Diffstat (limited to 'roles')
| -rw-r--r-- | roles/docker/README.md | 2 | ||||
| -rw-r--r-- | roles/docker/meta/main.yml | 4 | ||||
| -rw-r--r-- | roles/docker/tasks/main.yml | 25 | ||||
| -rw-r--r-- | roles/etcd/etcdctl.sh | 11 | ||||
| -rw-r--r-- | roles/etcd/files/etcdctl.sh | 11 | ||||
| -rw-r--r-- | roles/etcd/tasks/etcdctl.yml | 11 | ||||
| -rw-r--r-- | roles/etcd/tasks/main.yml | 3 | ||||
| -rw-r--r-- | roles/openshift_examples/files/examples/v1.4/image-streams/dotnet_imagestreams.json | 11 | ||||
| -rwxr-xr-x | roles/openshift_facts/library/openshift_facts.py | 6 | ||||
| -rw-r--r-- | roles/openshift_hosted_logging/tasks/deploy_logging.yaml | 23 | ||||
| -rw-r--r-- | roles/openshift_hosted_templates/files/v1.4/enterprise/logging-deployer.yaml | 20 | ||||
| -rw-r--r-- | roles/openshift_hosted_templates/files/v1.4/enterprise/metrics-deployer.yaml | 6 | ||||
| -rw-r--r-- | roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml | 6 | ||||
| -rw-r--r-- | roles/openshift_version/tasks/set_version_containerized.yml | 5 | ||||
| -rw-r--r-- | roles/os_firewall/README.md | 2 | ||||
| -rw-r--r-- | roles/os_firewall/meta/main.yml | 1 | 
16 files changed, 119 insertions, 28 deletions
| diff --git a/roles/docker/README.md b/roles/docker/README.md index 6b5ee4421..1f0d94da0 100644 --- a/roles/docker/README.md +++ b/roles/docker/README.md @@ -17,7 +17,7 @@ docker_udev_workaround: raises udevd timeout to 5 minutes (https://bugzilla.redh  Dependencies  ------------ -None +Depends on the os_firewall role.  Example Playbook  ---------------- diff --git a/roles/docker/meta/main.yml b/roles/docker/meta/main.yml index 6e2c98601..3d362158d 100644 --- a/roles/docker/meta/main.yml +++ b/roles/docker/meta/main.yml @@ -9,4 +9,6 @@ galaxy_info:    - name: EL      versions:      - 7 -dependencies: [] +dependencies: +  - role: os_firewall +    os_firewall_use_firewalld: False diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index 240673b22..9b7ef0830 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -1,7 +1,4 @@  --- -- stat: path=/etc/sysconfig/docker-storage -  register: docker_storage_check -  - name: Get current installed Docker version    command: "{{ repoquery_cmd }} --installed --qf '%{version}' docker"    when: not openshift.common.is_atomic | bool @@ -57,17 +54,6 @@      dest: "{{ docker_systemd_dir }}/custom.conf"      src: custom.conf.j2 -- name: Start the Docker service -  systemd: -    name: docker -    enabled: yes -    state: started -    daemon_reload: yes -  register: start_result - -- set_fact: -    docker_service_status_changed: start_result | changed -  - include: udev_workaround.yml    when: docker_udev_workaround | default(False) | bool @@ -125,4 +111,15 @@    notify:      - restart docker +- name: Start the Docker service +  systemd: +    name: docker +    enabled: yes +    state: started +    daemon_reload: yes +  register: start_result + +- set_fact: +    docker_service_status_changed: start_result | changed +  - meta: flush_handlers diff --git a/roles/etcd/etcdctl.sh b/roles/etcd/etcdctl.sh new file mode 100644 index 000000000..0e324a8a9 --- /dev/null +++ b/roles/etcd/etcdctl.sh 
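Review bot: The new `os_firewall` dependency in roles/docker/meta/main.yml pins `os_firewall_use_firewalld: False` as a role parameter with no comment explaining why the docker role forces the iptables backend. Role parameters normally outrank inventory variables, so an operator who enabled firewalld in inventory would presumably be overridden without notice on every docker host. Add a comment above the entry stating the reason and that it overrides inventory, and write the value as `false`. The same commit sets `allow_duplicates: yes` in roles/os_firewall/meta/main.yml, so the firewall role may now run more than once per play with different parameters; that line deserves a comment too.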
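Review bot: The relocated `set_fact` at the end of the last roles/docker/tasks/main.yml hunk assigns `docker_service_status_changed: start_result | changed` without Jinja delimiters, so the fact is most likely the literal string rather than the result of the `changed` test, and any later `| bool` check on it would not reflect whether the service was actually started. The etcd role in this same commit uses the templated form, so this one should read `docker_service_status_changed: "{{ start_result | changed }}"`. While the block is being moved, `enabled: yes` and `daemon_reload: yes` are better written as `true`.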
@@ -0,0 +1,11 @@ +#!/bin/bash +# Sets up handy aliases for etcd, need etcdctl2 and etcdctl3 because +# command flags are different between the two. Should work on stand +# alone etcd hosts and master + etcd hosts too because we use the peer keys. +etcdctl2() { + /usr/bin/etcdctl --cert-file /etc/etcd/peer.crt --key-file /etc/etcd/peer.key --ca-file /etc/etcd/ca.crt -C https://`hostname`:2379 ${@} +} + +etcdctl3() { + ETCDCTL_API=3 /usr/bin/etcdctl --cert /etc/etcd/peer.crt --key /etc/etcd/peer.key --cacert /etc/etcd/ca.crt --endpoints https://`hostname`:2379 ${@} +} diff --git a/roles/etcd/files/etcdctl.sh b/roles/etcd/files/etcdctl.sh new file mode 100644 index 000000000..0e324a8a9 --- /dev/null +++ b/roles/etcd/files/etcdctl.sh @@ -0,0 +1,11 @@ +#!/bin/bash +# Sets up handy aliases for etcd, need etcdctl2 and etcdctl3 because +# command flags are different between the two. Should work on stand +# alone etcd hosts and master + etcd hosts too because we use the peer keys. +etcdctl2() { + /usr/bin/etcdctl --cert-file /etc/etcd/peer.crt --key-file /etc/etcd/peer.key --ca-file /etc/etcd/ca.crt -C https://`hostname`:2379 ${@} +} + +etcdctl3() { + ETCDCTL_API=3 /usr/bin/etcdctl --cert /etc/etcd/peer.crt --key /etc/etcd/peer.key --cacert /etc/etcd/ca.crt --endpoints https://`hostname`:2379 ${@} +} diff --git a/roles/etcd/tasks/etcdctl.yml b/roles/etcd/tasks/etcdctl.yml new file mode 100644 index 000000000..32c176449 --- /dev/null +++ b/roles/etcd/tasks/etcdctl.yml @@ -0,0 +1,11 @@ +- name: Install etcd for etcdctl +  action: "{{ ansible_pkg_mgr }} name=etcd state=present" +  when: not openshift.common.is_atomic | bool + +- name: Configure etcd profile.d alises +  copy: +    src: etcdctl.sh +    dest: /etc/profile.d/etcdctl.sh +    mode: 0755 +    owner: root +    group: root diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 2bc6a8678..790eb3c5a 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml 
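Review bot: Both `etcdctl2` and `etcdctl3` pass their arguments as unquoted `${@}`, so a key or value containing whitespace or glob characters is re-split and expanded before it reaches etcdctl; use `"$@"`, and prefer `"https://$(hostname):2379"` over the backtick form. The same two lines appear in roles/etcd/files/etcdctl.sh, and roles/etcd/etcdctl.sh is a byte-identical copy outside `files/` that the copy task does not reference, so it looks like a stray file. The helpers authenticate with /etc/etcd/peer.key, and the header comment should say that they only work for accounts able to read that key, since the script is installed for every login shell.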
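Review bot: In roles/etcd/tasks/etcdctl.yml the copy task sets `mode: 0755` as a bare number; quote it so the value cannot be retyped by the YAML loader, and since files under /etc/profile.d are sourced rather than executed, `mode: '0644'` is enough. The package install is skipped on Atomic hosts while the script is still copied, so the functions may point at a /usr/bin/etcdctl that is not present there; consider applying the same `when:` to the copy or noting the limitation in a comment. The task name has a typo ("alises"), and `action: "{{ ansible_pkg_mgr }} name=etcd state=present"` would read better as the `package` module with block arguments.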
@@ -74,5 +74,8 @@      enabled: yes    register: start_result +- include: etcdctl.yml +  when: openshift_etcd_etcdctl_profile | default(true) | bool +  - set_fact:      etcd_service_status_changed: "{{ start_result | changed }}" diff --git a/roles/openshift_examples/files/examples/v1.4/image-streams/dotnet_imagestreams.json b/roles/openshift_examples/files/examples/v1.4/image-streams/dotnet_imagestreams.json index 00b363c42..a65d35c2e 100644 --- a/roles/openshift_examples/files/examples/v1.4/image-streams/dotnet_imagestreams.json +++ b/roles/openshift_examples/files/examples/v1.4/image-streams/dotnet_imagestreams.json @@ -12,14 +12,18 @@              "kind": "ImageStream",              "apiVersion": "v1",              "metadata": { -                "name": "dotnet" +                "name": "dotnet", +                "annotations": { +                    "openshift.io/display-name": ".NET Core" +                }              },              "spec": {                  "tags": [                      {                          "name": "latest",                          "annotations": { -                          "description": "Build and run .NET Core 1.0 applications", +                          "openshift.io/display-name": ".NET Core (Latest)", +                          "description": "Build and run .NET Core applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/redhat-developer/s2i-dotnetcore/tree/master/1.0/README.md.\n\nWARNING: By selecting this tag, your application will automatically update to use the latest version of .NET Core available on OpenShift, including major versions updates.",                            "iconClass": "icon-dotnet",                            "tags": "builder,.net,dotnet,dotnetcore",                            "supports":"dotnet", 
@@ -34,7 +38,8 @@                      {                          "name": "1.0",                          "annotations": { -                            "description": "Build and run .NET Core 1.0 applications", +                            "openshift.io/display-name": ".NET Core 1.0", +                            "description": "Build and run .NET Core 1.0 applications on RHEL 7. For more information about using this builder image, including OpenShift considerations, see https://github.com/redhat-developer/s2i-dotnetcore/tree/master/1.0/README.md.",                              "iconClass": "icon-dotnet",                              "tags": "builder,.net,dotnet,dotnetcore,rh-dotnetcore10",                              "supports":"dotnet:1.0,dotnet", diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index a28b58e85..d797eb4d3 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -1595,7 +1595,7 @@ def set_container_facts_if_unset(facts):          cli_image = master_image          node_image = 'openshift3/node'          ovs_image = 'openshift3/openvswitch' -        etcd_image = 'registry.access.redhat.com/rhel7/etcd' +        etcd_image = 'registry.access.redhat.com/rhel7/etcd3'          pod_image = 'openshift3/ose-pod'          router_image = 'openshift3/ose-haproxy-router'          registry_image = 'openshift3/ose-docker-registry' @@ -1605,7 +1605,7 @@ def set_container_facts_if_unset(facts):          cli_image = master_image          node_image = 'aep3_beta/node'          ovs_image = 'aep3_beta/openvswitch' -        etcd_image = 'registry.access.redhat.com/rhel7/etcd' +        etcd_image = 'registry.access.redhat.com/rhel7/etcd3'          pod_image = 'aep3_beta/aep-pod'          router_image = 'aep3_beta/aep-haproxy-router'          registry_image = 'aep3_beta/aep-docker-registry' 
@@ -1615,7 +1615,7 @@ def set_container_facts_if_unset(facts):          cli_image = master_image          node_image = 'openshift/node'          ovs_image = 'openshift/openvswitch' -        etcd_image = 'registry.access.redhat.com/rhel7/etcd' +        etcd_image = 'registry.access.redhat.com/rhel7/etcd3'          pod_image = 'openshift/origin-pod'          router_image = 'openshift/origin-haproxy-router'          registry_image = 'openshift/origin-docker-registry' diff --git a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml index 0162d1fb0..625af9acd 100644 --- a/roles/openshift_hosted_logging/tasks/deploy_logging.yaml +++ b/roles/openshift_hosted_logging/tasks/deploy_logging.yaml @@ -40,7 +40,7 @@    - name: "Create templates for logging accounts and the deployer"      command: > -      {{ openshift.common.client_binary }} create +      {{ openshift.common.client_binary }} create --config={{ mktemp.stdout }}/admin.kubeconfig        -f {{ hosted_base }}/logging-deployer.yaml        --config={{ mktemp.stdout }}/admin.kubeconfig        -n logging 
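Review bot: The "Create templates for logging accounts and the deployer" command now carries `--config={{ mktemp.stdout }}/admin.kubeconfig` twice, once on the rewritten `create` line and again on the unchanged line after `-f`. Drop one of them so there is a single place to change the kubeconfig path; the other tasks in this file put it directly after the binary or after `adm`, which would be the consistent choice. The rest of the task (`register`, `changed_when`) sits outside this hunk.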
@@ -49,28 +49,41 @@      changed_when: "'created' in logging_import_template.stdout"    - name: "Process the logging accounts template" -    shell:  "{{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig process logging-deployer-account-template |  {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f -" +    shell: > +      {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig +      process logging-deployer-account-template |  {{ openshift.common.client_binary }} --config={{ mktemp.stdout }}/admin.kubeconfig create -f -      register: process_deployer_accounts      failed_when: process_deployer_accounts.rc == 1 and 'already exists' not in process_deployer_accounts.stderr    - name: "Set permissions for logging-deployer service account"      command: > -      {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig policy add-cluster-role-to-user oauth-editor system:serviceaccount:logging:logging-deployer +      {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig +      policy add-cluster-role-to-user oauth-editor system:serviceaccount:logging:logging-deployer      register: permiss_output      failed_when: "permiss_output.rc == 1 and 'exists' not in permiss_output.stderr"    - name: "Set permissions for fluentd"      command: > -      {{ openshift.common.client_binary }} adm policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd +      {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig +      policy add-scc-to-user privileged system:serviceaccount:logging:aggregated-logging-fluentd      register: fluentd_output      failed_when: "fluentd_output.rc == 1 and 'exists' not in fluentd_output.stderr"    - name: "Set additional permissions for fluentd"      command: > -      {{ openshift.common.client_binary }} adm policy 
add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd +      {{ openshift.common.client_binary }} adm policy --config={{ mktemp.stdout }}/admin.kubeconfig +      add-cluster-role-to-user cluster-reader system:serviceaccount:logging:aggregated-logging-fluentd      register: fluentd2_output      failed_when: "fluentd2_output.rc == 1 and 'exists' not in fluentd2_output.stderr" +  - name: "Add rolebinding-reader to aggregated-logging-elasticsearch" +    command: > +      {{ openshift.common.client_binary }} adm --config={{ mktemp.stdout }}/admin.kubeconfig +      policy add-cluster-role-to-user rolebinding-reader \ +      system:serviceaccount:logging:aggregated-logging-elasticsearch +    register: rolebinding_reader_output +    failed_when: "rolebinding_reader_output == 1 and 'exists' not in rolebinding_reader_output.stderr" +    - name: "Create ConfigMap for deployer parameters"      command: >        {{ openshift.common.client_binary}} --config={{ mktemp.stdout }}/admin.kubeconfig create configmap logging-deployer {{ deployer_cmap_params }} diff --git a/roles/openshift_hosted_templates/files/v1.4/enterprise/logging-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/enterprise/logging-deployer.yaml index 9cff9daca..ddfda1272 100644 --- a/roles/openshift_hosted_templates/files/v1.4/enterprise/logging-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.4/enterprise/logging-deployer.yaml @@ -66,6 +66,15 @@ items:        - watch        - delete        - update +  - apiVersion: v1 +    kind: ClusterRole +    metadata: +      name: rolebinding-reader +    rules: +    - resources: +      - clusterrolebindings +      verbs: +      - get    -      apiVersion: v1      kind: RoleBinding 
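Review bot: The new "Add rolebinding-reader to aggregated-logging-elasticsearch" task can never report failure, because its `failed_when` compares the whole registered result to 1 instead of the return code; it should be `failed_when: "rolebinding_reader_output.rc == 1 and 'exists' not in rolebinding_reader_output.stderr"`. The trailing `\` after `rolebinding-reader` sits inside a folded `>` scalar passed to `command`, where the line break already folds to a space, so the backslash may escape that space and hand the client a subject name with a leading blank; remove it. With both problems present, a grant to the wrong subject or a failed grant would pass silently. In "Set additional permissions for fluentd" the flag is placed as `adm policy --config=...` while every other task uses `adm --config=... policy`; align it.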
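Review bot: The `rolebinding-reader` ClusterRole is added here with no comment saying why the Elasticsearch service account needs `get` on `clusterrolebindings`; a one-line comment above the item would help whoever audits these cluster-wide grants later. The diffstat lists only the enterprise logging-deployer.yaml, while deploy_logging.yaml binds this role unconditionally, so unless the origin template already defines it (not visible on this page) the binding step would fail on origin deployments. The new item is written as `- apiVersion: v1` while the neighbouring items put the `-` on its own line; match the file's existing layout.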
@@ -88,6 +97,17 @@ items:      subjects:      - kind: ServiceAccount        name: logging-deployer +  - +    apiVersion: v1 +    kind: RoleBinding +    metadata: +      name: logging-elasticsearch-view-role +    roleRef: +      kind: ClusterRole +      name: view +    subjects: +    - kind: ServiceAccount +      name: aggregated-logging-elasticsearch  -    apiVersion: "v1"    kind: "Template" diff --git a/roles/openshift_hosted_templates/files/v1.4/enterprise/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/enterprise/metrics-deployer.yaml index 97a86c11d..66051755c 100644 --- a/roles/openshift_hosted_templates/files/v1.4/enterprise/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.4/enterprise/metrics-deployer.yaml @@ -86,6 +86,8 @@ objects:            value: ${HEAPSTER_NODE_ID}          - name: METRIC_RESOLUTION            value: ${METRIC_RESOLUTION} +        - name: STARTUP_TIMEOUT +          value: ${STARTUP_TIMEOUT}      dnsPolicy: ClusterFirst      restartPolicy: Never      serviceAccount: metrics-deployer @@ -160,3 +162,7 @@ parameters:    description: "How often metrics should be gathered. Defaults value of '15s' for 15 seconds"    name: METRIC_RESOLUTION    value: "15s" +- +  description: "How long in seconds we should wait until Hawkular Metrics and Heapster starts up before attempting a restart" +  name: STARTUP_TIMEOUT +  value: "500" diff --git a/roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml b/roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml index 5f2290419..54691572a 100644 --- a/roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml +++ b/roles/openshift_hosted_templates/files/v1.4/origin/metrics-deployer.yaml 
@@ -86,6 +86,8 @@ objects:            value: ${HEAPSTER_NODE_ID}          - name: METRIC_RESOLUTION            value: ${METRIC_RESOLUTION} +        - name: STARTUP_TIMEOUT +          value: ${STARTUP_TIMEOUT}      dnsPolicy: ClusterFirst      restartPolicy: Never      serviceAccount: metrics-deployer @@ -160,3 +162,7 @@ parameters:    description: "How often metrics should be gathered. Defaults value of '15s' for 15 seconds"    name: METRIC_RESOLUTION    value: "15s" +- +  description: "How long in seconds we should wait until Hawkular Metrics and Heapster starts up before attempting a restart" +  name: STARTUP_TIMEOUT +  value: "500" diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml index 8e2702391..718537287 100644 --- a/roles/openshift_version/tasks/set_version_containerized.yml +++ b/roles/openshift_version/tasks/set_version_containerized.yml @@ -37,3 +37,8 @@      openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2][1:] | join('-') if openshift.common.deployment_type == 'origin' else cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}"    when: openshift_version is defined and openshift_version.split('.') | length == 2 +# We finally have the specific version. Now we clean up any strange +# dangly +c0mm1t-offset tags in the version. See also, +# openshift_facts.py +- set_fact: +    openshift_version: "{{ openshift_version | oo_chomp_commit_offset }}" diff --git a/roles/os_firewall/README.md b/roles/os_firewall/README.md index 187d74b06..c6c70b81d 100644 --- a/roles/os_firewall/README.md +++ b/roles/os_firewall/README.md 
@@ -14,7 +14,7 @@ Role Variables  | Name                      | Default |                                        |  |---------------------------|---------|----------------------------------------| -| os_firewall_use_firewalld | True    | If false, use iptables                 | +| os_firewall_use_firewalld | False   | If false, use iptables                 |  | os_firewall_allow         | []      | List of service,port mappings to allow |  | os_firewall_deny          | []      | List of service, port mappings to deny | diff --git a/roles/os_firewall/meta/main.yml b/roles/os_firewall/meta/main.yml index c93335b7b..6df7c9f2b 100644 --- a/roles/os_firewall/meta/main.yml +++ b/roles/os_firewall/meta/main.yml @@ -11,5 +11,6 @@ galaxy_info:      - 7    categories:    - system +allow_duplicates: yes  dependencies:  - { role: openshift_facts } | 
