From df8f5f0e251a014ab30dabd62c17e151b7fe36e8 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Wed, 12 Jul 2017 13:09:45 +0200 Subject: Options for bastion, SSH config, static inventory autogeneration * At the provisioning stage, allow users to auto-generate SSH config, when using a static inventory. * Run playbooks to provsion and post-provision as a separate, when using a bastion. This re-applies the SSH config, which ansible can't do on the fly. * Support a pre-installed bastion node, colocated with the 1st infra node. * With a bastion enabled, reduce floating IP footprint to infra and dns nodes only, effectively isolating a cluster in a private network. Signed-off-by: Bogdan Dobrelya --- playbooks/provisioning/openstack/README.md | 31 ++++++++++++++++++++++++++---- 1 file changed, 27 insertions(+), 4 deletions(-) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 1ff586b49..6b9e5a3a9 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -40,7 +40,7 @@ Alternatively you can install directly from github: -p openshift-ansible-contrib/roles Notes: -* This assumes we're in the directory that contains the clonned +* This assumes we're in the directory that contains the clonned openshift-ansible-contrib repo in its root path. * When trying to install a different version, the previous one must be removed first (`infra-ansible` directory from [roles](https://github.com/openshift/openshift-ansible-contrib/tree/master/roles)). @@ -177,16 +177,30 @@ variables for the `inventory/group_vars/OSEv3.yml`, `all.yml`: origin_release: 1.5.1 openshift_deployment_type: "{{ deployment_type }}" -### Configure static inventory +### Configure static inventory and access via a bastion node Example inventory variables: + openstack_use_bastion: true + bastion_ingress_cidr: "{{openstack_subnet_prefix}}.0/24" openstack_private_ssh_key: ~/.ssh/openshift openstack_inventory: static openstack_inventory_path: ../../../../inventory + openstack_ssh_config_path: /tmp/ssh.config.openshift.ansible.openshift.example.com +The `openstack_subnet_prefix` is the openstack private network for your cluster. +And the `bastion_ingress_cidr` defines accepted range for SSH connections to nodes +additionally to the `ssh_ingress_cidr`` (see the security notes above). -In this guide, the latter points to the current directory, where you run ansible commands +The SSH config will be stored on the ansible control node by the +gitven path. Ansible uses it automatically. To access the cluster nodes with +that ssh config, use the `-F` prefix, f.e.: + + ssh -F /tmp/ssh.config.openshift.ansible.openshift.example.com master-0.openshift.example.com echo OK + +Note, relative paths will not work for the `openstack_ssh_config_path`, but it +works for the `openstack_private_ssh_key` and `openstack_inventory_path`. In this +guide, the latter points to the current directory, where you run ansible commands from. To verify nodes connectivity, use the command: @@ -194,7 +208,7 @@ To verify nodes connectivity, use the command: ansible -v -i inventory/hosts -m ping all If something is broken, double-check the inventory variables, paths and the -generated `/hosts` file. +generated `/hosts` and `openstack_ssh_config_path` files. The `inventory: dynamic` can be used instead to access cluster nodes directly via floating IPs. In this mode you can not use a bastion node and should specify @@ -213,6 +227,15 @@ this is how you stat the provisioning process from your ansible control node: Note, here you start with an empty inventory. The static inventory will be populated with data so you can omit providing additional arguments for future ansible commands. +If bastion enabled, the generates SSH config must be applied for ansible. +Otherwise, it is auto included by the previous step. In order to execute it +as a separate playbook, use the following command: + + ansible-playbook openshift-ansible-contrib/playbooks/provisioning/openstack/post-provision-openstack.yml + +The first infra node then becomes a bastion node as well and proxies access +for future ansible commands. The post-provision step also configures Satellite, +if requested, and DNS server, and ensures other OpenShift requirements to be met. ### Install OpenShift -- cgit v1.2.3 From 56bd0c0417b4a5d79a106a0aed771a4ca477d572 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Fri, 28 Jul 2017 16:44:36 +0200 Subject: Note about jmespath requirement for control node (#599) Signed-off-by: Bogdan Dobrelya --- playbooks/provisioning/openstack/README.md | 1 + 1 file changed, 1 insertion(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 6b9e5a3a9..8e99dd14b 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -10,6 +10,7 @@ etc.). The result is an environment ready for openshift-ansible. * [Ansible-galaxy](https://pypi.python.org/pypi/ansible-galaxy-local-deps) * [jinja2](http://jinja.pocoo.org/docs/2.9/) * [shade](https://pypi.python.org/pypi/shade) +* python-jmespath / [jmespath](https://pypi.python.org/pypi/jmespath) * python-dns / [dnspython](https://pypi.python.org/pypi/dnspython) * Become (sudo) is not required. -- cgit v1.2.3 From bc73ea59b62f6b24426171c9dc370ad6509e99a7 Mon Sep 17 00:00:00 2001 From: Tomas Sedovic Date: Fri, 4 Aug 2017 14:12:05 +0200 Subject: Remove clouds.yaml from sample-inventory With the move to the static inventory, we don't need it anymore so it's now just an unnecessary step in the deployment. Note that the users may still want to use clouds.yaml for openstack credentials instead of sourcing the `OS_*` environment variables, but they can do that at their discression. The reason we had the clouds.yaml here was because the `openstack.py` dynamic inventory used the servers' UUID's as ansible hosts by default and the options we put in caused it to use the hostnames (as desired). --- playbooks/provisioning/openstack/README.md | 4 ---- 1 file changed, 4 deletions(-) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 8e99dd14b..c7b2ea975 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -63,10 +63,6 @@ Otherwise, even if there are differences between the two versions, installation cp -r openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory inventory -### Copy clouds.yaml - - cp openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory/clouds.yaml clouds.yaml - ### Copy ansible config cp openshift-ansible-contrib/playbooks/provisioning/openstack/sample-inventory/ansible.cfg ansible.cfg -- cgit v1.2.3 From 784443b0d88597b988c3d5c58bc6358f5c73675e Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Tue, 15 Aug 2017 17:48:58 +0200 Subject: Support multiple private networks for static inventory (#604) Add openstack_private_network_name to filter by a wanted private network. Signed-off-by: Bogdan Dobrelya --- playbooks/provisioning/openstack/README.md | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index c7b2ea975..98c847d88 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -110,6 +110,10 @@ providing external connectivity. It is often called `public`, `external` or `ext-net`. You can see your networks with `openstack network list`. +`openstack_private_network_name` is the name of the private Neutron network +providing admin/control access for ansible. It can be merged with other +cluster networks, there are no special requirements for networking. + The `openstack_num_masters`, `openstack_num_infra` and `openstack_num_nodes` values specify the number of Master, Infra and App nodes to create. -- cgit v1.2.3 From 3d9676911df8eb0fc4ce03c5ccfab049b430f87b Mon Sep 17 00:00:00 2001 From: Tlacenka Date: Tue, 15 Aug 2017 19:17:59 +0200 Subject: Specify different image names for roles (#637) * all.yml: set up new variables for specifying images for roles * stack_params.yaml: add image name variables for different roles * more roles added * heat_stack.yaml.j2: openstack_image changed to updated image names * README: updated documentation for specifying image names --- playbooks/provisioning/openstack/README.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 98c847d88..216205947 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -98,9 +98,12 @@ as a default nameserver that comes from the NetworkManager and cloud-init. `openstack keypair list`. This guide assumes that its corresponding private key is `~/.ssh/openshift`, stored on the ansible admin (control) node. -`openstack_default_image_name` is the name of the Glance image the -servers will use. You can -see your images with `openstack image list`. +`openstack_default_image_name` is the default name of the Glance image the +servers will use. You can see your images with `openstack image list`. +In order to set a different image for a role, uncomment the line with the +corresponding variable (e.g. `openstack_lb_image_name` for load balancer) and +set its value to another available image name. `openstack_default_image_name` +must stay defined as it is used as a default value for the rest of the roles. `openstack_default_flavor` is the Nova flavor the servers will use. You can see your flavors with `openstack flavor list`. -- cgit v1.2.3 From 4ddb3fb369008395f8e2dc225cb6e08ca59a115b Mon Sep 17 00:00:00 2001 From: Tlacenka Date: Tue, 15 Aug 2017 20:37:18 +0200 Subject: group_vars/all.yml, stack_params.yaml, README: specifying flavors enabled and documented (#638) --- playbooks/provisioning/openstack/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 