18 files changed, 157 insertions, 60 deletions

diff --git a/.tito/packages/openshift-ansible b/.tito/packages/openshift-ansible
index d9999ac9f..200f8d7f3 100644
--- a/.tito/packages/openshift-ansible
+++ b/.tito/packages/openshift-ansible
@@ -1 +1 @@
-3.6.67-1 ./
+3.6.68-1 ./
diff --git a/inventory/byo/hosts.origin.example b/inventory/byo/hosts.origin.example
index 6ec8b9317..20f342023 100644
--- a/inventory/byo/hosts.origin.example
+++ b/inventory/byo/hosts.origin.example
@@ -30,17 +30,17 @@ openshift_deployment_type=origin
 # use this to lookup the latest exact version of the container images, which is the tag actually used to configure
 # the cluster. For RPM installations we just verify the version detected in your configured repos matches this
 # release.
-openshift_release=v1.5
+openshift_release=v3.6
 
 # Specify an exact container image tag to install or configure.
 # WARNING: This value will be used for all hosts in containerized environments, even those that have another version installed.
 # This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up.
-#openshift_image_tag=v1.5.0
+#openshift_image_tag=v3.6.0
 
 # Specify an exact rpm version to install or configure.
 # WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed.
 # This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up.
-#openshift_pkg_version=-1.5.0
+#openshift_pkg_version=-3.6.0
 
 # Install the openshift examples
 #openshift_install_examples=true
@@ -568,7 +568,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_hosted_logging_elasticsearch_cluster_size=1
 # Configure the prefix and version for the component images
 #openshift_hosted_logging_deployer_prefix=docker.io/openshift/origin-
-#openshift_hosted_logging_deployer_version=1.5.0
+#openshift_hosted_logging_deployer_version=3.6.0
 
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
diff --git a/inventory/byo/hosts.ose.example b/inventory/byo/hosts.ose.example
index 05945f586..f75a47bb8 100644
--- a/inventory/byo/hosts.ose.example
+++ b/inventory/byo/hosts.ose.example
@@ -30,17 +30,17 @@ openshift_deployment_type=openshift-enterprise
 # use this to lookup the latest exact version of the container images, which is the tag actually used to configure
 # the cluster. For RPM installations we just verify the version detected in your configured repos matches this
 # release.
-openshift_release=v3.5
+openshift_release=v3.6
 
 # Specify an exact container image tag to install or configure.
 # WARNING: This value will be used for all hosts in containerized environments, even those that have another version installed.
 # This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up.
-#openshift_image_tag=v3.5.0
+#openshift_image_tag=v3.6.0
 
 # Specify an exact rpm version to install or configure.
 # WARNING: This value will be used for all hosts in RPM based environments, even those that have another version installed.
 # This could potentially trigger an upgrade and downtime, so be careful with modifying this value after the cluster is set up.
-#openshift_pkg_version=-3.5.0
+#openshift_pkg_version=-3.6.0
 
 # Install the openshift examples
 #openshift_install_examples=true
@@ -569,7 +569,7 @@ openshift_master_identity_providers=[{'name': 'htpasswd_auth', 'login': 'true',
 #openshift_hosted_logging_elasticsearch_cluster_size=1
 # Configure the prefix and version for the component images
 #openshift_hosted_logging_deployer_prefix=registry.example.com:8888/openshift3/
-#openshift_hosted_logging_deployer_version=3.5.0
+#openshift_hosted_logging_deployer_version=3.6.0
 
 # Configure the multi-tenant SDN plugin (default is 'redhat/openshift-ovs-subnet')
 # os_sdn_network_plugin_name='redhat/openshift-ovs-multitenant'
diff --git a/openshift-ansible.spec b/openshift-ansible.spec
index 016e86b85..19e6356e7 100644
--- a/openshift-ansible.spec
+++ b/openshift-ansible.spec
@@ -9,7 +9,7 @@
 %global __requires_exclude ^/usr/bin/ansible-playbook$
 
