From a0b6fc7db1be2cf6190d982f90e96f4c39a4c699 Mon Sep 17 00:00:00 2001
From: Tobias Florek
Date: Wed, 23 Sep 2015 13:51:41 +0200
Subject: Initial containerization work from @ibotty
copied from https://github.com/eparis/kubernetes-ansible/blob/17f98edd7ff53e649b43e26822b8fbc0be42b233/roles/common/tasks/main.yml
---
 roles/openshift_master/tasks/main.yml | 27 ++++++++++++++++++++++++++-
 1 file changed, 26 insertions(+), 1 deletion(-)
(limited to 'roles/openshift_master/tasks')
diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml
index 43647cc49..6844a16cc 100644
--- a/roles/openshift_master/tasks/main.yml
+++ b/roles/openshift_master/tasks/main.yml
@@ -21,6 +21,10 @@
 msg: "openshift_master_cluster_password must be set for multi-master installations"
 when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and (openshift_master_cluster_password is not defined or not openshift_master_cluster_password)
+- fail:
+ msg: "openshift_master_ha is not yet supported on atomic hosts"
+ when: openshift_master_ha | bool and is_atomic
+
 - name: Set master facts
 openshift_facts:
 role: master
@@ -79,6 +83,25 @@
 - name: Install Master package
 action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_version }} state=present"
+ when: not is_atomic
+
+# TODO: enable when ansible#1993 lands and is widespread enough
+# - name: Docker image present
+# docker:
+# image: "{{ openshift.common.docker.image }}"
+# state: image_present
+# when: is_atomic
+
+- name: Install Master docker service file
+ template:
+ dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service"
+ src: openshift.docker.master.service
+ register: install_result
+ when: is_atomic
+
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: is_atomic and install_result | changed
 - name: Re-gather package dependent master facts
 openshift_facts:
@@ -113,6 +136,7 @@
 action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present"
 when: (item.kind == 'HTPasswdPasswordIdentityProvider')
 with_items: openshift.master.identity_providers
+ when: not is_atomic
 - name: Ensure htpasswd directory exists
 file:
@@ -251,7 +275,7 @@
 - name: Install cluster packages
 action: "{{ ansible_pkg_mgr }} name=pcs state=present"
- when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker'
+ when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' and not is_atomic
 register: install_result
 - name: Start and enable cluster service
@@ -283,6 +307,7 @@
 command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config
 args:
 creates: ~{{ item }}/.kube/config
+ when: not is_atomic
 with_items:
 - root
 - "{{ ansible_ssh_user }}"
--
cgit v1.2.3
From 8e7c5c970b8adc83fd6d5cad115f4edb06b36d98 Mon Sep 17 00:00:00 2001
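Review bot: The `+ when: not is_atomic` added to the httpd-tools task in the `@@ -113` hunk is a second `when:` key in the same task mapping, which already carries `when: (item.kind == 'HTPasswdPasswordIdentityProvider')`; YAML loaders keep the last duplicate silently, so the identity-provider filter is dropped and httpd-tools gets installed for every provider entry. Fold both conditions into the one key: `when: (item.kind == 'HTPasswdPasswordIdentityProvider') and not is_atomic`. The task's `name:` line sits above the hunk.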
From: Scott Dodson Date: Mon, 5 Oct 2015 12:53:10 -0400 Subject: Containerization work by @sdodson --- README_CONTAINERIZED_INSTALLATION.md | 101 ++++++++++++++++++++ playbooks/adhoc/uninstall.yml | 32 ++++++- playbooks/common/openshift-cluster/config.yml | 2 + .../update_repos_and_packages.yml | 3 +- playbooks/common/openshift-docker/config.yml | 8 ++ playbooks/common/openshift-docker/filter_plugins | 1 + playbooks/common/openshift-docker/lookup_plugins | 1 + playbooks/common/openshift-docker/roles | 1 + playbooks/common/openshift-etcd/config.yml | 6 +- playbooks/common/openshift-master/config.yml | 4 +- playbooks/common/openshift-node/config.yml | 2 +- roles/docker/README.md | 2 +- roles/docker/tasks/main.yml | 12 ++- roles/etcd/defaults/main.yaml | 1 + roles/etcd/handlers/main.yml | 3 +- roles/etcd/tasks/main.yml | 38 +++++++- roles/etcd/templates/etcd.conf.j2 | 22 ++--- roles/etcd/templates/etcd.docker.service | 13 +++ roles/fluentd_master/tasks/main.yml | 2 +- roles/fluentd_node/tasks/main.yml | 2 +- roles/kube_nfs_volumes/tasks/main.yml | 4 +- roles/openshift_docker/meta/main.yml | 16 ++++ roles/openshift_docker/tasks/main.yml | 27 ++++++ roles/openshift_examples/defaults/main.yml | 2 +- roles/openshift_expand_partition/tasks/main.yml | 5 +- roles/openshift_facts/library/openshift_facts.py | 70 +++++++++++--- roles/openshift_facts/tasks/main.yml | 14 --- roles/openshift_master/tasks/main.yml | 61 ++++++++---- .../atomic-openshift-master-api.docker.service.j2 | 26 ++++++ ...-openshift-master-controllers.docker.service.j2 | 25 +++++ .../templates/master.docker.service.j2 | 16 ++++ .../templates/openshift.docker.master.service | 11 --- roles/openshift_master/vars/main.yml | 2 - roles/openshift_master_ca/tasks/main.yml | 7 +- roles/openshift_master_ca/vars/main.yml | 3 - roles/openshift_master_certificates/tasks/main.yml | 2 + roles/openshift_master_cluster/tasks/main.yml | 2 +- roles/openshift_node/tasks/main.yml | 102 ++++++++------------- 
.../openshift_node/tasks/storage_plugins/main.yml | 5 +- .../templates/openshift.docker.node.service | 13 ++- .../templates/openvswitch.docker.service | 13 +++ roles/openshift_node/vars/main.yml | 3 - roles/openshift_repos/tasks/main.yaml | 15 +-- roles/openshift_storage_nfs_lvm/tasks/main.yml | 5 + roles/openshift_storage_nfs_lvm/tasks/nfs.yml | 2 +- roles/os_env_extras/tasks/main.yaml | 2 +- roles/os_firewall/tasks/firewall/iptables.yml | 2 +- roles/os_update_latest/tasks/main.yml | 4 +- roles/os_zabbix/tasks/main.yml | 2 +- roles/yum_repos/tasks/main.yml | 2 +- 50 files changed, 536 insertions(+), 183 deletions(-) create mode 100644 README_CONTAINERIZED_INSTALLATION.md create mode 100644 playbooks/common/openshift-docker/config.yml create mode 120000 playbooks/common/openshift-docker/filter_plugins create mode 120000 playbooks/common/openshift-docker/lookup_plugins create mode 120000 playbooks/common/openshift-docker/roles create mode 100644 roles/etcd/templates/etcd.docker.service create mode 100644 roles/openshift_docker/meta/main.yml create mode 100644 roles/openshift_docker/tasks/main.yml create mode 100644 roles/openshift_master/templates/atomic-openshift-master-api.docker.service.j2 create mode 100644 roles/openshift_master/templates/atomic-openshift-master-controllers.docker.service.j2 create mode 100644 roles/openshift_master/templates/master.docker.service.j2 delete mode 100644 roles/openshift_master/templates/openshift.docker.master.service create mode 100644 roles/openshift_node/templates/openvswitch.docker.service (limited to 'roles/openshift_master/tasks') diff --git a/README_CONTAINERIZED_INSTALLATION.md b/README_CONTAINERIZED_INSTALLATION.md new file mode 100644 index 000000000..5f51b9507 --- /dev/null +++ b/README_CONTAINERIZED_INSTALLATION.md 
@@ -0,0 +1,101 @@ +# Overview + +Users may now deploy containerized versions of OpenShift Origin, OpenShift +Enterprise, or Atomic Enterprise Platform on Atomic +Host[https://projectatomic.io] or RHEL, Centos, and Fedora. This includes +OpenvSwitch based SDN. + + +## Installing on Atomic Host + +When installing on Atomic Host you will automatically have containerized +installation methods selected for you based on detection of _/run/ostree-booted_ + +## Installing on RHEL, Centos, or Fedora + +Currently the default installation method for traditional operating systems is +via RPMs. If you wish to deploy using containerized installation you may set the +ansible variable 'containerized=true' on a per host basis. This means that you +may easily deploy environments mixing containerized and RPM based installs. At +this point we suggest deploying heterogeneous environments. + +## CLI Wrappers + +When using containerized installations openshift-ansible will deploy a wrapper +script on each master located in _/usr/local/bin/openshift_ and a set of +symbolic links _/usr/local/bin/oc_, _/usr/local/bin/oadm_, and +_/usr/local/bin/kubectl_ to ease administrative tasks. The wrapper script spawns +a new container on each invocation so you may notice it's slightly slower than +native clients. + +The wrapper scripts mount a limited subset of paths, _~/.kube_, _/etc/origin/_, +and _/tmp_. Be mindful of this when passing in files to be processed by `oc` or + `oadm`. You may find it easier to redirect input like this : + + `oc create -f - < my_file.json` + +## Technical Notes + +### Requisite Images + +Based on your deployment_type the installer will make use of the following +images. Because you may make use of a private repository we've moved the +configuration of docker additional, insecure, and blocked registries to the +beginning of the installation process ensuring that these settings are applied +before attempting to pull any of the following images. 
+ + Origin + openshift/origin + openshift/node (node + openshift-sdn + openvswitch rpm for client tools) + openshift/openvswitch (centos7 + openvswitch rpm, runs ovsdb ovsctl processes) + registry.access.redhat.com/rhel7/etcd + OpenShift Enterprise + openshift3/ose + openshift3/node + openshift3/openvswitch + registry.access.redhat.com/rhel7/etcd + Atomic Enterprise Platform + aep3/aep + aep3/node + aep3/openvswitch + registry.access.redhat.com/rhel7/etcd + + * note openshift3/* and aep3/* images come from registry.access.redhat.com and +rely on the --additional-repository flag being set appropriately. + +### Starting and Stopping Containers + +The installer will create relevant systemd units which can be used to start, +stop, and poll services via normal systemctl commands. These unit names match +those of an RPM installation with the exception of the etcd service which will +be named 'etcd_container'. This change is necessary as currently Atomic Host +ships with etcd package installed as part of Atomic Host and we will instead use +a containerized version. The installer will disable the built in etcd service. +etcd is slated to be removed from os-tree in the future. + +### File Paths + +All configuration files are placed in the same locations as RPM based +installations and will survive os-tree upgrades. + +The examples are installed into _/etc/origin/examples_ rather than +_/usr/share/openshift/examples_ because that is read-only on Atomic Host. + + +### Storage Requirements + +Atomic Host installs normally have a very small root filesystem. However the +etcd, master, and node containers will persist data in /var/lib. Please ensure +that you have enough space on the root filesystem. + +### OpenvSwitch SDN Initialization + +OpenShift SDN initialization requires that the docker bridge be reconfigured and +docker is restarted. This complicates the situation when the node is running +within a container. 
When using the OVS SDN you'll see the node start,
+reconfigure docker, restart docker which will restart all containers, and
+finally start successfully.
+
+The node service may fail to start and be restarted a few times because the
+master services are also restarted along with docker. We currently work around
+this by relying on Restart=always in the docker based systemd units.
diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml
index 9161076e5..55df78a3f 100644
--- a/playbooks/adhoc/uninstall.yml
+++ b/playbooks/adhoc/uninstall.yml
@@ -19,15 +19,19 @@
 failed_when: false
 register: ostree_output
+ # Since we're not calling openshift_facts we'll do this for now
 - set_fact:
 is_atomic: "{{ ostree_output.rc == 0 }}"
+ - set_fact:
+ is_containerized: "{{ is_atomic or containerized | default(false) | bool }}"
 - name: Remove br0 interface
 shell: ovs-vsctl del-br br0
 changed_when: False
 failed_when: False
- - service: name={{ item }} state=stopped
+ - name: Stop services
+ service: name={{ item }} state=stopped
 with_items:
 - atomic-enterprise-master
 - atomic-enterprise-node
@@ -46,8 +50,10 @@
 - origin-master-controllers
 - origin-node
 - pcsd
+ failed_when: false
- - action: "{{ ansible_pkg_mgr }} name={{ item }} state=absent"
+ - name: Remove packages
+ action: "{{ ansible_pkg_mgr }} name={{ item }} state=absent"
 when: not is_atomic | bool
 with_items:
 - atomic-enterprise
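Review bot: In the `@@ -19` hunk, `is_containerized: "{{ is_atomic or containerized | default(false) | bool }}"` applies `| bool` only to the right-hand operand; `is_atomic` was itself produced by `set_fact` from a templated comparison, and this same play casts it with `not is_atomic | bool` a few lines later, which suggests it may arrive as the string "False" — a truthy value that would mark every host containerized and skip package removal. Cast it explicitly: `is_containerized: "{{ is_atomic | bool or containerized | default(false) | bool }}"`. The README hunk above is documentation only.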
@@ -132,14 +138,26 @@
 with_items:
 - registry\.access\..*redhat\.com/openshift3
 - registry\.access\..*redhat\.com/aep3
+ - registry\.access\..*redhat\.com/rhel7/etcd
 - docker.io/openshift
 - shell: "docker rmi -f {{ item.stdout_lines | join(' ') }}"
 changed_when: False
 failed_when: False
 with_items: "{{ images_to_delete.results }}"
+
+ - name: Remove sdn drop files
+ file:
+ path: /run/openshift-sdn
+ state: absent
+
+ - name: restart docker
+ service:
+ name: docker
+ state: restarted
- - file: path={{ item }} state=absent
+ - name: Remove remaining files
+ file: path={{ item }} state=absent
 with_items:
 - "~{{ ansible_ssh_user }}/.kube"
 - /etc/ansible/facts.d/openshift.fact
@@ -149,7 +167,15 @@
 - /etc/openshift
 - /etc/openshift-sdn
 - /etc/origin
+ - /etc/systemd/system/atomic-openshift-master.service
+ - /etc/systemd/system/atomic-openshift-master-api.service
+ - /etc/systemd/system/atomic-openshift-master-controllers.service
+ - /etc/systemd/system/atomic-openshift-node.service
+ - /etc/systemd/system/etcd_container.service
+ - /etc/systemd/system/openvswitch.service
 - /etc/sysconfig/atomic-enterprise-master
+ - /etc/sysconfig/atomic-enterprise-master-api
+ - /etc/sysconfig/atomic-enterprise-master-controllers
 - /etc/sysconfig/atomic-enterprise-node
 - /etc/sysconfig/atomic-openshift-master
 - /etc/sysconfig/atomic-openshift-master-api
diff --git a/playbooks/common/openshift-cluster/config.yml b/playbooks/common/openshift-cluster/config.yml
index 482fa8441..a62d60167 100644
--- a/playbooks/common/openshift-cluster/config.yml
+++ b/playbooks/common/openshift-cluster/config.yml
@@ -1,6 +1,8 @@
 ---
 - include: evaluate_groups.yml
+- include: ../openshift-docker/config.yml
+
 - include: ../openshift-etcd/config.yml
 - include: ../openshift-master/config.yml
diff --git a/playbooks/common/openshift-cluster/update_repos_and_packages.yml b/playbooks/common/openshift-cluster/update_repos_and_packages.yml
index 6e4ad7d3f..9a303c62d 100644
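Review bot: The `@@ -149` hunk deletes the `/etc/systemd/system/*.service` units this commit installs, but the `Stop services` task only stops them and nothing runs `systemctl daemon-reload` after the removal, so systemd keeps the stale units loaded and, for units that were enabled, dangling `multi-user.target.wants` symlinks remain. Add `enabled=no` to the stop task (`service: name={{ item }} state=stopped enabled=no`, which is safe under its `failed_when: false`) and a `command: systemctl daemon-reload` task after `Remove remaining files`, mirroring the reload the install side performs. The `Stop services` task lives in the earlier hunk of this file; `Remove remaining files` ends in this one.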
--- a/playbooks/common/openshift-cluster/update_repos_and_packages.yml
+++ b/playbooks/common/openshift-cluster/update_repos_and_packages.yml
@@ -8,5 +8,6 @@
 ansible_distribution == "RedHat" and lookup('oo_option', 'rhel_skip_subscription') | default(rhsub_skip, True) | default('no', True) | lower in ['no', 'false']
- - {role: openshift_repos, when: not is_atomic}
+ and not openshift.common.is_atomic | bool
+ - openshift_repos
 - os_update_latest
diff --git a/playbooks/common/openshift-docker/config.yml b/playbooks/common/openshift-docker/config.yml
new file mode 100644
index 000000000..c3541e544
--- /dev/null
+++ b/playbooks/common/openshift-docker/config.yml
@@ -0,0 +1,8 @@
+- name: Configure docker hosts
+ hosts: oo_masters_to_config:oo_nodes_to_config:oo_etcd_to_config:oo_lb_to_config
+ vars:
+ docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') | oo_split }}"
+ docker_insecure_registries: "{{ lookup('oo_option', 'docker_insecure_registries') | oo_split }}"
+ docker_blocked_registries: "{{ lookup('oo_option', 'docker_blocked_registries') | oo_split }}"
+ roles:
+ - openshift-docker
diff --git a/playbooks/common/openshift-docker/filter_plugins b/playbooks/common/openshift-docker/filter_plugins
new file mode 120000
index 000000000..99a95e4ca
--- /dev/null
+++ b/playbooks/common/openshift-docker/filter_plugins
@@ -0,0 +1 @@
+../../../filter_plugins
\ No newline at end of file
diff --git a/playbooks/common/openshift-docker/lookup_plugins b/playbooks/common/openshift-docker/lookup_plugins
new file mode 120000
index 000000000..ac79701db
--- /dev/null
+++ b/playbooks/common/openshift-docker/lookup_plugins
@@ -0,0 +1 @@
+../../../lookup_plugins
\ No newline at end of file
diff --git a/playbooks/common/openshift-docker/roles b/playbooks/common/openshift-docker/roles
new file mode 120000
index 000000000..20c4c58cf
--- /dev/null
+++ b/playbooks/common/openshift-docker/roles
@@ -0,0 +1 @@
+../../../roles
\ No newline at end of file
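Review bot: `docker_insecure_registries` in the new `openshift-docker/config.yml` turns off TLS verification for pulls from those registries on every master, node, etcd and lb host, and the control-plane images this commit selects in openshift_facts are unqualified names (`openshift3/ose`, `openshift/origin`), so the order of `docker_additional_registries` decides which registry actually serves them. Neither the play nor the README says so; add a comment above `vars:` such as `# insecure registries are pulled without TLS verification; platform images are unqualified, so additional-registry search order determines where they come from` so an operator does not list a registry here casually. The role name `openshift-docker` also differs from the directory `roles/openshift_docker` added in this commit — worth confirming it resolves.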
diff --git a/playbooks/common/openshift-etcd/config.yml b/playbooks/common/openshift-etcd/config.yml
index a0dd330e7..9a5ae0e6b 100644
--- a/playbooks/common/openshift-etcd/config.yml
+++ b/playbooks/common/openshift-etcd/config.yml
@@ -14,7 +14,8 @@
 public_hostname: "{{ openshift_public_hostname | default(None) }}"
 deployment_type: "{{ openshift_deployment_type }}"
 - role: etcd
- local_facts: {}
+ local_facts:
+ etcd_image: "{{ osm_etcd_image | default(None) }}"
 - name: Check status of etcd certificates
 stat:
 path: "{{ item }}"
@@ -87,7 +88,8 @@
 when: etcd_server_certs_missing
 roles:
 - etcd
- - { role: nickhammond.logrotate, when: not is_atomic }
+ - role: nickhammond.logrotate
+ when: not openshift.common.is_containerized | bool
 - name: Delete temporary directory on localhost
 hosts: localhost
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml
index 453adb4ff..9c800af39 100644
--- a/playbooks/common/openshift-master/config.yml
+++ b/playbooks/common/openshift-master/config.yml
@@ -328,7 +328,7 @@
 roles:
 - openshift_master
 - role: nickhammond.logrotate
- when: not is_atomic
+ when: not openshift.common.is_containerized | bool
 - role: fluentd_master
 when: openshift.common.use_fluentd | bool
 post_tasks:
@@ -357,7 +357,7 @@
 cockpit_plugins: "{{ osm_cockpit_plugins | default(['cockpit-kubernetes']) }}"
 roles:
 - role: cockpit
- when: ( deployment_type in ['atomic-enterprise','openshift-enterprise'] ) and
+ when: not openshift.common.is_containerized and ( deployment_type in ['atomic-enterprise','openshift-enterprise'] ) and
 (osm_use_cockpit | bool or osm_use_cockpit is undefined )
 - name: Configure flannel
diff --git a/playbooks/common/openshift-node/config.yml b/playbooks/common/openshift-node/config.yml
index 6eee75064..80098d240 100644
--- a/playbooks/common/openshift-node/config.yml
+++ b/playbooks/common/openshift-node/config.yml
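Review bot: In the `@@ -357` hunk of openshift-master/config.yml the cockpit condition reads `not openshift.common.is_containerized and (...)`, while every other condition this commit introduces (the logrotate roles in the same file and in the openshift-etcd and openshift-node plays) writes `not openshift.common.is_containerized | bool`; keep the cast so the conditions stay uniform and survive a string-valued fact: `when: not openshift.common.is_containerized | bool and ( deployment_type in ['atomic-enterprise','openshift-enterprise'] ) and`. The expression continues on the following context line.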
@@ -181,7 +181,7 @@
 - role: flannel
 when: openshift.common.use_flannel | bool
 - role: nickhammond.logrotate
- when: not is_atomic
+ when: not openshift.common.is_containerized | bool
 - role: fluentd_node
 when: openshift.common.use_fluentd | bool
 tasks:
diff --git a/roles/docker/README.md b/roles/docker/README.md
index 46f259eb7..6b5ee4421 100644
--- a/roles/docker/README.md
+++ b/roles/docker/README.md
@@ -1,4 +1,4 @@
-Role Name
+Docker
 =========
 Ensures docker package is installed, and optionally raises timeout for systemd-udevd.service to 5 minutes.
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index 7939221a1..4e24fd3b3 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,10 +1,18 @@
 ---
 # tasks file for docker
 - name: Install docker
- action: "{{ ansible_pkg_mgr }} name=docker state=present" and not is_atomic
+ action: "{{ ansible_pkg_mgr }} name=docker state=present"
+ when: not openshift.common.is_atomic | bool
 - name: enable and start the docker service
- service: name=docker enabled=yes state=started
+ service:
+ name: docker
+ enabled: yes
+ state: started
+ register: start_result
+
+- set_fact:
+ docker_service_status_changed = start_result | changed
 - include: udev_workaround.yml
 when: docker_udev_workaround | default(False)
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index 0fd3de585..9e7fa59cf 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -1,4 +1,5 @@
 ---
+etcd_service: "{{ 'etcd' if not openshift.common.is_containerized else 'etcd_container' }}"
 etcd_interface: "{{ ansible_default_ipv4.interface }}"
 etcd_client_port: 2379
 etcd_peer_port: 2380
diff --git a/roles/etcd/handlers/main.yml b/roles/etcd/handlers/main.yml
index 4c0efb97b..aeb26d6b2 100644
--- a/roles/etcd/handlers/main.yml
+++ b/roles/etcd/handlers/main.yml
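Review bot: In the `roles/docker/tasks/main.yml` hunk, `docker_service_status_changed = start_result | changed` under `set_fact:` is a bare scalar rather than a `key: value` pair, so Ansible parses it as `key=value` module arguments and no fact named `docker_service_status_changed` is created (the `etcd_service_status_changed | default(false)` handler guard elsewhere in this commit shows the naming the authors intend). Write it as a mapping with the expression templated: `docker_service_status_changed: "{{ start_result | changed }}"`. Nothing visible consumes the fact yet, so the breakage is silent until a handler starts relying on it.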
@@ -1,4 +1,5 @@
 ---
+
 - name: restart etcd
- service: name=etcd state=restarted
+ service: name={{ etcd_service }} state=restarted
 when: not etcd_service_status_changed | default(false)
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index d661ce437..aef52886b 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -7,8 +7,42 @@
 msg: IPv4 address not found for {{ etcd_interface }}
 when: "'ipv4' not in hostvars[inventory_hostname]['ansible_' ~ etcd_interface] or 'address' not in hostvars[inventory_hostname]['ansible_' ~ etcd_interface].ipv4"
+- debug: var=openshift.common.is_containerized
+- debug: var=openshift.common.is_atomic
+
 - name: Install etcd
- action: "{{ ansible_pkg_mgr }} name=etcd-2.* state=present" and not is_atomic
+ action: "{{ ansible_pkg_mgr }} name=etcd-2.* state=present"
+ when: not openshift.common.is_containerized | bool
+
+- name: Pull etcd container
+ command: >
+ docker pull {{ openshift.etcd.etcd_image }}
+ when: openshift.common.is_containerized | bool
+
+- name: Install etcd container service file
+ template:
+ dest: "/etc/systemd/system/etcd_container.service"
+ src: etcd.docker.service
+ register: install_etcd_result
+ when: openshift.common.is_containerized | bool
+
+- name: Ensure etcd datadir exists
+ when: openshift.common.is_containerized | bool
+ file:
+ path: "{{ etcd_data_dir }}"
+ state: directory
+ mode: 0700
+
+- name: Disable system etcd when containerized
+ when: openshift.common.is_containerized | bool
+ service:
+ name: etcd
+ state: stopped
+ enabled: no
+
+- name: Reload systemd units
+ command: systemctl daemon-reload
+ when: openshift.common.is_containerized and ( install_etcd_result | changed )
 - name: Validate permissions on the config dir
 file:
@@ -52,7 +86,7 @@
 - name: Enable etcd
 service:
- name: etcd
+ name: "{{ etcd_service }}"
 state: started
 enabled: yes
 register: start_result
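Review bot: `Pull etcd container` in the `@@ -7` hunk runs `docker pull {{ openshift.etcd.etcd_image }}` through `command:`, and the default image openshift_facts assigns in this commit (`registry.access.redhat.com/rhel7/etcd`) carries no tag, so every install fetches whatever `latest` resolves to that day and the task reports changed on each run; add `changed_when: false` and document that `osm_etcd_image` should be pinned to a tag or digest if the etcd binary is to be reproducible and reviewable. The two `debug:` tasks inserted above `Install etcd` look like leftovers and should go before merge. `Reload systemd units` also drops the `| bool` cast its neighbours use; `when: openshift.common.is_containerized | bool and install_etcd_result | changed` keeps the file consistent.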
diff --git a/roles/etcd/templates/etcd.conf.j2 b/roles/etcd/templates/etcd.conf.j2
index 32577c96c..28816fd87 100644
--- a/roles/etcd/templates/etcd.conf.j2
+++ b/roles/etcd/templates/etcd.conf.j2
@@ -15,13 +15,13 @@ ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
 ETCD_NAME=default
 {% endif %}
 ETCD_DATA_DIR={{ etcd_data_dir }}
-#ETCD_SNAPSHOT_COUNTER="10000"
-ETCD_HEARTBEAT_INTERVAL="500"
-ETCD_ELECTION_TIMEOUT="2500"
+#ETCD_SNAPSHOT_COUNTER=10000
+ETCD_HEARTBEAT_INTERVAL=500
+ETCD_ELECTION_TIMEOUT=2500
 ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
-#ETCD_MAX_SNAPSHOTS="5"
-#ETCD_MAX_WALS="5"
-#ETCD_CORS=""
+#ETCD_MAX_SNAPSHOTS=5
+#ETCD_MAX_WALS=5
+#ETCD_CORS=
 {% if groups[etcd_peers_group] and groups[etcd_peers_group] | length > 1 %}
 #[cluster]
@@ -29,15 +29,15 @@ ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
 ETCD_INITIAL_CLUSTER={{ initial_cluster() }}
 ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
 ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
-#ETCD_DISCOVERY=""
-#ETCD_DISCOVERY_SRV=""
-#ETCD_DISCOVERY_FALLBACK="proxy"
-#ETCD_DISCOVERY_PROXY=""
+#ETCD_DISCOVERY=
+#ETCD_DISCOVERY_SRV=
+#ETCD_DISCOVERY_FALLBACK=proxy
+#ETCD_DISCOVERY_PROXY=
 {% endif %}
 ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
 #[proxy]
-#ETCD_PROXY="off"
+#ETCD_PROXY=off
 #[security]
 {% if etcd_url_scheme == 'https' -%}
diff --git a/roles/etcd/templates/etcd.docker.service b/roles/etcd/templates/etcd.docker.service
new file mode 100644
index 000000000..8058fa188
--- /dev/null
+++ b/roles/etcd/templates/etcd.docker.service
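Review bot: Both etcd.conf.j2 hunks strip the double quotes from every value, but nothing in the template records why; the likely reason is that the new etcd_container unit feeds this same file to `docker run --env-file`, which keeps quotes as part of the value, whereas the RPM unit's `EnvironmentFile=` strips them. Add a comment at the top of the template, above the hunks shown, along the lines of `{# Keep values unquoted: this file is also passed to docker via --env-file, which does not strip quotes. #}` so a later edit does not reintroduce them and silently hand etcd a `"500"` heartbeat. The template header is outside these hunks.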
@@ -0,0 +1,13 @@
+[Unit]
+Description=The Etcd Server container
+After=docker.service
+
+[Service]
+EnvironmentFile=/etc/etcd/etcd.conf
+ExecStartPre=-/usr/bin/docker rm -f {{ etcd_service }}
+ExecStart=/usr/bin/docker run --name {{ etcd_service }} --rm -v /var/lib/etcd:/var/lib/etcd:z -v /etc/etcd:/etc/etcd:z --env-file=/etc/etcd/etcd.conf --net=host --entrypoint=/usr/bin/etcd {{ openshift.etcd.etcd_image }}
+ExecStop=/usr/bin/docker stop {{ etcd_service }}
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/fluentd_master/tasks/main.yml b/roles/fluentd_master/tasks/main.yml
index ddfa39284..a9531eecf 100644
--- a/roles/fluentd_master/tasks/main.yml
+++ b/roles/fluentd_master/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - fail:
 msg: "fluentd master is not yet supported on atomic hosts"
- when: is_atomic
+ when: openshift.common.is_containerized | bool
 # TODO: Update fluentd install and configuration when packaging is complete
 - name: download and install td-agent
diff --git a/roles/fluentd_node/tasks/main.yml b/roles/fluentd_node/tasks/main.yml
index 4a29d1270..0c0dae973 100644
--- a/roles/fluentd_node/tasks/main.yml
+++ b/roles/fluentd_node/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - fail:
 msg: "fluentd node is not yet supported on atomic hosts"
- when: is_atomic
+ when: openshift.common.is_containerized | bool
 # TODO: Update fluentd install and configuration when packaging is complete
 - name: download and install td-agent
diff --git a/roles/kube_nfs_volumes/tasks/main.yml b/roles/kube_nfs_volumes/tasks/main.yml
index 85338cd84..b3fe2f185 100644
--- a/roles/kube_nfs_volumes/tasks/main.yml
+++ b/roles/kube_nfs_volumes/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - fail:
- msg: "That playbook is not yet supported on atomic hosts"
- when: is_atomic
+ msg: "This role is not yet supported on atomic hosts"
+ when: openshift.common.is_atomic | bool
 - name: Install pyparted (RedHat/Fedora)
 action: "{{ ansible_pkg_mgr }} name=pyparted,python-httplib2 state=present"
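Review bot: The `ExecStart` line of the new etcd.docker.service hard-codes `-v /var/lib/etcd:/var/lib/etcd:z` while the role's tasks create `{{ etcd_data_dir }}` and etcd.conf.j2 sets `ETCD_DATA_DIR={{ etcd_data_dir }}`; if that variable is overridden, etcd inside the container writes to an unmounted path in the container's writable layer, which `--rm` discards on every restart, and the cluster state is lost. Use `-v {{ etcd_data_dir }}:{{ etcd_data_dir }}:z`, and since `/etc/etcd` appears to hold the TLS material referenced by the `[security]` block of etcd.conf.j2, mount it `-v /etc/etcd:/etc/etcd:ro,z` unless something in the image needs to write there. `After=docker.service` without `Requires=docker.service` lets the unit be started while docker is down; `Restart=always` papers over that, but a `Requires=docker.service` line states the dependency.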
diff --git a/roles/openshift_docker/meta/main.yml b/roles/openshift_docker/meta/main.yml
new file mode 100644
index 000000000..1e8f8b719
--- /dev/null
+++ b/roles/openshift_docker/meta/main.yml
@@ -0,0 +1,16 @@
+---
+galaxy_info:
+ author: Jason DeTiberus
+ description: OpenShift Docker
+ company: Red Hat, Inc.
+ license: Apache License, Version 2.0
+ min_ansible_version: 1.9
+ platforms:
+ - name: EL
+ versions:
+ - 7
+ categories:
+ - cloud
+dependencies:
+- { role: openshift_common }
+- { role: docker }
diff --git a/roles/openshift_docker/tasks/main.yml b/roles/openshift_docker/tasks/main.yml
new file mode 100644
index 000000000..f63b3acd5
--- /dev/null
+++ b/roles/openshift_docker/tasks/main.yml
@@ -0,0 +1,27 @@
+---
+- openshift_facts:
+ - role: common
+ local_facts:
+ deployment_type: "{{ openshift_deployment_type }}"
+ docker_additional_registries: "{{ docker_additional_registries | oo_split() }}"
+ docker_insecure_registries: "{{ docker_insecure_registries | oo_split() }}"
+ docker_blocked_registries: "{{ docker_blocked_registries | oo_split() }}"
+
+- name: Set registry params
+ lineinfile:
+ dest: /etc/sysconfig/docker
+ regexp: '^{{ reg_conf_var }}=.*$'
+ line: "{{ reg_conf_var }}='{{ reg_fact_val | oo_prepend_strings_in_list(reg_flag ~ ' ') | join(' ') }}'"
+ when: "'docker_additional_registries' in openshift.common"
+ with_items:
+ - reg_conf_var: ADD_REGISTRY
+ reg_fact_val: {{ openshift.common.docker_additional_registries }}
+ reg_flag: --add-registry
+ - reg_conf_var: BLOCK_REGISTRY
+ reg_fact_val: {{ openshift.common.docker_blocked_registries }}
+ reg_flag: --block-registry
+ - reg_conf_var: INSECURE_REGISTRY
+ reg_fact_val: {{ openshift.common.docker_insecure_registries }}
+ reg_flag: --insecure-registry
+ notify:
+ - restart docker
diff --git a/roles/openshift_examples/defaults/main.yml b/roles/openshift_examples/defaults/main.yml
index ae642fae1..d318d17e3 100644
--- a/roles/openshift_examples/defaults/main.yml
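Review bot: The new `roles/openshift_docker/tasks/main.yml` will not load as written: `openshift_facts:` is followed by a list item (`- role: common`) instead of the mapping keys this commit uses for the same module elsewhere (`role: etcd` / `local_facts:` in openshift-etcd/config.yml), and the three `reg_fact_val: {{ openshift.common... }}` values start with `{{`, which YAML reads as a flow mapping and rejects before Ansible ever templates them. Drop the dash and quote the templated values, as below. The `when: "'docker_additional_registries' in openshift.common"` guards all three registry items on a single key; because the preceding `openshift_facts` call always passes all three lists it is probably redundant, but if it is meant to skip unset lists it should test each item's own fact.
```yaml
- openshift_facts:
    role: common
    local_facts:
      # … unchanged: deployment_type and the three registry lists …

- name: Set registry params
  # … unchanged: lineinfile, when, notify …
  with_items:
    - reg_conf_var: ADD_REGISTRY
      reg_fact_val: "{{ openshift.common.docker_additional_registries }}"
      reg_flag: --add-registry
    - reg_conf_var: BLOCK_REGISTRY
      reg_fact_val: "{{ openshift.common.docker_blocked_registries }}"
      reg_flag: --block-registry
    - reg_conf_var: INSECURE_REGISTRY
      reg_fact_val: "{{ openshift.common.docker_insecure_registries }}"
      reg_flag: --insecure-registry
```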
+++ b/roles/openshift_examples/defaults/main.yml
@@ -8,7 +8,7 @@ openshift_examples_load_quickstarts: true
 content_version: "{{ 'v1.1' if openshift.common.version_greater_than_3_1_or_1_1 else 'v1.0' }}"
-examples_base: "{% if is_atomic %}{{ openshift.common.config_base }}{% else %}/usr/share/openshift{% endif %}/examples"
+examples_base: "{% if openshift.common.is_atomic %}{{ openshift.common.config_base }}{% else %}/usr/share/openshift{% endif %}/examples"
 image_streams_base: "{{ examples_base }}/image-streams"
 centos_image_streams: "{{ image_streams_base}}/image-streams-centos7.json"
 rhel_image_streams: "{{ image_streams_base}}/image-streams-rhel7.json"
diff --git a/roles/openshift_expand_partition/tasks/main.yml b/roles/openshift_expand_partition/tasks/main.yml
index b74d635d5..cdd813e6a 100644
--- a/roles/openshift_expand_partition/tasks/main.yml
+++ b/roles/openshift_expand_partition/tasks/main.yml
@@ -1,13 +1,14 @@
 ---
 - name: Ensure growpart is installed
- action: "{{ ansible_pkg_mgr }} name=cloud-utils-growpart state=present" and not is_atomic
+ action: "{{ ansible_pkg_mgr }} name=cloud-utils-growpart state=present"
+ when: not openshift.common.is_containerized | bool
 - name: Determine if growpart is installed
 command: "rpm -q cloud-utils-growpart"
 register: has_growpart
 failed_when: "has_growpart.cr != 0 and 'package cloud-utils-growpart is not installed' not in has_growpart.stdout"
 changed_when: false
- when: is_atomic
+ when: openshift.common.is_containerized | bool
 - name: Grow the partitions
 command: "growpart {{oep_drive}} {{oep_partition}}"
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 4278111c2..8e733a3a2 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
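Review bot: The `Determine if growpart is installed` task in the openshift_expand_partition hunk tests `has_growpart.cr != 0`; a `command:` result exposes `rc`, not `cr`, so the `failed_when` expression references an undefined attribute and cannot perform the check it describes. The line is context, but this commit now routes every containerized host through it, so fix it here: `failed_when: "has_growpart.rc != 0 and 'package cloud-utils-growpart is not installed' not in has_growpart.stdout"`. Separately, `examples_base` in the openshift_examples hunk still switches on `is_atomic` while the rest of this commit moved to `is_containerized`; on a containerized but non-atomic host no RPM is installed to provide `/usr/share/openshift/examples`, so that branch likely needs the same treatment — worth confirming.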
@@ -643,6 +643,20 @@ def set_deployment_facts_if_unset(facts):
 data_dir = '/var/lib/openshift'
 facts['common']['data_dir'] = data_dir
+ # remove duplicate and empty strings from registry lists
+ for cat in ['additional', 'blocked', 'insecure']:
+ key = 'docker_{0}_registries'.format(cat)
+ if key in facts['common']:
+ facts['common'][key] = set(facts['common'][key]) - set([''])
+
+
+ if deployment_type in ['enterprise', 'atomic-enterprise', 'openshift-enterprise']:
+ addtl_regs = facts['common']['docker_additional_registries']:
+ ent_reg = 'registry.access.redhat.com'
+ if ent_reg not in addtl_regs
+ facts['common']['docker_additional_registries'].append(ent_reg)
+
+
 for role in ('master', 'node'):
 if role in facts:
 deployment_type = facts['common']['deployment_type']
@@ -1032,7 +1046,7 @@ class OpenShiftFacts(object):
 facts = set_version_facts_if_unset(facts)
 facts = set_aggregate_facts(facts)
 facts = set_etcd_facts_if_unset(facts)
- facts = self.init_in_docker_facts(facts)
+ facts = self.set_containerized_facts_if_unset(facts)
 return dict(openshift=facts)
 def get_defaults(self, roles):
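Review bot: The block added to `set_deployment_facts_if_unset` in the `@@ -643` hunk does not parse: `addtl_regs = facts['common']['docker_additional_registries']:` has a stray trailing colon and `if ent_reg not in addtl_regs` is missing one. Once that is fixed, the loop just above has replaced each registry list with a `set`, so `.append(ent_reg)` raises AttributeError, a `set` is not JSON-serialisable when the module returns `dict(openshift=facts)`, and converting through a set discards the registry order that docker uses for unqualified image names; the enterprise branch also indexes `docker_additional_registries` without the `key in facts['common']` guard the loop uses. Keep the values as order-preserving lists and use `setdefault`, as below; the hunk's indentation is not recoverable on this page, so the lines are shown at the level of the enclosing `if 'common' in facts:` body, which is assumed to bind `deployment_type`.
```python
    # remove duplicate and empty strings from registry lists, keeping order
    # (docker searches additional registries in the order listed)
    for cat in ['additional', 'blocked', 'insecure']:
        key = 'docker_{0}_registries'.format(cat)
        if key in facts['common']:
            deduped = []
            for reg in facts['common'][key]:
                if reg and reg not in deduped:
                    deduped.append(reg)
            facts['common'][key] = deduped

    if deployment_type in ['enterprise', 'atomic-enterprise', 'openshift-enterprise']:
        addtl_regs = facts['common'].setdefault('docker_additional_registries', [])
        ent_reg = 'registry.access.redhat.com'
        if ent_reg not in addtl_regs:
            addtl_regs.append(ent_reg)

    # … unchanged: for role in ('master', 'node') loop …
```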
@@ -1199,26 +1213,54 @@ class OpenShiftFacts(object): self.changed = changed return new_local_facts - def init_in_docker_facts(self, facts): - facts['is_atomic'] = os.path.isfile('/run/ostree-booted') - - docker = dict() - docker['image_name'] = 'openshift/origin' - # TODO: figure out right way to set the version - docker['image_version'] = 'latest' - docker['image'] = "%s:%s" % (docker['image_name'], docker['image_version']) + def set_containerized_facts_if_unset(self, facts): + deployment_type = facts['common']['deployment_type'] + if deployment_type in ['enterprise','openshift-enterprise']: + master_image = 'openshift3/ose' + cli_image = master_image + node_image = 'openshift3/node' + ovs_image = 'openshift3/openvswitch' + etcd_image = 'registry.access.redhat.com/rhel7/etcd' + elif deployment_type == 'atomic-enterprise': + master_image = 'aep3_beta/aep' + cli_image = master_image + node_image = 'aep3_beta/node' + ovs_image = 'aep3_beta/openvswitch' + etcd_image = 'registry.access.redhat.com/rhel7/etcd' + else: + master_image = 'openshift/origin' + cli_image = master_image + node_image = 'openshift/node' + ovs_image = 'openshift/openvswitch' + etcd_image = 'registry.access.redhat.com/rhel7/etcd' + + facts['common']['is_atomic'] = os.path.isfile('/run/ostree-booted') + if 'is_containerized' not in facts['common']: + facts['common']['is_containerized'] = facts['common']['is_atomic'] + if 'cli_image' not in facts['common']: + facts['common']['cli_image'] = cli_image + if 'master' in facts: + if 'master_image' not in facts['master']: + facts['master']['master_image'] = master_image + if 'node' in facts: + if 'node_image' not in facts ['node']: + facts['node']['node_image'] = node_image + if 'ovs_image' not in facts ['node']: + facts['node']['ovs_image'] = ovs_image + if 'etcd' in facts: + if 'etcd_image' not in facts['etcd']: + facts['etcd']['etcd_image'] = etcd_image # shared /tmp/openshift vol is for file exchange with ansible # --privileged is required to read the 
config dir # --net host to access openshift from the container # maybe -v /var/run/docker.sock:/var/run/docker.sock is required as well - docker['runner'] = "docker run --rm --privileged --net host -v /tmp/openshift:/tmp/openshift -v {datadir}:{datadir} -v {confdir}:{confdir} -e KUBECONFIG={confdir}/master/admin.kubeconfig {image}".format(confdir=facts['common']['config_base'], datadir=facts['common']['data_dir'], image=docker['image']) + runner = "docker run --rm --privileged --net host -v /tmp/openshift:/tmp/openshift -v {datadir}:{datadir} -v {confdir}:{confdir} -e KUBECONFIG={confdir}/master/admin.kubeconfig {image}".format(confdir=facts['common']['config_base'], datadir=facts['common']['data_dir'], image=facts['common']['cli_image']) - if facts['is_atomic']: - facts['common']['client_binary'] = '%s cli' % docker['runner'] - facts['common']['admin_binary'] = '%s admin' % docker['runner'] + if facts['common']['is_containerized']: + facts['common']['client_binary'] = '%s cli' % runner + facts['common']['admin_binary'] = '%s admin' % runner - facts['docker'] = docker return facts diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index e98b7c591..832f7ad84 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -6,20 +6,6 @@ - ansible_version | version_compare('1.9.0', 'ne') - ansible_version | version_compare('1.9.0.1', 'ne') -- name: Determine if Atomic - stat: path=/run/ostree-booted - register: s - changed_when: false - -- name: Init the is_atomic fact - set_fact: - is_atomic: false - -- name: Set the is_atomic fact - set_fact: - is_atomic: true - when: s.stat.exists - - name: Ensure PyYaml is installed action: "{{ ansible_pkg_mgr }} name=PyYAML state=present" diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 6844a16cc..e9e77d231 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml 
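Review bot: The image references built in `set_containerized_facts_if_unset` carry no tag or digest (`openshift/origin`, `openshift3/ose`, `aep3_beta/aep`, ...), so every `docker pull`/`docker run` downstream resolves the floating `latest`, whereas the removed code at least pinned `openshift_pkg_version`. For components that run `--privileged` with the master config directory mounted, a tag derived from a version fact, e.g. `master_image = '{0}:{1}'.format(master_image, image_tag)` with `latest` only as a last-resort default, and eventually a digest, would make installs reproducible across hosts. Separately, an inventory-supplied `is_containerized` is stored as given, so a string such as `"false"` would presumably be truthy in the `if facts['common']['is_containerized']` test below; coercing it to a real bool here (the YAML side already applies `| bool` everywhere it reads it) closes that gap. A comment above `runner` should also state that the client wrapper runs privileged with host networking and why that is required.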
@@ -20,10 +20,9 @@ - fail: msg: "openshift_master_cluster_password must be set for multi-master installations" when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and (openshift_master_cluster_password is not defined or not openshift_master_cluster_password) - - fail: - msg: "openshift_master_ha is not yet supported on atomic hosts" - when: openshift_master_ha | bool and is_atomic + msg: "Pacemaker based HA is not supported at this time when used with containerized installs" + when: openshift_master_ha | bool and openshift_master_cluster_method == "pacemaker" and openshift.common.is_containerized | bool - name: Set master facts openshift_facts: 
@@ -80,28 +79,38 @@ disabled_features: "{{ osm_disabled_features | default(None) }}" master_count: "{{ openshift_master_count | default(None) }}" controller_lease_ttl: "{{ osm_controller_lease_ttl | default(None) }}" + master_image: "{{ osm_image | default(None) }}" - name: Install Master package action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_version }} state=present" - when: not is_atomic + when: not openshift.common.is_containerized | bool # TODO: enable when ansible#1993 lands and is widespread enough # - name: Docker image present # docker: # image: "{{ openshift.common.docker.image }}" # state: image_present -# when: is_atomic +# when: openshift.common.is_containerized | bool - name: Install Master docker service file template: dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service" - src: openshift.docker.master.service - register: install_result - when: is_atomic + src: master.docker.service.j2 + register: install_result + when: openshift.common.is_containerized | bool and not openshift_master_ha | bool + +- name: Create openshift.common.data_dir + file: + path: "{{ openshift.common.data_dir }}" + state: directory + mode: 0755 + owner: root + group: root + when: openshift.common.is_containerized | bool -- name: Reload systemd units +- name: Reload systemd units command: systemctl daemon-reload - when: is_atomic and install_result | changed + when: openshift.common.is_containerized | bool and install_result | changed - name: Re-gather package dependent master facts openshift_facts: @@ -134,9 +143,9 @@ - name: Install httpd-tools if needed action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present" - when: (item.kind == 'HTPasswdPasswordIdentityProvider') + when: (item.kind == 'HTPasswdPasswordIdentityProvider') and + not openshift.common.is_containerized | bool with_items: openshift.master.identity_providers - when: not is_atomic - name: Ensure htpasswd directory exists file: 
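Review bot: The commented-out "Docker image present" block still references `openshift.common.docker.image`, a fact this commit deletes from `openshift_facts.py`, so the TODO now points at a key that no longer exists and should read `image: "{{ openshift.master.master_image }}"` if it is kept. `mode: 0755` on the new data-dir task is an unquoted octal; Ansible accepts it, but `mode: "0755"` avoids the YAML integer trap. The new `master_image: "{{ osm_image | default(None) }}"` parameter follows the pattern of the fact parameters above it, so that part reads fine.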
@@ -154,16 +163,27 @@ when: item.kind == 'HTPasswdPasswordIdentityProvider' with_items: openshift.master.identity_providers +- name: Init HA Service Info + set_fact: + ha_suffix: "" + ha_svcdir: "/usr/lib/systemd/system" + +- name: Set HA Service Info for containerized installs + set_fact: + ha_suffix: ".docker" + ha_svcdir: "/etc/systemd/system" + when: openshift.common.is_containerized | bool + # workaround for missing systemd unit files for controllers/api - name: Create the api service file template: - src: atomic-openshift-master-api.service.j2 - dest: /usr/lib/systemd/system/{{ openshift.common.service_type }}-master-api.service + src: atomic-openshift-master-api{{ ha_suffix }}.service.j2 + dest: "{{ ha_svcdir }}/{{ openshift.common.service_type }}-master-api.service" when: openshift_master_ha | bool and openshift_master_cluster_method == "native" - name: Create the controllers service file template: - src: atomic-openshift-master-controllers.service.j2 - dest: /usr/lib/systemd/system/{{ openshift.common.service_type }}-master-controllers.service + src: atomic-openshift-master-controllers{{ ha_suffix }}.service.j2 + dest: "{{ ha_svcdir }}/{{ openshift.common.service_type }}-master-controllers.service" when: openshift_master_ha | bool and openshift_master_cluster_method == "native" - name: Create the api env file template: @@ -251,6 +271,10 @@ when: not openshift_master_ha | bool register: start_result +- name: Stop and disable non HA master when running HA + service: name={{ openshift.common.service_type }}-master enabled=no state=stopped + when: openshift_master_ha | bool + - set_fact: master_service_status_changed: start_result | changed when: not openshift_master_ha | bool 
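Review bot: "Stop and disable non HA master when running HA" runs for every HA install, but on a containerized HA install the `{{ openshift.common.service_type }}-master.service` unit is never templated (the template task earlier in this file is guarded by `not openshift_master_ha | bool`), so the `service` module will presumably fail on a unit it cannot find rather than no-op. Guarding the task with a `stat` of the unit file, or registering the result and using `failed_when` to tolerate only the missing-unit case, would keep fresh containerized HA installs from aborting here. The service-start tasks this sits among begin before the hunk.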
@@ -275,12 +299,14 @@ - name: Install cluster packages action: "{{ ansible_pkg_mgr }} name=pcs state=present" - when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' and not is_atomic + when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' + and not openshift.common.is_containerized | bool register: install_result - name: Start and enable cluster service service: name=pcsd enabled=yes state=started when: openshift_master_ha | bool and openshift.master.cluster_method == 'pacemaker' + and not openshift.common.is_containerized | bool - name: Set the cluster user password shell: echo {{ openshift_master_cluster_password | quote }} | passwd --stdin hacluster @@ -307,7 +333,6 @@ command: cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config args: creates: ~{{ item }}/.kube/config - when: not is_atomic with_items: - root - "{{ ansible_ssh_user }}" diff --git a/roles/openshift_master/templates/atomic-openshift-master-api.docker.service.j2 b/roles/openshift_master/templates/atomic-openshift-master-api.docker.service.j2 new file mode 100644 index 000000000..936c39edf --- /dev/null +++ b/roles/openshift_master/templates/atomic-openshift-master-api.docker.service.j2 
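Review bot: With the `when: not is_atomic` guard removed, `cp {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config` now runs on containerized hosts too, and it still creates the copy with whatever mode the invoking umask yields (typically 0644) while `admin.kubeconfig` is, by name, the cluster-admin credential. Replacing the copy with `command: install -m 0600 -o {{ item }} {{ openshift_master_config_dir }}/admin.kubeconfig ~{{ item }}/.kube/config` gives each user a private, self-owned credential file; the existing `creates:` guard stays as is. Note that on containerized hosts the `client_binary` wrapper sets `KUBECONFIG` inside the container to the master copy, so this per-user file is not what that wrapper reads.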
@@ -0,0 +1,26 @@
+[Unit]
+Description=Atomic OpenShift Master API
+Documentation=https://github.com/openshift/origin
+After=network.target
+After=etcd.service
+Before={{ openshift.common.service_type }}-node.service
+Requires=network.target
+Requires=docker.service
+PartOf=docker.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-api
+Environment=GOTRACEBACK=crash
+ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type}}-master-api
+ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master-api -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift.master.master_image }} start master api --config=${CONFIG_FILE} $OPTIONS
+ExecStartPost=/usr/bin/sleep 10
+ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-master-api
+LimitNOFILE=131072
+LimitCORE=infinity
+WorkingDirectory={{ openshift.common.data_dir }}
+SyslogIdentifier=atomic-openshift-master-api
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
+WantedBy={{ openshift.common.service_type }}-node.service
\ No newline at end of file
diff --git a/roles/openshift_master/templates/atomic-openshift-master-controllers.docker.service.j2 b/roles/openshift_master/templates/atomic-openshift-master-controllers.docker.service.j2
new file mode 100644
index 000000000..6ba7d6e2a
--- /dev/null
+++ b/roles/openshift_master/templates/atomic-openshift-master-controllers.docker.service.j2
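Review bot: The API unit starts its container `--privileged` with the host Docker socket bound in, which is root-equivalent on the host; the node plausibly needs that, but nothing in this unit says why the API server does, so either drop `-v /var/run/docker.sock:/var/run/docker.sock` and `--privileged` if the image runs without them, or add a `{# ... #}` comment stating the dependency. `SyslogIdentifier=atomic-openshift-master-api` is hard-coded while every other name in the unit is templated; `SyslogIdentifier={{ openshift.common.service_type }}-master-api` matches the controllers unit. `ExecStartPost=/usr/bin/sleep 10` hides start-up failures for ten seconds; a comment on what it waits for would help whoever later replaces it with a real readiness check.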
@@ -0,0 +1,25 @@
+[Unit]
+Description=Atomic OpenShift Master Controllers
+Documentation=https://github.com/openshift/origin
+After=network.target
+After={{ openshift.common.service_type }}-master-api.service
+Before={{ openshift.common.service_type }}-node.service
+Requires=docker.service
+PartOf=docker.service
+
+[Service]
+EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers
+Environment=GOTRACEBACK=crash
+ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type}}-master-controllers
+ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master-controllers -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift.master.master_image }} start master controllers --config=${CONFIG_FILE} $OPTIONS
+ExecStartPost=/usr/bin/sleep 10
+ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-master-controllers
+LimitNOFILE=131072
+LimitCORE=infinity
+WorkingDirectory={{ openshift.common.data_dir }}
+SyslogIdentifier={{ openshift.common.service_type }}-master-controllers
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
+WantedBy={{ openshift.common.service_type }}-node.service
diff --git a/roles/openshift_master/templates/master.docker.service.j2 b/roles/openshift_master/templates/master.docker.service.j2
new file mode 100644
index 000000000..8b23d70b1
--- /dev/null
+++ b/roles/openshift_master/templates/master.docker.service.j2
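Review bot: `Restart=on-failure` here differs from `Restart=always` in the API unit this one is ordered after, so a clean exit of the controllers container leaves the controllers down while the API keeps restarting; if the asymmetry is intended, a comment above `Restart=` should say so, otherwise `Restart=always` for parity. Like the API unit, the controllers run `--privileged` with the Docker socket mounted, and the template gives no reason; the justification belongs in a `{# ... #}` comment next to `ExecStart=`.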
@@ -0,0 +1,16 @@ +[Unit] +After=docker.service +Before={{ openshift.common.service_type }}-node.service +Requires=docker.service +PartOf=docker.service + +[Service] +EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master +ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type}}-master +ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift.master.master_image }} start master --config=${CONFIG_FILE} $OPTIONS +ExecStartPost=/usr/bin/sleep 10 +ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-master +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/openshift_master/templates/openshift.docker.master.service b/roles/openshift_master/templates/openshift.docker.master.service deleted file mode 100644 index 9e436f8eb..000000000 --- a/roles/openshift_master/templates/openshift.docker.master.service +++ /dev/null @@ -1,11 +0,0 @@ -[Unit] -After=docker.service -Require=docker.service - -[Service] -EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master -ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift_docker_image }} start master --config=${CONFIG_FILE} ${OPTIONS} -ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-master - -[Install] -WantedBy=multi-user.target diff --git a/roles/openshift_master/vars/main.yml b/roles/openshift_master/vars/main.yml index 875d61a3b..534465451 100644 --- a/roles/openshift_master/vars/main.yml +++ b/roles/openshift_master/vars/main.yml 
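Review bot: The non-HA master unit orders itself only `After=docker.service`, unlike the new API unit which also waits on `network.target` and `etcd.service`; with `Restart=always` the master will spin until etcd answers rather than start in order. Adding `After=network.target` and `After=etcd.service` (plus a `Description=`) brings it in line with the HA units. It has the same `--privileged` plus Docker-socket footprint as those units and merits the same explanatory `{# ... #}` comment.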
@@ -5,8 +5,6 @@ openshift_master_scheduler_conf: "{{ openshift_master_config_dir }}/scheduler.js openshift_master_session_secrets_file: "{{ openshift_master_config_dir }}/session-secrets.yaml" openshift_master_policy: "{{ openshift_master_config_dir }}/policy.json" openshift_version: "{{ openshift_pkg_version | default('') }}" -openshift_docker_image_name: openshift/origin -openshift_docker_image: "{{ openshift_docker_image_name }}:{{ openshift_pkg_version | default('latest') }}" openshift_master_valid_grant_methods: - auto diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml index c179ceb61..17d832d26 100644 --- a/roles/openshift_master_ca/tasks/main.yml +++ b/roles/openshift_master_ca/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Install the base package for admin tooling action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}{{ openshift_version }} state=present" - when: not is_atomic + when: openshift.common.is_containerized | bool - name: Reload generated facts openshift_facts: @@ -12,6 +12,11 @@ path: "{{ openshift_master_config_dir }}" state: directory +- name: Pull required docker image + command: > + docker pull {{ openshift.common.cli_image }} + when: openshift.common.is_containerized | bool + - name: Create the master certificates if they do not already exist command: > {{ openshift.common.admin_binary }} create-master-certs diff --git a/roles/openshift_master_ca/vars/main.yml b/roles/openshift_master_ca/vars/main.yml index 0f1f32a34..b35339b18 100644 --- a/roles/openshift_master_ca/vars/main.yml +++ b/roles/openshift_master_ca/vars/main.yml 
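Review bot: The rewritten condition on "Install the base package for admin tooling" inverts the original: `when: not is_atomic` became `when: openshift.common.is_containerized | bool` with the `not` dropped, so RPM installs skip the package and containerized installs try to yum-install it. Every other package task in this commit uses `when: not openshift.common.is_containerized | bool`; this one should too.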
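Review bot: "Pull required docker image" pulls `{{ openshift.common.cli_image }}`, which this commit defines without a tag, so it fetches the floating `latest` and that image is immediately used by `admin_binary` to generate the cluster CA. Pin the reference (a tag now, a digest when available) so CA generation is reproducible and a repository tag move cannot silently change the binary that mints the certificates. The task also runs on every play and `docker pull` always reports changed; `changed_when: false`, or a preceding `docker images -q` check, would keep the play report honest.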
@@ -4,6 +4,3 @@ openshift_master_ca_cert: "{{ openshift_master_config_dir }}/ca.crt" openshift_master_ca_key: "{{ openshift_master_config_dir }}/ca.key" openshift_master_ca_serial: "{{ openshift_master_config_dir }}/ca.serial.txt" openshift_version: "{{ openshift_pkg_version | default('') }}" - -openshift_docker_image_name: openshift/origin -openshift_docker_image: "{{ openshift_docker_image_name }}:{{ openshift_pkg_version | default('latest') }}" diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 13e5d7a4b..36d953111 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -16,6 +16,8 @@ - admin.kubeconfig - master.kubelet-client.crt - master.kubelet-client.key + - master.server.crt + - master.server.key - openshift-master.crt - openshift-master.key - openshift-master.kubeconfig diff --git a/roles/openshift_master_cluster/tasks/main.yml b/roles/openshift_master_cluster/tasks/main.yml index 978e2920d..40705d357 100644 --- a/roles/openshift_master_cluster/tasks/main.yml +++ b/roles/openshift_master_cluster/tasks/main.yml @@ -1,7 +1,7 @@ --- - fail: msg: "Not possible on atomic hosts for now" - when: is_atomic + when: openshift.common.is_containerized | bool - name: Test if cluster is already configured command: pcs status diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 8607aa3fb..67c6387a3 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
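Review bot: The fail message still reads "Not possible on atomic hosts for now" while the condition now tests `openshift.common.is_containerized | bool`, so a non-Atomic host configured for a containerized install gets a misleading error. Suggested text: `msg: "openshift_master_cluster (pacemaker) is not supported on containerized installs"`.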
@@ -4,10 +4,6 @@ msg: "SELinux is disabled, This deployment type requires that SELinux is enabled." when: (not ansible_selinux or ansible_selinux.status != 'enabled') and deployment_type in ['enterprise', 'online', 'atomic-enterprise', 'openshift-enterprise'] -- fail: - msg: "This playbook does not support using SDN on atomic hosts yet" - when: openshift.common.use_openshift_sdn and is_atomic - - name: Set node facts openshift_facts: role: "{{ item.role }}" 
@@ -37,16 +33,50 @@ sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" set_node_ip: "{{ openshift_set_node_ip | default(None) }}" + node_image: "{{ osn_image | default(None) }}" + ovs_image: "{{ osn_ovs_image | default(None) }}" # We have to add tuned-profiles in the same transaction otherwise we run into depsolving -# problems because the rpms don't pin the version properly. +# problems because the rpms don't pin the version properly. This was fixed in 3.1 packaging. - name: Install Node package action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-node{{ openshift_version }},tuned-profiles-{{ openshift.common.service_type }}-node{{ openshift_version }} state=present" - when: not is_atomic + when: not openshift.common.is_containerized | bool - name: Install sdn-ovs package action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-sdn-ovs{{ openshift_version }} state=present" - when: openshift.common.use_openshift_sdn and not is_atomic + when: openshift.common.use_openshift_sdn and not openshift.common.is_containerized | bool + +- name: Install Node docker service file + template: + dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service" + src: openshift.docker.node.service + register: install_node_result + when: openshift.common.is_containerized | bool + +- name: Create openshift.common.data_dir + file: + path: openshift.common.data_dir + state: directory + mode: 0755 + owner: root + group: root + when: openshift.common.is_containerized | bool + +- name: Install OpenvSwitch docker service file + template: + dest: "/etc/systemd/system/openvswitch.service" + src: openvswitch.docker.service + register: install_ovs_result + when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool + +- name: Reload systemd units + command: systemctl daemon-reload + when: openshift.common.is_containerized and ( ( 
install_node_result | changed ) + or ( install_ovs_result | changed ) ) + +- name: Start and enable openvswitch docker service + service: name=openvswitch.service enabled=yes state=started + when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool # TODO: add the validate parameter when there is a validation command to run - name: Create the Node config 
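Review bot: "Create openshift.common.data_dir" passes the literal string `path: openshift.common.data_dir`, not a template, so on containerized nodes it creates a directory literally named `openshift.common.data_dir` relative to the remote working directory and the real data dir is never created; it should read `path: "{{ openshift.common.data_dir }}"` as the master role's equivalent task does. The "Reload systemd units" condition uses `openshift.common.is_containerized` without the `| bool` filter applied everywhere else in this commit, so a string value from inventory would be evaluated as truthy. `mode: 0755` is better quoted as `"0755"`.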
@@ -71,64 +101,6 @@ notify: - restart node -- stat: path=/etc/sysconfig/docker - register: docker_check - - # TODO: Enable secure registry when code available in origin -- name: Secure Registry and Logs Options - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^OPTIONS=.*$' - line: "OPTIONS='--insecure-registry={{ openshift.node.portal_net }} \ -{% if ansible_selinux and ansible_selinux.status == '''enabled''' %}--selinux-enabled{% endif %} \ -{% if openshift.node.docker_log_driver is defined %} --log-driver {{ openshift.node.docker_log_driver }} {% endif %} \ -{% if openshift.node.docker_log_options is defined %} {{ openshift.node.docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}} {% endif %} '" - when: docker_check.stat.isreg - notify: - - restart docker - -- set_fact: - docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') - | oo_split() | union(['registry.access.redhat.com']) - | difference(['']) }}" - when: openshift.common.deployment_type in ['enterprise', 'openshift-enterprise', 'atomic-enterprise'] -- set_fact: - docker_additional_registries: "{{ lookup('oo_option', 'docker_additional_registries') - | oo_split() | difference(['']) }}" - when: openshift.common.deployment_type not in ['enterprise', 'openshift-enterprise', 'atomic-enterprise'] - -- name: Add personal registries - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^ADD_REGISTRY=.*$' - line: "ADD_REGISTRY='{{ docker_additional_registries - | oo_prepend_strings_in_list('--add-registry ') | join(' ') }}'" - when: docker_check.stat.isreg and docker_additional_registries - notify: - - restart docker - -- name: Block registries - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^BLOCK_REGISTRY=.*$' - line: "BLOCK_REGISTRY='{{ lookup('oo_option', 'docker_blocked_registries') | oo_split() - | oo_prepend_strings_in_list('--block-registry ') | join(' ') }}'" - when: docker_check.stat.isreg and - lookup('oo_option', 
'docker_blocked_registries') != '' - notify: - - restart docker - -- name: Grant access to additional insecure registries - lineinfile: - dest: /etc/sysconfig/docker - regexp: '^INSECURE_REGISTRY=.*' - line: "INSECURE_REGISTRY='{{ lookup('oo_option', 'docker_insecure_registries') | oo_split() - | oo_prepend_strings_in_list('--insecure-registry ') | join(' ') }}'" - when: docker_check.stat.isreg and - lookup('oo_option', 'docker_insecure_registries') != '' - notify: - - restart docker - - name: Additional storage plugin configuration include: storage_plugins/main.yml diff --git a/roles/openshift_node/tasks/storage_plugins/main.yml b/roles/openshift_node/tasks/storage_plugins/main.yml index 39c7b9390..d237c26ec 100644 --- a/roles/openshift_node/tasks/storage_plugins/main.yml +++ b/roles/openshift_node/tasks/storage_plugins/main.yml @@ -3,11 +3,12 @@ # additional package dependencies - name: NFS storage plugin configuration include: nfs.yml + when: not openshift.common.is_containerized | bool - name: GlusterFS storage plugin configuration include: glusterfs.yml - when: "'glusterfs' in openshift.node.storage_plugin_deps" + when: "'glusterfs' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool " - name: Ceph storage plugin configuration include: ceph.yml - when: "'ceph' in openshift.node.storage_plugin_deps" + when: "'ceph' in openshift.node.storage_plugin_deps and not openshift.common.is_containerized | bool" diff --git a/roles/openshift_node/templates/openshift.docker.node.service b/roles/openshift_node/templates/openshift.docker.node.service index e9df34940..7a11a10fa 100644 --- a/roles/openshift_node/templates/openshift.docker.node.service +++ b/roles/openshift_node/templates/openshift.docker.node.service 
@@ -1,11 +1,20 @@ [Unit] After=docker.service -Require=docker.service +After={{ openshift.common.service_type }}-master.service +After=openvswitch.service +{% if openshift.common.use_openshift_sdn %} +Requires=openvswitch.service +{% endif %} +Requires=docker.service +PartOf=docker.service [Service] EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-node -ExecStart=/usr/bin/docker run --rm --privileged --net=host --name "{{ openshift.common.service_type }}-node" -v /:/rootfs:ro -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift_docker_image }} start node --config=${CONFIG_FILE} ${OPTIONS} +ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type }}-node +ExecStart=/usr/bin/docker run --name {{ openshift.common.service_type }}-node --rm --privileged --net=host --pid=host -v /:/rootfs:ro -e CONFIG_FILE=${CONFIG_FILE} -e OPTIONS=${OPTIONS} -e HOST=/rootfs -e HOST_ETC=/host-etc -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v {{ openshift.common.config_base }}/node:{{ openshift.common.config_base }}/node -v /etc/localtime:/etc/localtime:ro -v /etc/machine-id:/etc/machine-id:ro -v /run:/run -v /sys:/sys:ro -v /usr/bin/docker:/usr/bin/docker:ro -v /var/lib/docker:/var/lib/docker -v /lib/modules:/lib/modules -v /etc/origin/openvswitch:/etc/openvswitch -v /etc/origin/sdn:/etc/openshift-sdn -v /etc/systemd/system:/host-etc/systemd/system {{ openshift.node.node_image }} +ExecStartPost=/usr/bin/sleep 10 ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-node +Restart=always [Install] WantedBy=multi-user.target diff --git a/roles/openshift_node/templates/openvswitch.docker.service b/roles/openshift_node/templates/openvswitch.docker.service new file mode 100644 index 000000000..0b42ca6d5 --- /dev/null +++ b/roles/openshift_node/templates/openvswitch.docker.service 
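Review bot: The node container now gets `/run`, `/var/lib/docker` and `/etc/systemd/system` bind-mounted read-write on top of `--privileged --pid=host`, which lets anything inside it install host units and drive the Docker daemon; that is root-equivalent on the host, and the template gives no hint which mounts the node actually requires. Please add a `{# ... #}` comment listing, per mount, what the node uses it for (the `HOST_ETC=/host-etc` variable suggests the systemd mount is for unit management), so the next reviewer can prune rather than guess. The explicit `-v /var/run/docker.sock` was dropped, but the socket remains reachable through the `/run` mount, so the comment should say that as well.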
@@ -0,0 +1,13 @@ +[Unit] +After=docker.service +Requires=docker.service +PartOf=docker.service + +[Service] +ExecStartPre=-/usr/bin/docker rm -f openvswitch +ExecStart=/usr/bin/docker run --name openvswitch --rm --privileged --net=host --pid=host -v /lib/modules:/lib/modules -v /run:/run -v /sys:/sys:ro -v /etc/origin/openvswitch:/etc/openvswitch {{ openshift.node.ovs_image }} +ExecStop=/usr/bin/docker stop openvswitch +Restart=always + +[Install] +WantedBy=multi-user.target diff --git a/roles/openshift_node/vars/main.yml b/roles/openshift_node/vars/main.yml index c57d1bcca..43dc50ca8 100644 --- a/roles/openshift_node/vars/main.yml +++ b/roles/openshift_node/vars/main.yml @@ -2,6 +2,3 @@ openshift_node_config_dir: "{{ openshift.common.config_base }}/node" openshift_node_config_file: "{{ openshift_node_config_dir }}/node-config.yaml" openshift_version: "{{ openshift_pkg_version | default('') }}" - -openshift_docker_image_name: openshift/origin -openshift_docker_image: "{{ openshift_docker_image_name }}:{{ openshift_pkg_version | default('latest') }}" diff --git a/roles/openshift_repos/tasks/main.yaml b/roles/openshift_repos/tasks/main.yaml index 6d0d1d493..6d910a66e 100644 --- a/roles/openshift_repos/tasks/main.yaml +++ b/roles/openshift_repos/tasks/main.yaml 
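Review bot: The openvswitch unit has no `Description=` or `Documentation=` line, unlike the master units added in this commit, and runs `--privileged --pid=host` with `/run` read-write; a `Description=OpenShift OpenvSwitch` line plus a `{# ... #}` note on why those privileges are needed would match the other templates. `{{ openshift.node.ovs_image }}` is untagged like the other image facts, so it resolves to `latest`.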
@@ -12,20 +12,20 @@ - name: Ensure libselinux-python is installed action: "{{ ansible_pkg_mgr }} name=libselinux-python state=present" - when: not is_atomic + when: not openshift.common.is_containerized | bool - name: Create any additional repos that are defined template: src: yum_repo.j2 dest: /etc/yum.repos.d/openshift_additional.repo - when: openshift_additional_repos | length > 0 and not is_atomic + when: openshift_additional_repos | length > 0 and not openshift.common.is_containerized | bool notify: refresh cache - name: Remove the additional repos if no longer defined file: dest: /etc/yum.repos.d/openshift_additional.repo state: absent - when: openshift_additional_repos | length == 0 and not is_atomic + when: openshift_additional_repos | length == 0 and not openshift.common.is_containerized | bool notify: refresh cache - name: Remove any yum repo files for other deployment types RHEL/CentOS @@ -36,7 +36,7 @@ - '*/repos/*' when: not (item | search("/files/" ~ openshift_deployment_type ~ "/repos")) and (ansible_os_family == "RedHat" and ansible_distribution != "Fedora") - and not is_atomic + and not openshift.common.is_containerized | bool notify: refresh cache - name: Remove any yum repo files for other deployment types Fedora @@ -47,7 +47,7 @@ - '*/repos/*' when: not (item | search("/files/fedora-" ~ openshift_deployment_type ~ "/repos")) and (ansible_distribution == "Fedora") - and not is_atomic + and not openshift.common.is_containerized | bool notify: refresh cache - name: Configure gpg keys if needed @@ -55,6 +55,7 @@ with_fileglob: - "{{ openshift_deployment_type }}/gpg_keys/*" notify: refresh cache + when: not openshift.common.is_containerized | bool - name: Configure yum repositories RHEL/CentOS copy: src={{ item }} dest=/etc/yum.repos.d/ 
@@ -62,11 +63,11 @@ - "{{ openshift_deployment_type }}/repos/*" notify: refresh cache when: (ansible_os_family == "RedHat" and ansible_distribution != "Fedora") - and not is_atomic + and not openshift.common.is_containerized | bool - name: Configure yum repositories Fedora copy: src={{ item }} dest=/etc/yum.repos.d/ with_fileglob: - "fedora-{{ openshift_deployment_type }}/repos/*" notify: refresh cache - when: (ansible_distribution == "Fedora") and not is_atomic + when: (ansible_distribution == "Fedora") and not openshift.common.is_containerized | bool diff --git a/roles/openshift_storage_nfs_lvm/tasks/main.yml b/roles/openshift_storage_nfs_lvm/tasks/main.yml index ead81b876..ea0cc2a94 100644 --- a/roles/openshift_storage_nfs_lvm/tasks/main.yml +++ b/roles/openshift_storage_nfs_lvm/tasks/main.yml @@ -1,4 +1,9 @@ --- +# TODO -- this may actually work on atomic hosts +- fail: + msg: "openshift_storage_nfs_lvm is not compatible with atomic host" + when: openshift.common.is_atomic | true + - name: Create lvm volumes lvol: vg={{osnl_volume_group}} lv={{ item }} size={{osnl_volume_size}}G with_sequence: start={{osnl_volume_num_start}} count={{osnl_number_of_volumes}} format={{osnl_volume_prefix}}{{osnl_volume_size}}g%04d diff --git a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml index df7c0e57d..fc8de1cb5 100644 --- a/roles/openshift_storage_nfs_lvm/tasks/nfs.yml +++ b/roles/openshift_storage_nfs_lvm/tasks/nfs.yml @@ -1,7 +1,7 @@ --- - name: Install NFS server action: "{{ ansible_pkg_mgr }} name=nfs-utils state=present" - when: not is_atomic + when: not openshift.common.is_containerized | bool - name: Start rpcbind service: name=rpcbind state=started enabled=yes diff --git a/roles/os_env_extras/tasks/main.yaml b/roles/os_env_extras/tasks/main.yaml index d52795289..628df713a 100644 --- a/roles/os_env_extras/tasks/main.yaml +++ b/roles/os_env_extras/tasks/main.yaml 
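Review bot: `when: openshift.common.is_atomic | true` in the new openshift_storage_nfs_lvm guard applies a filter named `true`, which Jinja/Ansible presumably does not define, so the task would error at evaluation time on every host instead of failing only on Atomic; it should be `when: openshift.common.is_atomic | bool`. The `# TODO` above it is useful; keeping the message wording tied to `is_atomic` (as it is) rather than `is_containerized` is correct here, unlike several other fail messages in this commit.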
@@ -13,4 +13,4 @@ - name: Bash Completion action: "{{ ansible_pkg_mgr }} name=bash-completion state=present" - when: not is_atomic \ No newline at end of file + when: not openshift.common.is_containerized | bool \ No newline at end of file diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml index 01b8263d5..d26ba7ee9 100644 --- a/roles/os_firewall/tasks/firewall/iptables.yml +++ b/roles/os_firewall/tasks/firewall/iptables.yml @@ -5,7 +5,7 @@ - iptables - iptables-services register: install_result - when: not is_atomic + when: not openshift.common.is_containerized | bool - name: Check if firewalld is installed command: rpm -q firewalld diff --git a/roles/os_update_latest/tasks/main.yml b/roles/os_update_latest/tasks/main.yml index 3c3e80979..2400164fa 100644 --- a/roles/os_update_latest/tasks/main.yml +++ b/roles/os_update_latest/tasks/main.yml @@ -1,8 +1,8 @@ --- - fail: msg: "Update is not yet supported by this playbook on atomic hosts" - when: is_atomic + when: openshift.common.is_containerized | bool - name: Update all packages action: "{{ ansible_pkg_mgr }} name=* state=latest" - when: not is_atomic \ No newline at end of file + when: not openshift.common.is_containerized | bool \ No newline at end of file diff --git a/roles/os_zabbix/tasks/main.yml b/roles/os_zabbix/tasks/main.yml index bd879c25f..a8b65dd56 100644 --- a/roles/os_zabbix/tasks/main.yml +++ b/roles/os_zabbix/tasks/main.yml @@ -1,7 +1,7 @@ --- - fail: msg: "Zabbix config is not yet supported on atomic hosts" - when: is_atomic + when: openshift.common.is_containerized | bool - name: Main List all templates zbx_template: diff --git a/roles/yum_repos/tasks/main.yml b/roles/yum_repos/tasks/main.yml index 252dc71d5..46928a00b 100644 --- a/roles/yum_repos/tasks/main.yml +++ b/roles/yum_repos/tasks/main.yml 
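Review bot: The fail message "Update is not yet supported by this playbook on atomic hosts" now fires on `openshift.common.is_containerized | bool`, which this commit allows inventory to set independently of Atomic, so the text misleads on a containerized non-Atomic host; `msg: "Update is not yet supported by this playbook on containerized installs"` matches the condition. The os_zabbix hunk on this line has the same wording mismatch.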
@@ -45,4 +45,4 @@ src: yumrepo.j2 dest: /etc/yum.repos.d/{{ item.id }}.repo with_items: repo_files - when: not is_atomic + when: not openshift.common.is_containerized | bool -- cgit v1.2.3 From 043d6b3a7e3c6b799ddf4157ccdf2b2b67451d81 Mon Sep 17 00:00:00 2001 From: Jason DeTiberus Date: Fri, 20 Nov 2015 15:45:39 -0500 Subject: fixes --- playbooks/common/openshift-docker/config.yml | 3 +- roles/docker/handlers/main.yml | 5 +- roles/etcd/tasks/main.yml | 17 ++- roles/openshift_docker/tasks/main.yml | 18 +-- roles/openshift_examples/defaults/main.yml | 8 +- roles/openshift_facts/library/openshift_facts.py | 126 ++++++++++++--------- roles/openshift_facts/tasks/main.yml | 5 +- roles/openshift_manage_node/tasks/main.yml | 1 + roles/openshift_master/tasks/main.yml | 1 + .../templates/master.docker.service.j2 | 2 +- roles/openshift_node/meta/main.yml | 1 - roles/openshift_serviceaccounts/tasks/main.yml | 1 + 12 files changed, 104 insertions(+), 84 deletions(-) (limited to 'roles/openshift_master/tasks') diff --git a/playbooks/common/openshift-docker/config.yml b/playbooks/common/openshift-docker/config.yml index c3541e544..f838dd66c 100644 --- a/playbooks/common/openshift-docker/config.yml +++ b/playbooks/common/openshift-docker/config.yml @@ -5,4 +5,5 @@ docker_insecure_registries: "{{ lookup('oo_option', 'docker_insecure_registries') | oo_split }}" docker_blocked_registries: "{{ lookup('oo_option', 'docker_blocked_registries') | oo_split }}" roles: - - openshift-docker + - openshift_facts + - openshift_docker diff --git a/roles/docker/handlers/main.yml b/roles/docker/handlers/main.yml index 7d60f1891..9f827417f 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/docker/handlers/main.yml @@ -1,7 +1,10 @@ --- - name: restart docker - service: name=docker state=restarted + service: + name: docker + state: restarted + when: not docker_service_status_changed | default(false) - name: restart udev service: 
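Review bot: The new `when: not docker_service_status_changed | default(false)` on the restart docker handler evaluates the fact as a raw Jinja value, so if it is ever set from a templated string (as the etcd fact later in this page is, via `"{{ start_result | changed }}"`) the value is the string `"False"`, which is truthy, and the handler would never restart docker after a config change. Coerce it before negating: `when: not (docker_service_status_changed | default(false) | bool)`. I cannot see where the docker fact is set from this hunk, so this is a precaution rather than a confirmed failure.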
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index aef52886b..6906244e9 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -7,9 +7,6 @@ msg: IPv4 address not found for {{ etcd_interface }} when: "'ipv4' not in hostvars[inventory_hostname]['ansible_' ~ etcd_interface] or 'address' not in hostvars[inventory_hostname]['ansible_' ~ etcd_interface].ipv4" -- debug: var=openshift.common.is_containerized -- debug: var=openshift.common.is_atomic - - name: Install etcd action: "{{ ansible_pkg_mgr }} name=etcd-2.* state=present" when: not openshift.common.is_containerized | bool @@ -25,7 +22,7 @@ src: etcd.docker.service register: install_etcd_result when: openshift.common.is_containerized | bool - + - name: Ensure etcd datadir exists when: openshift.common.is_containerized | bool file: @@ -48,16 +45,16 @@ file: path: "{{ etcd_conf_dir }}" state: directory - owner: etcd - group: etcd + owner: "{{ 'etcd' if not openshift.common.is_containerized | bool else omit }}" + group: "{{ 'etcd' if not openshift.common.is_containerized | bool else omit }}" mode: 0700 - name: Validate permissions on certificate files file: path: "{{ item }}" mode: 0600 - group: etcd - owner: etcd + owner: "{{ 'etcd' if not openshift.common.is_containerized | bool else omit }}" + group: "{{ 'etcd' if not openshift.common.is_containerized | bool else omit }}" when: etcd_url_scheme == 'https' with_items: - "{{ etcd_ca_file }}" @@ -68,8 +65,8 @@ file: path: "{{ item }}" mode: 0600 - group: etcd - owner: etcd + owner: "{{ 'etcd' if not openshift.common.is_containerized | bool else omit }}" + group: "{{ 'etcd' if not openshift.common.is_containerized | bool else omit }}" when: etcd_peer_url_scheme == 'https' with_items: - "{{ etcd_peer_ca_file }}" diff --git a/roles/openshift_docker/tasks/main.yml b/roles/openshift_docker/tasks/main.yml index f63b3acd5..4f9fe1f97 100644 --- a/roles/openshift_docker/tasks/main.yml +++ b/roles/openshift_docker/tasks/main.yml 
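Review bot: In the `@@ -48` and `@@ -68` hunks the `owner`/`group` of the 0700 conf dir and the 0600 certificate files are now omitted on containerized hosts, which leaves them owned by whoever wrote them (presumably root), so the etcd container must run as root to read its own certs; that is a least-privilege trade-off worth stating next to the task. A one-line comment such as `# containerized: files stay root-owned; the etcd container runs as root and reads them via the bind mount` would make the intent visible to the next maintainer. If the container actually runs as a non-root user, these files would be unreadable and the omission is a bug rather than a choice — I cannot tell from this hunk.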
@@ -1,27 +1,27 @@ --- - openshift_facts: - - role: common + role: common local_facts: deployment_type: "{{ openshift_deployment_type }}" - docker_additional_registries: "{{ docker_additional_registries | oo_split() }}" - docker_insecure_registries: "{{ docker_insecure_registries | oo_split() }}" - docker_blocked_registries: "{{ docker_blocked_registries | oo_split() }}" + docker_additional_registries: "{{ docker_additional_registries }}" + docker_insecure_registries: "{{ docker_insecure_registries }}" + docker_blocked_registries: "{{ docker_blocked_registries }}" - name: Set registry params lineinfile: dest: /etc/sysconfig/docker - regexp: '^{{ reg_conf_var }}=.*$' - line: "{{ reg_conf_var }}='{{ reg_fact_val | oo_prepend_strings_in_list(reg_flag ~ ' ') | join(' ') }}'" + regexp: '^{{ item.reg_conf_var }}=.*$' + line: "{{ item.reg_conf_var }}='{{ item.reg_fact_val | oo_prepend_strings_in_list(item.reg_flag ~ ' ') | join(' ') }}'" when: "'docker_additional_registries' in openshift.common" with_items: - reg_conf_var: ADD_REGISTRY - reg_fact_val: {{ openshift.common.docker_additional_registries }} + reg_fact_val: "{{ openshift.common.docker_additional_registries }}" reg_flag: --add-registry - reg_conf_var: BLOCK_REGISTRY - reg_fact_val: {{ openshift.common.docker_blocked_registries }} + reg_fact_val: "{{ openshift.common.docker_blocked_registries }}" reg_flag: --block-registry - reg_conf_var: INSECURE_REGISTRY - reg_fact_val: {{ openshift.common.docker_insecure_registries }} + reg_fact_val: "{{ openshift.common.docker_insecure_registries }}" reg_flag: --insecure-registry notify: - restart docker diff --git a/roles/openshift_examples/defaults/main.yml b/roles/openshift_examples/defaults/main.yml index d318d17e3..e27f4e0a6 100644 --- a/roles/openshift_examples/defaults/main.yml +++ b/roles/openshift_examples/defaults/main.yml 
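Review bot: The `when: "'docker_additional_registries' in openshift.common"` guard covers only one of the three keys, while the `with_items` entries template `openshift.common.docker_blocked_registries` and `openshift.common.docker_insecure_registries` unconditionally; as far as I can tell the item list is rendered before the `when` is evaluated, so a host with only the additional-registries fact set fails the task instead of skipping it. Giving each item a default keeps the loop renderable: `reg_fact_val: "{{ openshift.common.docker_blocked_registries | default([]) }}"` and likewise for the other two. Separately, the `line:` wraps the joined flags in single quotes for /etc/sysconfig/docker, so a registry value containing `'` would produce an unparseable sysconfig line; registry hostnames normally cannot contain one, so a comment noting the assumption is enough.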
@@ -1,14 +1,14 @@ --- # By default install rhel and xpaas streams on enterprise installs -openshift_examples_load_centos: "{{ openshift_deployment_type not in ['enterprise','openshift-enterprise','atomic-enterprise','online'] }}" -openshift_examples_load_rhel: "{{ openshift_deployment_type in ['enterprise','openshift-enterprise','atomic-enterprise','online'] }}" +openshift_examples_load_centos: "{{ openshift_deployment_type == 'origin' }}" +openshift_examples_load_rhel: "{{ openshift_deployment_type != 'origin' }}" openshift_examples_load_db_templates: true -openshift_examples_load_xpaas: "{{ openshift_deployment_type in ['enterprise','openshift-enterprise','atomic-enterprise','online'] }}" +openshift_examples_load_xpaas: "{{ openshift_deployment_type != 'origin' }}" openshift_examples_load_quickstarts: true content_version: "{{ 'v1.1' if openshift.common.version_greater_than_3_1_or_1_1 else 'v1.0' }}" -examples_base: "{% if openshift.common.is_atomic %}{{ openshift.common.config_base }}{% else %}/usr/share/openshift{% endif %}/examples" +examples_base: "{{ openshift.common.config_base if openshift.common.is_containerized else '/usr/share/openshift' }}/examples" image_streams_base: "{{ examples_base }}/image-streams" centos_image_streams: "{{ image_streams_base}}/image-streams-centos7.json" rhel_image_streams: "{{ image_streams_base}}/image-streams-rhel7.json" diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 8e733a3a2..b5454dd81 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py 
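Review bot: `examples_base` tests `openshift.common.is_containerized` without the `| bool` filter that every other site in this series uses, so if the fact arrives as a string (the openshift_facts task in this page sets it from `"{{ openshift_containerized | default(None) }}"`), a non-empty `"False"` is truthy and the examples would be looked for under `config_base` on an RPM host. `examples_base: "{{ openshift.common.config_base if openshift.common.is_containerized | bool else '/usr/share/openshift' }}/examples"` makes it consistent. Whether openshift_facts.py normalises the value before it gets here is not visible from this hunk.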
@@ -647,14 +647,14 @@ def set_deployment_facts_if_unset(facts): for cat in ['additional', 'blocked', 'insecure']: key = 'docker_{0}_registries'.format(cat) if key in facts['common']: - facts['common'][key] = set(facts['common'][key]) - set(['']) + facts['common'][key] = list(set(facts['common'][key]) - set([''])) if deployment_type in ['enterprise', 'atomic-enterprise', 'openshift-enterprise']: - addtl_regs = facts['common']['docker_additional_registries']: - ent_reg = 'registry.access.redhat.com' - if ent_reg not in addtl_regs - facts['common']['docker_additional_registries'].append(ent_reg) + addtl_regs = facts['common'].get('docker_additional_registries', []) + ent_reg = ['registry.access.redhat.com'] + if ent_reg not in addtl_regs: + facts['common']['docker_additional_registries'] = addtl_regs + ent_reg for role in ('master', 'node'): @@ -934,6 +934,7 @@ def save_local_facts(filename, facts): os.makedirs(fact_dir) with open(filename, 'w') as fact_file: fact_file.write(module.jsonify(facts)) + os.chmod(filename, 0o600) except (IOError, OSError) as ex: raise OpenShiftFactsFileWriteError( "Could not create fact file: %s, error: %s" % (filename, ex) 
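Review bot: `ent_reg = ['registry.access.redhat.com']` turns the membership test `if ent_reg not in addtl_regs:` into "is this one-element list an element of a list of strings", which is never true, so the default registry is appended on every run even when the user already listed it (the `set()` de-duplication above runs before this block, so the duplicate is only visible within the run that added it). Keep the string for the test and wrap it only for the concatenation: `ent_reg = 'registry.access.redhat.com'`, `if ent_reg not in addtl_regs:`, `facts['common']['docker_additional_registries'] = addtl_regs + [ent_reg]`. set_deployment_facts_if_unset starts outside the hunk.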
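Review bot: The new `os.chmod(filename, 0o600)` runs after `open(filename, 'w')` has already created the file under the process umask, so on a first write there is a window in which whatever the local facts contain is readable according to the umask (commonly 0644). Creating the file with the mode up front closes that window: `fd = os.open(filename, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as fact_file:`; the chmod can stay to tighten pre-existing fact files. The enclosing `save_local_facts` starts and ends outside the hunk.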
@@ -969,6 +970,69 @@ def get_local_facts_from_file(filename): return local_facts +def set_container_facts_if_unset(facts): + """ Set containerized facts. + + Args: + facts (dict): existing facts + Returns: + dict: the facts dict updated with the generated containerization + facts + """ + deployment_type = facts['common']['deployment_type'] + if deployment_type in ['enterprise', 'openshift-enterprise']: + master_image = 'openshift3/ose' + cli_image = master_image + node_image = 'openshift3/node' + ovs_image = 'openshift3/openvswitch' + etcd_image = 'registry.access.redhat.com/rhel7/etcd' + elif deployment_type == 'atomic-enterprise': + master_image = 'aep3_beta/aep' + cli_image = master_image + node_image = 'aep3_beta/node' + ovs_image = 'aep3_beta/openvswitch' + etcd_image = 'registry.access.redhat.com/rhel7/etcd' + else: + master_image = 'openshift/origin' + cli_image = master_image + node_image = 'openshift/node' + ovs_image = 'openshift/openvswitch' + etcd_image = 'registry.access.redhat.com/rhel7/etcd' + + facts['common']['is_atomic'] = os.path.isfile('/run/ostree-booted') + if 'is_containerized' not in facts['common']: + facts['common']['is_containerized'] = facts['common']['is_atomic'] + if 'cli_image' not in facts['common']: + facts['common']['cli_image'] = cli_image + if 'etcd' in facts and 'etcd_image' not in facts['etcd']: + facts['etcd']['etcd_image'] = etcd_image + if 'master' in facts and 'master_image' not in facts['master']: + facts['master']['master_image'] = master_image + if 'node' in facts: + if 'node_image' not in facts['node']: + facts['node']['node_image'] = node_image + if 'ovs_image' not in facts['node']: + facts['node']['ovs_image'] = ovs_image + + # shared /tmp/openshift vol is for file exchange with ansible + # --privileged is required to read the config dir + # --net host to access openshift from the container + # maybe -v /var/run/docker.sock:/var/run/docker.sock is required as well + runner = ("docker run --rm --privileged --net host 
-v " + "/tmp/openshift:/tmp/openshift -v {datadir}:{datadir} " + "-v {confdir}:{confdir} " + "-e KUBECONFIG={confdir}/master/admin.kubeconfig " + "{image}").format(confdir=facts['common']['config_base'], + datadir=facts['common']['data_dir'], + image=facts['common']['cli_image']) + + if facts['common']['is_containerized']: + facts['common']['client_binary'] = '%s cli' % runner + facts['common']['admin_binary'] = '%s admin' % runner + + return facts + + class OpenShiftFactsUnsupportedRoleError(Exception): """Origin Facts Unsupported Role Error""" pass @@ -1046,7 +1110,7 @@ class OpenShiftFacts(object): facts = set_version_facts_if_unset(facts) facts = set_aggregate_facts(facts) facts = set_etcd_facts_if_unset(facts) - facts = self.set_containerized_facts_if_unset(facts) + facts = set_container_facts_if_unset(facts) return dict(openshift=facts) def get_defaults(self, roles): 
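Review bot: `runner` bakes `docker run --rm --privileged --net host` into `client_binary` and `admin_binary`, so every `cli`/`admin` call the playbooks make runs a fully privileged container; the comment justifies `--privileged` as needed "to read the config dir", but the confdir is already bind-mounted, and a permissions problem on a mount is normally solved with ownership or `--user`, not with the full capability set, so that rationale is worth re-checking and stating precisely in the comment. The format call also indexes `facts['common']['config_base']` and `facts['common']['data_dir']` unconditionally, even on non-containerized hosts where the result is discarded; if either fact can be absent at this point that is a KeyError, and building `runner` inside the `if facts['common']['is_containerized']:` branch avoids it. Note as well that `facts['common']['is_atomic']` is overwritten on every call, unlike the other keys which are only set when unset — the docstring's "if unset" wording does not apply to it.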
@@ -1213,56 +1277,6 @@ class OpenShiftFacts(object): self.changed = changed return new_local_facts - def set_containerized_facts_if_unset(self, facts): - deployment_type = facts['common']['deployment_type'] - if deployment_type in ['enterprise','openshift-enterprise']: - master_image = 'openshift3/ose' - cli_image = master_image - node_image = 'openshift3/node' - ovs_image = 'openshift3/openvswitch' - etcd_image = 'registry.access.redhat.com/rhel7/etcd' - elif deployment_type == 'atomic-enterprise': - master_image = 'aep3_beta/aep' - cli_image = master_image - node_image = 'aep3_beta/node' - ovs_image = 'aep3_beta/openvswitch' - etcd_image = 'registry.access.redhat.com/rhel7/etcd' - else: - master_image = 'openshift/origin' - cli_image = master_image - node_image = 'openshift/node' - ovs_image = 'openshift/openvswitch' - etcd_image = 'registry.access.redhat.com/rhel7/etcd' - - facts['common']['is_atomic'] = os.path.isfile('/run/ostree-booted') - if 'is_containerized' not in facts['common']: - facts['common']['is_containerized'] = facts['common']['is_atomic'] - if 'cli_image' not in facts['common']: - facts['common']['cli_image'] = cli_image - if 'master' in facts: - if 'master_image' not in facts['master']: - facts['master']['master_image'] = master_image - if 'node' in facts: - if 'node_image' not in facts ['node']: - facts['node']['node_image'] = node_image - if 'ovs_image' not in facts ['node']: - facts['node']['ovs_image'] = ovs_image - if 'etcd' in facts: - if 'etcd_image' not in facts['etcd']: - facts['etcd']['etcd_image'] = etcd_image - - # shared /tmp/openshift vol is for file exchange with ansible - # --privileged is required to read the config dir - # --net host to access openshift from the container - # maybe -v /var/run/docker.sock:/var/run/docker.sock is required as well - runner = "docker run --rm --privileged --net host -v /tmp/openshift:/tmp/openshift -v {datadir}:{datadir} -v {confdir}:{confdir} -e KUBECONFIG={confdir}/master/admin.kubeconfig 
{image}".format(confdir=facts['common']['config_base'], datadir=facts['common']['data_dir'], image=facts['common']['cli_image']) - - if facts['common']['is_containerized']: - facts['common']['client_binary'] = '%s cli' % runner - facts['common']['admin_binary'] = '%s admin' % runner - - return facts - def main(): """ main """ diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index 832f7ad84..55071436f 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -9,5 +9,8 @@ - name: Ensure PyYaml is installed action: "{{ ansible_pkg_mgr }} name=PyYAML state=present" -- name: Gather Cluster facts +- name: Gather Cluster facts and set is_containerized if needed openshift_facts: + role: common + local_facts: + is_containerized: "{{ openshift_containerized | default(None) }}" diff --git a/roles/openshift_manage_node/tasks/main.yml b/roles/openshift_manage_node/tasks/main.yml index 637e494ea..06f12053a 100644 --- a/roles/openshift_manage_node/tasks/main.yml +++ b/roles/openshift_manage_node/tasks/main.yml @@ -5,6 +5,7 @@ until: omd_get_node.rc == 0 retries: 20 delay: 5 + changed_when: false with_items: openshift_nodes - name: Set node schedulability diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index e9e77d231..0c7718299 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -314,6 +314,7 @@ - name: Lookup default group for ansible_ssh_user command: "/usr/bin/id -g {{ ansible_ssh_user }}" + changed_when: false register: _ansible_ssh_user_gid - name: Create the client config dir(s) diff --git a/roles/openshift_master/templates/master.docker.service.j2 b/roles/openshift_master/templates/master.docker.service.j2 index 8b23d70b1..23781a313 100644 --- a/roles/openshift_master/templates/master.docker.service.j2 +++ b/roles/openshift_master/templates/master.docker.service.j2 
@@ -6,7 +6,7 @@ PartOf=docker.service [Service] EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master -ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type}}-master +ExecStartPre=-/usr/bin/docker rm -f {{ openshift.common.service_type }}-master ExecStart=/usr/bin/docker run --rm --privileged --net=host --name {{ openshift.common.service_type }}-master -v {{ openshift.common.data_dir }}:{{ openshift.common.data_dir }} -v /var/run/docker.sock:/var/run/docker.sock -v {{ openshift.common.config_base }}:{{ openshift.common.config_base }} {{ openshift.master.master_image }} start master --config=${CONFIG_FILE} $OPTIONS ExecStartPost=/usr/bin/sleep 10 ExecStop=/usr/bin/docker stop {{ openshift.common.service_type }}-master diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index 9d40ae3b3..c92008a77 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml @@ -13,4 +13,3 @@ galaxy_info: - cloud dependencies: - { role: openshift_common } -- { role: docker } diff --git a/roles/openshift_serviceaccounts/tasks/main.yml b/roles/openshift_serviceaccounts/tasks/main.yml index eb9c9b2c9..4c7faa6fe 100644 --- a/roles/openshift_serviceaccounts/tasks/main.yml +++ b/roles/openshift_serviceaccounts/tasks/main.yml @@ -23,6 +23,7 @@ shell: > {{ openshift.common.client_binary }} get scc privileged -o yaml --output-version=v1 > /tmp/openshift/scc.yaml + changed_when: false - name: Add security context constraint for {{ item }} lineinfile: -- cgit v1.2.3 From d3edce9c192c8d1eba572ba45ca25c06d0fbb830 Mon Sep 17 00:00:00 2001 
From: Jason DeTiberus Date: Fri, 20 Nov 2015 22:23:43 -0500 Subject: pull docker images only if not already present --- roles/etcd/tasks/main.yml | 11 ++++++++--- roles/openshift_master/tasks/main.yml | 16 ++++++++++------ roles/openshift_master_ca/tasks/main.yml | 8 +++++++- roles/openshift_node/tasks/main.yml | 16 ++++++++++++++++ 4 files changed, 41 insertions(+), 10 deletions(-) (limited to 'roles/openshift_master/tasks') diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 6906244e9..a03c693d6 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -11,10 +11,15 @@ action: "{{ ansible_pkg_mgr }} name=etcd-2.* state=present" when: not openshift.common.is_containerized | bool -- name: Pull etcd container - command: > - docker pull {{ openshift.etcd.etcd_image }} +- name: Get docker images + command: docker images + changed_when: false when: openshift.common.is_containerized | bool + register: docker_images + +- name: Pull etcd container + command: docker pull {{ openshift.etcd.etcd_image }} + when: openshift.common.is_containerized | bool and openshift.etcd.etcd_image not in docker_images.stdout - name: Install etcd container service file template: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 0c7718299..0695693ff 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml 
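Review bot: `openshift.etcd.etcd_image not in docker_images.stdout` is a substring test against the tabular `docker images` output, where repository and tag are separate columns: an untagged name matches any tag and any repository that merely starts with it, and a tagged reference (`name:tag`) never matches, so the pull would run every time. The same check is added in the openshift_master, openshift_master_ca and openshift_node hunks of this commit. Asking docker directly about the exact reference is more reliable; something like the following, with the pull conditioned on the inspect result, replaces the `docker images` register in each role.
```yaml
- name: Check whether etcd image is present
  command: docker inspect {{ openshift.etcd.etcd_image }}
  register: etcd_image_present
  failed_when: false
  changed_when: false
  when: openshift.common.is_containerized | bool

- name: Pull etcd container
  command: docker pull {{ openshift.etcd.etcd_image }}
  when: openshift.common.is_containerized | bool and etcd_image_present.rc != 0
```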
@@ -85,12 +85,16 @@ action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-master{{ openshift_version }} state=present" when: not openshift.common.is_containerized | bool -# TODO: enable when ansible#1993 lands and is widespread enough -# - name: Docker image present -# docker: -# image: "{{ openshift.common.docker.image }}" -# state: image_present -# when: openshift.common.is_containerized | bool +- name: Get docker images + command: docker images + changed_when: false + when: openshift.common.is_containerized | bool + register: docker_images + +- name: Pull required docker image + command: > + docker pull {{ openshift.master.master_image }} + when: openshift.common.is_containerized | bool and openshift.master.master_image not in docker_images.stdout - name: Install Master docker service file template: diff --git a/roles/openshift_master_ca/tasks/main.yml b/roles/openshift_master_ca/tasks/main.yml index 17d832d26..3114c2464 100644 --- a/roles/openshift_master_ca/tasks/main.yml +++ b/roles/openshift_master_ca/tasks/main.yml @@ -12,10 +12,16 @@ path: "{{ openshift_master_config_dir }}" state: directory +- name: Get docker images + command: docker images + changed_when: false + when: openshift.common.is_containerized | bool + register: docker_images + - name: Pull required docker image command: > docker pull {{ openshift.common.cli_image }} - when: openshift.common.is_containerized | bool + when: openshift.common.is_containerized | bool and openshift.common.cli_image not in docker_images.stdout - name: Create the master certificates if they do not already exist command: > diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 67c6387a3..f77e0250d 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
@@ -46,6 +46,17 @@ action: "{{ ansible_pkg_mgr }} name={{ openshift.common.service_type }}-sdn-ovs{{ openshift_version }} state=present" when: openshift.common.use_openshift_sdn and not openshift.common.is_containerized | bool +- name: Get docker images + command: docker images + changed_when: false + when: openshift.common.is_containerized | bool + register: docker_images + +- name: Pull required docker image + command: > + docker pull {{ openshift.node.node_image }} + when: openshift.common.is_containerized | bool and openshift.node.node_image not in docker_images.stdout + - name: Install Node docker service file template: dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service" @@ -62,6 +73,11 @@ group: root when: openshift.common.is_containerized | bool +- name: Pull required docker image + command: > + docker pull {{ openshift.node.ovs_image }} + when: openshift.common.is_containerized | bool and openshift.node.ovs_image not in docker_images.stdout + - name: Install OpenvSwitch docker service file template: dest: "/etc/systemd/system/openvswitch.service" -- cgit v1.2.3 From 5e2e55e4aa09468a054ce7c9901c51d9563cc85a Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Wed, 16 Dec 2015 10:55:07 -0500 Subject: Install httpd-tools when not is_atomic --- roles/openshift_master/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'roles/openshift_master/tasks') diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 0695693ff..405183186 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml 
@@ -148,7 +148,7 @@ - name: Install httpd-tools if needed action: "{{ ansible_pkg_mgr }} name=httpd-tools state=present" when: (item.kind == 'HTPasswdPasswordIdentityProvider') and - not openshift.common.is_containerized | bool + not openshift.common.is_atomic | bool with_items: openshift.master.identity_providers - name: Ensure htpasswd directory exists -- cgit v1.2.3 From 48778f29f265380a3e6fa2e882621ebc3781736b Mon Sep 17 00:00:00 2001 From: Scott Dodson Date: Wed, 16 Dec 2015 14:14:42 -0500 Subject: Add some guards to wait for images to be pulled before moving on --- roles/etcd/tasks/main.yml | 10 ++++++++++ roles/openshift_cli/tasks/main.yml | 16 ++++++++++++++++ roles/openshift_master/tasks/main.yml | 12 +++++++++++- roles/openshift_node/tasks/main.yml | 31 ++++++++++++++++++++++++++----- 4 files changed, 63 insertions(+), 6 deletions(-) (limited to 'roles/openshift_master/tasks') diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index a03c693d6..2160ed817 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -20,6 +20,16 @@ - name: Pull etcd container command: docker pull {{ openshift.etcd.etcd_image }} when: openshift.common.is_containerized | bool and openshift.etcd.etcd_image not in docker_images.stdout + +- name: Wait for etcd image + command: > + docker images + register: docker_images + until: openshift.etcd.etcd_image in docker_images.stdout + retries: 30 + delay: 10 + changed_when: false + when: openshift.common.is_containerized | bool - name: Install etcd container service file template: diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml index c0ea66e70..8d7686ffd 100644 --- a/roles/openshift_cli/tasks/main.yml +++ b/roles/openshift_cli/tasks/main.yml 
@@ -8,10 +8,26 @@ yum: pkg={{ openshift.common.service_type }}-clients state=installed when: not openshift.common.is_containerized | bool +- name: List Docker images + command: > + docker images + register: docker_images + - name: Pull CLI Image command: > docker pull {{ openshift.common.cli_image }} + when: openshift.common.is_containerized | bool and openshift.common.cli_image not in docker_images.stdout + +- name: Wait for CLI image + command: > + docker images + register: docker_images + until: openshift.common.cli_image in docker_images.stdout + retries: 30 + delay: 10 + changed_when: false when: openshift.common.is_containerized | bool + - name: Create /usr/local/bin/openshift cli wrapper template: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 405183186..9caf15f9e 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -91,10 +91,20 @@ when: openshift.common.is_containerized | bool register: docker_images -- name: Pull required docker image +- name: Pull master image command: > docker pull {{ openshift.master.master_image }} when: openshift.common.is_containerized | bool and openshift.master.master_image not in docker_images.stdout + +- name: Wait for master image + command: > + docker images + register: docker_images + until: openshift.master.master_image in docker_images.stdout + retries: 30 + delay: 10 + changed_when: false + when: openshift.common.is_containerized | bool - name: Install Master docker service file template: diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 11577dd8b..96383439c 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
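Review bot: The new `List Docker images` task in roles/openshift_cli/tasks/main.yml has no `when:` guard, unlike the equivalent task in the etcd, master and node roles, so it runs `docker images` on RPM-installed hosts too, where docker may be absent or stopped and the play would fail. It also lacks `changed_when: false`, so a read-only listing reports a change on every run. Add `when: openshift.common.is_containerized | bool` and `changed_when: false` to match the other roles.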
@@ -54,6 +54,32 @@ command: > docker pull {{ openshift.node.node_image }} when: openshift.common.is_containerized | bool and openshift.node.node_image not in docker_images.stdout + +- name: Wait for node image + command: > + docker images + register: docker_images + until: openshift.node.node_image in docker_images.stdout + retries: 30 + delay: 10 + changed_when: false + when: openshift.common.is_containerized | bool + +- name: Pull OpenVSwitch image + command: > + docker pull {{ openshift.node.ovs_image }} + when: openshift.common.is_containerized | bool and openshift.node.ovs_image not in docker_images.stdout + and openshift.common.use_openshift_sdn | bool + +- name: Wait for OpenVSwitch image + command: > + docker images + register: docker_images + until: openshift.node.ovs_image in docker_images.stdout + retries: 30 + delay: 10 + changed_when: false + when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool - name: Install Node docker service file template: @@ -62,11 +88,6 @@ register: install_node_result when: openshift.common.is_containerized | bool -- name: Pull OpenvSwitch docker image - command: > - docker pull {{ openshift.node.ovs_image }} - when: openshift.common.is_containerized | bool and openshift.node.ovs_image not in docker_images.stdout - - name: Install OpenvSwitch docker service file template: dest: "/etc/systemd/system/openvswitch.service" -- cgit v1.2.3 From 6c1e495bcf0ba919c3ad8d4095db12fcda918b03 Mon Sep 17 00:00:00 2001 
From: git001 Date: Mon, 21 Dec 2015 15:17:23 +0100 Subject: add the necessary URLs for logging and metrics add the necessary URLs for logging and metrics use the dict in the right way add the new variables into the hosts file add the new variables into the hosts file add the new variables into the hosts file Adopted the config text --- inventory/byo/hosts.aep.example | 8 ++++++++ inventory/byo/hosts.origin.example | 8 ++++++++ inventory/byo/hosts.ose.example | 8 ++++++++ roles/openshift_master/tasks/main.yml | 2 ++ roles/openshift_master/templates/master.yaml.v1.j2 | 6 ++++++ 5 files changed, 32 insertions(+) (limited to 'roles/openshift_master/tasks') diff --git a/inventory/byo/hosts.aep.example b/inventory/byo/hosts.aep.example index 096d806a3..33d15c89b 100644 --- a/inventory/byo/hosts.aep.example +++ b/inventory/byo/hosts.aep.example @@ -27,6 +27,14 @@ deployment_type=atomic-enterprise # Enable cluster metrics #use_cluster_metrics=true +# Configure metricsPublicURL in the master config for cluster metrics +# See: https://docs.openshift.com/enterprise/latest/install_config/cluster_metrics.html +#openshift_master_metrics_public_url=https://hawkular-metrics.example.com/hawkular/metrics + +# Configure loggingPublicURL in the master config for aggregate logging +# See: https://docs.openshift.com/enterprise/latest/install_config/aggregate_logging.html +#openshift_master_logging_public_url=https://kibana.example.com + # Add additional, insecure, and blocked registries to global docker configuration # For enterprise deployment types we ensure that registry.access.redhat.com is # included if you do not include it diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example index 6f015c404..3dfc7c052 100644 --- a/inventory/byo/hosts.origin.example +++ b/inventory/byo/hosts.origin.example 
@@ -27,6 +27,14 @@ deployment_type=origin # Enable cluster metrics #use_cluster_metrics=true +# Configure metricsPublicURL in the master config for cluster metrics +# See: https://docs.openshift.org/latest/install_config/cluster_metrics.html +#openshift_master_metrics_public_url=https://hawkular-metrics.example.com/hawkular/metrics + +# Configure loggingPublicURL in the master config for aggregate logging +# See: https://docs.openshift.org/latest/install_config/aggregate_logging.html +#openshift_master_logging_public_url=https://kibana.example.com + # Add additional, insecure, and blocked registries to global docker configuration # For enterprise deployment types we ensure that registry.access.redhat.com is # included if you do not include it diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example index 778bbfb3a..3e1ce8e2b 100644 --- a/inventory/byo/hosts.ose.example +++ b/inventory/byo/hosts.ose.example @@ -27,6 +27,14 @@ deployment_type=openshift-enterprise # Enable cluster metrics #use_cluster_metrics=true +# Configure metricsPublicURL in the master config for cluster metrics +# See: https://docs.openshift.com/enterprise/latest/install_config/cluster_metrics.html +#openshift_master_metrics_public_url=https://hawkular-metrics.example.com/hawkular/metrics + +# Configure loggingPublicURL in the master config for aggregate logging +# See: https://docs.openshift.com/enterprise/latest/install_config/aggregate_logging.html +#openshift_master_logging_public_url=https://kibana.example.com + # Add additional, insecure, and blocked registries to global docker configuration # For enterprise deployment types we ensure that registry.access.redhat.com is # included if you do not include it diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 43647cc49..e00dd0a9e 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml 
@@ -38,6 +38,8 @@ console_url: "{{ openshift_master_console_url | default(None) }}" console_use_ssl: "{{ openshift_master_console_use_ssl | default(None) }}" public_console_url: "{{ openshift_master_public_console_url | default(None) }}" + logging_public_url: "{{ openshift_master_logging_public_url | default(None) }}" + metrics_public_url: "{{ openshift_master_metrics_public_url | default(None) }}" etcd_hosts: "{{ openshift_master_etcd_hosts | default(None)}}" etcd_port: "{{ openshift_master_etcd_port | default(None) }}" etcd_use_ssl: "{{ openshift_master_etcd_use_ssl | default(None) }}" diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index cadb02fa3..5f73461d4 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -8,6 +8,12 @@ assetConfig: logoutURL: "" masterPublicURL: {{ openshift.master.public_api_url }} publicURL: {{ openshift.master.public_console_url }}/ +{% if 'logging_public_url' in openshift.master %} + loggingPublicURL: {{ openshift.master.logging_public_url }} +{% endif %} +{% if 'metrics_public_url' in openshift.master %} + metricsPublicURL: {{ openshift.master.metrics_public_url }} +{% endif %} servingInfo: bindAddress: {{ openshift.master.bind_addr }}:{{ openshift.master.console_port }} bindNetwork: tcp4 -- cgit v1.2.3 From 3f85ca5e72538110a4962cdb4961fa9e9f122648 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Fri, 18 Dec 2015 17:16:17 -0500 Subject: Fix restart handlers. --- roles/etcd/handlers/main.yml | 2 +- roles/etcd/tasks/main.yml | 2 +- roles/openshift_master/handlers/main.yml | 6 +++--- roles/openshift_master/tasks/main.yml | 6 +++--- roles/openshift_node/handlers/main.yml | 2 +- roles/openshift_node/tasks/main.yml | 2 +- 6 files changed, 10 insertions(+), 10 deletions(-) (limited to 'roles/openshift_master/tasks') 
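Review bot: The two new facts are copied from inventory with no check on the URL scheme, and the template hunk below emits them into assetConfig as-is, so a value such as `http://kibana.example.com` is accepted silently even though the inventory examples in this commit only show https. These URLs are handed to browsers by a console that is itself served over TLS, so a plain-http value is presumably either blocked as mixed content or sends users to an unencrypted endpoint; either way it is better caught at install time. Next to the existing OAuth grant-method `fail` I would add `- fail: msg: "openshift_master_logging_public_url and openshift_master_metrics_public_url must be https:// URLs" when: (openshift_master_logging_public_url is defined and not openshift_master_logging_public_url | match('^https://')) or (openshift_master_metrics_public_url is defined and not openshift_master_metrics_public_url | match('^https://'))`. The openshift_facts task this hunk edits begins above the hunk.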
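Review bot: The new `loggingPublicURL` and `metricsPublicURL` values are interpolated as bare scalars, so anything the operator types (an empty value, a value with a trailing ` #comment`, or a YAML indicator) is handed to the master's YAML parser unprotected, whereas the neighbouring `logoutURL: ""` line shows the template already quotes string values where it matters. Quote them: `loggingPublicURL: "{{ openshift.master.logging_public_url }}"` and `metricsPublicURL: "{{ openshift.master.metrics_public_url }}"`. The adjacent `publicURL:` line has the same shape, so this may be a file-wide convention to fix in one pass rather than only here.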
diff --git a/roles/etcd/handlers/main.yml b/roles/etcd/handlers/main.yml index aeb26d6b2..e00e1cac4 100644 --- a/roles/etcd/handlers/main.yml +++ b/roles/etcd/handlers/main.yml @@ -2,4 +2,4 @@ - name: restart etcd service: name={{ etcd_service }} state=restarted - when: not etcd_service_status_changed | default(false) + when: not (etcd_service_status_changed | default(false) | bool) diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 2160ed817..663f6e537 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -104,4 +104,4 @@ register: start_result - set_fact: - etcd_service_status_changed = start_result | changed + etcd_service_status_changed = "{{ start_result | changed }}" diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml index d9c4ba1d7..e1b95eda4 100644 --- a/roles/openshift_master/handlers/main.yml +++ b/roles/openshift_master/handlers/main.yml 
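Review bot: The etcd `set_fact` still reads `etcd_service_status_changed = "{{ start_result | changed }}"`, with `=` where the master and node hunks in this same commit use a YAML mapping entry (`master_service_status_changed: "{{ start_result | changed }}"`). As written that line is not a mapping key but a free-form argument string to set_fact, and with spaces around the `=` it is unlikely to be parsed as a `key=value` pair, so the fact is probably never set and the handler's `default(false)` makes `restart etcd` fire on every run. Changing it to `etcd_service_status_changed: "{{ start_result | changed }}"` fixes that and makes the etcd role consistent with the other two.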
@@ -1,12 +1,12 @@ --- - name: restart master service: name={{ openshift.common.service_type }}-master state=restarted - when: (not openshift_master_ha | bool) and (not master_service_status_changed | default(false)) + when: (not openshift_master_ha | bool) and (not (master_service_status_changed | default(false) | bool)) - name: restart master api service: name={{ openshift.common.service_type }}-master-api state=restarted - when: (openshift_master_ha | bool) and (not master_api_service_status_changed | default(false)) and openshift.master.cluster_method == 'native' + when: (openshift_master_ha | bool) and (not (master_api_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' - name: restart master controllers service: name={{ openshift.common.service_type }}-master-controllers state=restarted - when: (openshift_master_ha | bool) and (not master_controllers_service_status_changed | default(false)) and openshift.master.cluster_method == 'native' + when: (openshift_master_ha | bool) and (not (master_controllers_service_status_changed | default(false) | bool)) and openshift.master.cluster_method == 'native' diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 46a8cea96..a22654678 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -292,7 +292,7 @@ when: openshift_master_ha | bool - set_fact: - master_service_status_changed: start_result | changed + master_service_status_changed: "{{ start_result | changed }}" when: not openshift_master_ha | bool - name: Start and enable master api @@ -301,7 +301,7 @@ register: start_result - set_fact: - master_api_service_status_changed: start_result | changed + master_api_service_status_changed: "{{ start_result | changed }}" when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' - name: Start and enable master controller 
@@ -310,7 +310,7 @@ register: start_result - set_fact: - master_controllers_service_status_changed: start_result | changed + master_controllers_service_status_changed: "{{ start_result | changed }}" when: openshift_master_ha | bool and openshift.master.cluster_method == 'native' - name: Install cluster packages diff --git a/roles/openshift_node/handlers/main.yml b/roles/openshift_node/handlers/main.yml index 447ca85f3..c288f4d05 100644 --- a/roles/openshift_node/handlers/main.yml +++ b/roles/openshift_node/handlers/main.yml @@ -1,7 +1,7 @@ --- - name: restart node service: name={{ openshift.common.service_type }}-node state=restarted - when: not node_service_status_changed | default(false) + when: not (node_service_status_changed | default(false) | bool) - name: restart docker service: name=docker state=restarted diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 96383439c..33852d7f8 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -135,4 +135,4 @@ register: start_result - set_fact: - node_service_status_changed: start_result | changed + node_service_status_changed: "{{ start_result | changed }}" -- cgit v1.2.3 From 9b760b0a89a77c5be0b3521a2c35b5afcb2a20d2 Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Thu, 3 Dec 2015 14:09:42 -0500 Subject: Clean up idempotency issues with session secrets. --- filter_plugins/oo_filters.py | 19 ++++++--- playbooks/common/openshift-master/config.yml | 46 +++++++++++++--------- roles/openshift_master/tasks/main.yml | 11 +++++- roles/openshift_master/templates/master.yaml.v1.j2 | 2 + .../templates/sessionSecretsFile.yaml.v1.j2 | 6 +-- 5 files changed, 55 insertions(+), 29 deletions(-) (limited to 'roles/openshift_master/tasks') diff --git a/filter_plugins/oo_filters.py b/filter_plugins/oo_filters.py index 48e27a24a..326c36f6c 100644 --- a/filter_plugins/oo_filters.py +++ b/filter_plugins/oo_filters.py 
@@ -8,12 +8,11 @@ Custom filters for use in openshift-ansible from ansible import errors from operator import itemgetter import OpenSSL.crypto -import os.path +import os import pdb import re import json - class FilterModule(object): ''' Custom ansible filters ''' @@ -366,9 +365,6 @@ class FilterModule(object): "keyfile": "/etc/origin/master/named_certificates/custom2.key", "names": [ "some-hostname.com" ] }] ''' - if not issubclass(type(certificates), list): - raise errors.AnsibleFilterError("|failed expects certificates is a list") - if not issubclass(type(named_certs_dir), unicode): raise errors.AnsibleFilterError("|failed expects named_certs_dir is unicode") @@ -468,6 +464,16 @@ class FilterModule(object): pass return clusters + @staticmethod + def oo_generate_secret(num_bytes): + ''' generate a session secret ''' + + if not issubclass(type(num_bytes), int): + raise errors.AnsibleFilterError("|failed expects num_bytes is int") + + secret = os.urandom(num_bytes) + return secret.encode('base-64').strip() + def filters(self): ''' returns a mapping of filters to methods ''' return { @@ -486,5 +492,6 @@ class FilterModule(object): "oo_parse_heat_stack_outputs": self.oo_parse_heat_stack_outputs, "oo_parse_named_certificates": self.oo_parse_named_certificates, "oo_haproxy_backend_masters": self.oo_haproxy_backend_masters, - "oo_pretty_print_cluster": self.oo_pretty_print_cluster + "oo_pretty_print_cluster": self.oo_pretty_print_cluster, + "oo_generate_secret": self.oo_generate_secret } diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index fae37d70c..07ee4aca6 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml 
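Review bot: `oo_generate_secret` checks that `num_bytes` is an int but not that it is positive, so `0 | oo_generate_secret` silently returns an empty secret and a negative value surfaces as a raw exception from `os.urandom` instead of a filter error. Add `if num_bytes < 1: raise errors.AnsibleFilterError("|failed expects num_bytes is a positive int")` after the type check. Separately, `secret.encode('base-64')` is a Python 2-only codec; `base64.b64encode(secret)` produces the same 32-character output for 24 bytes without the `.strip()` and runs on either interpreter, with `import base64` added to the import block this commit already touches. `os.urandom` is the right source for these secrets, so the change is confined to the input check and the encoding call.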
@@ -236,29 +236,39 @@ - role: haproxy when: groups.oo_masters_to_config | length > 1 -- name: Generate master session keys +- name: Check for cached session secrets hosts: oo_first_master - tasks: + pre_tasks: - fail: msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - fail: msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) - - name: Install OpenSSL package - action: "{{ ansible_pkg_mgr }} name=openssl state=present" - when: not openshift.common.is_atomic | bool - - name: Generate session authentication key - command: /usr/bin/openssl rand -base64 24 - register: session_auth_output - when: openshift_master_session_auth_secrets is undefined - - name: Generate session encryption key - command: /usr/bin/openssl rand -base64 24 - register: session_encryption_output - when: openshift_master_session_encryption_secrets is undefined - - set_fact: - session_auth_secret: "{{ openshift_master_session_auth_secrets | default([session_auth_output.stdout]) }}" - session_encryption_secret: "{{ openshift_master_session_encryption_secrets | default([session_encryption_output.stdout]) }}" + roles: + - role: openshift_facts + post_tasks: + - openshift_facts: + role: master + local_facts: + session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(openshift.master.session_auth_secrets | default(None)) }}" + session_encryption_secrets: "{{ 
openshift_master_session_encryption_secrets | default(openshift.master.session_encryption_secrets | default(None)) }}" + +- name: Generate master session secrets + hosts: oo_first_master + vars: + g_session_secrets_present: "{{ (openshift.master.session_auth_secrets | default([]) and openshift.master.session_encryption_secrets | default([])) | length > 0 }}" + g_session_auth_secrets: "{{ [ 24 | oo_generate_secret ] }}" + g_session_encryption_secrets: "{{ [ 24 | oo_generate_secret ] }}" + roles: + - role: openshift_facts + tasks: + - openshift_facts: + role: master + local_facts: + session_auth_secrets: "{{ g_session_auth_secrets }}" + session_encryption_secrets: "{{ g_session_encryption_secrets }}" + when: not g_session_secrets_present | bool - name: Parse named certificates hosts: localhost @@ -314,8 +324,8 @@ sync_tmpdir: "{{ hostvars.localhost.g_master_mktemp.stdout }}" openshift_master_ha: "{{ groups.oo_masters_to_config | length > 1 }}" openshift_master_count: "{{ groups.oo_masters_to_config | length }}" - openshift_master_session_auth_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_auth_secret'] }}" - openshift_master_session_encryption_secrets: "{{ hostvars[groups['oo_first_master'][0]]['session_encryption_secret'] }}" + openshift_master_session_auth_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_auth_secrets }}" + openshift_master_session_encryption_secrets: "{{ hostvars[groups.oo_first_master.0].openshift.master.session_encryption_secrets }}" pre_tasks: - name: Ensure certificate directory exists file: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index a22654678..1c7fdfcf9 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml 
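Review bot: The generated secrets are now persisted through `openshift_facts` into the local fact cache on the first master, and the hunk does not show the mode of the file they land in; since these are the cookie signing and encryption keys for every master, that file needs to be root-only or the cache becomes a second copy of the secret with whatever permissions the facts module happens to use (confirm in openshift_facts.py). Also, play-level `vars` are templated lazily on each reference, so `g_session_auth_secrets` and `g_session_encryption_secrets` draw a fresh random value every time they are evaluated; each is referenced exactly once here, which is correct, but a comment such as `# reference each of these exactly once: every evaluation draws a new secret` would stop a later edit from reusing them in a second task and producing mismatched keys. The `g_session_secrets_present` expression relies on Jinja `and` returning the second operand; that works, but a short comment saying so would save the next reader a trip to the Jinja docs.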
@@ -9,6 +9,13 @@ Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }} when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods +# Session Options Validation +- fail: + msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" + when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) +- fail: + msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" + when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) # HA Variable Validation - fail: @@ -55,9 +62,9 @@ portal_net: "{{ openshift_master_portal_net | default(None) }}" session_max_seconds: "{{ openshift_master_session_max_seconds | default(None) }}" session_name: "{{ openshift_master_session_name | default(None) }}" + session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}" session_auth_secrets: "{{ openshift_master_session_auth_secrets | default(None) }}" session_encryption_secrets: "{{ openshift_master_session_encryption_secrets | default(None) }}" - session_secrets_file: "{{ openshift_master_session_secrets_file | default(None) }}" access_token_max_seconds: "{{ openshift_master_access_token_max_seconds | default(None) }}" auth_token_max_seconds: "{{ openshift_master_auth_token_max_seconds | default(None) }}" identity_providers: "{{ openshift_master_identity_providers | default(None) }}" 
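Review bot: The second new `fail` message names a variable that does not exist, `openshift_master_encryption_secrets`, so an operator who hits the length mismatch is told to fix a setting they never set; the `when:` on the same task uses the real name `openshift_master_session_encryption_secrets`. Change it to `msg: "openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be equal length"`. The same wording is copied into playbooks/common/openshift-master/config.yml in this commit and should be corrected there as well.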
@@ -221,7 +228,7 @@ template: dest: "{{ openshift.master.session_secrets_file }}" src: sessionSecretsFile.yaml.v1.j2 - force: no + when: openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined notify: - restart master - restart master api diff --git a/roles/openshift_master/templates/master.yaml.v1.j2 b/roles/openshift_master/templates/master.yaml.v1.j2 index 5f73461d4..da3209970 100644 --- a/roles/openshift_master/templates/master.yaml.v1.j2 +++ b/roles/openshift_master/templates/master.yaml.v1.j2 @@ -127,7 +127,9 @@ oauthConfig: sessionConfig: sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }} sessionName: {{ openshift.master.session_name }} +{% if openshift.master.session_auth_secrets is defined and openshift.master.session_encryption_secrets is defined %} sessionSecretsFile: {{ openshift.master.session_secrets_file }} +{% endif %} tokenConfig: accessTokenMaxAgeSeconds: {{ openshift.master.access_token_max_seconds }} authorizeTokenMaxAgeSeconds: {{ openshift.master.auth_token_max_seconds }} diff --git a/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 b/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 index d12d9db90..3d4b573a9 100644 --- a/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 +++ b/roles/openshift_master/templates/sessionSecretsFile.yaml.v1.j2 @@ -1,7 +1,7 @@ apiVersion: v1 kind: SessionSecrets secrets: -{% for secret in openshift_master_session_auth_secrets %} -- authentication: "{{ openshift_master_session_auth_secrets[loop.index0] }}" - encryption: "{{ openshift_master_session_encryption_secrets[loop.index0] }}" +{% for secret in openshift.master.session_auth_secrets %} +- authentication: "{{ openshift.master.session_auth_secrets[loop.index0] }}" + encryption: "{{ openshift.master.session_encryption_secrets[loop.index0] }}" {% endfor %} -- cgit v1.2.3 From ef014ae06a50c5f2050aa183638165895154db5f Mon Sep 17 00:00:00 2001 
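Review bot: The template task that writes `openshift.master.session_secrets_file` sets no `owner`, `group` or `mode` (only `dest` and `src` are visible under `template:`; the task's `name` line is above the hunk), so the file holding the session authentication and encryption secrets is created with the remote user's umask. With `force: no` removed it is also rewritten on every run, so a too-open mode is re-applied rather than fixed once by hand. Add `owner: root`, `group: root` and `mode: "0600"` under `template:`. Dropping `force: no` is fine now that the secrets are cached in facts, but a one-line comment saying that the values come from the fact cache and are stable across runs would explain why overwriting is safe.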
From: Andrew Butcher Date: Wed, 16 Dec 2015 17:56:09 -0500 Subject: Secrets validation. --- filter_plugins/openshift_master.py | 29 +++++++++++++++++++++++++++- playbooks/common/openshift-master/config.yml | 14 ++++++++++++-- roles/openshift_master/tasks/main.yml | 14 ++++++++++++-- 3 files changed, 52 insertions(+), 5 deletions(-) (limited to 'roles/openshift_master/tasks') diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py index f12017967..40c1083e0 100644 --- a/filter_plugins/openshift_master.py +++ b/filter_plugins/openshift_master.py @@ -463,7 +463,34 @@ class FilterModule(object): IdentityProviderBase.validate_idp_list(idp_list) return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False) + @staticmethod + def validate_auth_secrets(secrets): + ''' validate type and length ''' + + if not issubclass(type(secrets), list): + raise errors.AnsibleFilterError("|failed expects openshift_master_session_auth_secrets is a list") + + for secret in secrets: + if len(secret) < 32: + return False + return True + + @staticmethod + def validate_encryption_secrets(secrets): + ''' validate type and length ''' + + if not issubclass(type(secrets), list): + raise errors.AnsibleFilterError("|failed expects openshift_master_session_encryption_secrets is a list") + + for secret in secrets: + if len(secret) not in [16, 24, 32]: + return False + return True def filters(self): ''' returns a mapping of filters to methods ''' - return {"translate_idps": self.translate_idps} + return { + "translate_idps": self.translate_idps, + "validate_auth_secrets": self.validate_auth_secrets, + "validate_encryption_secrets": self.validate_encryption_secrets + } diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 07ee4aca6..b7e9362cd 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml 
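Review bot: Both validators measure `len(secret)` on the string and their messages say "characters", but a 16/24/32 requirement for an encryption secret is an AES key-size rule on bytes (confirm against how the master consumes sessionSecrets); a secret containing non-ASCII characters would pass here and still be the wrong key length. If the master uses the raw bytes, check `len(secret.encode('utf-8'))` in both loops. The checks also say nothing about entropy, so a 32-character value like `aaaa...` passes; that is acceptable for an installer sanity check but deserves a comment, e.g. `# length only; entropy of operator-supplied secrets is not checked`.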
@@ -240,11 +240,21 @@ hosts: oo_first_master pre_tasks: - fail: - msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" + msg: > + Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - fail: - msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" + msg: > + openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) + - fail: + msg: > + Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters + when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool + - fail: + msg: > + Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters + when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool roles: - role: openshift_facts post_tasks: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 1c7fdfcf9..e6ddd1c49 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml 
@@ -11,11 +11,21 @@ # Session Options Validation - fail: - msg: "Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set" + msg: > + Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - fail: - msg: "openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length" + msg: > + openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) +- fail: + msg: > + Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters + when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool +- fail: + msg: > + Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters + when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool # HA Variable Validation - fail: -- cgit v1.2.3 From 62fcc9436db024d189f3ff8107aeb7e2a1ae812f Mon Sep 17 00:00:00 2001 
From: Andrew Butcher Date: Fri, 18 Dec 2015 11:02:52 -0500 Subject: openshift_facts validation --- filter_plugins/openshift_master.py | 30 +------------ playbooks/common/openshift-master/config.yml | 8 ---- roles/openshift_facts/library/openshift_facts.py | 55 +++++++++++++++++++++++- roles/openshift_master/tasks/main.yml | 8 ---- 4 files changed, 55 insertions(+), 46 deletions(-) (limited to 'roles/openshift_master/tasks') diff --git a/filter_plugins/openshift_master.py b/filter_plugins/openshift_master.py index 40c1083e0..8d7c62ad1 100644 --- a/filter_plugins/openshift_master.py +++ b/filter_plugins/openshift_master.py @@ -463,34 +463,6 @@ class FilterModule(object): IdentityProviderBase.validate_idp_list(idp_list) return yaml.safe_dump([idp.to_dict() for idp in idp_list], default_flow_style=False) - @staticmethod - def validate_auth_secrets(secrets): - ''' validate type and length ''' - - if not issubclass(type(secrets), list): - raise errors.AnsibleFilterError("|failed expects openshift_master_session_auth_secrets is a list") - - for secret in secrets: - if len(secret) < 32: - return False - return True - - @staticmethod - def validate_encryption_secrets(secrets): - ''' validate type and length ''' - - if not issubclass(type(secrets), list): - raise errors.AnsibleFilterError("|failed expects openshift_master_session_encryption_secrets is a list") - - for secret in secrets: - if len(secret) not in [16, 24, 32]: - return False - return True - def filters(self): ''' returns a mapping of filters to methods ''' - return { - "translate_idps": self.translate_idps, - "validate_auth_secrets": self.validate_auth_secrets, - "validate_encryption_secrets": self.validate_encryption_secrets - } + return {"translate_idps": self.translate_idps} diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index b7e9362cd..0334a002e 100644 --- a/playbooks/common/openshift-master/config.yml 
+++ b/playbooks/common/openshift-master/config.yml @@ -247,14 +247,6 @@ msg: > openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) - - fail: - msg: > - Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters - when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool - - fail: - msg: > - Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters - when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool roles: - role: openshift_facts post_tasks: diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index fed00132a..133de758f 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1043,6 +1043,7 @@ class OpenShiftFacts(object): facts (dict): facts for the host Args: + module (AnsibleModule): an AnsibleModule object role (str): role for setting local facts filename (str): local facts file to use local_facts (dict): local facts to set 
@@ -1257,14 +1258,66 @@ class OpenShiftFacts(object): del facts[key] if new_local_facts != local_facts: - changed = True + self.validate_local_facts(new_local_facts) if not module.check_mode: + changed = True save_local_facts(self.filename, new_local_facts) self.changed = changed return new_local_facts + def validate_local_facts(self, facts=None): + """ Validate local facts + + Args: + facts (dict): local facts to validate + """ + invalid_facts = dict() + invalid_facts = self.validate_master_facts(facts, invalid_facts) + if invalid_facts: + msg = 'Invalid facts detected:\n' + for key in invalid_facts.keys(): + msg += '{0}: {1}\n'.format(key, invalid_facts[key]) + module.fail_json(msg=msg, + changed=self.changed) + + # disabling pylint errors for line-too-long since we're dealing + # with best effort reduction of error messages here. + # pylint: disable=line-too-long + @staticmethod + def validate_master_facts(facts, invalid_facts): + """ Validate master facts + + Args: + facts (dict): local facts to validate + invalid_facts (dict): collected invalid_facts + + Returns: + dict: Invalid facts + """ + if 'master' in facts: + # openshift.master.session_auth_secrets + if 'session_auth_secrets' in facts['master']: + session_auth_secrets = facts['master']['session_auth_secrets'] + if not issubclass(type(session_auth_secrets), list): + invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.' + else: + for secret in session_auth_secrets: + if len(secret) < 32: + invalid_facts['session_auth_secrets'] = ('Invalid secret in session_auth_secrets. ' + 'Secrets must be at least 32 characters in length.') + # openshift.master.session_encryption_secrets + if 'session_encryption_secrets' in facts['master']: + session_encryption_secrets = facts['master']['session_encryption_secrets'] + if not issubclass(type(session_encryption_secrets), list): + invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.' 
+ else: + for secret in session_encryption_secrets: + if len(secret) not in [16, 24, 32]: + invalid_facts['session_encryption_secrets'] = ('Invalid secret in session_encryption_secrets. ' + 'Secrets must be 16, 24, or 32 characters in length.') + return invalid_facts def main(): """ main """ diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index e6ddd1c49..a3cddfd63 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -18,14 +18,6 @@ msg: > openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) -- fail: - msg: > - Invalid secret length in openshift_master_session_auth_secrets: secrets must be at least 32 characters - when: openshift_master_session_auth_secrets is defined and not openshift_master_session_auth_secrets | validate_auth_secrets | bool -- fail: - msg: > - Invalid secret length in openshift_master_session_encryption_secrets: secrets must be 16, 24, or 32 characters - when: openshift_master_session_encryption_secrets is defined and not openshift_master_session_encryption_secrets | validate_encryption_secrets | bool # HA Variable Validation - fail: -- cgit v1.2.3 From 82db6897085a1278e6b982a403875ed8671190bb Mon Sep 17 00:00:00 2001 From: Andrew Butcher Date: Wed, 6 Jan 2016 13:01:25 -0500 Subject: Move extra secret validations into openshift_facts. --- playbooks/common/openshift-master/config.yml | 9 --------- roles/openshift_facts/library/openshift_facts.py | 18 +++++++++++++++--- roles/openshift_master/tasks/main.yml | 10 ---------- 3 files changed, 15 insertions(+), 22 deletions(-) (limited to 'roles/openshift_master/tasks') 
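Review bot: `validate_local_facts` is only invoked inside `if new_local_facts != local_facts:`, so secrets that were cached in the local fact file before this validation existed, or edited there by hand, are never re-checked on later runs; calling `self.validate_local_facts(new_local_facts)` before the comparison instead of inside it closes that gap at no cost. In `validate_master_facts`, `len(secret)` on a non-string list element raises a TypeError rather than populating `invalid_facts`, so a guard such as `if not isinstance(secret, basestring) or len(secret) < 32:` keeps "Invalid facts detected" as the single failure path. `validate_local_facts` also calls `module.fail_json` on a module-level `module` that is not visible in the hunk, and the enclosing method begins above the hunk.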
diff --git a/playbooks/common/openshift-master/config.yml b/playbooks/common/openshift-master/config.yml index 0334a002e..a41f489ea 100644 --- a/playbooks/common/openshift-master/config.yml +++ b/playbooks/common/openshift-master/config.yml @@ -238,15 +238,6 @@ - name: Check for cached session secrets hosts: oo_first_master - pre_tasks: - - fail: - msg: > - Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) - - fail: - msg: > - openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) roles: - role: openshift_facts post_tasks: diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index 133de758f..9cebbcce1 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1259,9 +1259,8 @@ class OpenShiftFacts(object): if new_local_facts != local_facts: self.validate_local_facts(new_local_facts) - + changed = True if not module.check_mode: - changed = True save_local_facts(self.filename, new_local_facts) self.changed = changed 
@@ -1284,7 +1283,9 @@ class OpenShiftFacts(object): # disabling pylint errors for line-too-long since we're dealing # with best effort reduction of error messages here. - # pylint: disable=line-too-long + # disabling errors for too-many-branches since we require checking + # many conditions. + # pylint: disable=line-too-long, too-many-branches @staticmethod def validate_master_facts(facts, invalid_facts): """ Validate master facts @@ -1302,6 +1303,13 @@ class OpenShiftFacts(object): session_auth_secrets = facts['master']['session_auth_secrets'] if not issubclass(type(session_auth_secrets), list): invalid_facts['session_auth_secrets'] = 'Expects session_auth_secrets is a list.' + elif 'session_encryption_secrets' not in facts['master']: + invalid_facts['session_auth_secrets'] = ('openshift_master_session_encryption secrets must be set ' + 'if openshift_master_session_auth_secrets is provided.') + elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']): + invalid_facts['session_auth_secrets'] = ('openshift_master_session_auth_secrets and ' + 'openshift_master_session_encryption_secrets must be ' + 'equal length.') else: for secret in session_auth_secrets: if len(secret) < 32: @@ -1312,6 +1320,10 @@ class OpenShiftFacts(object): session_encryption_secrets = facts['master']['session_encryption_secrets'] if not issubclass(type(session_encryption_secrets), list): invalid_facts['session_encryption_secrets'] = 'Expects session_encryption_secrets is a list.' + elif 'session_auth_secrets' not in facts['master']: + invalid_facts['session_encryption_secrets'] = ('openshift_master_session_auth_secrets must be ' + 'set if openshift_master_session_encryption_secrets ' + 'is provided.') else: for secret in session_encryption_secrets: if len(secret) not in [16, 24, 32]: diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index a3cddfd63..397122631 100644 --- a/roles/openshift_master/tasks/main.yml 
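Review bot: In the `@@ -1302,6 +1303,13 @@` hunk the new `elif len(session_auth_secrets) != len(facts['master']['session_encryption_secrets'])` branch evaluates `len()` on the encryption secrets before the `issubclass(type(session_encryption_secrets), list)` check in the `@@ -1312,6 +1320,10 @@` hunk has run, so a string value (a single secret given as a scalar) is compared by character count and produces a misleading "must be equal length" error, while a value without `len()` such as an integer makes the module raise `TypeError` instead of returning the intended `'Expects session_encryption_secrets is a list.'` fact error. Guarding the comparison, `elif isinstance(facts['master']['session_encryption_secrets'], list) and len(session_auth_secrets) != len(facts['master']['session_encryption_secrets']):`, lets the later type check report the real problem. The first new message also drops an underscore: `'openshift_master_session_encryption secrets must be set '` should read `'openshift_master_session_encryption_secrets must be set '` so it matches the inventory variable name the operator has to fix. validate_master_facts begins and ends outside these hunks.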
+++ b/roles/openshift_master/tasks/main.yml @@ -9,16 +9,6 @@ Invalid OAuth grant method: {{ openshift_master_oauth_grant_method }} when: openshift_master_oauth_grant_method is defined and openshift_master_oauth_grant_method not in openshift_master_valid_grant_methods -# Session Options Validation -- fail: - msg: > - Both openshift_master_session_auth_secrets and openshift_master_session_encryption_secrets must be provided if either variable is set - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is not defined) or (openshift_master_session_encryption_secrets is defined and openshift_master_session_auth_secrets is not defined) -- fail: - msg: > - openshift_master_session_auth_secrets and openshift_master_encryption_secrets must be equal length - when: (openshift_master_session_auth_secrets is defined and openshift_master_session_encryption_secrets is defined) and (openshift_master_session_auth_secrets | length != openshift_master_session_encryption_secrets | length) - # HA Variable Validation - fail: msg: "openshift_master_cluster_method must be set to either 'native' or 'pacemaker' for multi-master installations" -- cgit v1.2.3
