Diffstat (limited to 'roles')
31 files changed, 343 insertions, 139 deletions
diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml
index 2ec62c37c..e0746d70d 100644
--- a/roles/etcd/defaults/main.yaml
+++ b/roles/etcd/defaults/main.yaml
@@ -1,5 +1,5 @@
 ---
-etcd_service: "{{ 'etcd' if not etcd_is_containerized | bool else 'etcd_container' }}"
+etcd_service: "{{ 'etcd' if openshift.common.is_etcd_system_container | bool or not etcd_is_containerized | bool else 'etcd_container' }}"
 etcd_client_port: 2379
 etcd_peer_port: 2380
 etcd_url_scheme: http
diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml
index 41f25be70..5f3ca461e 100644
--- a/roles/etcd/tasks/main.yml
+++ b/roles/etcd/tasks/main.yml
@@ -14,13 +14,17 @@
   command: docker pull {{ openshift.etcd.etcd_image }}
   register: pull_result
   changed_when: "'Downloaded newer image' in pull_result.stdout"
-  when: etcd_is_containerized | bool
+  when:
+  - etcd_is_containerized | bool
+  - not openshift.common.is_etcd_system_container | bool
 
 - name: Install etcd container service file
   template:
     dest: "/etc/systemd/system/etcd_container.service"
     src: etcd.docker.service
-  when: etcd_is_containerized | bool
+  when:
+  - etcd_is_containerized | bool
+  - not openshift.common.is_etcd_system_container | bool
 
 - name: Ensure etcd datadir exists when containerized
   file:
@@ -36,10 +40,22 @@      enabled: no      masked: yes      daemon_reload: yes -  when: etcd_is_containerized | bool +  when: +  - etcd_is_containerized | bool +  - not openshift.common.is_etcd_system_container | bool    register: task_result    failed_when: "task_result|failed and 'could not' not in task_result.msg|lower" +- name: Install etcd container service file +  template: +    dest: "/etc/systemd/system/etcd_container.service" +    src: etcd.docker.service +  when: etcd_is_containerized | bool and not openshift.common.is_etcd_system_container | bool + +- name: Install Etcd system container +  include: system_container.yml +  when: etcd_is_containerized | bool and openshift.common.is_etcd_system_container | bool +  - name: Validate permissions on the config dir    file:      path: "{{ etcd_conf_dir }}" @@ -54,7 +70,7 @@      dest: /etc/etcd/etcd.conf      backup: true    notify: -    - restart etcd +  - restart etcd  - name: Enable etcd    systemd: diff --git a/roles/etcd/tasks/system_container.yml b/roles/etcd/tasks/system_container.yml new file mode 100644 index 000000000..241180e2c --- /dev/null +++ b/roles/etcd/tasks/system_container.yml 
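Review bot: The `Install etcd container service file` task added right after `failed_when` duplicates a task with the same name, template and destination that already exists earlier in this file (the `@@ -14,13 +14,17 @@` hunk just rewrote that task's `when` into list form), so the unit file is templated twice per run under the same condition; drop the added copy and keep only the new `Install Etcd system container` include. For consistency with the list-form conditions used in the rest of the file, the include's guard could also be written as `when:` / `- etcd_is_containerized | bool` / `- openshift.common.is_etcd_system_container | bool`. The task whose `enabled`/`masked`/`daemon_reload` lines open this hunk starts before it.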
@@ -0,0 +1,63 @@
+---
+- name: Pull etcd system container
+  command: atomic pull --storage=ostree {{ openshift.etcd.etcd_image }}
+  register: pull_result
+  changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Check etcd system container package
+  command: >
+    atomic containers list --no-trunc -a -f container=etcd
+  register: result
+
+- name: Set initial Etcd cluster
+  set_fact:
+    etcd_initial_cluster: >
+      {% for host in etcd_peers | default([]) -%}
+      {% if loop.last -%}
+      {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }}
+      {%- else -%}
+      {{ hostvars[host].etcd_hostname }}={{ etcd_peer_url_scheme }}://{{ hostvars[host].etcd_ip }}:{{ etcd_peer_port }},
+      {%- endif -%}
+      {% endfor -%}
+
+- name: Update Etcd system container package
+  command: >
+    atomic containers update
+    --set ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
+    --set ETCD_NAME={{ etcd_hostname }}
+    --set ETCD_INITIAL_CLUSTER={{ etcd_initial_cluster | replace('\n', '') }}
+    --set ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
+    --set ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
+    --set ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
+    --set ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
+    --set ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
+    --set ETCD_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt
+    --set ETCD_CERT_FILE={{ etcd_system_container_conf_dir }}/server.crt
+    --set ETCD_KEY_FILE={{ etcd_system_container_conf_dir }}/server.key
+    --set ETCD_PEER_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt
+    --set ETCD_PEER_CERT_FILE={{ etcd_system_container_conf_dir }}/peer.crt
+    --set ETCD_PEER_KEY_FILE={{ etcd_system_container_conf_dir }}/peer.key
+    etcd
+  when:
+  - ("etcd" in result.stdout)
+
+- name: Install Etcd system container package
+  command: >
+    atomic install --system --name=etcd
+    --set ETCD_LISTEN_PEER_URLS={{ etcd_listen_peer_urls }}
+    --set ETCD_NAME={{ etcd_hostname }}
+    --set ETCD_INITIAL_CLUSTER={{ etcd_initial_cluster | replace('\n', '') }}
+    --set ETCD_LISTEN_CLIENT_URLS={{ etcd_listen_client_urls }}
+    --set ETCD_INITIAL_ADVERTISE_PEER_URLS={{ etcd_initial_advertise_peer_urls }}
+    --set ETCD_INITIAL_CLUSTER_STATE={{ etcd_initial_cluster_state }}
+    --set ETCD_INITIAL_CLUSTER_TOKEN={{ etcd_initial_cluster_token }}
+    --set ETCD_ADVERTISE_CLIENT_URLS={{ etcd_advertise_client_urls }}
+    --set ETCD_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt
+    --set ETCD_CERT_FILE={{ etcd_system_container_conf_dir }}/server.crt
+    --set ETCD_KEY_FILE={{ etcd_system_container_conf_dir }}/server.key
+    --set ETCD_PEER_CA_FILE={{ etcd_system_container_conf_dir }}/ca.crt
+    --set ETCD_PEER_CERT_FILE={{ etcd_system_container_conf_dir }}/peer.crt
+    --set ETCD_PEER_KEY_FILE={{ etcd_system_container_conf_dir }}/peer.key
+    {{ openshift.etcd.etcd_image }}
+  when:
+  - ("etcd" not in result.stdout)
diff --git a/roles/etcd_common/defaults/main.yml b/roles/etcd_common/defaults/main.yml
index 93633e3e6..2eb9af921 100644
--- a/roles/etcd_common/defaults/main.yml
+++ b/roles/etcd_common/defaults/main.yml
@@ -1,6 +1,7 @@
 ---
 # etcd server vars
-etcd_conf_dir: /etc/etcd
+etcd_conf_dir: "{{ '/etc/etcd' if not openshift.common.is_etcd_system_container else '/var/lib/etcd/etcd.etcd/etc'  }}"
+etcd_system_container_conf_dir: /var/lib/etcd/etc
 etcd_ca_file: "{{ etcd_conf_dir }}/ca.crt"
 etcd_cert_file: "{{ etcd_conf_dir }}/server.crt"
 etcd_key_file: "{{ etcd_conf_dir }}/server.key"
diff --git a/roles/lib_openshift/tasks/main.yml b/roles/lib_openshift/tasks/main.yml
index 157cf8f7f..2980c8a8d 100644
--- a/roles/lib_openshift/tasks/main.yml
+++ b/roles/lib_openshift/tasks/main.yml
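Review bot: `Update Etcd system container package` registers nothing and has no `changed_when`, so on a host that already has the container every run reports a change even when `atomic containers update` alters nothing; register the result and key `changed_when` on its output, as the master role does in its `Update Master system container package` task (`register: update_result` and `changed_when: "'Extracting' in update_result.stdout"`), once that output string is confirmed for the etcd image. The `("etcd" in result.stdout)` guard is a substring test over the whole listing, so presumably any other container whose listing line contains `etcd` would satisfy it too; matching the name column exactly would be safer. The fourteen `--set` arguments are repeated verbatim between the update and install tasks, so building them once with `set_fact` would keep the two from drifting.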
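Review bot: `etcd_conf_dir` tests `openshift.common.is_etcd_system_container` without `| bool`, unlike `etcd_cert_config_dir` in the `roles/openshift_etcd_facts/vars/main.yml` hunk and every other use of this fact in the commit; if the fact ever arrives as the string `"False"`, `not` of a non-empty string is false and the system-container path is chosen on an ordinary host. Suggested line: `etcd_conf_dir: "{{ '/etc/etcd' if not openshift.common.is_etcd_system_container | bool else '/var/lib/etcd/etcd.etcd/etc' }}"` (which also drops the double space before `}}`). `etcd_system_container_conf_dir` is `/var/lib/etcd/etc` while the system-container branch of `etcd_conf_dir` is `/var/lib/etcd/etcd.etcd/etc`; if these are meant to be the same directory one of them looks wrong, and a comment saying which side of the container each path is seen from would help.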
@@ -1,12 +1,5 @@
 ---
 - name: lib_openshift ensure python-ruamel-yaml package is on target
   package:
-    name: "{{ item }}"
+    name: python-ruamel-yaml
     state: present
-  with_items:
-  - ruamel.yaml
-  - ruamel.yaml
-  - ruamel.yaml
-  - ruamel.yaml
-  - ruamel.yaml
-  - ruamel.yaml
diff --git a/roles/openshift_etcd_facts/vars/main.yml b/roles/openshift_etcd_facts/vars/main.yml
index cae15d61a..82db36eba 100644
--- a/roles/openshift_etcd_facts/vars/main.yml
+++ b/roles/openshift_etcd_facts/vars/main.yml
@@ -5,6 +5,6 @@ etcd_hostname: "{{ openshift.common.hostname }}"
 etcd_ip: "{{ openshift.common.ip }}"
 etcd_cert_subdir: "etcd-{{ openshift.common.hostname }}"
 etcd_cert_prefix:
-etcd_cert_config_dir: /etc/etcd
+etcd_cert_config_dir: "{{ '/etc/etcd' if not openshift.common.is_etcd_system_container | bool else '/var/lib/etcd/etcd.etcd/etc' }}"
 etcd_peer_url_scheme: https
 etcd_url_scheme: https
diff --git a/roles/openshift_facts/defaults/main.yml b/roles/openshift_facts/defaults/main.yml
new file mode 100644
index 000000000..28b388560
--- /dev/null
+++ b/roles/openshift_facts/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+use_system_containers: false
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index ec2942b69..7a0642cce 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1785,11 +1785,14 @@ def set_container_facts_if_unset(facts):          facts['etcd']['etcd_image'] = etcd_image      if 'master' in facts and 'master_image' not in facts['master']:          facts['master']['master_image'] = master_image +        facts['master']['master_system_image'] = master_image      if 'node' in facts:          if 'node_image' not in facts['node']:              facts['node']['node_image'] = node_image +            facts['node']['node_system_image'] = node_image          if 'ovs_image' not in facts['node']:              facts['node']['ovs_image'] = ovs_image +            facts['node']['ovs_system_image'] = ovs_image      if safe_get_bool(facts['common']['is_containerized']):          facts['common']['admin_binary'] = '/usr/local/bin/oadm' diff --git a/roles/openshift_facts/tasks/main.yml b/roles/openshift_facts/tasks/main.yml index b7b521f1a..9a1982076 100644 --- a/roles/openshift_facts/tasks/main.yml +++ b/roles/openshift_facts/tasks/main.yml @@ -9,6 +9,10 @@      l_is_atomic: "{{ ostree_booted.stat.exists }}"  - set_fact:      l_is_containerized: "{{ (l_is_atomic | bool) or (containerized | default(false) | bool) }}" +    l_is_openvswitch_system_container: "{{ (use_openvswitch_system_container | default(use_system_containers) | bool) }}" +    l_is_node_system_container: "{{ (use_node_system_container | default(use_system_containers) | bool) }}" +    l_is_master_system_container: "{{ (use_master_system_container | default(use_system_containers) | bool) }}" +    l_is_etcd_system_container: "{{ (use_etcd_system_container | default(use_system_containers) | bool) }}"  - name: Ensure various deps are installed    package: name={{ item }} state=present 
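Review bot: `master_system_image` is only defaulted inside the `'master_image' not in facts['master']` branch, so an inventory that sets `master_image` but not `master_system_image` leaves the new key unset; `node_system_image` and `ovs_system_image` are coupled to `node_image` and `ovs_image` in the same way. Each `*_system_image` key should get its own membership check, as the existing `*_image` keys do. `set_container_facts_if_unset` starts before this hunk.
```python
    if 'master' in facts:
        if 'master_image' not in facts['master']:
            facts['master']['master_image'] = master_image
        if 'master_system_image' not in facts['master']:
            facts['master']['master_system_image'] = master_image
    if 'node' in facts:
        if 'node_image' not in facts['node']:
            facts['node']['node_image'] = node_image
        if 'node_system_image' not in facts['node']:
            facts['node']['node_system_image'] = node_image
        if 'ovs_image' not in facts['node']:
            facts['node']['ovs_image'] = ovs_image
        if 'ovs_system_image' not in facts['node']:
            facts['node']['ovs_system_image'] = ovs_image
    # … unchanged: is_containerized binary paths …
```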
@@ -27,6 +31,11 @@        hostname: "{{ openshift_hostname | default(None) }}"        ip: "{{ openshift_ip | default(None) }}"        is_containerized: "{{ l_is_containerized | default(None) }}" +      is_openvswitch_system_container: "{{ l_is_openvswitch_system_container | default(false) }}" +      is_node_system_container: "{{ l_is_node_system_container | default(false) }}" +      is_master_system_container: "{{ l_is_master_system_container | default(false) }}" +      is_etcd_system_container: "{{ l_is_etcd_system_container | default(false) }}" +      system_images_registry: "{{ system_images_registry | default('') }}"        public_hostname: "{{ openshift_public_hostname | default(None) }}"        public_ip: "{{ openshift_public_ip | default(None) }}"        portal_net: "{{ openshift_portal_net | default(openshift_master_portal_net) | default(None) }}" diff --git a/roles/openshift_logging/README.md b/roles/openshift_logging/README.md index 9394977c0..f7b2f7743 100644 --- a/roles/openshift_logging/README.md +++ b/roles/openshift_logging/README.md 
@@ -24,8 +24,8 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log  - `openshift_logging_image_prefix`: The prefix for the logging images to use. Defaults to 'docker.io/openshift/origin-'.  - `openshift_logging_image_version`: The image version for the logging images to use. Defaults to 'latest'.  - `openshift_logging_use_ops`: If 'True', set up a second ES and Kibana cluster for infrastructure logs. Defaults to 'False'. -- `master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.cluster.local'. -- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://localhost:8443'. +- `openshift_logging_master_url`: The URL for the Kubernetes master, this does not need to be public facing but should be accessible from within the cluster. Defaults to 'https://kubernetes.default.svc.{{openshift.common.dns_domain}}'. +- `openshift_logging_master_public_url`: The public facing URL for the Kubernetes master, this is used for Authentication redirection. Defaults to 'https://{{openshift.common.public_hostname}}:8443'.  - `openshift_logging_namespace`: The namespace that Aggregated Logging will be installed in. Defaults to 'logging'.  - `openshift_logging_curator_default_days`: The default minimum age (in days) Curator uses for deleting log records. Defaults to '30'.  - `openshift_logging_curator_run_hour`: The hour of the day that Curator will run at. Defaults to '0'. 
@@ -51,8 +51,8 @@ When both `openshift_logging_install_logging` and `openshift_logging_upgrade_log  - `openshift_logging_fluentd_cpu_limit`: The CPU limit for Fluentd pods. Defaults to '100m'.  - `openshift_logging_fluentd_memory_limit`: The memory limit for Fluentd pods. Defaults to '512Mi'.  - `openshift_logging_fluentd_es_copy`: Whether or not to use the ES_COPY feature for Fluentd (DEPRECATED). Defaults to 'False'. -- `openshift_logging_fluentd_use_journal`: Whether or not Fluentd should read log entries from Journal. Defaults to 'False'. NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver and may overwrite this value. -- `openshift_logging_fluentd_journal_read_from_head`: Whether or not Fluentd will try to read from the head of Journal when first starting up, using this may cause a delay in ES receiving current log records. Defaults to 'False'. +- `openshift_logging_fluentd_use_journal`: NOTE: Fluentd will attempt to detect whether or not Docker is using the journald log driver when using the default of empty. +- `openshift_logging_fluentd_journal_read_from_head`: If empty, Fluentd will use its internal default, which is false.  - `openshift_logging_fluentd_hosts`: List of nodes that should be labeled for Fluentd to be deployed to. Defaults to ['--all'].  - `openshift_logging_es_host`: The name of the ES service Fluentd should send logs to. Defaults to 'logging-es'. diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml index ead59c029..73849f46a 100644 --- a/roles/openshift_logging/defaults/main.yml +++ b/roles/openshift_logging/defaults/main.yml 
@@ -1,9 +1,9 @@  --- -openshift_logging_image_prefix: docker.io/openshift/origin- -openshift_logging_image_version: latest +openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default(docker.io/openshift/origin-) }}" +openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default(latest) }}"  openshift_logging_use_ops: False -master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}" -openshift_logging_master_public_url: "https://{{openshift.common.public_hostname}}:8443" +openshift_logging_master_url: "https://kubernetes.default.svc.{{ openshift.common.dns_domain }}" +openshift_logging_master_public_url: "{{ openshift_hosted_logging_master_public_url | default(https://{{openshift.common.public_hostname}}:8443) }}"  openshift_logging_namespace: logging  openshift_logging_install_logging: True @@ -19,7 +19,7 @@ openshift_logging_curator_memory_limit: null  openshift_logging_curator_ops_cpu_limit: 100m  openshift_logging_curator_ops_memory_limit: null -openshift_logging_kibana_hostname: "kibana.{{openshift.common.dns_domain}}" +openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default(kibana.{{openshift.common.dns_domain}}) }}"  openshift_logging_kibana_cpu_limit: null  openshift_logging_kibana_memory_limit: null  openshift_logging_kibana_proxy_debug: false @@ -27,7 +27,7 @@ openshift_logging_kibana_proxy_cpu_limit: null  openshift_logging_kibana_proxy_memory_limit: null  openshift_logging_kibana_replica_count: 1 -openshift_logging_kibana_ops_hostname: "kibana-ops.{{openshift.common.dns_domain}}" +openshift_logging_kibana_ops_hostname: "{{ openshift_hosted_logging_ops_hostname | default(kibana-ops.{{openshift.common.dns_domain}}) }}"  openshift_logging_kibana_ops_cpu_limit: null  openshift_logging_kibana_ops_memory_limit: null  openshift_logging_kibana_ops_proxy_debug: false 
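Review bot: The fallback arguments given to `default()` on the new side are unquoted, so Jinja parses them as expressions rather than strings: `default(docker.io/openshift/origin-)` is attribute access and arithmetic on undefined names, `default(latest)` resolves to an undefined variable, and `default(https://{{openshift.common.public_hostname}}:8443)` nests `{{` inside an expression, which is a template syntax error. The two later hunks of this file on this line have the same defect (`default(kibana.{{openshift.common.dns_domain}})`, `default(kibana-ops.{{openshift.common.dns_domain}})`), as do the `@@ -48,13 +48,13 @@` and `@@ -66,13 +66,13 @@` hunks with `default(logging-es)` and `default(logging-es-ops)`. Every fallback needs to be a quoted string, using `~` to concatenate where a fact is interpolated; the affected lines of the first three hunks rewritten:
```yaml
openshift_logging_image_prefix: "{{ openshift_hosted_logging_deployer_prefix | default('docker.io/openshift/origin-') }}"
openshift_logging_image_version: "{{ openshift_hosted_logging_deployer_version | default('latest') }}"
# … unchanged: openshift_logging_use_ops, openshift_logging_master_url …
openshift_logging_master_public_url: "{{ openshift_hosted_logging_master_public_url | default('https://' ~ openshift.common.public_hostname ~ ':8443') }}"
# … unchanged: remaining keys of the first hunk …
openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ openshift.common.dns_domain) }}"
# … unchanged: kibana limits …
openshift_logging_kibana_ops_hostname: "{{ openshift_hosted_logging_ops_hostname | default('kibana-ops.' ~ openshift.common.dns_domain) }}"
```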
@@ -39,8 +39,8 @@ openshift_logging_fluentd_nodeselector: {'logging-infra-fluentd': 'true'}  openshift_logging_fluentd_cpu_limit: 100m  openshift_logging_fluentd_memory_limit: 512Mi  openshift_logging_fluentd_es_copy: false -openshift_logging_fluentd_use_journal: false -openshift_logging_fluentd_journal_read_from_head: false +openshift_logging_fluentd_use_journal: '' +openshift_logging_fluentd_journal_read_from_head: ''  openshift_logging_fluentd_hosts: ['--all']  openshift_logging_es_host: logging-es @@ -48,13 +48,13 @@ openshift_logging_es_port: 9200  openshift_logging_es_ca: /etc/fluent/keys/ca  openshift_logging_es_client_cert: /etc/fluent/keys/cert  openshift_logging_es_client_key: /etc/fluent/keys/key -openshift_logging_es_cluster_size: 1 +openshift_logging_es_cluster_size: "{{ openshift_hosted_logging_elasticsearch_cluster_size | default(1) }}"  openshift_logging_es_cpu_limit: null  openshift_logging_es_memory_limit: 1024Mi  openshift_logging_es_pv_selector: null -openshift_logging_es_pvc_dynamic: False -openshift_logging_es_pvc_size: "" -openshift_logging_es_pvc_prefix: logging-es +openshift_logging_es_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_pvc_dynamic | default(False) }}" +openshift_logging_es_pvc_size: "{{ openshift_hosted_logging_elasticsearch_pvc_size | default('') }}" +openshift_logging_es_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_pvc_prefix | default(logging-es) }}"  openshift_logging_es_recover_after_time: 5m  openshift_logging_es_storage_group: 65534 
@@ -66,13 +66,13 @@ openshift_logging_es_ops_port: 9200  openshift_logging_es_ops_ca: /etc/fluent/keys/ca  openshift_logging_es_ops_client_cert: /etc/fluent/keys/cert  openshift_logging_es_ops_client_key: /etc/fluent/keys/key -openshift_logging_es_ops_cluster_size: 1 +openshift_logging_es_ops_cluster_size: "{{ openshift_hosted_logging_elasticsearch_ops_cluster_size | default(1) }}"  openshift_logging_es_ops_cpu_limit: null  openshift_logging_es_ops_memory_limit: 1024Mi  openshift_logging_es_ops_pv_selector: None -openshift_logging_es_ops_pvc_dynamic: False -openshift_logging_es_ops_pvc_size: "" -openshift_logging_es_ops_pvc_prefix: logging-es-ops +openshift_logging_es_ops_pvc_dynamic: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_dynamic | default(False) }}" +openshift_logging_es_ops_pvc_size: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_size | default('') }}" +openshift_logging_es_ops_pvc_prefix: "{{ openshift_hosted_logging_elasticsearch_ops_pvc_prefix | default(logging-es-ops) }}"  openshift_logging_es_ops_recover_after_time: 5m  openshift_logging_es_ops_storage_group: 65534 diff --git a/roles/openshift_logging/templates/curator.j2 b/roles/openshift_logging/templates/curator.j2 index de6258eaa..b7bc15b62 100644 --- a/roles/openshift_logging/templates/curator.j2 +++ b/roles/openshift_logging/templates/curator.j2 @@ -48,7 +48,7 @@ spec:            env:              -                name: "K8S_HOST_URL" -              value: "{{master_url}}" +              value: "{{openshift_logging_master_url}}"              -                name: "ES_HOST"                value: "{{es_host}}" diff --git a/roles/openshift_logging/templates/fluentd.j2 b/roles/openshift_logging/templates/fluentd.j2 index b6c91f8ed..223d342b9 100644 --- a/roles/openshift_logging/templates/fluentd.j2 +++ b/roles/openshift_logging/templates/fluentd.j2 
@@ -61,7 +61,7 @@ spec:            readOnly: true          env:          - name: "K8S_HOST_URL" -          value: "{{master_url}}" +          value: "{{openshift_logging_master_url}}"          - name: "ES_HOST"            value: "{{openshift_logging_es_host}}"          - name: "ES_PORT" diff --git a/roles/openshift_logging/templates/kibana.j2 b/roles/openshift_logging/templates/kibana.j2 index 3a9e03768..be9b45ab4 100644 --- a/roles/openshift_logging/templates/kibana.j2 +++ b/roles/openshift_logging/templates/kibana.j2 @@ -90,7 +90,7 @@ spec:               value: kibana-proxy              -               name: "OAP_MASTER_URL" -             value: {{master_url}} +             value: {{openshift_logging_master_url}}              -               name: "OAP_PUBLIC_MASTER_URL"               value: {{openshift_logging_master_public_url}} diff --git a/roles/openshift_master/tasks/main.yml b/roles/openshift_master/tasks/main.yml index 9cd6b6c81..2ef61cddf 100644 --- a/roles/openshift_master/tasks/main.yml +++ b/roles/openshift_master/tasks/main.yml @@ -131,6 +131,10 @@  - name: Install the systemd units    include: systemd_units.yml +- name: Install Master system container +  include: system_container.yml +  when: openshift.common.is_containerized | bool and openshift.common.is_master_system_container | bool +  - name: Create session secrets file    template:      dest: "{{ openshift.master.session_secrets_file }}" diff --git a/roles/openshift_master/tasks/system_container.yml b/roles/openshift_master/tasks/system_container.yml new file mode 100644 index 000000000..e3e3d7948 --- /dev/null +++ b/roles/openshift_master/tasks/system_container.yml 
@@ -0,0 +1,36 @@
+---
+- name: Pre-pull master system container image
+  command: >
+    atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.master.master_system_image }}:{{ openshift_image_tag }}
+  register: pull_result
+  changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Check Master system container package
+  command: >
+    atomic containers list --no-trunc -a -f container={{ openshift.common.service_type }}-master
+  register: result
+
+- name: Update Master system container package
+  command: >
+    atomic containers update {{ openshift.common.service_type }}-master
+  register: update_result
+  changed_when: "'Extracting' in update_result.stdout"
+  when:
+    - ("master" in result.stdout)
+    - (openshift.common.version is defined) and (openshift.common.version == openshift_version) | bool
+
+- name: Uninstall Master system container package
+  command: >
+    atomic uninstall {{ openshift.common.service_type }}-master
+  failed_when: False
+  when:
+    - ("master" in result.stdout)
+    - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) | bool
+
+- name: Install Master system container package
+  command: >
+    atomic install --system --name={{ openshift.common.service_type }}-master {{ openshift.common.system_images_registry }}/{{ openshift.master.master_system_image }}:{{ openshift_image_tag }}
+  when:
+    - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) or ("master" not in result.stdout) | bool
+  notify:
+    - restart master
diff --git a/roles/openshift_master/tasks/systemd_units.yml b/roles/openshift_master/tasks/systemd_units.yml
index 39ea42ab3..4ab98cbbb 100644
--- a/roles/openshift_master/tasks/systemd_units.yml
+++ b/roles/openshift_master/tasks/systemd_units.yml
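Review bot: The image reference in the pull and install commands is `{{ openshift.common.system_images_registry }}/{{ openshift.master.master_system_image }}:{{ openshift_image_tag }}`, and `system_images_registry` defaults to `''` in the `roles/openshift_facts/tasks/main.yml` hunk, so with no registry configured both commands receive a reference that begins with `/`. Guard the separator in both places: `{{ (openshift.common.system_images_registry ~ '/') if openshift.common.system_images_registry else '' }}{{ openshift.master.master_system_image }}:{{ openshift_image_tag }}`. `failed_when: False` on the uninstall task means a failed uninstall is silently followed by an install under the same name; registering the result and limiting `failed_when` to the expected not-installed case would surface real errors. The image is pulled by mutable tag with no digest check, so what ends up installed depends on the registry contents at pull time; if that is accepted, a comment saying so would help the next reader.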
@@ -20,14 +20,14 @@      docker pull {{ openshift.master.master_image }}:{{ openshift_image_tag }}    register: pull_result    changed_when: "'Downloaded newer image' in pull_result.stdout" -  when: openshift.common.is_containerized | bool +  when: openshift.common.is_containerized | bool and not openshift.common.is_master_system_container | bool  # workaround for missing systemd unit files  - name: Create the systemd unit files    template:      src: "master_docker/master.docker.service.j2"      dest: "{{ containerized_svc_dir }}/{{ openshift.common.service_type }}-master.service" -  when: openshift.common.is_containerized | bool and (openshift.master.ha is not defined or not openshift.master.ha | bool) +  when: openshift.common.is_containerized | bool and (openshift.master.ha is not defined or not openshift.master.ha | bool and not openshift.common.is_master_system_container | bool)    register: create_master_unit_file  - command: systemctl daemon-reload @@ -132,7 +132,7 @@      dest: "/etc/systemd/system/{{ openshift.common.service_type }}-master.service"      src: master_docker/master.docker.service.j2    register: install_result -  when: openshift.common.is_containerized | bool and openshift.master.ha is defined and not openshift.master.ha | bool +  when: openshift.common.is_containerized | bool and openshift.master.ha is defined and not openshift.master.ha | bool and not openshift.common.is_master_system_container | bool  - name: Preserve Master Proxy Config options    command: grep PROXY /etc/sysconfig/{{ openshift.common.service_type }}-master diff --git a/roles/openshift_metrics/defaults/main.yaml b/roles/openshift_metrics/defaults/main.yaml index 17614f716..0cfbac8a9 100644 --- a/roles/openshift_metrics/defaults/main.yaml +++ b/roles/openshift_metrics/defaults/main.yaml 
@@ -23,6 +23,7 @@ openshift_metrics_cassandra_limits_cpu: null  openshift_metrics_cassandra_requests_memory: 1G  openshift_metrics_cassandra_requests_cpu: null  openshift_metrics_cassandra_nodeselector: "" +openshift_metrics_cassandra_storage_group: 65534  openshift_metrics_heapster_standalone: False  openshift_metrics_heapster_limits_memory: 3.75G @@ -31,6 +32,8 @@ openshift_metrics_heapster_requests_memory: 0.9375G  openshift_metrics_heapster_requests_cpu: null  openshift_metrics_heapster_nodeselector: "" +openshift_metrics_hostname: "hawkular-metrics.{{openshift_master_default_subdomain}}" +  openshift_metrics_duration: 7  openshift_metrics_resolution: 15s @@ -39,7 +42,6 @@ openshift_metrics_resolution: 15s  # overriding the values here  ##### -openshift_metrics_certs_dir: "{{ openshift.common.config_base }}/master/metrics"  openshift_metrics_master_url: https://kubernetes.default.svc.cluster.local  openshift_metrics_node_id: nodename  openshift_metrics_project: openshift-infra diff --git a/roles/openshift_metrics/tasks/generate_certificates.yaml b/roles/openshift_metrics/tasks/generate_certificates.yaml index 4925275e8..f7cba0093 100644 --- a/roles/openshift_metrics/tasks/generate_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_certificates.yaml @@ -1,11 +1,11 @@  ---  - name: generate ca certificate chain -  shell: > +  command: >      {{ openshift.common.admin_binary }} ca create-signer-cert      --config={{ mktemp.stdout }}/admin.kubeconfig -    --key='{{ openshift_metrics_certs_dir }}/ca.key' -    --cert='{{ openshift_metrics_certs_dir }}/ca.crt' -    --serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' +    --key='{{ mktemp.stdout }}/ca.key' +    --cert='{{ mktemp.stdout }}/ca.crt' +    --serial='{{ mktemp.stdout }}/ca.serial.txt'      --name="metrics-signer@$(date +%s)" -  when: not '{{ openshift_metrics_certs_dir }}/ca.key' | exists +  - include: generate_hawkular_certificates.yaml 
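Review bot: `generate ca certificate chain` is switched from `shell` to `command`, but `--name="metrics-signer@$(date +%s)"` still relies on shell command substitution; `command` does not run a shell, so the signer CA is created with the literal name `metrics-signer@$(date +%s)`. Either keep `shell: >` for this one task or use an Ansible value, e.g. `--name=metrics-signer@{{ ansible_date_time.epoch }}`. Dropping the `when: not ... | exists` guard together with moving the CA into `{{ mktemp.stdout }}` means a fresh signer CA and key are generated on every run instead of being reused from the config directory; whether the secrets that embed it are re-created each run is not visible here, so a comment on the intended certificate lifecycle would help. The `generate_hawkular_certificates.yaml`, `generate_heapster_certificates.yaml`, `import_jks_certs.yaml` and `install_hawkular.yaml` hunks are the same path substitution.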
diff --git a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml index 9333d341c..854697abb 100644 --- a/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_hawkular_certificates.yaml @@ -13,13 +13,13 @@      hostnames: hawkular-cassandra    changed_when: no -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-cassandra-truststore.pwd    register: cassandra_truststore_password -- slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-truststore.pwd +- slurp: src={{ mktemp.stdout }}/hawkular-metrics-truststore.pwd    register: hawkular_truststore_password -- stat: path="{{openshift_metrics_certs_dir}}/{{item}}" +- stat: path="{{mktemp.stdout}}/{{item}}"    register: pwd_file_stat    with_items:    - hawkular-metrics.pwd 
@@ -32,44 +32,33 @@    with_items: "{{pwd_file_stat.results}}"    changed_when: no -- name: Create temp directory local on control node -  local_action: command mktemp -d -  register: local_tmp -  changed_when: False -  - name: generate password for hawkular metrics and jgroups    local_action: copy dest="{{ local_tmp.stdout}}/{{ item }}.pwd" content="{{ 15 | oo_random_word }}"    with_items:    - hawkular-metrics    - hawkular-jgroups-keystore -  when: "not pwd_files['{{ item }}.pwd'].exists"  - name: generate htpasswd file for hawkular metrics    local_action: >      shell htpasswd -ci      '{{ local_tmp.stdout }}/hawkular-metrics.htpasswd' hawkular      < '{{ local_tmp.stdout }}/hawkular-metrics.pwd' -  when: "not pwd_files['hawkular-metrics.htpasswd'].exists"  - name: copy local generated passwords to target    copy:      src: "{{local_tmp.stdout}}/{{item}}" -    dest: "{{openshift_metrics_certs_dir}}/{{item}}" +    dest: "{{mktemp.stdout}}/{{item}}"    with_items:    - hawkular-metrics.pwd    - hawkular-metrics.htpasswd    - hawkular-jgroups-keystore.pwd -  when: "not pwd_files['{{ item }}'].exists"  - include: import_jks_certs.yaml -- local_action: file path="{{local_tmp.stdout}}" state=absent -  changed_when: False -  - name: read files for the hawkular-metrics secret    shell: >      printf '%s: ' '{{ item }}' -    && base64 --wrap 0 '{{ openshift_metrics_certs_dir }}/{{ item }}' +    && base64 --wrap 0 '{{ mktemp.stdout }}/{{ item }}'    register: hawkular_secrets    with_items:    - ca.crt diff --git a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml index 2449b1518..ced2df1d0 100644 --- a/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml +++ b/roles/openshift_metrics/tasks/generate_heapster_certificates.yaml 
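Review bot: With the three `when: "not pwd_files[...].exists"` guards removed, the fact built from `pwd_file_stat` at the top of this hunk (presumably a `set_fact` whose start is outside the hunk) no longer appears to have a consumer, and the passwords and htpasswd file are regenerated and copied on every run; if that is intended, the `stat`/`set_fact` pair looks dead and can go, otherwise the guards should stay. The local temp directory creation and removal deleted here are replaced by tasks in `roles/openshift_metrics/tasks/main.yaml`, so this file now assumes `local_tmp` is registered by its caller; a comment at the first `local_tmp.stdout` use, e.g. `# local_tmp is registered in main.yaml before this file is included`, would make that dependency visible.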
@@ -3,13 +3,12 @@    command: >      {{ openshift.common.admin_binary }} ca create-server-cert      --config={{ mktemp.stdout }}/admin.kubeconfig -    --key='{{ openshift_metrics_certs_dir }}/heapster.key' -    --cert='{{ openshift_metrics_certs_dir }}/heapster.cert' +    --key='{{ mktemp.stdout }}/heapster.key' +    --cert='{{ mktemp.stdout }}/heapster.cert'      --hostnames=heapster -    --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' -    --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' -    --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' -  when: not '{{ openshift_metrics_certs_dir }}/heapster.key' | exists +    --signer-cert='{{ mktemp.stdout }}/ca.crt' +    --signer-key='{{ mktemp.stdout }}/ca.key' +    --signer-serial='{{ mktemp.stdout }}/ca.serial.txt'  - when: "'secret/heapster-secrets' not in metrics_secrets.stdout_lines"    block: @@ -17,11 +16,11 @@      slurp: src={{ item }}      register: heapster_secret      with_items: -    - "{{ openshift_metrics_certs_dir }}/heapster.cert" -    - "{{ openshift_metrics_certs_dir }}/heapster.key" +    - "{{ mktemp.stdout }}/heapster.cert" +    - "{{ mktemp.stdout }}/heapster.key"      - "{{ client_ca }}"      vars: -      custom_ca: "{{ openshift_metrics_certs_dir }}/heapster_client_ca.crt" +      custom_ca: "{{ mktemp.stdout }}/heapster_client_ca.crt"        default_ca: "{{ openshift.common.config_base }}/master/ca-bundle.crt"        client_ca: "{{ custom_ca|exists|ternary(custom_ca, default_ca) }}"    - name: generate heapster secret template diff --git a/roles/openshift_metrics/tasks/import_jks_certs.yaml b/roles/openshift_metrics/tasks/import_jks_certs.yaml index 16fd8d9f8..57ec70c79 100644 --- a/roles/openshift_metrics/tasks/import_jks_certs.yaml +++ b/roles/openshift_metrics/tasks/import_jks_certs.yaml 
@@ -1,37 +1,37 @@  --- -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.keystore"    register: cassandra_keystore    check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-cassandra.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-cassandra.truststore"    register: cassandra_truststore    check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.keystore"    register: metrics_keystore    check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-metrics.truststore" +- stat: path="{{mktemp.stdout}}/hawkular-metrics.truststore"    register: metrics_truststore    check_mode: no -- stat: path="{{openshift_metrics_certs_dir}}/hawkular-jgroups.keystore" +- stat: path="{{mktemp.stdout}}/hawkular-jgroups.keystore"    register: jgroups_keystore    check_mode: no  - block: -  - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-metrics-keystore.pwd +  - slurp: src={{ mktemp.stdout }}/hawkular-metrics-keystore.pwd      register: metrics_keystore_password -  - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-cassandra-keystore.pwd +  - slurp: src={{ mktemp.stdout }}/hawkular-cassandra-keystore.pwd      register: cassandra_keystore_password -  - slurp: src={{ openshift_metrics_certs_dir }}/hawkular-jgroups-keystore.pwd +  - slurp: src={{ mktemp.stdout }}/hawkular-jgroups-keystore.pwd      register: jgroups_keystore_password    - fetch:        dest: "{{local_tmp.stdout}}/" -      src: "{{ openshift_metrics_certs_dir }}/{{item}}" +      src: "{{ mktemp.stdout }}/{{item}}"        flat: yes      changed_when: False      with_items: @@ -52,7 +52,7 @@      changed_when: False    - copy: -      dest: "{{openshift_metrics_certs_dir}}/" +      dest: "{{mktemp.stdout}}/"        src: "{{item}}"      with_fileglob: "{{local_tmp.stdout}}/*.*store" 
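Review bot: The five `stat` tasks at the top of the first hunk now probe `{{ mktemp.stdout }}`, a per-run temp directory, so `cassandra_keystore`, `metrics_keystore` and the other registered results will report the files as absent on every run unless something earlier in the run copies existing stores there; whatever these results gate (the condition is outside the hunk) will therefore run unconditionally, and the keystores, truststores and their passwords will be regenerated on each invocation. If that is the intent, the stats and their registered results are dead and can be removed; if not, the existing stores have to be restored to the temp directory from their persistent location before these checks. The block that fetches and imports the stores continues past the hunk.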
diff --git a/roles/openshift_metrics/tasks/install_hawkular.yaml b/roles/openshift_metrics/tasks/install_hawkular.yaml index 1ba11efa8..6b37f85ab 100644 --- a/roles/openshift_metrics/tasks/install_hawkular.yaml +++ b/roles/openshift_metrics/tasks/install_hawkular.yaml @@ -17,7 +17,7 @@    changed_when: false  - name: read hawkular-metrics route destination ca certificate -  slurp: src={{ openshift_metrics_certs_dir }}/ca.crt +  slurp: src={{ mktemp.stdout }}/ca.crt    register: metrics_route_dest_ca_cert    changed_when: false diff --git a/roles/openshift_metrics/tasks/main.yaml b/roles/openshift_metrics/tasks/main.yaml index d03d4176b..1eebff3bf 100644 --- a/roles/openshift_metrics/tasks/main.yaml +++ b/roles/openshift_metrics/tasks/main.yaml @@ -9,6 +9,11 @@    changed_when: False    when: "{{ openshift_metrics_install_metrics | bool }}" +- name: Create temp directory local on control node +  local_action: command mktemp -d +  register: local_tmp +  changed_when: False +  - name: Copy the admin client config(s)    command: >       cp {{ openshift.common.config_base}}/master/admin.kubeconfig {{ mktemp.stdout }}/admin.kubeconfig @@ -17,3 +22,9 @@    tags: metrics_init  - include: "{{ (openshift_metrics_install_metrics | bool) | ternary('install_metrics.yaml','uninstall_metrics.yaml') }}" + +- name: Delete temp directory +  local_action: file path=local_tmp.stdout state=absent +  tags: metrics_cleanup +  changed_when: False +  check_mode: no diff --git a/roles/openshift_metrics/tasks/pre_install.yaml b/roles/openshift_metrics/tasks/pre_install.yaml index 262acd546..2e2013d40 100644 --- a/roles/openshift_metrics/tasks/pre_install.yaml +++ b/roles/openshift_metrics/tasks/pre_install.yaml 
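Review bot: The `Create temp directory local on control node` task in main.yaml has `changed_when: False` but no `check_mode: no`, while the matching `Delete temp directory` task later in the same file does; in check mode the `command` is skipped, `local_tmp` carries no `stdout`, and every later reference to `local_tmp.stdout` (the password, htpasswd and keystore tasks in this role) fails on an undefined attribute. Add `check_mode: no` here as well so both ends of the temp-directory lifecycle behave the same.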
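Review bot: `path=local_tmp.stdout` in the `Delete temp directory` task is a literal string, not a Jinja expression, so the task removes a file named `local_tmp.stdout` relative to the playbook's working directory (which usually does not exist, so the task reports ok) and the control-node temp directory, which by then holds the generated hawkular passwords, the htpasswd file and the fetched keystores, is never deleted; it should read `local_action: file path="{{ local_tmp.stdout }}" state=absent`. Because the task sits after the include rather than in an `always:` section, the directory is also left behind whenever a task in the included files fails; if that matters, wrapping the include and the cleanup in a `block`/`always` covers both cases.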
@@ -12,12 +12,6 @@    - openshift_metrics_cassandra_storage_type not in openshift_metrics_cassandra_storage_types    - "not {{ openshift_metrics_heapster_standalone | bool }}" -- name: create certificate output directory -  file: -    path: "{{ openshift_metrics_certs_dir }}" -    state: directory -    mode: 0700 -  - name: list existing secrets    command: >      {{ openshift.common.client_binary }} -n {{ openshift_metrics_project }} diff --git a/roles/openshift_metrics/tasks/setup_certificate.yaml b/roles/openshift_metrics/tasks/setup_certificate.yaml index 5ca8f4462..199968579 100644 --- a/roles/openshift_metrics/tasks/setup_certificate.yaml +++ b/roles/openshift_metrics/tasks/setup_certificate.yaml 
@@ -3,50 +3,41 @@    command: >      {{ openshift.common.admin_binary }} ca create-server-cert      --config={{ mktemp.stdout }}/admin.kubeconfig -    --key='{{ openshift_metrics_certs_dir }}/{{ component }}.key' -    --cert='{{ openshift_metrics_certs_dir }}/{{ component }}.crt' +    --key='{{ mktemp.stdout }}/{{ component }}.key' +    --cert='{{ mktemp.stdout }}/{{ component }}.crt'      --hostnames='{{ hostnames }}' -    --signer-cert='{{ openshift_metrics_certs_dir }}/ca.crt' -    --signer-key='{{ openshift_metrics_certs_dir }}/ca.key' -    --signer-serial='{{ openshift_metrics_certs_dir }}/ca.serial.txt' -  when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.key'|exists +    --signer-cert='{{ mktemp.stdout }}/ca.crt' +    --signer-key='{{ mktemp.stdout }}/ca.key' +    --signer-serial='{{ mktemp.stdout }}/ca.serial.txt'  - slurp: src={{item}}    register: component_certs    with_items: -    - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.key' -    - '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}.crt' -  when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists +    - '{{ mktemp.stdout | quote }}/{{ component|quote }}.key' +    - '{{ mktemp.stdout | quote }}/{{ component|quote }}.crt'  - name: generate {{ component }} certificate    copy: -    dest: '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' +    dest: '{{ mktemp.stdout }}/{{ component }}.pem'      content: "{{ component_certs.results | map(attribute='content') | map('b64decode') | join('')  }}" -  when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pem'|exists  - name: generate random password for the {{ component }} keystore    copy:      content: "{{ 15 | oo_random_word }}" -    dest: '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd' -  when: > -    not '{{ openshift_metrics_certs_dir }}/{{ component }}-keystore.pwd'|exists +    dest: '{{ mktemp.stdout }}/{{ component }}-keystore.pwd' -- slurp: src={{ 
openshift_metrics_certs_dir | quote }}/{{ component|quote }}-keystore.pwd +- slurp: src={{ mktemp.stdout | quote }}/{{ component|quote }}-keystore.pwd    register: keystore_password  - name: create the {{ component }} pkcs12 from the pem file    command: >      openssl pkcs12 -export -    -in '{{ openshift_metrics_certs_dir }}/{{ component }}.pem' -    -out '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12' +    -in '{{ mktemp.stdout }}/{{ component }}.pem' +    -out '{{ mktemp.stdout }}/{{ component }}.pkcs12'      -name '{{ component }}' -noiter -nomaciter      -password 'pass:{{keystore_password.content | b64decode }}' -  when: not '{{ openshift_metrics_certs_dir }}/{{ component }}.pkcs12'|exists  - name: generate random password for the {{ component }} truststore    copy:      content: "{{ 15 | oo_random_word }}" -    dest: '{{ openshift_metrics_certs_dir | quote }}/{{ component|quote }}-truststore.pwd' -  when: > -    not -    '{{ openshift_metrics_certs_dir | quote }}/{{ component| quote  }}-truststore.pwd'|exists +    dest: '{{ mktemp.stdout | quote }}/{{ component|quote }}-truststore.pwd' diff --git a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 index 6f6efc469..504476dc4 100644 --- a/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 +++ b/roles/openshift_metrics/templates/hawkular_cassandra_rc.j2 @@ -19,6 +19,9 @@ spec:          type: hawkular-cassandra      spec:        serviceAccount: cassandra +      securityContext: +        supplementalGroups: +        - {{openshift_metrics_cassandra_storage_group}}  {% if node_selector is iterable and node_selector | length > 0 %}        nodeSelector:  {% for key, value in node_selector.iteritems() %} diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index e970c4cd1..3e888b77f 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
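Review bot: With every `when: not … |exists` guard removed and all paths moved to `{{ mktemp.stdout }}`, the `{{ component }}` key, certificate, PEM and keystore/truststore passwords are regenerated from scratch on every run; any workflow that relied on pre-placing its own `{{ component }}.key`/`.crt` in `openshift_metrics_certs_dir` is dropped by this change, which deserves a line in the role documentation. Separately, the unchanged pkcs12 task still passes the keystore password as `-password 'pass:…'` on the command line, where it is visible to any local user via the process list; since the preceding tasks already write it to `{{ mktemp.stdout }}/{{ component }}-keystore.pwd`, `-passout 'file:{{ mktemp.stdout }}/{{ component }}-keystore.pwd'` would keep it out of `ps`. The hunk starts inside the first task, whose `- name:` line is above it.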
@@ -69,7 +69,7 @@  - name: Persist net.ipv4.ip_forward sysctl entry    sysctl: name="net.ipv4.ip_forward" value=1 sysctl_set=yes state=present reload=yes -- name: Start and enable openvswitch docker service +- name: Start and enable openvswitch service    systemd:      name: openvswitch.service      enabled: yes diff --git a/roles/openshift_node/tasks/node_system_container.yml b/roles/openshift_node/tasks/node_system_container.yml new file mode 100644 index 000000000..01e2d33c7 --- /dev/null +++ b/roles/openshift_node/tasks/node_system_container.yml 
@@ -0,0 +1,34 @@
+---
+- name: Pre-pull node system container image
+  command: >
+    atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.node.node_system_image }}:{{ openshift_image_tag }}
+  register: pull_result
+  changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Check Node system container package
+  command: >
+    atomic containers list --no-trunc -a -f container={{ openshift.common.service_type }}-node
+  register: result
+
+- name: Update Node system container package
+  command: >
+    atomic containers update {{ openshift.common.service_type }}-node
+  register: update_result
+  changed_when: "'Extracting' in update_result.stdout"
+  when:
+  - (openshift.common.version is defined) and (openshift.common.version == openshift_version) and ("node" in result.stdout) | bool
+
+- name: Uninstall Node system container package
+  command: >
+    atomic uninstall {{ openshift.common.service_type }}-node
+  failed_when: False
+  when:
+  - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) and ("node" in result.stdout) | bool
+
+- name: Install Node system container package
+  command: >
+    atomic install --system --name={{ openshift.common.service_type }}-node {{ openshift.common.system_images_registry }}/{{ openshift.node.node_system_image }}:{{ openshift_image_tag }}
+  register: install_node_result
+  changed_when: "'Extracting' in pull_result.stdout"
+  when:
+  - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) or ("node" not in result.stdout) | bool
diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml
new file mode 100644
index 000000000..47fac99eb
--- /dev/null
+++ b/roles/openshift_node/tasks/openvswitch_system_container.yml
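Review bot: The `Install Node system container package` task computes `changed_when` from `pull_result.stdout`, the output of the pre-pull task, instead of the `install_node_result` it registers, so the install never reports changed based on its own output; it should read `changed_when: "'Extracting' in install_node_result.stdout"`. The `when` on the uninstall task also parses as `(version is not defined) or ((version != openshift_version) and ("node" in result.stdout))`, because `and` binds tighter than `or` and the trailing `| bool` applies only to the last parenthesised term, so an undefined `openshift.common.version` triggers an uninstall even when no container is listed (`failed_when: False` then hides the error); `- (openshift.common.version is not defined or openshift.common.version != openshift_version) and ("node" in result.stdout)` states the apparent intent. The same precedence issue is present in openvswitch_system_container.yml.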
@@ -0,0 +1,36 @@
+---
+- name: Pre-pull OpenVSwitch system container image
+  command: >
+    atomic pull --storage=ostree {{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}
+  register: pull_result
+  changed_when: "'Pulling layer' in pull_result.stdout"
+
+- name: Check OpenvSwitch system container package
+  command: >
+    atomic containers list --no-trunc -a -f container=openvswitch
+  register: result
+  when:
+  - openshift.common.is_openvswitch_system_container | bool
+
+- name: Update OpenvSwitch system container package
+  command: >
+    atomic containers update openvswitch
+  register: update_result
+  changed_when: "'Extracting' in update_result.stdout"
+  when:
+  - (openshift.common.version is defined) and (openshift.common.version == openshift_version) and ("openvswitch" in result.stdout) | bool
+
+- name: Uninstall OpenvSwitch system container package
+  command: >
+    atomic uninstall openvswitch
+  failed_when: False
+  when:
+  - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) and ("openvswitch" in result.stdout) | bool
+
+- name: Install OpenvSwitch system container package
+  command: >
+    atomic install --system --name=openvswitch {{ openshift.common.system_images_registry }}/{{ openshift.node.ovs_system_image }}:{{ openshift_image_tag }}
+  when:
+  - (openshift.common.version is not defined) or (openshift.common.version != openshift_version) or ("openvswitch" not in result.stdout) | bool
+  notify:
+  - restart docker
diff --git a/roles/openshift_node/tasks/systemd_units.yml b/roles/openshift_node/tasks/systemd_units.yml
index 5243a87fe..52482d09b 100644
--- a/roles/openshift_node/tasks/systemd_units.yml
+++ b/roles/openshift_node/tasks/systemd_units.yml
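Review bot: The `when: openshift.common.is_openvswitch_system_container | bool` on the `Check OpenvSwitch system container package` task is redundant — systemd_units.yml includes this file only under that same condition — and harmful if it ever skips, because the update, uninstall and install tasks that follow then dereference `result.stdout` on a skipped result; drop the condition so `result` is always populated. The install task also has no `register`/`changed_when`, so it reports changed every time its `when` holds, unlike its counterpart in node_system_container.yml; adding `register: install_ovs_result` (name constructed here) with `changed_when: "'Extracting' in install_ovs_result.stdout"` keeps the two files consistent. The uninstall `when` has the same `or`/`and` precedence problem noted for node_system_container.yml.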
@@ -2,20 +2,6 @@  # This file is included both in the openshift_master role and in the upgrade  # playbooks. -- name: Pre-pull node image -  command: > -    docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }} -  register: pull_result -  changed_when: "'Downloaded newer image' in pull_result.stdout" -  when: openshift.common.is_containerized | bool - -- name: Pre-pull openvswitch image -  command: > -    docker pull {{ openshift.node.ovs_image }}:{{ openshift_image_tag }} -  register: pull_result -  changed_when: "'Downloaded newer image' in pull_result.stdout" -  when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool -  - name: Install Node dependencies docker service file    template:      dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node-dep.service" @@ -23,12 +9,21 @@    register: install_node_dep_result    when: openshift.common.is_containerized | bool -- name: Install Node docker service file -  template: -    dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service" -    src: openshift.docker.node.service -  register: install_node_result -  when: openshift.common.is_containerized | bool +- block: +  - name: Pre-pull node image +    command: > +      docker pull {{ openshift.node.node_image }}:{{ openshift_image_tag }} +    register: pull_result +    changed_when: "'Downloaded newer image' in pull_result.stdout" + +  - name: Install Node docker service file +    template: +      dest: "/etc/systemd/system/{{ openshift.common.service_type }}-node.service" +      src: openshift.docker.node.service +    register: install_node_result +  when: +  - openshift.common.is_containerized | bool +  - not openshift.common.is_node_system_container | bool  - name: Create the openvswitch service env file    template: 
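Review bot: The new block in the second hunk gates the node pre-pull and `Install Node docker service file` on `not openshift.common.is_node_system_container | bool`, but the `Install Node dependencies docker service file` task just above it (partly visible as context) is still conditioned on `openshift.common.is_containerized | bool` alone, so the `-node-dep.service` unit is also templated on hosts that run the node as a system container; if the system container does not consume that unit, the same `not openshift.common.is_node_system_container | bool` condition belongs there too, and if it does, a comment saying so would save the next reader the question. Reusing `register: pull_result` for both the node and the openvswitch pre-pull is harmless as written, but a distinct name per block would make each `changed_when` unambiguous. The enclosing task list continues on both sides of the hunk.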
@@ -39,6 +34,19 @@    notify:    - restart openvswitch +- name: Install Node system container +  include: node_system_container.yml +  when: +  - openshift.common.is_containerized | bool +  - openshift.common.is_node_system_container | bool + +- name: Install OpenvSwitch system containers +  include: openvswitch_system_container.yml +  when: +  - openshift.common.use_openshift_sdn | default(true) | bool +  - openshift.common.is_containerized | bool +  - openshift.common.is_openvswitch_system_container | bool +  # May be a temporary workaround.  # https://bugzilla.redhat.com/show_bug.cgi?id=1331590  - name: Create OpenvSwitch service.d directory @@ -54,13 +62,23 @@    notify:    - restart openvswitch -- name: Install OpenvSwitch docker service file -  template: -    dest: "/etc/systemd/system/openvswitch.service" -    src: openvswitch.docker.service -  when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | default(true) | bool -  notify: -  - restart openvswitch +- block: +  - name: Pre-pull openvswitch image +    command: > +      docker pull {{ openshift.node.ovs_image }}:{{ openshift_image_tag }} +    register: pull_result +    changed_when: "'Downloaded newer image' in pull_result.stdout" + +  - name: Install OpenvSwitch docker service file +    template: +      dest: "/etc/systemd/system/openvswitch.service" +      src: openvswitch.docker.service +    notify: +    - restart openvswitch +  when: +  - openshift.common.is_containerized | bool +  - openshift.common.use_openshift_sdn | default(true) | bool +  - not openshift.common.is_openvswitch_system_container | bool  - name: Configure Node settings    lineinfile:  | 