 Name:           openshift-ansible
-Version:        3.6.67
+Version:        3.6.68
 Release:        1%{?dist}
 Summary:        Openshift and Atomic Enterprise Ansible
 License:        ASL 2.0
@@ -274,6 +274,54 @@ Atomic OpenShift Utilities includes
 
 
 %changelog
+* Sat May 13 2017 Jenkins CD Merge Bot <tdawson@redhat.com> 3.6.68-1
+- Updating registry-console image version during a post_control_plane upgrade
+  (ewolinet@redhat.com)
+- Remove userland-proxy-path from daemon.json (smilner@redhat.com)
+- Fix whistespace issues in custom template (smilner@redhat.com)
+- Always add proxy items to atomic.conf (smilner@redhat.com)
+- Move container-engine systemd environment to updated location
+  (smilner@redhat.com)
+- doc: Add link to daemon.json upstream doc (smilner@redhat.com)
+- Remove unused daemon.json keys (smilner@redhat.com)
+- bug 1448860. Change recovery_after_nodes to match node_quorum
+  (jcantril@redhat.com)
+- bug 1441369. Kibana memory limits bug 1439451. Kibana crash
+  (jcantril@redhat.com)
+- Extend repoquery command (of lib_utils role) to ignore excluders
+  (jchaloup@redhat.com)
+- lower case in /etc/daemon.json and correct block-registry (ghuang@redhat.com)
+- Fix for yedit custom separators (mwoodson@redhat.com)
+- Updating 3.6 enterprise registry-console template image version
+  (ewolinet@redhat.com)
+- Default to iptables on master (sdodson@redhat.com)
+- Rename blocked-registries to block-registries (smilner@redhat.com)
+- Ensure true is lowercase in daemon.json (smilner@redhat.com)
+- use docker_log_driver and /etc/docker/daemon.json to determine log driver
+  (rmeggins@redhat.com)
+- Temporarily revert to OSEv3 host group usage (rteague@redhat.com)
+- Add service file templates for master and node (smilner@redhat.com)
+- Update systemd units to use proper container service name
+  (smilner@redhat.com)
+- polish etcd_common role (jchaloup@redhat.com)
+- Note existence of Fedora tests and how to rerun (rhcarvalho@gmail.com)
+- Fix for OpenShift SDN Check (vincent.schwarzer@yahoo.de)
+- Updating oc_obj to use get instead of getattr (ewolinet@redhat.com)
+- Updating size suffix for metrics in role (ewolinet@redhat.com)
+- GlusterFS: Allow swapping an existing registry's backend storage
+  (jarrpa@redhat.com)
+- GlusterFS: Allow for a separate registry-specific playbook
+  (jarrpa@redhat.com)
+- GlusterFS: Improve role documentation (jarrpa@redhat.com)
+- hosted_registry: Get correct pod selector for GlusterFS storage
+  (jarrpa@redhat.com)
+- hosted registry: Fix typo (jarrpa@redhat.com)
+- run excluders over selected set of hosts during control_plane/node upgrade
+  (jchaloup@redhat.com)
+- Reserve kubernetes and 'kubernetes-' prefixed namespaces
+  (jliggitt@redhat.com)
+- oc_volume: Add missing parameter documentation (jarrpa@redhat.com)
+
 * Wed May 10 2017 Scott Dodson <sdodson@redhat.com> 3.6.67-1
 - byo: correct option name (gscrivan@redhat.com)
 - Fail if rpm version != docker image version (jchaloup@redhat.com)
diff --git a/playbooks/adhoc/uninstall.yml b/playbooks/adhoc/uninstall.yml
index beaf20b07..6119990fe 100644
--- a/playbooks/adhoc/uninstall.yml
+++ b/playbooks/adhoc/uninstall.yml
@@ -305,8 +305,15 @@
   - shell: systemctl daemon-reload
     changed_when: False
 
+  - name: restart container-engine
+    service: name=container-engine state=restarted
+    ignore_errors: true
+    register: container_engine
+
   - name: restart docker
     service: name=docker state=restarted
+    ignore_errors: true
+    when: "container_engine.state != 'started'"
 