216205947..79e153fe1 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -105,8 +105,12 @@ corresponding variable (e.g. `openstack_lb_image_name` for load balancer) and set its value to another available image name. `openstack_default_image_name` must stay defined as it is used as a default value for the rest of the roles. -`openstack_default_flavor` is the Nova flavor the servers will use. +`openstack_default_flavor` is the default Nova flavor the servers will use. You can see your flavors with `openstack flavor list`. +In order to set a different flavor for a role, uncomment the line with the +corresponding variable (e.g. `openstack_lb_flavor` for load balancer) and +set its value to another available flavor. `openstack_default_flavor` must +stay defined as it is used as a default value for the rest of the roles. `openstack_external_network_name` is the name of the Neutron network providing external connectivity. It is often called `public`, -- cgit v1.2.3 From 6ebad037254b0c254638f6e6dfbd48e451a1ceeb Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Wed, 16 Aug 2017 09:14:06 +0200 Subject: Access UI via a bastion node (#596) When using a bastion and a single master, use the lb-secgrp to access UI port allowed from the ingress bastion node cidr. For HA (masters>1), UI still should be accessed via the LB node's ingress cidr, omitting the bastion. Signed-off-by: Bogdan Dobrelya --- playbooks/provisioning/openstack/README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 79e153fe1..d7fa76b0f 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -251,6 +251,24 @@ Once it succeeds, you can install openshift by running: ansible-playbook openshift-ansible/playbooks/byo/config.yml +### Access UI + +OpenShift UI may be accessed via the 1st master node FQDN, port 8443. + +When using a bastion, you may want to make an SSH tunnel from your control node +to access UI on the `https://localhost:8443`, with this inventory variable: + + openshift_ui_ssh_tunnel: True + +Note, this requires sudo rights on the ansible control node and an absolute path +for the `openstack_private_ssh_key`. You should also update the control node's +`/etc/hosts`: + + 127.0.0.1 master-0.openshift.example.com + +In order to access UI, the ssh-tunnel service will be created and started on the +control node. Make sure to remove these changes and the service manually, when not +needed anymore. ## License -- cgit v1.2.3 From d41308f238b1c8dac35682e64f661c2e4b01c317 Mon Sep 17 00:00:00 2001 From: Tlacenka Date: Wed, 16 Aug 2017 11:09:02 +0200 Subject: Set custom hostnames for servers (#643) * README, all.yml, stack_params.yml, heat_stack.yaml.j2: hostname customisation added * hostnames customisation: default set in stack_params * heat_stack: bug fix * fixed commented defaults in group_vars/all.yml --- playbooks/provisioning/openstack/README.md | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index d7fa76b0f..afaeb430b 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -78,6 +78,10 @@ your servers will be under. With the default values, this will be That sudomain can be set as well by the `openshift_app_domain` variable in the inventory. +The `openstack__hostname` is a set of variables used for customising +hostnames of servers with a given role. When such a variable stays commented, +default hostname (usually the role name) is used. + The `public_dns_nameservers` is a list of DNS servers accessible from all the created Nova servers. These will be serving as your DNS forwarders for external FQDNs that do not belong to the cluster's DNS domain and its subdomains. -- cgit v1.2.3 From 6a528d5803619f93c734c23be44a2021f1d35ee9 Mon Sep 17 00:00:00 2001 From: Tlacenka Date: Thu, 17 Aug 2017 13:48:20 +0200 Subject: Configure different Docker volume sizes for different roles (#644) * README, all.yml, stack_params.yaml, openstack-stack: added docker volume size customisation - app_volume_size changed to node_volume_size (it is node everywhere else) * all.yml, stack_params.yaml,openstack-stack: added customisation for lb, etcd, dns * README: updated * README: updated info about ephemeral volumes --- playbooks/provisioning/openstack/README.md | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index afaeb430b..ae572f9b6 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -135,6 +135,16 @@ cluster node groups, like app or infra nodes. For example: `{'region': 'infra'}` The `openstack_nodes_to_remove` allows you to specify the numerical indexes of App nodes that should be removed; for example, ['0', '2'], +The `docker_volume_size` is the default Docker volume size the servers will use. +In order to set a different volume