diff options
115 files changed, 270 insertions, 530 deletions
diff --git a/playbooks/byo/openshift-cluster/redeploy-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-certificates.yml deleted file mode 100644 index c26f11772..000000000 --- a/playbooks/byo/openshift-cluster/redeploy-certificates.yml +++ /dev/null @@ -1,42 +0,0 @@ ---- -- include: ../../init/main.yml - -- include: ../../common/openshift-cluster/redeploy-certificates/check-expiry.yml - vars: - g_check_expiry_hosts: 'oo_etcd_to_config' - -- include: ../../common/openshift-cluster/redeploy-certificates/etcd-backup.yml - -- include: ../../openshift-etcd/private/certificates.yml - vars: - etcd_certificates_redeploy: true - -- include: ../../common/openshift-cluster/redeploy-certificates/masters-backup.yml - -- include: ../../openshift-master/private/certificates.yml - vars: - openshift_certificates_redeploy: true - -- include: ../../common/openshift-cluster/redeploy-certificates/nodes-backup.yml - -- include: ../../openshift-node/private/certificates.yml - vars: - openshift_certificates_redeploy: true - -- include: ../../openshift-etcd/private/restart.yml - vars: - g_etcd_certificates_expired: "{{ ('expired' in (hostvars | oo_select_keys(groups['etcd']) | oo_collect('check_results.check_results.etcd') | oo_collect('health'))) | bool }}" - -- include: ../../openshift-master/private/restart.yml - -- include: ../../openshift-node/private/restart.yml - -- include: ../../common/openshift-cluster/redeploy-certificates/router.yml - when: openshift_hosted_manage_router | default(true) | bool - -- include: ../../common/openshift-cluster/redeploy-certificates/registry.yml - when: openshift_hosted_manage_registry | default(true) | bool - -- include: ../../openshift-master/private/revert-client-ca.yml - -- include: ../../openshift-master/private/restart.yml diff --git a/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml b/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml deleted file mode 100644 index 77dd121b3..000000000 --- a/playbooks/byo/openshift-cluster/redeploy-etcd-ca.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- include: ../../init/main.yml - -- include: ../../common/openshift-cluster/redeploy-certificates/etcd-ca.yml diff --git a/playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml deleted file mode 100644 index 94e50cc28..000000000 --- a/playbooks/byo/openshift-cluster/redeploy-etcd-certificates.yml +++ /dev/null @@ -1,18 +0,0 @@ ---- -- include: ../../init/main.yml - -- include: ../../common/openshift-cluster/redeploy-certificates/check-expiry.yml - vars: - g_check_expiry_hosts: 'oo_etcd_to_config' - -- include: ../../common/openshift-cluster/redeploy-certificates/etcd-backup.yml - -- include: ../../openshift-etcd/private/certificates.yml - vars: - etcd_certificates_redeploy: true - -- include: ../../openshift-etcd/private/restart.yml - vars: - g_etcd_certificates_expired: "{{ ('expired' in (hostvars | oo_select_keys(groups['etcd']) | oo_collect('check_results.check_results.etcd') | oo_collect('health'))) | bool }}" - -- include: ../../openshift-master/private/restart.yml diff --git a/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml deleted file mode 100644 index 88e52f809..000000000 --- a/playbooks/byo/openshift-cluster/redeploy-master-certificates.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- include: ../../init/main.yml - -- include: ../../common/openshift-cluster/redeploy-certificates/masters-backup.yml - -- include: ../../openshift-master/private/certificates.yml - vars: - openshift_certificates_redeploy: true - -- include: ../../openshift-master/private/restart.yml diff --git a/playbooks/byo/openshift-cluster/redeploy-node-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-node-certificates.yml deleted file mode 100644 index 2abbe78f1..000000000 --- a/playbooks/byo/openshift-cluster/redeploy-node-certificates.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -- include: ../../init/main.yml - -- include: ../../common/openshift-cluster/redeploy-certificates/nodes-backup.yml - -- include: ../../openshift-node/private/certificates.yml - vars: - openshift_certificates_redeploy: true - -- include: ../../openshift-node/private/restart.yml diff --git a/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml b/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml deleted file mode 100644 index 9cebeb1ee..000000000 --- a/playbooks/byo/openshift-cluster/redeploy-openshift-ca.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- include: ../../init/main.yml - -- include: ../../common/openshift-cluster/redeploy-certificates/openshift-ca.yml diff --git a/playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml deleted file mode 100644 index 36b6250a7..000000000 --- a/playbooks/byo/openshift-cluster/redeploy-registry-certificates.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- include: ../../init/main.yml - -- include: ../../common/openshift-cluster/redeploy-certificates/registry.yml diff --git a/playbooks/byo/openshift-cluster/redeploy-router-certificates.yml b/playbooks/byo/openshift-cluster/redeploy-router-certificates.yml deleted file mode 100644 index 181e03381..000000000 --- a/playbooks/byo/openshift-cluster/redeploy-router-certificates.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- include: ../../init/main.yml - -- include: ../../common/openshift-cluster/redeploy-certificates/router.yml diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/filter_plugins b/playbooks/common/openshift-cluster/redeploy-certificates/filter_plugins deleted file mode 120000 index b1213dedb..000000000 --- a/playbooks/common/openshift-cluster/redeploy-certificates/filter_plugins +++ /dev/null @@ -1 +0,0 @@ -../../../../filter_plugins
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/library b/playbooks/common/openshift-cluster/redeploy-certificates/library deleted file mode 120000 index 9a53f009d..000000000 --- a/playbooks/common/openshift-cluster/redeploy-certificates/library +++ /dev/null @@ -1 +0,0 @@ -../../../../library
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/lookup_plugins b/playbooks/common/openshift-cluster/redeploy-certificates/lookup_plugins deleted file mode 120000 index aff753026..000000000 --- a/playbooks/common/openshift-cluster/redeploy-certificates/lookup_plugins +++ /dev/null @@ -1 +0,0 @@ -../../../../lookup_plugins
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/roles b/playbooks/common/openshift-cluster/redeploy-certificates/roles deleted file mode 120000 index 4bdbcbad3..000000000 --- a/playbooks/common/openshift-cluster/redeploy-certificates/roles +++ /dev/null @@ -1 +0,0 @@ -../../../../roles
\ No newline at end of file diff --git a/playbooks/common/openshift-cluster/upgrades/docker/tasks/restart.yml b/playbooks/common/openshift-cluster/upgrades/docker/tasks/restart.yml index 83f16ac0d..3b779becb 100644 --- a/playbooks/common/openshift-cluster/upgrades/docker/tasks/restart.yml +++ b/playbooks/common/openshift-cluster/upgrades/docker/tasks/restart.yml @@ -6,10 +6,6 @@ retries: 3 delay: 30 -- name: Update docker facts - openshift_facts: - role: docker - - name: Restart containerized services service: name={{ item }} state=started with_items: diff --git a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml index 446f315d6..84b740227 100644 --- a/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml +++ b/playbooks/common/openshift-cluster/upgrades/pre/verify_upgrade_targets.yml @@ -6,7 +6,7 @@ - name: Update oreg_auth docker login credentials if necessary include_role: - name: docker + name: container_runtime tasks_from: registry_auth.yml when: oreg_auth_user is defined diff --git a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml index d7a52707c..503d75ba0 100644 --- a/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/upgrade_control_plane.yml @@ -143,10 +143,6 @@ roles: - { role: openshift_cli } vars: - openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" - # Another spot where we assume docker is running and do not want to accidentally trigger an unsafe - # restart. - skip_docker_role: True __master_shared_resource_viewer_file: "shared_resource_viewer_role.yaml" tasks: - name: Reconcile Cluster Roles diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml index 6cb6a665f..5f9c56867 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade.yml @@ -73,12 +73,6 @@ openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False - # We skip the docker role at this point in upgrade to prevent - # unintended package, container, or config upgrades which trigger - # docker restarts. At this early stage of upgrade we can assume - # docker is configured and running. - skip_docker_role: True - - include: ../../../../openshift-master/private/validate_restart.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml index 8f48bedcc..1aac3d014 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_control_plane.yml @@ -77,12 +77,6 @@ openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False - # We skip the docker role at this point in upgrade to prevent - # unintended package, container, or config upgrades which trigger - # docker restarts. At this early stage of upgrade we can assume - # docker is configured and running. - skip_docker_role: True - - include: ../../../../openshift-master/private/validate_restart.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml index f25cfe0d0..306b76422 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_6/upgrade_nodes.yml @@ -66,12 +66,6 @@ openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False - # We skip the docker role at this point in upgrade to prevent - # unintended package, container, or config upgrades which trigger - # docker restarts. At this early stage of upgrade we can assume - # docker is configured and running. - skip_docker_role: True - - name: Verify masters are already upgraded hosts: oo_masters_to_config tags: diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml index 2b99568c7..6d4949542 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade.yml @@ -77,12 +77,6 @@ openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False - # We skip the docker role at this point in upgrade to prevent - # unintended package, container, or config upgrades which trigger - # docker restarts. At this early stage of upgrade we can assume - # docker is configured and running. - skip_docker_role: True - - include: ../../../../openshift-master/private/validate_restart.