   - name: restart NetworkManager
     service: name=NetworkManager state=restarted
diff --git a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
index fff199f42..8a60ef236 100644
--- a/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
+++ b/playbooks/common/openshift-cluster/upgrades/post_control_plane.yml
@@ -9,6 +9,8 @@
                          replace ( '${version}', openshift_image_tag ) }}"
     router_image: "{{ openshift.master.registry_url | replace( '${component}', 'haproxy-router' ) |
                       replace ( '${version}', openshift_image_tag ) }}"
+    registry_console_image: "{{ openshift.master.registry_url | replace ( '${component}', 'registry-console') |
+                                replace ( '${version}', openshift.common.short_version ) }}"
 
   pre_tasks:
   - name: Load lib_openshift modules
@@ -61,6 +63,26 @@
     when:
     - _default_registry.results.results[0] != {}
 
+  - name: Check for registry-console
+    oc_obj:
+      state: list
+      kind: dc
+      name: registry-console
+    register: _registry_console
+    when:
+    - openshift.common.deployment_type != 'origin'
+
+  - name: Update registry-console image to current version
+    oc_edit:
+      kind: dc
+      name: registry-console
+      namespace: default
+      content:
+        spec.template.spec.containers[0].image: "{{ registry_console_image }}"
+    when:
+    - openshift.common.deployment_type != 'origin'
+    - _registry_console.results.results[0] != {}
+
   roles:
   - openshift_manageiq
   # Create the new templates shipped in 3.2, existing templates are left
diff --git a/roles/docker/tasks/systemcontainer_docker.yml b/roles/docker/tasks/systemcontainer_docker.yml
index a461c479a..c85801546 100644
--- a/roles/docker/tasks/systemcontainer_docker.yml
+++ b/roles/docker/tasks/systemcontainer_docker.yml
@@ -27,7 +27,21 @@
     state: present
   when: not openshift.common.is_atomic | bool
 
-# If we are on atomic, set http_proxy and https_proxy in /etc/atomic.conf
+# Make sure Docker is installed so we are able to use the client
+- name: Install Docker so we can use the client
+  package: name=docker{{ '-' + docker_version if docker_version is defined else '' }} state=present
+  when: not openshift.common.is_atomic | bool
+
+# Make sure docker is disabled. Errors are ignored.
+- name: Disable Docker
+  systemd:
+    name: docker
+    enabled: no
+    state: stopped
+    daemon_reload: yes
+  ignore_errors: True
+
+# Set http_proxy and https_proxy in /etc/atomic.conf
 - block:
 
     - name: Add http_proxy to /etc/atomic.conf
@@ -46,9 +60,6 @@
         - openshift.common.https_proxy is defined
         - openshift.common.https_proxy != ''
 
-  when: openshift.common.is_atomic | bool
-
-
 - block:
 
     - name: Set to default prepend
@@ -81,19 +92,9 @@
   command: "atomic pull --storage ostree {{ l_docker_image }}"
   changed_when: false
 
-# Make sure docker is disabled Errors are ignored as docker may not
-# be installed.
-- name: Disable Docker
-  systemd:
-    name: docker
-    enabled: no
-    state: stopped
-    daemon_reload: yes
-  ignore_errors: True
-
-- name: Ensure docker.service.d directory exists
+- name: Ensure container-engine.service.d directory exists
   file:
-    path: "{{ docker_systemd_dir }}"
+    path: "{{ container_engine_systemd_dir }}"
     state: directory
 
 - name: Ensure /etc/docker directory exists
@@ -111,7 +112,7 @@
 
 - name: Configure Container Engine Service File
   template:
-    dest: "{{ docker_systemd_dir }}/custom.conf"
+    dest: "{{ container_engine_systemd_dir }}/custom.conf"
     src: systemcontainercustom.conf.j2
 