size for a role, +uncomment the line with the corresponding variable (e. g. `docker_master_volume_size` +for master) and change its value. `docker_volume_size` must stay defined as it is +used as a default value for some of the servers (master, infra, app node). +The rest of the roles (etcd, load balancer, dns) have their defaults hard-coded. + +**Note**: If the `ephemeral_volumes` is set to `true`, the `*_volume_size` variables +will be ignored and the deployment will not create any cinder volumes. + The `openstack_flat_secgrp`, controls Neutron security groups creation for Heat stacks. Set it to true, if you experience issues with sec group rules quotas. It trades security for number of rules, by sharing the same set -- cgit v1.2.3 From ec07a43c6ac64d220458b688ded7ce3634eeb0d7 Mon Sep 17 00:00:00 2001 From: Tomas Sedovic Date: Mon, 21 Aug 2017 12:22:54 +0200 Subject: Update openshift_release in the sample inventory (#647) * Update openshift_release in the sample inventory This removes setting the version for Openshift Origin, because the only the latest release is actually available. So if a new Origin release comes up, the installation will fail. --- playbooks/provisioning/openstack/README.md | 1 - 1 file changed, 1 deletion(-) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index ae572f9b6..099b017bb 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -196,7 +196,6 @@ Note, that in order to deploy OpenShift origin, you should update the following variables for the `inventory/group_vars/OSEv3.yml`, `all.yml`: deployment_type: origin - origin_release: 1.5.1 openshift_deployment_type: "{{ deployment_type }}" ### Configure static inventory and access via a bastion node -- cgit v1.2.3 From f4b584fcef4fad12be931631e0c95ac677799ee7 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Wed, 16 Aug 2017 11:04:27 +0200 Subject: Add docs and defaults for multi-master setup Additionally, add the lb group to contain lb nodes to the static inventory template. Include the lb group into the OSEv3 group, in order to apply the cluster group vars to it. Signed-off-by: Bogdan Dobrelya --- playbooks/provisioning/openstack/README.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 099b017bb..358ed182b 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -162,6 +162,19 @@ The `openstack_inventory_path` points the directory to host the generated static It should point to the copied example inventory directory, otherwise ti creates a new one for you. +#### Multi-master configuration + +Please refer to the official documentation for the +[multi-master setup](https://docs.openshift.com/container-platform/3.6/install_config/install/advanced_install.html#multiple-masters) +and define the corresponding [inventory +variables](https://docs.openshift.com/container-platform/3.6/install_config/install/advanced_install.html#configuring-cluster-variables) +in `inventory/group_vars/OSEv3.yml`. For example, given a load balancer node +under the ansible group named `ext_lb`: + + openshift_master_cluster_method: native + openshift_master_cluster_hostname: "{{ groups.ext_lb.0 }}" + openshift_master_cluster_public_hostname: "{{ groups.ext_lb.0 }}" + #### Security notes Configure required `*_ingress_cidr` variables to restrict public access -- cgit v1.2.3 From ce9b66f71b60857f644cc5a3559a5c21af5d9b24 Mon Sep 17 00:00:00 2001 From: tzumainn Date: Wed, 23 Aug 2017 09:58:07 -0400 Subject: Add documentation regarding running custom post-provision tasks (#678) * Add documentation regarding running custom post-provision tasks * moved post-provision doc to openstack README * added reference to OSEv3, clarified some text --- playbooks/provisioning/openstack/README.md | 38 ++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 358ed182b..002c2f6aa 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -271,6 +271,44 @@ The first infra node then becomes a bastion node as well and proxies access for future ansible commands. The post-provision step also configures Satellite, if requested, and DNS server, and ensures other OpenShift requirements to be met. +### Running Custom Post-Provision Actions + +If you'd like to run post-provision actions, you can do so by creating a custom playbook. Here's one example that adds additional YUM repositories: + +``` +--- +- hosts: app + tasks: + + # enable EPL + - name: Add repository + yum_repository: + name: epel + description: EPEL YUM repo + baseurl: https://download.fedoraproject.org/pub/epel/$releasever/$basearch/ +``` + +This example runs against app nodes. The list of options include: + + - cluster_hosts (all hosts: app, infra, masters, dns, lb) + - OSEv3 (app, infra, masters) + - app + - dns + - masters + - infra_hosts + +After writing your custom playbook, run it like this: + +``` +ansible-playbook --private-key ~/.ssh/openshift -i myinventory/ custom-playbook.yaml +``` + +If you'd like to limit the run to one particular host, you can do so as follows: + +``` +ansible-playbook --private-key ~/.ssh/openshift -i myinventory/ custom-playbook.yaml -l app-node-0.openshift.example.com +``` + ### Install OpenShift Once it succeeds, you can install openshift by running: -- cgit v1.2.3 From 2a0afda0940b63d71f05c0d11834e3b4582f4e90 Mon Sep 17 00:00:00 2001 From: Tlacenka Date: Wed, 23 Aug 2017 16:39:17 +0200 Subject: Fix node label customisation (#679) * node labels: add checks for custom labels - README: add more info about customising labels - pre_tasks: add checks for label values, set to empty dict if undefined - group_vars: move labels customisation from OSEv3 to all * pre_tasks: tried a new approach to updating variables * pre_tasks: variable update fixed * pre_tasks: rollback upscaling changes (to be added in upscaling PR) * pre_tasks: blank line removed * pre_tasks: add check for undefined variable (should not happen though) * pre_tasks: be sure to have regions defined --- playbooks/provisioning/openstack/README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 002c2f6aa..c9f651032 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -130,7 +130,15 @@ The `openstack_num_masters`, `openstack_num_infra` and App nodes to create. The `openshift_cluster_node_labels` defines custom labels for your openshift -cluster node groups, like app or infra nodes. For example: `{'region': 'infra'}`. +cluster node groups. It currently supports app and infra node groups. +The default value of this variable sets `region: primary` to app nodes and +`region: infra` to infra nodes. +An example of setting a customised label: +``` +openshift_cluster_node_labels: + app: + mylabel: myvalue +``` The `openstack_nodes_to_remove` allows you to specify the numerical indexes of App nodes that should be removed; for example, ['0', '2'], -- cgit v1.2.3 From 2ea1ccfb37461a70d329655f7eeaaab090f1ca0d Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Fri, 25 Aug 2017 16:15:40 +0200 Subject: Support external/pre-provisioned authoritative cluster DNS (#690) * Document how to use fully external DNS servers w/o provisioning dns servers group with Heat. * Document how to use a mixed servers setup for dynamic records updates mathing public or private views. * Allow custom nsupdate key names for OSP10 dns service compatibility. The osp-dns configures the named service with the fixed key_name 'update-key'. Add optional key_name for the external_nsupdate_keys public section to allow custom key names. --- playbooks/provisioning/openstack/README.md | 56 ++++++++++++++++++++++++++---- 1 file changed, 50 insertions(+), 6 deletions(-) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index c9f651032..2eb9aa9cd 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -53,8 +53,9 @@ Otherwise, even if there are differences between the two versions, installation * Assigns Cinder volumes to the servers * Set up an `openshift` user with sudo privileges * Optionally attach Red Hat subscriptions -* Set up a bind-based DNS server -* When deploying more than one master, set up a HAproxy server +* Sets up a bind-based DNS server or configures the cluster servers to use an external DNS server. +* Supports mixed in-stack/external DNS servers for dynamic updates. +* When deploying more than one master, sets up a HAproxy server ## Set up @@ -69,9 +70,17 @@ Otherwise, even if there are differences between the two versions, installation ### Update `inventory/group_vars/all.yml` +#### DNS configuration variables + Pay special attention to the values in the first paragraph -- these will depend on your OpenStack environment. +Note that the provsisioning playbooks update the original Neutron subnet +created with the Heat stack to point to the configured DNS servers. +So the provisioned cluster nodes will start using those natively as +default nameservers. Technically, this allows to deploy OpenShift clusters +without dnsmasq proxies. + The `env_id` and `public_dns_domain` will form the cluster's DNS domain all your servers will be under. With the default values, this will be `openshift.example.com`. For workloads, the default subdomain is 'apps'. @@ -93,10 +102,45 @@ daemon that in turn proxies DNS requests to the authoritative DNS server. When Network Manager is enabled for provisioned cluster nodes, which is normally the case, you should not change the defaults and always deploy dnsmasq. -Note that the authoritative DNS server is configured on post provsision -steps, and