9 files changed, 285 insertions, 1 deletions
diff --git a/playbooks/provisioning/openstack/README.md b/playbooks/provisioning/openstack/README.md index 370f582b2..b9a3b23de 100644 --- a/playbooks/provisioning/openstack/README.md +++ b/playbooks/provisioning/openstack/README.md @@ -250,6 +250,9 @@ right after provisioning will fail (unless you're using an external DNS server your provider network knows about). You must make sure your nodes are able to resolve each other by name. +**NOTE**: Flannel SDN requires a dedicated containers data network and cannot +work over a single provider network. + #### Security notes Configure required `*_ingress_cidr` variables to restrict public access @@ -267,6 +270,10 @@ be the case for development environments. When turned off, the servers will be provisioned omitting the ``yum update`` command. This brings security implications though, and is not recommended for production deployments. +Flannel network used for user applications and workloads data should be +isolated from other networks as it has Neutron ports security disabled. +Openshift master, compute and infra nodes will be connected to that network. + ##### DNS servers security options Aside from `node_ingress_cidr` restricting public access to in-stack DNS 
@@ -584,12 +591,31 @@ This playbook runs against all cluster nodes. In order to help prevent slow conn problems, the task is retried 10 times in case of initial failure. Note that in order for this example to work in your deployment, your servers must use the RHEL image. +#### Adding extra Docker registry URLs + +This playbook is located in the [custom-actions](https://github.com/openshift/openshift-ansible-contrib/tree/master/playbooks/provisioning/openstack/custom-actions) directory. + +It adds URLs passed as arguments to the docker configuration program. +Going into more detail, the configuration program (which is in the YAML format) is loaded into an ansible variable +([lines 27-30](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml#L27-L30)) +and in its structure, `registries` and `insecure_registries` sections are expanded with the newly added items +([lines 56-76](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml#L56-L76)). +The new content is then saved into the original file +([lines 78-82](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml#L78-L82)) +and docker is restarted. + +Example usage: +``` +ansible-playbook -i <inventory> openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml --extra-vars '{"registries": "reg1", "insecure_registries": ["ins_reg1","ins_reg2"]}' +``` + Please consider contributing your custom playbook back to openshift-ansible-contrib! A library of custom post-provision actions exists in `openshift-ansible-contrib/playbooks/provisioning/openstack/custom-actions`. 
Playbooks include: * [add-yum-repos.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-yum-repos.yml): adds a list of custom yum repositories to every node in the cluster * [add-rhn-pools.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-rhn-pools.yml): attaches a list of additional RHN pools to every node in the cluster +* [add-docker-registry.yml](https://github.com/openshift/openshift-ansible-contrib/blob/master/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml): adds a list of docker registries to the docker configuration on every node in the cluster ### Install OpenShift @@ -627,7 +653,7 @@ The `increment_by` variable is used to specify by how much the deployment should be scaled up (if none exists, it serves as a target number of application nodes). The path to `openshift-ansible` directory can be customised by the `openshift_ansible_dir` variable. Its value must be an absolute path to `openshift-ansible` and it cannot -contain the '/' symbol at the end. +contain the '/' symbol at the end. Usage: diff --git a/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml b/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml new file mode 100644 index 000000000..e118a71dc --- /dev/null +++ b/playbooks/provisioning/openstack/custom-actions/add-docker-registry.yml 
@@ -0,0 +1,90 @@ +--- +- hosts: OSEv3 + become: true + vars: + registries: [] + insecure_registries: [] + + tasks: + - name: Check if docker is even installed + command: docker + + - name: Install atomic-registries package + yum: + name: atomic-registries + state: latest + + - name: Get registry configuration file + register: file_result + stat: + path: /etc/containers/registries.conf + + - name: Check if it exists + assert: + that: 'file_result.stat.exists' + msg: "Configuration file does not exist." + + - name: Load configuration file + shell: cat /etc/containers/registries.conf + register: file_content + + - name: Store file content into a variable + set_fact: + docker_conf: "{{ file_content.stdout | from_yaml }}" + + - name: Make sure that docker file content is a dictionary + when: '(docker_conf is string) and (not docker_conf)' + set_fact: + docker_conf: {} + + - name: Make sure that registries is a list + when: 'registries is string' + set_fact: + registries_list: [ "{{ registries }}" ] + + - name: Make sure that insecure_registries is a list + when: 'insecure_registries is string' + set_fact: + insecure_registries_list: [ "{{ insecure_registries }}" ] + + - name: Set default values if there are no registries defined + set_fact: + docker_conf_registries: "{{ [] if docker_conf['registries'] is not defined else docker_conf['registries'] }}" + docker_conf_insecure_registries: "{{ [] if docker_conf['insecure_registries'] is not defined else docker_conf['insecure_registries'] }}" + + - name: Add other registries + when: 'registries_list is not defined' + register: registries_merge_result + set_fact: + docker_conf: "{{ docker_conf | combine({'registries': (docker_conf_registries + registries) | unique}, recursive=True) }}" + + - name: Add other registries (if registries had to be converted) + when: 'registries_merge_result|skipped' + set_fact: + docker_conf: "{{ docker_conf | combine({'registries': (docker_conf_registries + registries_list) | unique}, 
recursive=True) }}" + + - name: Add insecure registries + when: 'insecure_registries_list is not defined' + register: insecure_registries_merge_result + set_fact: + docker_conf: "{{ docker_conf | combine({'insecure_registries': (docker_conf_insecure_registries + insecure_registries) | unique }, recursive=True) }}" + + - name: Add insecure registries (if insecure_registries had to be converted) + when: 'insecure_registries_merge_result|skipped' + set_fact: + docker_conf: "{{ docker_conf | combine({'insecure_registries': (docker_conf_insecure_registries + insecure_registries_list) | unique }, recursive=True) }}" + + - name: Load variable back to file + copy: + content: "{{ docker_conf | to_yaml }}" + dest: /etc/containers/registries.conf + + - name: Restart registries service + service: + name: registries + state: restarted + + - name: Restart docker + service: + name: docker + state: restarted diff --git a/playbooks/provisioning/openstack/net_vars_check.yaml b/playbooks/provisioning/openstack/net_vars_check.yaml new file mode 100644 index 000000000..68afde415 --- /dev/null +++ b/playbooks/provisioning/openstack/net_vars_check.yaml @@ -0,0 +1,14 @@ +--- +- name: Check the provider network configuration + fail: + msg: "Flannel SDN requires a dedicated containers data network and can not work over a provider network" + when: + - openstack_provider_network_name is defined + - openstack_private_data_network_name is defined + +- name: Check the flannel network configuration + fail: + msg: "A dedicated containers data network is only supported with Flannel SDN" + when: + - openstack_private_data_network_name is defined + - not openshift_use_flannel|default(False)|bool diff --git a/playbooks/provisioning/openstack/prerequisites.yml b/playbooks/provisioning/openstack/prerequisites.yml index f2f720f8b..11a31411e 100644 --- a/playbooks/provisioning/openstack/prerequisites.yml +++ b/playbooks/provisioning/openstack/prerequisites.yml 
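Review bot: The `Load variable back to file` task overwrites /etc/containers/registries.conf with the merged `to_yaml` output and nothing keeps the previous file, so a malformed `registries`/`insecure_registries` value is applied with no way back; add `backup: true` to that `copy` task. The two `service: state: restarted` tasks run unconditionally, so every invocation restarts docker (and all running containers) on every OSEv3 node even when the file did not change — turning them into handlers and adding `notify` on the copy task limits the restart to real changes. Entries appended to `insecure_registries` make the runtime accept those registries without TLS verification, so a comment on that task stating the list is security-relevant would help an operator reading the playbook. `shell: cat /etc/containers/registries.conf` can be the `slurp` module (`{{ file_content.content | b64decode | from_yaml }}`), and `command: docker` reports changed on every run and wants `changed_when: false`. `yum: state: latest` upgrades atomic-registries whenever a newer build is published; `present` is the safer default for a post-provision action.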
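Review bot: The first check never looks at `openshift_use_flannel`: with Flannel enabled and `openstack_provider_network_name` set but `openstack_private_data_network_name` left undefined, both checks pass, although the README in this commit says Flannel cannot work over a provider network and heat_stack.yaml.j2 creates `data_net` purely on the Flannel flag. Adding `- openshift_use_flannel|default(False)|bool` to the first `when` list, next to `openstack_provider_network_name is defined`, makes the condition match the message. The sample inventory pairs `openshift_use_flannel: true` with `openshift_use_openshift_sdn: false`; a third check that both SDNs are not enabled at once would catch an easy misconfiguration, unless openshift-ansible already validates that (not visible here).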
@@ -2,6 +2,9 @@ - hosts: localhost tasks: + # Sanity check of inventory variables + - include: net_vars_check.yaml + # Check ansible - name: Check Ansible version assert: diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml index 2e897102e..70e77662d 100644 --- a/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml +++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/OSEv3.yml @@ -51,3 +51,7 @@ openshift_override_hostname_check: true # NOTE(shadower): Always switch to root on the OSEv3 nodes. # openshift-ansible requires an explicit `become`. ansible_become: true + +# # Flannel networking +#openshift_use_openshift_sdn: false +#openshift_use_flannel: true diff --git a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml index fa1fb6c64..83289307d 100644 --- a/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml +++ b/playbooks/provisioning/openstack/sample-inventory/group_vars/all.yml @@ -15,6 +15,10 @@ public_dns_nameservers: [] openstack_ssh_public_key: "openshift" openstack_external_network_name: "public" #openstack_private_network_name: "openshift-ansible-{{ stack_name }}-net" +# # A dedicated Neutron network name for containers data network +# # Configures the data network to be separated from openstack_private_network_name +# # NOTE: this is only supported with Flannel SDN yet +#openstack_private_data_network_name: "openshift-ansible-{{ stack_name }}-data-net" ## If you want to use a provider network, set its name here. ## NOTE: the `openstack_external_network_name` and diff --git a/roles/openstack-stack/templates/heat_stack.yaml.j2 b/roles/openstack-stack/templates/heat_stack.yaml.j2 index a6b088efb..1f1e33cf2 100644 --- a/roles/openstack-stack/templates/heat_stack.yaml.j2 
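Review bot: The included checks run in the `hosts: localhost` play, so `openshift_use_flannel` is only visible if localhost picks up the OSEv3 group vars — the sample inventory in this commit sets it in group_vars/OSEv3.yml while `openstack_private_data_network_name` lives in group_vars/all.yml. If localhost is not a member of OSEv3, the second check in net_vars_check.yaml sees the `default(False)` and fails whenever the data network is configured; worth confirming against the inventory layout, which is outside this diff. Stating the requirement in the comment, `# Sanity check of inventory variables (openshift_use_flannel must be visible to localhost)`, saves the next person debugging that failure.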
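Review bot: The new `openstack_private_data_network_name` comment presents the value as a network name, but heat_stack.yaml.j2 in this commit hard-codes `name: openshift-ansible-{{ stack_name }}-data-net` for `data_net`, and within this diff the variable is only read by net_vars_check.yaml as a presence switch; a user who sets a different name gets a network with the template's name. Either the template should use `{{ openstack_private_data_network_name }}` for the net and subnet names, if the role makes the variable available there (not visible from here), or the comment should say the value is only a switch and not used as a name. Minor wording: `only supported with Flannel SDN yet` reads better as `so far only supported with Flannel SDN`.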
+++ b/roles/openstack-stack/templates/heat_stack.yaml.j2 @@ -113,6 +113,22 @@ resources: - {{ nameserver }} {% endfor %} +{% if openshift_use_flannel|default(False)|bool %} + data_net: + type: OS::Neutron::Net + properties: + name: openshift-ansible-{{ stack_name }}-data-net + port_security_enabled: false + + data_subnet: + type: OS::Neutron::Subnet + properties: + name: openshift-ansible-{{ stack_name }}-data-subnet + network: { get_resource: data_net } + cidr: {{ osm_cluster_network_cidr|default('10.128.0.0/14') }} + gateway_ip: null +{% endif %} + router: type: OS::Neutron::Router properties: @@ -641,6 +657,11 @@ resources: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: true + data_net: { get_resource: data_net } + data_subnet: { get_resource: data_subnet } +{% endif %} {% endif %} secgrp: {% if openstack_flat_secgrp|default(False)|bool %} @@ -713,6 +734,11 @@ resources: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: true + data_net: { get_resource: data_net } + data_subnet: { get_resource: data_subnet } +{% endif %} {% endif %} secgrp: - { get_resource: {% if openstack_flat_secgrp|default(False)|bool %}flat-secgrp{% else %}node-secgrp{% endif %} } @@ -767,6 +793,11 @@ resources: template: openshift-ansible-cluster_id-net params: cluster_id: {{ stack_name }} +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: true + data_net: { get_resource: data_net } + data_subnet: { get_resource: data_subnet } +{% endif %} {% endif %} secgrp: # TODO(bogdando) filter only required node rules into infra-secgrp diff --git a/roles/openstack-stack/templates/heat_stack_server.yaml.j2 b/roles/openstack-stack/templates/heat_stack_server.yaml.j2 index 66c2491a9..6552e0a0d 100644 --- a/roles/openstack-stack/templates/heat_stack_server.yaml.j2 
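Review bot: `port_security_enabled: false` on `data_net` disables security groups and MAC/IP anti-spoofing for every port on that network, and the template does not say why; a comment such as `# Port security is off: flannel forwards pod addresses that Neutron anti-spoofing would otherwise drop (confirm)` documents the trade-off the README describes. The subnet `cidr` defaults to `10.128.0.0/14`, the same value as the OpenShift cluster network; if an inventory overrides `osm_cluster_network_cidr` only in the OSEv3 group, the stack rendered on localhost may not see the override and the two ranges silently diverge. Neutron also allocates the node data-port addresses from this same range, so if the overlap with the pod range is intended it deserves a line in the same comment.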
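Review bot: `data_subnet: { get_resource: data_subnet }` is passed to every server group whenever Flannel is enabled, but heat_stack_server.yaml.j2 declares the `data_subnet` parameter only inside `{% if not provider_network %}`, so in the provider-network case Heat should reject the unknown property on the nested stack. The same lines are added at 713 and 767 of this file. Either wrap the three `data_subnet:` lines in the same `{% if not provider_network %}` guard, or, since the README states Flannel cannot work over a provider network, drop the provider-network branches from the server templates and let net_vars_check.yaml reject that combination outright. heat_stack_server_nofloating.yaml.j2 declares the parameter unconditionally, so the two server templates also disagree with each other.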
+++ b/roles/openstack-stack/templates/heat_stack_server.yaml.j2 @@ -68,6 +68,28 @@ parameters: description: Subnet resource {% endif %} +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: + type: boolean + default: false + label: Attach-data-net + description: A switch for data port connection + + data_net: + type: string + default: '' + label: Net ID + description: Net resource + +{% if not provider_network %} + data_subnet: + type: string + default: '' + label: Subnet ID + description: Subnet resource +{% endif %} +{% endif %} + secgrp: type: comma_delimited_list label: Security groups @@ -133,6 +155,11 @@ outputs: {% endif %} - addr +{% if openshift_use_flannel|default(False)|bool %} +conditions: + no_data_subnet: {not: { get_param: attach_data_net} } +{% endif %} + resources: server: @@ -143,11 +170,28 @@ resources: image: { get_param: image } flavor: { get_param: flavor } networks: +{% if openshift_use_flannel|default(False)|bool %} + if: + - no_data_subnet +{% if use_trunk_ports|default(false)|bool %} + - - port: { get_attr: [trunk-port, port_id] } +{% else %} + - - port: { get_resource: port } +{% endif %} +{% if use_trunk_ports|default(false)|bool %} + - - port: { get_attr: [trunk-port, port_id] } +{% else %} + - - port: { get_resource: port } + - port: { get_resource: data_port } +{% endif %} + +{% else %} {% if use_trunk_ports|default(false)|bool %} - port: { get_attr: [trunk-port, port_id] } {% else %} - port: { get_resource: port } {% endif %} +{% endif %} user_data: get_file: user-data user_data_format: RAW 
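Review bot: The `conditions` section and the `if:` intrinsic used further down require `heat_template_version: 2016-10-14` or newer; the version line is outside this hunk, so please confirm it is at least that in both server templates, otherwise the stack fails validation whenever Flannel is enabled. The condition name `no_data_subnet` negates a parameter that is about attaching the network, and every use site negates it again (`condition: { not: no_data_subnet }`); a positive condition, `attach_data_net: { get_param: attach_data_net }`, used directly in `condition:` and as the `if:` selector with the branch order swapped, avoids the double negative.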
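Review bot: With `use_trunk_ports` enabled, both branches of the new `if:` list only the trunk port, so `data_port` is created (its condition does not depend on trunking) but never attached to the server; Flannel then has no interface on the data network and the port is left orphaned in Neutron. The trunk branch of the attach case should also list `- port: { get_resource: data_port }`, or trunking plus Flannel should be rejected in net_vars_check.yaml. The same structure is repeated in heat_stack_server_nofloating.yaml.j2 (hunk at line 120). The enclosing `server` resource starts before this hunk and continues after it.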
@@ -179,6 +223,19 @@ resources: {% endif %} security_groups: { get_param: secgrp } +{% if openshift_use_flannel|default(False)|bool %} + data_port: + type: OS::Neutron::Port + condition: { not: no_data_subnet } + properties: + network: { get_param: data_net } + port_security_enabled: false +{% if not provider_network %} + fixed_ips: + - subnet: { get_param: data_subnet } +{% endif %} +{% endif %} + {% if not provider_network %} floating-ip: type: OS::Neutron::FloatingIP diff --git a/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 b/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 index 4b79d5ab6..742d53649 100644 --- a/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 +++ b/roles/openstack-stack/templates/heat_stack_server_nofloating.yaml.j2 @@ -66,6 +66,26 @@ parameters: label: Subnet ID description: Subnet resource +{% if openshift_use_flannel|default(False)|bool %} + attach_data_net: + type: boolean + default: false + label: Attach-data-net + description: A switch for data port connection + + data_net: + type: string + default: '' + label: Net ID + description: Net resource + + data_subnet: + type: string + default: '' + label: Subnet ID + description: Subnet resource +{% endif %} + secgrp: type: comma_delimited_list label: Security groups @@ -110,6 +130,11 @@ outputs: - 0 - addr +{% if openshift_use_flannel|default(False)|bool %} +conditions: + no_data_subnet: {not: { get_param: attach_data_net} } +{% endif %} + resources: server_nofloating: 
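Review bot: The new `data_port` resource is a near-verbatim copy of the block added to heat_stack_server_nofloating.yaml.j2 (hunk at line 196), as are the parameter and `conditions` additions; keeping the two templates in sync by hand is error-prone, which the differing `data_subnet` parameter guards already show, so a shared Jinja include or macro for the Flannel pieces is worth considering. If the duplication stays, a comment on `port_security_enabled: false` here, `# Must match data_net: port security off so pod traffic on this port is not filtered`, keeps the intent visible where the port is defined. `data_net` defaults to `''` while `attach_data_net` defaults to `false`; when a caller sets the switch without a net id the failure only surfaces at stack create, so the parameter description should state that `data_net` is mandatory when `attach_data_net` is true.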
@@ -120,11 +145,28 @@ resources: image: { get_param: image } flavor: { get_param: flavor } networks: +{% if openshift_use_flannel|default(False)|bool %} + if: + - no_data_subnet +{% if use_trunk_ports|default(false)|bool %} + - - port: { get_attr: [trunk-port, port_id] } +{% else %} + - - port: { get_resource: port } +{% endif %} +{% if use_trunk_ports|default(false)|bool %} + - - port: { get_attr: [trunk-port, port_id] } +{% else %} + - - port: { get_resource: port } + - port: { get_resource: data_port } +{% endif %} + +{% else %} {% if use_trunk_ports|default(false)|bool %} - port: { get_attr: [trunk-port, port_id] } {% else %} - port: { get_resource: port } {% endif %} +{% endif %} user_data: get_file: user-data user_data_format: RAW @@ -154,6 +196,19 @@ resources: - subnet: { get_param: subnet } security_groups: { get_param: secgrp } +{% if openshift_use_flannel|default(False)|bool %} + data_port: + type: OS::Neutron::Port + condition: { not: no_data_subnet } + properties: + network: { get_param: data_net } + port_security_enabled: false +{% if not provider_network %} + fixed_ips: + - subnet: { get_param: data_subnet } +{% endif %} +{% endif %} + {% if not ephemeral_volumes|default(false)|bool %} cinder_volume: type: OS::Cinder::Volume |