77 files changed, 471 insertions, 351 deletions
| diff --git a/inventory/hosts.example b/inventory/hosts.example index 8c2590078..d786146fc 100644 --- a/inventory/hosts.example +++ b/inventory/hosts.example @@ -197,6 +197,10 @@ openshift_release=v3.7  #openshift_additional_repos=[{'id': 'openshift-origin-copr', 'name': 'OpenShift Origin COPR', 'baseurl': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/epel-7-$basearch/', 'enabled': 1, 'gpgcheck': 1, 'gpgkey': 'https://copr-be.cloud.fedoraproject.org/results/maxamillion/origin-next/pubkey.gpg'}]  #openshift_repos_enable_testing=false +# If the image for etcd needs to be pulled from anywhere else than registry.access.redhat.com, e.g. in +# a disconnected and containerized installation, use osm_etcd_image to specify the image to use: +#osm_etcd_image=rhel7/etcd +  # htpasswd auth  openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]  # Defining htpasswd users @@ -284,6 +288,16 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',  #  # GCE  #openshift_cloudprovider_kind=gce +# +# vSphere +#openshift_cloudprovider_kind=vsphere +#openshift_cloudprovider_vsphere_username=username +#openshift_cloudprovider_vsphere_password=password +#openshift_cloudprovider_vsphere_host=vcenter_host or vsphere_host +#openshift_cloudprovider_vsphere_datacenter=datacenter +#openshift_cloudprovider_vsphere_datastore=datastore +#openshift_cloudprovider_vsphere_folder=optional_folder_name +  # Project Configuration  #osm_project_request_message='' diff --git a/playbooks/aws/provisioning_vars.yml.example b/playbooks/aws/provisioning_vars.yml.example index 2eb7d23d4..f6b1a6b5d 100644 --- a/playbooks/aws/provisioning_vars.yml.example +++ b/playbooks/aws/provisioning_vars.yml.example 
@@ -93,6 +93,11 @@ openshift_aws_ssh_key_name: # myuser_key  # --------- #  # Variables in this section apply to building a node AMI for use in your  # openshift cluster. +# openshift-ansible will perform the container runtime storage setup when specified +# The current storage setup with require a drive if using a separate storage device +# for the container runtime. +container_runtime_docker_storage_type: overlay2 +container_runtime_docker_storage_setup_device: /dev/xvdb  # must specify a base_ami when building an AMI  openshift_aws_base_ami: # ami-12345678 diff --git a/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml index 21352b8d2..6d82fa928 100644 --- a/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml +++ b/playbooks/common/openshift-cluster/upgrades/create_service_signer_cert.yml @@ -2,7 +2,6 @@  - name: Create local temp directory for syncing certs    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - name: Create local temp directory for syncing certs @@ -11,6 +10,11 @@      changed_when: false      when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool) +  - name: Chmod local temp directory +    local_action: command chmod 777 "{{ local_cert_sync_tmpdir.stdout }}" +    changed_when: false +    when: not (hostvars[groups.oo_first_master.0].service_signer_cert_stat.stat.exists | bool) +  - name: Create service signer certificate    hosts: oo_first_master    roles: @@ -67,7 +71,6 @@  - name: Delete local temp directory    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - name: Delete local temp directory diff --git a/playbooks/common/openshift-cluster/upgrades/pre/config.yml b/playbooks/common/openshift-cluster/upgrades/pre/config.yml index cfc0c8745..da63450b8 100644 
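Review bot: The added `Chmod local temp directory` task in `create_service_signer_cert.yml` runs `chmod 777` on the directory used for syncing certs, so any other local account on the control host can read, replace or delete whatever is staged there before it is distributed. The same pattern is added in `embedded2external.yml` (etcd backup), `redeploy-ca.yml` (etcd CA), `redeploy-openshift-ca.yml` (OpenShift CA) and `roles/openshift_examples/tasks/main.yml` (755 changed to 777). It looks like the chmod compensates for dropping `become: no` from the localhost plays, which presumably leaves the `mktemp -d` directory owned by the become user; keeping `become: no` on the local mktemp and sync tasks would let the directory stay at its 0700 default. If the mode really has to be opened, hand ownership to the connecting user instead of granting access to everyone, and add a comment such as `# staging dir holds CA/signing material; must not be group/world accessible`. The play continues outside the hunk.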
--- a/playbooks/common/openshift-cluster/upgrades/pre/config.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre/config.yml @@ -1,4 +1,6 @@  --- +# for control-plane upgrade, several variables may be passed in to this play +# why may affect the tasks here and in imported playbooks.  # Pre-upgrade  - import_playbook: ../initialize_nodes_to_upgrade.yml @@ -48,6 +50,8 @@      # defined, and overriding the normal behavior of protecting the installed version      openshift_release: "{{ openshift_upgrade_target }}"      openshift_protect_installed_version: False +    # l_openshift_version_set_hosts is passed via upgrade_control_plane.yml +    # l_openshift_version_check_hosts is passed via upgrade_control_plane.yml  # If we're only upgrading nodes, we need to ensure masters are already upgraded  - name: Verify masters are already upgraded diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index 3fb028a16..ecb7c360c 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -109,7 +109,6 @@  - name: Gate on master update    hosts: localhost    connection: local -  become: no    tasks:    - set_fact:        master_update_completed: "{{ hostvars @@ -244,7 +243,6 @@  - name: Gate on reconcile    hosts: localhost    connection: local -  become: no    tasks:    - set_fact:        reconcile_completed: "{{ hostvars diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml index a956fdde5..eb5f07ae0 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml 
@@ -14,6 +14,7 @@  - import_playbook: ../init.yml    vars:      l_upgrade_no_switch_firewall_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" +    l_upgrade_non_node_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config"  - name: Configure the upgrade target for the common upgrade tasks    hosts: oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config @@ -23,7 +24,11 @@        openshift_upgrade_min: "{{ '1.5' if openshift_deployment_type == 'origin' else '3.5' }}"  - import_playbook: ../pre/config.yml +  # These vars a meant to exclude oo_nodes from plays that would otherwise include +  # them by default.    vars: +    l_openshift_version_set_hosts: "oo_etcd_to_config:oo_masters_to_config:!oo_first_master" +    l_openshift_version_check_hosts: "oo_masters_to_config:!oo_first_master"      l_upgrade_repo_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config"      l_upgrade_no_proxy_hosts: "oo_masters_to_config"      l_upgrade_health_check_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml index 1750148d4..8d42e4c91 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml @@ -14,6 +14,7 @@  - import_playbook: ../init.yml    vars:      l_upgrade_no_switch_firewall_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" +    l_upgrade_non_node_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config"  - name: Configure the upgrade target for the common upgrade tasks    hosts: oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config 
@@ -23,7 +24,11 @@        openshift_upgrade_min: '3.6'  - import_playbook: ../pre/config.yml +  # These vars a meant to exclude oo_nodes from plays that would otherwise include +  # them by default.    vars: +    l_openshift_version_set_hosts: "oo_etcd_to_config:oo_masters_to_config:!oo_first_master" +    l_openshift_version_check_hosts: "oo_masters_to_config:!oo_first_master"      l_upgrade_repo_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config"      l_upgrade_no_proxy_hosts: "oo_masters_to_config"      l_upgrade_health_check_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml index 08bfd239f..a2f316c25 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml @@ -14,6 +14,7 @@  - import_playbook: ../init.yml    vars:      l_upgrade_no_switch_firewall_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" +    l_upgrade_non_node_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config"  - name: Configure the upgrade target for the common upgrade tasks    hosts: oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config @@ -23,7 +24,11 @@        openshift_upgrade_min: '3.7'  - import_playbook: ../pre/config.yml +  # These vars a meant to exclude oo_nodes from plays that would otherwise include +  # them by default.    vars: +    l_openshift_version_set_hosts: "oo_etcd_to_config:oo_masters_to_config:!oo_first_master" +    l_openshift_version_check_hosts: "oo_masters_to_config:!oo_first_master"      l_upgrade_repo_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config"      l_upgrade_no_proxy_hosts: "oo_masters_to_config"      l_upgrade_health_check_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" 
diff --git a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml index 0aea5069d..552bea5e7 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade.yml @@ -41,13 +41,13 @@    roles:    - role: openshift_facts    tasks: -  - name: Stop {{ openshift.common.service_type }}-master-controllers +  - name: Stop {{ openshift_service_type }}-master-controllers      systemd: -      name: "{{ openshift.common.service_type }}-master-controllers" +      name: "{{ openshift_service_type }}-master-controllers"        state: stopped -  - name: Start {{ openshift.common.service_type }}-master-controllers +  - name: Start {{ openshift_service_type }}-master-controllers      systemd: -      name: "{{ openshift.common.service_type }}-master-controllers" +      name: "{{ openshift_service_type }}-master-controllers"        state: started  - import_playbook: ../upgrade_nodes.yml diff --git a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml index 05aa737c6..ef9871008 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_9/upgrade_control_plane.yml @@ -14,6 +14,7 @@  - import_playbook: ../init.yml    vars:      l_upgrade_no_switch_firewall_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" +    l_upgrade_non_node_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config"  - name: Configure the upgrade target for the common upgrade tasks    hosts: oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config 
@@ -23,7 +24,11 @@        openshift_upgrade_min: '3.7'  - import_playbook: ../pre/config.yml +  # These vars a meant to exclude oo_nodes from plays that would otherwise include +  # them by default.    vars: +    l_openshift_version_set_hosts: "oo_etcd_to_config:oo_masters_to_config:!oo_first_master" +    l_openshift_version_check_hosts: "oo_masters_to_config:!oo_first_master"      l_upgrade_repo_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config"      l_upgrade_no_proxy_hosts: "oo_masters_to_config"      l_upgrade_health_check_hosts: "oo_masters_to_config:oo_etcd_to_config:oo_lb_to_config" diff --git a/playbooks/init/evaluate_groups.yml b/playbooks/init/evaluate_groups.yml index 8087f6ffc..c4cd226c9 100644 --- a/playbooks/init/evaluate_groups.yml +++ b/playbooks/init/evaluate_groups.yml @@ -2,7 +2,6 @@  - name: Populate config host groups    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - name: Load group name mapping variables diff --git a/playbooks/init/facts.yml b/playbooks/init/facts.yml index 6759240c9..8e4206948 100644 --- a/playbooks/init/facts.yml +++ b/playbooks/init/facts.yml @@ -5,7 +5,9 @@    tasks:  - name: Initialize host facts -  hosts: oo_all_hosts +  # l_upgrade_non_node_hosts is passed in via play during control-plane-only +  # upgrades; otherwise oo_all_hosts is used. +  hosts: "{{ l_upgrade_non_node_hosts | default('oo_all_hosts') }}"    tasks:    - name: load openshift_facts module      import_role: @@ -100,3 +102,5 @@        # We need to setup openshift_client_binary here for special uses of delegate_to in        # later roles and plays.        first_master_client_binary: "{{  openshift_client_binary }}" +      #Some roles may require this to be set for first master +      openshift_client_binary: "{{ openshift_client_binary }}" diff --git a/playbooks/init/main.yml b/playbooks/init/main.yml index 20457e508..8a3f4682d 100644 --- a/playbooks/init/main.yml +++ b/playbooks/init/main.yml 
@@ -17,12 +17,12 @@  - import_playbook: facts.yml -- import_playbook: sanity_checks.yml -  when: not (skip_sanity_checks | default(False)) -  - import_playbook: version.yml    when: not (skip_verison | default(False)) +- import_playbook: sanity_checks.yml +  when: not (skip_sanity_checks | default(False)) +  - name: Initialization Checkpoint End    hosts: all    gather_facts: false diff --git a/playbooks/init/version.yml b/playbooks/init/version.yml index 37a5284d5..962ee7220 100644 --- a/playbooks/init/version.yml +++ b/playbooks/init/version.yml 
@@ -2,20 +2,32 @@  # NOTE: requires openshift_facts be run  - name: Determine openshift_version to configure on first master    hosts: oo_first_master -  roles: -  - openshift_version +  tasks: +  - include_role: +      name: openshift_version +      tasks_from: first_master.yml +  - debug: msg="openshift_pkg_version set to {{ openshift_pkg_version | default('') }}"  # NOTE: We set this even on etcd hosts as they may also later run as masters,  # and we don't want to install wrong version of docker and have to downgrade  # later.  - name: Set openshift_version for etcd, node, and master hosts -  hosts: oo_etcd_to_config:oo_nodes_to_config:oo_masters_to_config:!oo_first_master +  hosts: "{{ l_openshift_version_set_hosts | default(l_default_version_set_hosts) }}"    vars: -    openshift_version: "{{ hostvars[groups.oo_first_master.0].openshift_version }}" -  pre_tasks: +    l_default_version_set_hosts: "oo_etcd_to_config:oo_nodes_to_config:oo_masters_to_config:!oo_first_master" +    l_first_master_openshift_version: "{{ hostvars[groups.oo_first_master.0].openshift_version }}" +    l_first_master_openshift_pkg_version: "{{ hostvars[groups.oo_first_master.0].openshift_pkg_version | default('') }}" +    l_first_master_openshift_image_tag: "{{ hostvars[groups.oo_first_master.0].openshift_image_tag}}" +  tasks:    - set_fact: -      openshift_pkg_version: -{{ openshift_version }} -    when: openshift_pkg_version is not defined -  - debug: msg="openshift_pkg_version set to {{ openshift_pkg_version }}" -  roles: -  - openshift_version +      openshift_version: "{{ l_first_master_openshift_version }}" +      openshift_pkg_version: "{{ l_first_master_openshift_pkg_version }}" +      openshift_image_tag: "{{ l_first_master_openshift_image_tag }}" + +# NOTE: These steps should only be run against masters and nodes. +- name: Ensure the requested version packages are available. 
+  hosts: "{{ l_openshift_version_check_hosts | default('oo_nodes_to_config:oo_masters_to_config:!oo_first_master') }}" +  tasks: +  - include_role: +      name: openshift_version +      tasks_from: masters_and_nodes.yml diff --git a/playbooks/openshift-etcd/private/embedded2external.yml b/playbooks/openshift-etcd/private/embedded2external.yml index b71eaacd0..674bd5088 100644 --- a/playbooks/openshift-etcd/private/embedded2external.yml +++ b/playbooks/openshift-etcd/private/embedded2external.yml @@ -89,7 +89,10 @@      local_action: command mktemp -d /tmp/etcd_backup-XXXXXXX      register: g_etcd_client_mktemp      changed_when: False -    become: no + +  - name: Chmod local temp directory for syncing etcd backup +    local_action: command chmod 777 "{{ g_etcd_client_mktemp.stdout }}" +    changed_when: False    - import_role:        name: etcd @@ -116,7 +119,6 @@    - name: Delete temporary directory      local_action: file path="{{ g_etcd_client_mktemp.stdout }}" state=absent      changed_when: False -    become: no  # 7. force new cluster from the backup  - name: Force new etcd cluster diff --git a/playbooks/openshift-etcd/private/migrate.yml b/playbooks/openshift-etcd/private/migrate.yml index 0a2ac7f1a..3f8b44032 100644 --- a/playbooks/openshift-etcd/private/migrate.yml +++ b/playbooks/openshift-etcd/private/migrate.yml @@ -2,7 +2,6 @@  - name: Check if the master has embedded etcd    hosts: localhost    connection: local -  become: no    gather_facts: no    tags:    - always @@ -53,7 +52,6 @@  - name: Gate on etcd backup    hosts: localhost    connection: local -  become: no    tasks:    - set_fact:        etcd_backup_completed: "{{ hostvars diff --git a/playbooks/openshift-etcd/private/redeploy-ca.yml b/playbooks/openshift-etcd/private/redeploy-ca.yml index 7b0d99255..a3acf6945 100644 --- a/playbooks/openshift-etcd/private/redeploy-ca.yml +++ b/playbooks/openshift-etcd/private/redeploy-ca.yml 
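Review bot: In the `Set openshift_version for etcd, node, and master hosts` play of `version.yml`, `l_first_master_openshift_image_tag` is read from the first master's hostvars without a fallback, while `l_first_master_openshift_pkg_version` directly above it uses `| default('')`. If `first_master.yml` (not visible here) can finish without setting `openshift_image_tag`, the `set_fact` fails with an undefined-variable error on every other host; either add `| default('')` for symmetry or add a comment stating that the first-master tasks always set it. The `set_fact` is also unconditional now, so it overwrites a per-host `openshift_pkg_version` from inventory, where the removed task only set it `when: openshift_pkg_version is not defined`; a one-line comment saying that this is intended would help.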
@@ -26,7 +26,6 @@  - name: Create temp directory for syncing certs    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - name: Create local temp directory for syncing certs @@ -34,6 +33,10 @@      register: g_etcd_mktemp      changed_when: false +  - name: Chmod local temp directory for syncing certs +    local_action: command chmod 777 "{{ g_etcd_mktemp.stdout }}" +    changed_when: false +  - name: Distribute etcd CA to etcd hosts    hosts: oo_etcd_to_config    tasks: @@ -74,7 +77,6 @@  - name: Delete temporary directory on localhost    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - file: diff --git a/playbooks/openshift-etcd/private/upgrade_backup.yml b/playbooks/openshift-etcd/private/upgrade_backup.yml index 97b6edba5..081c024fc 100644 --- a/playbooks/openshift-etcd/private/upgrade_backup.yml +++ b/playbooks/openshift-etcd/private/upgrade_backup.yml @@ -14,7 +14,6 @@  - name: Gate on etcd backup    hosts: localhost    connection: local -  become: no    tasks:    - set_fact:        etcd_backup_completed: "{{ hostvars diff --git a/playbooks/openshift-master/private/redeploy-openshift-ca.yml b/playbooks/openshift-master/private/redeploy-openshift-ca.yml index 9d3c12ba1..663c39868 100644 --- a/playbooks/openshift-master/private/redeploy-openshift-ca.yml +++ b/playbooks/openshift-master/private/redeploy-openshift-ca.yml @@ -125,7 +125,6 @@  - name: Create temp directory for syncing certs    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - name: Create local temp directory for syncing certs @@ -133,6 +132,10 @@      register: g_master_mktemp      changed_when: false +  - name: Chmod local temp directory for syncing certs +    local_action: command chmod 777 "{{ g_master_mktemp.stdout }}" +    changed_when: false +  - name: Retrieve OpenShift CA    hosts: oo_first_master    vars: 
@@ -264,7 +267,6 @@  - name: Delete temporary directory on localhost    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - file: diff --git a/playbooks/openshift-master/private/tasks/restart_hosts.yml b/playbooks/openshift-master/private/tasks/restart_hosts.yml index a5dbe0590..76e1ea5f3 100644 --- a/playbooks/openshift-master/private/tasks/restart_hosts.yml +++ b/playbooks/openshift-master/private/tasks/restart_hosts.yml @@ -27,7 +27,6 @@        delay=10        timeout=600        port="{{ ansible_port | default(ansible_ssh_port | default(22,boolean=True),boolean=True) }}" -  become: no  # Now that ssh is back up we can wait for API on the remote system,  # avoiding some potential connection issues from local system: diff --git a/playbooks/openshift-master/private/validate_restart.yml b/playbooks/openshift-master/private/validate_restart.yml index 1077d0b9c..60b0e5bb6 100644 --- a/playbooks/openshift-master/private/validate_restart.yml +++ b/playbooks/openshift-master/private/validate_restart.yml @@ -21,7 +21,6 @@  - name: Create temp file on localhost    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - local_action: command mktemp @@ -38,7 +37,6 @@  - name: Cleanup temp file on localhost    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - file: path="{{ hostvars.localhost.mktemp.stdout }}" state=absent diff --git a/playbooks/openshift-master/scaleup.yml b/playbooks/openshift-master/scaleup.yml index f717cd0e9..7d31340a2 100644 --- a/playbooks/openshift-master/scaleup.yml +++ b/playbooks/openshift-master/scaleup.yml @@ -4,7 +4,6 @@  - name: Ensure there are new_masters or new_nodes    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - fail: diff --git a/playbooks/openshift-node/private/setup.yml b/playbooks/openshift-node/private/setup.yml index 802dce37e..41c323f2b 100644 
--- a/playbooks/openshift-node/private/setup.yml +++ b/playbooks/openshift-node/private/setup.yml @@ -8,7 +8,6 @@  - name: Evaluate node groups    hosts: localhost -  become: no    connection: local    tasks:    - name: Evaluate oo_containerized_master_nodes diff --git a/playbooks/openshift-node/scaleup.yml b/playbooks/openshift-node/scaleup.yml index bdfd3d3e6..cf13692ae 100644 --- a/playbooks/openshift-node/scaleup.yml +++ b/playbooks/openshift-node/scaleup.yml @@ -4,7 +4,6 @@  - name: Ensure there are new_nodes    hosts: localhost    connection: local -  become: no    gather_facts: no    tasks:    - fail: diff --git a/roles/container_runtime/tasks/systemcontainer_docker.yml b/roles/container_runtime/tasks/systemcontainer_docker.yml index dc0452553..5f715cd21 100644 --- a/roles/container_runtime/tasks/systemcontainer_docker.yml +++ b/roles/container_runtime/tasks/systemcontainer_docker.yml @@ -42,6 +42,12 @@  - debug:      var: l_docker_image +# Do the authentication before pulling the container engine system container +# as the pull might be from an authenticated registry. +- include_tasks: registry_auth.yml +  vars: +    openshift_docker_alternative_creds: True +  # NOTE: no_proxy added as a workaround until https://github.com/projectatomic/atomic/pull/999 is released  - name: Pre-pull Container Engine System Container image    command: "atomic pull --storage ostree {{ l_docker_image }}" diff --git a/roles/etcd/tasks/migration/migrate.yml b/roles/etcd/tasks/migration/migrate.yml index 847b1d722..630640ab1 100644 --- a/roles/etcd/tasks/migration/migrate.yml +++ b/roles/etcd/tasks/migration/migrate.yml @@ -1,7 +1,7 @@  ---  # Should this be run in a serial manner?  - set_fact: -    l_etcd_service: "{{ 'etcd_container' if openshift_is_containerized else 'etcd' }}" +    l_etcd_service: "{{ 'etcd_container' if (openshift_is_containerized | bool) else 'etcd' }}"  - name: Migrate etcd data    command: 
> diff --git a/roles/flannel/handlers/main.yml b/roles/flannel/handlers/main.yml index 7d79bd3d4..f94399fab 100644 --- a/roles/flannel/handlers/main.yml +++ b/roles/flannel/handlers/main.yml @@ -21,3 +21,7 @@    until: not (l_restart_node_result is failed)    retries: 3    delay: 30 + +- name: save iptable rules +  become: yes +  command: 'iptables-save' diff --git a/roles/flannel/tasks/main.yml b/roles/flannel/tasks/main.yml index 4627bf69c..11981fb80 100644 --- a/roles/flannel/tasks/main.yml +++ b/roles/flannel/tasks/main.yml @@ -41,3 +41,13 @@    notify:      - restart docker      - restart node + +- name: Enable Pod to Pod communication +  command: /sbin/iptables --wait -I FORWARD -d {{ hostvars[groups.oo_first_master.0].openshift.master.sdn_cluster_network_cidr }} -i {{ flannel_interface }} -j ACCEPT -m comment --comment "Pod to Pod communication" +  notify: +    - save iptable rules + +- name: Allow external network access +  command: /sbin/iptables -t nat -A POSTROUTING -o {{ flannel_interface }}  -j MASQUERADE -m comment --comment "Allow external network access" +  notify: +    - save iptable rules diff --git a/roles/lib_utils/action_plugins/sanity_checks.py b/roles/lib_utils/action_plugins/sanity_checks.py index 1bf332678..09ce55e8f 100644 --- a/roles/lib_utils/action_plugins/sanity_checks.py +++ b/roles/lib_utils/action_plugins/sanity_checks.py @@ -2,6 +2,8 @@  Ansible action plugin to ensure inventory variables are set  appropriately and no conflicting options have been provided.  """ +import re +  from ansible.plugins.action import ActionBase  from ansible import errors 
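Review bot: The new `save iptable rules` handler in `roles/flannel/handlers/main.yml` runs `iptables-save` through `command`, which only prints the current ruleset to stdout; nothing is written to disk, so the rules added in `roles/flannel/tasks/main.yml` presumably do not survive a reboot or a restart of the iptables service. The handler needs to write the output to the rules file that the host's iptables service loads (for example `shell` with a redirect to that file; the path is not shown on this page), or the rules should be handed to whichever role already owns the host firewall configuration.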
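Review bot: Both added `command: /sbin/iptables ...` tasks in `roles/flannel/tasks/main.yml` are not idempotent: every playbook run inserts another copy of the FORWARD rule and appends another MASQUERADE rule, and each run reports changed and notifies the handler. Guard each one with a check (`iptables -C ...` with the same arguments and `failed_when: false`, then run the insert only when the check returned non-zero), or use the Ansible `iptables` module, which does this itself. The second task also lacks the `--wait` that the first one has, so it can fail on xtables lock contention. Separately, the FORWARD rule is inserted at the top of the chain and accepts all traffic to the cluster CIDR arriving on `flannel_interface`; a comment stating that this is intended would help whoever reviews the host firewall.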
@@ -15,6 +17,27 @@ NET_PLUGIN_LIST = (('openshift_use_openshift_sdn', True),                     ('openshift_use_contiv', False),                     ('openshift_use_calico', False)) +ENTERPRISE_TAG_REGEX_ERROR = """openshift_image_tag must be in the format +v#.#[.#[.#]]. Examples: v1.2, v3.4.1, v3.5.1.3, +v3.5.1.3.4, v1.2-1, v1.2.3-4, v1.2.3-4.5, v1.2.3-4.5.6 +You specified openshift_image_tag={}""" + +ORIGIN_TAG_REGEX_ERROR = """openshift_image_tag must be in the format +v#.#.#[-optional.#]. Examples: v1.2.3, v3.5.1-alpha.1 +You specified openshift_image_tag={}""" + +ORIGIN_TAG_REGEX = {'re': '(^v?\\d+\\.\\d+\\.\\d+(-[\\w\\-\\.]*)?$)', +                    'error_msg': ORIGIN_TAG_REGEX_ERROR} +ENTERPRISE_TAG_REGEX = {'re': '(^v\\d+\\.\\d+(\\.\\d+)*(-\\d+(\\.\\d+)*)?$)', +                        'error_msg': ENTERPRISE_TAG_REGEX_ERROR} +IMAGE_TAG_REGEX = {'origin': ORIGIN_TAG_REGEX, +                   'openshift-enterprise': ENTERPRISE_TAG_REGEX} + +CONTAINERIZED_NO_TAG_ERROR_MSG = """To install a containerized Origin release, +you must set openshift_release or openshift_image_tag in your inventory to +specify which version of the OpenShift component images to use. +(Suggestion: add openshift_release="x.y" to inventory.)""" +  def to_bool(var_to_check):      """Determine a boolean value given the multiple @@ -44,6 +67,7 @@ class ActionModule(ActionBase):              type_strings = ", ".join(VALID_DEPLOYMENT_TYPES)              msg = "openshift_deployment_type must be defined and one of {}".format(type_strings)              raise errors.AnsibleModuleError(msg) +        return openshift_deployment_type      def check_python_version(self, hostvars, host, distro):          """Ensure python version is 3 for Fedora and python 2 for others""" 
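Review bot: Both tag patterns in `ORIGIN_TAG_REGEX` and `ENTERPRISE_TAG_REGEX` end in `$`, and with `re.match` (used by `check_image_tag_format` in a later hunk) `$` also matches just before a trailing newline, so a value with a newline appended still passes validation; ending the patterns in `\Z` closes that gap. The messages also disagree with the patterns: the origin pattern accepts a tag without the leading `v` (`v?`) although the message says `v#.#.#`, and the enterprise message lists `v3.5.1.3.4`, which is longer than the stated `v#.#[.#[.#]]`. Raw strings, e.g. `r'(^v\d+\.\d+(\.\d+)*(-\d+(\.\d+)*)?\Z)'`, would read more easily than the doubled backslashes.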
@@ -58,6 +82,35 @@ class ActionModule(ActionBase):              if ansible_python['version']['major'] != 2:                  msg = "openshift-ansible requires Python 2 for {};".format(distro) +    def check_image_tag_format(self, hostvars, host, openshift_deployment_type): +        """Ensure openshift_image_tag is formatted correctly""" +        openshift_image_tag = self.template_var(hostvars, host, 'openshift_image_tag') +        if not openshift_image_tag or openshift_image_tag == 'latest': +            return None +        regex_to_match = IMAGE_TAG_REGEX[openshift_deployment_type]['re'] +        res = re.match(regex_to_match, str(openshift_image_tag)) +        if res is None: +            msg = IMAGE_TAG_REGEX[openshift_deployment_type]['error_msg'] +            msg = msg.format(str(openshift_image_tag)) +            raise errors.AnsibleModuleError(msg) + +    def no_origin_image_version(self, hostvars, host, openshift_deployment_type): +        """Ensure we can determine what image version to use with origin +          fail when: +          - openshift_is_containerized +          - openshift_deployment_type == 'origin' +          - openshift_release is not defined +          - openshift_image_tag is not defined""" +        if not openshift_deployment_type == 'origin': +            return None +        oic = self.template_var(hostvars, host, 'openshift_is_containerized') +        if not to_bool(oic): +            return None +        orelease = self.template_var(hostvars, host, 'openshift_release') +        oitag = self.template_var(hostvars, host, 'openshift_image_tag') +        if not orelease and not oitag: +            raise errors.AnsibleModuleError(CONTAINERIZED_NO_TAG_ERROR_MSG) +      def network_plugin_check(self, hostvars, host):          """Ensure only one type of network plugin is enabled"""          res = [] 
@@ -88,8 +141,10 @@ class ActionModule(ActionBase):      def run_checks(self, hostvars, host):          """Execute the hostvars validations against host"""          distro = self.template_var(hostvars, host, 'ansible_distribution') -        self.check_openshift_deployment_type(hostvars, host) +        odt = self.check_openshift_deployment_type(hostvars, host)          self.check_python_version(hostvars, host, distro) +        self.check_image_tag_format(hostvars, host, odt) +        self.no_origin_image_version(hostvars, host, odt)          self.network_plugin_check(hostvars, host)          self.check_hostname_vars(hostvars, host) diff --git a/roles/openshift_aws/tasks/provision_instance.yml b/roles/openshift_aws/tasks/provision_instance.yml index 7eadd1522..786db1570 100644 --- a/roles/openshift_aws/tasks/provision_instance.yml +++ b/roles/openshift_aws/tasks/provision_instance.yml @@ -42,5 +42,5 @@  - name: add host to nodes    add_host: -    groups: nodes +    groups: nodes,g_new_node_hosts      name: "{{ instancesout.instances[0].public_dns_name }}" diff --git a/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py index a2bc9ecdb..58b228fee 100644 --- a/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py +++ b/roles/openshift_certificate_expiry/filter_plugins/oo_cert_expiry.py @@ -31,7 +31,6 @@ certificates  Example playbook usage:    - name: Generate expiration results JSON -    become: no      run_once: yes      delegate_to: localhost      when: openshift_certificate_expiry_save_json_results|bool diff --git a/roles/openshift_certificate_expiry/tasks/main.yml b/roles/openshift_certificate_expiry/tasks/main.yml index b5234bd1e..8dea2c07f 100644 --- a/roles/openshift_certificate_expiry/tasks/main.yml +++ b/roles/openshift_certificate_expiry/tasks/main.yml 
@@ -7,7 +7,6 @@    register: check_results  - name: Generate expiration report HTML -  become: no    run_once: yes    template:      src: cert-expiry-table.html.j2 @@ -21,7 +20,6 @@    when: openshift_certificate_expiry_save_json_results|bool  - name: Generate results JSON file -  become: no    run_once: yes    template:      src: save_json_results.j2 diff --git a/roles/openshift_cloud_provider/tasks/main.yml b/roles/openshift_cloud_provider/tasks/main.yml index dff492a69..3513577fa 100644 --- a/roles/openshift_cloud_provider/tasks/main.yml +++ b/roles/openshift_cloud_provider/tasks/main.yml @@ -19,3 +19,6 @@  - include_tasks: gce.yml    when: cloudprovider_is_gce | bool + +- include_tasks: vsphere.yml +  when: cloudprovider_is_vsphere | bool diff --git a/roles/openshift_cloud_provider/tasks/vsphere.yml b/roles/openshift_cloud_provider/tasks/vsphere.yml new file mode 100644 index 000000000..3a33df241 --- /dev/null +++ b/roles/openshift_cloud_provider/tasks/vsphere.yml @@ -0,0 +1,6 @@ +--- +- name: Create cloud config +  template: +    dest: "{{ openshift.common.config_base }}/cloudprovider/vsphere.conf" +    src: vsphere.conf.j2 +  when: openshift_cloudprovider_vsphere_username is defined and openshift_cloudprovider_vsphere_password is defined and openshift_cloudprovider_vsphere_host is defined and openshift_cloudprovider_vsphere_datacenter is defined and openshift_cloudprovider_vsphere_datastore is defined diff --git a/roles/openshift_cloud_provider/templates/vsphere.conf.j2 b/roles/openshift_cloud_provider/templates/vsphere.conf.j2 new file mode 100644 index 000000000..84e5e371c --- /dev/null +++ b/roles/openshift_cloud_provider/templates/vsphere.conf.j2 
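Review bot: The `Create cloud config` task in the new `vsphere.yml` writes `vsphere.conf`, which contains the vCenter password, without `owner`, `group` or `mode`, so the file gets whatever the umask yields, commonly world-readable. Add `mode: "0600"` to the `template` arguments (plus `owner: root` and `group: root` if that matches the service that reads the file, which is not visible here). The task is also skipped silently when any of the five variables is undefined even though `openshift_cloudprovider_kind=vsphere` was requested; a `fail` task with a clear message would be safer than a cluster that comes up without its cloud config.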
@@ -0,0 +1,15 @@ +[Global] +user = "{{ openshift_cloudprovider_vsphere_username }}" +password = "{{ openshift_cloudprovider_vsphere_password }}" +server = "{{ openshift_cloudprovider_vsphere_host }}" +port = 443 +insecure-flag = 1 +datacenter = {{ openshift_cloudprovider_vsphere_datacenter }} +datastore = {{ openshift_cloudprovider_vsphere_datastore }} +{% if openshift_cloudprovider_vsphere_folder is defined %} +working-dir = /{{ openshift_cloudprovider_vsphere_datacenter }}/vm/{{ openshift_cloudprovider_vsphere_folder }}/ +{% else %} +working-dir = /{{ openshift_cloudprovider_vsphere_datacenter }}/vm/ +{% endif %} +[Disk] +scsicontrollertype = pvscsi diff --git a/roles/openshift_cloud_provider/vars/main.yml b/roles/openshift_cloud_provider/vars/main.yml index c9d953f58..e71db80b9 100644 --- a/roles/openshift_cloud_provider/vars/main.yml +++ b/roles/openshift_cloud_provider/vars/main.yml @@ -3,3 +3,4 @@ has_cloudprovider: "{{ openshift_cloudprovider_kind | default(None) != None }}"  cloudprovider_is_aws: "{{ has_cloudprovider | bool and openshift_cloudprovider_kind == 'aws' }}"  cloudprovider_is_openstack: "{{ has_cloudprovider | bool and openshift_cloudprovider_kind == 'openstack' }}"  cloudprovider_is_gce: "{{ has_cloudprovider | bool and openshift_cloudprovider_kind == 'gce' }}" +cloudprovider_is_vsphere: "{{ has_cloudprovider | bool and openshift_cloudprovider_kind == 'vsphere' }}" diff --git a/roles/openshift_etcd_facts/vars/main.yml b/roles/openshift_etcd_facts/vars/main.yml index 9e635b34f..d716c9505 100644 --- a/roles/openshift_etcd_facts/vars/main.yml +++ b/roles/openshift_etcd_facts/vars/main.yml @@ -1,5 +1,5 @@  --- -etcd_is_containerized: "{{ openshift_is_containerized }}" +etcd_is_containerized: "{{ openshift_is_containerized | bool }}"  etcd_is_atomic: "{{ openshift_is_atomic }}"  etcd_hostname: "{{ openshift.common.hostname }}"  etcd_ip: "{{ openshift.common.ip }}" 
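Review bot: `insecure-flag = 1` is hard-coded in vsphere.conf.j2, so every cluster rendered from this template appears to connect to the vSphere endpoint on port 443 without verifying its certificate (confirm the flag's meaning against the cloud provider documentation), while the username and password from the same file travel over that connection. Drive it from an inventory variable that defaults to verification on, for example `insecure-flag = {{ openshift_cloudprovider_vsphere_insecure | default(0) }}` (the variable name is a suggestion, not an existing one), and document when switching verification off is acceptable. Separately, `user`, `password` and `server` are quoted but `datacenter`, `datastore` and `working-dir` are not; quoting them all the same way keeps names containing spaces or special characters rendering consistently.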
diff --git a/roles/openshift_examples/tasks/main.yml b/roles/openshift_examples/tasks/main.yml index ff04cdf9c..7787da4f0 100644 --- a/roles/openshift_examples/tasks/main.yml +++ b/roles/openshift_examples/tasks/main.yml @@ -16,8 +16,8 @@    register: copy_examples_mktemp    run_once: True -- name: Create local temp dir for OpenShift examples copy -  local_action: command chmod 755 "{{ copy_examples_mktemp.stdout }}" +- name: Chmod local temp dir for OpenShift examples copy +  local_action: command chmod 777 "{{ copy_examples_mktemp.stdout }}"    run_once: True  - name: Create tar of OpenShift examples @@ -27,7 +27,7 @@      # Consider using unarchive module rather than running tar      warn: no -- name: Create local temp dir for OpenShift examples copy +- name: Chmod local temp dir for OpenShift examples copy    local_action: command chmod 744 "{{ copy_examples_mktemp.stdout }}/openshift-examples.tar"    run_once: True diff --git a/roles/openshift_expand_partition/README.md b/roles/openshift_expand_partition/README.md index c9c7b378c..402c3dc3e 100644 --- a/roles/openshift_expand_partition/README.md +++ b/roles/openshift_expand_partition/README.md @@ -45,7 +45,6 @@ space on /dev/xvda, and the file system will be expanded to fill the new  partition space.      - hosts: mynodes -      become: no        remote_user: root        gather_facts: no        roles: @@ -68,7 +67,6 @@ partition space.  * Create an ansible playbook, say `expandvar.yaml`:      ```      - hosts: mynodes -      become: no        remote_user: root        gather_facts: no        roles: diff --git a/roles/openshift_facts/defaults/main.yml b/roles/openshift_facts/defaults/main.yml index 980350d14..a223ffba6 100644 --- a/roles/openshift_facts/defaults/main.yml +++ b/roles/openshift_facts/defaults/main.yml 
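Review bot: `local_action: command chmod 777 "{{ copy_examples_mktemp.stdout }}"` in roles/openshift_examples/tasks/main.yml makes the local temp directory writable by every account on the control host, where the line it replaces used 755. The same `chmod 777` is added in openshift_hosted_templates/tasks/main.yml, openshift_logging/tasks/main.yaml (`local_tmp`, the directory the JKS tasks use) and openshift_master_certificates/tasks/main.yml (`g_master_certs_mktemp`, used for syncing master certs). In those two, any local user could add, replace or remove files between the tasks that write certificate material and the tasks that push it to the cluster. If the mode change exists only because dropping `become: no` leaves the directory owned by a different user than the one that later writes to it, keep the directory private (`chmod 700`) and run every local task that touches it as the same user, or `chown` it to that user. If wider access is truly required, say why in a comment above the task.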
@@ -1,5 +1,5 @@  --- -openshift_client_binary: "{{ openshift_is_containerized | ternary('/usr/local/bin/oc', 'oc') }}" +openshift_client_binary: "{{ (openshift_is_containerized | bool) | ternary('/usr/local/bin/oc', 'oc') }}"  openshift_cli_image_dict:    origin: 'openshift/origin' diff --git a/roles/openshift_health_checker/callback_plugins/zz_failure_summary.py b/roles/openshift_health_checker/callback_plugins/zz_failure_summary.py index dcaf87eca..c83adb26d 100644 --- a/roles/openshift_health_checker/callback_plugins/zz_failure_summary.py +++ b/roles/openshift_health_checker/callback_plugins/zz_failure_summary.py @@ -175,6 +175,8 @@ def format_failure(failure):      play = failure['play']      task = failure['task']      msg = failure['msg'] +    if not isinstance(msg, string_types): +        msg = str(msg)      checks = failure['checks']      fields = (          (u'Hosts', host), diff --git a/roles/openshift_hosted/defaults/main.yml b/roles/openshift_hosted/defaults/main.yml index b6501d288..f40085976 100644 --- a/roles/openshift_hosted/defaults/main.yml +++ b/roles/openshift_hosted/defaults/main.yml @@ -69,7 +69,7 @@ r_openshift_hosted_router_os_firewall_allow: []  ############  openshift_hosted_registry_selector: "{{ openshift_registry_selector | default(openshift_hosted_infra_selector) }}" -penshift_hosted_registry_registryurl: "{{ openshift_hosted_images_dict[openshift_deployment_type] }}" +openshift_hosted_registry_registryurl: "{{ openshift_hosted_images_dict[openshift_deployment_type] }}"  openshift_hosted_registry_routecertificates: {}  openshift_hosted_registry_routetermination: "passthrough" diff --git a/roles/openshift_hosted_templates/tasks/main.yml b/roles/openshift_hosted_templates/tasks/main.yml index 672d25b4d..34d39f3a5 100644 --- a/roles/openshift_hosted_templates/tasks/main.yml +++ b/roles/openshift_hosted_templates/tasks/main.yml 
@@ -6,8 +6,8 @@    # AUDIT:changed_when: not set here because this task actually    # creates something -- name: Create local temp dir for OpenShift examples copy -  local_action: command chmod 755 "{{ copy_hosted_templates_mktemp.stdout }}" +- name: Chmod local temp dir for OpenShift examples copy +  local_action: command chmod 777 "{{ copy_hosted_templates_mktemp.stdout }}"    run_once: True  - name: Create tar of OpenShift examples @@ -17,7 +17,7 @@      # Consider using unarchive module rather than running tar      warn: no -- name: Create local temp dir for OpenShift examples copy +- name: Chmod local tar of OpenShift examples    local_action: command chmod 744 "{{ copy_hosted_templates_mktemp.stdout }}/openshift-hosted-templates.tar"    run_once: True diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 27cfc17d6..a192bd67e 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md @@ -177,6 +177,9 @@ Elasticsearch OPS too, if using an OPS cluster:    clients will use to connect to mux, and will be used in the TLS server cert    subject.  - `openshift_logging_mux_port`: 24284 +- `openshift_logging_mux_external_address`: The IP address that mux will listen + on for connections from *external* clients.  Default is the default ipv4 + interface as reported by the `ansible_default_ipv4` fact.  - `openshift_logging_mux_cpu_request`: 100m  - `openshift_logging_mux_memory_limit`: 512Mi  - `openshift_logging_mux_default_namespaces`: Default `["mux-undefined"]` - the diff --git a/roles/openshift_logging/library/openshift_logging_facts.py b/roles/openshift_logging/library/openshift_logging_facts.py index 302a9b4c9..37ffb0204 100644 --- a/roles/openshift_logging/library/openshift_logging_facts.py +++ b/roles/openshift_logging/library/openshift_logging_facts.py 
@@ -276,7 +276,7 @@ class OpenshiftLoggingFacts(OCBaseCommand):              return          for item in role["subjects"]:              comp = self.comp(item["name"]) -            if comp is not None and namespace == item["namespace"]: +            if comp is not None and namespace == item.get("namespace"):                  self.add_facts_for(comp, "clusterrolebindings", "cluster-readers", dict())  # this needs to end up nested under the service account... @@ -288,7 +288,7 @@ class OpenshiftLoggingFacts(OCBaseCommand):              return          for item in role["subjects"]:              comp = self.comp(item["name"]) -            if comp is not None and namespace == item["namespace"]: +            if comp is not None and namespace == item.get("namespace"):                  self.add_facts_for(comp, "rolebindings", "logging-elasticsearch-view-role", dict())      # pylint: disable=no-self-use, too-many-return-statements diff --git a/roles/openshift_logging/tasks/generate_jks.yaml b/roles/openshift_logging/tasks/generate_jks.yaml index d6ac88dcc..6e3204589 100644 --- a/roles/openshift_logging/tasks/generate_jks.yaml +++ b/roles/openshift_logging/tasks/generate_jks.yaml 
@@ -24,25 +24,21 @@    local_action: file path="{{local_tmp.stdout}}/elasticsearch.jks" state=touch mode="u=rw,g=r,o=r"    when: elasticsearch_jks.stat.exists    changed_when: False -  become: no  - name: Create placeholder for previously created JKS certs to prevent recreating...    local_action: file path="{{local_tmp.stdout}}/logging-es.jks" state=touch mode="u=rw,g=r,o=r"    when: logging_es_jks.stat.exists    changed_when: False -  become: no  - name: Create placeholder for previously created JKS certs to prevent recreating...    local_action: file path="{{local_tmp.stdout}}/system.admin.jks" state=touch mode="u=rw,g=r,o=r"    when: system_admin_jks.stat.exists    changed_when: False -  become: no  - name: Create placeholder for previously created JKS certs to prevent recreating...    local_action: file path="{{local_tmp.stdout}}/truststore.jks" state=touch mode="u=rw,g=r,o=r"    when: truststore_jks.stat.exists    changed_when: False -  become: no  - name: pulling down signing items from host    fetch: @@ -61,12 +57,10 @@    vars:      - top_dir: "{{local_tmp.stdout}}"    when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists -  become: no  - name: Run JKS generation script    local_action: script generate-jks.sh {{local_tmp.stdout}} {{openshift_logging_namespace}}    check_mode: no -  become: no    when: not elasticsearch_jks.stat.exists or not logging_es_jks.stat.exists or not system_admin_jks.stat.exists or not truststore_jks.stat.exists  - name: Pushing locally generated JKS certs to remote host... diff --git a/roles/openshift_logging/tasks/main.yaml b/roles/openshift_logging/tasks/main.yaml index 9949bb95d..60cc399fa 100644 --- a/roles/openshift_logging/tasks/main.yaml +++ b/roles/openshift_logging/tasks/main.yaml 
@@ -17,7 +17,11 @@    register: local_tmp    changed_when: False    check_mode: no -  become: no + +- name: Chmod local temp directory for doing work in +  local_action: command chmod 777 "{{ local_tmp.stdout }}" +  changed_when: False +  check_mode: no  - include_tasks: install_logging.yaml    when: @@ -31,4 +35,3 @@    local_action: file path="{{local_tmp.stdout}}" state=absent    tags: logging_cleanup    changed_when: False -  become: no diff --git a/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml b/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml index c53a06019..c55e7c5ea 100644 --- a/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/determine_version.yaml @@ -15,3 +15,5 @@  - fail:      msg: Invalid version specified for Elasticsearch    when: es_version not in __allowed_es_versions + +- include_tasks: get_es_version.yml diff --git a/roles/openshift_logging_elasticsearch/tasks/get_es_version.yml b/roles/openshift_logging_elasticsearch/tasks/get_es_version.yml new file mode 100644 index 000000000..9182bddb2 --- /dev/null +++ b/roles/openshift_logging_elasticsearch/tasks/get_es_version.yml 
@@ -0,0 +1,42 @@ +--- +- command: > +    oc get pod -l component=es,provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name} +  register: _cluster_pods + +- name: "Getting ES version for logging-es cluster" +  command: > +    oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XGET 'https://localhost:9200/' +  register: _curl_output +  when: _cluster_pods.stdout_lines | count > 0 + +- command: > +    oc get pod -l component=es-ops,provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name} +  register: _ops_cluster_pods + +- name: "Getting ES version for logging-es-ops cluster" +  command: > +    oc exec {{ _ops_cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XGET 'https://localhost:9200/' +  register: _ops_curl_output +  when: _ops_cluster_pods.stdout_lines | count > 0 + +- set_fact: +    _es_output: "{{ _curl_output.stdout | from_json }}" +  when: _curl_output.stdout is defined + +- set_fact: +    _es_ops_output: "{{ _ops_curl_output.stdout | from_json }}" +  when: _ops_curl_output.stdout is defined + +- set_fact: +    _es_installed_version: "{{ _es_output.version.number }}" +  when: +    - _es_output is defined +    - _es_output.version is defined +    - _es_output.version.number is defined + +- set_fact: +    _es_ops_installed_version: "{{ _es_ops_output.version.number }}" +  when: +    - _es_ops_output is defined +    - _es_ops_output.version is defined +    - _es_ops_output.version.number is defined diff --git a/roles/openshift_logging_elasticsearch/tasks/main.yaml b/roles/openshift_logging_elasticsearch/tasks/main.yaml index bf3b743af..ff5ad1045 100644 --- a/roles/openshift_logging_elasticsearch/tasks/main.yaml +++ b/roles/openshift_logging_elasticsearch/tasks/main.yaml 
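Review bot: The four `command` tasks added in get_es_version.yml only read state (`oc get pod` and `oc exec … -XGET`) but carry no `changed_when: false`, so every run reports them as changed, and the two `oc get pod` tasks have no `name`. Add `changed_when: false` to each and name the lookups, e.g. `- name: Get pods for the logging-es cluster`. The `from_json` in the two `set_fact` tasks is guarded only by `stdout is defined`, so an empty or non-JSON reply would presumably fail the play there rather than leave `_es_installed_version` unset. Extending the condition with `_curl_output.stdout | length > 0` (and the same for `_ops_curl_output`) covers the empty case.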
@@ -32,6 +32,18 @@  - include_tasks: determine_version.yaml +- set_fact: +    full_restart_cluster: True +  when: +    - _es_installed_version is defined +    - _es_installed_version.split('.')[0] | int < __es_version.split('.')[0] | int + +- set_fact: +    full_restart_cluster: True +  when: +    - _es_ops_installed_version is defined +    - _es_ops_installed_version.split('.')[0] | int < __es_version.split('.')[0] | int +  # allow passing in a tempdir  - name: Create temp directory for doing work in    command: mktemp -d /tmp/openshift-logging-ansible-XXXXXX diff --git a/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml b/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml index 4a32453e3..d55beec86 100644 --- a/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml +++ b/roles/openshift_logging_elasticsearch/tasks/restart_cluster.yml @@ -1,4 +1,22 @@  --- +# Disable external communication for {{ _cluster_component }} +- name: Disable external communication for logging-{{ _cluster_component }} +  oc_service: +    state: present +    name: "logging-{{ _cluster_component }}" +    namespace: "{{ openshift_logging_elasticsearch_namespace }}" +    selector: +      component: "{{ _cluster_component }}" +      provider: openshift +      connection: blocked +    labels: +      logging-infra: 'support' +    ports: +      - port: 9200 +        targetPort: "restapi" +  when: +    - full_restart_cluster | bool +  ## get all pods for the cluster  - command: >      oc get pod -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name} 
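Review bot: The `Disable external communication` task added at the top of restart_cluster.yml switches the `logging-{{ _cluster_component }}` Service to a selector that includes `connection: blocked`, and the only task that restores the normal selector is `Reenable external communication`, appended at the end of the file in the last hunk. If any task in between fails during a full restart, for instance a node restart that exhausts its retries, the play stops with the Service still on the blocked selector and Elasticsearch stays unreachable through it until someone repairs the Service by hand. Put the restart steps in a `block:` and move the re-enable task under `always:` so the selector is restored on failure as well. The comment `# Disable external communication for {{ _cluster_component }}` is never templated, so plain wording would read better there.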
@@ -11,17 +29,38 @@    changed_when: "'\"acknowledged\":true' in _disable_output.stdout"    when: _cluster_pods.stdout_lines | count > 0 +# Flush ES +- name: "Flushing for logging-{{ _cluster_component }} cluster" +  command: > +    oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_flush/synced' +  register: _flush_output +  changed_when: "'\"acknowledged\":true' in _flush_output.stdout" +  when: +    - _cluster_pods.stdout_lines | count > 0 +    - full_restart_cluster | bool +  - command: >      oc get dc -l component={{ _cluster_component }},provider=openshift -n {{ openshift_logging_elasticsearch_namespace }} -o jsonpath={.items[*].metadata.name}    register: _cluster_dcs +## restart all dcs for full restart +- name: "Restart ES node {{ _es_node }}" +  include_tasks: restart_es_node.yml +  with_items: "{{ _cluster_dcs }}" +  loop_control: +    loop_var: _es_node +  when: +    - full_restart_cluster | bool +  ## restart the node if it's dc is in the list of nodes to restart?  - name: "Restart ES node {{ _es_node }}"    include_tasks: restart_es_node.yml    with_items: "{{ _restart_logging_nodes }}"    loop_control:      loop_var: _es_node -  when: _es_node in _cluster_dcs.stdout +  when: +    - not full_restart_cluster | bool +    - _es_node in _cluster_dcs.stdout  ## we may need a new first pod to run against -- fetch them all again  - command: 
> @@ -33,3 +72,20 @@      oc exec {{ _cluster_pods.stdout.split(' ')[0] }} -c elasticsearch -n {{ openshift_logging_elasticsearch_namespace }} -- {{ __es_local_curl }} -XPUT 'https://localhost:9200/_cluster/settings' -d '{ "transient": { "cluster.routing.allocation.enable" : "all" } }'    register: _enable_output    changed_when: "'\"acknowledged\":true' in _enable_output.stdout" + +# Reenable external communication for {{ _cluster_component }} +- name: Reenable external communication for logging-{{ _cluster_component }} +  oc_service: +    state: present +    name: "logging-{{ _cluster_component }}" +    namespace: "{{ openshift_logging_elasticsearch_namespace }}" +    selector: +      component: "{{ _cluster_component }}" +      provider: openshift +    labels: +      logging-infra: 'support' +    ports: +      - port: 9200 +        targetPort: "restapi" +  when: +    - full_restart_cluster | bool diff --git a/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml b/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml index b07b232ce..6d0df40c8 100644 --- a/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml +++ b/roles/openshift_logging_elasticsearch/tasks/restart_es_node.yml @@ -14,6 +14,8 @@      - _dc_output.results.results[0].status is defined      - _dc_output.results.results[0].status.readyReplicas is defined      - _dc_output.results.results[0].status.readyReplicas > 0 +    - _dc_output.results.results[0].status.updatedReplicas is defined +    - _dc_output.results.results[0].status.updatedReplicas > 0    retries: 60    delay: 30 diff --git a/roles/openshift_logging_elasticsearch/vars/main.yml b/roles/openshift_logging_elasticsearch/vars/main.yml index 0e56a6eac..ef259cd3a 100644 --- a/roles/openshift_logging_elasticsearch/vars/main.yml +++ b/roles/openshift_logging_elasticsearch/vars/main.yml 
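Review bot: In the second restart_cluster.yml hunk, the new full-restart task uses `with_items: "{{ _cluster_dcs }}"`, which is the registered result of the `oc get dc` command, not the list of DC names in its output. The task right below it tests `_es_node in _cluster_dcs.stdout`, so the names live in `.stdout`, and `_es_node` here would presumably be the whole result mapping handed to restart_es_node.yml. Use `with_items: "{{ _cluster_dcs.stdout.split(' ') }}"`, the same split already applied to `_cluster_pods.stdout`. The `changed_when` on the new flush task looks for `"acknowledged":true`; check that the `_flush/synced` reply actually contains that field, otherwise the task never reports a change.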
@@ -4,6 +4,7 @@ __allowed_es_versions: ["3_5", "3_6", "3_7", "3_8"]  __allowed_es_types: ["data-master", "data-client", "master", "client"]  __es_log_appenders: ['file', 'console']  __kibana_index_modes: ["unique", "shared_ops"] +__es_version: "2.4.4"  __es_local_curl: "curl -s --cacert /etc/elasticsearch/secret/admin-ca --cert /etc/elasticsearch/secret/admin-cert --key /etc/elasticsearch/secret/admin-key" @@ -14,3 +15,4 @@ es_min_masters_default: "{{ (openshift_logging_elasticsearch_replica_count | int  es_min_masters: "{{ (openshift_logging_elasticsearch_replica_count == 1) | ternary(1, es_min_masters_default) }}"  es_recover_after_nodes: "{{ openshift_logging_elasticsearch_replica_count | int }}"  es_recover_expected_nodes: "{{ openshift_logging_elasticsearch_replica_count | int }}" +full_restart_cluster: False diff --git a/roles/openshift_logging_fluentd/tasks/label_and_wait.yaml b/roles/openshift_logging_fluentd/tasks/label_and_wait.yaml index 1cef6c25e..2721438f0 100644 --- a/roles/openshift_logging_fluentd/tasks/label_and_wait.yaml +++ b/roles/openshift_logging_fluentd/tasks/label_and_wait.yaml @@ -8,4 +8,3 @@  # wait half a second between labels  - local_action: command sleep {{ openshift_logging_fluentd_label_delay | default('.5') }} -  become: no diff --git a/roles/openshift_logging_mux/defaults/main.yml b/roles/openshift_logging_mux/defaults/main.yml index db6f23126..dbf4549c4 100644 --- a/roles/openshift_logging_mux/defaults/main.yml +++ b/roles/openshift_logging_mux/defaults/main.yml 
@@ -30,6 +30,7 @@ openshift_logging_mux_allow_external: False  openshift_logging_use_mux: "{{ openshift_logging_mux_allow_external | default(False) }}"  openshift_logging_mux_hostname: "{{ 'mux.' ~ openshift_master_default_subdomain }}"  openshift_logging_mux_port: 24284 +openshift_logging_mux_external_address: "{{ ansible_default_ipv4.address }}"  # the namespace to use for undefined projects should come first, followed by any  # additional namespaces to create by default - users will typically not need to set this  openshift_logging_mux_default_namespaces: ["mux-undefined"] diff --git a/roles/openshift_logging_mux/tasks/main.yaml b/roles/openshift_logging_mux/tasks/main.yaml index 34bdb891c..7eba3cda4 100644 --- a/roles/openshift_logging_mux/tasks/main.yaml +++ b/roles/openshift_logging_mux/tasks/main.yaml @@ -148,7 +148,7 @@          port: "{{ openshift_logging_mux_port }}"          targetPort: "mux-forward"      external_ips: -      - "{{ ansible_eth0.ipv4.address }}" +      - "{{ openshift_logging_mux_external_address }}"    when: openshift_logging_mux_allow_external | bool  - name: Set logging-mux service for internal communication diff --git a/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml index f72710832..7870f43e2 100644 --- a/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml +++ b/roles/openshift_master/tasks/upgrade/rpm_upgrade.yml 
@@ -12,11 +12,11 @@    package: name={{ master_pkgs | join(',') }} state=present    vars:      master_pkgs: -      - "{{ openshift_service_type }}{{ openshift_pkg_version }}" -      - "{{ openshift_service_type }}-master{{ openshift_pkg_version }}" -      - "{{ openshift_service_type }}-node{{ openshift_pkg_version }}" -      - "{{ openshift_service_type }}-sdn-ovs{{ openshift_pkg_version }}" -      - "{{ openshift_service_type }}-clients{{ openshift_pkg_version }}" -      - "tuned-profiles-{{ openshift_service_type }}-node{{ openshift_pkg_version }}" +      - "{{ openshift_service_type }}{{ openshift_pkg_version | default('') }}" +      - "{{ openshift_service_type }}-master{{ openshift_pkg_version | default('') }}" +      - "{{ openshift_service_type }}-node{{ openshift_pkg_version | default('') }}" +      - "{{ openshift_service_type }}-sdn-ovs{{ openshift_pkg_version | default('') }}" +      - "{{ openshift_service_type }}-clients{{ openshift_pkg_version | default('') }}" +      - "tuned-profiles-{{ openshift_service_type }}-node{{ openshift_pkg_version | default('') }}"    register: result    until: result is succeeded diff --git a/roles/openshift_master_certificates/tasks/main.yml b/roles/openshift_master_certificates/tasks/main.yml index 00cabe574..649a4bc5d 100644 --- a/roles/openshift_master_certificates/tasks/main.yml +++ b/roles/openshift_master_certificates/tasks/main.yml @@ -120,7 +120,11 @@    register: g_master_certs_mktemp    changed_when: False    when: master_certs_missing | bool -  become: no + +- name: Chmod local temp directory for syncing certs +  local_action: command chmod 777 "{{ g_master_certs_mktemp.stdout }}" +  changed_when: False +  when: master_certs_missing | bool  - name: Create a tarball of the master certs    command: 
> @@ -157,7 +161,6 @@    local_action: file path="{{ g_master_certs_mktemp.stdout }}" state=absent    changed_when: False    when: master_certs_missing | bool -  become: no  - name: Lookup default group for ansible_ssh_user    command: "/usr/bin/id -g {{ ansible_ssh_user | quote }}" diff --git a/roles/openshift_named_certificates/tasks/main.yml b/roles/openshift_named_certificates/tasks/main.yml index ad5472445..021fa8385 100644 --- a/roles/openshift_named_certificates/tasks/main.yml +++ b/roles/openshift_named_certificates/tasks/main.yml @@ -3,7 +3,6 @@      parsed_named_certificates: "{{ named_certificates | lib_utils_oo_parse_named_certificates(named_certs_dir, internal_hostnames) }}"    when: named_certificates | length > 0    delegate_to: localhost -  become: no    run_once: true  - openshift_facts: diff --git a/roles/openshift_node/tasks/install.yml b/roles/openshift_node/tasks/install.yml index 55738d759..a4a9c1237 100644 --- a/roles/openshift_node/tasks/install.yml +++ b/roles/openshift_node/tasks/install.yml 
@@ -1,28 +1,18 @@  --- -- when: not openshift_is_containerized | bool -  block: -  - name: Install Node package -    package: -      name: "{{ openshift_service_type }}-node{{ (openshift_pkg_version | default('')) | lib_utils_oo_image_tag_to_rpm_version(include_dash=True) }}" -      state: present -    register: result -    until: result is succeeded - -  - name: Install sdn-ovs package -    package: -      name: "{{ openshift_service_type }}-sdn-ovs{{ (openshift_pkg_version | default('')) | lib_utils_oo_image_tag_to_rpm_version(include_dash=True) }}" -      state: present -    when: -    - openshift_node_use_openshift_sdn | bool -    register: result -    until: result is succeeded - -  - name: Install conntrack-tools package -    package: -      name: "conntrack-tools" -      state: present -    register: result -    until: result is succeeded +- name: Install Node package, sdn-ovs, conntrack packages +  package: +    name: "{{ item.name }}" +    state: present +  register: result +  until: result is succeeded +  with_items: +  - name: "{{ openshift_service_type }}-node{{ (openshift_pkg_version | default('')) | lib_utils_oo_image_tag_to_rpm_version(include_dash=True) }}" +  - name: "{{ openshift_service_type }}-sdn-ovs{{ (openshift_pkg_version | default('')) | lib_utils_oo_image_tag_to_rpm_version(include_dash=True) }}" +    install: "{{ openshift_node_use_openshift_sdn | bool }}" +  - name: "conntrack-tools" +  when: +  - not openshift_is_containerized | bool +  - item['install'] | default(True) | bool  - when:    - openshift_is_containerized | bool diff --git a/roles/openshift_node/tasks/upgrade/config_changes.yml b/roles/openshift_node/tasks/upgrade/config_changes.yml index 210d174c2..721656117 100644 --- a/roles/openshift_node/tasks/upgrade/config_changes.yml +++ b/roles/openshift_node/tasks/upgrade/config_changes.yml 
@@ -1,7 +1,7 @@  ---  - name: Update systemd units    include_tasks: ../systemd_units.yml -  when: openshift_is_containerized +  when: openshift_is_containerized | bool  - name: Update oreg value    yedit: diff --git a/roles/openshift_node/tasks/upgrade/containerized_upgrade_pull.yml b/roles/openshift_node/tasks/upgrade/containerized_upgrade_pull.yml index 0a14e5174..e5477f389 100644 --- a/roles/openshift_node/tasks/upgrade/containerized_upgrade_pull.yml +++ b/roles/openshift_node/tasks/upgrade/containerized_upgrade_pull.yml @@ -10,6 +10,6 @@      docker pull {{ osn_ovs_image }}:{{ openshift_image_tag }}    register: pull_result    changed_when: "'Downloaded newer image' in pull_result.stdout" -  when: openshift_use_openshift_sdn | bool +  when: openshift_node_use_openshift_sdn | bool  - include_tasks: ../container_images.yml diff --git a/roles/openshift_node/tasks/upgrade/rpm_upgrade.yml b/roles/openshift_node/tasks/upgrade/rpm_upgrade.yml index 91a358095..d4b47bb9e 100644 --- a/roles/openshift_node/tasks/upgrade/rpm_upgrade.yml +++ b/roles/openshift_node/tasks/upgrade/rpm_upgrade.yml @@ -12,7 +12,7 @@    until: result is succeeded    vars:      openshift_node_upgrade_rpm_list: -      - "{{ openshift_service_type }}-node{{ openshift_pkg_version }}" +      - "{{ openshift_service_type }}-node{{ openshift_pkg_version | default('') }}"        - "PyYAML"        - "dnsmasq" diff --git a/roles/openshift_node/tasks/upgrade/rpm_upgrade_install.yml b/roles/openshift_node/tasks/upgrade/rpm_upgrade_install.yml index c9094e05a..ef5d8d662 100644 --- a/roles/openshift_node/tasks/upgrade/rpm_upgrade_install.yml +++ b/roles/openshift_node/tasks/upgrade/rpm_upgrade_install.yml @@ -14,6 +14,6 @@    until: result is succeeded    vars:      openshift_node_upgrade_rpm_list: -      - "{{ openshift_service_type }}-node{{ openshift_pkg_version }}" +      - "{{ openshift_service_type }}-node{{ openshift_pkg_version | default('') }}"        - "PyYAML"        - "openvswitch" 
diff --git a/roles/openshift_storage_nfs_lvm/README.md b/roles/openshift_storage_nfs_lvm/README.md index cc674d3fd..a11219f6d 100644 --- a/roles/openshift_storage_nfs_lvm/README.md +++ b/roles/openshift_storage_nfs_lvm/README.md @@ -1,7 +1,7 @@  # openshift_storage_nfs_lvm  This role is useful to create and export nfs disks for openshift persistent volumes. -It does so by creating lvm partitions on an already setup pv/vg, creating xfs  +It does so by creating lvm partitions on an already setup pv/vg, creating xfs  filesystem on each partition, mounting the partitions, exporting the mounts via NFS  and creating a json file for each mount that an openshift master can use to  create persistent volumes. @@ -20,7 +20,7 @@ create persistent volumes.  osnl_nfs_export_options: "*(rw,sync,all_squash)"  # Directory, where the created partitions should be mounted. They will be -# mounted as <osnl_mount_dir>/<lvm volume name>  +# mounted as <osnl_mount_dir>/<lvm volume name>  osnl_mount_dir: /exports/openshift  # Volume Group to use. @@ -64,11 +64,10 @@ None  ## Example Playbook  With this playbook, 2 5Gig lvm partitions are created, named stg5g0003 and stg5g0004 -Both of them are mounted into `/exports/openshift` directory.  Both directories are  +Both of them are mounted into `/exports/openshift` directory.  Both directories are  exported via NFS.  json files are created in /root.      - hosts: nfsservers -      become: no        remote_user: root        gather_facts: no        roles: @@ -94,7 +93,6 @@ exported via NFS.  json files are created in /root.  * Create an ansible playbook, say `setupnfs.yaml`:      ```      - hosts: nfsservers -      become: no        remote_user: root        gather_facts: no        roles: diff --git a/roles/openshift_version/defaults/main.yml b/roles/openshift_version/defaults/main.yml index 354699637..e2e6538c9 100644 --- a/roles/openshift_version/defaults/main.yml +++ b/roles/openshift_version/defaults/main.yml 
@@ -8,3 +8,5 @@ openshift_service_type_dict:  openshift_service_type: "{{ openshift_service_type_dict[openshift_deployment_type] }}"  openshift_use_crio_only: False + +l_first_master_version_task_file: "{{ openshift_is_containerized | ternary('first_master_containerized_version.yml', 'first_master_rpm_version.yml') }}" diff --git a/roles/openshift_version/tasks/check_available_rpms.yml b/roles/openshift_version/tasks/check_available_rpms.yml new file mode 100644 index 000000000..bdbc63d27 --- /dev/null +++ b/roles/openshift_version/tasks/check_available_rpms.yml @@ -0,0 +1,10 @@ +--- +- name: Get available {{ openshift_service_type}} version +  repoquery: +    name: "{{ openshift_service_type}}" +    ignore_excluders: true +  register: rpm_results + +- fail: +    msg: "Package {{ openshift_service_type}} not found" +  when: not rpm_results.results.package_found diff --git a/roles/openshift_version/tasks/first_master.yml b/roles/openshift_version/tasks/first_master.yml new file mode 100644 index 000000000..374725086 --- /dev/null +++ b/roles/openshift_version/tasks/first_master.yml 
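Review bot: `l_first_master_version_task_file` in roles/openshift_version/defaults/main.yml passes `openshift_is_containerized` to `ternary` without `| bool`. If the inventory supplies it as a string such as `false`, the non-empty string counts as true and the containerized task file is included on an RPM install. The same commit adds the cast for `openshift_client_binary` and `etcd_is_containerized`, so write `"{{ (openshift_is_containerized | bool) | ternary('first_master_containerized_version.yml', 'first_master_rpm_version.yml') }}"` here too. The hunks for first_master_containerized_version.yml go the other way and drop the cast from `not openshift_use_crio_only | bool`, leaving `- not openshift_use_crio_only`; with a string value that condition is always false and the version-detection tasks are skipped. Keep `- not openshift_use_crio_only | bool` in all four conditions unless the variable is guaranteed to be a real boolean by then.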
@@ -0,0 +1,30 @@ +--- +# Determine the openshift_version to configure if none has been specified or set previously. + +# Protect the installed version by default unless explicitly told not to, or given an +# openshift_version already. +- name: Use openshift.common.version fact as version to configure if already installed +  set_fact: +    openshift_version: "{{ openshift.common.version }}" +  when: +  - openshift.common.version is defined +  - openshift_version is not defined or openshift_version == "" +  - openshift_protect_installed_version | bool + +- include_tasks: "{{ l_first_master_version_task_file }}" + +- block: +  - debug: +      msg: "openshift_pkg_version was not defined. Falling back to -{{ openshift_version }}" +  - set_fact: +      openshift_pkg_version: -{{ openshift_version }} +  when: +  - openshift_pkg_version is not defined +  - openshift_upgrade_target is not defined + +- block: +  - debug: +      msg: "openshift_image_tag was not defined. Falling back to v{{ openshift_version }}" +  - set_fact: +      openshift_image_tag: v{{ openshift_version }} +  when: openshift_image_tag is not defined diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/first_master_containerized_version.yml index a808f050e..e02a75eab 100644 --- a/roles/openshift_version/tasks/set_version_containerized.yml +++ b/roles/openshift_version/tasks/first_master_containerized_version.yml @@ -21,7 +21,7 @@    register: cli_image_version    when:    - openshift_version is not defined -  - not openshift_use_crio_only | bool +  - not openshift_use_crio_only  # Origin latest = pre-release version (i.e. v1.3.0-alpha.1-321-gb095e3a)  - set_fact: 
@@ -30,7 +30,7 @@    - openshift_version is not defined    - openshift.common.deployment_type == 'origin'    - cli_image_version.stdout_lines[0].split('-') | length > 1 -  - not openshift_use_crio_only | bool +  - not openshift_use_crio_only  - set_fact:      openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}" @@ -45,14 +45,14 @@    when:    - openshift_version is defined    - openshift_version.split('.') | length == 2 -  - not openshift_use_crio_only | bool +  - not openshift_use_crio_only  - set_fact:      openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2][1:] | join('-') if openshift.common.deployment_type == 'origin' else cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}"    when:    - openshift_version is defined    - openshift_version.split('.') | length == 2 -  - not openshift_use_crio_only | bool +  - not openshift_use_crio_only  # TODO: figure out a way to check for the openshift_version when using CRI-O.  # We should do that using the images in the ostree storage so we don't have diff --git a/roles/openshift_version/tasks/first_master_rpm_version.yml b/roles/openshift_version/tasks/first_master_rpm_version.yml new file mode 100644 index 000000000..264baca65 --- /dev/null +++ b/roles/openshift_version/tasks/first_master_rpm_version.yml 
@@ -0,0 +1,16 @@
+---
+- name: Set rpm version to configure if openshift_pkg_version specified
+  set_fact:
+    # Expects a leading "-" in inventory, strip it off here, and remove trailing release,
+    openshift_version: "{{ openshift_pkg_version[1:].split('-')[0] }}"
+  when:
+  - openshift_pkg_version is defined
+  - openshift_version is not defined
+
+# These tasks should only be run against masters and nodes
+- name: Set openshift_version for rpm installation
+  include_tasks: check_available_rpms.yml
+
+- set_fact:
+    openshift_version: "{{ rpm_results.results.versions.available_versions.0 }}"
+  when: openshift_version is not defined
diff --git a/roles/openshift_version/tasks/main.yml b/roles/openshift_version/tasks/main.yml
index 97e58ffac..b42794858 100644
--- a/roles/openshift_version/tasks/main.yml
+++ b/roles/openshift_version/tasks/main.yml
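Review bot: The final `set_fact` reads `rpm_results.results.versions.available_versions.0` without the `| default('0.0', True)` that the deleted set_version_rpm.yml applied, and the 'No OpenShift version available' abort keyed on `'0.0'` is removed from main.yml in the same commit. If repoquery can report the package as found while returning an empty version list (not determinable from this diff), the play now stops on an undefined-variable error instead of pointing the operator at registration and repositories. A `fail` task with `when: rpm_results.results.versions.available_versions | length == 0` before the assignment would keep the diagnostic. check_available_rpms.yml is also included unconditionally here, so the repository query runs even when `openshift_version` was already derived from `openshift_pkg_version`; in the deleted file it sat inside a block guarded by `openshift_version is not defined`.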
@@ -1,206 +1,2 @@  --- -# Determine the openshift_version to configure if none has been specified or set previously. - -# Block attempts to install origin without specifying some kind of version information. -# This is because the latest tags for origin are usually alpha builds, which should not -# be used by default. Users must indicate what they want. -- name: Abort when we cannot safely guess what Origin image version the user wanted -  fail: -    msg: |- -      To install a containerized Origin release, you must set openshift_release or -      openshift_image_tag in your inventory to specify which version of the OpenShift -      component images to use. You may want the latest (usually alpha) releases or -      a more stable release. (Suggestion: add openshift_release="x.y" to inventory.) -  when: -  - openshift_is_containerized | bool -  - openshift.common.deployment_type == 'origin' -  - openshift_release is not defined -  - openshift_image_tag is not defined - -# Normalize some values that we need in a certain format that might be confusing: -- set_fact: -    openshift_release: "{{ openshift_release[1:] }}" -  when: -  - openshift_release is defined -  - openshift_release[0] == 'v' - -- set_fact: -    openshift_release: "{{ openshift_release | string }}" -  when: -  - openshift_release is defined - -# Verify that the image tag is in a valid format -- when: -  - openshift_image_tag is defined -  - openshift_image_tag != "latest" -  block: - -  # Verifies that when the deployment type is origin the version: -  # - starts with a v -  # - Has 3 integers seperated by dots -  # It also allows for optional trailing data which: -  # - must start with a dash -  # - may contain numbers, letters, dashes and dots. 
-  - name: (Origin) Verify openshift_image_tag is valid -    when: openshift.common.deployment_type == 'origin' -    assert: -      that: -      - "{{ openshift_image_tag is match('(^v?\\d+\\.\\d+\\.\\d+(-[\\w\\-\\.]*)?$)') }}" -      msg: |- -        openshift_image_tag must be in the format v#.#.#[-optional.#]. Examples: v1.2.3, v3.5.1-alpha.1 -        You specified openshift_image_tag={{ openshift_image_tag }} - -  # Verifies that when the deployment type is openshift-enterprise the version: -  # - starts with a v -  # - Has at least 2 integers seperated by dots -  # It also allows for optional trailing data which: -  # - must start with a dash -  # - may contain numbers -  # - may containe dots (https://github.com/openshift/openshift-ansible/issues/5192) -  # -  - name: (Enterprise) Verify openshift_image_tag is valid -    when: openshift.common.deployment_type == 'openshift-enterprise' -    assert: -      that: -      - "{{ openshift_image_tag is match('(^v\\d+\\.\\d+(\\.\\d+)*(-\\d+(\\.\\d+)*)?$)') }}" -      msg: |- -        openshift_image_tag must be in the format v#.#[.#[.#]]. Examples: v1.2, v3.4.1, v3.5.1.3, -        v3.5.1.3.4, v1.2-1, v1.2.3-4, v1.2.3-4.5, v1.2.3-4.5.6 -        You specified openshift_image_tag={{ openshift_image_tag }} - -# Make sure we copy this to a fact if given a var: -- set_fact: -    openshift_version: "{{ openshift_version | string }}" -  when: openshift_version is defined - -# Protect the installed version by default unless explicitly told not to, or given an -# openshift_version already. 
-- name: Use openshift.common.version fact as version to configure if already installed -  set_fact: -    openshift_version: "{{ openshift.common.version }}" -  when: -  - openshift.common.version is defined -  - openshift_version is not defined or openshift_version == "" -  - openshift_protect_installed_version | bool - -# The rest of these tasks should only execute on -# masters and nodes as we can verify they have subscriptions -- when: -  - inventory_hostname in groups['oo_masters_to_config'] or inventory_hostname in groups['oo_nodes_to_config'] -  block: -  - name: Set openshift_version for rpm installation -    include_tasks: set_version_rpm.yml -    when: not openshift_is_containerized | bool - -  - name: Set openshift_version for containerized installation -    include_tasks: set_version_containerized.yml -    when: openshift_is_containerized | bool - -  - block: -    - name: Get available {{ openshift_service_type}} version -      repoquery: -        name: "{{ openshift_service_type}}" -        ignore_excluders: true -      register: rpm_results -    - fail: -        msg: "Package {{ openshift_service_type}} not found" -      when: not rpm_results.results.package_found -    - set_fact: -        openshift_rpm_version: "{{ rpm_results.results.versions.available_versions.0 | default('0.0', True) }}" -    - name: Fail if rpm version and docker image version are different -      fail: -        msg: "OCP rpm version {{ openshift_rpm_version }} is different from OCP image version {{ openshift_version }}" -      # Both versions have the same string representation -      when: -      - openshift_rpm_version != openshift_version -      # if openshift_pkg_version or openshift_image_tag is defined, user gives a permission the rpm and docker image versions can differ -      - openshift_pkg_version is not defined -      - openshift_image_tag is not defined -    when: -    - openshift_is_containerized | bool -    - not openshift_is_atomic | bool - -  # Warn if the user 
has provided an openshift_image_tag but is not doing a containerized install -  # NOTE: This will need to be modified/removed for future container + rpm installations work. -  - name: Warn if openshift_image_tag is defined when not doing a containerized install -    debug: -      msg: > -        openshift_image_tag is used for containerized installs. If you are trying to -        specify an image for a non-container install see oreg_url or oreg_url_master or oreg_url_node. -    when: -    - not openshift_is_containerized | bool -    - openshift_image_tag is defined - -  # At this point we know openshift_version is set appropriately. Now we set -  # openshift_image_tag and openshift_pkg_version, so all roles can always assume -  # each of this variables *will* be set correctly and can use them per their -  # intended purpose. - -  - block: -    - debug: -        msg: "openshift_image_tag was not defined. Falling back to v{{ openshift_version }}" - -    - set_fact: -        openshift_image_tag: v{{ openshift_version }} - -    when: openshift_image_tag is not defined - -  - block: -    - debug: -        msg: "openshift_pkg_version was not defined. 
Falling back to -{{ openshift_version }}" - -    - set_fact: -        openshift_pkg_version: -{{ openshift_version }} - -    when: -    - openshift_pkg_version is not defined -    - openshift_upgrade_target is not defined - -  - fail: -      msg: openshift_version role was unable to set openshift_version -    name: Abort if openshift_version was not set -    when: openshift_version is not defined - -  - fail: -      msg: openshift_version role was unable to set openshift_image_tag -    name: Abort if openshift_image_tag was not set -    when: openshift_image_tag is not defined - -  - fail: -      msg: openshift_version role was unable to set openshift_pkg_version -    name: Abort if openshift_pkg_version was not set -    when: -    - openshift_pkg_version is not defined -    - openshift_upgrade_target is not defined - - -  - fail: -      msg: "No OpenShift version available; please ensure your systems are fully registered and have access to appropriate yum repositories." -    name: Abort if openshift_pkg_version was not set -    when: -    - not openshift_is_containerized | bool -    - openshift_version == '0.0' - -  # We can't map an openshift_release to full rpm version like we can with containers; make sure -  # the rpm version we looked up matches the release requested and error out if not. -  - name: For an RPM install, abort when the release requested does not match the available version. -    when: -    - not openshift_is_containerized | bool -    - openshift_release is defined -    assert: -      that: -      - openshift_version.startswith(openshift_release) | bool -      msg: |- -        You requested openshift_release {{ openshift_release }}, which is not matched by -        the latest OpenShift RPM we detected as {{ openshift_service_type }}-{{ openshift_version }} -        on host {{ inventory_hostname }}. -        We will only install the latest RPMs, so please ensure you are getting the release -        you expect. 
You may need to adjust your Ansible inventory, modify the repositories -        available on the host, or run the appropriate OpenShift upgrade playbook. - -  # The end result of these three variables is quite important so make sure they are displayed and logged: -  - debug: var=openshift_release - -  - debug: var=openshift_image_tag - -  - debug: var=openshift_pkg_version +# This role is meant to be used with include_role. diff --git a/roles/openshift_version/tasks/masters_and_nodes.yml b/roles/openshift_version/tasks/masters_and_nodes.yml new file mode 100644 index 000000000..fbeb22d8b --- /dev/null +++ b/roles/openshift_version/tasks/masters_and_nodes.yml 
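Review bot: With tasks/main.yml reduced to `---` and this comment, any playbook that still pulls the role in through `roles:` or a bare `include_role` runs nothing and reports success. The deleted body also held the `openshift_image_tag` format asserts, the `openshift_release` normalisation and the 'Abort if … was not set' guards, and none of the task files added in the visible part of this diff reinstates them; if they moved elsewhere in the commit, the comment should say where. I would spell out the contract, presumably along the lines of `# Intentionally empty: use include_role with tasks_from (first_master.yml or masters_and_nodes.yml).`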
@@ -0,0 +1,39 @@
+---
+# These tasks should only be run against masters and nodes
+
+- block:
+  - name: Check openshift_version for rpm installation
+    include_tasks: check_available_rpms.yml
+  - name: Fail if rpm version and docker image version are different
+    fail:
+      msg: "OCP rpm version {{ openshift_rpm_version }} is different from OCP image version {{ openshift_version }}"
+    # Both versions have the same string representation
+    when: rpm_results.results.versions.available_versions.0 != openshift_version
+  # block when
+  when: not openshift_is_atomic | bool
+
+# We can't map an openshift_release to full rpm version like we can with containers; make sure
+# the rpm version we looked up matches the release requested and error out if not.
+- name: For an RPM install, abort when the release requested does not match the available version.
+  when:
+  - not openshift_is_containerized | bool
+  - openshift_release is defined
+  assert:
+    that:
+    - l_rpm_version.startswith(openshift_release) | bool
+    msg: |-
+      You requested openshift_release {{ openshift_release }}, which is not matched by
+      the latest OpenShift RPM we detected as {{ openshift_service_type }}-{{ l_rpm_version }}
+      on host {{ inventory_hostname }}.
+      We will only install the latest RPMs, so please ensure you are getting the release
+      you expect. You may need to adjust your Ansible inventory, modify the repositories
+      available on the host, or run the appropriate OpenShift upgrade playbook.
+  vars:
+    l_rpm_version: "{{ rpm_results.results.versions.available_versions.0 }}"
+
+# The end result of these three variables is quite important so make sure they are displayed and logged:
+- debug: var=openshift_release
+
+- debug: var=openshift_image_tag
+
+- debug: var=openshift_pkg_version
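Review bot: The `fail` message in the first block still interpolates `openshift_rpm_version`, but the `set_fact` that defined it is deleted from main.yml in this commit and nothing in the visible diff sets it again. When the versions differ, the task would therefore stop on an undefined-variable templating error rather than printing the mismatch. Using the value the `when` already compares fixes it: `msg: "OCP rpm version {{ rpm_results.results.versions.available_versions.0 }} is different from OCP image version {{ openshift_version }}"`. The block's guard also shrank to `not openshift_is_atomic | bool`, so the comparison now runs on RPM installs and no longer honours a user-set `openshift_pkg_version` or `openshift_image_tag`; worth confirming that is intended.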
diff --git a/roles/openshift_version/tasks/set_version_rpm.yml b/roles/openshift_version/tasks/set_version_rpm.yml deleted file mode 100644 index c7ca5ceae..000000000 --- a/roles/openshift_version/tasks/set_version_rpm.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -- name: Set rpm version to configure if openshift_pkg_version specified -  set_fact: -    # Expects a leading "-" in inventory, strip it off here, and remove trailing release, -    openshift_version: "{{ openshift_pkg_version[1:].split('-')[0] }}" -  when: -  - openshift_pkg_version is defined -  - openshift_version is not defined - -- block: -  - name: Get available {{ openshift_service_type}} version -    repoquery: -      name: "{{ openshift_service_type}}" -      ignore_excluders: true -    register: rpm_results - -  - fail: -      msg: "Package {{ openshift_service_type}} not found" -    when: not rpm_results.results.package_found - -  - set_fact: -      openshift_version: "{{ rpm_results.results.versions.available_versions.0 | default('0.0', True) }}" -  when: -  - openshift_version is not defined diff --git a/roles/openshift_web_console/tasks/install.yml b/roles/openshift_web_console/tasks/install.yml index 8120c13e3..8ee95e36b 100644 --- a/roles/openshift_web_console/tasks/install.yml +++ b/roles/openshift_web_console/tasks/install.yml @@ -23,7 +23,6 @@    command: mktemp -d /tmp/console-ansible-XXXXXX    register: mktemp    changed_when: False -  become: no  - name: Copy asset config template to temp directory    copy: @@ -76,4 +75,3 @@      state: absent      name: "{{ mktemp.stdout }}"    changed_when: False -  become: no diff --git a/roles/openshift_web_console/tasks/update_asset_config.yml b/roles/openshift_web_console/tasks/update_asset_config.yml index 36e37e35d..0992b32e1 100644 --- a/roles/openshift_web_console/tasks/update_asset_config.yml +++ b/roles/openshift_web_console/tasks/update_asset_config.yml 
@@ -30,7 +30,6 @@    command: mktemp -d /tmp/console-ansible-XXXXXX    register: mktemp    changed_when: False -  become: no  - name: Copy asset config to temp file    copy: @@ -55,7 +54,6 @@      state: absent      name: "{{ mktemp.stdout }}"    changed_when: False -  become: no  # There's currently no command to trigger a rollout for a k8s deployment  # without changing the pod spec. Add an annotation to force a rollout after diff --git a/roles/template_service_broker/tasks/install.yml b/roles/template_service_broker/tasks/install.yml index 765263db5..604e94602 100644 --- a/roles/template_service_broker/tasks/install.yml +++ b/roles/template_service_broker/tasks/install.yml @@ -21,7 +21,6 @@  - command: mktemp -d /tmp/tsb-ansible-XXXXXX    register: mktemp    changed_when: False -  become: no  - copy:      src: "{{ __tsb_files_location }}/{{ item }}" @@ -86,4 +85,3 @@      state: absent      name: "{{ mktemp.stdout }}"    changed_when: False -  become: no diff --git a/roles/template_service_broker/tasks/remove.yml b/roles/template_service_broker/tasks/remove.yml index 8b4d798db..db1b558e4 100644 --- a/roles/template_service_broker/tasks/remove.yml +++ b/roles/template_service_broker/tasks/remove.yml @@ -2,7 +2,6 @@  - command: mktemp -d /tmp/tsb-ansible-XXXXXX    register: mktemp    changed_when: False -  become: no  - copy:      src: "{{ __tsb_files_location }}/{{ item }}" @@ -32,4 +31,3 @@      state: absent      name: "{{ mktemp.stdout }}"    changed_when: False -  become: no | 