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml index d3d2046e6..0a592896b 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_control_plane.yml @@ -81,12 +81,6 @@ openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False - # We skip the docker role at this point in upgrade to prevent - # unintended package, container, or config upgrades which trigger - # docker restarts. At this early stage of upgrade we can assume - # docker is configured and running. - skip_docker_role: True - - include: ../../../../openshift-master/private/validate_restart.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml index c0546bd2d..b381d606a 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_7/upgrade_nodes.yml @@ -66,12 +66,6 @@ openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False - # We skip the docker role at this point in upgrade to prevent - # unintended package, container, or config upgrades which trigger - # docker restarts. At this early stage of upgrade we can assume - # docker is configured and running. - skip_docker_role: True - - name: Verify masters are already upgraded hosts: oo_masters_to_config tags: diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml index b602cdd0e..e7d7756d1 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade.yml @@ -77,12 +77,6 @@ openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False - # We skip the docker role at this point in upgrade to prevent - # unintended package, container, or config upgrades which trigger - # docker restarts. At this early stage of upgrade we can assume - # docker is configured and running. - skip_docker_role: True - - include: ../../../../openshift-master/private/validate_restart.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml index da81e6dea..be362e3ff 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_control_plane.yml @@ -81,12 +81,6 @@ openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False - # We skip the docker role at this point in upgrade to prevent - # unintended package, container, or config upgrades which trigger - # docker restarts. At this early stage of upgrade we can assume - # docker is configured and running. - skip_docker_role: True - - include: ../../../../openshift-master/private/validate_restart.yml tags: - pre_upgrade diff --git a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml index abd56e762..6e68116b0 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_8/upgrade_nodes.yml @@ -66,12 +66,6 @@ openshift_release: "{{ openshift_upgrade_target }}" openshift_protect_installed_version: False - # We skip the docker role at this point in upgrade to prevent - # unintended package, container, or config upgrades which trigger - # docker restarts. At this early stage of upgrade we can assume - # docker is configured and running. - skip_docker_role: True - - name: Verify masters are already upgraded hosts: oo_masters_to_config tags: diff --git a/playbooks/init/facts.yml b/playbooks/init/facts.yml index 1166ac538..d41f365dc 100644 --- a/playbooks/init/facts.yml +++ b/playbooks/init/facts.yml @@ -135,11 +135,13 @@ - openshift_http_proxy is defined or openshift_https_proxy is defined - openshift_generate_no_proxy_hosts | default(True) | bool + - name: Initialize openshift.node.sdn_mtu + openshift_facts: + role: node + local_facts: + sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" + - name: initialize_facts set_fact repoquery command set_fact: repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}" repoquery_installed: "{{ 'dnf repoquery --latest-limit 1 -d 0 --disableexcludes=all --installed' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins --installed' }}" - - - name: initialize_facts set_fact on openshift_docker_hosted_registry_network - set_fact: - openshift_docker_hosted_registry_network: "{{ '' if 'oo_first_master' not in groups else hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" diff --git a/playbooks/init/main.yml b/playbooks/init/main.yml index 1d4f41ffc..5a7483b72 100644 --- a/playbooks/init/main.yml +++ b/playbooks/init/main.yml @@ -24,6 +24,7 @@ - import_playbook: repos.yml - import_playbook: version.yml + when: not (skip_verison | default(False)) - name: Initialization Checkpoint End hosts: all diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/etcd-backup.yml b/playbooks/openshift-etcd/private/certificates-backup.yml index d738c8207..d738c8207 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/etcd-backup.yml +++ b/playbooks/openshift-etcd/private/certificates-backup.yml diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml b/playbooks/openshift-etcd/private/redeploy-ca.yml index 438f704bc..cc5d57031 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/etcd-ca.yml +++ b/playbooks/openshift-etcd/private/redeploy-ca.yml @@ -21,7 +21,7 @@ name: etcd tasks_from: remove_ca_certificates -- include: ../../../openshift-etcd/private/ca.yml +- include: ca.yml - name: Create temp directory for syncing certs hosts: localhost @@ -44,7 +44,7 @@ etcd_sync_cert_dir: "{{ hostvars['localhost'].g_etcd_mktemp.stdout }}" etcd_ca_host: "{{ groups.oo_etcd_to_config.0 }}" -- include: ../../../openshift-etcd/private/restart.yml +- include: restart.yml # Do not restart etcd when etcd certificates were previously expired. when: ('expired' not in (hostvars | oo_select_keys(groups['etcd']) @@ -82,7 +82,7 @@ state: absent changed_when: false -- include: ../../../openshift-master/private/restart.yml +- include: ../../openshift-master/private/restart.yml # Do not restart masters when master or etcd certificates were previously expired. when: # masters diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/check-expiry.yml b/playbooks/openshift-etcd/private/redeploy-certificates.yml index 4a9fbf7eb..cc1e6adf5 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/check-expiry.yml +++ b/playbooks/openshift-etcd/private/redeploy-certificates.yml @@ -1,6 +1,6 @@ --- - name: Check cert expirys - hosts: "{{ g_check_expiry_hosts }}" + hosts: oo_etcd_to_config vars: openshift_certificate_expiry_show_all: yes roles: @@ -10,3 +10,9 @@ # this playbook. Service restarts will be skipped if any # certificates were previously expired. - role: openshift_certificate_expiry + +- include: certificates-backup.yml + +- include: certificates.yml + vars: + etcd_certificates_redeploy: true diff --git a/playbooks/openshift-etcd/redeploy-ca.yml b/playbooks/openshift-etcd/redeploy-ca.yml new file mode 100644 index 000000000..b1d23675d --- /dev/null +++ b/playbooks/openshift-etcd/redeploy-ca.yml @@ -0,0 +1,4 @@ +--- +- include: ../init/main.yml + +- include: private/redeploy-ca.yml diff --git a/playbooks/openshift-etcd/redeploy-certificates.yml b/playbooks/openshift-etcd/redeploy-certificates.yml new file mode 100644 index 000000000..1bd302c03 --- /dev/null +++ b/playbooks/openshift-etcd/redeploy-certificates.yml @@ -0,0 +1,10 @@ +--- +- include: ../init/main.yml + +- include: private/redeploy-certificates.yml + +- include: private/restart.yml + vars: + g_etcd_certificates_expired: "{{ ('expired' in (hostvars | oo_select_keys(groups['etcd']) | oo_collect('check_results.check_results.etcd') | oo_collect('health'))) | bool }}" + +- include: ../openshift-master/private/restart.yml diff --git a/playbooks/openshift-hosted/private/cockpit-ui.yml b/playbooks/openshift-hosted/private/cockpit-ui.yml index 359132dd0..d6529425b 100644 --- a/playbooks/openshift-hosted/private/cockpit-ui.yml +++ b/playbooks/openshift-hosted/private/cockpit-ui.yml @@ -5,4 +5,4 @@ - role: cockpit-ui when: - openshift_hosted_manage_registry | default(true) | bool - - not openshift.docker.hosted_registry_insecure | default(false) | bool + - not (openshift_docker_hosted_registry_insecure | default(false)) | bool diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml b/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml index 7e9363c5f..7e9363c5f 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/registry.yml +++ b/playbooks/openshift-hosted/private/redeploy-registry-certificates.yml diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml index 2116c745c..2116c745c 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/router.yml +++ b/playbooks/openshift-hosted/private/redeploy-router-certificates.yml diff --git a/playbooks/openshift-hosted/redeploy-registry-certificates.yml b/playbooks/openshift-hosted/redeploy-registry-certificates.yml new file mode 100644 index 000000000..65fb0abda --- /dev/null +++ b/playbooks/openshift-hosted/redeploy-registry-certificates.yml @@ -0,0 +1,4 @@ +--- +- include: ../init/main.yml + +- include: private/redeploy-registry-certificates.yml diff --git a/playbooks/openshift-hosted/redeploy-router-certificates.yml b/playbooks/openshift-hosted/redeploy-router-certificates.yml new file mode 100644 index 000000000..8dc052751 --- /dev/null +++ b/playbooks/openshift-hosted/redeploy-router-certificates.yml @@ -0,0 +1,4 @@ +--- +- include: ../init/main.yml + +- include: private/redeploy-router-certificates.yml diff --git a/playbooks/openshift-loadbalancer/private/config.yml b/playbooks/openshift-loadbalancer/private/config.yml index d737b836b..78fe663db 100644 --- a/playbooks/openshift-loadbalancer/private/config.yml +++ b/playbooks/openshift-loadbalancer/private/config.yml @@ -11,14 +11,12 @@ status: "In Progress" start: "{{ lookup('pipe', 'date +%Y%m%d%H%M%SZ') }}" -- name: Configure firewall and docker for load balancers +- name: Configure firewall load balancers hosts: oo_lb_to_config:!oo_masters_to_config:!oo_nodes_to_config vars: openshift_image_tag: "{{ hostvars[groups.oo_first_master.0].openshift_image_tag }}" roles: - role: os_firewall - - role: openshift_docker - when: openshift.common.is_containerized | default(False) | bool and not skip_docker_role | default(False) | bool - name: Configure load balancers hosts: oo_lb_to_config diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/masters-backup.yml b/playbooks/openshift-master/private/certificates-backup.yml index 4dbc041b0..4dbc041b0 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/masters-backup.yml +++ b/playbooks/openshift-master/private/certificates-backup.yml diff --git a/playbooks/openshift-master/private/redeploy-certificates.yml b/playbooks/openshift-master/private/redeploy-certificates.yml new file mode 100644 index 000000000..3bd38a61d --- /dev/null +++ b/playbooks/openshift-master/private/redeploy-certificates.yml @@ -0,0 +1,6 @@ +--- +- include: certificates-backup.yml + +- include: certificates.yml + vars: + openshift_certificates_redeploy: true diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml b/playbooks/openshift-master/private/redeploy-openshift-ca.yml index 5a837d80d..59657574a 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/openshift-ca.yml +++ b/playbooks/openshift-master/private/redeploy-openshift-ca.yml @@ -207,7 +207,7 @@ group: "{{ 'root' if item == 'root' else _ansible_ssh_user_gid.stdout }}" with_items: "{{ client_users }}" -- include: ../../../openshift-master/private/restart.yml +- include: restart.yml # Do not restart masters when master or etcd certificates were previously expired. when: # masters @@ -272,7 +272,7 @@ state: absent changed_when: false -- include: ../../../openshift-node/private/restart.yml +- include: ../../openshift-node/private/restart.yml # Do not restart nodes when node, master or etcd certificates were previously expired. when: # nodes diff --git a/playbooks/openshift-master/redeploy-certificates.yml b/playbooks/openshift-master/redeploy-certificates.yml new file mode 100644 index 000000000..df727247b --- /dev/null +++ b/playbooks/openshift-master/redeploy-certificates.yml @@ -0,0 +1,6 @@ +--- +- include: ../init/main.yml + +- include: private/redeploy-certificates.yml + +- include: private/restart.yml diff --git a/playbooks/openshift-master/redeploy-openshift-ca.yml b/playbooks/openshift-master/redeploy-openshift-ca.yml new file mode 100644 index 000000000..3ae74c7a0 --- /dev/null +++ b/playbooks/openshift-master/redeploy-openshift-ca.yml @@ -0,0 +1,4 @@ +--- +- include: ../init/main.yml + +- include: private/redeploy-openshift-ca.yml diff --git a/playbooks/common/openshift-cluster/redeploy-certificates/nodes-backup.yml b/playbooks/openshift-node/private/certificates-backup.yml index 2ad84b3b9..2ad84b3b9 100644 --- a/playbooks/common/openshift-cluster/redeploy-certificates/nodes-backup.yml +++ b/playbooks/openshift-node/private/certificates-backup.yml diff --git a/playbooks/openshift-node/private/configure_nodes.yml b/playbooks/openshift-node/private/configure_nodes.yml index 06f3df9fa..dc5d7a57e 100644 --- a/playbooks/openshift-node/private/configure_nodes.yml +++ b/playbooks/openshift-node/private/configure_nodes.yml @@ -4,7 +4,6 @@ vars: openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}" openshift_node_first_master_ip: "{{ hostvars[groups.oo_first_master.0].openshift.common.ip }}" - openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config'] | union(groups['oo_masters_to_config']) | union(groups['oo_etcd_to_config'] | default([]))) diff --git a/playbooks/openshift-node/private/containerized_nodes.yml b/playbooks/openshift-node/private/containerized_nodes.yml index 3c3ac3646..5afa83be7 100644 --- a/playbooks/openshift-node/private/containerized_nodes.yml +++ b/playbooks/openshift-node/private/containerized_nodes.yml @@ -5,7 +5,6 @@ vars: openshift_node_master_api_url: "{{ hostvars[groups.oo_first_master.0].openshift.master.api_url }}" openshift_node_first_master_ip: "{{ hostvars[groups.oo_first_master.0].openshift.common.ip }}" - openshift_docker_hosted_registry_network: "{{ hostvars[groups.oo_first_master.0].openshift.common.portal_net }}" openshift_no_proxy_internal_hostnames: "{{ hostvars | oo_select_keys(groups['oo_nodes_to_config'] | union(groups['oo_masters_to_config']) | union(groups['oo_etcd_to_config'] | default([]))) diff --git a/playbooks/openshift-node/private/redeploy-certificates.yml b/playbooks/openshift-node/private/redeploy-certificates.yml new file mode 100644 index 000000000..3bd38a61d --- /dev/null +++ b/playbooks/openshift-node/private/redeploy-certificates.yml @@ -0,0 +1,6 @@ +--- +- include: certificates-backup.yml + +- include: certificates.yml + vars: + openshift_certificates_redeploy: true diff --git a/playbooks/openshift-node/private/restart.yml b/playbooks/openshift-node/private/restart.yml index c3beb59b7..41eb00f99 100644 --- a/playbooks/openshift-node/private/restart.yml +++ b/playbooks/openshift-node/private/restart.yml @@ -16,10 +16,6 @@ retries: 3 delay: 30 - - name: Update docker facts - openshift_facts: - role: docker - - name: Restart containerized services service: name: "{{ item }}" diff --git a/playbooks/openshift-node/redeploy-certificates.yml b/playbooks/openshift-node/redeploy-certificates.yml new file mode 100644 index 000000000..df727247b --- /dev/null +++ b/playbooks/openshift-node/redeploy-certificates.yml @@ -0,0 +1,6 @@ +--- +- include: ../init/main.yml + +- include: private/redeploy-certificates.yml + +- include: private/restart.yml diff --git a/playbooks/prerequisites.yml b/playbooks/prerequisites.yml index 582dfe794..7dd59c5d8 100644 --- a/playbooks/prerequisites.yml +++ b/playbooks/prerequisites.yml @@ -1,7 +1,12 @@ --- -- name: Place holder for prerequisites - hosts: localhost - gather_facts: false +- include: init/main.yml + vars: + skip_verison: True + +- hosts: "{{ l_containerized_host_groups }}" + vars: + l_chg_temp: "{{ openshift_containerized_host_groups | default([]) }}" + l_containerized_host_groups: "{{ (['oo_nodes_to_config'] | union(l_chg_temp)) | join(':') }}" tasks: - - name: Debug placeholder - debug: msg="Prerequisites ran." + - include_role: + name: container_runtime diff --git a/playbooks/redeploy-certificates.yml b/playbooks/redeploy-certificates.yml new file mode 100644 index 000000000..45135c10e --- /dev/null +++ b/playbooks/redeploy-certificates.yml @@ -0,0 +1,26 @@ +--- +- include: init/main.yml + +- include: openshift-etcd/private/redeploy-certificates.yml + +- include: openshift-master/private/redeploy-certificates.yml + +- include: openshift-node/private/redeploy-certificates.yml + +- include: openshift-etcd/private/restart.yml + vars: + g_etcd_certificates_expired: "{{ ('expired' in (hostvars | oo_select_keys(groups['etcd']) | oo_collect('check_results.check_results.etcd') | oo_collect('health'))) | bool }}" + +- include: openshift-master/private/restart.yml + +- include: openshift-node/private/restart.yml + +- include: openshift-hosted/private/redeploy-router-certificates.yml + when: openshift_hosted_manage_router | default(true) | bool + +- include: openshift-hosted/private/redeploy-registry-certificates.yml + when: openshift_hosted_manage_registry | default(true) | bool + +- include: openshift-master/private/revert-client-ca.yml + +- include: openshift-master/private/restart.yml diff --git a/playbooks/roles b/playbooks/roles new file mode 120000 index 000000000..d8c4472ca --- /dev/null +++ b/playbooks/roles @@ -0,0 +1 @@ +../roles
\ No newline at end of file diff --git a/roles/calico/handlers/main.yml b/roles/calico/handlers/main.yml index 67fc0065f..9cc0604a3 100644 --- a/roles/calico/handlers/main.yml +++ b/roles/calico/handlers/main.yml @@ -3,10 +3,10 @@ become: yes systemd: name=calico state=restarted -- name: restart docker +- name: restart container runtime become: yes systemd: - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" state: restarted register: l_docker_restart_docker_in_calico_result until: not l_docker_restart_docker_in_calico_result | failed diff --git a/roles/calico/templates/calico.service.j2 b/roles/calico/templates/calico.service.j2 index 7653e19b1..a7809b9f9 100644 --- a/roles/calico/templates/calico.service.j2 +++ b/roles/calico/templates/calico.service.j2 @@ -1,7 +1,7 @@ [Unit] Description=calico -After={{ openshift.docker.service_name }}.service -Requires={{ openshift.docker.service_name }}.service +After={{ openshift_docker_service_name }}.service +Requires={{ openshift_docker_service_name }}.service [Service] Restart=always diff --git a/roles/docker/README.md b/roles/container_runtime/README.md index 19908c036..e363c1714 100644 --- a/roles/docker/README.md +++ b/roles/container_runtime/README.md @@ -10,27 +10,23 @@ Requirements Ansible 2.2 -Role Variables +Mandator Role Variables -------------- -docker_conf_dir: location of the Docker configuration directory -docker_systemd_dir location of the systemd directory for Docker -docker_udev_workaround: raises udevd timeout to 5 minutes (https://bugzilla.redhat.com/show_bug.cgi?id=1272446) -udevw_udevd_dir: location of systemd config for systemd-udevd.service + Dependencies ------------ -Depends on the os_firewall role. +Depends on openshift_facts having already been run. Example Playbook ---------------- - hosts: servers roles: - - role: docker + - role: container_runtime docker_udev_workaround: "true" - docker_use_system_container: False License ------- diff --git a/roles/docker/defaults/main.yml b/roles/container_runtime/defaults/main.yml index 224844a06..62b3e141a 100644 --- a/roles/docker/defaults/main.yml +++ b/roles/container_runtime/defaults/main.yml @@ -2,18 +2,34 @@ docker_cli_auth_config_path: '/root/.docker' openshift_docker_signature_verification: False +repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}" + openshift_docker_alternative_creds: False # oreg_url is defined by user input. oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_url.split('/')[0]) else '' }}" oreg_auth_credentials_replace: False +openshift_docker_use_system_container: False +openshift_docker_disable_push_dockerhub: False # bool +openshift_docker_selinux_enabled: True +openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}" + +openshift_docker_hosted_registry_insecure: False # bool + +openshift_docker_hosted_registry_network_default: "{{ openshift_portal_net | default(False) }}" +openshift_docker_hosted_registry_network: "{{ openshift_docker_hosted_registry_network_default }}" + openshift_docker_additional_registries: [] openshift_docker_blocked_registries: [] openshift_docker_insecure_registries: [] openshift_docker_ent_reg: 'registry.access.redhat.com' +openshift_docker_options: False # str +openshift_docker_log_driver: False # str +openshift_docker_log_options: [] + # The l2_docker_* variables convert csv strings to lists, if # necessary. These variables should be used in place of their respective # openshift_docker_* counterparts to ensure the properly formatted lists are @@ -21,6 +37,7 @@ openshift_docker_ent_reg: 'registry.access.redhat.com' l2_docker_additional_registries: "{% if openshift_docker_additional_registries is string %}{% if openshift_docker_additional_registries == '' %}[]{% elif ',' in openshift_docker_additional_registries %}{{ openshift_docker_additional_registries.split(',') | list }}{% else %}{{ [ openshift_docker_additional_registries ] }}{% endif %}{% else %}{{ openshift_docker_additional_registries }}{% endif %}" l2_docker_blocked_registries: "{% if openshift_docker_blocked_registries is string %}{% if openshift_docker_blocked_registries == '' %}[]{% elif ',' in openshift_docker_blocked_registries %}{{ openshift_docker_blocked_registries.split(',') | list }}{% else %}{{ [ openshift_docker_blocked_registries ] }}{% endif %}{% else %}{{ openshift_docker_blocked_registries }}{% endif %}" l2_docker_insecure_registries: "{% if openshift_docker_insecure_registries is string %}{% if openshift_docker_insecure_registries == '' %}[]{% elif ',' in openshift_docker_insecure_registries %}{{ openshift_docker_insecure_registries.split(',') | list }}{% else %}{{ [ openshift_docker_insecure_registries ] }}{% endif %}{% else %}{{ openshift_docker_insecure_registries }}{% endif %}" +l2_docker_log_options: "{% if openshift_docker_log_options is string %}{% if ',' in openshift_docker_log_options %}{{ openshift_docker_log_options.split(',') | list }}{% else %}{{ [ openshift_docker_log_options ] }}{% endif %}{% else %}{{ openshift_docker_log_options }}{% endif %}" openshift_docker_use_etc_containers: False containers_registries_conf_path: /etc/containers/registries.conf @@ -38,3 +55,26 @@ openshift_docker_is_node_or_master: "{{ True if inventory_hostname in (groups['o docker_alt_storage_path: /var/lib/containers/docker docker_default_storage_path: /var/lib/docker + +# Set local versions of facts that must be in json format for container-daemon.json +# NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson +l_docker_log_options: "{{ l2_docker_log_options | to_json }}" +l_docker_additional_registries: "{{ l2_docker_additional_registries | to_json }}" +l_docker_blocked_registries: "{{ l2_docker_blocked_registries | to_json }}" +l_docker_insecure_registries: "{{ l2_docker_insecure_registries | to_json }}" +l_docker_selinux_enabled: "{{ openshift_docker_selinux_enabled | to_json }}" + +docker_http_proxy: "{{ openshift_http_proxy | default('') }}" +docker_https_proxy: "{{ openshift.common.https_proxy | default('') }}" +docker_no_proxy: "{{ openshift.common.no_proxy | default('') }}" + +openshift_use_crio: False +openshift_use_crio_only: False + + +l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}" +l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}" +l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}" + +l_openshift_image_tag_default: "{{ openshift_release }}" +l_openshift_image_tag: "{{ openshift_image_tag | default(l_openshift_image_tag_default) | string}}" diff --git a/roles/docker/handlers/main.yml b/roles/container_runtime/handlers/main.yml index 866ed0452..67cd6d782 100644 --- a/roles/docker/handlers/main.yml +++ b/roles/container_runtime/handlers/main.yml @@ -1,8 +1,8 @@ --- -- name: restart docker +- name: restart container runtime systemd: - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" state: restarted daemon_reload: yes register: r_docker_restart_docker_result diff --git a/roles/docker/meta/main.yml b/roles/container_runtime/meta/main.yml index d5faae8df..02fceb745 100644 --- a/roles/docker/meta/main.yml +++ b/roles/container_runtime/meta/main.yml @@ -1,7 +1,7 @@ --- galaxy_info: author: OpenShift - description: docker package install + description: container runtime install and configure company: Red Hat, Inc license: ASL 2.0 min_ansible_version: 2.2 diff --git a/roles/docker/tasks/crio_firewall.yml b/roles/container_runtime/tasks/crio_firewall.yml index fbd1ff515..fbd1ff515 100644 --- a/roles/docker/tasks/crio_firewall.yml +++ b/roles/container_runtime/tasks/crio_firewall.yml diff --git a/roles/docker/tasks/main.yml b/roles/container_runtime/tasks/main.yml index b02a74711..6d68082b1 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/container_runtime/tasks/main.yml @@ -1,15 +1,7 @@ --- -# These tasks dispatch to the proper set of docker tasks based on the -# inventory:openshift_docker_use_system_container variable - - include_tasks: udev_workaround.yml when: docker_udev_workaround | default(False) | bool -- set_fact: - l_use_system_container: "{{ openshift.docker.use_system_container | default(False) }}" - l_use_crio: "{{ openshift_use_crio | default(False) }}" - l_use_crio_only: "{{ openshift_use_crio_only | default(False) }}" - - name: Add enterprise registry, if necessary set_fact: l2_docker_additional_registries: "{{ l2_docker_additional_registries + [openshift_docker_ent_reg] }}" @@ -17,13 +9,13 @@ - openshift.common.deployment_type == 'openshift-enterprise' - openshift_docker_ent_reg != '' - openshift_docker_ent_reg not in l2_docker_additional_registries - - not l_use_crio_only + - not openshift_use_crio_only | bool - name: Use Package Docker if Requested include_tasks: package_docker.yml when: - - not l_use_system_container - - not l_use_crio_only + - not openshift_docker_use_system_container + - not openshift_use_crio_only - name: Ensure /var/lib/containers exists file: @@ -37,13 +29,13 @@ - name: Use System Container Docker if Requested include_tasks: systemcontainer_docker.yml when: - - l_use_system_container - - not l_use_crio_only + - openshift_docker_use_system_container + - not openshift_use_crio_only - name: Add CRI-O usage Requested include_tasks: systemcontainer_crio.yml when: - - l_use_crio + - openshift_use_crio - openshift_docker_is_node_or_master | bool - name: stat the docker data dir @@ -52,13 +44,13 @@ register: dockerstat - when: - - l_use_crio + - openshift_use_crio - dockerstat.stat.islnk is defined and not (dockerstat.stat.islnk | bool) block: - name: stop the current running docker systemd: state: stopped - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" - name: copy "{{ docker_default_storage_path }}" to "{{ docker_alt_storage_path }}" command: "cp -r {{ docker_default_storage_path }} {{ docker_alt_storage_path }}" @@ -90,4 +82,4 @@ - name: start docker systemd: state: started - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" diff --git a/roles/docker/tasks/package_docker.yml b/roles/container_runtime/tasks/package_docker.yml index 044b04478..40ab75a25 100644 --- a/roles/docker/tasks/package_docker.yml +++ b/roles/container_runtime/tasks/package_docker.yml @@ -52,7 +52,7 @@ dest: "{{ docker_systemd_dir }}/custom.conf" src: custom.conf.j2 notify: - - restart docker + - restart container runtime when: not (os_firewall_use_firewalld | default(False)) | bool - stat: path=/etc/sysconfig/docker @@ -78,7 +78,7 @@ reg_fact_val: "{{ l2_docker_insecure_registries }}" reg_flag: --insecure-registry notify: - - restart docker + - restart container runtime - name: Place additional/blocked/insecure registries in /etc/containers/registries.conf template: @@ -86,7 +86,7 @@ src: registries.conf when: openshift_docker_use_etc_containers | bool notify: - - restart docker + - restart container runtime - name: Set Proxy Settings lineinfile: @@ -96,30 +96,34 @@ state: "{{ 'present' if item.reg_fact_val != '' else 'absent'}}" with_items: - reg_conf_var: HTTP_PROXY - reg_fact_val: "{{ docker_http_proxy | default('') }}" + reg_fact_val: "{{ docker_http_proxy }}" - reg_conf_var: HTTPS_PROXY - reg_fact_val: "{{ docker_https_proxy | default('') }}" + reg_fact_val: "{{ docker_https_proxy }}" - reg_conf_var: NO_PROXY - reg_fact_val: "{{ docker_no_proxy | default('') }}" + reg_fact_val: "{{ docker_no_proxy }}" notify: - - restart docker + - restart container runtime when: - - docker_check.stat.isreg is defined and docker_check.stat.isreg and '"http_proxy" in openshift.common or "https_proxy" in openshift.common' + - docker_check.stat.isreg is defined + - docker_check.stat.isreg + - docker_http_proxy != '' or docker_https_proxy != '' - name: Set various Docker options lineinfile: dest: /etc/sysconfig/docker regexp: '^OPTIONS=.*$' line: "OPTIONS='\ - {% if ansible_selinux.status | default(None) == 'enabled' and docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \ - {% if docker_log_driver is defined %} --log-driver {{ docker_log_driver }}{% endif %} \ - {% if docker_log_options is defined %} {{ docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \ + {% if ansible_selinux.status | default(None) == 'enabled' and openshift_docker_selinux_enabled | default(true) | bool %} --selinux-enabled {% endif %} \ + {% if openshift_docker_log_driver | bool %} --log-driver {{ openshift_docker_log_driver }}{% endif %} \ + {% if l2_docker_log_options != [] %} {{ l2_docker_log_options | oo_split() | oo_prepend_strings_in_list('--log-opt ') | join(' ')}}{% endif %} \ + {% if openshift_docker_hosted_registry_insecure and (openshift_docker_hosted_registry_network | bool) %} --insecure-registry={{ openshift_docker_hosted_registry_network }} {% endif %} \ {% if docker_options is defined %} {{ docker_options }}{% endif %} \ - {% if docker_disable_push_dockerhub is defined %} --confirm-def-push={{ docker_disable_push_dockerhub | bool }}{% endif %} \ + {% if openshift_docker_options %} {{ openshift_docker_options }}{% endif %} \ + {% if openshift_docker_disable_push_dockerhub %} --confirm-def-push={{ openshift_docker_disable_push_dockerhub | bool }}{% endif %} \ --signature-verification={{ openshift_docker_signature_verification | bool }}'" when: docker_check.stat.isreg is defined and docker_check.stat.isreg notify: - - restart docker + - restart container runtime - stat: path=/etc/sysconfig/docker-network register: sysconfig_docker_network_check @@ -134,7 +138,7 @@ - sysconfig_docker_network_check.stat.isreg is defined - sysconfig_docker_network_check.stat.isreg notify: - - restart docker + - restart container runtime # The following task is needed as the systemd module may report a change in # state even though docker is already running. diff --git a/roles/docker/tasks/registry_auth.yml b/roles/container_runtime/tasks/registry_auth.yml index 2c7bc5711..2c7bc5711 100644 --- a/roles/docker/tasks/registry_auth.yml +++ b/roles/container_runtime/tasks/registry_auth.yml diff --git a/roles/docker/tasks/systemcontainer_crio.yml b/roles/container_runtime/tasks/systemcontainer_crio.yml index 3439aa353..8dcfe60ef 100644 --- a/roles/docker/tasks/systemcontainer_crio.yml +++ b/roles/container_runtime/tasks/systemcontainer_crio.yml @@ -1,28 +1,5 @@ --- - # TODO: Much of this file is shared with container engine tasks -- set_fact: - l_insecure_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l2_docker_insecure_registries)) }}" -- set_fact: - l_crio_registries: "{{ l2_docker_additional_registries + ['docker.io'] }}" -- set_fact: - l_additional_crio_registries: "{{ '\"{}\"'.format('\", \"'.join(l_crio_registries)) }}" - -- set_fact: - l_openshift_image_tag: "{{ openshift_image_tag | string }}" - when: openshift_image_tag is defined - -- set_fact: - l_openshift_image_tag: "latest" - when: - - openshift_image_tag is not defined - - openshift_release == "latest" - -- set_fact: - l_openshift_image_tag: "{{ openshift_release | string }}" - when: - - openshift_image_tag is not defined - - openshift_release != "latest" - name: Ensure container-selinux is installed package: @@ -184,4 +161,4 @@ # 'docker login' - include_tasks: registry_auth.yml vars: - openshift_docker_alternative_creds: "{{ l_use_crio_only }}" + openshift_docker_alternative_creds: "{{ openshift_use_crio_only }}" diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/container_runtime/tasks/systemcontainer_docker.yml index 881d83f50..84217e50c 100644 --- a/roles/docker/tasks/systemcontainer_docker.yml +++ b/roles/container_runtime/tasks/systemcontainer_docker.yml @@ -1,28 +1,10 @@ --- - -- set_fact: - l_openshift_image_tag: "{{ openshift_image_tag | string }}" - when: openshift_image_tag is defined - -- set_fact: - l_openshift_image_tag: "latest" - when: - - openshift_image_tag is not defined - - openshift_release == "latest" - -- set_fact: - l_openshift_image_tag: "{{ openshift_release | string }}" - when: - - openshift_image_tag is not defined - - openshift_release != "latest" - # If docker_options are provided we should fail. We should not install docker and ignore # the users configuration. NOTE: docker_options == inventory:openshift_docker_options - name: Fail quickly if openshift_docker_options are set assert: that: - - docker_options is defined - - docker_options != "" + - "{% if not openshift_docker_options %}1{% else %}0{% endif %}" msg: | Docker via System Container does not allow for the use of the openshift_docker_options variable. If you want to use openshift_docker_options you will need to use the @@ -106,7 +88,7 @@ - name: Set the full image name set_fact: - l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift.docker.service_name }}:{{ l_docker_image_tag }}" + l_docker_image: "{{ l_docker_image_prepend }}/{{ openshift_docker_service_name }}:{{ l_docker_image_tag }}" # For https://github.com/openshift/openshift-ansible/pull/5354#issuecomment-328552959 - name: Use a specific image if requested @@ -125,7 +107,7 @@ command: "atomic pull --storage ostree {{ l_docker_image }}" changed_when: false environment: - NO_PROXY: "{{ openshift.common.no_proxy | default('') }}" + NO_PROXY: "{{ docker_no_proxy }}" - name: Ensure container-engine.service.d directory exists @@ -140,7 +122,7 @@ - name: Install Container Engine System Container oc_atomic_container: - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" image: "{{ l_docker_image }}" state: latest @@ -149,15 +131,6 @@ dest: "{{ container_engine_systemd_dir }}/custom.conf" src: systemcontainercustom.conf.j2 -# Set local versions of facts that must be in json format for container-daemon.json -# NOTE: When jinja2.9+ is used the container-daemon.json file can move to using tojson -- set_fact: - l_docker_insecure_registries: "{{ l2_docker_insecure_registries | default([]) | to_json }}" - l_docker_log_options: "{{ docker_log_options | default({}) | to_json }}" - l_docker_additional_registries: "{{ l2_docker_additional_registries | default([]) | to_json }}" - l_docker_blocked_registries: "{{ l2_docker_blocked_registries | default([]) | to_json }}" - l_docker_selinux_enabled: "{{ docker_selinux_enabled | default(true) | to_json }}" - # Configure container-engine using the container-daemon.json file # NOTE: daemon.json and container-daemon.json have been seperated to avoid # collision. @@ -169,7 +142,7 @@ # Enable and start the container-engine service - name: Start the Container Engine service systemd: - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" enabled: yes state: started daemon_reload: yes diff --git a/roles/docker/tasks/udev_workaround.yml b/roles/container_runtime/tasks/udev_workaround.yml index 257c3123d..257c3123d 100644 --- a/roles/docker/tasks/udev_workaround.yml +++ b/roles/container_runtime/tasks/udev_workaround.yml diff --git a/roles/docker/templates/80-openshift-sdn.conf.j2 b/roles/container_runtime/templates/80-openshift-sdn.conf.j2 index a693aea5f..a693aea5f 100644 --- a/roles/docker/templates/80-openshift-sdn.conf.j2 +++ b/roles/container_runtime/templates/80-openshift-sdn.conf.j2 diff --git a/roles/docker/templates/crio.conf.j2 b/roles/container_runtime/templates/crio.conf.j2 index 3f066a17f..3f066a17f 100644 --- a/roles/docker/templates/crio.conf.j2 +++ b/roles/container_runtime/templates/crio.conf.j2 diff --git a/roles/docker/templates/custom.conf.j2 b/roles/container_runtime/templates/custom.conf.j2 index 713412473..713412473 100644 --- a/roles/docker/templates/custom.conf.j2 +++ b/roles/container_runtime/templates/custom.conf.j2 diff --git a/roles/docker/templates/daemon.json b/roles/container_runtime/templates/daemon.json index a41b7cdbd..383963bd3 100644 --- a/roles/docker/templates/daemon.json +++ b/roles/container_runtime/templates/daemon.json @@ -5,8 +5,8 @@ "disable-legacy-registry": false, "exec-opts": ["native.cgroupdriver=systemd"], "insecure-registries": {{ l_docker_insecure_registries }}, -{% if docker_log_driver is defined %} - "log-driver": "{{ docker_log_driver }}", +{% if openshift_docker_log_driver is defined %} + "log-driver": "{{ openshift_docker_log_driver }}", {%- endif %} "log-opts": {{ l_docker_log_options }}, "runtimes": { diff --git a/roles/docker/templates/overlay.conf.j2 b/roles/container_runtime/templates/overlay.conf.j2 index 782f46c2e..782f46c2e 100644 --- a/roles/docker/templates/overlay.conf.j2 +++ b/roles/container_runtime/templates/overlay.conf.j2 diff --git a/roles/docker/templates/registries.conf b/roles/container_runtime/templates/registries.conf index d379b2be0..d379b2be0 100644 --- a/roles/docker/templates/registries.conf +++ b/roles/container_runtime/templates/registries.conf diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/container_runtime/templates/systemcontainercustom.conf.j2 index 86eebfba6..86eebfba6 100644 --- a/roles/docker/templates/systemcontainercustom.conf.j2 +++ b/roles/container_runtime/templates/systemcontainercustom.conf.j2 diff --git a/roles/docker/vars/main.yml b/roles/container_runtime/vars/main.yml index 4e940b7f5..4e940b7f5 100644 --- a/roles/docker/vars/main.yml +++ b/roles/container_runtime/vars/main.yml diff --git a/roles/contiv/defaults/main.yml b/roles/contiv/defaults/main.yml index b5d2f7c6e..aa976d921 100644 --- a/roles/contiv/defaults/main.yml +++ b/roles/contiv/defaults/main.yml @@ -119,3 +119,5 @@ contiv_h1_gw_default: "10.129.0.1" # contiv default private subnet for ext access contiv_private_ext_subnet: "10.130.0.0/16" + +openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}" diff --git a/roles/contiv/tasks/netplugin.yml b/roles/contiv/tasks/netplugin.yml index 0b2f91bab..cf92a8cc0 100644 --- a/roles/contiv/tasks/netplugin.yml +++ b/roles/contiv/tasks/netplugin.yml @@ -105,7 +105,7 @@ - name: Docker | Restart docker service: - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" state: restarted when: docker_updated|changed register: l_docker_restart_docker_in_contiv_result diff --git a/roles/contiv/templates/aci-gw.service b/roles/contiv/templates/aci-gw.service index 4506d2231..90bb98001 100644 --- a/roles/contiv/templates/aci-gw.service +++ b/roles/contiv/templates/aci-gw.service @@ -1,6 +1,6 @@ [Unit] Description=Contiv ACI gw -After=auditd.service systemd-user-sessions.service time-sync.target {{ openshift.docker.service_name }}.service +After=auditd.service systemd-user-sessions.service time-sync.target {{ openshift_docker_service_name }}.service [Service] ExecStart={{ bin_dir }}/aci_gw.sh start diff --git a/roles/etcd/defaults/main.yaml b/roles/etcd/defaults/main.yaml index a069e4d87..3038ed9f6 100644 --- a/roles/etcd/defaults/main.yaml +++ b/roles/etcd/defaults/main.yaml @@ -97,3 +97,5 @@ r_etcd_os_firewall_allow: # set the backend quota to 4GB by default etcd_quota_backend_bytes: 4294967296 + +openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}" diff --git a/roles/etcd/templates/etcd.docker.service b/roles/etcd/templates/etcd.docker.service index 99ae37319..4c25a9955 100644 --- a/roles/etcd/templates/etcd.docker.service +++ b/roles/etcd/templates/etcd.docker.service @@ -1,8 +1,8 @@ [Unit] Description=The Etcd Server container -After={{ openshift.docker.service_name }}.service -Requires={{ openshift.docker.service_name }}.service -PartOf={{ openshift.docker.service_name }}.service +After={{ openshift_docker_service_name }}.service +Requires={{ openshift_docker_service_name }}.service +PartOf={{ openshift_docker_service_name }}.service [Service] EnvironmentFile={{ etcd_conf_file }} @@ -14,4 +14,4 @@ Restart=always RestartSec=5s [Install] -WantedBy={{ openshift.docker.service_name }}.service +WantedBy={{ openshift_docker_service_name }}.service diff --git a/roles/flannel/defaults/main.yaml b/roles/flannel/defaults/main.yaml index 988731ef2..488b6b0bc 100644 --- a/roles/flannel/defaults/main.yaml +++ b/roles/flannel/defaults/main.yaml @@ -5,3 +5,5 @@ etcd_hosts: "{{ etcd_urls }}" etcd_peer_ca_file: "{{ openshift.common.config_base }}/node/{{ 'ca' if (embedded_etcd | bool) else 'flannel.etcd-ca' }}.crt" etcd_peer_cert_file: "{{ openshift.common.config_base }}/node/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'flannel.etcd-client' }}.crt" etcd_peer_key_file: "{{ openshift.common.config_base }}/node/{{ 'system:node:' + openshift.common.hostname if (embedded_etcd | bool) else 'flannel.etcd-client' }}.key" + +openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}" diff --git a/roles/flannel/handlers/main.yml b/roles/flannel/handlers/main.yml index 889069485..80e4d391d 100644 --- a/roles/flannel/handlers/main.yml +++ b/roles/flannel/handlers/main.yml @@ -6,7 +6,7 @@ - name: restart docker become: yes systemd: - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" state: restarted register: l_docker_restart_docker_in_flannel_result until: not l_docker_restart_docker_in_flannel_result | failed diff --git a/roles/openshift_cli/defaults/main.yml