| Age | Commit message (Collapse) | Author |
|---|
|
For testing cases it's sometimes useful to not create Cinder volumes for
the VMs. It can also sometimes be a little faster and more robust (but
unfit for production).
This adds an option called `ephemeral_volumes` that will use the VM's
storage instead of creating volumes when set to true.
|
|
With the move to the static inventory, we don't need it anymore so it's
now just an unnecessary step in the deployment.
Note that the users may still want to use clouds.yaml for openstack
credentials instead of sourcing the `OS_*` environment variables, but
they can do that at their discression.
The reason we had the clouds.yaml here was because the `openstack.py`
dynamic inventory used the servers' UUID's as ansible hosts by default
and the options we put in caused it to use the hostnames (as desired).
|
|
|
|
Add wildcard record for Private DNS
|
|
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
* At the provisioning stage, allow users to auto-generate SSH config,
when using a static inventory.
* Run playbooks to provsion and post-provision as a separate, when
using a bastion. This re-applies the SSH config, which ansible can't
do on the fly.
* Support a pre-installed bastion node, colocated with the 1st infra
node.
* With a bastion enabled, reduce floating IP footprint to infra and
dns nodes only, effectively isolating a cluster in a private
network.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
* README in provisioning: note about infra-ansible not updating versions if one exists
* README in provisioning: minor change
* README: improved readability
|
|
* At the provisioning stage, allow users to auto-generate a static
inventory w/o manual steps needed. The alternative to
go fully dynamic TBD.
* Move openshift pre-install playbook to the post provision playbook,
where the second part of the pre install tasks is already placed.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
* Autogenerate inventory/hosts when 'inventory: static' (Default),
with the shade-inventory tool.
* Drop unused anymore: openstack.py and associated GPL notes,
an example static inventory, omit manual updates for the
inventory DNS names in the deployment guide.
* Switch openstack.py formatted inventory hostvars
to the shade-inventory format (omit openstack.* from hostvars).
* Populate node labels from inventory vars instead of the heat
templates combined with inventory vars.
* Add app (k8s minions) nodes group for primary node labels.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
Added prerequisity for python-openstackclient installation
|
|
Because openshift-ansible requires root on the cluster nodes, but it
doesn't explicitly set it in the playbooks (like we do), let's set it
in our inventory instead of requiring to pass `--become` to
`ansible-playbook`.
That will simplify the installation steps as well as let us include
the provisioning and openshift-ansible playbooks in a single playbook.
|
|
|
|
|
|
dependencies
|
|
python-openstackclient installation
|
|
* Set up NetworkManager automatically
This removes the extra step of running the
`openshift-ansible/playbooks/byo/openshift-node/network_manager.yml`
before installing openshift. In addition, the playbook relies on a
host group that the provisioning doesn't provide (oo_all_hosts).
Instead, we set up NetworkManager on CentOS nodes automatically. And
we restart it on RHEL (which is necessary for the nodes to pick up the
new DNS we configured the subnet with).
This makes the provisioning easier and more resilient.
* Apply the node-network-manager role to every node
It makes the code simpler and more consistent across distros.
|
|
* Switch the sample inventory to CentOS
This changes the image name and deployment types to use centos instead
of rhel and sets `rhsm_register` to false.
With these changes, the inventory should be immediately deployable
using the default values (assuming the image, network and flavor names
match).
Ideally, the upstream CI will just end up using this inventory with
little to no changes, too at some point.
* Specify the origin openshift_release
|
|
* Add defaults values for some openstack vars
Ansible shows errors when the `rhsm_register` and
`openstack_flat_secgrp` values are not present in the inventory even
though they have sensible default values.
This makes them both default to false when they're not specified.
* Comment out the flat security group option in inv
It's no longer required to be there so let's comment it out.
|
|
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
provisioning (#518)
* prerequisites.yml: check prerequisites on localhost needed for provisioning
provision.yml: includes prerequisites.yml
* prerequisites: indentation fixed
* prerequisites.yml: used ansible_version variable, openstack modules for ansible
* prerequisites.yml: os_keypair is not suitable for this purpose
* prerequisites.yml: openstack keypair command exchanged for shade
- there is no Ansible module for this now
- os_keypair is not suitable for this purpose
- python-openstackclient dependency is not desirable
|
|
Manage packages to install/update for openstack provider
|
|
* Firstly, provision a Heat stack with given public resolvers.
* After the DNS node configured as an authoritative server,
switch the Heat stack's Neutron subnet to that resolver
(private_dns_server) the way it to become the first entry pushed
into the hosts /etc/resolv.conf. It will be serving the cluster
domain requests for OpenShift nodes and workloads.
* Drop post-provision /etc/reslov.conf nameserver hacks as not
needed anymore.
* Fix dns floating IPs output and add the priv IPs output as well.
* Update docs, clarify localhost vs servers requirements, add
required Network Manager setup step.
* Use post-provision task names instead of comments.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
Allow required packages and yum update all steps to be optionally
disabled.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
The `wait_for_connection` module is more reliable as it uses Ansible's `ping`
to verify the nodes are really accessible. Using `wait_for` and checking that
port 22 is open runs into the possibility of SSH being up but the public keys
or users not being set up yet (as that's done with cloud-init).
In addition, we were gathering facts before running the wait_for task which
rendered it useless.
|
|
|
|
|
|
Add node_removal_policies variable to openstack provisioning to allow for scaling down
|
|
all.yml: removed whitespaces in front of variables
|
|
|
|
|
|
OSEv3.yml: added option to ignore set hardware limits for RAM and DISK
|
|
Fix flat sec group and infra/dns sec rules
|
|
|
|
|
|
|
|
Make flat sec group to only merge node/master/etcd sec rules.
Add basic dns/ssh sec group and assign it to all but dns node groups.
Assign only dns sec group for dns nodes.
Assign only infra (and basic) sec groups for ingra nodes.
Add security notes for openstack provider.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
Prohibit sudoing for localhost played tasks, like DNS setup.
Re-use cached facts to speed up deployment.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
Tune an example ansible.cfg to include
tasks profiling info and improve displaying
of skipped tasks.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
|
|
|
|
|
Provision tasks use facts like ansible_hostname and few others.
W/o gathering facts, those expire, and the provision playbook cannot
be reapplied in order to update the existing heat stack.
Refresh the facts cache by specifying gather_facts: true.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
TODO use with
when: ansible_distribution == 'CentOS'
Also update docs for origin
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
Add a openstack_flat_secgroup, defaults to False.
When set, merges sec rules for master, node, etcd, infra nodes into a
single group. Less secure, but might help to mitigate quota limitations.
Update docs. Use timeout 30s to mitigate the error:
Timeout (12s) waiting for privilege escalation prompt.
Signed-off-by: Bogdan Dobrelya <bdobreli@redhat.com>
|
|
|