 # Set local versions of facts that must be in json format for daemon.json
diff --git a/roles/docker/templates/daemon.json b/roles/docker/templates/daemon.json
index c607e6afe..a41b7cdbd 100644
--- a/roles/docker/templates/daemon.json
+++ b/roles/docker/templates/daemon.json
@@ -16,6 +16,5 @@
     },
     "selinux-enabled": {{ l_docker_selinux_enabled | lower }},
     "add-registry": {{ l_docker_additional_registries }},
-    "block-registry": {{ l_docker_blocked_registries }},
-    "userland-proxy-path": "/usr/libexec/docker/docker-proxy-current"
+    "block-registry": {{ l_docker_blocked_registries }}
 }
diff --git a/roles/docker/templates/systemcontainercustom.conf.j2 b/roles/docker/templates/systemcontainercustom.conf.j2
index 1faad506a..b727c57d4 100644
--- a/roles/docker/templates/systemcontainercustom.conf.j2
+++ b/roles/docker/templates/systemcontainercustom.conf.j2
@@ -1,15 +1,15 @@
 # {{ ansible_managed }}
 
 [Service]
-{%- if "http_proxy" in openshift.common %}
+{% if "http_proxy" in openshift.common %}
 ENVIRONMENT=HTTP_PROXY={{ docker_http_proxy }}
-{%- endif -%}
-{%- if "https_proxy" in openshift.common %}
+{% endif -%}
+{% if "https_proxy" in openshift.common %}
 ENVIRONMENT=HTTPS_PROXY={{ docker_http_proxy }}
-{%- endif -%}
-{%- if "no_proxy" in openshift.common %}
+{% endif -%}
+{% if "no_proxy" in openshift.common %}
 ENVIRONMENT=NO_PROXY={{ docker_no_proxy }}
-{%- endif %}
+{% endif %}
 {%- if os_firewall_use_firewalld|default(false) %}
 [Unit]
 Wants=iptables.service
diff --git a/roles/docker/vars/main.yml b/roles/docker/vars/main.yml
index 0082ded1e..4e940b7f5 100644
--- a/roles/docker/vars/main.yml
+++ b/roles/docker/vars/main.yml
@@ -1,4 +1,5 @@
 ---
 docker_systemd_dir: /etc/systemd/system/docker.service.d
+container_engine_systemd_dir: /etc/systemd/system/container-engine.service.d
 docker_conf_dir: /etc/docker/
 udevw_udevd_dir: /etc/systemd/system/systemd-udevd.service.d
diff --git a/roles/lib_openshift/library/oc_objectvalidator.py b/roles/lib_openshift/library/oc_objectvalidator.py
index d9ce5679b..72add01f4 100644
--- a/roles/lib_openshift/library/oc_objectvalidator.py
+++ b/roles/lib_openshift/library/oc_objectvalidator.py
@@ -1398,8 +1398,10 @@ class OCObjectValidator(OpenShiftCLI):
             # check if it uses a reserved name
             name = namespace['metadata']['name']
             if not any((name == 'kube',
+                        name == 'kubernetes',
                         name == 'openshift',
                         name.startswith('kube-'),
+                        name.startswith('kubernetes-'),
                         name.startswith('openshift-'),)):
                 return False
 
diff --git a/roles/lib_openshift/src/class/oc_objectvalidator.py b/roles/lib_openshift/src/class/oc_objectvalidator.py
index 43f6cac67..c9fd3b532 100644
--- a/roles/lib_openshift/src/class/oc_objectvalidator.py
+++ b/roles/lib_openshift/src/class/oc_objectvalidator.py
@@ -35,8 +35,10 @@ class OCObjectValidator(OpenShiftCLI):
             # check if it uses a reserved name
             name = namespace['metadata']['name']
             if not any((name == 'kube',
+                        name == 'kubernetes',
                         name == 'openshift',
                         name.startswith('kube-'),
+                        name.startswith('kubernetes-'),
                         name.startswith('openshift-'),)):
                 return False
 
