12 files changed, 67 insertions, 53 deletions
| diff --git a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml index 3fd97ac14..12e2edfb9 100644 --- a/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml +++ b/playbooks/common/openshift-cluster/upgrades/v3_1_to_v3_2/post.yml @@ -10,6 +10,7 @@      router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) | replace ( '${version}', 'v' + g_new_version ) }}"      oc_cmd: "{{ openshift.common.client_binary }} --config={{ openshift.common.config_base }}/master/admin.kubeconfig"    roles: +  - openshift_manageiq    # Create the new templates shipped in 3.2, existing templates are left    # unmodified. This prevents the subsequent role definition for    # openshift_examples from failing when trying to replace templates that do diff --git a/roles/openshift_common/meta/main.yml b/roles/openshift_common/meta/main.yml index 02150406d..f1cf3e161 100644 --- a/roles/openshift_common/meta/main.yml +++ b/roles/openshift_common/meta/main.yml @@ -12,6 +12,5 @@ galaxy_info:    categories:    - cloud  dependencies: -- role: os_firewall  - role: openshift_facts  - role: openshift_repos diff --git a/roles/openshift_manageiq/tasks/main.yaml b/roles/openshift_manageiq/tasks/main.yaml index 2a651df65..de0a7000e 100644 --- a/roles/openshift_manageiq/tasks/main.yaml +++ b/roles/openshift_manageiq/tasks/main.yaml 
@@ -59,6 +59,16 @@    failed_when: "'already exists' not in osmiq_perm_task.stderr and osmiq_perm_task.rc != 0"    changed_when: osmiq_perm_task.rc == 0 +- name: Configure 3_2 role/user permissions +  command: > +    {{ openshift.common.admin_binary }} {{item}} +    --config={{manage_iq_tmp_conf}} +  with_items: "{{manage_iq_openshift_3_2_tasks}}" +  register: osmiq_perm_3_2_task +  failed_when: osmiq_perm_3_2_task.rc != 0 +  changed_when: osmiq_perm_3_2_task.rc == 0 +  when: openshift.common.version_gte_3_2_or_1_2 | bool +  - name: Clean temporary configuration file    command: >      rm -f {{manage_iq_tmp_conf}} diff --git a/roles/openshift_manageiq/vars/main.yml b/roles/openshift_manageiq/vars/main.yml index 69ee2cb4c..b2aed79c7 100644 --- a/roles/openshift_manageiq/vars/main.yml +++ b/roles/openshift_manageiq/vars/main.yml @@ -30,3 +30,6 @@ manage_iq_tasks:      - policy add-scc-to-user privileged system:serviceaccount:management-infra:management-admin      - policy add-cluster-role-to-user system:image-puller system:serviceaccount:management-infra:inspector-admin      - policy add-scc-to-user privileged system:serviceaccount:management-infra:inspector-admin + +manage_iq_openshift_3_2_tasks: +    - policy add-cluster-role-to-user system:image-auditor system:serviceaccount:management-infra:management-admin diff --git a/roles/openshift_master/defaults/main.yml b/roles/openshift_master/defaults/main.yml index 16df984f9..dbd62c80f 100644 --- a/roles/openshift_master/defaults/main.yml +++ b/roles/openshift_master/defaults/main.yml 
@@ -1,40 +1,4 @@  ---  openshift_node_ips: [] -  # TODO: update setting these values based on the facts -os_firewall_allow: -- service: etcd embedded -  port: 4001/tcp -- service: api server https -  port: "{{ openshift.master.api_port }}/tcp" -- service: api controllers https -  port: "{{ openshift.master.controllers_port }}/tcp" -- service: skydns tcp -  port: "{{ openshift.master.dns_port }}/tcp" -- service: skydns udp -  port: "{{ openshift.master.dns_port }}/udp" -# On HA masters version_gte facts are not properly set so open port 53 -# whenever we're not certain of the need -- service: legacy skydns tcp -  port: "53/tcp" -  when: "{{ 'version' not in openshift.common or openshift.common.version == None }}" -- service: legacy skydns udp -  port: "53/udp" -  when: "{{ 'version' not in openshift.common or openshift.common.version == None }}" -- service: Fluentd td-agent tcp -  port: 24224/tcp -- service: Fluentd td-agent udp -  port: 24224/udp -- service: pcsd -  port: 2224/tcp -- service: Corosync UDP -  port: 5404/udp -- service: Corosync UDP -  port: 5405/udp -os_firewall_deny: -- service: api server http -  port: 8080/tcp -- service: former etcd peer port -  port: 7001/tcp -  openshift_version: "{{ openshift_pkg_version | default(openshift_image_tag | default(openshift.docker.openshift_image_tag | default(''))) }}" diff --git a/roles/openshift_master/meta/main.yml b/roles/openshift_master/meta/main.yml index e882e0b8b..d8834d27f 100644 --- a/roles/openshift_master/meta/main.yml +++ b/roles/openshift_master/meta/main.yml 
@@ -18,3 +18,25 @@ dependencies:
 - role: openshift_builddefaults
 - role: openshift_master_facts
 - role: openshift_hosted_facts
+- role: os_firewall
+  os_firewall_allow:
+  - service: etcd embedded
+    port: 4001/tcp
+  - service: api server https
+    port: "{{ openshift.master.api_port }}/tcp"
+  - service: api controllers https
+    port: "{{ openshift.master.controllers_port }}/tcp"
+  - service: skydns tcp
+    port: "{{ openshift.master.dns_port }}/tcp"
+  - service: skydns udp
+    port: "{{ openshift.master.dns_port }}/udp"
+  - service: Fluentd td-agent tcp
+    port: 24224/tcp
+  - service: Fluentd td-agent udp
+    port: 24224/udp
+  - service: pcsd
+    port: 2224/tcp
+  - service: Corosync UDP
+    port: 5404/udp
+  - service: Corosync UDP
+    port: 5405/udp
diff --git a/roles/openshift_master/templates/atomic-openshift-master.j2 b/roles/openshift_master/templates/atomic-openshift-master.j2
index 4cf632841..026787421 100644
--- a/roles/openshift_master/templates/atomic-openshift-master.j2
+++ b/roles/openshift_master/templates/atomic-openshift-master.j2
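Review bot: The `os_firewall_deny` list that the defaults/main.yml hunk removes (api server http 8080/tcp and former etcd peer port 7001/tcp) is not carried over into the new `os_firewall` role parameters here, so unless the os_firewall role's own defaults deny those ports the master loses its explicit block on the plaintext API port and the legacy etcd peer port. The conditional legacy skydns 53/tcp and 53/udp allow rules are dropped as well; if that is intentional (DNS moving to another port, as the 99-origin-dns.sh comment hunk suggests) it is worth saying so in the commit message, since nothing in this role records it. The deny rules can be passed alongside the allow list in the same dependency entry.
```yaml
- role: os_firewall
  # … unchanged: os_firewall_allow list …
  os_firewall_deny:
  - service: api server http
    port: 8080/tcp
  - service: former etcd peer port
    port: 7001/tcp
```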
@@ -12,11 +12,11 @@ AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }}  # Proxy configuration  # See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy  {% if 'http_proxy' in openshift.common %} -HTTP_PROXY='{{ openshift.common.http_proxy | default('') }}' +HTTP_PROXY={{ openshift.common.http_proxy | default('') }}  {% endif %}  {% if 'https_proxy' in openshift.common %} -HTTPS_PROXY='{{ openshift.common.https_proxy | default('')}}' +HTTPS_PROXY={{ openshift.common.https_proxy | default('')}}  {% endif %}  {% if 'no_proxy' in openshift.common %} -NO_PROXY='{{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}' +NO_PROXY={{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}  {% endif %} diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 index 01a8428a0..02c22e374 100644 --- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 +++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-api.j2 
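Review bot: The single quotes around HTTP_PROXY, HTTPS_PROXY and NO_PROXY are dropped without a comment recording why, and the identical edit appears in the native-cluster atomic-openshift-master-api.j2 and atomic-openshift-master-controllers.j2 templates. Presumably the consumer of this sysconfig file does not strip the quotes and they ended up inside the proxy values; if so, a comment above the `{% if 'http_proxy' ... %}` block such as `# proxy values are intentionally unquoted: the consumer reads this file verbatim, so keep them free of whitespace` would stop the next maintainer from re-adding them. Without the quotes a value containing whitespace or a trailing backslash is no longer delimited, which is worth noting if such values can reach openshift.common.http_proxy.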
@@ -12,11 +12,11 @@ AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }}  # Proxy configuration  # See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy  {% if 'http_proxy' in openshift.common %} -HTTP_PROXY='{{ openshift.common.http_proxy | default('') }}' +HTTP_PROXY={{ openshift.common.http_proxy | default('') }}  {% endif %}  {% if 'https_proxy' in openshift.common %} -HTTPS_PROXY='{{ openshift.common.https_proxy | default('')}}' +HTTPS_PROXY={{ openshift.common.https_proxy | default('')}}  {% endif %}  {% if 'no_proxy' in openshift.common %} -NO_PROXY='{{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}' +NO_PROXY={{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}  {% endif %} diff --git a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 index 89ccb1eed..644640577 100644 --- a/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 +++ b/roles/openshift_master/templates/native-cluster/atomic-openshift-master-controllers.j2 
@@ -12,11 +12,11 @@ AWS_SECRET_ACCESS_KEY={{ openshift.cloudprovider.aws.secret_key }}  # Proxy configuration  # See https://docs.openshift.com/enterprise/latest/install_config/install/advanced_install.html#configuring-global-proxy  {% if 'http_proxy' in openshift.common %} -HTTP_PROXY='{{ openshift.common.http_proxy | default('') }}' +HTTP_PROXY={{ openshift.common.http_proxy | default('') }}  {% endif %}  {% if 'https_proxy' in openshift.common %} -HTTPS_PROXY='{{ openshift.common.https_proxy | default('')}}' +HTTPS_PROXY={{ openshift.common.https_proxy | default('')}}  {% endif %}  {% if 'no_proxy' in openshift.common %} -NO_PROXY='{{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}' +NO_PROXY={{ openshift.common.no_proxy | default('') | join(',') }},{{ openshift.common.portal_net }},{{ openshift.master.sdn_cluster_network_cidr }}  {% endif %} diff --git a/roles/openshift_node/meta/main.yml b/roles/openshift_node/meta/main.yml index ca0c332ea..db1776632 100644 --- a/roles/openshift_node/meta/main.yml +++ b/roles/openshift_node/meta/main.yml @@ -17,4 +17,5 @@ dependencies:  - role: openshift_common  - role: openshift_node_dnsmasq    when: openshift.common.use_dnsmasq +- role: os_firewall diff --git a/roles/openshift_node/tasks/main.yml b/roles/openshift_node/tasks/main.yml index 06fde88af..be70a170d 100644 --- a/roles/openshift_node/tasks/main.yml +++ b/roles/openshift_node/tasks/main.yml 
@@ -112,6 +112,17 @@  - name: Start and enable node    service: name={{ openshift.common.service_type }}-node enabled=yes state=started    register: node_start_result +  ignore_errors: yes +   +- name: Check logs on failure +  command: journalctl -xe +  register: node_failure +  when: node_start_result | failed +   +- name: Dump failure information +  debug: var=node_failure +  when: node_start_result | failed +    - set_fact:      node_service_status_changed: "{{ node_start_result | changed }}" diff --git a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh index 691fa32f3..09bae1777 100755 --- a/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh +++ b/roles/openshift_node_dnsmasq/files/networkmanager/99-origin-dns.sh @@ -8,10 +8,12 @@  # a pod would fail.  #  # To use this, -# Drop this script in /etc/NetworkManager/dispatcher.d/ -# systemctl restart NetworkManager -# Configure node-config.yaml to set dnsIP: to the ip address of this -# node +# - If this host is also a master, reconfigure master dnsConfig to listen on +#   8053 to avoid conflicts on port 53 and open port 8053 in the firewall +# - Drop this script in /etc/NetworkManager/dispatcher.d/ +# - systemctl restart NetworkManager +# - Configure node-config.yaml to set dnsIP: to the ip address of this +#   node  #  # Test it:  # host kubernetes.default.svc.cluster.local @@ -31,7 +33,8 @@ if [[ $2 =~ ^(up|dhcp4-change)$ ]]; then    def_route=$(/sbin/ip route list match 0.0.0.0/0 | awk '{print $3 }')    def_route_int=$(/sbin/ip route get to ${def_route} | awk '{print $3}')    def_route_ip=$(/sbin/ip route get to ${def_route} | awk '{print $5}') -  if [[ ${DEVICE_IFACE} == ${def_route_int} ]]; then +  if [[ ${DEVICE_IFACE} == ${def_route_int} && \ +       -n "${IP4_NAMESERVERS}" ]]; then      if [ ! -f /etc/dnsmasq.d/origin-dns.conf ]; then        cat << EOF > /etc/dnsmasq.d/origin-dns.conf  strict-order 
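Review bot: With `ignore_errors: yes` on the service task, a node that fails to start is only logged by the two new tasks and the play then continues into `set_fact` and everything after it as if the node were running; the debug task needs to be followed by an explicit `fail:` task under the same `when: node_start_result | failed`. `journalctl -xe` also dumps the tail of the whole journal rather than the node unit, so the captured output is noisier and may include unrelated entries from other services; scoping it with `-u {{ openshift.common.service_type }}-node` keeps the dump relevant. The two added lines that consist only of spaces (`+   `) should be empty lines. The rewritten tasks follow; the Start task itself is unchanged.
```yaml
- name: Check logs on failure
  command: journalctl --no-pager -u {{ openshift.common.service_type }}-node -n 100
  register: node_failure
  when: node_start_result | failed

# … unchanged: Dump failure information …

- name: Fail when the node service did not start
  fail:
    msg: "{{ openshift.common.service_type }}-node failed to start; see node_failure above"
  when: node_start_result | failed
```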
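Review bot: In the extended test `[[ ${DEVICE_IFACE} == ${def_route_int} && -n "${IP4_NAMESERVERS}" ]]` the right-hand side of `==` is unquoted, so it is matched as a glob pattern rather than compared literally, and both operands are left unquoted while the new `-n` operand is quoted; quoting them consistently, `if [[ "${DEVICE_IFACE}" == "${def_route_int}" && -n "${IP4_NAMESERVERS}" ]]; then`, makes the comparison literal and also covers the case where `ip route get` produced nothing. The `\` continuation is not needed inside `[[ ]]` after `&&`, but it is harmless. The enclosing `if [[ $2 =~ ... ]]` block begins and ends outside this hunk.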
@@ -42,8 +45,8 @@ server=/30.172.in-addr.arpa/172.30.0.1  EOF      fi      # zero out our upstream servers list and feed it into dnsmasq -    echo '' > /etc/dnsmasq.d/origin-upstream-dns.conf -    for ns in ${DHCP4_DOMAIN_NAME_SERVERS}; do +    echo -n > /etc/dnsmasq.d/origin-upstream-dns.conf +    for ns in ${IP4_NAMESERVERS}; do         echo "server=${ns}" >> /etc/dnsmasq.d/origin-upstream-dns.conf      done      systemctl restart dnsmasq | 