the Neutron subnet for the Heat stack is updated to point to that -server in the end. So the provisioned servers will start using it natively -as a default nameserver that comes from the NetworkManager and cloud-init. +`external_nsupdate_keys` describes an external authoritative DNS server(s) +processing dynamic records updates in the public and private cluster views: + + external_nsupdate_keys: + public: + key_secret: + key_algorithm: 'hmac-md5' + key_name: 'update-key' + server: + private: + key_secret: + key_algorithm: 'hmac-sha256' + server: + +Here, for the public view section, we specified another key algorithm and +optional `key_name`, which normally defaults to the cluster's DNS domain. +This just illustrates a compatibility mode with a DNS service deployed +by OpenShift on OSP10 reference architecture, and used in a mixed mode with +another external DNS server. + +Another example defines an external DNS server for the public view +additionally to the in-stack DNS server used for the private view only: + + external_nsupdate_keys: + public: + key_secret: + key_algorithm: 'hmac-sha256' + server: + +Here, updates matching the public view will be hitting the given public +server IP. While updates matching the private view will be sent to the +auto evaluated in-stack DNS server's **public** IP. + +Note, for the in-stack DNS server, private view updates may be sent only +via the public IP of the server. You can not send updates via the private +IP yet. This forces the in-stack private server to have a floating IP. +See also the [security notes](#security-notes) + +#### Other configuration variables `openstack_ssh_key` is a Nova keypair - you can see your keypairs with `openstack keypair list`. This guide assumes that its corresponding private -- cgit v1.2.3 From 8008fd49227a750a6a5cf5cae8700f0fe0970bce Mon Sep 17 00:00:00 2001 From: tzumainn Date: Thu, 31 Aug 2017 04:38:38 -0400 Subject: Add custom post-provision playbook for adding yum repos (#697) * Add custom post-provision playbook for adding yum repos * fixed formatting issues * requested corrections and formatting changes --- playbooks/provisioning/openstack/README.md | 26 +++++++++++++++++--------- 1 file changed, 17 insertions(+), 9 deletions(-) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 2eb9aa9cd..57d5839c8 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -325,7 +325,19 @@ if requested, and DNS server, and ensures other OpenShift requirements to be met ### Running Custom Post-Provision Actions -If you'd like to run post-provision actions, you can do so by creating a custom playbook. Here's one example that adds additional YUM repositories: +A custom playbook can be run like this: + +``` +ansible-playbook --private-key ~/.ssh/openshift -i inventory/ openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/custom-playbook.yml +``` + +If you'd like to limit the run to one particular host, you can do so as follows: + +``` +ansible-playbook --private-key ~/.ssh/openshift -i inventory/ openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/custom-playbook.yml -l app-node-0.openshift.example.com +``` + +You can also create your own custom playbook. Here's one example that adds additional YUM repositories: ``` --- @@ -349,17 +361,13 @@ This example runs against app nodes. The list of options include: - masters - infra_hosts -After writing your custom playbook, run it like this: +Please consider contributing your custom playbook back to openshift-ansible-contrib! -``` -ansible-playbook --private-key ~/.ssh/openshift -i myinventory/ custom-playbook.yaml -``` +A library of custom post-provision actions exists in `openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions`. Playbooks include: -If you'd like to limit the run to one particular host, you can do so as follows: +##### add-yum-repos.yml -``` -ansible-playbook --private-key ~/.ssh/openshift -i myinventory/ custom-playbook.yaml -l app-node-0.openshift.example.com -``` +[add-yum-repos.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-yum-repos.yml) adds a list of custom yum repositories to every node in the cluster. ### Install OpenShift -- cgit v1.2.3 From 06abd17792fafc3adec3916f56c69800690b1431 Mon Sep 17 00:00:00 2001 From: Bogdan Dobrelya Date: Tue, 5 Sep 2017 15:56:43 +0200 Subject: Document global DNS security options (#694) * Document global DNS security options Related changes: * Do not create a view if externally managed. * Allow to specify the recursion settings for public/private views defined by the dns-view role. Signed-off-by: Bogdan Dobrelya * Document public_dns_nameservers better Also use it as the private view forwarder Signed-off-by: Bogdan Dobrelya --- playbooks/provisioning/openstack/README.