/openshift_node_certificates/tasks/main.yml
index 69bcd3668..35f84c2cf 100644
--- a/roles/openshift_node_certificates/tasks/main.yml
+++ b/roles/openshift_node_certificates/tasks/main.yml
@@ -44,7 +44,7 @@
- name: Generate the node client config
command: >
- {{ openshift.common.client_binary }} adm create-api-client-config
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm create-api-client-config
{% for named_ca_certificate in hostvars[openshift_ca_host].openshift.master.named_certificates | default([]) | oo_collect('cafile') %}
--certificate-authority {{ named_ca_certificate }}
{% endfor %}
@@ -63,7 +63,7 @@
- name: Generate the node server certificate
command: >
- {{ openshift.common.client_binary }} adm ca create-server-cert
+ {{ hostvars[openshift_ca_host].openshift.common.client_binary }} adm ca create-server-cert
--cert={{ openshift_node_generated_config_dir }}/server.crt
--key={{ openshift_generated_configs_dir }}/node-{{ openshift.common.hostname }}/server.key
--overwrite=true
diff --git a/roles/openshift_node_dnsmasq/tasks/main.yml b/roles/openshift_node_dnsmasq/tasks/main.yml
index 396c27295..0167b02b1 100644
--- a/roles/openshift_node_dnsmasq/tasks/main.yml
+++ b/roles/openshift_node_dnsmasq/tasks/main.yml
@@ -4,13 +4,14 @@
systemctl show NetworkManager
register: nm_show
changed_when: false
+ ignore_errors: True
- name: Set fact using_network_manager
set_fact:
network_manager_active: "{{ True if 'ActiveState=active' in nm_show.stdout else False }}"
- name: Install dnsmasq
- action: "{{ ansible_pkg_mgr }} name=dnsmasq state=installed"
+ package: name=dnsmasq state=installed
when: not openshift.common.is_atomic | bool
- name: Install dnsmasq configuration
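Review bot: `ignore_errors: True` on the `systemctl show NetworkManager` probe lets any failure through, and the following `set_fact` still reads `nm_show.stdout`. If the command cannot be run at all, `stdout` may be missing from the registered result and the fact task would fail on an undefined attribute; `'ActiveState=active' in nm_show.stdout | default('')` guards against that. `failed_when: false` would express "this probe may fail" without the ignored-failure noise in the play output. The probe task starts above the hunk. Separately, `state=installed` on the dnsmasq task is the only install in this commit that does not use `state=present`.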
diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml
index a81867b98..d5ed9c09d 100644
--- a/roles/openshift_repos/tasks/main.yaml
+++ b/roles/openshift_repos/tasks/main.yaml
@@ -12,7 +12,7 @@
when: not openshift.common.is_containerized | bool
- name: Ensure libselinux-python is installed
- action: "{{ ansible_pkg_mgr }} name=libselinux-python state=present"
+ package: name=libselinux-python state=present
when: not openshift.common.is_containerized | bool
- name: Create any additional repos that are defined
diff --git a/roles/openshift_storage_nfs/tasks/main.yml b/roles/openshift_storage_nfs/tasks/main.yml
index 4716c77ae..ecc52e4af 100644
--- a/roles/openshift_storage_nfs/tasks/main.yml
+++ b/roles/openshift_storage_nfs/tasks/main.yml
@@ -1,6 +1,6 @@
---
- name: Install nfs-utils
- action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present"
+ package: name=nfs-utils state=present
- name: Configure NFS
lineinfile:
diff --git a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml
index fc8de1cb5..e0be9f0b7 100644
--- a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml
+++ b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml
@@ -1,8 +1,8 @@
---
- name: Install NFS server
- action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present"
+ package: name=nfs-utils state=present
when: not openshift.common.is_containerized | bool
-
+
- name: Start rpcbind
service: name=rpcbind state=started enabled=yes
diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md
index c6c70b81d..bb7fc2384 100644
--- a/roles/os_firewall/README.md
+++ b/roles/os_firewall/README.md
@@ -31,7 +31,6 @@ Use iptables and open tcp ports 80 and 443:
---
- hosts: servers
vars:
- os_firewall_use_firewalld: false
os_firewall_allow:
- service: httpd
port: 80/tcp
@@ -46,6 +45,7 @@ Use firewalld and open tcp port 443 and close previously open tcp port 80:
---
- hosts: servers
vars:
+ os_firewall_use_firewalld: true
os_firewall_allow:
- service: https
port: 443/tcp
diff --git a/roles/os_firewall/library/os_firewall_manage_iptables.py b/roles/os_firewall/library/os_firewall_manage_iptables.py
index bd638b69b..37bb16f35 100755
--- a/roles/os_firewall/library/os_firewall_manage_iptables.py
+++ b/roles/os_firewall/library/os_firewall_manage_iptables.py
@@ -139,7 +139,7 @@ class IpTablesManager(object): # pylint: disable=too-many-instance-attributes
output = check_output(cmd, stderr=subprocess.STDOUT)
# break the input rules into rows and columns
- input_rules = [s.split() for s in output.split('\n')]
+ input_rules = [s.split() for s in to_native(output).split('\n')]
# Find the last numbered rule
last_rule_num = None
@@ -269,5 +269,6 @@ def main():
# pylint: disable=redefined-builtin, unused-wildcard-import, wildcard-import
# import module snippets
from ansible.module_utils.basic import *
+from ansible.module_utils._text import to_native
if __name__ == '__main__':
main()
diff --git a/roles/os_firewall/meta/main.yml b/roles/os_firewall/meta/main.yml
index 6df7c9f2b..4cfc72011 100644
--- a/roles/os_firewall/meta/main.yml
+++ b/roles/os_firewall/meta/main.yml
@@ -6,11 +6,11 @@ galaxy_info:
license: Apache License, Version 2.0
min_ansible_version: 1.7
platforms:
- - name: EL
- versions:
- - 7
+ - name: EL
+ versions:
+ - 7
categories:
- - system
+ - system
allow_duplicates: yes
dependencies:
-- { role: openshift_facts }
+ - role: openshift_facts
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
index 5ddca1fc0..1101870be 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewall/firewalld.yml
@@ -1,88 +1,45 @@
---
- name: Install firewalld packages
- action: "{{ ansible_pkg_mgr }} name=firewalld state=present"
+ package: name=firewalld state=present
when: not openshift.common.is_containerized | bool
- register: install_result
-
-- name: Check if iptables-services is installed
- command: rpm -q iptables-services
- register: pkg_check
- failed_when: pkg_check.rc > 1
- changed_when: no
- name: Ensure iptables services are not enabled
- service:
+ systemd:
name: "{{ item }}"
state: stopped
enabled: no
+ masked: yes
with_items:
- - iptables
- - ip6tables
- when: pkg_check.rc == 0
-
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: install_result | changed
-
-- name: Determine if firewalld service masked
- command: >
- systemctl is-enabled firewalld
- register: os_firewall_firewalld_masked_output
- changed_when: false
- failed_when: false
-
-- name: Unmask firewalld service
- command: >
- systemctl unmask firewalld
- when: os_firewall_firewalld_masked_output.stdout == "masked"
+ - iptables
+ - ip6tables
+ register: task_result
+ failed_when: "task_result|failed and 'could not' not in task_result.msg|lower"
- name: Start and enable firewalld service
- service:
+ systemd:
name: firewalld
state: started
enabled: yes
+ masked: no
+ daemon_reload: yes
register: result
- name: need to pause here, otherwise the firewalld service starting can sometimes cause ssh to fail
pause: seconds=10
when: result | changed
-- name: Mask iptables services
- command: systemctl mask "{{ item }}"
- register: result
- changed_when: "'iptables' in result.stdout"
- with_items:
- - iptables
- - ip6tables
- when: pkg_check.rc == 0
- ignore_errors: yes
-
-# TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
-# enabling rules and making them permanent with the immediate flag
- name: Add firewalld allow rules
firewalld:
port: "{{ item.port }}"
- permanent: false
- state: enabled
- with_items: "{{ os_firewall_allow }}"
-
-- name: Persist firewalld allow rules
- firewalld:
- port: "{{ item.port }}"
permanent: true
+ immediate: true
state: enabled
with_items: "{{ os_firewall_allow }}"
- name: Remove firewalld allow rules
firewalld:
port: "{{ item.port }}"
- permanent: false
- state: disabled
- with_items: "{{ os_firewall_deny }}"
-
-- name: Persist removal of firewalld allow rules
- firewalld:
- port: "{{ item.port }}"
permanent: true
+ immediate: true
state: disabled
with_items: "{{ os_firewall_deny }}"
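Review bot: The `failed_when` on "Ensure iptables services are not enabled" passes any failure whose message contains 'could not', which is much wider than the "unit is not installed" case that the removed `rpm -q iptables-services` check covered. A failure to stop or mask iptables for some other reason would be swallowed and firewalld started alongside it. Match the specific message instead, e.g. `'could not find' not in task_result.msg|lower` (confirm the exact text the systemd module emits), and add a comment naming the tolerated error. The same expression is used for the firewalld unit in roles/os_firewall/tasks/firewall/iptables.yml. The `systemd` module with `masked` and `daemon_reload` also needs a newer Ansible than the `min_ansible_version: 1.7` still declared in the role's meta/main.yml.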
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
index 470d4f4f9..930b32cf2 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/firewall/iptables.yml
@@ -1,64 +1,28 @@
---
-- name: Check if firewalld is installed
- command: rpm -q firewalld
- args:
- # Disables the following warning:
- # Consider using yum, dnf or zypper module rather than running rpm
- warn: no
- register: pkg_check
- failed_when: pkg_check.rc > 1
- changed_when: no
- name: Ensure firewalld service is not enabled
- service:
+ systemd:
name: firewalld
state: stopped
enabled: no
- when: pkg_check.rc == 0
-
-# TODO: submit PR upstream to add mask/unmask to service module
-- name: Mask firewalld service
- command: systemctl mask firewalld
- register: result
- changed_when: "'firewalld' in result.stdout"
- when: pkg_check.rc == 0
- ignore_errors: yes
+ masked: yes
+ register: task_result
+ failed_when: "task_result|failed and 'could not' not in task_result.msg|lower"
- name: Install iptables packages
- action: "{{ ansible_pkg_mgr }} name={{ item }} state=present"
+ package: name={{ item }} state=present
with_items:
- - iptables
- - iptables-services
- register: install_result
+ - iptables
+ - iptables-services
when: not openshift.common.is_atomic | bool
-- name: Reload systemd units
- command: systemctl daemon-reload
- when: install_result | changed
-
-- name: Determine if iptables service masked
- command: >
- systemctl is-enabled {{ item }}
- with_items:
- - iptables
- - ip6tables
- register: os_firewall_iptables_masked_output
- changed_when: false
- failed_when: false
-
-- name: Unmask iptables service
- command: >
- systemctl unmask {{ item }}
- with_items:
- - iptables
- - ip6tables
- when: "'masked' in os_firewall_iptables_masked_output.results | map(attribute='stdout')"
-
- name: Start and enable iptables service
- service:
+ systemd:
name: iptables
state: started
enabled: yes
+ masked: no
+ daemon_reload: yes
register: result
- name: need to pause here, otherwise the iptables service starting can sometimes cause ssh to fail
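Review bot: After this change only the `iptables` unit is unmasked, through `masked: no` on "Start and enable iptables service", whereas the removed "Unmask iptables service" task looped over both `iptables` and `ip6tables`. Since firewalld.yml masks both units, a host switched from firewalld back to iptables would keep `ip6tables` masked. If that is not intended, add a `systemd: name=ip6tables masked=no` task before the start, or say in a comment that ip6tables is deliberately left alone. The last task in the hunk continues past the visible lines.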
diff --git a/roles/os_update_latest/tasks/main.yml b/roles/os_update_latest/tasks/main.yml
index ff2b52275..6b5fd0106 100644
--- a/roles/os_update_latest/tasks/main.yml
+++ b/roles/os_update_latest/tasks/main.yml
@@ -1,3 +1,3 @@
---
- name: Update all packages
- action: "{{ ansible_pkg_mgr }} name=* state=latest"
+ package: name=* state=latest