From 0e11e4de279def8e7b94b9c89136c92cc590e5b2 Mon Sep 17 00:00:00 2001 From: Ryan Kraus Date: Fri, 30 Jul 2021 14:48:37 -0400 Subject: [PATCH 01/12] Fix typo restarting the faroswan interface. The router role was not correctly restarting the faroswan interface when required. Fix for #161 --- app/roles/router/handlers/main.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/roles/router/handlers/main.yaml b/app/roles/router/handlers/main.yaml index 831db5c..d986018 100644 --- a/app/roles/router/handlers/main.yaml +++ b/app/roles/router/handlers/main.yaml @@ -2,7 +2,7 @@ command: sysctl -w net.ipv4.ip_forward=1 - name: restart faroswan - shell: nmcli con up faroslan + shell: nmcli con up faroswan async: 120 poll: 5 From 325e4f73765dda654309568b1932f52ae62687ae Mon Sep 17 00:00:00 2001 
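Review bot: The one-letter fix leaves the handler name and the connection it acts on as two independent literals (`- name: restart faroswan` and `shell: nmcli con up faroswan`), which is exactly how the `faroslan` copy-paste slipped in unnoticed — `nmcli con up faroslan` succeeded against the other connection, so nothing failed when the WAN link was never restarted. Keeping the connection name in a single role variable used by both lines, e.g. `shell: nmcli con up {{ <router-wan-connection-var> }}` with the placeholder replaced by the role's existing variable for that connection, makes a drift between the two impossible to miss. A short comment above `async: 120` stating that the WAN re-activation is deliberately run detached because it can interrupt the session the play is using would also help the next reader. The rest of the handlers file is outside the hunk.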
From: Chris Blum Date: Mon, 2 Aug 2021 18:33:56 +0200 Subject: [PATCH 02/12] Add Linting (#162) * Add pre-commit config * Automatic pre-commit changes * Add .cache This is generated by ansible-lint runs * Ignore role-name conventions * Fix ansible-lint pipefail * Fix ansible-lint unnamed-task * ansible-lint fix command-instead-of-shell * ansible-lint fix empty-string-compare * ansible-lint fix literal-compare * ansible-lint fix var-spacing * ansible-lint fix no-changed-when * ansible-lint fix no-handler * ansible-lint fix risky-file-permissions * pre-commit fix check-executables-have-shebangs * pre-commit fix line ending * ansible-lint fix yaml truthy values * ansible-lint yamllint more fixes * Add (untested) Github Action for ansible-lint * Bump Workflow ansible-lint version Maybe this helps? * Fix find/replace and other remarks from review Squash me! --- .ansible-lint | 2 + .github/workflows/ansible-lint.yml | 50 ++ .gitignore | 1 + .pre-commit-config.yaml | 23 + .yamllint | 9 + Dockerfile | 1 - README.md | 1 - app/bin/run.sh | 1 - app/collections/requirements.yml | 4 +- app/inventory.py | 1 + app/lib/ansible/callback/my_dense.py | 1 + app/lib/ansible/callback/post_message.py | 1 + app/lib/ansible/callback/save_stats.py | 1 + app/lib/ansible/filter/ClusterOpCheck.py | 1 + app/lib/python/conftui.py | 1 + .../apply.d/host-records/cockpit.yml | 4 +- app/playbooks/apply.d/host-records/dhcp.yml | 15 +- app/playbooks/apply.d/host-records/dns.yml | 23 +- .../apply.d/router/create_router.yml | 4 +- app/playbooks/config.d/cluster/config.py | 1 + app/playbooks/config.d/proxy/config.py | 1 + app/playbooks/create.d/cluster/create.yml | 39 +- .../create.d/install-repos/create.yml | 22 +- .../create.d/load-balancer/create.yml | 4 +- app/playbooks/create.d/machines/create.yml | 10 +- .../deploy.d/container-storage/configure.py | 1 + .../container-storage/container-storage.yml | 44 +- .../container-storage/gather-facts.yml | 8 +- .../container-storage/local-storage.yml | 16 +- 
.../hosted-loadbalancer.yml | 504 +++++++++--------- app/playbooks/deploy.d/nvidia-drivers/main.sh | 1 - .../nvidia-drivers/nvidia-drivers.yml | 34 +- app/playbooks/deploy.d/odh-demo/main.sh | 5 - app/playbooks/deploy.d/odh-demo/odh-demo.yml | 367 ------------- .../redhat-entitlements/deploy_certs.yaml | 6 +- app/playbooks/deploy.d/wipefs/configure.py | 1 + .../deploy.d/wipefs/gather-facts.yml | 8 +- app/playbooks/deploy.d/wipefs/wipe-host.yml | 14 +- .../deploy.d/wipefs/wipe-local-storage.yml | 4 +- app/playbooks/destroy.d/cluster/destroy.yml | 38 +- .../destroy.d/install-repos/destroy.yml | 6 +- .../destroy.d/load-balancer/destroy.yml | 12 +- .../firmware.d/el8000-sw2-ssd/apply.yml | 13 +- .../firmware.d/el8000-sw2-ssd/bios.yml | 87 ++- app/playbooks/firmware.d/manual/main.sh | 2 + app/playbooks/identify.d/uid_off.yml | 4 +- app/playbooks/identify.d/uid_on.yml | 4 +- app/playbooks/shutdown.yml | 15 +- app/playbooks/startup.yml | 26 +- app/playbooks/util_vm_facts.yml | 6 +- .../wait-for.d/firmware-config/main.sh | 2 + .../management-interfaces/wait.yaml | 8 +- app/roles/cockpit-links/defaults/main.yml | 1 - app/roles/cockpit-links/files/index.html | 1 - app/roles/cockpit-links/handlers/main.yml | 9 + app/roles/cockpit-links/tasks/main.yml | 15 +- app/roles/content-servers/tasks/http.yaml | 15 +- app/roles/content-servers/tasks/tftp.yaml | 6 +- app/roles/dhcp-server/tasks/main.yaml | 10 +- app/roles/dhcp-verify/tasks/main.yaml | 7 +- app/roles/dhcp/defaults/main.yml | 4 +- app/roles/dhcp/handlers/main.yaml | 4 +- app/roles/dhcp/tasks/main.yml | 9 +- app/roles/dns-server/handlers/main.yaml | 4 +- app/roles/dns-server/tasks/main.yaml | 24 +- app/roles/dns/defaults/main.yml | 4 +- app/roles/dns/handlers/main.yaml | 20 +- app/roles/dns/tasks/main.yml | 14 +- app/roles/hypervisor/tasks/main.yml | 4 +- app/roles/keepalived/tasks/main.yml | 6 +- app/roles/loadbalancer/tasks/main.yml | 13 +- app/roles/management/tasks/netboot/kvm.yml | 11 +- 
app/roles/management/tasks/poweroff/ilo.yml | 16 +- app/roles/management/tasks/poweroff/kvm.yml | 2 +- app/roles/management/tasks/poweron/ilo.yml | 16 +- app/roles/management/tasks/poweron/kvm.yml | 2 +- app/roles/ntp-server/tasks/main.yaml | 6 +- .../kubelet-bootstrap-cred-manager-ds.yaml | 138 ++--- app/roles/ocp-reset-csrs/tasks/main.yml | 148 ++--- .../openshift-installer/defaults/main.yml | 16 +- app/roles/openshift-installer/tasks/main.yml | 17 +- .../templates/98-cache-disk.yaml.j2 | 1 - app/roles/pxelinux-kickstarts/tasks/main.yml | 4 +- .../templates/pxelinux.install.cfg.j2 | 1 - .../templates/pxelinux.wipe.cfg.j2 | 1 - app/roles/rhcos-images/defaults/main.yml | 2 +- app/roles/rhcos-images/tasks/main.yml | 2 +- app/roles/rhcos-images/templates/wipe.ign.j2 | 1 - app/roles/router-hardening/tasks/main.yaml | 4 +- app/roles/router/handlers/main.yaml | 2 +- app/roles/router/tasks/firewall.yaml | 76 +-- app/roles/router/tasks/lan_config.yaml | 24 +- app/roles/router/tasks/main.yaml | 3 +- app/roles/router/tasks/wan_config.yaml | 14 +- app/roles/tang/tasks/main.yaml | 16 +- app/roles/virtual-machine/tasks/main.yml | 4 +- app/roles/vm-gather-facts/tasks/main.yml | 5 +- 97 files changed, 951 insertions(+), 1208 deletions(-) create mode 100644 .ansible-lint create mode 100644 .github/workflows/ansible-lint.yml create mode 100644 .pre-commit-config.yaml create mode 100644 .yamllint delete mode 100755 app/playbooks/deploy.d/odh-demo/main.sh delete mode 100644 app/playbooks/deploy.d/odh-demo/odh-demo.yml create mode 100644 app/roles/cockpit-links/handlers/main.yml mode change 100755 => 100644 app/roles/loadbalancer/tasks/main.yml diff --git a/.ansible-lint b/.ansible-lint new file mode 100644 index 0000000..1cc71de --- /dev/null +++ b/.ansible-lint @@ -0,0 +1,2 @@ +skip_list: + - role-name diff --git a/.github/workflows/ansible-lint.yml b/.github/workflows/ansible-lint.yml new file mode 100644 index 0000000..9f06086 --- /dev/null 
+++ b/.github/workflows/ansible-lint.yml @@ -0,0 +1,50 @@ +name: Ansible Lint # feel free to pick your own name + +on: [push, pull_request] + +jobs: + build: + runs-on: ubuntu-latest + + steps: + # Important: This sets up your GITHUB_WORKSPACE environment variable + - uses: actions/checkout@v2 + + - name: Lint Ansible Playbook + # replace "master" with any valid ref + uses: ansible/ansible-lint-action@master + env: + ANSIBLE_ROLES_PATH: ./app/roles + with: + # [required] + # Paths to ansible files (i.e., playbooks, tasks, handlers etc..) + # or valid Ansible directories according to the Ansible role + # directory structure. + # If you want to lint multiple ansible files, use the following syntax + # targets: | + # playbook_1.yml + # playbook_2.yml + targets: "./app" + # [optional] + # Arguments to be passed to the ansible-lint + + # Options: + # -q quieter, although not silent output + # -p parseable output in the format of pep8 + # --parseable-severity parseable output including severity of rule + # -r RULESDIR specify one or more rules directories using one or + # more -r arguments. Any -r flags override the default + # rules in ansiblelint/rules, unless -R is also used. + # -R Use default rules in ansiblelint/rules in addition to + # any extra + # rules directories specified with -r. There is no need + # to specify this if no -r flags are used + # -t TAGS only check rules whose id/tags match these values + # -x SKIP_LIST only check rules whose id/tags do not match these + # values + # --nocolor disable colored output + # --exclude=EXCLUDE_PATHS + # path to directories or files to skip. This option is + # repeatable. + # -c C Specify configuration file to use. Defaults to ".ansible-lint" + # args: "-q" diff --git a/.gitignore b/.gitignore index 46b4574..c877443 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,4 @@ data venv devel.env data.tgz +.cache diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml new file mode 100644 index 0000000..03a0e1d 
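Review bot: The new job pins the linter to a mutable branch, `uses: ansible/ansible-lint-action@master`, so every push runs whatever that repository's maintainers (or anyone who gains write access to it) have landed, and lint results can change with no change in this repository; pin it to a release tag or, better, a full commit SHA, `uses: ansible/ansible-lint-action@<release-tag-or-commit-sha>`, and let Dependabot's `github-actions` ecosystem bump it. The same concern applies in weaker form to `actions/checkout@v2`, a moving major tag. The workflow also inherits the default `GITHUB_TOKEN` permissions; a read-only lint job should declare `permissions: contents: read` at the top level so a compromised action version cannot push to the repository or open releases. The 25-line copy of the action's option help after `targets: "./app"` can be cut to the one line that matters here, `# args: "-q"`.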
--- /dev/null +++ b/.pre-commit-config.yaml @@ -0,0 +1,23 @@ +# See https://pre-commit.com for more information +# See https://pre-commit.com/hooks.html for more hooks +repos: + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v3.2.0 + hooks: + - id: check-added-large-files + - id: check-case-conflict + - id: check-executables-have-shebangs + - id: check-merge-conflict + - id: check-symlinks + - id: check-yaml + - id: detect-aws-credentials + - id: detect-private-key + - id: end-of-file-fixer + - id: fix-encoding-pragma + - id: trailing-whitespace + - repo: https://github.com/ansible-community/ansible-lint.git + rev: master + hooks: + - id: ansible-lint + entry: env ANSIBLE_ROLES_PATH=./app/roles ansible-lint --force-color + files: \.(yaml|yml)$ diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..3e03784 --- /dev/null +++ b/.yamllint @@ -0,0 +1,9 @@ +rules: + comments: + require-starting-space: true + ignore-shebangs: true + min-spaces-from-content: 1 + line-length: + max: 200 + allow-non-breakable-words: true + allow-non-breakable-inline-mappings: false diff --git a/Dockerfile b/Dockerfile index 6ebc140..c3c8a6b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -40,4 +40,3 @@ RUN rpm -i /app/tmp/ilorest-3.0.1-7.x86_64.rpm; \ ENTRYPOINT ["/app/bin/entry.sh"] CMD ["/app/bin/run.sh"] - diff --git a/README.md b/README.md index 286649c..58785c7 100644 --- a/README.md +++ b/README.md @@ -6,4 +6,3 @@ and automated deployment tools. We are looking to bring OpenShift everywhere, even to the edge. ![Cluster Install](https://raw.githubusercontent.com/project-faros/assets/master/demos/install/8-cluster.gif) - diff --git a/app/bin/run.sh b/app/bin/run.sh index 5f4f4e1..4a83b54 100755 --- a/app/bin/run.sh +++ b/app/bin/run.sh @@ -5,4 +5,3 @@ if [ ! -e /data/config.sh ]; then cp /data.skel/config.sh /data/config.sh fi mkdir -p /data/ansible - diff --git a/app/collections/requirements.yml b/app/collections/requirements.yml index 9809c85..65fe89c 100644 
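Review bot: `rev: master` on the ansible-lint hook is a mutable ref, which pre-commit itself warns about, because the code executed on every developer commit then changes without any change to this file; use an immutable tag or SHA, `rev: <ansible-lint release tag>`, and refresh it with `pre-commit autoupdate`. `detect-aws-credentials` with no arguments fails on a machine that has no AWS credentials file to compare against, which is the normal case for this project's workstations and CI, so either add `args: [--allow-missing-credentials]` to that hook or drop it. The ansible-lint hook's `entry:` line hard-codes `ANSIBLE_ROLES_PATH=./app/roles`, duplicating the value the new workflow sets in its `env:`; a one-line comment pointing at the workflow keeps the two from drifting.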
--- a/app/collections/requirements.yml +++ b/app/collections/requirements.yml @@ -1,3 +1,3 @@ collections: -- name: ansible-posix-1.1.1.tar.gz - version: 1.1.1 + - name: ansible-posix-1.1.1.tar.gz + version: 1.1.1 diff --git a/app/inventory.py b/app/inventory.py index 026f7f7..c5566c8 100755 --- a/app/inventory.py +++ b/app/inventory.py @@ -1,4 +1,5 @@ #!/usr/bin/env python3 +# -*- coding: utf-8 -*- import argparse from collections import defaultdict import ipaddress diff --git a/app/lib/ansible/callback/my_dense.py b/app/lib/ansible/callback/my_dense.py index b1646aa..ad272ad 100644 --- a/app/lib/ansible/callback/my_dense.py +++ b/app/lib/ansible/callback/my_dense.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- # sourced from dense callback plugin in Ansible 2.9 from __future__ import (absolute_import, division, print_function) diff --git a/app/lib/ansible/callback/post_message.py b/app/lib/ansible/callback/post_message.py index 6128069..27ff306 100644 --- a/app/lib/ansible/callback/post_message.py +++ b/app/lib/ansible/callback/post_message.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- from __future__ import (absolute_import, division, print_function) __metaclass__ = type diff --git a/app/lib/ansible/callback/save_stats.py b/app/lib/ansible/callback/save_stats.py index 9b5930b..2eb213f 100644 --- a/app/lib/ansible/callback/save_stats.py +++ b/app/lib/ansible/callback/save_stats.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- from __future__ import (absolute_import, division, print_function) __metaclass__ = type diff --git a/app/lib/ansible/filter/ClusterOpCheck.py b/app/lib/ansible/filter/ClusterOpCheck.py index ca68dbe..17a495d 100644 --- a/app/lib/ansible/filter/ClusterOpCheck.py +++ b/app/lib/ansible/filter/ClusterOpCheck.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- TARGET = { 'Degraded': ['False'], 'Progressing': ['False'], diff --git a/app/lib/python/conftui.py b/app/lib/python/conftui.py index 374feab..2783a34 100644 --- a/app/lib/python/conftui.py 
+++ b/app/lib/python/conftui.py @@ -1,4 +1,5 @@ #!/usr/bin/env python +# -*- coding: utf-8 -*- import sys import os import json diff --git a/app/playbooks/apply.d/host-records/cockpit.yml b/app/playbooks/apply.d/host-records/cockpit.yml index b6f5df3..1ebacbd 100755 --- a/app/playbooks/apply.d/host-records/cockpit.yml +++ b/app/playbooks/apply.d/host-records/cockpit.yml @@ -2,8 +2,8 @@ - name: Add Management Links to Cockpit hosts: bastion_hosts - gather_facts: no - become: yes + gather_facts: false + become: true tasks: - name: create cockpit links to cluster node management diff --git a/app/playbooks/apply.d/host-records/dhcp.yml b/app/playbooks/apply.d/host-records/dhcp.yml index 3c885d0..a1d5a2c 100755 --- a/app/playbooks/apply.d/host-records/dhcp.yml +++ b/app/playbooks/apply.d/host-records/dhcp.yml @@ -4,7 +4,7 @@ - name: Configure Cluster Node DHCP records hosts: cluster - gather_facts: no + gather_facts: false serial: 1 roles: @@ -12,7 +12,7 @@ - name: Configure Management DHCP records hosts: cluster:!virtual - gather_facts: no + gather_facts: false serial: 1 roles: @@ -23,7 +23,7 @@ - name: Configure extra DHCP records hosts: localhost - gather_facts: no + gather_facts: false serial: 1 vars: @@ -44,7 +44,7 @@ - name: Configure ignored MAC Addresses hosts: localhost - gather_facts: no + gather_facts: false serial: 1 vars: @@ -58,18 +58,17 @@ vars: dhcp_name: "{{ node.name }}" dhcp_mac_address: "{{ node.mac }}" - dhcp_ignore: yes + dhcp_ignore: true loop: "{{ ignored_macs }}" loop_control: loop_var: node - name: Check for orphaned dhcp entries hosts: bastion - gather_facts: no - become: yes + gather_facts: false + become: true roles: - name: dhcp-verify dhcp_verify_ignored: "{{ ignored_macs | from_json | json_query('[*].name') }}" dhcp_verify_records: "{{ lookup('inventory_hostnames', 'cluster,management').split(',') + extra_nodes | json_query('[*].name') }}" - 
diff --git a/app/playbooks/apply.d/host-records/dns.yml b/app/playbooks/apply.d/host-records/dns.yml index bbcdb22..3d0350b 100755 --- a/app/playbooks/apply.d/host-records/dns.yml +++ b/app/playbooks/apply.d/host-records/dns.yml @@ -4,7 +4,7 @@ - name: Configure Cluster Node DNS Records hosts: cluster - gather_facts: no + gather_facts: false serial: 1 vars: @@ -16,7 +16,7 @@ - name: Configure Cluster Node Management DNS Records hosts: cluster:!virtual - gather_facts: no + gather_facts: false serial: 1 vars: @@ -30,7 +30,7 @@ - name: Configure Bastion DNS entries hosts: bastion_hosts - gather_facts: no + gather_facts: false serial: 1 vars: @@ -42,7 +42,7 @@ - name: Configure Load Balanced DNS entries hosts: loadbalancer - gather_facts: no + gather_facts: false serial: 1 vars: @@ -52,19 +52,19 @@ roles: - name: dns dns_hostname: "api" - dns_reverse: no + dns_reverse: false - name: dns dns_hostname: "api-int" - dns_reverse: no + dns_reverse: false - name: dns dns_hostname: "*.apps" - dns_reverse: no + dns_reverse: false - name: dns dns_hostname: "loadbalancer" - name: Configure etcd DNS entries hosts: control_plane - gather_facts: no + gather_facts: false serial: 1 vars: @@ -74,15 +74,15 @@ roles: - name: dns dns_hostname: "etcd-{{ cp_node_id }}" - dns_reverse: no + dns_reverse: false - name: dns dns_hostname: "_etcd-server-ssl.tcp" - dns_type: 'SRV' + dns_type: "SRV" dns_value: "0 10 2380 etcd-{{ cp_node_id }}.{{ cluster_name }}.{{ cluster_domain }}." - name: Configure extra DNS records hosts: localhost - gather_facts: no + gather_facts: false serial: 1 vars: @@ -99,4 +99,3 @@ loop: "{{ extra_nodes }}" loop_control: loop_var: node - diff --git a/app/playbooks/apply.d/router/create_router.yml b/app/playbooks/apply.d/router/create_router.yml index 90577ad..1047d31 100755 --- a/app/playbooks/apply.d/router/create_router.yml +++ b/app/playbooks/apply.d/router/create_router.yml 
@@ -2,8 +2,8 @@ - name: Configure layer 3 routing and network services hosts: wan - gather_facts: no - become: yes + gather_facts: false + become: true roles: - name: router diff --git a/app/playbooks/config.d/cluster/config.py b/app/playbooks/config.d/cluster/config.py index c408eea..3b143e1 100644 --- a/app/playbooks/config.d/cluster/config.py +++ b/app/playbooks/config.d/cluster/config.py @@ -1,4 +1,5 @@ #!/usr/bin/env python +# -*- coding: utf-8 -*- import sys import os from conftui import (Configurator, ParameterCollection, Parameter, diff --git a/app/playbooks/config.d/proxy/config.py b/app/playbooks/config.d/proxy/config.py index 1cd0286..a80c7d1 100644 --- a/app/playbooks/config.d/proxy/config.py +++ b/app/playbooks/config.d/proxy/config.py @@ -1,4 +1,5 @@ #!/usr/bin/env python +# -*- coding: utf-8 -*- import sys from conftui import (Configurator, ParameterCollection, Parameter, ListDictParameter, PasswordParameter, diff --git a/app/playbooks/create.d/cluster/create.yml b/app/playbooks/create.d/cluster/create.yml index 892e6e6..3087929 100755 --- a/app/playbooks/create.d/cluster/create.yml +++ b/app/playbooks/create.d/cluster/create.yml @@ -2,9 +2,9 @@ - name: Perform pre-install checks hosts: localhost - become: no - gather_facts: no - any_errors_fatal: yes + become: false + gather_facts: false + any_errors_fatal: true vars: openshift_installer_dir: /data/openshift-installer @@ -36,8 +36,8 @@ - name: Ensure all cluster nodes are powered down hosts: cluster - become: no - gather_facts: no + become: false + gather_facts: false serial: 1 tasks: @@ -54,8 +54,8 @@ - name: Create the Control Plane hosts: control_plane - become: no - gather_facts: no + become: false + gather_facts: false tasks: - include_role: 
@@ -72,17 +72,17 @@ - name: wait for nodes to start provisioning shell: ping -c 1 {{ ansible_host }} delegate_to: "{{ groups.bastion_hosts[0] }}" - become: no + become: false register: node_ping until: "node_ping is not failed" retries: 30 delay: 10 - changed_when: no + changed_when: false - name: Create the Bootstrap node hosts: bootstrap - become: no - gather_facts: no + become: false + gather_facts: false tasks: - include_role: @@ -104,8 +104,8 @@ - name: Wait for the OpenShift Installation to Complete hosts: localhost - become: no - gather_facts: no + become: false + gather_facts: false tasks: - block: @@ -119,7 +119,7 @@ shell: ./openshift-install wait-for bootstrap-complete 2>&1 args: chdir: /data/openshift-installer - changed_when: no + changed_when: false register: cluster_install retries: 2 delay: 1 @@ -135,7 +135,7 @@ shell: ./openshift-install wait-for install-complete 2>&1 args: chdir: /data/openshift-installer - changed_when: no + changed_when: false register: cluster_install retries: 2 delay: 1 @@ -158,8 +158,8 @@ - name: Power down the bootstrap node hosts: bootstrap - become: no - gather_facts: no + become: false + gather_facts: false serial: 1 tasks: @@ -176,8 +176,8 @@ - name: Add OpenShift Links to Cockpit hosts: bastion_hosts - gather_facts: no - become: yes + gather_facts: false + become: true tasks: - name: create cockpit links @@ -188,4 +188,3 @@ - name: "OpenShift Console" url: "https://console-openshift-console.apps.{{ cluster_name }}.{{ cluster_domain }}" icon: fa-redhat - diff --git a/app/playbooks/create.d/install-repos/create.yml b/app/playbooks/create.d/install-repos/create.yml index 172b226..6f1a6cb 100755 --- a/app/playbooks/create.d/install-repos/create.yml +++ b/app/playbooks/create.d/install-repos/create.yml @@ -4,8 +4,8 @@ - name: create cluster encryption services hosts: bastion_hosts - gather_facts: no - become: yes + gather_facts: false + become: true roles: - name: tang 
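Review bot: The `wait for nodes to start provisioning` task in this hunk is still `shell: ping -c 1 {{ ansible_host }}` although the commit's command-instead-of-shell pass converted other tasks; `ansible_host` is presumably supplied by the dynamic inventory and is expanded into a shell command line, so `command: ping -c 1 {{ ansible_host }}` — no shell, arguments split by Ansible — is both the safer and the lint-clean form. The `./openshift-install wait-for ... 2>&1` tasks in the later hunks legitimately need `shell:` for the redirection and can stay as they are. The play these tasks belong to starts before the hunk.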
@@ -13,19 +13,19 @@ - name: create red hat coreos ignition files hosts: localhost - gather_facts: no - become: no + gather_facts: false + become: false roles: - name: openshift-installer openshift_installer_dir: /data/openshift-installer - openshift_installer_cluster_id: '{{ cluster_name }}' - openshift_installer_base_domain: '{{ cluster_domain }}' - openshift_installer_control_plane: '{{ groups.control_plane }}' + openshift_installer_cluster_id: "{{ cluster_name }}" + openshift_installer_base_domain: "{{ cluster_domain }}" + openshift_installer_control_plane: "{{ groups.control_plane }}" openshift_installer_ssh_key: '{{ lookup("file", ansible_ssh_private_key_file + ".pub") }}' openshift_installer_fips_mode: "{{ fips_mode }}" openshift_installer_cache_disk: "{{ cache_disk }}" - openshift_installer_pull_secret: '{{ pull_secret | to_json }}' + openshift_installer_pull_secret: "{{ pull_secret | to_json }}" openshift_installer_version: "{{ lookup('ini', 'installer section=cluster file=/app/versions.ini') }}" openshift_installer_proxy: "{{ proxy }}" openshift_installer_proxy_http: "{{ proxy_http }}" @@ -38,8 +38,8 @@ - name: create openshift installation source repositories hosts: bastion_hosts - gather_facts: yes - become: yes + gather_facts: true + become: true roles: - name: content-servers @@ -59,7 +59,7 @@ - name: create pxelinux kickstart files hosts: cluster - gather_facts: no + gather_facts: false roles: - name: pxelinux-kickstarts diff --git a/app/playbooks/create.d/load-balancer/create.yml b/app/playbooks/create.d/load-balancer/create.yml index 33b01c9..5dc5097 100755 --- a/app/playbooks/create.d/load-balancer/create.yml +++ b/app/playbooks/create.d/load-balancer/create.yml @@ -2,8 +2,8 @@ - name: deploy openshift load balancer hosts: bastion_hosts - gather_facts: yes - become: yes + gather_facts: true + become: true roles: - name: loadbalancer 
diff --git a/app/playbooks/create.d/machines/create.yml b/app/playbooks/create.d/machines/create.yml index 5c36291..2ebe01f 100755 --- a/app/playbooks/create.d/machines/create.yml +++ b/app/playbooks/create.d/machines/create.yml @@ -1,19 +1,19 @@ #!/usr/bin/env ansible-playbook - name: configure the hypervisor hosts: bastion_hosts - gather_facts: yes - become: yes + gather_facts: true + become: true roles: - name: hypervisor - name: configure virtual machines hosts: virtual - gather_facts: no - become: no + gather_facts: false + become: false roles: - name: virtual-machine - virtual_machine_hypervisor: '{{ mgmt_hostname }}' + virtual_machine_hypervisor: "{{ mgmt_hostname }}" virtual_machine_network: bridge=faroslan virtual_machine_disk: size=100,format=qcow2 diff --git a/app/playbooks/deploy.d/container-storage/configure.py b/app/playbooks/deploy.d/container-storage/configure.py index 9167755..434fcf6 100644 --- a/app/playbooks/deploy.d/container-storage/configure.py +++ b/app/playbooks/deploy.d/container-storage/configure.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- import os import sys import pickle diff --git a/app/playbooks/deploy.d/container-storage/container-storage.yml b/app/playbooks/deploy.d/container-storage/container-storage.yml index 5480cf1..a1807ae 100644 --- a/app/playbooks/deploy.d/container-storage/container-storage.yml +++ b/app/playbooks/deploy.d/container-storage/container-storage.yml @@ -1,7 +1,7 @@ - name: install openshift container storage hosts: localhost - become: no - gather_facts: no + become: false + gather_facts: false tasks: - name: ensure project exists @@ -27,7 +27,7 @@ namespace: openshift-storage spec: targetNamespaces: - - openshift-storage + - openshift-storage - name: ensure subscription exists k8s: 
@@ -59,25 +59,25 @@ manageNodes: false monDataDirHostPath: /var/lib/rook storageDeviceSets: - - count: "{{ drives_per_node }}" - dataPVCTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - storageClassName: localblock - volumeMode: Block - name: ocs-deviceset - placement: {} - portable: false - replica: 3 - resources: {} - encryption: - enable: true - kms: {} - flexibleScaling: True + - count: "{{ drives_per_node }}" + dataPVCTemplate: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: localblock + volumeMode: Block + name: ocs-deviceset + placement: {} + portable: false + replica: 3 + resources: {} + encryption: + enable: true + kms: {} + flexibleScaling: true retries: 60 delay: 15 register: apply diff --git a/app/playbooks/deploy.d/container-storage/gather-facts.yml b/app/playbooks/deploy.d/container-storage/gather-facts.yml index 08f2c7b..22fbe0b 100644 --- a/app/playbooks/deploy.d/container-storage/gather-facts.yml +++ b/app/playbooks/deploy.d/container-storage/gather-facts.yml @@ -1,7 +1,7 @@ - name: query cluster facts hosts: localhost - become: no - gather_facts: no + become: false + gather_facts: false pre_tasks: - name: lookup cluster nodes @@ -12,8 +12,8 @@ shell: oc debug -n default node/{{ item }} -- chroot /host lsblk -dlno NAME 2>/dev/null loop: "{{ cluster_nodes }}" register: cluster_drives - ignore_errors: yes - changed_when: no + ignore_errors: true + changed_when: false - name: save discovered hosts set_stats: diff --git a/app/playbooks/deploy.d/container-storage/local-storage.yml b/app/playbooks/deploy.d/container-storage/local-storage.yml index 529cea0..c96464a 100644 --- a/app/playbooks/deploy.d/container-storage/local-storage.yml +++ b/app/playbooks/deploy.d/container-storage/local-storage.yml 
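Review bot: `ignore_errors: true` on the `oc debug ... lsblk` loop in the gather-facts hunk keeps the play going when drive discovery fails on a node, so `cluster_drives` can carry failed items that downstream code may read as nodes with no drives; if a partial drive inventory is acceptable, say so in a comment on the task, otherwise drop `ignore_errors` or replace it with a `failed_when:` that tolerates only the expected failure. The same hunk's `changed_when: false` is correct for a read-only probe. The task list this belongs to starts before the hunk.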
@@ -1,20 +1,20 @@ - name: install openshift local storage hosts: localhost - become: no - gather_facts: no + become: false + gather_facts: false tasks: - name: get storage node drive id paths shell: "oc debug -n default node/{{ item }} -- chroot /host find /dev/disk/by-id -type l -exec readlink -nf {} ';' -exec echo ': {}' ';' | egrep '(wwn|eui)' | sed 's/\\/dev\\///'" loop: "{{ stg_drives | json_query('[*].host') }}" register: drive_id_lkp - changed_when: no + changed_when: false - name: save storage node drive id paths set_fact: drive_ids: "{{ drive_ids|default({}) | combine({ item.item : item.stdout | from_yaml }) }}" loop: "{{ drive_id_lkp.results }}" - changed_when: no + changed_when: false - name: ensure project exists k8s: @@ -39,7 +39,7 @@ namespace: openshift-local-storage spec: targetNamespaces: - - openshift-local-storage + - openshift-local-storage - name: ensure subscription exists k8s: @@ -100,9 +100,9 @@ spec: nodeSelector: nodeSelectorTerms: - - matchExpressions: - - key: cluster.ocs.openshift.io/openshift-storage - operator: Exists + - matchExpressions: + - key: cluster.ocs.openshift.io/openshift-storage + operator: Exists storageClassDevices: - storageClassName: localblock volumeMode: Block diff --git a/app/playbooks/deploy.d/hosted-loadbalancer/hosted-loadbalancer.yml b/app/playbooks/deploy.d/hosted-loadbalancer/hosted-loadbalancer.yml index 33081e1..239442f 100644 --- a/app/playbooks/deploy.d/hosted-loadbalancer/hosted-loadbalancer.yml +++ b/app/playbooks/deploy.d/hosted-loadbalancer/hosted-loadbalancer.yml @@ -1,7 +1,7 @@ - name: install self-hosted load balancer hosts: localhost - become: no - gather_facts: no + become: false + gather_facts: false tasks: - name: ensure namespace exists 
@@ -29,113 +29,113 @@ name: hosted-loadbalancer-operator namespace: openshift-hosted-loadbalancer rules: - - apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - - serviceaccounts - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - security.openshift.io - resources: - - securitycontextcontraints - verbs: - - get - - list - - update - - patch - - apiGroups: - - security.openshift.io - resourceNames: - - privileged - resources: - - securitycontextconstraints - verbs: - - use - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - clusterroles - - rolebindings - - clusterrolebindings - verbs: - - get - - list - - delete - - create - - update - - patch - - watch - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - apiGroups: - - apps - resourceNames: - - operator - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - - deployments - verbs: - - get - - apiGroups: - - lb.faros.dev - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - security.openshift.io + 
resources: + - securitycontextcontraints + verbs: + - get + - list + - update + - patch + - apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - get + - list + - delete + - create + - update + - patch + - watch + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - apiGroups: + - lb.faros.dev + resources: + - "*" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - name: ensure clusterrole exists k8s: 
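Review bot: The reindented Role rules keep a misspelled resource, `- securitycontextcontraints` under `security.openshift.io` with `get/list/update/patch`, while the `use` rule two entries later spells `securitycontextconstraints` correctly; the misspelled rule grants nothing, so it should read `- securitycontextconstraints` or be deleted if those verbs were never needed. The same misspelling appears in the ClusterRole hunk that follows. Separately, the rules grant `create/delete/update` on `secrets`, `serviceaccounts`, `clusterroles` and `clusterrolebindings` to the operator's service account, which in the ClusterRole amounts to cluster-admin; a comment stating which of these the operator actually creates, or trimming the list to that, would make the least-privilege intent reviewable. The `ensure role exists` task holding these rules starts before the hunk.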
@@ -146,119 +146,119 @@ metadata: name: hosted-loadbalancer-operator rules: - - apiGroups: - - "" - resources: - - nodes - verbs: - - list - - apiGroups: - - "" - resources: - - pods - - services - - services/finalizers - - endpoints - - persistentvolumeclaims - - events - - configmaps - - secrets - - serviceaccounts - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - apps - resources: - - deployments - - daemonsets - - replicasets - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch - - apiGroups: - - security.openshift.io - resources: - - securitycontextcontraints - verbs: - - get - - list - - update - - patch - - apiGroups: - - security.openshift.io - resourceNames: - - privileged - resources: - - securitycontextconstraints - verbs: - - use - - apiGroups: - - rbac.authorization.k8s.io - resources: - - roles - - clusterroles - - rolebindings - - clusterrolebindings - verbs: - - get - - list - - delete - - create - - update - - patch - - watch - - apiGroups: - - monitoring.coreos.com - resources: - - servicemonitors - verbs: - - get - - create - - apiGroups: - - apps - resourceNames: - - operator - resources: - - deployments/finalizers - verbs: - - update - - apiGroups: - - "" - resources: - - pods - verbs: - - get - - apiGroups: - - apps - resources: - - replicasets - - deployments - verbs: - - get - - apiGroups: - - lb.faros.dev - resources: - - '*' - verbs: - - create - - delete - - get - - list - - patch - - update - - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - list + - apiGroups: + - "" + resources: + - pods + - services + - services/finalizers + - endpoints + - persistentvolumeclaims + - events + - configmaps + - secrets + - serviceaccounts + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - apps + resources: + - deployments + - daemonsets + - replicasets + - statefulsets + verbs: + - create + - delete + 
- get + - list + - patch + - update + - watch + - apiGroups: + - security.openshift.io + resources: + - securitycontextcontraints + verbs: + - get + - list + - update + - patch + - apiGroups: + - security.openshift.io + resourceNames: + - privileged + resources: + - securitycontextconstraints + verbs: + - use + - apiGroups: + - rbac.authorization.k8s.io + resources: + - roles + - clusterroles + - rolebindings + - clusterrolebindings + verbs: + - get + - list + - delete + - create + - update + - patch + - watch + - apiGroups: + - monitoring.coreos.com + resources: + - servicemonitors + verbs: + - get + - create + - apiGroups: + - apps + resourceNames: + - operator + resources: + - deployments/finalizers + verbs: + - update + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - apiGroups: + - apps + resources: + - replicasets + - deployments + verbs: + - get + - apiGroups: + - lb.faros.dev + resources: + - "*" + verbs: + - create + - delete + - get + - list + - patch + - update + - watch - name: ensure rolebinding exists k8s: @@ -270,8 +270,8 @@ name: hosted-loadbalancer-operator namespace: openshift-hosted-loadbalancer subjects: - - kind: ServiceAccount - name: hosted-loadbalancer-operator + - kind: ServiceAccount + name: hosted-loadbalancer-operator roleRef: kind: ClusterRole name: hosted-loadbalancer-operator @@ -286,9 +286,9 @@ metadata: name: hosted-loadbalancer-operator subjects: - - kind: ServiceAccount - name: hosted-loadbalancer-operator - namespace: openshift-hosted-loadbalancer + - kind: ServiceAccount + name: hosted-loadbalancer-operator + namespace: openshift-hosted-loadbalancer roleRef: kind: ClusterRole name: hosted-loadbalancer-operator @@ -319,9 +319,9 @@ type: object x-kubernetes-preserve-unknown-fields: true versions: - - name: v1beta1 - served: true - storage: true + - name: v1beta1 + served: true + storage: true - name: ensure operator deployment exists k8s: 
@@ -344,28 +344,28 @@ spec: serviceAccountName: hosted-loadbalancer-operator containers: - - name: hosted-loadbalancer-operator - image: "quay.io/faros/hosted-loadbalancer-operator:latest" - imagePullPolicy: Always - volumeMounts: - - mountPath: /tmp/ansible-operator/runner - name: runner - env: - - name: WATCH_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: OPERATOR_NAME - value: "hosted-loadbalancer-operator" - - name: ANSIBLE_GATHERING - value: explicit + - name: hosted-loadbalancer-operator + image: "quay.io/faros/hosted-loadbalancer-operator:latest" + imagePullPolicy: Always + volumeMounts: + - mountPath: /tmp/ansible-operator/runner + name: runner + env: + - name: WATCH_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: OPERATOR_NAME + value: "hosted-loadbalancer-operator" + - name: ANSIBLE_GATHERING + value: explicit volumes: - - name: runner - emptyDir: {} + - name: runner + emptyDir: {} - name: ensure clusterloadbalancer exists k8s: @@ -378,7 +378,7 @@ namespace: openshift-hosted-loadbalancer spec: vip_addr: "{{ loadbalancer_vip }}" - router_id: '100' + router_id: "100" vip_pass: "{{ lookup('password', '/data/keepalived.pass chars=ascii_letters length=8') }}" node_selector: node-role.kubernetes.io/master: "" diff --git a/app/playbooks/deploy.d/nvidia-drivers/main.sh b/app/playbooks/deploy.d/nvidia-drivers/main.sh index 50eefe7..7fa2d61 100755 --- a/app/playbooks/deploy.d/nvidia-drivers/main.sh +++ b/app/playbooks/deploy.d/nvidia-drivers/main.sh @@ -3,4 +3,3 @@ ME=$(dirname $0) ansible-playbook $ME/nvidia-drivers.yml $@ || exit 1 - diff --git a/app/playbooks/deploy.d/nvidia-drivers/nvidia-drivers.yml b/app/playbooks/deploy.d/nvidia-drivers/nvidia-drivers.yml index f174447..50b22c0 100644 --- a/app/playbooks/deploy.d/nvidia-drivers/nvidia-drivers.yml 
+++ b/app/playbooks/deploy.d/nvidia-drivers/nvidia-drivers.yml @@ -1,7 +1,7 @@ - name: install nvidia gpu drivers hosts: localhost - become: no - gather_facts: no + become: false + gather_facts: false tasks: - name: ensure project exists @@ -117,7 +117,7 @@ namespace: gpu-operator-resources spec: operand: - image: 'registry.redhat.io/openshift4/ose-node-feature-discovery:v4.7.0' + image: "registry.redhat.io/openshift4/ose-node-feature-discovery:v4.7.0" imagePullPolicy: Always namespace: node-feature-discovery-operator workerConfig: @@ -152,7 +152,7 @@ podSecurityContext: {} repository: nvcr.io/nvidia/k8s securityContext: {} - version: 'sha256:ced606933cd2210768ee8488b624c64ac0bdce6f05d9c4b4210e251370a14ff8' + version: "sha256:ced606933cd2210768ee8488b624c64ac0bdce6f05d9c4b4210e251370a14ff8" image: dcgm-exporter tolerations: [] devicePlugin: @@ -163,18 +163,18 @@ podSecurityContext: {} repository: nvcr.io/nvidia securityContext: {} - version: 'sha256:ea353fe57628f4d3c3e1cda126455d02f2277e3ee92fa9da441d409d76b2ac92' + version: "sha256:ea353fe57628f4d3c3e1cda126455d02f2277e3ee92fa9da441d409d76b2ac92" image: k8s-device-plugin tolerations: [] args: - - '--mig-strategy=single' - - '--pass-device-specs=true' - - '--fail-on-init-error=true' - - '--device-list-strategy=envvar' - - '--nvidia-driver-root=/run/nvidia/driver' + - "--mig-strategy=single" + - "--pass-device-specs=true" + - "--fail-on-init-error=true" + - "--device-list-strategy=envvar" + - "--nvidia-driver-root=/run/nvidia/driver" driver: licensingConfig: - configMapName: '' + configMapName: "" nodeSelector: {} imagePullSecrets: [] resources: {} @@ -183,9 +183,9 @@ repository: nvcr.io/nvidia securityContext: {} repoConfig: - configMapName: '' - destinationDir: '' - version: 'sha256:017d2e2a1bc410e9d2ac116683fc49a6f28e935cadee86e712cc147ea0239469' + configMapName: "" + destinationDir: "" + version: "sha256:017d2e2a1bc410e9d2ac116683fc49a6f28e935cadee86e712cc147ea0239469" image: driver tolerations: [] gfd: 
@@ -196,7 +196,7 @@ podSecurityContext: {} repository: nvcr.io/nvidia securityContext: {} - version: 'sha256:bfc39d23568458dfd50c0c5323b6d42bdcd038c420fb2a2becd513a3ed3be27f' + version: "sha256:bfc39d23568458dfd50c0c5323b6d42bdcd038c420fb2a2becd513a3ed3be27f" image: gpu-feature-discovery tolerations: [] migStrategy: single @@ -207,7 +207,7 @@ image: cuda-sample imagePullSecrets: [] repository: nvcr.io/nvidia/k8s - version: 'sha256:2a30fe7e23067bc2c3f8f62a6867702a016af2b80b9f6ce861f3fea4dfd85bc2' + version: "sha256:2a30fe7e23067bc2c3f8f62a6867702a016af2b80b9f6ce861f3fea4dfd85bc2" deployGFD: true toolkit: nodeSelector: {} @@ -217,7 +217,7 @@ podSecurityContext: {} repository: nvcr.io/nvidia/k8s securityContext: {} - version: 'sha256:c91875db54ad5d2a2ed396c8fd15cc666411ff35c58c634680946371d32507ae' + version: "sha256:c91875db54ad5d2a2ed396c8fd15cc666411ff35c58c634680946371d32507ae" image: container-toolkit tolerations: [] register: cp_install diff --git a/app/playbooks/deploy.d/odh-demo/main.sh b/app/playbooks/deploy.d/odh-demo/main.sh deleted file mode 100755 index 67d2f98..0000000 --- a/app/playbooks/deploy.d/odh-demo/main.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -ME=$(dirname $0) - -ansible-playbook $ME/odh-demo.yml $@ || exit 1 diff --git a/app/playbooks/deploy.d/odh-demo/odh-demo.yml b/app/playbooks/deploy.d/odh-demo/odh-demo.yml deleted file mode 100644 index d3199a2..0000000 --- a/app/playbooks/deploy.d/odh-demo/odh-demo.yml +++ /dev/null 
@@ -1,367 +0,0 @@ ---- -- name: deploy odh demo - hosts: localhost - gather_facts: no - become: no - - tasks: - - name: ensure the odh operator subscription exists - k8s: - state: present - definition: - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: opendatahub-operator - namespace: openshift-operators - spec: - channel: "{{ lookup('ini', 'opendatahub section=operators file=/app/versions.ini') }}" - name: opendatahub-operator - source: community-operators - sourceNamespace: openshift-marketplace - installPlanApproval: "Automatic" - register: op_subscribe - - - name: wait for operators to begin install - pause: - seconds: 15 - when: op_subscribe is changed - - - name: save clusterserviceversion object - set_fact: - k8s_obj: - apiVersion: operators.coreos.com/v1alpha1 - kind: ClusterServiceVersion - name: opendatahub-operator* - namepace: openshift-operators - - - name: wait for operator to become ready - assert: - that: "lookup('k8s', resource_definition=k8s_obj)[0].status.phase | default('error') == 'Succeeded'" - register: op_lkp - until: op_lkp is success - retries: 60 - delay: 15 - - - name: create odh-demo namespace - k8s: - state: present - definition: - kind: Project - apiVersion: project.openshift.io/v1 - metadata: - name: odh-demo - labels: - control-plane: kubeflow - katib-metricscollector-injection: enabled - annotations: - openshift.io/description: '' - openshift.io/display-name: '' - spec: - finalizers: - - kubernetes - - - name: install odh tooling - k8s: - state: present - definition: - apiVersion: kfdef.apps.kubeflow.org/v1 - kind: KfDef - metadata: - name: opendatahub - namespace: odh-demo - spec: - applications: - - kustomizeConfig: - repoRef: - name: manifests - path: odh-common - name: odh-common - - kustomizeConfig: - repoRef: - name: manifests - path: radanalyticsio/spark/cluster - name: radanalyticsio-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: radanalyticsio/spark/operator - name: 
radanalyticsio-spark-operator - - kustomizeConfig: - parameters: - - name: s3_endpoint_url - value: s3.odh.com - repoRef: - name: manifests - path: jupyterhub/jupyterhub - name: jupyterhub - - kustomizeConfig: - overlays: - - additional - repoRef: - name: manifests - path: jupyterhub/notebook-images - name: notebook-images - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/cluster - name: prometheus-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: prometheus/operator - name: prometheus-operator - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/cluster - name: grafana-cluster - - kustomizeConfig: - repoRef: - name: manifests - path: grafana/grafana - name: grafana-instance - repos: - - name: kf-manifests - uri: >- - https://github.com/opendatahub-io/manifests/tarball/v0.7-branch-openshift - - name: manifests - uri: 'https://github.com/opendatahub-io/odh-manifests/tarball/v0.6.1' - version: v0.6.1 - - - name: ensure notebook imagestream exists - k8s: - state: present - definition: - kind: ImageStream - apiVersion: image.openshift.io/v1 - metadata: - name: ml-workflows-notebook - namespace: odh-demo - labels: - component.opendatahub.io/name: jupyterhub - opendatahub.io/component: 'true' - opendatahub.io/notebook-image: 'true' - spec: - lookupPolicy: - local: false - tags: - - name: latest - annotations: null - from: - kind: DockerImage - name: 'quay.io/willbenton/jh-ml-workflows-notebook:rhte-demo-2019' - generation: 2 - importPolicy: {} - referencePolicy: - type: Source - - - name: ensure kubeadmin config map exists - k8s: - state: present - definition: - kind: ConfigMap - apiVersion: v1 - metadata: - name: jupyterhub-singleuser-profile-kube-3aadmin - namespace: odh-demo - labels: - app: jupyterhub - data: - profile: | - env: - JUPYTER_PRELOAD_REPOS: https://github.com/willb/openshift-ml-workflows-workshop - gpu: '0' - last_selected_image: ml-workflows-notebook:latest - last_selected_size: None - - - name: ensure s2i 
builder imagestream exists - k8s: - state: present - definition: - kind: ImageStream - apiVersion: image.openshift.io/v1 - metadata: - name: simple-model-s2i - namespace: odh-demo - spec: - lookupPolicy: - local: false - tags: - - name: cached-pipeline-s2i - annotations: null - from: - kind: DockerImage - name: 'quay.io/willbenton/simple-model-s2i:cached-pipeline-s2i' - generation: 2 - importPolicy: {} - referencePolicy: - type: Source - - - name: ensure pipeline buildconfig exists - k8s: - state: present - definition: - kind: BuildConfig - apiVersion: build.openshift.io/v1 - metadata: - name: pipeline - namespace: odh-demo - labels: - scrapeModelMetrics: 'yes' - annotations: - openshift.io/generated-by: OpenShiftNewBuild - spec: - nodeSelector: null - output: - to: - kind: ImageStreamTag - name: 'pipeline:latest' - resources: - limits: - cpu: 500m - memory: 10Gi - requests: - cpu: 50m - memory: 3Gi - successfulBuildsHistoryLimit: 5 - failedBuildsHistoryLimit: 5 - strategy: - type: Source - sourceStrategy: - from: - kind: ImageStreamTag - namespace: odh-demo - name: 'simple-model-s2i:cached-pipeline-s2i' - env: - - name: S2I_SOURCE_NOTEBOOK_LIST - value: >- - 03-feature-engineering-tfidf.ipynb,04-model-logistic-regression.ipynb - postCommit: {} - source: - type: Git - git: - uri: 'https://github.com/willb/openshift-ml-workflows-workshop' - ref: develop - contextDir: source - triggers: [] - runPolicy: Serial - - - name: ensure pipeline imgestream exists - k8s: - state: present - definition: - kind: ImageStream - apiVersion: image.openshift.io/v1 - metadata: - name: pipeline - namespace: odh-demo - labels: - scrapeModelMetrics: 'yes' - spec: - lookupPolicy: - local: false - - - name: ensure pipeline deploymentconfig exists - k8s: - state: present - definition: - kind: DeploymentConfig - apiVersion: apps.openshift.io/v1 - metadata: - name: pipeline - namespace: odh-demo - labels: - app: pipeline - spec: - strategy: - type: Rolling - rollingParams: - 
updatePeriodSeconds: 1 - intervalSeconds: 1 - timeoutSeconds: 600 - maxUnavailable: 25% - maxSurge: 25% - resources: {} - activeDeadlineSeconds: 21600 - triggers: - - type: ConfigChange - - type: ImageChange - imageChangeParams: - automatic: true - containerNames: - - pipeline - from: - kind: ImageStreamTag - namespace: odh-demo - name: 'pipeline:latest' - replicas: 1 - revisionHistoryLimit: 10 - test: false - selector: - app: pipeline - deploymentconfig: pipeline - template: - metadata: - creationTimestamp: null - labels: - app: pipeline - deploymentconfig: pipeline - spec: - containers: - - name: pipeline - image: >- - image-registry.openshift-image-registry.svc:5000/odh-demo/pipeline:latest - ports: - - containerPort: 8080 - protocol: TCP - resources: {} - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - imagePullPolicy: Always - restartPolicy: Always - terminationGracePeriodSeconds: 30 - dnsPolicy: ClusterFirst - securityContext: {} - schedulerName: default-scheduler - - - name: ensure pipeline service exists - k8s: - state: present - definition: - apiVersion: v1 - kind: Service - metadata: - name: pipeline - namespace: odh-demo - labels: - mlmodel: "yes" - spec: - selector: - app: pipeline - ports: - - protocol: TCP - port: 8080 - targetPort: 8080 - - - name: ensure odhmodelmonitor exists - k8s: - state: present - definition: - apiVersion: monitoring.coreos.com/v1 - kind: ServiceMonitor - metadata: - name: odhmodelmonitor - namespace: odh-demo - labels: - component.opendatahub.io/name: prometheus - opendatahub.io/component: 'true' - team: opendatahub - spec: - endpoints: - - targetPort: 8080 - selector: - matchLabels: - mlmodel: "yes" - diff --git a/app/playbooks/deploy.d/redhat-entitlements/deploy_certs.yaml b/app/playbooks/deploy.d/redhat-entitlements/deploy_certs.yaml index 1fef2f1..b9acf2e 100644 --- a/app/playbooks/deploy.d/redhat-entitlements/deploy_certs.yaml 
+++ b/app/playbooks/deploy.d/redhat-entitlements/deploy_certs.yaml @@ -1,7 +1,7 @@ - name: gather rhel subscription from bastion host hosts: bastion_hosts[0] - gather_facts: yes - become: no + gather_facts: true + become: false tasks: - name: ensure bastion host in a RHEL system @@ -14,7 +14,7 @@ set -o pipefail && subscription-manager list --consumed --matches="Red Hat CoreOS" | grep Serial | tail -n 1 | awk -F: '{ print $2 }' | xargs echo -n - become: yes + become: true register: entitlement_serial failed_when: entitlement_serial.stdout_lines | length == 0 diff --git a/app/playbooks/deploy.d/wipefs/configure.py b/app/playbooks/deploy.d/wipefs/configure.py index 25ff88f..cd313d0 100644 --- a/app/playbooks/deploy.d/wipefs/configure.py +++ b/app/playbooks/deploy.d/wipefs/configure.py @@ -1,3 +1,4 @@ +# -*- coding: utf-8 -*- import os import sys import pickle diff --git a/app/playbooks/deploy.d/wipefs/gather-facts.yml b/app/playbooks/deploy.d/wipefs/gather-facts.yml index 08f2c7b..22fbe0b 100644 --- a/app/playbooks/deploy.d/wipefs/gather-facts.yml +++ b/app/playbooks/deploy.d/wipefs/gather-facts.yml @@ -1,7 +1,7 @@ - name: query cluster facts hosts: localhost - become: no - gather_facts: no + become: false + gather_facts: false pre_tasks: - name: lookup cluster nodes @@ -12,8 +12,8 @@ shell: oc debug -n default node/{{ item }} -- chroot /host lsblk -dlno NAME 2>/dev/null loop: "{{ cluster_nodes }}" register: cluster_drives - ignore_errors: yes - changed_when: no + ignore_errors: true + changed_when: false - name: save discovered hosts set_stats: diff --git a/app/playbooks/deploy.d/wipefs/wipe-host.yml b/app/playbooks/deploy.d/wipefs/wipe-host.yml index c4401a1..2190988 100644 --- a/app/playbooks/deploy.d/wipefs/wipe-host.yml +++ b/app/playbooks/deploy.d/wipefs/wipe-host.yml 
@@ -2,27 +2,27 @@
 shell: "oc debug -n default node/{{ outer.host }} -- chroot /host pvdisplay /dev/{{ item }} | grep 'VG Name' | awk '{print $3}'"
 loop: "{{ outer.drives }}"
 register: vgs
- changed_when: no
- ignore_errors: yes
+ changed_when: false
+ ignore_errors: true
 - name: delete associated vgs
 shell: "oc debug -n default node/{{ outer.host }} -- chroot /host vgremove --force --noudevsync '{{ item.stdout }}'"
- changed_when: yes
+ changed_when: true
 when: item.stdout != ""
 loop: "{{ vgs.results }}"
 - name: remove pvs
 shell: "oc debug -n default node/{{ outer.host }} -- chroot /host pvremove '/dev/{{ item }}'"
 loop: "{{ outer.drives }}"
- changed_when: yes
- ignore_errors: yes
+ changed_when: true
+ ignore_errors: true
 - name: wipe filesystem
 shell: "oc debug -n default node/{{ outer.host }} -- chroot /host wipefs -a '/dev/{{ item }}'"
 loop: "{{ outer.drives }}"
- changed_when: yes
+ changed_when: true
 - name: clear GPT and MBR structures
 shell: "oc debug -n default node/{{ outer.host }} -- chroot /host sgdisk --zap-all '/dev/{{ item }}'"
 loop: "{{ outer.drives }}"
- changed_when: yes
+ changed_when: true
diff --git a/app/playbooks/deploy.d/wipefs/wipe-local-storage.yml b/app/playbooks/deploy.d/wipefs/wipe-local-storage.yml
index c73e779..8e76c4b 100644
--- a/app/playbooks/deploy.d/wipefs/wipe-local-storage.yml
+++ b/app/playbooks/deploy.d/wipefs/wipe-local-storage.yml
@@ -1,7 +1,7 @@
 - name: wipe local storage
 hosts: localhost
- become: no
- gather_facts: no
+ become: false
+ gather_facts: false
 tasks:
 - name: wipe drives per host
diff --git a/app/playbooks/destroy.d/cluster/destroy.yml b/app/playbooks/destroy.d/cluster/destroy.yml
index 9355a15..6816037 100755
--- a/app/playbooks/destroy.d/cluster/destroy.yml
+++ b/app/playbooks/destroy.d/cluster/destroy.yml
@@ -1,15 +1,15 @@ #!/usr/bin/env ansible-playbook - name: Are you sure? hosts: all - any_errors_fatal: yes + any_errors_fatal: true max_fail_percentage: 0 serial: 100% - gather_facts: no + gather_facts: false vars_prompt: - name: confirm prompt: This will destroy the running cluster and you will lose all data. Are you sure? [yes to continue] - private: no + private: false tasks: - name: Validate user input @@ -21,9 +21,9 @@ - name: Destroy cluster nodes hosts: cluster:!bootstrap - become: no - gather_facts: no - any_errors_fatal: yes + become: false + gather_facts: false + any_errors_fatal: true max_fail_percentage: 0 serial: 1 @@ -61,26 +61,26 @@ - name: Wait for cluster nodes to start wiping hosts: cluster:!bootstrap - become: no - gather_facts: no - any_errors_fatal: yes + become: false + gather_facts: false + any_errors_fatal: true max_fail_percentage: 0 tasks: - name: wait for nodes to start wiping shell: ping -c 1 {{ ansible_host }} delegate_to: "{{ groups.bastion_hosts[0] }}" - become: no + become: false register: node_ping until: "node_ping is not failed" retries: 30 delay: 10 - changed_when: no + changed_when: false - name: Terminate the Bootstrap node hosts: bootstrap - become: no - gather_facts: no + become: false + gather_facts: false tasks: - include_role: @@ -96,8 +96,8 @@ - name: Clean cockpit interface hosts: bastion - gather_facts: no - become: yes + gather_facts: false + become: true tasks: - name: remove faros page from cockpit @@ -105,11 +105,10 @@ path: /usr/local/share/cockpit/faros state: absent - - name: Wait for hosts to finish disk wipe hosts: cluster:!bootstrap - become: no - gather_facts: no + become: false + gather_facts: false tasks: - name: create tmp cache dir 
@@ -123,9 +122,8 @@
 ilorest --cache-dir="{{ cache.path }}" login "{{ mgmt_hostname }}" -u '{{ mgmt_user }}' -p '{{ mgmt_password }}' &>/dev/null
 ilorest --cache-dir="{{ cache.path }}" --nologo get --selector=ComputerSystem PowerState --json
 register: powercheck
- changed_when: False
+ changed_when: false
 delegate_to: localhost
 retries: 60
 delay: 10
 until: "(powercheck.stdout | from_json)['PowerState'] == 'Off'"
-
diff --git a/app/playbooks/destroy.d/install-repos/destroy.yml b/app/playbooks/destroy.d/install-repos/destroy.yml
index f26f95b..5feb0ff 100755
--- a/app/playbooks/destroy.d/install-repos/destroy.yml
+++ b/app/playbooks/destroy.d/install-repos/destroy.yml
@@ -2,8 +2,8 @@
 - name: Clean coreos install repos
 hosts: bastion
- become: yes
- gather_facts: no
+ become: true
+ gather_facts: false
 tasks:
 - name: erase stored images and igniton configs
@@ -26,7 +26,7 @@
 - name: Purge openshift installation resource caches
 hosts: localhost
- gather_facts: no
+ gather_facts: false
 tasks:
 - name: remove installer data cache
diff --git a/app/playbooks/destroy.d/load-balancer/destroy.yml b/app/playbooks/destroy.d/load-balancer/destroy.yml
index 2d3ce43..d217d9f 100755
--- a/app/playbooks/destroy.d/load-balancer/destroy.yml
+++ b/app/playbooks/destroy.d/load-balancer/destroy.yml
@@ -1,23 +1,23 @@
 #!/usr/bin/env ansible-playbook
 - name: Uninstall cluster load balancer
 hosts: bastion
- gather_facts: no
- become: yes
+ gather_facts: false
+ become: true
 tasks:
 - name: shutdown the load balancer service
 systemd:
 name: haproxy
 state: stopped
- enabled: no
- force: yes
+ enabled: false
+ force: true
 - name: shutdown the VIP service
 systemd:
 name: keepalived
 state: stopped
- enabled: no
- force: yes
+ enabled: false
+ force: true
 - name: delete load balancer configuration
 file:
diff --git a/app/playbooks/firmware.d/el8000-sw2-ssd/apply.yml b/app/playbooks/firmware.d/el8000-sw2-ssd/apply.yml
index b0be9d2..72ce42f 100644
--- a/app/playbooks/firmware.d/el8000-sw2-ssd/apply.yml
+++ b/app/playbooks/firmware.d/el8000-sw2-ssd/apply.yml
@@ -1,16 +1,16 @@
 - name: apply firmware
 hosts: cluster,!virtual
- become: no
- gather_facts: no
+ become: false
+ gather_facts: false
 serial: 1
 vars_prompt:
 - name: username
 prompt: Current iLO Admin User [defaults to value in config]
- private: no
+ private: false
 - name: password
 prompt: Current iLO Admin Password [defaults to value in config]
- private: yes
+ private: true
 tasks:
 - name: use default ilo user when requested
@@ -31,7 +31,7 @@
 - name: login to ilo
 shell: ilorest -c "{{ config.path }}" login "{{ mgmt_hostname }}" -u '{{ username }}' -p '{{ password }}'
- changed_when: False
+ changed_when: false
 delegate_to: localhost
 - name: ensure server is off
@@ -92,6 +92,5 @@
 - name: logout of ilo
 shell: ilorest -c "{{ config.path }}" logout
- changed_when: False
+ changed_when: false
 delegate_to: localhost
-
diff --git a/app/playbooks/firmware.d/el8000-sw2-ssd/bios.yml b/app/playbooks/firmware.d/el8000-sw2-ssd/bios.yml
index 7ba7472..d634b35 100644
--- a/app/playbooks/firmware.d/el8000-sw2-ssd/bios.yml
+++ b/app/playbooks/firmware.d/el8000-sw2-ssd/bios.yml
@@ -3,55 +3,54 @@ delegate_to: localhost register: load failed_when: - - 'load.rc != 0' - - '"Error: No differences found from current configuration." not in load.stderr_lines' + - "load.rc != 0" + - '"Error: false differences found from current configuration." not in load.stderr_lines' changed_when: - - 'load.rc == 0' - - '"Error: No differences found from current configuration." not in load.stderr_lines' + - "load.rc == 0" + - '"Error: false differences found from current configuration." not in load.stderr_lines' - block: - - name: check for pending changes (may fail) - shell: ilorest -c "{{ config.path }}" pending | grep -c 'No pending changes found.' - delegate_to: localhost - register: pending_changes - changed_when: no - failed_when: pending_changes.stdout | int < 6 + - name: check for pending changes (may fail) + shell: ilorest -c "{{ config.path }}" pending | grep -c 'No pending changes found.' + delegate_to: localhost + register: pending_changes + changed_when: false + failed_when: pending_changes.stdout | int < 6 rescue: - - name: set bios setup for next boot - shell: ilorest -c "{{ config.path }}" bootorder --onetimeboot=BiosSetup --commit - delegate_to: localhost + - name: set bios setup for next boot + shell: ilorest -c "{{ config.path }}" bootorder --onetimeboot=BiosSetup --commit + delegate_to: localhost - - name: ensure server is on - include_role: - name: management - defaults_from: main.yml - tasks_from: "poweron/{{ mgmt_provider }}.yml" - vars_from: "{{ mgmt_provider }}.yml" - handlers_from: "{{ mgmt_provider }}.yml" - vars: - management_hostname: "{{ mgmt_hostname }}" - management_user: "{{ username }}" - management_pass: "{{ password }}" + - name: ensure server is on + include_role: + name: management + defaults_from: main.yml + tasks_from: "poweron/{{ mgmt_provider }}.yml" + vars_from: "{{ mgmt_provider }}.yml" + handlers_from: "{{ mgmt_provider }}.yml" + vars: + management_hostname: "{{ mgmt_hostname }}" + management_user: "{{ username }}" + 
management_pass: "{{ password }}" - - name: check for pending changes - shell: ilorest -c "{{ config.path }}" pending | grep -c 'No pending changes found.' - delegate_to: localhost - register: pending_changes - changed_when: no - until: pending_changes.stdout | int >= 6 - delay: 10 - retries: 60 - - - name: ensure server is off - include_role: - name: management - defaults_from: main.yml - tasks_from: "poweroff/{{ mgmt_provider }}.yml" - vars_from: "{{ mgmt_provider }}.yml" - handlers_from: "{{ mgmt_provider }}.yml" - vars: - management_hostname: "{{ mgmt_hostname }}" - management_user: "{{ username }}" - management_pass: "{{ password }}" + - name: check for pending changes + shell: ilorest -c "{{ config.path }}" pending | grep -c 'No pending changes found.' + delegate_to: localhost + register: pending_changes + changed_when: false + until: pending_changes.stdout | int >= 6 + delay: 10 + retries: 60 + - name: ensure server is off + include_role: + name: management + defaults_from: main.yml + tasks_from: "poweroff/{{ mgmt_provider }}.yml" + vars_from: "{{ mgmt_provider }}.yml" + handlers_from: "{{ mgmt_provider }}.yml" + vars: + management_hostname: "{{ mgmt_hostname }}" + management_user: "{{ username }}" + management_pass: "{{ password }}" diff --git a/app/playbooks/firmware.d/manual/main.sh b/app/playbooks/firmware.d/manual/main.sh index d53521d..71ae9fa 100755 --- a/app/playbooks/firmware.d/manual/main.sh +++ b/app/playbooks/firmware.d/manual/main.sh @@ -1,3 +1,5 @@ +#!/bin/bash + echo -e "\e[93m" cat < @@ -79,4 +81,4 @@ label: "{{ item.metadata.name }}" when: item.status.conditions[0].type | default("") != "Approved" delegate_to: localhost - run_once: yes + run_once: true diff --git a/app/playbooks/util_vm_facts.yml b/app/playbooks/util_vm_facts.yml index 776705e..1aeeb0d 100755 --- a/app/playbooks/util_vm_facts.yml +++ b/app/playbooks/util_vm_facts.yml 
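Review bot: The lint find/replace rewrote the ilorest message inside both the `failed_when` and `changed_when` lists from `"Error: No differences found from current configuration."` to `"Error: false differences found from current configuration."`, and that literal can no longer match anything ilorest prints, so a bios load that reports no differences now fails the task, and a successful load is always reported as changed. Only YAML booleans should have been converted, not words inside quoted strings; restore `- '"Error: No differences found from current configuration." not in load.stderr_lines'` in both lists. The task that registers `load` starts before this hunk, so I cannot see the command it wraps.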
@@ -1,9 +1,9 @@ #!/usr/bin/env ansible-playbook - name: gather virtual machine facts from qemu-kvm hosts: virtual - gather_facts: no - become: no + gather_facts: false + become: false roles: - name: vm-gather-facts - hypervisor: '{{ groups.bastion_hosts.0 }}' + hypervisor: "{{ groups.bastion_hosts.0 }}" diff --git a/app/playbooks/wait-for.d/firmware-config/main.sh b/app/playbooks/wait-for.d/firmware-config/main.sh index a058ab3..c57e0e9 100755 --- a/app/playbooks/wait-for.d/firmware-config/main.sh +++ b/app/playbooks/wait-for.d/firmware-config/main.sh @@ -1,3 +1,5 @@ +#!/bin/bash + echo -e "\e[93m" cat <Faros Cluster Controller - diff --git a/app/roles/cockpit-links/handlers/main.yml b/app/roles/cockpit-links/handlers/main.yml new file mode 100644 index 0000000..fcd20ec --- /dev/null +++ b/app/roles/cockpit-links/handlers/main.yml @@ -0,0 +1,9 @@ +- name: install cockpit plugin + copy: + src: "{{ item }}" + dest: "/usr/local/share/cockpit/faros/{{ item }}" + mode: 0644 + loop: + - index.html + - manifest.json + when: install is changed diff --git a/app/roles/cockpit-links/tasks/main.yml b/app/roles/cockpit-links/tasks/main.yml index 24b3717..6588090 100644 --- a/app/roles/cockpit-links/tasks/main.yml +++ b/app/roles/cockpit-links/tasks/main.yml @@ -3,22 +3,16 @@ path: /usr/local/share/cockpit/faros state: directory mode: 0755 - register: install + notify: install cockpit plugin -- name: install cockpit plugin - copy: - src: "{{ item }}" - dest: "/usr/local/share/cockpit/faros/{{ item }}" - mode: 0644 - loop: - - index.html - - manifest.json - when: install is changed +- name: Flush handlers + meta: flush_handlers - name: add links to cockpit - insert lineinfile: path: /usr/local/share/cockpit/faros/index.html line:
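Review bot: The new handler keeps `when: install is changed`, but the directory task in tasks/main.yml no longer does `register: install` (it now only notifies this handler), so `install` is undefined when the handler runs and the conditional errors out instead of copying `index.html` and `manifest.json`. A handler already runs only when the notifying task reported a change, so the condition adds nothing; drop the `when: install is changed` line. With the `meta: flush_handlers` that follows, the copy then happens before the `lineinfile` edits to `/usr/local/share/cockpit/faros/index.html`, which is the ordering the old `register`/`when` pair was preserving.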
  • {{ item.name }}
  • + # yamllint disable-line insertafter: regexp: "{{ item.name }}" loop: "{{ cockpit_links }}" @@ -28,6 +22,7 @@ lineinfile: path: /usr/local/share/cockpit/faros/index.html line:
  • {{ item.name }}
  • + # yamllint disable-line insertbefore: regexp: "{{ item.name }}" loop: "{{ cockpit_links }}" diff --git a/app/roles/content-servers/tasks/http.yaml b/app/roles/content-servers/tasks/http.yaml index fc38695..0f1c966 100644 --- a/app/roles/content-servers/tasks/http.yaml +++ b/app/roles/content-servers/tasks/http.yaml @@ -14,20 +14,21 @@ zone: internal port: 8081/tcp state: enabled - permanent: yes - immediate: yes + permanent: true + immediate: true - name: configure selinux booleans for http seboolean: name: httpd_can_network_connect - persistent: yes - state: yes - ignore_errors: yes + persistent: true + state: true + failed_when: false - name: deploy custom selinux te file for http copy: src: faros_http.te dest: /root/faros_http.te + mode: 0644 register: http_selinux - name: compile custom selinux te file for http @@ -35,10 +36,10 @@ checkmodule -M -m -o "/root/faros_http.mod" "/root/faros_http.te" && semodule_package -o "/root/faros_http.pp" -m "/root/faros_http.mod" && semodule -i "/root/faros_http.pp" - when: http_selinux is changed + when: http_selinux is changed # noqa no-handler - name: start http services service: name: httpd - enabled: yes + enabled: true state: started diff --git a/app/roles/content-servers/tasks/tftp.yaml b/app/roles/content-servers/tasks/tftp.yaml index b72356c..b0f365b 100644 --- a/app/roles/content-servers/tasks/tftp.yaml +++ b/app/roles/content-servers/tasks/tftp.yaml @@ -8,8 +8,8 @@ zone: internal service: tftp state: enabled - permanent: yes - immediate: yes + permanent: true + immediate: true - name: Create TFTP directory structure file: @@ -63,5 +63,5 @@ - name: Starting PXE services service: name: tftp.socket - enabled: yes + enabled: true state: started diff --git a/app/roles/dhcp-server/tasks/main.yaml b/app/roles/dhcp-server/tasks/main.yaml index f5cf21e..57d6428 100644 --- a/app/roles/dhcp-server/tasks/main.yaml +++ b/app/roles/dhcp-server/tasks/main.yaml 
@@ -20,7 +20,7 @@ mode: 0640 state: file register: custom_conf_check - ignore_errors: yes + ignore_errors: true - name: create custom dhcpd conf file file: @@ -39,7 +39,7 @@ mode: 0640 state: file register: custom_static_check - ignore_errors: yes + ignore_errors: true - name: create static dhcpd conf file file: @@ -54,15 +54,15 @@ service: name: dhcpd state: started - enabled: yes + enabled: true - name: ensure firewall allows internal access to dhcp ansible.posix.firewalld: zone: internal port: 67/{{ item }} state: enabled - permanent: yes - immediate: yes + permanent: true + immediate: true loop: - tcp - udp diff --git a/app/roles/dhcp-verify/tasks/main.yaml b/app/roles/dhcp-verify/tasks/main.yaml index 57f68b3..6fb5977 100644 --- a/app/roles/dhcp-verify/tasks/main.yaml +++ b/app/roles/dhcp-verify/tasks/main.yaml @@ -1,19 +1,20 @@ - - name: get list of ignored hosts shell: > + set -o pipefail grep '^# BEGIN MANAGED RECORD - ignore_' /etc/dhcp/dhcpd.static.conf | awk '{ print $6 }' | sed 's/^ignore_//g' register: dhcp_verify_file_ignored - changed_when: False + changed_when: false - name: get list of configured hosts shell: > + set -o pipefail grep '^# BEGIN MANAGED RECORD - ' /etc/dhcp/dhcpd.static.conf | grep -v '^# BEGIN MANAGED RECORD - ignore_' | awk '{ print $6 }' register: dhcp_verify_file_records - changed_when: False + changed_when: false - name: remove orphaned ignored hosts blockinfile: diff --git a/app/roles/dhcp/defaults/main.yml b/app/roles/dhcp/defaults/main.yml index b3196a3..d712ecd 100644 --- a/app/roles/dhcp/defaults/main.yml +++ b/app/roles/dhcp/defaults/main.yml @@ -1,5 +1,5 @@ dhcp_mac_address: "{{ mac_address | default('00:00:00:00:00:00') }}" dhcp_ip: "{{ ansible_host }}" dhcp_name: "{{ inventory_hostname }}" -dhcp_ignore: no -dhcp_present: yes +dhcp_ignore: false +dhcp_present: true diff --git a/app/roles/dhcp/handlers/main.yaml b/app/roles/dhcp/handlers/main.yaml index 52bcd12..caa1fc6 100644 --- a/app/roles/dhcp/handlers/main.yaml 
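Review bot: Putting `set -o pipefail` as the first line of a `shell: >` folded scalar in "get list of ignored hosts" and "get list of configured hosts" does not enable pipefail: `>` joins the lines with spaces, so the shell sees `set -o pipefail grep '^# BEGIN MANAGED RECORD - ignore_' /etc/dhcp/dhcpd.static.conf | awk ... | sed ...`, and `set` treats `grep ...` as positional parameters and prints nothing. Both registered variables (`dhcp_verify_file_ignored`, `dhcp_verify_file_records`) therefore end up with empty stdout, and the "remove orphaned ignored hosts" task that follows (its body continues past the hunk) runs against an empty host list, which could remove every managed record depending on its logic. Use a literal block, `shell: |`, keep `set -o pipefail` on its own line, and since pipefail is a bash extension add `args:` with `executable: /bin/bash` so the task does not fail on a dash `/bin/sh`.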
+++ b/app/roles/dhcp/handlers/main.yaml @@ -4,10 +4,10 @@ state: restarted listen: restart dhcpd delegate_to: dhcp - become: yes + become: true - name: sleep command: sleep 2 delegate_to: localhost - become: no + become: false listen: restart dhcpd diff --git a/app/roles/dhcp/tasks/main.yml b/app/roles/dhcp/tasks/main.yml index 5b1884c..0229897 100755 --- a/app/roles/dhcp/tasks/main.yml +++ b/app/roles/dhcp/tasks/main.yml @@ -9,14 +9,14 @@ fixed-address {{ dhcp_ip }}; } marker: "# {mark} MANAGED RECORD - {{ dhcp_name }}" - create: yes + create: true owner: root group: root mode: 0640 state: "{% if dhcp_present|bool %}present{% else %}absent{% endif %}" notify: restart dhcpd delegate_to: dhcp - become: yes + become: true when: "not dhcp_ignore" - name: configure dhcp ignoring @@ -28,13 +28,12 @@ ignore booting; } marker: "# {mark} MANAGED RECORD - ignore_{{ dhcp_name }}" - create: yes + create: true owner: root group: root mode: 0640 state: "{% if dhcp_present|bool %}present{% else %}absent{% endif %}" notify: restart dhcpd delegate_to: dhcp - become: yes + become: true when: "dhcp_ignore" - diff --git a/app/roles/dns-server/handlers/main.yaml b/app/roles/dns-server/handlers/main.yaml index eaee0c4..d2d8b7c 100644 --- a/app/roles/dns-server/handlers/main.yaml +++ b/app/roles/dns-server/handlers/main.yaml @@ -12,7 +12,7 @@ owner: root group: named mode: 0644 - create: yes + create: true loop: - line: "@ IN SOA ns.{{ dns_server_domain }}. {{ dns_server_domain }}. {{ serial_update.stdout }} 1D 1W 1W 3H;" regexp: "IN\\sSOA" @@ -30,7 +30,7 @@ owner: root group: named mode: 0644 - create: yes + create: true loop: - line: "@ IN SOA ns.{{ dns_server_domain }}. {{ dns_server_domain }}. {{ serial_update.stdout }} 1D 1W 1W 3H;" regexp: "IN\\sSOA" diff --git a/app/roles/dns-server/tasks/main.yaml b/app/roles/dns-server/tasks/main.yaml index 1575700..7f87889 100644 --- a/app/roles/dns-server/tasks/main.yaml +++ b/app/roles/dns-server/tasks/main.yaml 
@@ -20,7 +20,7 @@ mode: 0640 state: file register: custom_conf_check - ignore_errors: yes + ignore_errors: true notify: restart named - name: create custom dns conf file @@ -36,18 +36,20 @@ - name: read dns zone serial command: cat /var/named/serial.{{ dns_server_domain }} register: serial - changed_when: no - ignore_errors: yes + changed_when: false + ignore_errors: true - name: initialize dns zone serial - shell: date +%s | tee /var/named/serial.{{ dns_server_domain }} + shell: | + set -o pipefail + date +%s | tee /var/named/serial.{{ dns_server_domain }} when: serial is failed - changed_when: yes + changed_when: true - name: read dns zone serial command: cat /var/named/serial.{{ dns_server_domain }} register: serial - changed_when: no + changed_when: false - name: ensure forward dns zone is configured lineinfile: @@ -57,7 +59,7 @@ owner: root group: named mode: 0644 - create: yes + create: true loop: - line: "$TTL 1D" regexp: "^\\$TTL" @@ -83,7 +85,7 @@ owner: root group: named mode: 0644 - create: yes + create: true loop: - line: "$TTL 1D" regexp: "^\\$TTL" @@ -102,15 +104,15 @@ service: name: named state: started - enabled: yes + enabled: true - name: ensure firewall allows internal access to dns ansible.posix.firewalld: zone: internal port: 53/{{ item }} state: enabled - permanent: yes - immediate: yes + permanent: true + immediate: true loop: - tcp - udp diff --git a/app/roles/dns/defaults/main.yml b/app/roles/dns/defaults/main.yml index 9c72115..fe15e2b 100644 --- a/app/roles/dns/defaults/main.yml +++ b/app/roles/dns/defaults/main.yml @@ -3,5 +3,5 @@ dns_hostname: "{{ inventory_hostname }}" dns_domain: "example.com" dns_reverse_domain: "1.168.192.in-addr.arpa" dns_value: "{{ ansible_host }}" -dns_reverse: yes -dns_present: yes +dns_reverse: true +dns_present: true diff --git a/app/roles/dns/handlers/main.yaml b/app/roles/dns/handlers/main.yaml index cb56852..3ed6ac8 100644 --- a/app/roles/dns/handlers/main.yaml +++ b/app/roles/dns/handlers/main.yaml 
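Review bot: The `shell: |` with `set -o pipefail` in "initialize dns zone serial" is the correct block style, but `pipefail` is not POSIX: `shell` runs `/bin/sh` by default, and on a host where that is dash the task now fails at the `set` line instead of initializing the serial. Add `args:` with `executable: /bin/bash` under the task. Smaller point: `date +%s | tee /var/named/serial.{{ dns_server_domain }}` creates the serial file with whatever umask the session has and no owner/group, while the zone files just below are explicitly `root:named 0644`; an explicit `file:` task (or `install -m`) would make the permissions deterministic.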
@@ -1,9 +1,9 @@ - name: update saved serial shell: date +%s | tee /var/named/serial.{{ dns_domain }} register: serial_update - run_once: yes + run_once: true delegate_to: dns - become: yes + become: true listen: - update serial @@ -15,16 +15,16 @@ owner: root group: root mode: 0644 - create: yes + create: true loop: - line: "@ IN SOA ns.{{ dns_domain }}. {{ dns_domain }}. {{ serial_update.stdout }} 1D 1W 1W 3H;" regexp: "IN\\sSOA" label: "SOA Record" loop_control: label: "{{ item.label }}" - run_once: yes + run_once: true delegate_to: dns - become: yes + become: true listen: - update serial @@ -36,16 +36,16 @@ owner: root group: root mode: 0644 - create: yes + create: true loop: - line: "@ IN SOA ns.{{ dns_domain }}. {{ dns_domain }}. {{ serial_update.stdout }} 1D 1W 1W 3H;" regexp: "IN\\sSOA" label: "SOA Record" loop_control: label: "{{ item.label }}" - run_once: yes + run_once: true delegate_to: dns - become: yes + become: true listen: - update serial @@ -53,8 +53,8 @@ service: name: named state: restarted - run_once: yes + run_once: true delegate_to: dns - become: yes + become: true listen: - update serial diff --git a/app/roles/dns/tasks/main.yml b/app/roles/dns/tasks/main.yml index af8181b..d7437bb 100755 --- a/app/roles/dns/tasks/main.yml +++ b/app/roles/dns/tasks/main.yml @@ -6,17 +6,18 @@ dns_rev_zone_db: "/var/named/zone.{{ dns_reverse_domain }}" dns_zone_serial: "/var/named/serial.{{ dns_domain }}" delegate_to: dns - become: yes + become: true - name: ensure forward entry exists in zone (not SRV) lineinfile: line: "{{ dns_hostname }} IN {{ dns_type }} {{ dns_value }}" dest: "{{ dns_fwd_zone_db }}" regexp: ";*\\w*{{ dns_hostname | replace('*', '\\*') }} IN" - create: yes + create: true + mode: 0644 state: "{% if dns_present|bool %}present{% else %}absent{% endif %}" delegate_to: dns - become: yes + become: true when: dns_type != "SRV" notify: update serial 
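Review bot: The regexp in "ensure forward entry exists in zone (not SRV)" escapes only `*` in `dns_hostname`, so any other regex metacharacter in the name (a `.` in a qualified label, for example) is interpreted, and because the pattern is unanchored with a `\w*` prefix it also matches a longer name ending in the same characters — adding host `api` can rewrite an existing `myapi IN ...` line in the zone. Prefer `regexp: "^;*{{ dns_hostname | regex_escape }} IN"` so only the intended record is replaced. The newly added `mode: 0644` is appropriate for a file named must read, but this task sets no owner/group while the dns-server role creates the same zone files as `root:named`; if `create: true` is ever the path that creates the file, the two roles will disagree.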
@@ -24,10 +25,11 @@ lineinfile: line: "{{ dns_hostname }} IN {{ dns_type }} {{ dns_value }}" dest: "{{ dns_fwd_zone_db }}" - create: yes + create: true + mode: 0644 state: "{% if dns_present|bool %}present{% else %}absent{% endif %}" delegate_to: dns - become: yes + become: true when: dns_type == "SRV" notify: update serial @@ -41,5 +43,5 @@ - dns_reverse - dns_type == "A" delegate_to: dns - become: yes + become: true notify: update serial diff --git a/app/roles/hypervisor/tasks/main.yml b/app/roles/hypervisor/tasks/main.yml index ccc29cf..993334f 100644 --- a/app/roles/hypervisor/tasks/main.yml +++ b/app/roles/hypervisor/tasks/main.yml @@ -19,13 +19,13 @@ service: name: libvirtd state: started - enabled: yes + enabled: true - name: ensure root and user can access kvm user: name: "{{ item }}" groups: kvm - append: yes + append: true loop: - root - "{{ ansible_ssh_user }}" diff --git a/app/roles/keepalived/tasks/main.yml b/app/roles/keepalived/tasks/main.yml index 55fc0c8..69b3577 100644 --- a/app/roles/keepalived/tasks/main.yml +++ b/app/roles/keepalived/tasks/main.yml @@ -13,12 +13,12 @@ - name: ensure firewall allows vrrp traffic ansible.posix.firewalld: rich_rule: rule protocol value="vrrp" accept - permanent: yes - immediate: yes + permanent: true + immediate: true state: enabled - name: ensure keepalived is running/enabled service: name: keepalived state: started - enabled: yes + enabled: true diff --git a/app/roles/loadbalancer/tasks/main.yml b/app/roles/loadbalancer/tasks/main.yml old mode 100755 new mode 100644 index 81f3891..919d499 --- a/app/roles/loadbalancer/tasks/main.yml +++ b/app/roles/loadbalancer/tasks/main.yml 
@@ -26,26 +26,27 @@ template: src: templates/haproxy.cfg.j2 dest: /etc/haproxy/haproxy.cfg + mode: 0644 notify: restart haproxy - name: configure haproxy selinux booleans seboolean: name: haproxy_connect_any - state: yes - persistent: yes - when: ansible_selinux != False + state: true + persistent: true + when: ansible_selinux - name: configure services service: name: haproxy state: started - enabled: yes + enabled: true - name: open firewall ports ansible.posix.firewalld: port: "{{ item }}" - permanent: yes - immediate: yes + permanent: true + immediate: true state: enabled zone: internal loop: diff --git a/app/roles/management/tasks/netboot/kvm.yml b/app/roles/management/tasks/netboot/kvm.yml index 8cd13bc..492ea09 100644 --- a/app/roles/management/tasks/netboot/kvm.yml +++ b/app/roles/management/tasks/netboot/kvm.yml @@ -1,14 +1,16 @@ - name: get current kvm server disk capacity shell: > + set -o pipefail virsh vol-info --pool default --vol {{ inventory_hostname }}.qcow2 | grep Capacity | awk '{ print $2; }' delegate_to: "{{ management_hostname }}" - become: yes + become: true register: kvm_vol_cap - changed_when: no + changed_when: false -- debug: +- name: debug print the disk capacity + debug: var: kvm_vol_cap.stdout.split('.')[0] - name: network boot kvm servers @@ -18,4 +20,5 @@ --capacity {{ kvm_vol_cap.stdout.split('.')[0] }}G --format qcow2 && virsh start {{ inventory_hostname }} delegate_to: "{{ management_hostname }}" - become: yes + become: true + changed_when: true diff --git a/app/roles/management/tasks/poweroff/ilo.yml b/app/roles/management/tasks/poweroff/ilo.yml index babd1c7..9c51260 100644 --- a/app/roles/management/tasks/poweroff/ilo.yml +++ b/app/roles/management/tasks/poweroff/ilo.yml 
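Review bot: `when: ansible_selinux` is only cosmetically different from `ansible_selinux != False`: on current Ansible the fact is a dict (for instance `{'status': 'disabled'}` when SELinux is off), which is truthy, so the `haproxy_connect_any` seboolean task still runs on hosts where SELinux is disabled and fails there. If the intent is to skip it on such hosts, test the status explicitly: `when: ansible_selinux.status == 'enabled'`. The added `mode: 0644` on haproxy.cfg is fine; it contains no secrets as far as this diff shows.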
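Review bot: `set -o pipefail` was inserted inside a `shell: >` folded scalar in "get current kvm server disk capacity", so YAML folds it onto the `virsh vol-info ...` line and the shell executes `set -o pipefail virsh vol-info --pool default --vol ... | grep Capacity | awk ...`; `set` consumes the virsh arguments as positional parameters, nothing is printed, and `kvm_vol_cap.stdout` is empty. The debug task will show that, and the later `virsh vol-create-as ... --capacity {{ kvm_vol_cap.stdout.split('.')[0] }}G` is rendered as `--capacity G`, so the network-boot task fails (or creates a wrong-sized volume) before `virsh start`. Switch to `shell: |`, keep `set -o pipefail` on its own line, and add `args:` with `executable: /bin/bash`; quoting `"{{ inventory_hostname }}.qcow2"` would also keep an unusual hostname from being word-split by the shell.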
@@ -3,26 +3,26 @@ hpilo_cli -l "{{ management_user }}" -p '{{ management_pass }}' -j "{{ management_hostname }}" get_host_power_status delegate_to: localhost - become: no + become: false register: ilo_power_status - changed_when: no + changed_when: false - name: power off ilo server power state shell: > hpilo_cli -l "{{ management_user }}" -p '{{ management_pass }}' -y "{{ management_hostname }}" hold_pwr_btn delegate_to: localhost - become: no - when: "ilo_power_status.stdout != '\"OFF\"'" + become: false + when: 'ilo_power_status.stdout != ''"OFF"''' - name: wait until ilo server powers off shell: > hpilo_cli -l "{{ management_user }}" -p '{{ management_pass }}' -j "{{ management_hostname }}" get_host_power_status delegate_to: localhost - become: no + become: false register: ilo_power_status_wait - until: "ilo_power_status_wait.stdout == '\"OFF\"'" + until: 'ilo_power_status_wait.stdout == ''"OFF"''' retries: 25 - changed_when: no - when: "ilo_power_status.stdout != '\"OFF\"'" + changed_when: false + when: 'ilo_power_status.stdout != ''"OFF"''' diff --git a/app/roles/management/tasks/poweroff/kvm.yml b/app/roles/management/tasks/poweroff/kvm.yml index d7f65a9..524ed0c 100644 --- a/app/roles/management/tasks/poweroff/kvm.yml +++ b/app/roles/management/tasks/poweroff/kvm.yml @@ -3,4 +3,4 @@ name: "{{ inventory_hostname }}" state: destroyed delegate_to: "{{ management_hostname }}" - become: yes + become: true diff --git a/app/roles/management/tasks/poweron/ilo.yml b/app/roles/management/tasks/poweron/ilo.yml index 85bd3b1..2731ce6 100644 --- a/app/roles/management/tasks/poweron/ilo.yml +++ b/app/roles/management/tasks/poweron/ilo.yml 
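Review bot: All three `hpilo_cli` tasks pass `{{ management_pass }}` on the command line and none of them carries `no_log: true`, so the iLO password is written to verbose task output, callback plugins and the registered `ilo_power_status*` results (the `until` loop with 25 retries prints a result per attempt), and it is visible in `ps` on the controller for the duration of each call. Add `no_log: true` to each of the three tasks. The single-quoted `-p '{{ management_pass }}'` also breaks on, or is injected through, a password containing `'`; `-p {{ management_pass | quote }}` is the safe form.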
@@ -3,26 +3,26 @@ hpilo_cli -l "{{ management_user }}" -p '{{ management_pass }}' -j "{{ management_hostname }}" get_host_power_status delegate_to: localhost - become: no + become: false register: ilo_power_status - changed_when: no + changed_when: false - name: power on ilo server power state shell: > hpilo_cli -l "{{ management_user }}" -p '{{ management_pass }}' -y "{{ management_hostname }}" press_pwr_btn delegate_to: localhost - become: no - when: "ilo_power_status.stdout != '\"ON\"'" + become: false + when: 'ilo_power_status.stdout != ''"ON"''' - name: wait until ilo server powers on shell: > hpilo_cli -l "{{ management_user }}" -p '{{ management_pass }}' -j "{{ management_hostname }}" get_host_power_status delegate_to: localhost - become: no + become: false register: ilo_power_status_wait - until: "ilo_power_status_wait.stdout == '\"ON\"'" + until: 'ilo_power_status_wait.stdout == ''"ON"''' retries: 25 - changed_when: no - when: "ilo_power_status.stdout != '\"ON\"'" + changed_when: false + when: 'ilo_power_status.stdout != ''"ON"''' diff --git a/app/roles/management/tasks/poweron/kvm.yml b/app/roles/management/tasks/poweron/kvm.yml index fefaec1..4fc1634 100644 --- a/app/roles/management/tasks/poweron/kvm.yml +++ b/app/roles/management/tasks/poweron/kvm.yml @@ -3,4 +3,4 @@ name: "{{ inventory_hostname }}" state: running delegate_to: "{{ management_hostname }}" - become: yes + become: true diff --git a/app/roles/ntp-server/tasks/main.yaml b/app/roles/ntp-server/tasks/main.yaml index bf4ee76..2f955d5 100644 --- a/app/roles/ntp-server/tasks/main.yaml +++ b/app/roles/ntp-server/tasks/main.yaml @@ -8,7 +8,7 @@ path: /etc/chrony.conf line: allow {{ ntp_server_allowed }} regexp: '#*\s*allow' - firstmatch: yes + firstmatch: true when: ntp_server_allowed != omit notify: restart chronyd 
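Review bot: The iLO credential is interpolated into each `shell` line as `-p '{{ management_pass }}'` and no task in this hunk sets `no_log: true`, so the password lands in verbose output, callback logs and the registered `ilo_power_status` / `ilo_power_status_wait` results, which the `until` loop re-emits on every retry. Add `no_log: true` to the three tasks and render the password with `{{ management_pass | quote }}` so a quote character in it neither truncates the command nor lets the rest of the value be executed by the shell. Note that with `no_log` set, a failed comparison against `'"ON"'` will be harder to debug, so consider a separate debug task that prints only `ilo_power_status.stdout`.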
@@ -16,10 +16,10 @@ ansible.posix.firewalld: service: ntp state: enabled - permanent: yes + permanent: true - name: ensure chrony is running/enabled service: name: chronyd state: started - enabled: yes + enabled: true diff --git a/app/roles/ocp-reset-csrs/files/kubelet-bootstrap-cred-manager-ds.yaml b/app/roles/ocp-reset-csrs/files/kubelet-bootstrap-cred-manager-ds.yaml index 0300ab2..2c82786 100644 --- a/app/roles/ocp-reset-csrs/files/kubelet-bootstrap-cred-manager-ds.yaml +++ b/app/roles/ocp-reset-csrs/files/kubelet-bootstrap-cred-manager-ds.yaml 
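Review bot: The ntp firewalld task sets `permanent: true` but, unlike every other `ansible.posix.firewalld` task in this series, no `immediate: true`, so the NTP service is only opened after the next firewalld reload or reboot and clients cannot sync on the first run. Add `immediate: true` next to `permanent: true`. The task also specifies no `zone:`, so the rule goes to firewalld's default zone rather than `internal` as the dhcp/dns/tftp rules do; if the default zone is the external one this exposes NTP more widely than intended, so `zone: internal` is worth stating explicitly.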
@@ -16,73 +16,73 @@ spec: k8s-app: kubelet-bootstrap-cred-manager spec: containers: - - name: kubelet-bootstrap-cred-manager - image: quay.io/openshift/origin-cli:v4.0 - command: ['/bin/bash', '-ec'] - args: - - | - #!/bin/bash + - name: kubelet-bootstrap-cred-manager + image: quay.io/openshift/origin-cli:v4.0 + command: ["/bin/bash", "-ec"] + args: + - | + #!/bin/bash - set -eoux pipefail + set -eoux pipefail - while true; do - unset KUBECONFIG + while true; do + unset KUBECONFIG - echo "---------------------------------" - echo "Gather info..." - echo "---------------------------------" - # context - intapi=$(oc get infrastructures.config.openshift.io cluster -o "jsonpath={.status.apiServerInternalURI}") - context="$(oc --config=/etc/kubernetes/kubeconfig config current-context)" - # cluster - cluster="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.contexts[?(@.name==\"$context\")].context.cluster}")" - server="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.clusters[?(@.name==\"$cluster\")].cluster.server}")" - # token - ca_crt_data="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.ca\.crt}" | base64 --decode)" - namespace="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.namespace}" | base64 --decode)" - token="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.token}" | base64 --decode)" + echo "---------------------------------" + echo "Gather info..." 
+ echo "---------------------------------" + # context + intapi=$(oc get infrastructures.config.openshift.io cluster -o "jsonpath={.status.apiServerInternalURI}") + context="$(oc --config=/etc/kubernetes/kubeconfig config current-context)" + # cluster + cluster="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.contexts[?(@.name==\"$context\")].context.cluster}")" + server="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.clusters[?(@.name==\"$cluster\")].cluster.server}")" + # token + ca_crt_data="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.ca\.crt}" | base64 --decode)" + namespace="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.namespace}" | base64 --decode)" + token="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.token}" | base64 --decode)" - echo "---------------------------------" - echo "Generate kubeconfig" - echo "---------------------------------" + echo "---------------------------------" + echo "Generate kubeconfig" + echo "---------------------------------" - export KUBECONFIG="$(mktemp)" - kubectl config set-credentials "kubelet" --token="$token" >/dev/null - ca_crt="$(mktemp)"; echo "$ca_crt_data" > $ca_crt - kubectl config set-cluster $cluster --server="$intapi" --certificate-authority="$ca_crt" --embed-certs >/dev/null - kubectl config set-context kubelet --cluster="$cluster" --user="kubelet" >/dev/null - kubectl config use-context kubelet >/dev/null + export KUBECONFIG="$(mktemp)" + kubectl config set-credentials "kubelet" --token="$token" >/dev/null + ca_crt="$(mktemp)"; echo "$ca_crt_data" > $ca_crt + kubectl config set-cluster $cluster --server="$intapi" --certificate-authority="$ca_crt" --embed-certs >/dev/null + kubectl config set-context kubelet --cluster="$cluster" --user="kubelet" >/dev/null + kubectl config use-context kubelet >/dev/null - echo 
"---------------------------------" - echo "Print kubeconfig" - echo "---------------------------------" - cat "$KUBECONFIG" + echo "---------------------------------" + echo "Print kubeconfig" + echo "---------------------------------" + cat "$KUBECONFIG" - echo "---------------------------------" - echo "Whoami?" - echo "---------------------------------" - oc whoami - whoami + echo "---------------------------------" + echo "Whoami?" + echo "---------------------------------" + oc whoami + whoami - echo "---------------------------------" - echo "Moving to real kubeconfig" - echo "---------------------------------" - cp /etc/kubernetes/kubeconfig /etc/kubernetes/kubeconfig.prev - chown root:root ${KUBECONFIG} - chmod 0644 ${KUBECONFIG} - mv "${KUBECONFIG}" /etc/kubernetes/kubeconfig + echo "---------------------------------" + echo "Moving to real kubeconfig" + echo "---------------------------------" + cp /etc/kubernetes/kubeconfig /etc/kubernetes/kubeconfig.prev + chown root:root ${KUBECONFIG} + chmod 0644 ${KUBECONFIG} + mv "${KUBECONFIG}" /etc/kubernetes/kubeconfig - echo "---------------------------------" - echo "Sleep 60 seconds..." - echo "---------------------------------" - sleep 60 - done - securityContext: - privileged: true - runAsUser: 0 - volumeMounts: - - mountPath: /etc/kubernetes/ - name: kubelet-dir + echo "---------------------------------" + echo "Sleep 60 seconds..." + echo "---------------------------------" + sleep 60 + done + securityContext: + privileged: true + runAsUser: 0 + volumeMounts: + - mountPath: /etc/kubernetes/ + name: kubelet-dir nodeSelector: node-role.kubernetes.io/master: "" priorityClassName: "system-cluster-critical" 
@@ -90,17 +90,17 @@ spec: securityContext: runAsUser: 0 tolerations: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" - - key: "node.kubernetes.io/unreachable" - operator: "Exists" - effect: "NoExecute" - tolerationSeconds: 120 - - key: "node.kubernetes.io/not-ready" - operator: "Exists" - effect: "NoExecute" - tolerationSeconds: 120 + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node.kubernetes.io/unreachable" + operator: "Exists" + effect: "NoExecute" + tolerationSeconds: 120 + - key: "node.kubernetes.io/not-ready" + operator: "Exists" + effect: "NoExecute" + tolerationSeconds: 120 volumes: - hostPath: path: /etc/kubernetes/ diff --git a/app/roles/ocp-reset-csrs/tasks/main.yml b/app/roles/ocp-reset-csrs/tasks/main.yml index ff7f747..a749bd0 100644 --- a/app/roles/ocp-reset-csrs/tasks/main.yml +++ b/app/roles/ocp-reset-csrs/tasks/main.yml @@ -2,7 +2,7 @@ k8s: kubeconfig: /data/openshift-installer/auth/kubeconfig state: present - force: yes + force: true definition: apiVersion: apps/v1 kind: DaemonSet 
@@ -22,73 +22,73 @@ k8s-app: kubelet-bootstrap-cred-manager spec: containers: - - name: kubelet-bootstrap-cred-manager - image: quay.io/openshift/origin-cli:v4.0 - command: ['/bin/bash', '-ec'] - args: - - | - #!/bin/bash + - name: kubelet-bootstrap-cred-manager + image: quay.io/openshift/origin-cli:v4.0 + command: ["/bin/bash", "-ec"] + args: + - | + #!/bin/bash - set -eoux pipefail + set -eoux pipefail - while true; do - unset KUBECONFIG + while true; do + unset KUBECONFIG - echo "---------------------------------" - echo "Gather info..." - echo "---------------------------------" - # context - intapi=$(oc get infrastructures.config.openshift.io cluster -o "jsonpath={.status.apiServerInternalURI}") - context="$(oc --config=/etc/kubernetes/kubeconfig config current-context)" - # cluster - cluster="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.contexts[?(@.name==\"$context\")].context.cluster}")" - server="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.clusters[?(@.name==\"$cluster\")].cluster.server}")" - # token - ca_crt_data="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.ca\.crt}" | base64 --decode)" - namespace="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.namespace}" | base64 --decode)" - token="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.token}" | base64 --decode)" + echo "---------------------------------" + echo "Gather info..." 
+ echo "---------------------------------" + # context + intapi=$(oc get infrastructures.config.openshift.io cluster -o "jsonpath={.status.apiServerInternalURI}") + context="$(oc --config=/etc/kubernetes/kubeconfig config current-context)" + # cluster + cluster="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.contexts[?(@.name==\"$context\")].context.cluster}")" + server="$(oc --config=/etc/kubernetes/kubeconfig config view -o "jsonpath={.clusters[?(@.name==\"$cluster\")].cluster.server}")" + # token + ca_crt_data="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.ca\.crt}" | base64 --decode)" + namespace="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.namespace}" | base64 --decode)" + token="$(oc get secret -n openshift-machine-config-operator node-bootstrapper-token -o "jsonpath={.data.token}" | base64 --decode)" - echo "---------------------------------" - echo "Generate kubeconfig" - echo "---------------------------------" + echo "---------------------------------" + echo "Generate kubeconfig" + echo "---------------------------------" - export KUBECONFIG="$(mktemp)" - kubectl config set-credentials "kubelet" --token="$token" >/dev/null - ca_crt="$(mktemp)"; echo "$ca_crt_data" > $ca_crt - kubectl config set-cluster $cluster --server="$intapi" --certificate-authority="$ca_crt" --embed-certs >/dev/null - kubectl config set-context kubelet --cluster="$cluster" --user="kubelet" >/dev/null - kubectl config use-context kubelet >/dev/null + export KUBECONFIG="$(mktemp)" + kubectl config set-credentials "kubelet" --token="$token" >/dev/null + ca_crt="$(mktemp)"; echo "$ca_crt_data" > $ca_crt + kubectl config set-cluster $cluster --server="$intapi" --certificate-authority="$ca_crt" --embed-certs >/dev/null + kubectl config set-context kubelet --cluster="$cluster" --user="kubelet" >/dev/null + kubectl config use-context kubelet >/dev/null - echo 
"---------------------------------" - echo "Print kubeconfig" - echo "---------------------------------" - cat "$KUBECONFIG" + echo "---------------------------------" + echo "Print kubeconfig" + echo "---------------------------------" + cat "$KUBECONFIG" - echo "---------------------------------" - echo "Whoami?" - echo "---------------------------------" - oc whoami - whoami + echo "---------------------------------" + echo "Whoami?" + echo "---------------------------------" + oc whoami + whoami - echo "---------------------------------" - echo "Moving to real kubeconfig" - echo "---------------------------------" - cp /etc/kubernetes/kubeconfig /etc/kubernetes/kubeconfig.prev - chown root:root ${KUBECONFIG} - chmod 0644 ${KUBECONFIG} - mv "${KUBECONFIG}" /etc/kubernetes/kubeconfig + echo "---------------------------------" + echo "Moving to real kubeconfig" + echo "---------------------------------" + cp /etc/kubernetes/kubeconfig /etc/kubernetes/kubeconfig.prev + chown root:root ${KUBECONFIG} + chmod 0644 ${KUBECONFIG} + mv "${KUBECONFIG}" /etc/kubernetes/kubeconfig - echo "---------------------------------" - echo "Sleep 60 seconds..." - echo "---------------------------------" - sleep 60 - done - securityContext: - privileged: true - runAsUser: 0 - volumeMounts: - - mountPath: /etc/kubernetes/ - name: kubelet-dir + echo "---------------------------------" + echo "Sleep 60 seconds..." + echo "---------------------------------" + sleep 60 + done + securityContext: + privileged: true + runAsUser: 0 + volumeMounts: + - mountPath: /etc/kubernetes/ + name: kubelet-dir nodeSelector: node-role.kubernetes.io/master: "" priorityClassName: "system-cluster-critical" 
@@ -96,24 +96,24 @@ securityContext: runAsUser: 0 tolerations: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" - - key: "node.kubernetes.io/unreachable" - operator: "Exists" - effect: "NoExecute" - tolerationSeconds: 120 - - key: "node.kubernetes.io/not-ready" - operator: "Exists" - effect: "NoExecute" - tolerationSeconds: 120 + - key: "node-role.kubernetes.io/master" + operator: "Exists" + effect: "NoSchedule" + - key: "node.kubernetes.io/unreachable" + operator: "Exists" + effect: "NoExecute" + tolerationSeconds: 120 + - key: "node.kubernetes.io/not-ready" + operator: "Exists" + effect: "NoExecute" + tolerationSeconds: 120 volumes: - hostPath: path: /etc/kubernetes/ type: Directory name: kubelet-dir delegate_to: localhost - become: no + become: false - name: remove certificate signer authority certs k8s: @@ -126,7 +126,7 @@ - csr-signer-signer - csr-signer delegate_to: localhost - become: no + become: false - name: wait for operators to trigger repair pause: @@ -150,5 +150,5 @@ retries: 360 delay: 10 delegate_to: localhost - become: no - run_once: yes + become: false + run_once: true diff --git a/app/roles/openshift-installer/defaults/main.yml b/app/roles/openshift-installer/defaults/main.yml index 5756697..700eea6 100644 --- a/app/roles/openshift-installer/defaults/main.yml +++ b/app/roles/openshift-installer/defaults/main.yml 
@@ -6,15 +6,15 @@ openshift_installer_control_plane: [] openshift_installer_cluster_id: ocp openshift_installer_cluster_cidr: 10.128.0.0/14 openshift_installer_service_cidr: 172.30.0.0/16 -openshift_installer_fips_mode: False -openshift_installer_cache_disk: '' +openshift_installer_fips_mode: false +openshift_installer_cache_disk: "" openshift_installer_pull_secret: {} -openshift_installer_ssh_key: '' -openshift_installer_proxy: False -openshift_installer_proxy_http: '' -openshift_installer_proxy_https: '' -openshift_installer_proxy_noproxy: '' -openshift_installer_proxy_ca: '' +openshift_installer_ssh_key: "" +openshift_installer_proxy: false +openshift_installer_proxy_http: "" +openshift_installer_proxy_https: "" +openshift_installer_proxy_noproxy: "" +openshift_installer_proxy_ca: "" openshift_installer_tang_public_key: "" openshift_installer_tang_port: "80" openshift_installer_tang_server: "" diff --git a/app/roles/openshift-installer/tasks/main.yml b/app/roles/openshift-installer/tasks/main.yml index ab2d820..e44011d 100644 --- a/app/roles/openshift-installer/tasks/main.yml +++ b/app/roles/openshift-installer/tasks/main.yml 
@@ -9,20 +9,21 @@ url: "{{ openshift_installer_source }}" dest: "{{ openshift_installer_dir }}/openshift-installer.tar.gz" mode: 0644 - unsafe_writes: yes + unsafe_writes: true validate_certs: "{{ openshift_installer_proxy_ca == '' }}" register: pkg_download - name: extract openshift installer - shell: "tar xvzf '{{ openshift_installer_dir }}/openshift-installer.tar.gz' -C '{{ openshift_installer_dir }}'" + command: "tar xvzf '{{ openshift_installer_dir }}/openshift-installer.tar.gz' -C '{{ openshift_installer_dir }}'" args: - warn: no - when: pkg_download is changed + warn: false + when: pkg_download is changed # noqa no-handler - name: create cluster install config template: src: install-config.yaml.j2 dest: "{{ item }}" + mode: 0644 loop: - "{{ openshift_installer_dir }}/install-config.yaml" - "{{ openshift_installer_dir }}/install-config.yaml.bkp" @@ -40,7 +41,7 @@ - "{{ openshift_installer_dir }}/worker.ign" - "{{ openshift_installer_dir }}/auth" -- name: create installation manifests +- name: create installation manifests # noqa no-changed-when shell: > {{ openshift_installer_dir }}/openshift-install create manifests --dir={{ openshift_installer_dir }} @@ -49,17 +50,19 @@ template: src: 98-cache-disk.yaml.j2 dest: "{{ openshift_installer_dir }}/openshift/98-cache-disk.yaml" - when: "openshift_installer_cache_disk != ''" + mode: 0644 + when: openshift_installer_cache_disk|length > 0 - name: create disk encryption machine configs template: src: "{{ item }}.j2" dest: "{{ openshift_installer_dir }}/openshift/{{ item }}" + mode: 0644 with_items: - 99-openshift-master-tang-encryption.yaml - 99-openshift-worker-tang-encryption.yaml -- name: create ignition files +- name: create ignition files # noqa no-changed-when shell: > {{ openshift_installer_dir }}/openshift-install create ignition-configs --dir={{ openshift_installer_dir }} 
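Review bot: `mode: 0644` on "create cluster install config" makes `install-config.yaml` and its `.bkp` copy world-readable, and that file is rendered from `openshift_installer_pull_secret` and `openshift_installer_ssh_key` (the template itself is outside this diff), so the registry pull secret becomes readable by any local user; the lint fix here should be `mode: 0600`. The `get_url` task that begins above the hunk still sets `validate_certs` to false whenever a proxy CA is configured and passes no `checksum:`, so the tarball unpacked by the new `command: tar xvzf ...` line has not been authenticated at all — trust the proxy CA through the host trust store (or `ca_path` if the installed Ansible supports it) and pin a `checksum: sha256:...` for the installer download.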
diff --git a/app/roles/openshift-installer/templates/98-cache-disk.yaml.j2 b/app/roles/openshift-installer/templates/98-cache-disk.yaml.j2 index 6f5e002..badc83b 100644 --- a/app/roles/openshift-installer/templates/98-cache-disk.yaml.j2 +++ b/app/roles/openshift-installer/templates/98-cache-disk.yaml.j2 @@ -71,4 +71,3 @@ spec: What=/dev/mapper/var-lib-containers [Install] WantedBy=local-fs.target - diff --git a/app/roles/pxelinux-kickstarts/tasks/main.yml b/app/roles/pxelinux-kickstarts/tasks/main.yml index cdb390b..d9ed9f8 100644 --- a/app/roles/pxelinux-kickstarts/tasks/main.yml +++ b/app/roles/pxelinux-kickstarts/tasks/main.yml @@ -4,9 +4,9 @@ dest: "{{ item.dest }}" mode: "0644" loop: - - src: pxelinux.{{ pxelinux_kickstarts_profile}}.cfg.j2 + - src: pxelinux.{{ pxelinux_kickstarts_profile }}.cfg.j2 dest: "/var/lib/tftpboot/pxelinux.cfg/01-{{ mac_address | lower | regex_replace (':', '-') }}" - src: grub.{{ pxelinux_kickstarts_profile }}.cfg.j2 dest: "/var/lib/tftpboot/uefi/grub.cfg-01-{{ mac_address | lower | regex_replace (':', '-') }}" delegate_to: "{{ pxelinux_kickstarts_pxe_server }}" - become: yes + become: true diff --git a/app/roles/pxelinux-kickstarts/templates/pxelinux.install.cfg.j2 b/app/roles/pxelinux-kickstarts/templates/pxelinux.install.cfg.j2 index 9b3a03f..1245bae 100644 --- a/app/roles/pxelinux-kickstarts/templates/pxelinux.install.cfg.j2 +++ b/app/roles/pxelinux-kickstarts/templates/pxelinux.install.cfg.j2 @@ -26,4 +26,3 @@ PROMPT 0 LABEL rhcos_install KERNEL {{ kernel }} APPEND {{ ip }} rd.neednet=1 initrd={{ initrd }} nomodeset coreos.inst=yes coreos.inst.install_dev={{ disk }} coreos.live.rootfs_url={{ rootfs }} coreos.inst.ignition_url={{ ign }} - diff --git a/app/roles/pxelinux-kickstarts/templates/pxelinux.wipe.cfg.j2 b/app/roles/pxelinux-kickstarts/templates/pxelinux.wipe.cfg.j2 index ff1467b..b6ddcd7 100644 --- a/app/roles/pxelinux-kickstarts/templates/pxelinux.wipe.cfg.j2 
+++ b/app/roles/pxelinux-kickstarts/templates/pxelinux.wipe.cfg.j2 @@ -10,4 +10,3 @@ PROMPT 0 LABEL wipe_disks KERNEL {{ kernel }} APPEND ip=dhcp rd.neednet=1 initrd={{ initrd }} nomodeset coreos.live.rootfs_url={{ rootfs }} ignition.config.url={{ ign }} systemd.unified_cgroup_hierarchy=0 - diff --git a/app/roles/rhcos-images/defaults/main.yml b/app/roles/rhcos-images/defaults/main.yml index 7ce25c9..6e6267a 100644 --- a/app/roles/rhcos-images/defaults/main.yml +++ b/app/roles/rhcos-images/defaults/main.yml @@ -9,5 +9,5 @@ rhcos_images_master_ign: "" rhcos_images_worker_ign: "" rhcos_images_https_proxy: "" rhcos_images_http_proxy: "" -rhcos_images_https_validate: True +rhcos_images_https_validate: true rhcos_images_noproxy: "" diff --git a/app/roles/rhcos-images/tasks/main.yml b/app/roles/rhcos-images/tasks/main.yml index a229460..3042920 100644 --- a/app/roles/rhcos-images/tasks/main.yml +++ b/app/roles/rhcos-images/tasks/main.yml @@ -7,7 +7,7 @@ - name: download rhcos image checksums uri: url: "{{ rhcos_images_repo }}/sha256sum.txt" - return_content: yes + return_content: true validate_certs: "{{ rhcos_images_https_validate }}" environment: HTTP_PROXY: "{{ rhcos_images_http_proxy }}" diff --git a/app/roles/rhcos-images/templates/wipe.ign.j2 b/app/roles/rhcos-images/templates/wipe.ign.j2 index e22a1a0..77be9b1 100644 --- a/app/roles/rhcos-images/templates/wipe.ign.j2 +++ b/app/roles/rhcos-images/templates/wipe.ign.j2 @@ -12,4 +12,3 @@ ] } } - diff --git a/app/roles/router-hardening/tasks/main.yaml b/app/roles/router-hardening/tasks/main.yaml index 11e6caf..af202ff 100644 --- a/app/roles/router-hardening/tasks/main.yaml +++ b/app/roles/router-hardening/tasks/main.yaml 
@@ -1,12 +1,12 @@ - name: ensure the root user password is disabled user: name: root - password_lock: yes + password_lock: true - name: do not allow root ssh logins lineinfile: path: /etc/ssh/sshd_config line: PermitRootLogin no regexp: '#*\s*PermitRootLogin' - firstmatch: yes + firstmatch: true notify: restart sshd diff --git a/app/roles/router/handlers/main.yaml b/app/roles/router/handlers/main.yaml index d986018..7179755 100644 --- a/app/roles/router/handlers/main.yaml +++ b/app/roles/router/handlers/main.yaml @@ -2,7 +2,7 @@ command: sysctl -w net.ipv4.ip_forward=1 - name: restart faroswan - shell: nmcli con up faroswan + command: nmcli con up faroslan async: 120 poll: 5 diff --git a/app/roles/router/tasks/firewall.yaml b/app/roles/router/tasks/firewall.yaml index 3de24e4..280d364 100644 --- a/app/roles/router/tasks/firewall.yaml +++ b/app/roles/router/tasks/firewall.yaml 
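Review bot: The `regexp: '#*\s*PermitRootLogin'` on the `do not allow root ssh logins` task is unanchored, so with `firstmatch: true` the first line that merely mentions the keyword (an explanatory comment, for instance) can be rewritten instead of the directive itself. Anchoring it, `regexp: '^\s*#?\s*PermitRootLogin\b'`, keeps the replacement on a real directive line. Because the task notifies `restart sshd`, adding `validate: '/usr/sbin/sshd -t -f %s'` would also reject a malformed file before the restart rather than after it, when the host may already be unreachable.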
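Review bot: The `restart faroswan` handler now runs `command: nmcli con up faroslan`, which reintroduces the typo that the first patch in this series (fix for #161) corrected, so the handler brings up the LAN connection instead of the WAN one. The `shell`→`command` conversion is fine, but the argument should stay `command: nmcli con up faroswan`. The diffstat of patch 05 touches this file again, which may be where it gets corrected, but the regression lands in this commit.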
@@ -3,16 +3,16 @@ router_ingress_routing: '{{ "External to Internal Routing - DANGER" in allowed_services }}' - name: calculate desired firewall state set_fact: - router_ext_masq: 'yes' - router_int_masq: 'no' - router_external_target: '{% if router_ingress_routing %}default{% else %}DROP{% endif %}' - router_internal_target: 'ACCEPT' + router_ext_masq: "yes" + router_int_masq: "no" + router_external_target: "{% if router_ingress_routing %}default{% else %}DROP{% endif %}" + router_internal_target: "ACCEPT" router_ingress_ssh: '{% if "SSH to Bastion" in allowed_services %}enabled{% else %}disabled{% endif %}' router_ingress_cockpit: '{% if "HTTPS to Cockpit Panel" in allowed_services %}enabled{% else %}disabled{% endif %}' router_ingress_api: '{% if router_ingress_routing and "HTTPS to Cluster API" in allowed_services %}enabled{% else %}disabled{% endif %}' router_ingress_http: '{% if router_ingress_routing and "HTTPS to Cluster Apps" in allowed_services %}enabled{% else %}disabled{% endif %}' router_ingress_https: '{% if router_ingress_routing and "HTTPS to Cluster Apps" in allowed_services %}enabled{% else %}disabled{% endif %}' - router_ingress_target: '{% if router_ingress_routing %}default{% else %}DROP{% endif %}' + router_ingress_target: "{% if router_ingress_routing %}default{% else %}DROP{% endif %}" router_forward_api: '{{ not router_ingress_routing and "HTTPS to Cluster API" in allowed_services }}' router_forward_http: '{{ not router_ingress_routing and "HTTP to Cluster Apps" in allowed_services }}' router_forward_https: '{{ not router_ingress_routing and "HTTPS to Cluster Apps" in allowed_services }}' 
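Review bot: In the `calculate desired firewall state` facts, `router_ingress_http` is keyed on `"HTTPS to Cluster Apps"` while its counterpart `router_forward_http` is keyed on `"HTTP to Cluster Apps"`; every other ingress/forward pair uses matching service names, so this looks like a copy-paste slip the quoting cleanup left in place. The effect is that the `configure http to cluster apps NAT` task opens 80/tcp on the external zone whenever HTTPS apps are allowed, even if plain HTTP was not selected. `router_ingress_http: '{% if router_ingress_routing and "HTTP to Cluster Apps" in allowed_services %}enabled{% else %}disabled{% endif %}'` restores the intended mapping.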
@@ -21,45 +21,45 @@ service: name: firewalld state: started - enabled: yes + enabled: true - name: query current external firewall state command: firewall-cmd --zone=external --permanent --get-target register: router_external_target_current - changed_when: no + changed_when: false - name: query current internal firewall state command: firewall-cmd --zone=internal --permanent --get-target register: router_internal_target_current - changed_when: no + changed_when: false # MASQUERADING - name: ensure masquerading is enabled ansible.posix.firewalld: zone: "external" - masquerade: '{{ router_ext_masq }}' - permanent: yes - immediate: yes + masquerade: "{{ router_ext_masq }}" + permanent: true + immediate: true state: enabled - name: ensure internal masquerading is configured ansible.posix.firewalld: zone: "internal" - masquerade: '{{ router_int_masq }}' - permanent: yes - immediate: yes + masquerade: "{{ router_int_masq }}" + permanent: true + immediate: true state: enabled # DEFAULT ACTION / PACKET FORWARDING ACTION - name: configure the external default target command: "firewall-cmd --zone=external --permanent --set-target={{ router_external_target }}" - changed_when: yes + changed_when: true when: router_external_target != router_external_target_current.stdout - name: configure the internal default target command: "firewall-cmd --zone=internal --permanent --set-target={{ router_internal_target }}" - changed_when: yes + changed_when: true when: router_internal_target != router_internal_target_current.stdout - name: reload firewall with new default external target command: "firewall-cmd --reload" - changed_when: yes + changed_when: true when: > router_external_target != router_external_target_current.stdout or router_internal_target != router_internal_target_current.stdout 
@@ -69,52 +69,52 @@ ansible.posix.firewalld: zone: external service: ssh - permanent: yes - immediate: yes - state: '{{ router_ingress_ssh }}' + permanent: true + immediate: true + state: "{{ router_ingress_ssh }}" - name: configure ingress https to cockpit ansible.posix.firewalld: zone: external service: cockpit - permanent: yes - immediate: yes - state: '{{ router_ingress_cockpit }}' + permanent: true + immediate: true + state: "{{ router_ingress_cockpit }}" # INGRESS SERVICES - NAT - name: configure https to cluster api NAT ansible.posix.firewalld: zone: "external" port: 6443/tcp - permanent: yes - immediate: yes - state: '{{ router_ingress_api }}' + permanent: true + immediate: true + state: "{{ router_ingress_api }}" - name: configure https to cluster apps NAT ansible.posix.firewalld: zone: "external" port: 443/tcp - permanent: yes - immediate: yes - state: '{{ router_ingress_https }}' + permanent: true + immediate: true + state: "{{ router_ingress_https }}" - name: configure http to cluster apps NAT ansible.posix.firewalld: zone: "external" port: 80/tcp - permanent: yes - immediate: yes - state: '{{ router_ingress_http }}' + permanent: true + immediate: true + state: "{{ router_ingress_http }}" # INGRESS SERVICES - PAT - name: configure port forward ansible.posix.firewalld: zone: external - permanent: yes - immediate: yes + permanent: true + immediate: true state: "{% if item.exist %}enabled{% else %}disabled{% endif %}" port_forward: - - port: "{{ item.port }}" - proto: tcp - toaddr: "{{ router_loadbalancer }}" - toport: "{{ item.port }}" + - port: "{{ item.port }}" + proto: tcp + toaddr: "{{ router_loadbalancer }}" + toport: "{{ item.port }}" loop: - name: ingress https to cluster api port: 6443 diff --git a/app/roles/router/tasks/lan_config.yaml b/app/roles/router/tasks/lan_config.yaml index 5c4c3f1..4760433 100644 --- a/app/roles/router/tasks/lan_config.yaml +++ b/app/roles/router/tasks/lan_config.yaml 
@@ -1,7 +1,9 @@ - name: check for lan bridge - shell: nmcli con sh faroslan | grep -v 802-3 - changed_when: no - failed_when: no + shell: | + set -o pipefail + nmcli con sh faroslan | grep -v 802-3 + changed_when: false + failed_when: false register: br_check - name: parse bridge settings @@ -21,10 +23,12 @@ notify: restart faroslan - name: check interfaces for bridge membership - shell: nmcli con sh faroslan-{{ item }} | grep -v 802-3 + shell: | + set -o pipefail + nmcli con sh faroslan-{{ item }} | grep -v 802-3 loop: "{{ router_all_interfaces }}" - changed_when: no - failed_when: no + changed_when: false + failed_when: false register: member_check - name: add interfaces to the lan bridge @@ -39,21 +43,21 @@ label: "{{ item.item }}" when: - item.item is in router_lan_interfaces - - item.stdout == "" + - item.stdout|length == 0 notify: restart faroslan - name: remove interfaces from the lan bridge - shell: nmcli con del faroslan-{{ item.item }} + command: nmcli con del faroslan-{{ item.item }} loop: "{{ member_check.results }}" loop_control: label: "{{ item.item }}" when: - item.item is not in router_lan_interfaces - - item.stdout != "" + - item.stdout|length > 0 notify: restart faroslan - name: verify faroslan configuration - shell: nmcli con mod faroslan "{{ item.key }}" "{{ item.target }}" + command: nmcli con mod faroslan "{{ item.key }}" "{{ item.target }}" loop: - key: ipv4.method target: manual diff --git a/app/roles/router/tasks/main.yaml b/app/roles/router/tasks/main.yaml index a4ac145..7aeec21 100644 --- a/app/roles/router/tasks/main.yaml +++ b/app/roles/router/tasks/main.yaml @@ -2,7 +2,8 @@ lineinfile: path: /etc/sysctl.d/99-faros.conf line: net.ipv4.ip_forwarding = 1 - create: yes + create: true + mode: 0644 notify: enable ip forwarding - import_tasks: wan_config.yaml diff --git a/app/roles/router/tasks/wan_config.yaml b/app/roles/router/tasks/wan_config.yaml index 54a8680..ad507e2 100644 --- a/app/roles/router/tasks/wan_config.yaml 
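Review bot: The `set -o pipefail` added to `check for lan bridge` only works when the `shell` module's interpreter is bash; the module defaults to `/bin/sh`, and under a POSIX shell that does not support the option `set` fails as a special builtin, the script stops before `nmcli` runs, and `failed_when: false` then hides it so `br_check` comes back empty. On RHEL `/bin/sh` is bash and this works today, but the dependency should be explicit with `args:` / `  executable: /bin/bash` on the task. The same applies to `check interfaces for bridge membership` in the next hunk, to `get wan settings` in wan_config.yaml, and to the two `shell: |` tasks in tang/tasks/main.yaml further down.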
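Review bot: The `lineinfile` task writes `net.ipv4.ip_forwarding = 1` to /etc/sysctl.d/99-faros.conf, but the kernel parameter is `net.ipv4.ip_forward` (the name the `enable ip forwarding` handler in router/handlers/main.yaml uses with `sysctl -w`), so the persisted entry is ignored at boot and forwarding only lasts until the next reboot. `line: net.ipv4.ip_forward = 1` fixes the persisted setting; pairing it with `regexp: '^net\.ipv4\.ip_forward'` lets the task replace the bad line on hosts that already have it. The added `mode: 0644` works but is clearer quoted as `mode: "0644"`, as the pxelinux task in this same commit does.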
+++ b/app/roles/router/tasks/wan_config.yaml @@ -1,5 +1,5 @@ - name: get wan interface status - shell: nmcli dev sh {{ router_wan_interface }} + command: nmcli dev sh {{ router_wan_interface }} changed_when: false register: wan_int_raw @@ -8,9 +8,11 @@ wan_int_facts: "{{ wan_int_raw.stdout | from_yaml }}" - name: get wan settings - shell: nmcli con sh "{{ wan_int_facts['GENERAL.CONNECTION'] }}" | grep -v 802-3 - changed_when: no - failed_when: no + shell: | + set -o pipefail + nmcli con sh "{{ wan_int_facts['GENERAL.CONNECTION'] }}" | grep -v 802-3 + changed_when: false + failed_when: false register: wan_check - name: parse wan settings @@ -18,14 +20,14 @@ wan_facts: "{{ wan_check.stdout | from_yaml }}" - name: verify wan configuration - shell: nmcli con mod "{{ wan_int_facts['GENERAL.CONNECTION'] }}" "{{ item.key }}" "{{ item.target }}" + command: nmcli con mod "{{ wan_int_facts['GENERAL.CONNECTION'] }}" "{{ item.key }}" "{{ item.target }}" loop: - key: connection.zone target: external - key: ipv4.dns target: "{{ ','.join(['127.0.0.1'] + router_dns_forwarders) }}" - key: ipv4.ignore-auto-dns - target: yes + target: true - key: connection.id target: faroswan when: diff --git a/app/roles/tang/tasks/main.yaml b/app/roles/tang/tasks/main.yaml index abe8807..91b6507 100644 --- a/app/roles/tang/tasks/main.yaml +++ b/app/roles/tang/tasks/main.yaml @@ -21,15 +21,19 @@ service: name: tangd.socket state: started - enabled: yes + enabled: true - name: check if tang keys exist - shell: "ls /var/db/tang | wc -l" + shell: | + set -o pipefail + ls /var/db/tang | wc -l register: key_check - changed_when: no + changed_when: false - name: force tang to generate new keys - shell: "echo 'test' | clevis-encrypt-tang '{\"url\":\"http://localhost:{{ tang_port }}\"}' -y" + shell: | + set -o pipefail + echo 'test' | clevis-encrypt-tang '{"url":"http://localhost:{{ tang_port }}"}' -y when: "key_check.stdout|int == 0" - name: gather tang public key 
@@ -38,9 +42,9 @@ - tang-show-keys - "{{ tang_port }}" register: key_lkp - changed_when: no + changed_when: false - name: save tang public key set_fact: tang_key: "{{ key_lkp.stdout }}" - changed_when: no + changed_when: false diff --git a/app/roles/virtual-machine/tasks/main.yml b/app/roles/virtual-machine/tasks/main.yml index cdcf596..222dd77 100644 --- a/app/roles/virtual-machine/tasks/main.yml +++ b/app/roles/virtual-machine/tasks/main.yml @@ -3,7 +3,7 @@ command: list_vms register: all_vms delegate_to: "{{ virtual_machine_hypervisor }}" - become: yes + become: true - name: create virtual machine shell: > @@ -20,7 +20,7 @@ --check disk_size=off when: inventory_hostname not in all_vms.list_vms delegate_to: "{{ virtual_machine_hypervisor }}" - become: yes + become: true # Haswell CPU specification fixes some bug in kvm where it might not like # the EL8000 CPUs. Or something. I don't know, I'm tired and it works. diff --git a/app/roles/vm-gather-facts/tasks/main.yml b/app/roles/vm-gather-facts/tasks/main.yml index c1a3995..f1ecf20 100644 --- a/app/roles/vm-gather-facts/tasks/main.yml +++ b/app/roles/vm-gather-facts/tasks/main.yml @@ -1,12 +1,13 @@ - name: lookup kvm mac adress shell: > + set -o pipefail virsh domiflist --domain {{ inventory_hostname }} | tail -n2 | awk '{ print $5 }' delegate_to: "{{ hypervisor }}" - become: yes + become: true register: dommac_lkp - changed_when: no + changed_when: false - name: save mac address set_fact: From 5544fe2ea9daa8a751f512eca9ce3a34db532fee Mon Sep 17 00:00:00 2001 
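Review bot: `set -o pipefail` was inserted as a new line inside the folded (`>`) scalar of `lookup kvm mac adress`, and folding joins lines with spaces, so the command becomes `set -o pipefail virsh domiflist ...` — `set` consumes the rest as positional parameters and `virsh` never runs (unless the continuation lines are indented deeper, which this diff cannot show). With `tail`/`awk` reading empty input the task still exits 0, so the following `save mac address` task would record an empty MAC rather than fail. Terminating the statement, `set -o pipefail;`, as apply.yml in patch 05 does, or switching the block to `|` keeps the two commands separate.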
From: Ryan Kraus Date: Mon, 2 Aug 2021 16:36:24 -0400 Subject: [PATCH 03/12] Added retries to oc debug commands while deploying storage. Sometimes clusters don't seem to like making so many debug pods with the same name. This should help reduce failures. --- .../deploy.d/container-storage/gather-facts.yml | 3 +++ .../deploy.d/container-storage/local-storage.yml | 3 +++ app/playbooks/deploy.d/wipefs/gather-facts.yml | 3 +++ app/playbooks/deploy.d/wipefs/wipe-host.yml | 15 +++++++++++++++ 4 files changed, 24 insertions(+) diff --git a/app/playbooks/deploy.d/container-storage/gather-facts.yml b/app/playbooks/deploy.d/container-storage/gather-facts.yml index 22fbe0b..fcd9a63 100644 --- a/app/playbooks/deploy.d/container-storage/gather-facts.yml +++ b/app/playbooks/deploy.d/container-storage/gather-facts.yml @@ -14,6 +14,9 @@ register: cluster_drives ignore_errors: true changed_when: false + retries: 10 + delay: 1 + until: cluster_drives is success - name: save discovered hosts set_stats: diff --git a/app/playbooks/deploy.d/container-storage/local-storage.yml b/app/playbooks/deploy.d/container-storage/local-storage.yml index c96464a..1233fc2 100644 --- a/app/playbooks/deploy.d/container-storage/local-storage.yml +++ b/app/playbooks/deploy.d/container-storage/local-storage.yml @@ -9,6 +9,9 @@ loop: "{{ stg_drives | json_query('[*].host') }}" register: drive_id_lkp changed_when: false + retries: 10 + delay: 1 + until: cluster_drives is success - name: save storage node drive id paths set_fact: diff --git a/app/playbooks/deploy.d/wipefs/gather-facts.yml b/app/playbooks/deploy.d/wipefs/gather-facts.yml index 22fbe0b..fcd9a63 100644 --- a/app/playbooks/deploy.d/wipefs/gather-facts.yml +++ b/app/playbooks/deploy.d/wipefs/gather-facts.yml @@ -14,6 +14,9 @@ register: cluster_drives ignore_errors: true changed_when: false + retries: 10 + delay: 1 + until: cluster_drives is success - name: save discovered hosts set_stats: 
diff --git a/app/playbooks/deploy.d/wipefs/wipe-host.yml b/app/playbooks/deploy.d/wipefs/wipe-host.yml index 2190988..c399306 100644 --- a/app/playbooks/deploy.d/wipefs/wipe-host.yml +++ b/app/playbooks/deploy.d/wipefs/wipe-host.yml @@ -4,25 +4,40 @@ register: vgs changed_when: false ignore_errors: true + retries: 10 + delay: 1 + until: cluster_drives is success - name: delete associated vgs shell: "oc debug -n default node/{{ outer.host }} -- chroot /host vgremove --force --noudevsync '{{ item.stdout }}'" changed_when: true when: item.stdout != "" loop: "{{ vgs.results }}" + retries: 10 + delay: 1 + until: cluster_drives is success - name: remove pvs shell: "oc debug -n default node/{{ outer.host }} -- chroot /host pvremove '/dev/{{ item }}'" loop: "{{ outer.drives }}" changed_when: true ignore_errors: true + retries: 10 + delay: 1 + until: cluster_drives is success - name: wipe filesystem shell: "oc debug -n default node/{{ outer.host }} -- chroot /host wipefs -a '/dev/{{ item }}'" loop: "{{ outer.drives }}" changed_when: true + retries: 10 + delay: 1 + until: cluster_drives is success - name: clear GPT and MBR structures shell: "oc debug -n default node/{{ outer.host }} -- chroot /host sgdisk --zap-all '/dev/{{ item }}'" loop: "{{ outer.drives }}" changed_when: true + retries: 10 + delay: 1 + until: cluster_drives is success From 2c902ef1d96803ddcd4780488f3c3bcc6747e3c1 Mon Sep 17 00:00:00 2001 From: Ryan Kraus Date: Mon, 2 Aug 2021 16:58:11 -0400 Subject: [PATCH 04/12] Fixed some typos retrying failed oc debug commands. --- .../deploy.d/container-storage/local-storage.yml | 2 +- app/playbooks/deploy.d/wipefs/wipe-host.yml | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/app/playbooks/deploy.d/container-storage/local-storage.yml b/app/playbooks/deploy.d/container-storage/local-storage.yml index 1233fc2..f6fcdd1 100644 --- a/app/playbooks/deploy.d/container-storage/local-storage.yml 
+++ b/app/playbooks/deploy.d/container-storage/local-storage.yml @@ -11,7 +11,7 @@ changed_when: false retries: 10 delay: 1 - until: cluster_drives is success + until: drive_id_lkp is success - name: save storage node drive id paths set_fact: diff --git a/app/playbooks/deploy.d/wipefs/wipe-host.yml b/app/playbooks/deploy.d/wipefs/wipe-host.yml index c399306..dfc31bf 100644 --- a/app/playbooks/deploy.d/wipefs/wipe-host.yml +++ b/app/playbooks/deploy.d/wipefs/wipe-host.yml @@ -6,38 +6,38 @@ ignore_errors: true retries: 10 delay: 1 - until: cluster_drives is success + until: vgs is success - name: delete associated vgs shell: "oc debug -n default node/{{ outer.host }} -- chroot /host vgremove --force --noudevsync '{{ item.stdout }}'" changed_when: true when: item.stdout != "" loop: "{{ vgs.results }}" + register: vg_delete retries: 10 delay: 1 - until: cluster_drives is success + until: vg_delete is success - name: remove pvs shell: "oc debug -n default node/{{ outer.host }} -- chroot /host pvremove '/dev/{{ item }}'" loop: "{{ outer.drives }}" changed_when: true ignore_errors: true - retries: 10 - delay: 1 - until: cluster_drives is success - name: wipe filesystem shell: "oc debug -n default node/{{ outer.host }} -- chroot /host wipefs -a '/dev/{{ item }}'" loop: "{{ outer.drives }}" changed_when: true + register: wipefs retries: 10 delay: 1 - until: cluster_drives is success + until: wipefs is success - name: clear GPT and MBR structures shell: "oc debug -n default node/{{ outer.host }} -- chroot /host sgdisk --zap-all '/dev/{{ item }}'" loop: "{{ outer.drives }}" changed_when: true + register: sgdisk retries: 10 delay: 1 - until: cluster_drives is success + until: sgdisk is success From e5929fe8a2aee096e2969559f98c864f4a7a206d Mon Sep 17 00:00:00 2001 
From: Ryan Kraus Date: Mon, 9 Aug 2021 12:43:25 -0400 Subject: [PATCH 05/12] Guest node management on bastion (#163) * Added config options for configuring the bastion node guest VM. Also fixed a bug that was revealed in conftui with CheckParameters * Added code to configure host devices on virtual machines. * Added custom memory/CPU counts and drive mapping to guest VM. * Nothing changes during drive mapping check. * Updated script for fetching VM facts. * Allow VM cpu/ram to be modified on the fly. * Updated vm management to read virsh_name variable. * Added playbook to manage application nodes. * Fixed issue with updating vcpu counts on virtual machines. * Updates to container-storage and nvidia-drivers to work with virtual node. * Updates to container storage to enable using with guest node. * Added storage cluster template. * Minor QA bug fixes --- Dockerfile | 2 +- app/inventory.py | 25 ++++++- app/lib/python/conftui.py | 11 ++- app/playbooks/apply.d/app-nodes/apply.yml | 69 +++++++++++++++++++ .../apply.d/app-nodes/approve-csrs.yml | 46 +++++++++++++ app/playbooks/apply.d/app-nodes/main.sh | 5 ++ app/playbooks/config.d/cluster/config.py | 25 ++++++- app/playbooks/create.d/machines/create.yml | 9 ++- .../container-storage/container-storage.yml | 30 +------- .../container-storage/local-storage.yml | 7 +- .../deploy.d/container-storage/main.sh | 2 +- .../ocs-storagecluster.yml.j2 | 28 ++++++++ .../nvidia-drivers/nvidia-drivers.yml | 60 ---------------- app/playbooks/util_vm_facts.yml | 3 +- app/roles/cockpit-links/handlers/main.yml | 1 - app/roles/management/tasks/netboot/kvm.yml | 14 ++-- app/roles/management/tasks/poweroff/kvm.yml | 2 +- app/roles/router/handlers/main.yaml | 2 +- app/roles/virtual-machine/defaults/main.yml | 4 ++ .../virtual-machine/tasks/host_devices.yml | 38 ++++++++++ .../virtual-machine/tasks/host_drives.yml | 26 +++++++ app/roles/virtual-machine/tasks/main.yml | 56 ++++++++++++++- app/roles/virtual-machine/templates/asdf | 0 
.../virtual-machine/templates/hostdev.xml.j2 | 6 ++ app/roles/vm-gather-facts/defaults/main.yml | 1 + app/roles/vm-gather-facts/tasks/main.yml | 21 ++++-- app/versions.ini | 2 +- devel.env | 4 +- 28 files changed, 377 insertions(+), 122 deletions(-) create mode 100755 app/playbooks/apply.d/app-nodes/apply.yml create mode 100755 app/playbooks/apply.d/app-nodes/approve-csrs.yml create mode 100755 app/playbooks/apply.d/app-nodes/main.sh create mode 100644 app/playbooks/deploy.d/container-storage/ocs-storagecluster.yml.j2 create mode 100644 app/roles/virtual-machine/tasks/host_devices.yml create mode 100644 app/roles/virtual-machine/tasks/host_drives.yml delete mode 100644 app/roles/virtual-machine/templates/asdf create mode 100644 app/roles/virtual-machine/templates/hostdev.xml.j2 diff --git a/Dockerfile b/Dockerfile index c3c8a6b..0ebcc68 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ RUN rpm -i /app/tmp/ilorest-3.0.1-7.x86_64.rpm; \ chmod -Rv g-rwx /root/.ssh; chmod -Rv o-rwx /root/.ssh; \ rm -rf /app/tmp; \ cd /usr/local/bin; \ - curl https://mirror.openshift.com/pub/openshift-v4/clients/ocp/latest/openshift-client-linux.tar.gz | tar xvzf -; \ + curl https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-4.7/openshift-client-linux.tar.gz | tar xvzf -; \ curl https://raw.githubusercontent.com/project-faros/farosctl/master/bin/farosctl > farosctl; \ chmod 755 farosctl; diff --git a/app/inventory.py b/app/inventory.py index c5566c8..3a4b01c 100755 --- a/app/inventory.py +++ b/app/inventory.py @@ -5,6 +5,7 @@ import ipaddress import json import os +import re import sys import pickle @@ -271,7 +272,9 @@ def main(config, ipam, inv): cluster.add_host('bootstrap', ip, ansible_ssh_user='core', node_role='bootstrap', - cluster_nic='') + cluster_nic='', + vnc_port=5901, + virsh_name='bootstrap') # CLUSTER CONTROL PLANE NODES cp = cluster.add_group('control_plane', node_role='master') node_defs = json.loads(config['CP_NODES']) 
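Review bot: The `curl ... | tar xvzf -` on the now-pinned stable-4.7 `openshift-client-linux.tar.gz` still extracts whatever the mirror returns, with no integrity check and no `--fail`, so an HTTP error page or a tampered archive is unpacked into /usr/local/bin just the same. The mirror directory publishes a `sha256sum.txt` next to the tarball — the same filename this repo already consumes for RHCOS images in rhcos-images/tasks/main.yml — so downloading the archive to a file and running `sha256sum -c` against it before extracting would close this. The unverified `farosctl` fetched from raw.githubusercontent.com on the next line has the same gap.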
@@ -287,6 +290,24 @@ def main(config, ipam, inv): cluster_nic=node.get('nic', '')) if node.get('install_drive').strip(): cp.host(node['name'])['install_disk'] = node['install_drive'] + # CLUSTER VIRTUAL APP NODE + app = cluster.add_group('app_nodes', node_role='worker') + if config['GUEST'] == "True": + assert config['GUEST_NAME'], "A name must be defined for the guest node." + guest_devices = [ + dict(zip( + ['domain', 'bus', 'slot', 'function'], + re.split('\W', item))) + for item in json.loads(config['GUEST_HOSTDEVS'])] + app.add_host(config['GUEST_NAME'], ipam[config['GUEST_NAME']], + ansible_ssh_user='core', + cluster_nic='enp1s0', + guest_cores=int(config['GUEST_CORES']), + guest_mem=int(config['GUEST_MEM']) * 1024, + guest_drives=json.loads(config['GUEST_DRIVES']), + guest_devices=guest_devices, + virsh_name='guest_node', + vnc_port=5902) # VIRTUAL NODES virt = inv.add_group('virtual', @@ -294,6 +315,8 @@ def main(config, ipam, inv): mgmt_hostname='bastion', install_disk='vda') virt.add_host('bootstrap') + if config['GUEST'] == "True": + virt.add_host(config['GUEST_NAME']) # MGMT INTERFACES mgmt = inv.add_group('management', diff --git a/app/lib/python/conftui.py b/app/lib/python/conftui.py index 2783a34..a7d925f 100644 --- a/app/lib/python/conftui.py +++ b/app/lib/python/conftui.py @@ -122,7 +122,7 @@ class CheckParameter(Parameter): def __init__(self, name, prompt, choices): self._name = name - self._value = json.loads(os.environ.get(self._name, '')) + self._value = json.loads(os.environ.get(self._name, '[]')) self._prompt = prompt self._choices = choices self._choices = [{'name': f'{choice}', 
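Review bot: `re.split('\W', item)` in the new guest-device block uses a non-raw pattern, which already triggers an invalid-escape warning and is slated to become an error in later Python versions; write it `re.split(r'\W', item)`. `dict(zip(['domain', 'bus', 'slot', 'function'], ...))` also silently truncates or drops fields when a `GUEST_HOSTDEVS` entry does not split into exactly four parts, so a malformed entry becomes a partial dict instead of an error. The `assert config['GUEST_NAME']` guard is stripped under `python -O`; `raise ValueError("A name must be defined for the guest node.")` keeps the check unconditional.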
@@ -147,9 +147,16 @@ def to_bash(self): class StaticParameter(Parameter): - def __init__(self, name, prompt, value): + def __init__(self, name, prompt, value, save_output=None): super().__init__(name, prompt, 'Static Value') self._value = value + self._out = save_output + + def to_bash(self): + if self._out: + return "export {}={}".format(self.name, self._out) + else: + return super().to_bash() class ListDictParameter(Parameter): diff --git a/app/playbooks/apply.d/app-nodes/apply.yml b/app/playbooks/apply.d/app-nodes/apply.yml new file mode 100755 index 0000000..eaccdc3 --- /dev/null +++ b/app/playbooks/apply.d/app-nodes/apply.yml 
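Review bot: Defaulting `os.environ.get(self._name, '[]')` only covers an unset variable; a variable that is set but empty (what `export NAME=` produces) still reaches `json.loads('')` and raises the same error the commit set out to fix. `json.loads(os.environ.get(self._name) or '[]')` handles both cases. The rest of `CheckParameter` is outside this hunk.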
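Review bot: The new `StaticParameter.to_bash` emits `export NAME=VALUE` with `self._out` unquoted, so any `save_output` containing whitespace, quotes or glob characters would be split or expanded by the shell that sources it; today's only caller passes `'[]'`, which happens to survive, but the method is generic. `return "export {}={}".format(self.name, shlex.quote(self._out))` keeps the value intact (`shlex` is stdlib and would need an import at the top of the file, outside this hunk). The `else` after the `return` can also be dropped.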
@@ -0,0 +1,69 @@ +#!/usr/bin/env ansible-playbook + +- import_playbook: /app/playbooks/util_vm_facts.yml + +- name: Add app nodes to the cluster + hosts: localhost + gather_facts: false + become: false + + tasks: + - name: lookup node object + shell: > + set -o pipefail; + oc get node {{ item }}.{{ cluster_name }}.{{ cluster_domain }} -o json | + jq -r '.status.conditions[] | select(.reason=="KubeletReady").status' + ignore_errors: true + register: node_ready + with_inventory_hostnames: + - app_nodes + changed_when: false + + - name: group new app nodes together + add_host: + name: "{{ item }}" + groups: new_app_nodes + with_items: "{{ node_ready | json_query('results[?failed].item') }}" + changed_when: false + +- name: create new application nodes + hosts: new_app_nodes + gather_facts: no + become: no + + roles: + - name: pxelinux-kickstarts + pxelinux_kickstarts_pxe_server: "{{ groups.bastion_hosts.0 }}" + pxelinux_kickstarts_content_server: "http://{{ hostvars[groups.bastion_hosts.0].ansible_host }}:8081" + pxelinux_kickstarts_host_role: "{{ node_role }}" + pxelinux_kickstarts_install_disk: "{{ install_disk }}" + pxelinux_kickstarts_network_gateway: "{{ hostvars.lan.ansible_host }}" + pxelinux_kickstarts_network_cidr: "{{ subnet_mask }}" + pxelinux_kickstarts_network_nic: "{{ cluster_nic }}" + + post_tasks: + - include_role: + name: management + defaults_from: main.yml + tasks_from: "netboot/{{ mgmt_provider }}.yml" + vars_from: "{{ mgmt_provider }}.yml" + handlers_from: "{{ mgmt_provider }}.yml" + vars: + management_hostname: "{{ mgmt_hostname }}" + management_user: "{{ mgmt_user }}" + management_pass: "{{ mgmt_password }}" + + - name: wait for nodes to finish provisioning + wait_for_connection: + delay: 60 + sleep: 15 + timeout: 3600 + +- name: Approve new application nodes + hosts: localhost + gather_facts: false + become: false + + tasks: + - name: loop + include_tasks: approve-csrs.yml 
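Review bot: The `lookup node object` task treats every failure of `oc get node ...` as "node does not exist": `ignore_errors: true` plus `json_query('results[?failed].item')` puts the host into `new_app_nodes`, and the next play then netboots it through pxelinux-kickstarts and the management role, which reinstalls the machine. A transient API outage, an expired kubeconfig or a `jq` error would therefore trigger a reinstall of a healthy node. Using `oc get node ... -o json --ignore-not-found` and selecting hosts whose `stdout` is empty, while leaving real command failures fatal, distinguishes the two cases. The second play's `gather_facts: no` / `become: no` also use the `yes`/`no` form that the linting commit earlier in this series replaced with `true`/`false`.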
diff --git a/app/playbooks/apply.d/app-nodes/approve-csrs.yml b/app/playbooks/apply.d/app-nodes/approve-csrs.yml new file mode 100755 index 0000000..93ef00f --- /dev/null +++ b/app/playbooks/apply.d/app-nodes/approve-csrs.yml @@ -0,0 +1,46 @@ +- name: auto-approve all pending nodes + block: + - name: delay + pause: + seconds: 15 + + - name: approve all pending certificate requests + shell: > + {% raw %} + oc get csr + -o go-template='{{range .items}}{{if not .status}}{{.metadata.name}}{{"\n"}}{{end}}{{end}}' | + xargs --no-run-if-empty oc adm certificate approve + {% endraw %} + register: approve + changed_when: approve.stdout_lines | length + + - name: check new node status + shell: > + set -o pipefail; + oc get node {{ item }}.{{ cluster_name }}.{{ cluster_domain }} -o json | + jq -r '.status.conditions[] | select(.reason=="KubeletReady").status' + ignore_errors: true + register: node_ready + with_inventory_hostnames: + - new_app_nodes + changed_when: false + + - name: all nodes must be ready to continue + fail: + msg: not all new nodes are ready + when: > + node_ready | json_query('results[?stdout==`True`].item') | length < + groups.new_app_nodes | length + + rescue: + - name: ensure timeout has not been exceeded + fail: + msg: new application nodes failed to become ready + when: retry_count | default(0) | int > 240 + + - name: update loop counter + set_fact: + retry_count: "{{ retry_count | default(0) | int + 1 }}" + + - name: loop + include_tasks: approve-csrs.yml diff --git a/app/playbooks/apply.d/app-nodes/main.sh b/app/playbooks/apply.d/app-nodes/main.sh new file mode 100755 index 0000000..4d126ec --- /dev/null +++ b/app/playbooks/apply.d/app-nodes/main.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +ME=$(dirname $0) + +ansible-playbook $ME/apply.yml $@ || exit 1 diff --git a/app/playbooks/config.d/cluster/config.py b/app/playbooks/config.d/cluster/config.py index 3b143e1..9597639 100644 --- a/app/playbooks/config.d/cluster/config.py 
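Review bot: `approve all pending certificate requests` approves every CSR in the cluster that has no status, not only those raised by the nodes being added, so any pending request from another principal is signed as a side effect on each 15 s pass, for up to an hour. The go-template should additionally filter on the request's identity — keep only items whose `.spec.username` is the node-bootstrapper service account or `system:node:<name>` for a name in `groups.new_app_nodes` — so unrelated requests are left for a human. The self-including `loop` task is bounded only by `retry_count`; that is acceptable, but a comment on it explaining the 240 × 15 s budget would help the next reader.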
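Review bot: `ME=$(dirname $0)` and `ansible-playbook $ME/apply.yml $@` leave `$0`, `$ME` and `$@` unquoted, so a path containing spaces breaks and arguments containing spaces are re-split before they reach ansible-playbook. `ME=$(dirname "$0")` and `ansible-playbook "$ME/apply.yml" "$@" || exit 1` keep them intact. The container-storage main.sh touched later in this commit has the same pattern.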
+++ b/app/playbooks/config.d/cluster/config.py @@ -1,7 +1,10 @@ #!/usr/bin/env python # -*- coding: utf-8 -*- import sys +import json import os +import sys + from conftui import (Configurator, ParameterCollection, Parameter, ListDictParameter, PasswordParameter, ChoiceParameter, CheckParameter, StaticParameter, BooleanParameter) @@ -24,11 +27,13 @@ def __init__(self, path, footer, rtr_interfaces): [('server', 'DNS Server')], default='[{"server": "1.1.1.1"}]') ]) + self.cluster = ParameterCollection('cluster', 'Cluster Configuration', [ PasswordParameter('ADMIN_PASSWORD', 'Adminstrator Password'), PasswordParameter('PULL_SECRET', 'Pull Secret'), BooleanParameter('FIPS_MODE', 'FIPS Mode', 'False') ]) + self.architecture = ParameterCollection('architecture', 'Host Record Configuration', [ StaticParameter('MGMT_PROVIDER', 'Machine Management Provider', 'ilo'), Parameter('MGMT_USER', 'Machine Management User'), 
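Review bot: `import sys` now appears twice in the header of config.py: the existing line is kept and a second one is added below `import os`. Drop one of them and keep the stdlib imports as a single sorted group, `import json` / `import os` / `import sys`. Harmless at runtime, but linters flag it and it suggests the hunk was merged from two edits.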
@@ -40,6 +45,24 @@ def __init__(self, path, footer, rtr_interfaces): ('install_drive', 'OS Install Drive', os.environ.get('BOOT_DRIVE'))]), Parameter('CACHE_DISK', 'Container Cache Disk')]) + + stubbed_devices = json.loads(os.environ.get('BASTION_STUBBED_DEVICES', '{"items": []}'))['items'] + if stubbed_devices: + stub_parameter = CheckParameter('GUEST_HOSTDEVS', 'Host devices to passthrough', stubbed_devices) + else: + stub_parameter = StaticParameter('GUEST_HOSTDEVS', 'Host devices to passthrough', '---', '[]') + bastion_drives = os.environ.get('BASTION_UNMOUNTED_DRIVES', '').split() + if bastion_drives: + drives_parameter = CheckParameter('GUEST_DRIVES', 'Host drives to passthrough', bastion_drives) + else: + drives_parameter = StaticParameter('GUEST_HOSTDEVS', 'Host devices to passthrough', '---', '[]') + self.bastionvm = ParameterCollection('bastionvm', 'Bastion Node Guest', [ + BooleanParameter('GUEST', 'Create app node VM on bastion', 'False'), + Parameter('GUEST_NAME', 'Node name'), + Parameter('GUEST_CORES', 'Core Count'), + Parameter('GUEST_MEM', 'Memory (GB)'), + stub_parameter, drives_parameter]) + self.extra = ParameterCollection('extra', 'Extra DNS/DHCP Records', [ ListDictParameter('EXTRA_NODES', 'Static IP Reservations', [('name', 'Node Name'), ('mac', 'MAC Address'), ('ip', 'Requested IP Address')]), @@ -47,7 +70,7 @@ def __init__(self, path, footer, rtr_interfaces): [('name', 'Entry Name'), ('mac', 'MAC Address')]) ]) - self.all = [self.router, self.cluster, self.architecture, self.extra] + self.all = [self.router, self.cluster, self.architecture, self.bastionvm, self.extra] def main(): diff --git a/app/playbooks/create.d/machines/create.yml b/app/playbooks/create.d/machines/create.yml index 2ebe01f..9f07789 100755 --- a/app/playbooks/create.d/machines/create.yml +++ b/app/playbooks/create.d/machines/create.yml 
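Review bot: In the `else` branch for `bastion_drives`, `drives_parameter` is built as `StaticParameter('GUEST_HOSTDEVS', 'Host devices to passthrough', '---', '[]')`, a copy of the stub parameter above it, so on a bastion with no unmounted drives `GUEST_HOSTDEVS` is defined twice and `GUEST_DRIVES` is never exported; inventory.py's `json.loads(config['GUEST_DRIVES'])` in this same patch then fails with a KeyError whenever `GUEST` is enabled. It should read `drives_parameter = StaticParameter('GUEST_DRIVES', 'Host drives to passthrough', '---', '[]')`. The `__init__` this lands in starts before the hunk.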
@@ -14,6 +14,13 @@ roles: - name: virtual-machine - virtual_machine_hypervisor: "{{ mgmt_hostname }}" + virtual_machine_name: '{{ virsh_name }}' + virtual_machine_hypervisor: '{{ mgmt_hostname }}' virtual_machine_network: bridge=faroslan virtual_machine_disk: size=100,format=qcow2 + virtual_machine_vcpus: '{{ guest_cores | default(4) }}' + virtual_machine_memory: '{{ guest_mem | default(4096) }}' + virtual_machine_hostdevs: '{{ guest_devices | default([]) }}' + virtual_machine_autostart: '{{ inventory_hostname != "bootstrap" }}' + virtual_machine_hostdrives: '{{ guest_drives | default ([]) }}' + virtual_machine_graphics: 'vnc,port={{ vnc_port | default(5900) }},listen=0.0.0.0' diff --git a/app/playbooks/deploy.d/container-storage/container-storage.yml b/app/playbooks/deploy.d/container-storage/container-storage.yml index a1807ae..177be97 100644 --- a/app/playbooks/deploy.d/container-storage/container-storage.yml +++ b/app/playbooks/deploy.d/container-storage/container-storage.yml @@ -49,35 +49,7 @@ - name: ensure storagecluster exists k8s: state: present - definition: - apiVersion: ocs.openshift.io/v1 - kind: StorageCluster - metadata: - name: ocs-storagecluster - namespace: openshift-storage - spec: - manageNodes: false - monDataDirHostPath: /var/lib/rook - storageDeviceSets: - - count: "{{ drives_per_node }}" - dataPVCTemplate: - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - storageClassName: localblock - volumeMode: Block - name: ocs-deviceset - placement: {} - portable: false - replica: 3 - resources: {} - encryption: - enable: true - kms: {} - flexibleScaling: true + definition: "{{ lookup('template', './ocs-storagecluster.yml.j2') | from_yaml }}" retries: 60 delay: 15 register: apply diff --git a/app/playbooks/deploy.d/container-storage/local-storage.yml b/app/playbooks/deploy.d/container-storage/local-storage.yml index f6fcdd1..f60a62d 100644 --- a/app/playbooks/deploy.d/container-storage/local-storage.yml 
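Review bot: `virtual_machine_graphics: 'vnc,port={{ vnc_port | default(5900) }},listen=0.0.0.0'` exposes every guest's VNC console on all hypervisor interfaces, and nothing in the hunk sets a password for it. Unless the console must be reachable from outside the hypervisor, `listen=127.0.0.1` (reached over an SSH tunnel) or a `password=` option in the same string is the safer choice, or at least a comment recording why 0.0.0.0 was chosen. The role default in `virtual-machine/defaults/main.yml` carries the same `listen=0.0.0.0`, so the decision should live in one place. `default ([])` on the hostdrives line also has a stray space before the parenthesis, unlike the sibling lines.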
+++ b/app/playbooks/deploy.d/container-storage/local-storage.yml @@ -5,7 +5,7 @@ tasks: - name: get storage node drive id paths - shell: "oc debug -n default node/{{ item }} -- chroot /host find /dev/disk/by-id -type l -exec readlink -nf {} ';' -exec echo ': {}' ';' | egrep '(wwn|eui)' | sed 's/\\/dev\\///'" + shell: "oc debug -n default node/{{ item }} -- chroot /host find /dev/disk/by-id -type l -exec readlink -nf {} ';' -exec echo ': {}' ';' | egrep '(scsi|(wwn|eui))' | sed 's/\\/dev\\///'" loop: "{{ stg_drives | json_query('[*].host') }}" register: drive_id_lkp changed_when: false @@ -65,6 +65,11 @@ stg_devices: "{{ stg_devices|default([]) + [ drive_ids[item.0.host][item.1] ] }}" loop: "{{ lookup('subelements', stg_drives, 'drives') }}" + - name: save storage device id paths + set_stats: + data: + stg_devices: "{{ stg_devices }}" + - name: ensure storage nodes are labeled k8s: state: present diff --git a/app/playbooks/deploy.d/container-storage/main.sh b/app/playbooks/deploy.d/container-storage/main.sh index 0acb5d1..7c1524e 100755 --- a/app/playbooks/deploy.d/container-storage/main.sh +++ b/app/playbooks/deploy.d/container-storage/main.sh @@ -4,5 +4,5 @@ ME=$(dirname $0) STATS_FILE=/tmp/pipeline ansible-playbook $ME/gather-facts.yml $@ || exit 1 STATS_FILE=/tmp/pipeline python3 $ME/configure.py $@ || exit 1 -ansible-playbook $ME/local-storage.yml -e @/tmp/pipeline $@ || exit 1 +STATS_FILE=/tmp/pipeline ansible-playbook $ME/local-storage.yml -e @/tmp/pipeline $@ || exit 1 ansible-playbook $ME/container-storage.yml -e @/tmp/pipeline $@ || exit 1 diff --git a/app/playbooks/deploy.d/container-storage/ocs-storagecluster.yml.j2 b/app/playbooks/deploy.d/container-storage/ocs-storagecluster.yml.j2 new file mode 100644 index 0000000..aef0569 --- /dev/null +++ b/app/playbooks/deploy.d/container-storage/ocs-storagecluster.yml.j2 
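Review bot: The rewritten `shell:` pipeline in `get storage node drive id paths` has no `set -o pipefail`, so if `oc debug` fails the task still succeeds with empty output (the exit status is sed's) and the problem only surfaces later as an undefined key in `drive_ids`. Prefixing the command with `set -o pipefail;`, as the kvm.yml change in this same series does, would stop at the source; `egrep` is also deprecated in favour of `grep -E`, and the inner group in `(scsi|(wwn|eui))` is redundant, `(scsi|wwn|eui)` reads the same. The `stg_drives` variable and the enclosing play are defined outside the hunk.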
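Review bot: The changed line keeps `$ME` and `$@` unquoted, so a playbook directory or argument containing whitespace is word-split; `"$ME/local-storage.yml"` and `"$@"` are the usual form (the neighbouring lines share the issue, but this is the one being rewritten). `/tmp/pipeline` is a fixed, predictable path reused by every run on the host; if the script can be run by more than one user, a `mktemp`-created file would avoid clobbering and symlink surprises.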
@@ -0,0 +1,28 @@ +apiVersion: ocs.openshift.io/v1 +kind: StorageCluster +metadata: + name: ocs-storagecluster + namespace: openshift-storage +spec: + manageNodes: false + monDataDirHostPath: /var/lib/rook + storageDeviceSets: + - count: {{ stg_devices | length | int }} + dataPVCTemplate: + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + storageClassName: localblock + volumeMode: Block + name: ocs-deviceset + placement: {} + portable: false + replica: 1 + resources: {} + encryption: + enable: true + kms: {} + flexibleScaling: true diff --git a/app/playbooks/deploy.d/nvidia-drivers/nvidia-drivers.yml b/app/playbooks/deploy.d/nvidia-drivers/nvidia-drivers.yml index 50b22c0..c153e8f 100644 --- a/app/playbooks/deploy.d/nvidia-drivers/nvidia-drivers.yml +++ b/app/playbooks/deploy.d/nvidia-drivers/nvidia-drivers.yml @@ -30,38 +30,6 @@ sourceNamespace: openshift-marketplace installPlanApproval: "Automatic" - - name: wait for install to start - pause: - seconds: 30 - - - name: lookup install plan - set_fact: - install_plan: | - "{{ lookup('k8s', - api_version='operators.coreos.com/v1alpha1', - kind='Subscription', - resource=lookup('ini', 'nfd_name section=operators file=/app/versions.ini'), - namespace='openshift-operators', - wantlist=True)[0].status.installplan.name }}" - register: ip_lkp - until: ip_lkp is success - retries: 60 - delay: 15 - - - name: wait for install to complete - assert: - that: | - "{{ lookup('k8s', - api_version='operators.coreos.com/v1alpha1', - kind='InstallPlan', - resource=install_plan, - namespace='openshift-operators', - wantlist=True)[0].status.phase | default('error') == 'Complete' }}" - register: op_lkp - until: op_lkp is success - retries: 60 - delay: 15 - - name: ensure nvidia subscription exists k8s: state: present 
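Review bot: `count: {{ stg_devices | length | int }}` renders `count: 0` when `stg_devices` is empty or undefined, and the apply task that consumes this template then retries a StorageCluster 60 times that cannot become Available; an `assert: that: stg_devices | length > 0` before the apply would fail fast with a clear message. The `| int` after `length` is a no-op since `length` already yields an integer. `replica` also drops from the previous inline definition's 3 to 1 with nothing in the template saying why; a header comment such as `{# replica is 1 and count tracks the discovered devices because flexibleScaling is enabled — confirm #}` would record the intent, which the hunk does not state.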
@@ -78,34 +46,6 @@ sourceNamespace: openshift-marketplace installPlanApproval: "Automatic" - - name: wait for install to start - pause: - seconds: 30 - - - name: lookup install plan - set_fact: - install_plan: | - "{{ lookup('k8s', - api_version='operators.coreos.com/v1alpha1', - kind='Subscription', - resource=lookup('ini', 'nvidia_name section=operators file=/app/versions.ini'), - namespace='openshift-operators', - wantlist=True)[0].status.installplan.name }}" - - - name: wait for install to complete - assert: - that: | - "{{ lookup('k8s', - api_version='operators.coreos.com/v1alpha1', - kind='InstallPlan', - resource=install_plan, - namespace='openshift-operators', - wantlist=True)[0].status.phase | default('error') == 'Complete' }}" - register: op_lkp - until: op_lkp is success - retries: 60 - delay: 15 - - name: create nfd server k8s: state: present diff --git a/app/playbooks/util_vm_facts.yml b/app/playbooks/util_vm_facts.yml index 1aeeb0d..0442a06 100755 --- a/app/playbooks/util_vm_facts.yml +++ b/app/playbooks/util_vm_facts.yml @@ -6,4 +6,5 @@ roles: - name: vm-gather-facts - hypervisor: "{{ groups.bastion_hosts.0 }}" + hypervisor: '{{ groups.bastion_hosts.0 }}' + primary_network: faroslan diff --git a/app/roles/cockpit-links/handlers/main.yml b/app/roles/cockpit-links/handlers/main.yml index fcd20ec..a305c0a 100644 --- a/app/roles/cockpit-links/handlers/main.yml +++ b/app/roles/cockpit-links/handlers/main.yml @@ -6,4 +6,3 @@ loop: - index.html - manifest.json - when: install is changed diff --git a/app/roles/management/tasks/netboot/kvm.yml b/app/roles/management/tasks/netboot/kvm.yml index 492ea09..95c3eaa 100644 --- a/app/roles/management/tasks/netboot/kvm.yml +++ b/app/roles/management/tasks/netboot/kvm.yml 
@@ -1,7 +1,7 @@ - name: get current kvm server disk capacity shell: > - set -o pipefail - virsh vol-info --pool default --vol {{ inventory_hostname }}.qcow2 | + set -o pipefail; + virsh vol-info --pool default --vol {{ virsh_name | default(inventory_hostname) }}.qcow2 | grep Capacity | awk '{ print $2; }' delegate_to: "{{ management_hostname }}" @@ -9,16 +9,12 @@ register: kvm_vol_cap changed_when: false -- name: debug print the disk capacity - debug: - var: kvm_vol_cap.stdout.split('.')[0] - - name: network boot kvm servers shell: > - virsh vol-delete --pool default --vol {{ inventory_hostname }}.qcow2 && - virsh vol-create-as --pool default --name {{ inventory_hostname }}.qcow2 + virsh vol-delete --pool default --vol {{ virsh_name | default(inventory_hostname) }}.qcow2 && + virsh vol-create-as --pool default --name {{ virsh_name | default(inventory_hostname) }}.qcow2 --capacity {{ kvm_vol_cap.stdout.split('.')[0] }}G --format qcow2 && - virsh start {{ inventory_hostname }} + virsh start {{ virsh_name | default(inventory_hostname) }} delegate_to: "{{ management_hostname }}" become: true changed_when: true diff --git a/app/roles/management/tasks/poweroff/kvm.yml b/app/roles/management/tasks/poweroff/kvm.yml index 524ed0c..44f4fa1 100644 --- a/app/roles/management/tasks/poweroff/kvm.yml +++ b/app/roles/management/tasks/poweroff/kvm.yml @@ -1,6 +1,6 @@ - name: power off kvm server power state virt: - name: "{{ inventory_hostname }}" + name: "{{ virsh_name | default(inventory_hostname) }}" state: destroyed delegate_to: "{{ management_hostname }}" become: true diff --git a/app/roles/router/handlers/main.yaml b/app/roles/router/handlers/main.yaml index 7179755..fab7fdc 100644 --- a/app/roles/router/handlers/main.yaml +++ b/app/roles/router/handlers/main.yaml @@ -2,7 +2,7 @@ command: sysctl -w net.ipv4.ip_forward=1 - name: restart faroswan - command: nmcli con up faroslan + command: nmcli con up faroswan async: 120 poll: 5 
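Review bot: `{{ virsh_name | default(inventory_hostname) }}` is now repeated four times across the two hunks of this file (and once more in poweroff/kvm.yml), so a future change to the fallback has five places to drift. A task-level `vars: kvm_domain: "{{ virsh_name | default(inventory_hostname) }}"` (or a role default) and `{{ kvm_domain }}` in the commands would keep it in one place. The `vol-delete && vol-create-as && start` chain is pre-existing, but since this hunk is now the only place the volume name is derived, a comment that a failure between delete and create leaves the guest without a disk would be worth adding.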
diff --git a/app/roles/virtual-machine/defaults/main.yml b/app/roles/virtual-machine/defaults/main.yml index 50df8a0..d159628 100644 --- a/app/roles/virtual-machine/defaults/main.yml +++ b/app/roles/virtual-machine/defaults/main.yml @@ -1,3 +1,4 @@ +virtual_machine_name: '{{ inventory_hostname }}' virtual_machine_hypervisor: 'localhost' virtual_machine_vcpus: 4 virtual_machine_memory: 4096 @@ -6,3 +7,6 @@ virtual_machine_network: bridge=virbr0 virtual_machine_boot: hd,network virtual_machine_graphics: vnc,port=5901,listen=0.0.0.0 virtual_machine_os_variant: rhel8.0 +virtual_machine_hostdevs: [] +virtual_machine_autostart: false +virtual_machine_hostdrives: [] diff --git a/app/roles/virtual-machine/tasks/host_devices.yml b/app/roles/virtual-machine/tasks/host_devices.yml new file mode 100644 index 0000000..2d40c9e --- /dev/null +++ b/app/roles/virtual-machine/tasks/host_devices.yml 
@@ -0,0 +1,38 @@ +- name: inspect vm for desired host device mapping + shell: virsh dumpxml --inactive {{ virtual_machine_name }} | grep "domain='0x{{ device.domain }}' bus='0x{{ device.bus }}' slot='0x{{ device.slot }}' function='0x{{ device.function }}'" + ignore_errors: true + register: hostdev_check + delegate_to: "{{ virtual_machine_hypervisor }}" + become: true + changed_when: false + +- name: add host device to virtual machine + when: hostdev_check is failed + block: + - name: create temp file for device definition + tempfile: + state: file + suffix: _tmp.xml + register: xml_file + delegate_to: "{{ virtual_machine_hypervisor }}" + become: true + + - name: generate device xml definition + template: + src: hostdev.xml.j2 + dest: "{{ xml_file.path }}" + changed_when: true + delegate_to: "{{ virtual_machine_hypervisor }}" + become: true + + - name: attach device to virtual machine + command: "virsh attach-device {{ virtual_machine_name }} {{ xml_file.path }} --persistent" + delegate_to: "{{ virtual_machine_hypervisor }}" + become: true + + - name: delete temp device definition file + file: + path: "{{ xml_file.path }}" + state: absent + delegate_to: "{{ virtual_machine_hypervisor }}" + become: true diff --git a/app/roles/virtual-machine/tasks/host_drives.yml b/app/roles/virtual-machine/tasks/host_drives.yml new file mode 100644 index 0000000..61bf760 --- /dev/null +++ b/app/roles/virtual-machine/tasks/host_drives.yml 
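Review bot: The presence check drives the `when: hostdev_check is failed` block through `ignore_errors: true`, which treats every failure alike: a missing VM, a `virsh` permission error and `grep` finding no match all lead to an attach attempt, and the first two then fail again inside the block with a less direct message. `failed_when: false` together with `when: hostdev_check.rc != 0` expresses the intent without marking the play as having ignored errors, and `set -o pipefail;` in front of the pipeline would let a failing `virsh dumpxml` surface on its own. The four block tasks each repeat `delegate_to` and `become`; both can sit on the `block:` itself. The `device.*` fields are interpolated into the shell command unquoted; they come from inventory as hex components, so quoting is a robustness rather than a correctness concern here.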
@@ -0,0 +1,26 @@ +- name: inspect vm for desired drive mapping + shell: virsh dumpxml --inactive {{ virtual_machine_name }} | grep "" + ignore_errors: yes + register: hostdev_check + changed_when: false + delegate_to: "{{ virtual_machine_hypervisor }}" + become: yes + +- name: add host drive to virtual machine + when: hostdev_check is failed + block: + - name: lookup next drive letter + shell: sudo virsh dumpxml --inactive {{ virtual_machine_name }} | sed -rn "s/^.*'sd([a-z])'.*$/\1/p" | sort | tail -n 1 | tr '_a-z' 'a-z_' + register: next_drive_lkp + changed_when: false + delegate_to: "{{ virtual_machine_hypervisor }}" + become: yes + + - name: save next drive + set_fact: + next_drive: 'sd{% if next_drive_lkp.stdout %}{{ next_drive_lkp.stdout }}{% else %}a{% endif %}' + + - name: attach drive to virtual machine + command: "virsh attach-disk {{ virtual_machine_name }} /dev/{{ drive }} {{ next_drive }} --config" + delegate_to: "{{ virtual_machine_hypervisor }}" + become: yes diff --git a/app/roles/virtual-machine/tasks/main.yml b/app/roles/virtual-machine/tasks/main.yml index 222dd77..6f77037 100644 --- a/app/roles/virtual-machine/tasks/main.yml +++ b/app/roles/virtual-machine/tasks/main.yml @@ -7,7 +7,7 @@ - name: create virtual machine shell: > - virt-install --name={{ inventory_hostname }} + virt-install --name={{ virtual_machine_name }} --vcpus={{ virtual_machine_vcpus }} --memory={{ virtual_machine_memory }} --disk={{ virtual_machine_disk }} 
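Review bot: `sudo virsh dumpxml` in `lookup next drive letter` runs inside a task that already has `become: yes`, so the `sudo` is redundant and breaks on hosts where the become user has no passwordless sudo. The letter computation `tr '_a-z' 'a-z_'` maps `z` to `_`, so a 27th drive would be attached as `sd_`, and it assumes the existing letters are contiguous. As shown here the `grep ""` pattern is empty, which matches every line and makes the check always succeed; if an XML fragment was lost in rendering disregard this, otherwise the check needs the real target pattern. The file also uses `yes` booleans where the rest of the series was normalised to `true`, reuses the `ignore_errors` pattern from host_devices.yml, and registers into the same `hostdev_check` name — `hostdrive_check` would avoid confusion when both task files are included in one play.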
@@ -18,10 +18,60 @@ --cpu Haswell-noTSX --noautoconsole --check disk_size=off - when: inventory_hostname not in all_vms.list_vms + {% if virtual_machine_autostart %}--autostart{% endif %} + when: virtual_machine_name not in all_vms.list_vms delegate_to: "{{ virtual_machine_hypervisor }}" become: true - # Haswell CPU specification fixes some bug in kvm where it might not like # the EL8000 CPUs. Or something. I don't know, I'm tired and it works. # https://bugzilla.redhat.com/show_bug.cgi?id=1657738 + +- name: gather current ram allocation + shell: > + virsh dumpxml --inactive {{ virtual_machine_name }} | + sed -rn "s/^.*([0-9]+)<\/memory>/\1/p" + register: vm_ram + delegate_to: "{{ virtual_machine_hypervisor }}" + become: yes + changed_when: false + +- name: ensure vm ram is properly allocated + shell: > + virsh setmem {{ virtual_machine_name }} --config + --size {{ virtual_machine_memory|int * 1024 }} ; + virsh setmaxmem {{ virtual_machine_name }} --config + --size {{ virtual_machine_memory|int * 1024 }} + when: vm_ram.stdout|int - virtual_machine_memory|int * 1024 > 1024 + changed_when: true + delegate_to: "{{ virtual_machine_hypervisor }}" + become: yes + +- name: gather current cpu allocation + shell: > + virsh dumpxml --inactive {{ virtual_machine_name }} | + sed -rn "s/^.*([0-9]+)<\/vcpu>/\1/p" + register: vm_cpu + delegate_to: "{{ virtual_machine_hypervisor }}" + become: yes + changed_when: false + +- name: ensure vm cpu is properly allocated + command: > + virsh setvcpus {{ virtual_machine_name }} --config --maximum + --count {{ virtual_machine_vcpus|int }} + when: vm_cpu.stdout|int - virtual_machine_vcpus|int != 0 + changed_when: true + delegate_to: "{{ virtual_machine_hypervisor }}" + become: yes + +- name: ensure host devices are mapped + include_tasks: host_devices.yml + loop: '{{ virtual_machine_hostdevs }}' + loop_control: + loop_var: device + +- name: ensure host drives are mapped + include_tasks: host_drives.yml + loop: '{{ virtual_machine_hostdrives 
}}' + loop_control: + loop_var: drive diff --git a/app/roles/virtual-machine/templates/asdf b/app/roles/virtual-machine/templates/asdf deleted file mode 100644 index e69de29..0000000 diff --git a/app/roles/virtual-machine/templates/hostdev.xml.j2 b/app/roles/virtual-machine/templates/hostdev.xml.j2 new file mode 100644 index 0000000..14a41e6 --- /dev/null +++ b/app/roles/virtual-machine/templates/hostdev.xml.j2 @@ -0,0 +1,6 @@ + + + +
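Review bot: `when: vm_ram.stdout|int - virtual_machine_memory|int * 1024 > 1024` in `ensure vm ram is properly allocated` only fires when the guest currently has more memory than requested; a guest that needs to grow (negative difference) is never resized, unlike the CPU check below which uses `!= 0`. `when: (vm_ram.stdout|int - virtual_machine_memory|int * 1024) | abs > 1024` handles both directions. A comment on the `* 1024` (`# virtual_machine_memory is MiB; virsh dumpxml reports KiB`) would make the units explicit, and the `setmem ; setmaxmem` pair joined with `;` means a failed first command does not stop the second, which deserves either `&&` or a note. The two `sed` expressions appear here with their opening tags stripped (`([0-9]+)<\/memory>`), probably a rendering artefact; if not, they will not match. The `create virtual machine` shell block begins outside the hunk.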
    + + diff --git a/app/roles/vm-gather-facts/defaults/main.yml b/app/roles/vm-gather-facts/defaults/main.yml index 218e502..7642d78 100644 --- a/app/roles/vm-gather-facts/defaults/main.yml +++ b/app/roles/vm-gather-facts/defaults/main.yml @@ -1 +1,2 @@ hypervisor: 'localhost' +primary_network: 'virbr0' diff --git a/app/roles/vm-gather-facts/tasks/main.yml b/app/roles/vm-gather-facts/tasks/main.yml index f1ecf20..4d4d78e 100644 --- a/app/roles/vm-gather-facts/tasks/main.yml +++ b/app/roles/vm-gather-facts/tasks/main.yml @@ -1,14 +1,21 @@ - name: lookup kvm mac adress shell: > - set -o pipefail - virsh domiflist --domain {{ inventory_hostname }} | - tail -n2 | - awk '{ print $5 }' + set -o pipefail; + virsh domiflist --domain {{ virsh_name }} | + jq -R -s 'split("\n")[2:] | + map([splits(" +")]) | + map({interface: .[1], type: .[2], source: .[3], + model: .[4], mac: .[5]}) | + map(select(.source != null))' delegate_to: "{{ hypervisor }}" become: true - register: dommac_lkp + register: domif_lkp changed_when: false -- name: save mac address +- name: save network interface data set_fact: - mac_address: "{{ dommac_lkp.stdout }}" + network_interfaces: "{{ domif_lkp.stdout | from_json }}" + +- name: save primary mac address + set_fact: + mac_address: "{{ network_interfaces | json_query('[?source==`' + primary_network + '`].mac | [0]')}}" diff --git a/app/versions.ini b/app/versions.ini index c114112..a5b8861 100644 --- a/app/versions.ini +++ b/app/versions.ini @@ -1,5 +1,5 @@ [host] -shim=20081201 +shim=21080803 [cluster] rhcos=4.7/4.7.7 diff --git a/devel.env b/devel.env index bc427aa..0f12781 100644 --- a/devel.env +++ b/devel.env @@ -1,4 +1,6 @@ -WAN_INT=eno2 +WAN_INT=eno1 +BASTION_UNMOUNTED_DRIVES=nvme2n1 nvme3n1 nvme0n1 nvme1n1 +BASTION_STUBBED_DEVICES={"items":["0000:b1:00.0 3D controller: NVIDIA Corporation TU104GL [Tesla T4] (rev a1)"]} BASTION_IP_ADDR=192.168.8.1 BASTION_SSH_USER=core BASTION_HOST_NAME=bastion 
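Review bot: `mac_address` in `save primary mac address` comes from `json_query('... | [0]')`, which yields null when no interface on `primary_network` exists, so the fact silently becomes empty and flows into the DNS/DHCP records built downstream; an `assert: that: mac_address | length > 0` after it (or `failed_when` on the lookup) would stop the play at the source. The new pipeline depends on `jq` being present on the hypervisor, which nothing in the role checks or documents; a comment on the task or a `package:` prerequisite would help. `primary_network` is spliced into a JMESPath backtick literal; the values in this series are fixed bridge names, so escaping is a robustness rather than a security concern. `virsh_name` is also used here without the `default(inventory_hostname)` fallback the management role adopts in the same commit.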
From 22dfca0d82aad492cfcb19e935858bfc67530004 Mon Sep 17 00:00:00 2001 From: Ryan Kraus Date: Mon, 9 Aug 2021 12:55:53 -0400 Subject: [PATCH 06/12] Bumping version to 4.7.4 --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index 87b18a5..b48b2de 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -4.7.3 +4.7.4 From 7877577c9a6e7c8c365ff79979b3075e17ce06e4 Mon Sep 17 00:00:00 2001 From: Ryan Kraus Date: Wed, 11 Aug 2021 18:15:37 -0400 Subject: [PATCH 07/12] Bumping version numbers to 4.8 components. (#170) --- Dockerfile | 2 +- app/versions.ini | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0ebcc68..c8202b5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -34,7 +34,7 @@ RUN rpm -i /app/tmp/ilorest-3.0.1-7.x86_64.rpm; \ chmod -Rv g-rwx /root/.ssh; chmod -Rv o-rwx /root/.ssh; \ rm -rf /app/tmp; \ cd /usr/local/bin; \ - curl https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-4.7/openshift-client-linux.tar.gz | tar xvzf -; \ + curl https://mirror.openshift.com/pub/openshift-v4/clients/ocp/stable-4.8/openshift-client-linux.tar.gz | tar xvzf -; \ curl https://raw.githubusercontent.com/project-faros/farosctl/master/bin/farosctl > farosctl; \ chmod 755 farosctl; diff --git a/app/versions.ini b/app/versions.ini index a5b8861..f4bdb3e 100644 --- a/app/versions.ini +++ b/app/versions.ini 
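Review bot: The changed `curl ... | tar xvzf -` line still downloads the `stable-4.8` client tarball with no `--fail` and no checksum check, so a 404 body or a truncated transfer is silently fed to tar and a tampered mirror goes unnoticed. `curl -fsSL <url> -o oc.tar.gz && echo '<sha256 from the mirror's published checksum file> oc.tar.gz' | sha256sum -c - && tar xzf oc.tar.gz` pins what the image ships; the mirror publishes a checksum file alongside the tarballs. Pinning an explicit version instead of the moving `stable-4.8` alias would also make rebuilds reproducible.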
@@ -1,21 +1,21 @@ [host] -shim=21080803 +shim=21081001 [cluster] -rhcos=4.7/4.7.7 +rhcos=4.8/4.8.2 initramfs=rhcos-live-initramfs.x86_64.img kernel=rhcos-live-kernel-x86_64 rootfs=rhcos-live-rootfs.x86_64.img image=rhcos-metal.x86_64.raw.gz -installer=stable-4.7 +installer=stable-4.8 [operators] -nfd_channel=4.7 +nfd_channel=4.8 nfd_name=nfd nfd_source=redhat-operators -local_storage=4.7 -container_storage=stable-4.7 -opendatahub=beta +local_storage=4.8 +container_storage=stable-4.8 +opendatahub=stable nvidia_channel=stable nvidia_name=gpu-operator-certified nvidia_source=certified-operators From f75b1d318f84fbf3fdbc2caee1c95203ec257661 Mon Sep 17 00:00:00 2001 From: Ryan Kraus Date: Thu, 19 Aug 2021 16:20:23 -0400 Subject: [PATCH 08/12] Allow IP addresses for Ilo interfaces to be specified for user managed ilo networks. (#171) * Added mgmt_ip option to config menu. * Started updates to inventory file. * Added mac address verification to the inventory script. * Fixed an issue with the conftui to allow empty text fields. * Updated dhcp playbook to not create records to ipmi interfaces specified by ip address. --- app/inventory.py | 37 ++++++++++++++------- app/lib/python/conftui.py | 2 +- app/playbooks/apply.d/host-records/dhcp.yml | 1 + app/playbooks/config.d/cluster/config.py | 2 +- 4 files changed, 28 insertions(+), 14 deletions(-) diff --git a/app/inventory.py b/app/inventory.py index 3a4b01c..38817c2 100755 --- a/app/inventory.py +++ b/app/inventory.py @@ -88,6 +88,7 @@ class IPAddressManager(dict): def __init__(self, save_file, subnet, subnet_mask): super().__init__() self._save_file = save_file + self._validate = True # parse the subnet definition into a static and dynamic pool subnet = ipaddress.ip_network(f'{subnet}/{subnet_mask}', strict=False) 
@@ -116,7 +117,10 @@ def __init__(self, save_file, subnet, subnet_mask): _ = self['bastion'] def __getitem__(self, key): - key = key.lower() + key = key.lower().strip() + if self._validate: + assert re.match('^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$', key.lower()), \ + f'Provided mac address ({key}) is not valid.' try: return super().__getitem__(key) except KeyError: @@ -136,9 +140,11 @@ def _next_ip(self): loop = new_ip in used_ips return new_ip - def get(self, key, value=None): + def get(self, key, value=None, validate=True): + self._validate = validate if value and value not in self.values(): self[key] = value + self._validate = True return self[key] def save(self): @@ -203,7 +209,7 @@ def main(config, ipam, inv): mgmt_user=config['MGMT_USER'], mgmt_password=config['MGMT_PASSWORD'], install_disk=config['BOOT_DRIVE'], - loadbalancer_vip=ipam['loadbalancer'], + loadbalancer_vip=ipam.get('loadbalancer', validate=False), dynamic_ip_range=ipam.dynamic_pool, reverse_ptr_zone=ipam.reverse_ptr_zone, subnet=config['SUBNET'], 
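Review bot: `__getitem__` validates MAC addresses with `assert`, which is stripped under `python -O` and raises `AssertionError` rather than a `ValueError` a caller can handle; `key` is already lowercased on the line above, so the second `.lower()` is a no-op, and `re.match` with `$` accepts a trailing newline. `if self._validate and not re.fullmatch(r'([0-9a-f]{2}[:-]){5}[0-9a-f]{2}', key): raise ValueError(f'Provided mac address ({key}) is not valid.')` keeps the message and works under -O. The rest of `__getitem__` continues outside the hunk.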
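Review bot: `get` clears `self._validate` and restores it only after `self[key]` returns, so when the lookup raises (the validation assertion, or any error inside `__getitem__`) the manager is left with validation permanently off for the rest of the run; patch 09's rewrite of the same method (the `@@ -144,8 +146,9 @@` hunk later on this page) moves the read before the restore but has the same gap. A `try: ... finally: self._validate = True` around the body closes it, and the same applies to the `_ = self['bastion']` lookup that patch 09 wraps in `__init__`.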
@@ -238,29 +244,29 @@ def main(config, ipam, inv): ansible_become_pass=config['ADMIN_PASSWORD'], ansible_ssh_user=config['BASTION_SSH_USER']) router.add_host('lan', - ipam['bastion'], + ipam.get('bastion', validate=False), ansible_become_pass=config['ADMIN_PASSWORD'], ansible_ssh_user=config['BASTION_SSH_USER']) # DNS NODE router.add_host('dns', - ipam['bastion'], + ipam.get('bastion', validate=False), ansible_become_pass=config['ADMIN_PASSWORD'], ansible_ssh_user=config['BASTION_SSH_USER']) # DHCP NODE router.add_host('dhcp', - ipam['bastion'], + ipam.get('bastion', validate=False), ansible_become_pass=config['ADMIN_PASSWORD'], ansible_ssh_user=config['BASTION_SSH_USER']) # LOAD BALANCER NODE router.add_host('loadbalancer', - ipam['loadbalancer'], + ipam.get('loadbalancer', validate=False), ansible_become_pass=config['ADMIN_PASSWORD'], ansible_ssh_user=config['BASTION_SSH_USER']) # BASTION NODE bastion = infra.add_group('bastion_hosts') bastion.add_host(config['BASTION_HOST_NAME'], - ipam['bastion'], + ipam.get('bastion', validate=False), ansible_become_pass=config['ADMIN_PASSWORD'], ansible_ssh_user=config['BASTION_SSH_USER']) @@ -268,7 +274,7 @@ def main(config, ipam, inv): cluster = inv.add_group('cluster', ansible_python_interpreter='/usr/libexec/platform-python') # BOOTSTRAP NODE - ip = ipam['bootstrap'] + ip = ipam.get('bootstrap', validate=False) cluster.add_host('bootstrap', ip, ansible_ssh_user='core', node_role='bootstrap', 
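Review bot: `ipam.get('bastion', validate=False)` and `ipam.get('loadbalancer', validate=False)` are now spelled out at six call sites in `main`, so every reserved name has to remember the flag or trip the MAC validation. A module-level set of reserved keys (`bastion`, `loadbalancer`, `bootstrap`, the guest name) consulted inside `__getitem__` would remove the repetition and the chance of a missed flag at the next site added. `main` continues on both sides of the hunk.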
@@ -280,10 +286,17 @@ def main(config, ipam, inv): node_defs = json.loads(config['CP_NODES']) for count, node in enumerate(node_defs): ip = ipam[node['mac']] - mgmt_ip = ipam[node['mgmt_mac']] + if node.get('mgmt_ip'): + _ = ipaddress.ip_address(node['mgmt_ip']) + mgmt_ip = node['mgmt_ip'] + mgmt_mac = '' + else: + mgmt_mac = node['mgmt_mac'] + mgmt_ip = ipam[node['mgmt_mac']] + cp.add_host(node['name'], ip, mac_address=node['mac'], - mgmt_mac_address=node['mgmt_mac'], + mgmt_mac_address=mgmt_mac, mgmt_hostname=mgmt_ip, ansible_ssh_user='core', cp_node_id=count, @@ -299,7 +312,7 @@ def main(config, ipam, inv): ['domain', 'bus', 'slot', 'function'], re.split('\W', item))) for item in json.loads(config['GUEST_HOSTDEVS'])] - app.add_host(config['GUEST_NAME'], ipam[config['GUEST_NAME']], + app.add_host(config['GUEST_NAME'], ipam.get(config['GUEST_NAME']), ansible_ssh_user='core', cluster_nic='enp1s0', guest_cores=int(config['GUEST_CORES']), diff --git a/app/lib/python/conftui.py b/app/lib/python/conftui.py index a7d925f..5d826b7 100644 --- a/app/lib/python/conftui.py +++ b/app/lib/python/conftui.py @@ -276,7 +276,7 @@ def _mkentry(self, defaults): for item in self._keys: default = defaults.get(item[0], item[2]) answer = answers[item[0]].strip() - answers[item[0]] = default if default and not answer else answer + answers[item[0]] = answer return answers diff --git a/app/playbooks/apply.d/host-records/dhcp.yml b/app/playbooks/apply.d/host-records/dhcp.yml index a1d5a2c..53de713 100755 --- a/app/playbooks/apply.d/host-records/dhcp.yml +++ b/app/playbooks/apply.d/host-records/dhcp.yml @@ -20,6 +20,7 @@ dhcp_mac_address: "{{ mgmt_mac_address }}" dhcp_ip: "{{ mgmt_hostname }}" dhcp_name: "{{ inventory_hostname }}-mgmt" + dhcp_present: "{{ mgmt_mac_address != '' }}" - name: Configure extra DHCP records hosts: localhost diff --git a/app/playbooks/config.d/cluster/config.py b/app/playbooks/config.d/cluster/config.py index 9597639..e67028f 100644 
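Review bot: `_ = ipaddress.ip_address(node['mgmt_ip'])` validates the address but discards the parsed value, so `mgmt_ip` keeps the user's spelling (a non-canonical IPv6 form, for example), and a node that supplies both `mgmt_ip` and `mgmt_mac` has its MAC silently dropped. `mgmt_ip = str(ipaddress.ip_address(node['mgmt_ip']))` normalises it, and a short comment (`# user-managed ilo network: no DHCP record, address used as given`) would explain why `mgmt_mac` is blanked. The loop and the `cp.add_host` call run past the hunk.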
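Review bot: With `answers[item[0]] = answer`, the `default = defaults.get(item[0], item[2])` line just above is dead — `default` is no longer read anywhere in the loop. Either drop that line or, if empty answers should still fall back in some cases, document when, since the old fallback is exactly what this change removes. `_mkentry` begins outside the hunk.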
--- a/app/playbooks/config.d/cluster/config.py +++ b/app/playbooks/config.d/cluster/config.py @@ -41,7 +41,7 @@ def __init__(self, path, footer, rtr_interfaces): ListDictParameter('CP_NODES', 'Control Plane Machines', [('name', 'Node Name'), ('nic', 'Network Interface'), ('mac', 'MAC Address'), - ('mgmt_mac', 'Management MAC Address'), + ('mgmt_ip', 'Management IP'), ('mgmt_mac', 'Management MAC Address'), ('install_drive', 'OS Install Drive', os.environ.get('BOOT_DRIVE'))]), Parameter('CACHE_DISK', 'Container Cache Disk')]) From dcd07562331b12f826355f39d0097edec41d5d9c Mon Sep 17 00:00:00 2001 From: Ryan Kraus Date: Thu, 19 Aug 2021 16:57:42 -0400 Subject: [PATCH 09/12] Load the default configuration when no config file exists (#172) * Fixed issue with validating mac addresses. * Automatically load default config file when none exists. This fixes #168. --- app/inventory.py | 8 ++++++-- home/.bashrc | 5 ++++- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/app/inventory.py b/app/inventory.py index 38817c2..4646aec 100755 --- a/app/inventory.py +++ b/app/inventory.py @@ -114,7 +114,9 @@ def __init__(self, save_file, subnet, subnet_mask): self.update(restore) # reserve the first ip for the bastion + self._validate = False _ = self['bastion'] + self._validate = True def __getitem__(self, key): key = key.lower().strip() @@ -144,8 +146,9 @@ def get(self, key, value=None, validate=True): self._validate = validate if value and value not in self.values(): self[key] = value + out = self[key] self._validate = True - return self[key] + return out def save(self): with open(self._save_file, 'wb') as handle: 
@@ -312,7 +315,8 @@ def main(config, ipam, inv): ['domain', 'bus', 'slot', 'function'], re.split('\W', item))) for item in json.loads(config['GUEST_HOSTDEVS'])] - app.add_host(config['GUEST_NAME'], ipam.get(config['GUEST_NAME']), + app.add_host(config['GUEST_NAME'], + ipam.get(config['GUEST_NAME'], validate=False), ansible_ssh_user='core', cluster_nic='enp1s0', guest_cores=int(config['GUEST_CORES']), diff --git a/home/.bashrc b/home/.bashrc index 64f769d..5606d45 100644 --- a/home/.bashrc +++ b/home/.bashrc @@ -23,7 +23,10 @@ function set_proxy() { # User specific environment and startup programs function ps1() { - _CONFIG_LAST_MODIFY=$(stat -c %Z /data/config.sh) + if [[ ! -f /data/config.sh ]]; then + cp -a /data.skel/config.sh /data/config.sh + fi + _CONFIG_LAST_MODIFY=$(stat -c %Z /data/config.sh 2> /dev/null) if [[ $_CONFIG_LAST_MODIFY -gt $_CONFIG_LAST_LOAD ]]; then echo " -- Configuration Reloaded -- " source /data/config.sh 2> /dev/null From 166c0be2d8cfa22354029287e75168f6024a5b2f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 19 Aug 2021 22:55:05 -0400 Subject: [PATCH 10/12] Update ansible requirement from <4.2 to <4.5 (#169) Updates the requirements on [ansible](https://github.com/ansible/ansible) to permit the latest version. - [Release notes](https://github.com/ansible/ansible/releases) - [Commits](https://github.com/ansible/ansible/commits) --- updated-dependencies: - dependency-name: ansible dependency-type: direct:production ... Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 3fb909e..574964c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ pyinquirer==1.0.3 -ansible<4.2 +ansible<4.5 # for management/ilo provider python-hpilo==4.4.3 
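Review bot: The new `cp -a /data.skel/config.sh /data/config.sh` inside `ps1()` runs on every prompt and reports nothing when it fails (missing skeleton, read-only `/data`); the following `stat ... 2> /dev/null` then yields an empty `_CONFIG_LAST_MODIFY`, which `[[ -gt ]]` treats as 0, so a broken setup simply never reloads. `cp -a /data.skel/config.sh /data/config.sh || echo ' -- could not create /data/config.sh -- '` would make the failure visible, and `cp -a` also carries the skeleton's mode and owner across, worth a comment if that is relied on. `ps1()` continues outside the hunk.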
From dabf61ad9b54cb2b8a3fcce2b4576c2fb0c5e104 Mon Sep 17 00:00:00 2001 From: Ryan Kraus Date: Fri, 20 Aug 2021 12:49:46 -0400 Subject: [PATCH 11/12] Automatically enable the registry when storage is available. (#173) * Automatically enable the registry when storage is available. * Changed the default storage class to RBD because it is more performant * Manually created PVC for the registry to target the correct StorageClass --- .../container-storage/container-storage.yml | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/app/playbooks/deploy.d/container-storage/container-storage.yml b/app/playbooks/deploy.d/container-storage/container-storage.yml index 177be97..edf4850 100644 --- a/app/playbooks/deploy.d/container-storage/container-storage.yml +++ b/app/playbooks/deploy.d/container-storage/container-storage.yml 
@@ -54,3 +54,68 @@ delay: 15 register: apply until: apply is success + + - name: wait for storage class to be ready + k8s_info: + api_version: v1 + kind: StorageCluster + name: ocs-storagecluster + namespace: openshift-storage + wait: yes + wait_condition: + type: Available + + - name: ensure rbd is the default storage class + k8s: + definition: + apiVersion: v1 + kind: StorageClass + metadata: + name: ocs-storagecluster-ceph-rbd + annotations: + storageclass.kubernetes.io/is-default-class: "true" + + - name: ensure registry storage exists + k8s: + definition: + apiVersion: v1 + kind: PersistentVolumeClaim + metadata: + name: image-registry-storage + namespace: openshift-image-registry + spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 100Gi + volumeMode: Filesystem + storageClassName: ocs-storagecluster-cephfs + + - name: ensure the registry is configured + k8s: + definition: + apiVersion: imageregistry.operator.openshift.io/v1 + kind: Config + metadata: + name: cluster + spec: + managementState: Managed + storage: + pvc: + claim: image-registry-storage + + - name: wait for the registry to become available + k8s_info: + api_version: imageregistry.operator.openshift.io/v1 + kind: Config + name: cluster + wait: yes + wait_condition: + type: "{{ item.type }}" + status: "{{ item.status }}" + loop: + - type: Removed + status: false + - type: Available + status: true From b27504afcbd8d225f171664cde214dc7e9ef9794 Mon Sep 17 00:00:00 2001 From: Ryan Kraus Date: Fri, 20 Aug 2021 13:00:44 -0400 Subject: [PATCH 12/12] Version bump. --- version.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/version.txt b/version.txt index b48b2de..88f1811 100644 --- a/version.txt +++ b/version.txt @@ -1 +1 @@ -4.7.4 +4.8.0
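Review bot: Both `k8s_info` waits (`wait for storage class to be ready`, `wait for the registry to become available`) set `wait: yes` without `wait_timeout`, so they fall back to the module default (120 seconds, if I recall the docs correctly), which is short relative to a StorageCluster coming up; the `retries: 60` / `delay: 15` on the apply just above suggests a `wait_timeout: 900` of the same order is what is expected. `wait_condition.status` is given as YAML booleans (`false`/`true`) while the module documents the field as a string (`"False"`/`"True"`), so quoting them avoids relying on type coercion. `storage: 100Gi` for the registry PVC is hard-coded; a variable with this as its default would let smaller clusters override it. The hunk's first lines belong to the `ensure storagecluster exists` task, which starts outside it.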