diff --git a/roles/openshift_facts/library/openshift_facts.py b/roles/openshift_facts/library/openshift_facts.py
index 914e46c05..514c06500 100755
--- a/roles/openshift_facts/library/openshift_facts.py
+++ b/roles/openshift_facts/library/openshift_facts.py
@@ -1302,7 +1302,7 @@ def get_version_output(binary, version_cmd):
 def get_docker_version_info():
     """ Parses and returns the docker version info """
     result = None
-    if is_service_running('docker'):
+    if is_service_running('docker') or is_service_running('container-engine'):
         version_info = yaml.safe_load(get_version_output('/usr/bin/docker', 'version'))
         if 'Server' in version_info:
             result = {
diff --git a/roles/openshift_logging/defaults/main.yml b/roles/openshift_logging/defaults/main.yml
index 76dfe518e..f43336dc4 100644
--- a/roles/openshift_logging/defaults/main.yml
+++ b/roles/openshift_logging/defaults/main.yml
@@ -26,10 +26,10 @@ openshift_logging_curator_ops_nodeselector: "{{ openshift_hosted_logging_curator
 
 openshift_logging_kibana_hostname: "{{ openshift_hosted_logging_hostname | default('kibana.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
 openshift_logging_kibana_cpu_limit: null
-openshift_logging_kibana_memory_limit: null
+openshift_logging_kibana_memory_limit: 736Mi
 openshift_logging_kibana_proxy_debug: false
 openshift_logging_kibana_proxy_cpu_limit: null
-openshift_logging_kibana_proxy_memory_limit: null
+openshift_logging_kibana_proxy_memory_limit: 96Mi
 openshift_logging_kibana_replica_count: 1
 openshift_logging_kibana_edge_term_policy: Redirect
 
@@ -50,10 +50,10 @@ openshift_logging_kibana_ca: ""
 
 openshift_logging_kibana_ops_hostname: "{{ openshift_hosted_logging_ops_hostname | default('kibana-ops.' ~ (openshift_master_default_subdomain | default('router.default.svc.cluster.local', true))) }}"
 openshift_logging_kibana_ops_cpu_limit: null
-openshift_logging_kibana_ops_memory_limit: null
+openshift_logging_kibana_ops_memory_limit: 736Mi
 openshift_logging_kibana_ops_proxy_debug: false
 openshift_logging_kibana_ops_proxy_cpu_limit: null
-openshift_logging_kibana_ops_proxy_memory_limit: null
+openshift_logging_kibana_ops_proxy_memory_limit: 96Mi
 openshift_logging_kibana_ops_replica_count: 1
 
 #The absolute path on the control node to the cert file to use
diff --git a/roles/openshift_logging/templates/elasticsearch.yml.j2 b/roles/openshift_logging/templates/elasticsearch.yml.j2
index 93c4d854c..355642cb7 100644
--- a/roles/openshift_logging/templates/elasticsearch.yml.j2
+++ b/roles/openshift_logging/templates/elasticsearch.yml.j2
@@ -28,11 +28,10 @@ cloud:
 discovery:
   type: kubernetes
   zen.ping.multicast.enabled: false
-  zen.minimum_master_nodes: {{es_min_masters}}
+  zen.minimum_master_nodes: ${NODE_QUORUM}
 
 gateway:
-  expected_master_nodes: ${NODE_QUORUM}
-  recover_after_nodes: ${RECOVER_AFTER_NODES}
+  recover_after_nodes: ${NODE_QUORUM}
   expected_nodes: ${RECOVER_EXPECTED_NODES}
   recover_after_time: ${RECOVER_AFTER_TIME}
 