b/roles/openshift_cli/defaults/main.yml index 82da0639e..631a0455e 100644 --- a/roles/openshift_cli/defaults/main.yml +++ b/roles/openshift_cli/defaults/main.yml @@ -4,3 +4,8 @@ system_images_registry_dict: origin: "docker.io" system_images_registry: "{{ system_images_registry_dict[openshift_deployment_type | default('origin')] }}" + +openshift_use_crio_only: False + +l_is_system_container_image: "{{ openshift_use_master_system_container | default(openshift_use_system_containers | default(False)) | bool }}" +l_use_cli_atomic_image: "{{ openshift_use_crio_only or l_is_system_container_image }}" diff --git a/roles/openshift_cli/meta/main.yml b/roles/openshift_cli/meta/main.yml index 29ed82783..5d2b6abed 100644 --- a/roles/openshift_cli/meta/main.yml +++ b/roles/openshift_cli/meta/main.yml @@ -12,6 +12,4 @@ galaxy_info: categories: - cloud dependencies: -- role: openshift_docker - when: not skip_docker_role | default(False) | bool - role: openshift_facts diff --git a/roles/openshift_cli/tasks/main.yml b/roles/openshift_cli/tasks/main.yml index 7b046b2c4..140c6ea26 100644 --- a/roles/openshift_cli/tasks/main.yml +++ b/roles/openshift_cli/tasks/main.yml @@ -1,10 +1,4 @@ --- -- set_fact: - l_use_crio_only: "{{ openshift_use_crio_only | default(false) }}" - l_is_system_container_image: "{{ openshift_use_master_system_container | default(openshift_use_system_containers | default(false)) | bool }}" -- set_fact: - l_use_cli_atomic_image: "{{ l_use_crio_only or l_is_system_container_image }}" - - name: Install clients package: name={{ openshift.common.service_type }}-clients state=present when: not openshift.common.is_containerized | bool diff --git a/roles/openshift_docker/defaults/main.yml b/roles/openshift_docker/defaults/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/openshift_docker/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/openshift_docker/meta/main.yml b/roles/openshift_docker/meta/main.yml deleted file mode 100644 index 60efd4e45..000000000 --- a/roles/openshift_docker/meta/main.yml +++ /dev/null @@ -1,16 +0,0 @@ ---- -galaxy_info: - author: Jason DeTiberus - description: OpenShift Docker - company: Red Hat, Inc. - license: Apache License, Version 2.0 - min_ansible_version: 1.9 - platforms: - - name: EL - versions: - - 7 - categories: - - cloud -dependencies: -- role: openshift_docker_facts -- role: docker diff --git a/roles/openshift_docker/tasks/main.yml b/roles/openshift_docker/tasks/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/openshift_docker/tasks/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/openshift_docker_facts/defaults/main.yml b/roles/openshift_docker_facts/defaults/main.yml deleted file mode 100644 index ed97d539c..000000000 --- a/roles/openshift_docker_facts/defaults/main.yml +++ /dev/null @@ -1 +0,0 @@ ---- diff --git a/roles/openshift_docker_facts/meta/main.yml b/roles/openshift_docker_facts/meta/main.yml deleted file mode 100644 index 5b1be7a8d..000000000 --- a/roles/openshift_docker_facts/meta/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -galaxy_info: - author: Jason DeTiberus - description: OpenShift Docker Facts - company: Red Hat, Inc. - license: Apache License, Version 2.0 - min_ansible_version: 1.9 - platforms: - - name: EL - versions: - - 7 - categories: - - cloud -dependencies: -- { role: openshift_facts } diff --git a/roles/openshift_docker_facts/tasks/main.yml b/roles/openshift_docker_facts/tasks/main.yml deleted file mode 100644 index 5a3e50678..000000000 --- a/roles/openshift_docker_facts/tasks/main.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -- name: Set docker facts - openshift_facts: - role: "{{ item.role }}" - local_facts: "{{ item.local_facts }}" - with_items: - - role: docker - local_facts: - selinux_enabled: "{{ openshift_docker_selinux_enabled | default(None) }}" - log_driver: "{{ openshift_docker_log_driver | default(None) }}" - log_options: "{{ openshift_docker_log_options | default(None) }}" - options: "{{ openshift_docker_options | default(None) }}" - disable_push_dockerhub: "{{ openshift_disable_push_dockerhub | default(None) }}" - hosted_registry_insecure: "{{ openshift_docker_hosted_registry_insecure | default(openshift.docker.hosted_registry_insecure | default(False)) }}" - hosted_registry_network: "{{ openshift_docker_hosted_registry_network | default(None) }}" - use_system_container: "{{ openshift_docker_use_system_container | default(False) }}" - use_crio: "{{ openshift_use_crio | default(False) }}" - - role: node - local_facts: - sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" - -- set_fact: - docker_selinux_enabled: "{{ openshift.docker.selinux_enabled | default(omit) }}" - docker_log_driver: "{{ openshift.docker.log_driver | default(omit) }}" - docker_log_options: "{{ openshift.docker.log_options | default(omit) }}" - docker_push_dockerhub: "{{ openshift.docker.disable_push_dockerhub - | default(omit) }}" - docker_http_proxy: "{{ openshift.common.http_proxy | default(omit) }}" - docker_https_proxy: "{{ openshift.common.https_proxy | default(omit) }}" - docker_no_proxy: "{{ openshift.common.no_proxy | default(omit) }}" - -- set_fact: - docker_options: "--insecure-registry={{ openshift.docker.hosted_registry_network }} {{ openshift.docker.options | default ('') }}" - when: openshift.docker.hosted_registry_insecure | default(False) | bool and openshift.docker.hosted_registry_network is defined - register: hosted_registry_options - -- set_fact: - docker_options: "{{ openshift.docker.options | default(omit) }}" - when: hosted_registry_options | skipped diff --git a/roles/openshift_docker_facts/vars/main.yml b/roles/openshift_docker_facts/vars/main.yml deleted file mode 100644 index 55c04b0c1..000000000 --- a/roles/openshift_docker_facts/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -repoquery_cmd: "{{ 'dnf repoquery --latest-limit 1 -d 0' if ansible_pkg_mgr == 'dnf' else 'repoquery --plugins' }}" diff --git a/roles/openshift_etcd/meta/main.yml b/roles/openshift_etcd/meta/main.yml index 7cc548f69..0e28fec03 100644 --- a/roles/openshift_etcd/meta/main.yml +++ b/roles/openshift_etcd/meta/main.yml @@ -13,6 +13,4 @@ galaxy_info: - cloud dependencies: - role: openshift_etcd_facts -- role: openshift_docker - when: openshift.common.is_containerized | bool - role: etcd diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py index a5d90d602..508228b2e 100755 --- a/roles/openshift_facts/library/openshift_facts.py +++ b/roles/openshift_facts/library/openshift_facts.py @@ -51,39 +51,6 @@ EXAMPLES = ''' ''' -def migrate_docker_facts(facts): - """ Apply migrations for docker facts """ - params = { - 'common': ( - 'options' - ), - 'node': ( - 'log_driver', - 'log_options' - ) - } - if 'docker' not in facts: - facts['docker'] = {} - # pylint: disable=consider-iterating-dictionary - for role in params.keys(): - if role in facts: - for param in params[role]: - old_param = 'docker_' + param - if old_param in facts[role]: - facts['docker'][param] = facts[role].pop(old_param) - - if 'node' in facts and 'portal_net' in facts['node']: - facts['docker']['hosted_registry_network'] = facts['node'].pop('portal_net') - - # log_options was originally meant to be a comma separated string, but - # we now prefer an actual list, with backward compatibility: - if 'log_options' in facts['docker'] and \ - isinstance(facts['docker']['log_options'], string_types): - facts['docker']['log_options'] = facts['docker']['log_options'].split(",") - - return facts - - # TODO: We should add a generic migration function that takes source and destination # paths and does the right thing rather than one function for common, one for node, etc. def migrate_common_facts(facts): @@ -156,7 +123,6 @@ def migrate_admission_plugin_facts(facts): def migrate_local_facts(facts): """ Apply migrations of local facts """ migrated_facts = copy.deepcopy(facts) - migrated_facts = migrate_docker_facts(migrated_facts) migrated_facts = migrate_common_facts(migrated_facts) migrated_facts = migrate_node_facts(migrated_facts) migrated_facts = migrate_hosted_facts(migrated_facts) @@ -1105,6 +1071,7 @@ def get_version_output(binary, version_cmd): return output +# We may need this in the future. def get_docker_version_info(): """ Parses and returns the docker version info """ result = None @@ -1118,25 +1085,6 @@ def get_docker_version_info(): return result -def get_hosted_registry_insecure(): - """ Parses OPTIONS from /etc/sysconfig/docker to determine if the - registry is currently insecure. - """ - hosted_registry_insecure = None - if os.path.exists('/etc/sysconfig/docker'): - try: - ini_str = text_type('[root]\n' + open('/etc/sysconfig/docker', 'r').read(), 'utf-8') - ini_fp = io.StringIO(ini_str) - config = configparser.RawConfigParser() - config.readfp(ini_fp) - options = config.get('root', 'OPTIONS') - if 'insecure-registry' in options: - hosted_registry_insecure = True - except Exception: # pylint: disable=broad-except - pass - return hosted_registry_insecure - - def get_openshift_version(facts): """ Get current version of openshift on the host. @@ -1588,13 +1536,6 @@ def set_container_facts_if_unset(facts): deployer_image = 'openshift/origin-deployer' facts['common']['is_atomic'] = os.path.isfile('/run/ostree-booted') - # If openshift_docker_use_system_container is set and is True .... - if 'use_system_container' in list(facts['docker'].keys()): - # use safe_get_bool as the inventory variable may not be a - # valid boolean on it's own. - if safe_get_bool(facts['docker']['use_system_container']): - # ... set the service name to container-engine - facts['docker']['service_name'] = 'container-engine' if 'is_containerized' not in facts['common']: facts['common']['is_containerized'] = facts['common']['is_atomic'] @@ -1689,7 +1630,6 @@ class OpenShiftFacts(object): 'buildoverrides', 'cloudprovider', 'common', - 'docker', 'etcd', 'hosted', 'master', @@ -1850,25 +1790,6 @@ class OpenShiftFacts(object): local_quota_per_fsgroup="", set_node_ip=False) - if 'docker' in roles: - docker = dict(disable_push_dockerhub=False, - options='--log-driver=journald') - # NOTE: This is a workaround for a dnf output racecondition that can occur in - # some situations. See https://bugzilla.redhat.com/show_bug.cgi?id=918184 - if self.system_facts['ansible_pkg_mgr'] == 'dnf': - rpm_rebuilddb() - - version_info = get_docker_version_info() - if version_info is not None: - docker['api_version'] = version_info['api_version'] - docker['version'] = version_info['version'] - docker['gte_1_10'] = LooseVersion(version_info['version']) >= LooseVersion('1.10') - hosted_registry_insecure = get_hosted_registry_insecure() - if hosted_registry_insecure is not None: - docker['hosted_registry_insecure'] = hosted_registry_insecure - docker['service_name'] = 'docker' - defaults['docker'] = docker - if 'cloudprovider' in roles: defaults['cloudprovider'] = dict(kind=None) @@ -2226,12 +2147,6 @@ class OpenShiftFacts(object): additive_facts_to_overwrite, protected_facts_to_overwrite) - if 'docker' in new_local_facts: - # Convert legacy log_options comma sep string to a list if present: - if 'log_options' in new_local_facts['docker'] and \ - isinstance(new_local_facts['docker']['log_options'], string_types): - new_local_facts['docker']['log_options'] = new_local_facts['docker']['log_options'].split(',') - new_local_facts = self.remove_empty_facts(new_local_facts) if new_local_facts != local_facts: diff --git a/roles/openshift_hosted/tasks/registry.yml b/roles/openshift_hosted/tasks/registry.yml index 9f2ef4e40..e2e06594b 100644 --- a/roles/openshift_hosted/tasks/registry.yml +++ b/roles/openshift_hosted/tasks/registry.yml @@ -101,7 +101,7 @@ static: no run_once: true when: - - not (openshift.docker.hosted_registry_insecure | default(false) | bool) + - not (openshift_docker_hosted_registry_insecure | default(False)) | bool - include: storage/object_storage.yml static: no diff --git a/roles/openshift_loadbalancer/defaults/main.yml b/roles/openshift_loadbalancer/defaults/main.yml index 239b16427..f9c16ba40 100644 --- a/roles/openshift_loadbalancer/defaults/main.yml +++ b/roles/openshift_loadbalancer/defaults/main.yml @@ -26,6 +26,8 @@ r_openshift_loadbalancer_os_firewall_allow: port: "{{ nuage_mon_rest_server_port | default(9443) }}/tcp" cond: "{{ r_openshift_lb_use_nuage | bool }}" +openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}" + # NOTE # r_openshift_lb_use_nuage_default may be defined external to this role. # openshift_use_nuage, if defined, may affect other roles or play behavior. diff --git a/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2 b/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2 index 72182fcdd..57121447d 100644 --- a/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2 +++ b/roles/openshift_loadbalancer/templates/haproxy.docker.service.j2 @@ -1,7 +1,7 @@ [Unit] -After={{ openshift.docker.service_name }}.service -Requires={{ openshift.docker.service_name }}.service -PartOf={{ openshift.docker.service_name }}.service +After={{ openshift_docker_service_name }}.service +Requires={{ openshift_docker_service_name }}.service +PartOf={{ openshift_docker_service_name }}.service [Service] ExecStartPre=-/usr/bin/docker rm -f openshift_loadbalancer @@ -14,4 +14,4 @@ Restart=always RestartSec=5s [Install] -WantedBy={{ openshift.docker.service_name }}.service +WantedBy={{ openshift_docker_service_name }}.service diff --git a/roles/openshift_management/defaults/main.yml b/roles/openshift_management/defaults/main.yml index 8ba65b386..e768961ce 100644 --- a/roles/openshift_management/defaults/main.yml +++ b/roles/openshift_management/defaults/main.yml @@ -3,6 +3,8 @@ openshift_management_project: openshift-management # Namespace/project description openshift_management_project_description: CloudForms Management Engine +# Number of retries when waiting for the app to start (retried every 30 seconds) +openshift_management_pod_rollout_retries: 30 ###################################################################### # BASE TEMPLATE AND DATABASE OPTIONS diff --git a/roles/openshift_management/tasks/main.yml b/roles/openshift_management/tasks/main.yml index 9be923a57..3bade9e8c 100644 --- a/roles/openshift_management/tasks/main.yml +++ b/roles/openshift_management/tasks/main.yml @@ -88,9 +88,9 @@ create: True params: "{{ openshift_management_template_parameters }}" -- name: Wait for the app to come up. May take several minutes, 30s check intervals, 10m max +- name: Wait for the app to come up. May take several minutes, 30s check intervals, {{ openshift_management_pod_rollout_retries }} retries command: "oc logs {{ openshift_management_flavor }}-0 -n {{ openshift_management_project }}" register: app_seeding_logs until: app_seeding_logs.stdout.find('Server starting complete') != -1 delay: 30 - retries: 20 + retries: "{{ openshift_management_pod_rollout_retries }}" diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index 8e4a46ebb..38b2fd8b8 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml @@ -52,6 +52,8 @@ openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | containerized_svc_dir: "/usr/lib/systemd/system" ha_svc_template_path: "native-cluster" +openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}" + # NOTE # r_openshift_master_*_default may be defined external to this role. # openshift_use_*, if defined, may affect other roles or play behavior. diff --git a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2 b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2 index 5d4a99c97..cec3d3fb1 100644 --- a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2 +++ b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-api.service.j2 @@ -4,9 +4,9 @@ Documentation=https://github.com/openshift/origin After=etcd_container.service Wants=etcd_container.service Before={{ openshift.common.service_type }}-node.service -After={{ openshift.docker.service_name }}.service -PartOf={{ openshift.docker.service_name }}.service -Requires={{ openshift.docker.service_name }}.service +After={{ openshift_docker_service_name }}.service +PartOf={{ openshift_docker_service_name }}.service +Requires={{ openshift_docker_service_name }}.service [Service] EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-api @@ -33,5 +33,5 @@ Restart=always RestartSec=5s [Install] -WantedBy={{ openshift.docker.service_name }}.service +WantedBy={{ openshift_docker_service_name }}.service WantedBy={{ openshift.common.service_type }}-node.service diff --git a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2 b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2 index f93f3b565..a0248151d 100644 --- a/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2 +++ b/roles/openshift_master/templates/docker-cluster/atomic-openshift-master-controllers.service.j2 @@ -3,9 +3,9 @@ Description=Atomic OpenShift Master Controllers Documentation=https://github.com/openshift/origin Wants={{ openshift.common.service_type }}-master-api.service After={{ openshift.common.service_type }}-master-api.service -After={{ openshift.docker.service_name }}.service -Requires={{ openshift.docker.service_name }}.service -PartOf={{ openshift.docker.service_name }}.service +After={{ openshift_docker_service_name }}.service +Requires={{ openshift_docker_service_name }}.service +PartOf={{ openshift_docker_service_name }}.service [Service] EnvironmentFile=/etc/sysconfig/{{ openshift.common.service_type }}-master-controllers @@ -32,4 +32,4 @@ Restart=always RestartSec=5s [Install] -WantedBy={{ openshift.docker.service_name }}.service +WantedBy={{ openshift_docker_service_name }}.service diff --git a/roles/openshift_node/defaults/main.yml b/roles/openshift_node/defaults/main.yml index 5a0c09f5c..f3867fe4a 100644 --- a/roles/openshift_node/defaults/main.yml +++ b/roles/openshift_node/defaults/main.yml @@ -101,8 +101,11 @@ oreg_host: "{{ oreg_url.split('/')[0] if (oreg_url is defined and '.' in oreg_ur oreg_auth_credentials_path: "{{ openshift_node_data_dir }}/.docker" oreg_auth_credentials_replace: False l_bind_docker_reg_auth: False +openshift_use_crio: False openshift_docker_alternative_creds: "{{ (openshift_docker_use_system_container | default(False)) or (openshift_use_crio_only | default(False)) }}" +openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}" + # NOTE # r_openshift_node_*_default may be defined external to this role. # openshift_use_*, if defined, may affect other roles or play behavior. diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index 927d107c6..70057c7f3 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml @@ -17,7 +17,6 @@ dependencies: - role: lib_openshift - role: lib_os_firewall when: not (openshift_node_upgrade_in_progress | default(False)) -- role: openshift_docker - role: openshift_cloud_provider when: not (openshift_node_upgrade_in_progress | default(False)) - role: lib_utils diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index d46b1f9c3..e60d96760 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml @@ -4,7 +4,7 @@ when: - (not ansible_selinux or ansible_selinux.status != 'enabled') - deployment_type == 'openshift-enterprise' - - not openshift_use_crio | default(false) + - not openshift_use_crio - include: dnsmasq.yml @@ -49,7 +49,7 @@ name: cri-o enabled: yes state: restarted - when: openshift_use_crio | default(false) + when: openshift_use_crio - name: restart NetworkManager to ensure resolv.conf is present systemd: diff --git a/roles/openshift_node/tasks/node_system_container.yml b/roles/openshift_node/tasks/node_system_container.yml index 73dc9e130..eb8d9a6a5 100644 --- a/roles/openshift_node/tasks/node_system_container.yml +++ b/roles/openshift_node/tasks/node_system_container.yml @@ -16,6 +16,6 @@ image: "{{ 'docker:' if system_images_registry == 'docker' else system_images_registry + '/' }}{{ openshift.node.node_system_image }}:{{ openshift_image_tag }}" values: - "DNS_DOMAIN={{ openshift.common.dns_domain }}" - - "DOCKER_SERVICE={{ openshift.docker.service_name }}.service" + - "DOCKER_SERVICE={{ openshift_docker_service_name }}.service" - "MASTER_SERVICE={{ openshift.common.service_type }}.service" state: latest diff --git a/roles/openshift_node/tasks/openvswitch_system_container.yml b/roles/openshift_node/tasks/openvswitch_system_container.yml index 8c3548475..d33e172c1 100644 --- a/roles/openshift_node/tasks/openvswitch_system_container.yml +++ b/roles/openshift_node/tasks/openvswitch_system_container.yml @@ -1,14 +1,11 @@ --- - set_fact: - l_use_crio: "{{ openshift_use_crio | default(false) }}" - -- set_fact: l_service_name: "cri-o" - when: l_use_crio + when: openshift_use_crio - set_fact: - l_service_name: "{{ openshift.docker.service_name }}" - when: not l_use_crio + l_service_name: "{{ openshift_docker_service_name }}" + when: not openshift_use_crio - name: Ensure proxies are in the atomic.conf include_role: