6 files changed, 31 insertions, 16 deletions

diff --git a/roles/etcd_common/defaults/main.yml b/roles/etcd_common/defaults/main.yml
index 1ff1d6ef8..93633e3e6 100644
--- a/roles/etcd_common/defaults/main.yml
+++ b/roles/etcd_common/defaults/main.yml
@@ -25,7 +25,7 @@ etcd_ca_new_certs_dir: "{{ etcd_ca_dir }}/certs"
 etcd_ca_db: "{{ etcd_ca_dir }}/index.txt"
 etcd_ca_serial: "{{ etcd_ca_dir }}/serial"
 etcd_ca_crl_number: "{{ etcd_ca_dir }}/crlnumber"
-etcd_ca_default_days: 365
+etcd_ca_default_days: 1825
 
 # etcd server & certificate vars
 etcd_hostname: "{{ inventory_hostname }}"
diff --git a/roles/flannel/tasks/main.yml b/roles/flannel/tasks/main.yml
index 6b6dfb423..d41eb0de8 100644
--- a/roles/flannel/tasks/main.yml
+++ b/roles/flannel/tasks/main.yml
@@ -4,21 +4,18 @@
   action: "{{ ansible_pkg_mgr }} name=flannel state=present"
   when: not openshift.common.is_containerized | bool
 
-- name: Set flannel etcd url
+- name: Set flannel etcd options
   become: yes
   lineinfile:
     dest: /etc/sysconfig/flanneld
     backrefs: yes
-    regexp: "^(FLANNEL_ETCD=)"
-    line: '\1{{ etcd_hosts|join(",") }}'
-
-- name: Set flannel etcd key
-  become: yes
-  lineinfile:
-    dest: /etc/sysconfig/flanneld
-    backrefs: yes
-    regexp: "^(FLANNEL_ETCD_KEY=)"
-    line: '\1{{ flannel_etcd_key }}'
+    regexp: "{{ item.regexp }}"
+    line: "{{ item.line }}"
+    with_items:
+      - { regexp: "^(FLANNEL_ETCD=)", line: '\1{{ etcd_hosts|join(",") }}' }
+      - { regexp: "^(FLANNEL_ETCD_ENDPOINTS=)", line: '\1{{ etcd_hosts|join(",") }}' }
+      - { regexp: "^(FLANNEL_ETCD_KEY=)", line: '\1{{ flannel_etcd_key }}' }
+      - { regexp: "^(FLANNEL_ETCD_KEY_PREFIX=)", line: '\1{{ flannel_etcd_key }}' }
 
 - name: Set flannel options
   become: yes
diff --git a/roles/openshift_master/handlers/main.yml b/roles/openshift_master/handlers/main.yml
index 913f3b0ae..e119db1a2 100644
--- a/roles/openshift_master/handlers/main.yml
+++ b/roles/openshift_master/handlers/main.yml
@@ -17,7 +17,7 @@
   # Using curl here since the uri module requires python-httplib2 and
   # wait_for port doesn't provide health information.
   command: >
-    curl --silent
+    curl --silent --tlsv1.2
     {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
     --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
     {% else %}
diff --git a/roles/openshift_metrics/handlers/main.yml b/roles/openshift_metrics/handlers/main.yml
index 913f3b0ae..e119db1a2 100644
--- a/roles/openshift_metrics/handlers/main.yml
+++ b/roles/openshift_metrics/handlers/main.yml
@@ -17,7 +17,7 @@
   # Using curl here since the uri module requires python-httplib2 and
   # wait_for port doesn't provide health information.
   command: >
-    curl --silent
+    curl --silent --tlsv1.2
     {% if openshift.common.version_gte_3_2_or_1_2 | bool %}
     --cacert {{ openshift.common.config_base }}/master/ca-bundle.crt
     {% else %}
diff --git a/roles/openshift_node/tasks/systemd_units.yml b/roles/openshift_node/tasks/systemd_units.yml
index 27c9b48f0..f722a6e69 100644
--- a/roles/openshift_node/tasks/systemd_units.yml
+++ b/roles/openshift_node/tasks/systemd_units.yml
@@ -24,11 +24,26 @@
   notify:
   - restart openvswitch
 
+# May be a temporary workaround.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1331590
+- name: Create OpenvSwitch service.d directory
+  file: path=/etc/systemd/system/openvswitch.service.d/ state=directory
+  when: openshift.common.use_openshift_sdn | default(true) | bool
+
+- name: Install OpenvSwitch service OOM fix
+  template:
+    dest: "/etc/systemd/system/openvswitch.service.d/01-avoid-oom.conf"
+    src: openvswitch-avoid-oom.conf
+  when: openshift.common.use_openshift_sdn | default(true) | bool
+  register: install_oom_fix_result
+  notify:
+  - restart openvswitch
+
 - name: Install OpenvSwitch docker service file
   template:
     dest: "/etc/systemd/system/openvswitch.service"
     src: openvswitch.docker.service
-  when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | bool
+  when: openshift.common.is_containerized | bool and openshift.common.use_openshift_sdn | default(true) | bool
   notify:
   - restart openvswitch
 
@@ -67,6 +82,6 @@
 
 - name: Reload systemd units
   command: systemctl daemon-reload
-  when: openshift.common.is_containerized | bool and (install_node_result | changed or install_ovs_sysconfig | changed or install_node_dep_result | changed)
+  when: (openshift.common.is_containerized | bool and (install_node_result | changed or install_ovs_sysconfig | changed or install_node_dep_result | changed)) or install_oom_fix_result | changed
   notify:
   - restart node
diff --git a/roles/openshift_node/templates/openvswitch-avoid-oom.conf b/roles/openshift_node/templates/openvswitch-avoid-oom.conf
new file mode 100644
index 000000000..3229bc56b
--- /dev/null
+++ b/roles/openshift_node/templates/openvswitch-avoid-oom.conf
@@ -0,0 +1,3 @@
+# Avoid the OOM killer for openvswitch and it's children:
+[Service]
+OOMScoreAdjust=-1000