diff --git a/roles/openshift_logging/templates/es.j2 b/roles/openshift_logging/templates/es.j2
index f89855bf5..680c16cf4 100644
--- a/roles/openshift_logging/templates/es.j2
+++ b/roles/openshift_logging/templates/es.j2
@@ -78,9 +78,6 @@ spec:
               name: "NODE_QUORUM"
               value: "{{es_node_quorum | int}}"
             -
-              name: "RECOVER_AFTER_NODES"
-              value: "{{es_recover_after_nodes}}"
-            -
               name: "RECOVER_EXPECTED_NODES"
               value: "{{es_recover_expected_nodes}}"
             -
diff --git a/roles/openshift_logging/templates/kibana.j2 b/roles/openshift_logging/templates/kibana.j2
index e6ecf82ff..25fab9ac4 100644
--- a/roles/openshift_logging/templates/kibana.j2
+++ b/roles/openshift_logging/templates/kibana.j2
@@ -44,15 +44,19 @@ spec:
 {% if kibana_cpu_limit is not none %}
               cpu: "{{kibana_cpu_limit}}"
 {% endif %}
-{% if kibana_memory_limit is not none %}
-              memory: "{{kibana_memory_limit}}"
-{% endif %}
+              memory: "{{kibana_memory_limit | default('736Mi') }}"
 {% endif %}
           env:
             - name: "ES_HOST"
               value: "{{es_host}}"
             - name: "ES_PORT"
               value: "{{es_port}}"
+            -
+              name: "KIBANA_MEMORY_LIMIT"
+              valueFrom:
+                resourceFieldRef:
+                  containerName: kibana
+                  resource: limits.memory
           volumeMounts:
             - name: kibana
               mountPath: /etc/kibana/keys
@@ -67,9 +71,7 @@ spec:
 {% if kibana_proxy_cpu_limit is not none %}
               cpu: "{{kibana_proxy_cpu_limit}}"
 {% endif %}
-{% if kibana_proxy_memory_limit is not none %}
-              memory: "{{kibana_proxy_memory_limit}}"
-{% endif %}
+              memory: "{{kibana_proxy_memory_limit | default('96Mi') }}"
 {% endif %}
           ports:
             -
@@ -103,6 +105,27 @@ spec:
             -
              name: "OAP_DEBUG"
              value: "{{openshift_logging_kibana_proxy_debug}}"
+            -
+             name: "OAP_OAUTH_SECRET_FILE"
+             value: "/secret/oauth-secret"
+            -
+             name: "OAP_SERVER_CERT_FILE"
+             value: "/secret/server-cert"
+            -
+             name: "OAP_SERVER_KEY_FILE"
+             value: "/secret/server-key"
+            -
+             name: "OAP_SERVER_TLS_FILE"
+             value: "/secret/server-tls.json"
+            -
+             name: "OAP_SESSION_SECRET_FILE"
+             value: "/secret/session-secret"
+            -
+             name: "OCP_AUTH_PROXY_MEMORY_LIMIT"
+             valueFrom:
+               resourceFieldRef:
+                 containerName: kibana-proxy
+                 resource: limits.memory
           volumeMounts:
             - name: kibana-proxy
               mountPath: /secret
diff --git a/roles/openshift_logging/vars/main.yaml b/roles/openshift_logging/vars/main.yaml
index e06625e3f..e561b41e2 100644
--- a/roles/openshift_logging/vars/main.yaml
+++ b/roles/openshift_logging/vars/main.yaml
@@ -1,12 +1,8 @@
 ---
 openshift_master_config_dir: "{{ openshift.common.config_base }}/master"
-es_node_quorum: "{{openshift_logging_es_cluster_size|int/2 + 1}}"
-es_min_masters_default: "{{ (openshift_logging_es_cluster_size | int / 2 | round(0,'floor') + 1) | int }}"
-es_min_masters: "{{ (openshift_logging_es_cluster_size == 1) | ternary(1, es_min_masters_default)}}"
-es_recover_after_nodes: "{{openshift_logging_es_cluster_size|int - 1}}"
-es_recover_expected_nodes: "{{openshift_logging_es_cluster_size|int}}"
-es_ops_node_quorum: "{{openshift_logging_es_ops_cluster_size|int/2 + 1}}"
-es_ops_recover_after_nodes: "{{openshift_logging_es_ops_cluster_size|int - 1}}"
-es_ops_recover_expected_nodes: "{{openshift_logging_es_ops_cluster_size|int}}"
+es_node_quorum: "{{ (openshift_logging_es_cluster_size | int/2 | round(0,'floor') + 1) | int}}"
+es_recover_expected_nodes: "{{openshift_logging_es_cluster_size | int}}"
+es_ops_node_quorum: "{{ (openshift_logging_es_ops_cluster_size | int/2 | round(0,'floor') + 1) | int}}"
+es_ops_recover_expected_nodes: "{{openshift_logging_es_ops_cluster_size | int}}"
 
 es_log_appenders: ['file', 'console']