diff --git a/roles/openshift_node/tasks/upgrade/restart.yml b/roles/openshift_node/tasks/upgrade/restart.yml index a4fa51172..3f1abceab 100644 --- a/roles/openshift_node/tasks/upgrade/restart.yml +++ b/roles/openshift_node/tasks/upgrade/restart.yml @@ -13,19 +13,15 @@ - name: Reload systemd to ensure latest unit files command: systemctl daemon-reload -- name: Restart docker +- name: Restart container runtime service: - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" state: started register: docker_start_result until: not docker_start_result | failed retries: 3 delay: 30 -- name: Update docker facts - openshift_facts: - role: docker - - name: Start services service: name={{ item }} state=started with_items: diff --git a/roles/openshift_node/templates/node.service.j2 b/roles/openshift_node/templates/node.service.j2 index 7602d8ee6..da751bd65 100644 --- a/roles/openshift_node/templates/node.service.j2 +++ b/roles/openshift_node/templates/node.service.j2 @@ -1,14 +1,14 @@ [Unit] Description=OpenShift Node -After={{ openshift.docker.service_name }}.service +After={{ openshift_docker_service_name }}.service Wants=openvswitch.service After=ovsdb-server.service After=ovs-vswitchd.service -Wants={{ openshift.docker.service_name }}.service +Wants={{ openshift_docker_service_name }}.service Documentation=https://github.com/openshift/origin Requires=dnsmasq.service After=dnsmasq.service -{% if openshift_use_crio|default(false) %}Wants=cri-o.service{% endif %} +{% if openshift_use_crio %}Wants=cri-o.service{% endif %} [Service] Type=notify diff --git a/roles/openshift_node/templates/node.yaml.v1.j2 b/roles/openshift_node/templates/node.yaml.v1.j2 index d452cc45c..16fdde02e 100644 --- a/roles/openshift_node/templates/node.yaml.v1.j2 +++ b/roles/openshift_node/templates/node.yaml.v1.j2 @@ -16,7 +16,7 @@ imageConfig: latest: {{ openshift_node_image_config_latest }} kind: NodeConfig kubeletArguments: {{ openshift.node.kubelet_args | default(None) | to_padded_yaml(level=1) }} -{% if openshift_use_crio | default(False) %} +{% if openshift_use_crio %} container-runtime: - remote container-runtime-endpoint: diff --git a/roles/openshift_node/templates/openshift.docker.node.dep.service b/roles/openshift_node/templates/openshift.docker.node.dep.service index fa7238849..5964ac095 100644 --- a/roles/openshift_node/templates/openshift.docker.node.dep.service +++ b/roles/openshift_node/templates/openshift.docker.node.dep.service @@ -1,9 +1,9 @@ [Unit] -Requires={{ openshift.docker.service_name }}.service -After={{ openshift.docker.service_name }}.service +Requires={{ openshift_docker_service_name }}.service +After={{ openshift_docker_service_name }}.service PartOf={{ openshift.common.service_type }}-node.service Before={{ openshift.common.service_type }}-node.service -{% if openshift_use_crio|default(false) %}Wants=cri-o.service{% endif %} +{% if openshift_use_crio %}Wants=cri-o.service{% endif %} [Service] ExecStart=/bin/bash -c "if [[ -f /usr/bin/docker-current ]]; then echo \"DOCKER_ADDTL_BIND_MOUNTS=--volume=/usr/bin/docker-current:/usr/bin/docker-current:ro --volume=/etc/sysconfig/docker:/etc/sysconfig/docker:ro --volume=/etc/containers/registries:/etc/containers/registries:ro\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; else echo \"#DOCKER_ADDTL_BIND_MOUNTS=\" > /etc/sysconfig/{{ openshift.common.service_type }}-node-dep; fi" diff --git a/roles/openshift_node/templates/openshift.docker.node.service b/roles/openshift_node/templates/openshift.docker.node.service index 561aa01f4..3b33ca542 100644 --- a/roles/openshift_node/templates/openshift.docker.node.service +++ b/roles/openshift_node/templates/openshift.docker.node.service @@ -1,9 +1,9 @@ [Unit] After={{ openshift.common.service_type }}-master.service -After={{ openshift.docker.service_name }}.service +After={{ openshift_docker_service_name }}.service After=openvswitch.service -PartOf={{ openshift.docker.service_name }}.service -Requires={{ openshift.docker.service_name }}.service +PartOf={{ openshift_docker_service_name }}.service +Requires={{ openshift_docker_service_name }}.service {% if openshift_node_use_openshift_sdn %} Wants=openvswitch.service PartOf=openvswitch.service @@ -26,7 +26,7 @@ ExecStart=/usr/bin/docker run --name {{ openshift.common.service_type }}-node \ --rm --privileged --net=host --pid=host --env-file=/etc/sysconfig/{{ openshift.common.service_type }}-node \ -v /:/rootfs:ro,rslave -e CONFIG_FILE=${CONFIG_FILE} -e OPTIONS=${OPTIONS} \ -e HOST=/rootfs -e HOST_ETC=/host-etc \ - -v {{ openshift_node_data_dir }}:{{ openshift_node_data_dir }}{{ ':rslave' if openshift.docker.gte_1_10 | default(False) | bool else '' }} \ + -v {{ openshift_node_data_dir }}:{{ openshift_node_data_dir }}:rslave \ -v {{ openshift.common.config_base }}/node:{{ openshift.common.config_base }}/node \ {% if openshift_cloudprovider_kind | default('') != '' -%} -v {{ openshift.common.config_base }}/cloudprovider:{{ openshift.common.config_base}}/cloudprovider {% endif -%} \ -v /etc/localtime:/etc/localtime:ro -v /etc/machine-id:/etc/machine-id:ro \ @@ -48,4 +48,4 @@ Restart=always RestartSec=5s [Install] -WantedBy={{ openshift.docker.service_name }}.service +WantedBy={{ openshift_docker_service_name }}.service diff --git a/roles/openshift_node/templates/openvswitch.docker.service b/roles/openshift_node/templates/openvswitch.docker.service index 34aaaabd6..37f091c76 100644 --- a/roles/openshift_node/templates/openvswitch.docker.service +++ b/roles/openshift_node/templates/openvswitch.docker.service @@ -1,7 +1,7 @@ [Unit] -After={{ openshift.docker.service_name }}.service -Requires={{ openshift.docker.service_name }}.service -PartOf={{ openshift.docker.service_name }}.service +After={{ openshift_docker_service_name }}.service +Requires={{ openshift_docker_service_name }}.service +PartOf={{ openshift_docker_service_name }}.service [Service] EnvironmentFile=/etc/sysconfig/openvswitch @@ -14,4 +14,4 @@ Restart=always RestartSec=5s [Install] -WantedBy={{ openshift.docker.service_name }}.service +WantedBy={{ openshift_docker_service_name }}.service diff --git a/roles/openshift_node_certificates/defaults/main.yml b/roles/openshift_node_certificates/defaults/main.yml index 455f26f30..b42b75be9 100644 --- a/roles/openshift_node_certificates/defaults/main.yml +++ b/roles/openshift_node_certificates/defaults/main.yml @@ -1,3 +1,5 @@ --- openshift_node_cert_expire_days: 730 openshift_ca_host: '' + +openshift_docker_service_name: "{{ 'container-engine' if (openshift_docker_use_system_container | default(False)) else 'docker' }}" diff --git a/roles/openshift_node_certificates/handlers/main.yml b/roles/openshift_node_certificates/handlers/main.yml index ef66bf9ca..0686ac101 100644 --- a/roles/openshift_node_certificates/handlers/main.yml +++ b/roles/openshift_node_certificates/handlers/main.yml @@ -6,7 +6,7 @@ - name: check for container runtime after updating ca trust command: > - systemctl -q is-active {{ openshift.docker.service_name }}.service + systemctl -q is-active {{ openshift_docker_service_name }}.service register: l_docker_installed # An rc of 0 indicates that the container runtime service is # running. We will restart it by notifying the restart handler since @@ -18,7 +18,7 @@ - name: restart container runtime after updating ca trust systemd: - name: "{{ openshift.docker.service_name }}" + name: "{{ openshift_docker_service_name }}" state: restarted when: not openshift_certificates_redeploy | default(false) | bool register: l_docker_restart_docker_in_cert_result diff --git a/roles/openshift_node_facts/tasks/main.yml b/roles/openshift_node_facts/tasks/main.yml index d33d09980..c234a3000 100644 --- a/roles/openshift_node_facts/tasks/main.yml +++ b/roles/openshift_node_facts/tasks/main.yml @@ -15,7 +15,6 @@ kubelet_args: "{{ openshift_node_kubelet_args | default(None) }}" labels: "{{ openshift_node_labels | default(None) }}" registry_url: "{{ oreg_url_node | default(oreg_url) | default(None) }}" - sdn_mtu: "{{ openshift_node_sdn_mtu | default(None) }}" storage_plugin_deps: "{{ osn_storage_plugin_deps | default(None) }}" set_node_ip: "{{ openshift_set_node_ip | default(None) }}" node_image: "{{ osn_image | default(None) }}" diff --git a/roles/openshift_version/meta/main.yml b/roles/openshift_version/meta/main.yml index 38b398343..5d7683120 100644 --- a/roles/openshift_version/meta/main.yml +++ b/roles/openshift_version/meta/main.yml @@ -12,7 +12,4 @@ galaxy_info: categories: - cloud dependencies: -- role: openshift_docker_facts -- role: docker - when: openshift.common.is_containerized | default(False) | bool and not skip_docker_role | default(False) | bool - role: lib_utils diff --git a/roles/openshift_version/tasks/set_version_containerized.yml b/roles/openshift_version/tasks/set_version_containerized.yml index 574e89899..71f957b78 100644 --- a/roles/openshift_version/tasks/set_version_containerized.yml +++ b/roles/openshift_version/tasks/set_version_containerized.yml @@ -1,7 +1,4 @@ --- -- set_fact: - l_use_crio_only: "{{ openshift_use_crio_only | default(false) }}" - - name: Set containerized version to configure if openshift_image_tag specified set_fact: # Expects a leading "v" in inventory, strip it off here unless @@ -24,7 +21,7 @@ register: cli_image_version when: - openshift_version is not defined - - not l_use_crio_only + - not openshift_use_crio_only # Origin latest = pre-release version (i.e. v1.3.0-alpha.1-321-gb095e3a) - set_fact: @@ -33,7 +30,7 @@ - openshift_version is not defined - openshift.common.deployment_type == 'origin' - cli_image_version.stdout_lines[0].split('-') | length > 1 - - not l_use_crio_only + - not openshift_use_crio_only - set_fact: openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}" @@ -48,14 +45,14 @@ when: - openshift_version is defined - openshift_version.split('.') | length == 2 - - not l_use_crio_only + - not openshift_use_crio_only - set_fact: openshift_version: "{{ cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0:2][1:] | join('-') if openshift.common.deployment_type == 'origin' else cli_image_version.stdout_lines[0].split(' ')[1].split('-')[0][1:] }}" when: - openshift_version is defined - openshift_version.split('.') | length == 2 - - not l_use_crio_only + - not openshift_use_crio_only # TODO: figure out a way to check for the openshift_version when using CRI-O. # We should do that using the images in the ostree storage so we don't have |