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 57d5839c8..b898351e6 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -94,6 +94,8 @@ default hostname (usually the role name) is used. The `public_dns_nameservers` is a list of DNS servers accessible from all the created Nova servers. These will be serving as your DNS forwarders for external FQDNs that do not belong to the cluster's DNS domain and its subdomains. +If you're unsure what to put in here, you can try the google or opendns servers, +but note that some organizations may be blocking them. The `openshift_use_dnsmasq` controls either dnsmasq is deployed or not. By default, dnsmasq is deployed and comes as the hosts' /etc/resolv.conf file @@ -244,6 +246,18 @@ be the case for development environments. When turned off, the servers will be provisioned omitting the ``yum update`` command. This brings security implications though, and is not recommended for production deployments. +##### DNS servers security options + +Aside from `node_ingress_cidr` restricting public access to in-stack DNS +servers, there are following (bind/named specific) DNS security +options available: + + named_public_recursion: 'no' + named_private_recursion: 'yes' + +External DNS servers, which is not included in the 'dns' hosts group, +are not managed. It is up to you to configure such ones. + ### Configure the OpenShift parameters Finally, you need to update the DNS entry in -- cgit v1.2.3 From daa0b91119d2c16860a19b4ead2d0d128f8bc5ce Mon Sep 17 00:00:00 2001 From: Tomas Sedovic Date: Wed, 6 Sep 2017 10:24:16 +0200 Subject: Allow using a provider network (#701) * Allow using a provider network This adds a new option `openstack_provider_network_name` which will take a name of an existing network and put the servers there. It will also prevent creating floating IP addresses as the provider network's IPs should already be accessible without any additional routing required. Fixes #622 * Requested changes Don't fail on external/private networks and use role defaults for the provider network. * Add missing endif --- playbooks/provisioning/openstack/README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index b898351e6..4e74627dc 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -229,6 +229,24 @@ under the ansible group named `ext_lb`: openshift_master_cluster_hostname: "{{ groups.ext_lb.0 }}" openshift_master_cluster_public_hostname: "{{ groups.ext_lb.0 }}" +#### Provider Network + +Normally, the playbooks create a new Neutron network and subnet and attach +floating IP addresses to each node. If you have a provider network set up, this +is all unnecessary as you can just access servers that are placed in the +provider network directly. + +To use a provider network, set its name in `openstack_provider_network_name` in +`inventory/group_vars/all.yml`. + +If you set the provider network name, the `openstack_external_network_name` and +`openstack_private_network_name` fields will be ignored. + +**NOTE**: this will not update the nodes' DNS, so running openshift-ansible +right after provisioning will fail (unless you're using an external DNS server +your provider network knows about). You must make sure your nodes are able to +resolve each other by name. + #### Security notes Configure required `*_ingress_cidr` variables to restrict public access -- cgit v1.2.3 From 97c99ad8582370803e2841b07985260886614eb2 Mon Sep 17 00:00:00 2001 From: tzumainn Date: Wed, 6 Sep 2017 09:36:09 -0400 Subject: Point openshift_master_cluster_public_hostname at master or lb if defined (#706) * Point openshift_master_cluster_public_hostname at master or load balancer if specified * cleanup * remove extraneous brackets * corrections * added doc section * add private records --- playbooks/provisioning/openstack/README.md | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'playbooks/provisioning/openstack/README.md') diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 4e74627dc..8b9a37537 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -295,6 +295,15 @@ variables for the `inventory/group_vars/OSEv3.yml`, `all.yml`: deployment_type: origin openshift_deployment_type: "{{ deployment_type }}" +#### Setting a custom entrypoint + +In order to set a custom entrypoint, update `openshift_master_cluster_public_hostname` + + openshift_master_cluster_public_hostname: api.openshift.example.com + +Note than an empty hostname does not work, so if your domain is `openshift.example.com`, +you cannot set this value to simply `openshift.example.com`. + ### Configure static inventory and access via a bastion node Example inventory variables: -- cgit v1.2.3